Per @ocramius, composer.lock is useful for deployment. We don't need it included
with the skeleton since it is generated on the first install, however we likely
do not want it to be ignored from version control, since it carries the tested
versions of the dependencies from development to production in the deployment
process.