I had another idea related to the topic of this thread, though technically quite independent from (virtually all) the implementation needed for the other functionality described already.
Have an API module that simply serves the composer.lock file. This can be implemented as trivially as reading the file and serving that, or perhaps doing a json parse in between and feeding the array to the MW API thing. In fact, I'd not go further and add additional things on top here, so it stays as simple as it can be for this use case. And if it is this trivial, it might be feasible to get it into MW core.
Be warned, whoever implements this might be forever loved by Jamie Thingelstad (Wikiapiary).