You should use a specific ( tagged stable at best ) version wherever possible.
While composer.lock does lock the dependency to a specific commit even when using dev-master … every composer update will update the dependency to the latest version and afterwards update the lockfile.
If your lockfile somehow gets deleted/lost and it is not backuped / under version control you can easily end up with a non-working project after running composer install or composer update!
A simple example would be symfony/symfony itself … new commits might introduce new BC (backward compatibility) breaks in the dev-master branch any time leaving your application in a non-functional state.