Yii2 + Git + Composer Best Practices

So I am looking forward to my first taste of Yii2 and also Composer, and I was wondering what the best practice is for managing Composer and Git alongside each other in a code base. As far as I can see, Composer-installed third-party extensions appear as Git submodules (if they are pulled from GitHub). In addition, I would like my custom code to be in Git. So my question is: what are the Git deployment best practices in this case? Should I run composer update on the production server every time I deploy? Should I deploy the composer.lock file so that I can ensure the same extension versions all over the place?

Thanks for sharing your thoughts!

Deploy composer.lock and run composer install on production. This way you will get the versions that are defined in the lock file.

Use composer update only in dev/testing.
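The deployment step described in this answer, as an added example that is not part of the original thread: a deploy gate that refuses to install without a committed composer.lock and never resolves new versions on production. The function name `deploy_install` and the `COMPOSER_BIN` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): install exactly what composer.lock pins.
# COMPOSER_BIN and deploy_install are hypothetical names chosen for this sketch.
# Usage from a deploy job: deploy_install /path/to/release
COMPOSER_BIN="${COMPOSER_BIN:-composer}"

deploy_install() {
    project_dir="$1"

    if [ ! -f "$project_dir/composer.json" ]; then
        echo "deploy: no composer.json in $project_dir" >&2
        return 2
    fi

    # Without a lock file, `composer install` resolves versions afresh,
    # so production could receive dependency code that was never tested.
    if [ ! -f "$project_dir/composer.lock" ]; then
        echo "deploy: composer.lock missing; commit it from dev/testing" >&2
        return 3
    fi

    # validate reports an error when composer.lock is out of date with
    # composer.json; --no-check-publish skips packagist-only checks.
    "$COMPOSER_BIN" validate --no-check-publish \
        --working-dir="$project_dir" || return 4

    # install (never update) reads the pinned versions from the lock file.
    # --no-dev keeps development-only packages off the production host.
    "$COMPOSER_BIN" install --no-dev --no-interaction --prefer-dist \
        --optimize-autoloader --working-dir="$project_dir" || return 5
}
```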

Does it mean that the vendor directory can be excluded from Git?

@Nagy Read this https://getcomposer.org/doc/faqs/should-i-commit-the-dependencies-in-my-vendor-directory.md