Reputation: 147
Just pushed a package to packagist:
composer require rokfor/rokfor-slim:dev-master
It's returning the error
Your requirements could not be resolved to an installable set of packages.
  Problem 1
    - Installation request for rokfor/rokfor-slim dev-master -> satisfiable by rokfor/rokfor-slim[dev-master].
    - rokfor/rokfor-slim dev-master requires jlndk/slim-jade ^1.0 -> no matching package found.
If I'm checking out like
$ git clone https://github.com/rokfor/rokfor-slim
$ cd rokfor-slim
$ composer install
Everything installs just fine.
I think I'm missing something crucial here. Is it not allowed to push a package to packagist with a source from a vcs repository?
The composer.json looks like:
{
    "name": "rokfor/rokfor-slim",
    "description": "Rokfor CMS: Headless CMS with JSON api",
    "keywords": ["rokfor", "slim","framework","view","template","jade"],
    "homepage": "http://cloud.rokfor.ch",
    "license": "MIT",
    "type": "project",
    "time": "2016-02-28",
    "authors": [
        {
            "name": "Rokfor",
            "homepage": "http://www.rokfor.ch"
        }
    ],
    "repositories": [
        {
            "type": "vcs",
            "url": "https://github.com/urshofer/slim-jade"
        },
        {
            "type": "vcs",
            "url": "https://github.com/Rokfor/rokfor-php-db"
        },
        {
            "type": "vcs",
            "url": "https://github.com/urshofer/slim-auth"
        }
    ],
    "require": {
        "php": ">=5.5.0",
        "slim/slim": "~3.0",
        "jlndk/slim-jade": "^1.0",
        "rokfor/db": "dev-versioning",
        "monolog/monolog": "^1.17",
        "slim/csrf": "^0.6.0",
        "jeremykendall/slim-auth": "dev-slim-3.x",
        "slim/flash": "^0.1.0",
        "akrabat/rka-ip-address-middleware": "^0.4.0",
        "palanik/corsslim": "dev-slim3",
        "erusev/parsedown": "^1.6",
        "predis/predis": "^1.0",
        "lcobucci/jwt": "^3.1",
        "ext-gd": "*"
    },
    "require-dev": {
        "phpunit/phpunit": "*"
    },
    "minimum-stability": "dev",
    "prefer-stable": true
}
Upvotes: 1
Views: 1532
Reputation: 70863
In a library, you cannot reference anything other than libraries that are available on packagist.org. Or you instruct your users to reference an additional source for package information.
Adding vcs and package repositories is only allowed for the root composer.json, which you cannot influence as a library other than instructing your users to do additional things beyond composer require your/lib. Which is kind of annoying, and also may be subject to security considerations, because this will not only open the door for your individual library, but for ANY library as well.
And as you did with "jlndk/slim-jade" (which the original author published from his repository as 0.0.1, and another author re-published it without adding it to packagist or changing the lib's name, adding the version tag 1.0), any additional source of package information can potentially add more package information, i.e. add a newer, malicious version of e.g. a symfony package.
Upvotes: 1
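The root-only rule and the trust concern from the answer above, as an added audit sketch that is not part of the original thread. The consumer manifest is constructed, the function names are hypothetical, and the "only" key is Composer 2's repository package filter.

```python
import json

# Library manifest from the question, trimmed to the keys that matter here.
LIBRARY = json.loads("""{
  "name": "rokfor/rokfor-slim",
  "repositories": [
    {"type": "vcs", "url": "https://github.com/urshofer/slim-jade"},
    {"type": "vcs", "url": "https://github.com/Rokfor/rokfor-php-db"},
    {"type": "vcs", "url": "https://github.com/urshofer/slim-auth"}
  ],
  "require": {"jlndk/slim-jade": "^1.0", "rokfor/db": "dev-versioning"}
}""")

# Constructed consumer (root) manifest: two of the sources were added by hand,
# one of them limited to a single package name via Composer 2's "only" filter.
ROOT = json.loads("""{
  "name": "example/consumer-app",
  "repositories": [
    {"type": "vcs", "url": "https://github.com/urshofer/slim-jade",
     "only": ["jlndk/slim-jade"]},
    {"type": "vcs", "url": "https://github.com/Rokfor/rokfor-php-db"}
  ],
  "require": {"rokfor/rokfor-slim": "dev-master"}
}""")


def repositories(manifest):
    """Return repository entries that carry a URL (list or keyed-object form)."""
    repos = manifest.get("repositories", [])
    if isinstance(repos, dict):
        repos = list(repos.values())
    return [r for r in repos if isinstance(r, dict) and "url" in r]


def ignored_repositories(library, root):
    """Sources the library declares but the root does not. Composer reads
    "repositories" from the root manifest only, so these are never consulted."""
    root_urls = {r["url"].rstrip("/") for r in repositories(root)}
    return sorted(r["url"] for r in repositories(library)
                  if r["url"].rstrip("/") not in root_urls)


def unscoped_repositories(root):
    """Root sources with no "only" filter: each may offer any package name."""
    return sorted(r["url"] for r in repositories(root) if not r.get("only"))


if __name__ == "__main__":
    print("ignored when installed as a dependency:", ignored_repositories(LIBRARY, ROOT))
    print("can supply any package name:", unscoped_repositories(ROOT))
```

Passing an empty root manifest reproduces the situation in the question: all three of the library's sources are reported as ignored.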