Requiring or updating a package from a git repository inconsistently adds and removes stability-flags from other packages in composer.lock #11698

Open
pereorga opened this issue Oct 28, 2023 · 1 comment
@pereorga

My composer.json:

{
  "name": "pere/composer-test",
  "type": "project",
  "minimum-stability": "dev",
  "prefer-stable": true,
  "repositories": [
    {
      "type": "package",
      "package": {
        "name": "pereorga/pccd-lt-filter",
        "version": "dev-master",
        "source": {
          "type": "git",
          "url": "https://github.com/pereorga/pccd-lt-filter.git",
          "reference": "master"
        }
      }
    },
    {
      "type": "package",
      "package": {
        "name": "noisebynorthwest/php-spx",
        "version": "dev-master",
        "source": {
          "type": "git",
          "url": "https://github.com/NoiseByNorthwest/php-spx.git",
          "reference": "master"
        }
      }
    }
  ],
  "require-dev": {
    "pereorga/pccd-lt-filter": "dev-master",
    "noisebynorthwest/php-spx": "dev-master"
  }
}

Output of composer diagnose:

Checking composer.json: WARNING
No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license.
Checking platform settings: OK
Checking git settings: OK git version 2.41.0
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com rate limit: OK
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: OK
Composer version: 2.6.5
PHP version: 8.2.11
PHP binary path: /opt/homebrew/Cellar/php/8.2.11/bin/php
OpenSSL version: OpenSSL 3.1.3 19 Sep 2023
cURL version: 8.4.0 libz 1.2.11 ssl (SecureTransport) OpenSSL/3.1.3
zip: extension present, unzip present, 7-Zip present (7zz)

When I run this command:

composer require -vvv --dev pereorga/pccd-lt-filter

I get the following output:

Running 2.6.5 (2023-10-06 10:11:52) with PHP 8.2.11 on Darwin / 22.6.0
Reading ./composer.json (/Users/pere/dev/composer-test/composer.json)
Loading config file ./composer.json (/Users/pere/dev/composer-test/composer.json)
Checked CA file /opt/homebrew/etc/ca-certificates/cert.pem: valid
Executing command (/Users/pere/dev/composer-test): 'git' 'branch' '-a' '--no-color' '--no-abbrev' '-v'
Executing command (/Users/pere/dev/composer-test): git describe --exact-match --tags
Executing command (CWD): git --version
Executing command (/Users/pere/dev/composer-test): git log --pretty="%H" -n1 HEAD --no-show-signature
Executing command (/Users/pere/dev/composer-test): hg branch
Executing command (/Users/pere/dev/composer-test): fossil branch list
Executing command (/Users/pere/dev/composer-test): fossil tag list
Executing command (/Users/pere/dev/composer-test): svn info --xml
Failed to initialize global composer: Composer could not find the config file: /Users/pere/.composer/composer.json

Reading /Users/pere/dev/composer-test/vendor/composer/installed.json
./composer.json has been updated
Reading ./composer.json (/Users/pere/dev/composer-test/composer.json)
Loading config file ./composer.json (/Users/pere/dev/composer-test/composer.json)
Executing command (/Users/pere/dev/composer-test): 'git' 'branch' '-a' '--no-color' '--no-abbrev' '-v'
Executing command (/Users/pere/dev/composer-test): git describe --exact-match --tags
Executing command (/Users/pere/dev/composer-test): git log --pretty="%H" -n1 HEAD --no-show-signature
Executing command (/Users/pere/dev/composer-test): hg branch
Executing command (/Users/pere/dev/composer-test): fossil branch list
Executing command (/Users/pere/dev/composer-test): fossil tag list
Executing command (/Users/pere/dev/composer-test): svn info --xml
Failed to initialize global composer: Composer could not find the config file: /Users/pere/.composer/composer.json

Reading /Users/pere/dev/composer-test/vendor/composer/installed.json
Running composer update pereorga/pccd-lt-filter
Loading composer repositories with package information
Built pool.
Running pool optimizer.
Updating dependencies
Generating rules
Resolving dependencies through SAT
Looking at all rules.

Dependency resolution completed in 0.000 seconds
Analyzed 102 packages to resolve dependencies
Analyzed 102 rules to resolve dependencies
Generating rules
Resolving dependencies through SAT
Looking at all rules.

Dependency resolution completed in 0.000 seconds
Lock file operations: 2 installs, 0 updates, 0 removals
Installs: noisebynorthwest/php-spx:dev-master master, pereorga/pccd-lt-filter:dev-master master
  - Locking noisebynorthwest/php-spx (dev-master master)
  - Locking pereorga/pccd-lt-filter (dev-master master)
Writing lock file
Installing dependencies from lock file (including require-dev)
Reading ./composer.lock (/Users/pere/dev/composer-test/composer.lock)
Nothing to install, update or remove
Generating autoload files
Reading /Users/pere/Library/Caches/composer/repo/https---repo.packagist.org/packages.json from cache
Downloading https://repo.packagist.org/p2/noisebynorthwest/php-spx.json
Downloading https://repo.packagist.org/p2/pereorga/pccd-lt-filter.json
[404] https://repo.packagist.org/p2/noisebynorthwest/php-spx.json
[404] https://repo.packagist.org/p2/pereorga/pccd-lt-filter.json
Downloading https://packagist.org/api/security-advisories/
[200] https://packagist.org/api/security-advisories/
No security vulnerability advisories found.
Using version dev-master for pereorga/pccd-lt-filter

This is added to composer.lock:

"stability-flags": {
  "noisebynorthwest/php-spx": 20
},

Then, when I run this command:

composer require -vvv --dev noisebynorthwest/php-spx

I get the following output:

Running 2.6.5 (2023-10-06 10:11:52) with PHP 8.2.11 on Darwin / 22.6.0
Reading ./composer.json (/Users/pere/dev/composer-test/composer.json)
Loading config file ./composer.json (/Users/pere/dev/composer-test/composer.json)
Checked CA file /opt/homebrew/etc/ca-certificates/cert.pem: valid
Executing command (/Users/pere/dev/composer-test): 'git' 'branch' '-a' '--no-color' '--no-abbrev' '-v'
Executing command (/Users/pere/dev/composer-test): git describe --exact-match --tags
Executing command (CWD): git --version
Executing command (/Users/pere/dev/composer-test): git log --pretty="%H" -n1 HEAD --no-show-signature
Executing command (/Users/pere/dev/composer-test): hg branch
Executing command (/Users/pere/dev/composer-test): fossil branch list
Executing command (/Users/pere/dev/composer-test): fossil tag list
Executing command (/Users/pere/dev/composer-test): svn info --xml
Failed to initialize global composer: Composer could not find the config file: /Users/pere/.composer/composer.json

Reading ./composer.lock (/Users/pere/dev/composer-test/composer.lock)
Reading /Users/pere/dev/composer-test/vendor/composer/installed.json
./composer.json has been updated
Reading ./composer.json (/Users/pere/dev/composer-test/composer.json)
Loading config file ./composer.json (/Users/pere/dev/composer-test/composer.json)
Executing command (/Users/pere/dev/composer-test): 'git' 'branch' '-a' '--no-color' '--no-abbrev' '-v'
Executing command (/Users/pere/dev/composer-test): git describe --exact-match --tags
Executing command (/Users/pere/dev/composer-test): git log --pretty="%H" -n1 HEAD --no-show-signature
Executing command (/Users/pere/dev/composer-test): hg branch
Executing command (/Users/pere/dev/composer-test): fossil branch list
Executing command (/Users/pere/dev/composer-test): fossil tag list
Executing command (/Users/pere/dev/composer-test): svn info --xml
Failed to initialize global composer: Composer could not find the config file: /Users/pere/.composer/composer.json

Reading ./composer.lock (/Users/pere/dev/composer-test/composer.lock)
Reading /Users/pere/dev/composer-test/vendor/composer/installed.json
Running composer update noisebynorthwest/php-spx
Loading composer repositories with package information
Built pool.
Running pool optimizer.
Updating dependencies
Generating rules
Resolving dependencies through SAT
Looking at all rules.

Dependency resolution completed in 0.000 seconds
Analyzed 102 packages to resolve dependencies
Analyzed 102 rules to resolve dependencies
Nothing to modify in lock file
Generating rules
Resolving dependencies through SAT
Looking at all rules.

Dependency resolution completed in 0.000 seconds
Writing lock file
Installing dependencies from lock file (including require-dev)
Reading ./composer.lock (/Users/pere/dev/composer-test/composer.lock)
Nothing to install, update or remove
Generating autoload files
Reading /Users/pere/Library/Caches/composer/repo/https---repo.packagist.org/packages.json from cache
Downloading https://repo.packagist.org/p2/noisebynorthwest/php-spx.json
Downloading https://repo.packagist.org/p2/pereorga/pccd-lt-filter.json
[404] https://repo.packagist.org/p2/pereorga/pccd-lt-filter.json
[404] https://repo.packagist.org/p2/noisebynorthwest/php-spx.json
Downloading https://packagist.org/api/security-advisories/
[200] https://packagist.org/api/security-advisories/
No security vulnerability advisories found.
Using version dev-master for noisebynorthwest/php-spx

This is added to composer.lock:

"stability-flags": {
  "pereorga/pccd-lt-filter": 20
},

(and noisebynorthwest/php-spx is removed)

Expected result

I expect stability flags to not be added or removed for unrelated packages.
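
A check for the drift reported above, as an added example that is not part of the original issue and is not Composer's own code: it diffs the `stability-flags` map of two `composer.lock` snapshots and separates changes to the package named on the command line from changes to unrelated packages. The function names are hypothetical, the inputs are constructed from the two fragments quoted in the issue, and the level names assume Composer's numeric stability constants (0 stable, 5 RC, 10 beta, 15 alpha, 20 dev).

```python
import json

# Composer's numeric stability levels as stored in composer.lock (assumed mapping).
STABILITY_NAMES = {0: "stable", 5: "RC", 10: "beta", 15: "alpha", 20: "dev"}


def stability_flags(lock_text):
    """Return the stability-flags map of a composer.lock document."""
    flags = json.loads(lock_text).get("stability-flags", {})
    # An empty map can appear as [] because PHP encodes an empty array that way.
    if isinstance(flags, list):
        if flags:
            raise ValueError("non-empty stability-flags list is not a valid map")
        return {}
    return {name.lower(): int(level) for name, level in flags.items()}


def flag_drift(old_lock, new_lock, targets):
    """Diff stability-flags between two lock files.

    Returns (unrelated, related): lists of (package, old, new) tuples, split by
    whether the package is one of the `targets` that were required or updated.
    """
    old, new = stability_flags(old_lock), stability_flags(new_lock)
    targets = {t.lower() for t in targets}
    unrelated, related = [], []
    for pkg in sorted(old.keys() | new.keys()):
        before, after = old.get(pkg), new.get(pkg)
        if before != after:
            (related if pkg in targets else unrelated).append((pkg, before, after))
    return unrelated, related


def _label(level):
    return "absent" if level is None else STABILITY_NAMES.get(level, str(level))


def describe(change):
    pkg, before, after = change
    return f"{pkg}: {_label(before)} -> {_label(after)}"


# Constructed inputs: only the stability-flags fragments quoted in the issue.
LOCK_AFTER_FIRST = '{"stability-flags": {"noisebynorthwest/php-spx": 20}}'
LOCK_AFTER_SECOND = '{"stability-flags": {"pereorga/pccd-lt-filter": 20}}'

if __name__ == "__main__":
    unrelated, related = flag_drift(
        LOCK_AFTER_FIRST, LOCK_AFTER_SECOND, ["noisebynorthwest/php-spx"])
    for change in unrelated:
        print("unrelated package changed:", describe(change))
    for change in related:
        print("requested package changed:", describe(change))
```

Run against the lock file before and after a `composer require` or partial update, a non-empty `unrelated` list is the condition this issue describes.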

@pereorga pereorga changed the title Requiring a package from a git repository inconsistently adds and removes stability-flags from other packages in composer.lock Requiring or updating a package from a git repository inconsistently adds and removes stability-flags from other packages in composer.lock Nov 1, 2023
@Seldaek
Member

Seldaek commented Nov 8, 2023

Interesting, seems to be an issue with require, perhaps partial updates. In any case it looks like I can reproduce it. Thanks for the good repro case.

@Seldaek Seldaek added this to the 2.6 milestone Nov 8, 2023
@Seldaek Seldaek added the Bug label Nov 8, 2023
@Seldaek Seldaek modified the milestones: 2.6, 2.7 Feb 7, 2024