In this post to his site Marc Morera talks about Composer dependencies and an issue that can come up with two things: having a large number of dependencies and minimum PHP version requirements (and when they change).
Any final project needs a lot of dependencies, and even if your composer.json file is small, you may need a dependency with a lot of dependencies. [...] Computing the real dependencies in my environment seems a great solution, right? I run composer update in my computer, I update the composer.lock version in the repository, and then I only need to do composer install. What I reduce here is the computing time of all recursive dependencies from 20+ minutes to less than 5 minutes. [...] Why this is a bad solution?
He explains that some projects will change the PHP version requirement in a minor version, potentially causing your build to break on other versions without you changing anything. He points out that there's "no good solution" he sees but does recommend good upkeep of your
composer.json as a
composer update is the best course of action. He also makes recommendations to the library developers about keeping requirements scope as wide as possible and only defining specifics when the project is finalized.