You're supposed to commit it for applications, but omit it for libraries. Libraries declare the versions they're compatible with but they don't lock to specific releases.
In at least some packaging systems, committing the lock file for a library is useful so that the library maintainers use the same versions. (It's ignored by users of the library.)