Short version: The "best way" for this depends on your setup. If you used to run the php bin / vendors update, then it would be better to remove the line for the package you want to update from the deps.lock file, and then run "php bin / vendors install" from your Symfony database.
Long version: I think some clarification on what the teams of different suppliers are doing is ok.
1) php bin / vendors install
This command downloads (if necessary) and installs the source package files of the provider package to symfony / vendor. This command will first look at deps.lock to see what git commits / versions are listed there, then it will look at your deps file to see which versions are listed there. If no version is specified for a particular package, it will download the latest version of the package code for that package. If a version is found, it will download and install this version of the vendor code.
This command will not put anything in deps.lock.
2) php bin / vendors install --reinstall
This command does the same as installing php bin / vendors, except that it will always load the code before installing it in symfony / vendor.
This command will not put anything in deps.lock.
3) Update php bin / vendors
This command will ignore deps.lock and will download (if necessary) and install the package code versions listed in the depot file in symfony / vendor.
After the download is complete and the code is installed, it will place the git commit id / version of the downloaded code for each package in the deps.lock file. Thus, when you run one of the installation commands listed above, the version of the downloaded code will not change unless you delete the associated line with the deps.lock file or if you run the update command again.
The idea behind the deps.lock file is that it prevents you from accidentally upgrading your packages to a later non-working version of the code for a third-party package version. Symfony and its packages are constantly evolving, so changes (even if they are not bugs) happen quite often and break your code. You probably want your versions to be locked in deps.lock as soon as possible and only updated when you want to do this.
Once you lock the package versions in deps.lock, you just need to remove the associated line from the deps.lock file by running one of the installation commands to update the specific package, as I said in the short answer above. If you want to block this code to the version that you just installed, you need to add the line to deps.lock yourself or remove everything from the depot and start the php bin / vendor update, as described above.