When you remove composer.lock file, (you can use composer install instead of composer update), but you need to prevent that composer is installing newer versions of packages, because that's not the task of this action.

Please use composer update --lock instead of composer update. There will not been looking to newer versions of packages, but it removes replaced / or installs the excluded replaced packages

This is an ongoing insight. At first, when composer replacements started to be a thing, running compose update (regardless of the flag) didn't work, so therefore the composer.lock removal was suggested. Perhaps these days, this is less of an issue. I'll update the docs to mention only composer update --lock