Drupal - Composer updates .htaccess file when updating

 "extra": {
   "drupal-scaffold": { 
       "source": "http://cgit.drupalcode.org/drupal/plain/{path}?h={version}", 
       "excludes": [ ".htaccess", "robots.txt" ]
       }
}

Put this above code in your composer.json file.

While the accepted answer is correct and this prevent the .htacces file from being overwritten, most updates done to that files are linked to security issues. You should patch the file instead, as described in this answer : https://drupal.stackexchange.com/a/271147/25673

Here's a copy of the answer by Stef Van Looveren

In the scripts section of your composer.json file, use the following:

"post-drupal-scaffold-cmd": [
  "patch -p0 < patches/htaccess.patch"
]

(this requires "drupal-composer/drupal-scaffold" in your require section)