Personally there are a few times where I tend to screw up with Composer for PHP the most. At the high level its going to be very obvious that the main reason for these comes from versioning. It's a pain in the ass to say yes my app can use v1, v2, v4, but not v3. Once you leave the small set of packages directly related to Composer itself, very few are sitting there juggling version constraints in the real world. Most version constraints are set expecting "features could ever be removed or broken from this point on" and nothing is ever going to fix that human problem, leaving the best solution for the time - work around it.
The Production Server
The first way where I tend to screw up is during the process of publishing to production. We have a lot of small projects and a small team, and not much time has been spent on the deployment system. Once it is decided it is time, here is the strat I currently use to deploy as the department head:
'Is It Working?'
"It Is working."
'Ok, Going Live.'
$ ssh prod
$ git pull && composer install && phinx migrate
'Ok, It Is Live.'
And this is fine. Until you are stupid like me and type composer update instead of composer install on production. Then it's a race to rm -rf vendor and composer install again before anybody notices, because you're never going to mash CTRL+C fast enough to not have fucked everything up. Sure a script that runs these things for me would stop that from happening but this is only one project of many, and one of a few use cases. Could be fixed by setting version constraints to today's maximum, and then editing those constraints as we go which sounds super annoying. Another fix could have been to have a road block stopping me from doing that on production.
the Greenish Field
Another other time I end up punching myself in the face is with an internal framework we are still heavily iterating, iterating over too frequently to deal with tagging versions, so the version is dev-master oh no. Two months ago I implemented some upgrades that were not friendly to ONE of our website projects... and I even knew this... I went into that project and wrote a page of comments about how if you are here, this probably broke, because of the update in the thing, and also by the way here is some prototype code you might need to fix it, as there was just not enough hours in the day to make it solid right then and there.
But then I forgot.
6 weeks after that a composer update happened, everything seemed fine except this one case, and it was not found until a week and a half over that. Then I spent about 2 hours stepping through code until I found the message I left for myself about the exact problem that was happening. Had there been something stopping me from doing that first composer update I could have warned myself into action before proceeding.
The third use case we had was after handing off an entire project to the people who commissioned the project originally, I wanted to put up a road block just in case they had someone over there smart enough to try picking up where we left off. Having the ability to put up a warning when doing composer update to stop them from taking on potentially too many new surprises would be extremely valuable - as much as I would enjoy the billable hours when they have to call about the house burning down.
To try and take some proactive progress on some of my Twitter ranting, decided to start working on a plugin for Composer to help me do (or in this case, not do) some things. Elected for a super generic name since I expect this will not be the only feature in in it eventually.
If composer-update-warning.txt exists in the same directory as composer.json then any time you try update, it will fail citing the contents of that file. That's all there is to it, that file can be made and read by anything so you don't have to actually update it to see why there is a warning against updating it. To allow updating again empty or delete the file. It also adds a new command, set-update-warning, that can make the file for you. The page on Packagist and Github can give you all the details about the actual usage of the plugin.