composer install should not be a problem, even when using composer version 1, as it reads from the composer.lock file (which I assume you commit it as it is the default)
For frontend dependencies, I moved on compiling my assets locally and pushing them already processed so I don't even need to have node/npm/yarn installed on the server (unless I am using some integration which needs it).
I keep public/js, public/css, and public/mix-manifest.json (and any other generated frontend file/folder) on my .gitignore file, so they don't mess up every commit if I am using yarn watch (or npm run watch).
But then I have a "build-push.sh" script which runs yarn prod and force add the generated files to a separated commit when I am building to production.
Here is a simplified version of this script:
#!/usr/bin/env bash
# Ensure script is running on the project's folder
cd /home/rodrigo/code/project || exit
# Ensure no changes in generated assets are commited by mistake
git reset HEAD public
git checkout -- public
# Commit changes with message from command line or a default one
git add .
git commit -m "${1:-savepoint}"
# Ensure all generated assets are removed, recompiled and force added to a separated commit
rm -r public/css public/js public/fonts public/images public/favicon public/favicon.ico public/mix-manifest.json
yarn run prod
git add --force public/css public/js public/fonts public/images public/favicon public/favicon.ico public/mix-manifest.json
git commit -m 'frontend compilation'
# Push commits to git
git push origin master
# Trigger Forge Deploy
curl https://forge.laravel.com/servers/...
notify-send 'deployed'
Hope this helps.