I'm wondering if there a general mechanism to detect an out of date lock file.

Specifically I mean that there have been updates made to dependencies in buf.yaml and buf dep update has not been run.
The net result of this situation is that buf generate will continue to operate on the versions in buf.lock and silently ignore that buf.yaml has updated dependencies.
When the module is subsequently published, the dependencies are still on the old commits (and in our case have now diverged from the compiled SDKs published in Maven).

We've noticed this in practice in our toolchain, which drives upstream updates via Renovate updates to Maven dependencies, which are then templated into the buf.yaml.
In the absence of Renovate support for buf dependencies (which would perform lock file maintenance), we'd like to institute a check to avoid these updates building without someone intervening to update the lock file.

The best option we have at present is running buf dep update and comparing before an after (either manually or with a git status).
A buf dep outdated command would be useful in this context (or a dry-run option to buf dep update) along with modified status codes for an out of date situation.

Does anyone have any better ideas in the current tooling?