So it turns out Trellis is also slightly to blame here we think.
Trellis copies the vendor folder to new releases. See https://github.com/roots/trellis/blob/8666765785aa799cb6828dccf9c6f846eb975cba/roles/deploy/defaults/main.yml#L11-L15
It seems like there is an issue with the underlying package being updated, but it might be exposed by copying the vendor dir instead of just relying on a brand new composer install every time.
This was done for speed purposes and has never been an issue until now.