You should use a specific (tagged stable at best) version wherever possible. While composer.lock does lock the dependency to a specific commit even when using dev-master … every composer update will update the dependency to the latest version and afterwards update the lockfile. If your lockfile somehow gets deleted/lost and it is not backed up / under version control, you can easily end up with a non-working project after running composer install or composer update!

A simple example would be symfony/symfony itself … new commits might introduce new BC (backward compatibility) breaks in the dev-master branch at any time, leaving your application in a non-functional state.
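As an added illustration (not part of the answer above, and not Composer's own tooling), here is a small check that scans a composer.json for constraints that resolve to a moving branch rather than a tagged release; the composer.json content is constructed for the example, and the package names other than symfony/symfony are placeholders.

```python
import json

# Constructed sample composer.json for the example; package names other than
# symfony/symfony are placeholders, not real dependencies.
SAMPLE_COMPOSER_JSON = """
{
  "require": {
    "php": ">=7.4",
    "symfony/symfony": "dev-master",
    "monolog/monolog": "^2.0",
    "acme/widget": "1.0.x-dev",
    "acme/other": "*",
    "acme/stable": "1.2.3"
  },
  "require-dev": {
    "phpunit/phpunit": "1.0.*@dev"
  }
}
"""


def is_unpinned(constraint):
    """True if the constraint follows a branch tip instead of a tagged release.

    Branch constraints look like "dev-master" / "dev-main" or use the
    branch alias form "1.0.x-dev"; a "@dev" stability flag or a bare "*"
    also let `composer update` pull whatever is newest.
    A "dev-master#<commit>" reference is tied to one commit, so it is
    treated as pinned.
    """
    c = constraint.strip()
    if "#" in c:
        return False
    if c.startswith("dev-") or c.endswith("-dev"):
        return True
    if "@dev" in c or c == "*":
        return True
    return False


def find_unpinned(composer_json_text):
    """Return (section, package, constraint) for every unpinned dependency."""
    data = json.loads(composer_json_text)
    findings = []
    for section in ("require", "require-dev"):
        for package, constraint in sorted(data.get(section, {}).items()):
            # "php" and "ext-*" are platform requirements, not VCS checkouts.
            if package == "php" or package.startswith("ext-"):
                continue
            if is_unpinned(constraint):
                findings.append((section, package, constraint))
    return findings


if __name__ == "__main__":
    for section, package, constraint in find_unpinned(SAMPLE_COMPOSER_JSON):
        print(f"{section}: {package} follows a moving target ({constraint})")
```

Run it against a real composer.json before committing; anything it reports is a dependency that a lost composer.lock can silently move to a different commit.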