In my experience, if a composer.lock file is preset and the versions of the installed dependencies match with the "locked" versions, composer install --dry-run will always return Nothing to install or update. It will not check if "composer dependencies [are] up to date", but this is what the check is about, isn't it?

Then the check is probably mislabeled.
At least that's not what I would like to check (certainly not on production systems).

The basic idea behind it was that we faced a couple of issues when working together with other developers. They didn't know that we added things to the composer.json and they needed to call composer install.

So instead of checking: are there newer versions of your composer dependencies available?
This checks should ensure that the installed dependencies match the dependencies in your .lock file.

Ah, okay. Then the label is at least ambiguous.

I changed the name of the checks to make this more clear 👍