I came across a magento 2.3 project and I saw an intentional commit upon ./vendor also sometimes I saw manually editing code upon it.

This was an intentional action and not due to lack of knowledge. And the reason why is because composer may download breaking dependencies or may cause unstability because the versions are not too concrete. Therefore the latest subversions is installed upon composer install.

Furthermore, according to ma coleagues, any instability with vendor causes many manhours for debugging. As a result upon initial composer install they commit the ./vendor.

Is this also a practice you follow? Do you have an alternative approach? Is there a way to cement the installed versions regardless what dependencie's composer.json says?