Use composer install to install dependencies

[dhensby]

This change uses composer install instead of composer update to install dependencies.

The point of the composer.lock file is to allow reproducible dependency installs across environments/projects. To use the update command during CI means that we get non-reproducible results and that we ship an untested lock file with our projects.

Not only this, but the use of update instead of install is having quite profound impacts on CI build times. Looking at the mfa module as an example, installation times have gone from 25 seconds to 3.5 minutes when switching from install to update.

Unless there's some undocumented reason as to why update is preferred to install, this should be changed

[michalkleiner]

There's no lock file to go by but using install over update still makes sense.

[emteknetnz]

Makes sense. From memory there was a conscious reason why composer update made more sense than composer install, though I can't remember what that reason was. Possibly that reason is no longer be valid anyway.

[emteknetnz]

OK probably the reason was that --prefer-lowest only works with composer update :D No worries, we can be a little dynamic with it - #36