Specific commit version in composer.json produce strange require

Question

I'm trying to make working an old PHP source code. composer.json contains:

{
    "minimum-stability": "dev",
    "name": "symfony/framework-standard-edition",
    "description": "The \"Symfony Standard Edition\" distribution",
    "autoload": {
        "psr-0": { "": "src/" }
    },
    "require": {
        "php": ">=5.3.3",
        "symfony/symfony": "v2.2.4",
        [...]
        "friendsofsymfony/user-bundle": "v1.3.1",
        "doctrine/data-fixtures" : "dev-master#b4a135c",
        [...]

But when I run php composer.phar install I got:

  Problem 1
    - Installation request for doctrine/data-fixtures dev-master#b4a135c -> satisfiable by doctrine/data-fixtures[dev-master].
    - doctrine/data-fixtures dev-master requires php ^7.1 -> your PHP version (5.6.37) does not satisfy that requirement.

doctrine/data-fixtures requirement for this commit is here.

Why composer is talking about php ^7.1? How really use version b4a135c of this package?

Answer 1

When you're using such constraint, requirements are taken from branch. So for dev-master#b4a135c requirements are checked for master branch, so this is the source of ^7.1 requirement.

Quick workaround would be to use different branch:

"doctrine/data-fixtures": "1.0.x-dev#b4a135c",

But you should really fix it and use real constraints and releases - pointing to specified commit is basically a hack and should be avoided. Relying on it in a long term probably will give some problems at some point. This limitation and possible problems are documented:

While this is convenient at times, it should not be how you use packages in the long term because it comes with a technical limitation. The composer.json metadata will still be read from the branch name you specify before the hash. Because of that in some cases it will not be a practical workaround, and you should always try to switch to tagged releases as soon as you can.