What's the difference between composer.lock and installed.json?

composer.lock is generated when installing for the first time or updating. It contains references to the exact versions used. It should be committed into the version tracking repository to allow restoring this exact combination of libraries.

installed.json is an internal file of Composer. It's used when you remove a package manually from composer.json to remove the files from the vendor directory. Otherwise, the old vendor package would be around forever.