I have a `composer.json` file with some packages in specific versions. So I am sure that every time I run `composer update` I will retrieve exactly the SAME code as before.

But there are some application authors and companies that produce "hotfixes". That means they fix something in their code without changing the version.

Do you know if this thing can happen in composer's packages?

If yes, then every time I download packages using `composer.json` I cannot be sure that I get the same code...
Well, the problem is that you run `composer update`. You should never do that unless you want to get the newest commit of the package you use.

Each time you use `composer.json`, a `composer.lock` file is also generated, and in case you commit this in a repository (for example Git) you should always commit both `composer.json` and `composer.lock`. Now if you (or someone else) in the future want to install your application and run `composer install`, they will get the exact same commits that are saved in `composer.lock`.

So the simple rule is: when you want to install the same, you should have `composer.json` and `composer.lock` and run `composer install`, and in case you want to update all packages to the versions you have in `composer.json`, you should run `composer update`.
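A way to check for exactly the situation the question describes, as an added example that is not code from the original post or from Composer itself: `composer.lock` records the commit reference of each package under `source.reference` (and `dist.reference`), so comparing a committed lock file with a freshly regenerated one reveals any package whose version string stayed the same while its pinned commit moved. The two lock files below are constructed samples with placeholder package names and hashes.

```python
"""Detect a silent 'hotfix': a package whose version string is unchanged
between two composer.lock files but whose pinned commit reference differs.
Added example, not code from the original post; the lock files are
constructed samples with placeholder commit hashes."""
import json

def _pkg(name, version, ref):
    """Build a minimal composer.lock package entry (constructed sample)."""
    return {
        "name": name,
        "version": version,
        "source": {"type": "git",
                   "url": f"https://example.invalid/{name}.git",
                   "reference": ref},
        "dist": {"type": "zip",
                 "url": f"https://example.invalid/{name}/zipball/{ref}",
                 "reference": ref, "shasum": ""},
    }

# Lock as committed, and a lock regenerated after upstream silently
# re-tagged acme/mailer 2.4.1 (placeholder hashes, not real commits).
LOCK_BEFORE = json.dumps({"content-hash": "placeholder", "packages": [
    _pkg("acme/mailer", "2.4.1", "a" * 40),
    _pkg("acme/logger", "1.0.0", "b" * 40)], "packages-dev": []})
LOCK_AFTER = json.dumps({"content-hash": "placeholder", "packages": [
    _pkg("acme/mailer", "2.4.1", "c" * 40),   # same version, new commit
    _pkg("acme/logger", "1.0.1", "d" * 40)], "packages-dev": []})

def pinned_refs(lock_json):
    """Map package name -> (version, commit reference) from a composer.lock."""
    lock = json.loads(lock_json)
    refs = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            src = pkg.get("source") or {}
            dist = pkg.get("dist") or {}
            refs[pkg["name"]] = (pkg["version"],
                                 src.get("reference") or dist.get("reference"))
    return refs

def silent_hotfixes(old_lock, new_lock):
    """Names of packages whose version is unchanged but pinned commit moved."""
    old, new = pinned_refs(old_lock), pinned_refs(new_lock)
    return sorted(name for name in old.keys() & new.keys()
                  if old[name][0] == new[name][0] and old[name][1] != new[name][1])

if __name__ == "__main__":
    print("silent hotfixes:", silent_hotfixes(LOCK_BEFORE, LOCK_AFTER))
```

With the committed lock file, `composer install` keeps deploying the `a…` commit of acme/mailer regardless of the re-tag; only `composer update` would move to the new one, which is the point the answer makes.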