Summary
a9f/fractor-yaml (transitively required by a9f/typo3-fractor) pins
webmozart/assert ^1.11 via an un-prefixed dependency path. This makes
the package impossible to install alongside dependencies that require
webmozart/assert ^2.x, e.g. simplesamlphp/simplesamlphp ^2.5
(pulls simplesamlphp/assert ~2.0 → webmozart/assert ~2.1).
Reproduce
Minimal composer.json (PHP 8.4):
{
    "require": {
        "simplesamlphp/simplesamlphp": "^2.5"
    },
    "require-dev": {
        "a9f/typo3-fractor": "^0.5"
    }
}
composer update --dry-run:
- a9f/fractor-yaml[v0.5.0, ..., v0.5.10] require webmozart/assert ^1.11
- simplesamlphp/assert[v2.0.0, ..., v2.0.2] require webmozart/assert ~2.1
You can only install one version of a package …
Impact
Same scenario as in
sabbelasichon/typo3-rector#4879
— any TYPO3 13 extension integrating simplesamlphp ≥ 2.5 cannot
include fractor in its dev tooling.
Suggested fix
Preferred: widen the constraint in a9f/fractor-yaml (and any other
a9f/* packages that pin webmozart/assert ^1.11) to
"webmozart/assert": "^1.11 || ^2.0". Since typo3-fractor already
requires PHP ≥ 8.2, the v2 PHP-minimum is not a blocker — you only need
to verify that no Assert::isTraversable() calls are used (removed in
v2, replacement: isIterable).
Alternative: ship a PHP-scoped / prefixed build of the fractor
packages.
Environment
- a9f/typo3-fractor: v0.5.0–v0.5.10
- a9f/fractor-yaml: v0.5.0–v0.5.10
- PHP: 8.4
- simplesamlphp/simplesamlphp: 2.5.0
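
The check named under "Suggested fix", as an added example (not code from this issue or from the fractor project): a Python scanner that finds static `isTraversable()` calls on webmozart's `Assert` in PHP sources, resolving `use ... as` aliases and skipping comments. The sample input is constructed, `scan_tree` is a hypothetical helper name, and heredocs and grouped `use` statements are not handled.

```python
import re
from pathlib import Path
# Strings are matched first so comment markers inside them ('https://...') are left alone.
TOKEN_RE = re.compile(
    r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#(?!\[)[^\n]*""", re.S)
# "use Webmozart\Assert\Assert;" with an optional "as Alias"
USE_RE = re.compile(
    r"^\s*use\s+\\?Webmozart\\Assert\\Assert(?:\s+as\s+(\w+))?\s*;", re.M | re.I)
FQCN = r"\\?Webmozart\\Assert\\Assert"


def strip_comments(src):
    """Blank out comments but keep newlines, so line numbers stay valid."""
    def blank(m):
        text = m.group()
        return text if text[0] in "'\"" else re.sub(r"[^\n]", " ", text)
    return TOKEN_RE.sub(blank, src)


def find_is_traversable(src):
    """Return line numbers of static isTraversable() calls on webmozart's Assert."""
    code = strip_comments(src)
    names = {m.group(1) or "Assert" for m in USE_RE.finditer(code)}
    targets = "|".join([re.escape(n) for n in sorted(names)] + [FQCN])
    # Assumption: the nullOr*/all* prefixed variants are affected as well.
    pattern = r"(?<![\w\\])(?:" + targets + r")\s*::\s*(?:nullOr|all)?isTraversable\s*\("
    call = re.compile(pattern, re.I)
    return sorted({code.count("\n", 0, m.start()) + 1 for m in call.finditer(code)})


def scan_tree(root):
    """Map each PHP file under root to the lines that need porting to isIterable."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        lines = find_is_traversable(path.read_text(encoding="utf-8", errors="replace"))
        if lines:
            hits[str(path)] = lines
    return hits


# Constructed sample input (not taken from any a9f/* package).
SAMPLE = r"""<?php
use Webmozart\Assert\Assert as A;
// A::isTraversable($old) in a comment is ignored
$url = 'https://example.test/#x'; A::isTraversable($items);
A::isIterable($items);
\Webmozart\Assert\Assert::allIsTraversable($lists);
Other::isTraversable($x);
"""
```

An empty result from `scan_tree()` over a package's source directory means the `^1.11 || ^2.0` constraint can be widened without touching call sites for this method.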