composer installs 4.3 by default

[loranger]

• Deployer version: would like to get 7, had 4.3
• Deployment OS: Docker

I'd like to upgrade a laravel project and its dependencies, such as deployer, but I struggle with upgrading versions, so I tried a kind of unit test in order to understand the issue.

It seems composer require deployer/deployer provides deployer 4.3 instead of the latest version.

Here is my testing setup:

docker-compose.yml

version: "3.4"

services:

  php-fpm: &php-fpm
    build:
      context: .
      dockerfile: ./Dockerfile
    volumes:
      - ./:/app
    command: "php -S 0.0.0.0:80 /app/index.php"

  composer:
    <<: *php-fpm
    working_dir: /app/
    command: -V
    entrypoint: ['/usr/bin/composer']

Dockerfile

FROM php:alpine

RUN apk add --no-cache libzip-dev libpng-dev
RUN docker-php-ext-install gd zip

COPY --from=composer:latest /usr/bin/composer /usr/bin/composer

WORKDIR /app
EXPOSE 80

composer.json

{
    "name": "loranger/testing"
}

With those three files, after building a php image (using latest php:alpine version which is PHP 8.1.7) if I try to install deployer, I only get 4.3 version which forbids me to continue my upgrade process.

$ docker-compose run --rm composer -V -vvv

Running 2.3.8 (2022-07-01 12:10:47) with PHP 8.1.7 on Linux / 5.10.104-linuxkit
Composer version 2.3.8 2022-07-01 12:10:47

$ docker-compose run --rm composer require deployer/deployer --dev --dry-run

Info from https://repo.packagist.org: #StandWithUkraine
Using version ^4.3 for deployer/deployer
./composer.json has been updated
Running composer update deployer/deployer
Loading composer repositories with package information
Updating dependencies
Lock file operations: 39 installs, 0 updates, 0 removals
  - Locking deployer/deployer (v4.3.4)
  - Locking elfet/pure (v3.0.0)
  - Locking evenement/evenement (v2.1.0)
  - Locking guzzlehttp/psr7 (1.9.0)
  - Locking monolog/monolog (1.27.1)
  - Locking phpseclib/phpseclib (2.0.37)
  - Locking pimple/pimple (v3.5.0)
  - Locking psr/cache (2.0.0)
  - Locking psr/container (1.1.2)
  - Locking psr/http-message (1.0.1)
  - Locking psr/log (1.1.4)
  - Locking ralouphie/getallheaders (3.0.3)
  - Locking react/cache (v0.4.2)
  - Locking react/child-process (v0.4.3)
  - Locking react/dns (v0.4.17)
  - Locking react/event-loop (v0.4.3)
  - Locking react/http (v0.4.4)
  - Locking react/http-client (v0.4.17)
  - Locking react/promise (v2.9.0)
  - Locking react/promise-timer (v1.6.0)
  - Locking react/react (v0.4.2)
  - Locking react/socket (v0.4.6)
  - Locking react/socket-client (v0.4.6)
  - Locking react/stream (v0.4.6)
  - Locking ringcentral/psr7 (1.3.0)
  - Locking symfony/cache (v5.4.10)
  - Locking symfony/cache-contracts (v2.5.2)
  - Locking symfony/console (v3.4.47)
  - Locking symfony/debug (v4.4.41)
  - Locking symfony/deprecation-contracts (v3.1.1)
  - Locking symfony/expression-language (v4.4.43)
  - Locking symfony/polyfill-ctype (v1.26.0)
  - Locking symfony/polyfill-mbstring (v1.26.0)
  - Locking symfony/polyfill-php73 (v1.26.0)
  - Locking symfony/polyfill-php80 (v1.26.0)
  - Locking symfony/process (v3.4.47)
  - Locking symfony/service-contracts (v2.5.2)
  - Locking symfony/var-exporter (v6.1.1)
  - Locking symfony/yaml (v3.4.47)
Installing dependencies from lock file (including require-dev)
Package operations: 39 installs, 0 updates, 0 removals
  - Installing symfony/polyfill-ctype (v1.26.0)
  - Installing symfony/yaml (v3.4.47)
  - Installing symfony/process (v3.4.47)
  - Installing symfony/polyfill-mbstring (v1.26.0)
  - Installing psr/log (1.1.4)
  - Installing symfony/debug (v4.4.41)
  - Installing symfony/console (v3.4.47)
  - Installing psr/container (1.1.2)
  - Installing pimple/pimple (v3.5.0)
  - Installing phpseclib/phpseclib (2.0.37)
  - Installing monolog/monolog (1.27.1)
  - Installing symfony/deprecation-contracts (v3.1.1)
  - Installing symfony/service-contracts (v2.5.2)
  - Installing symfony/var-exporter (v6.1.1)
  - Installing symfony/polyfill-php80 (v1.26.0)
  - Installing symfony/polyfill-php73 (v1.26.0)
  - Installing psr/cache (2.0.0)
  - Installing symfony/cache-contracts (v2.5.2)
  - Installing symfony/cache (v5.4.10)
  - Installing symfony/expression-language (v4.4.43)
  - Installing evenement/evenement (v2.1.0)
  - Installing react/stream (v0.4.6)
  - Installing react/promise (v2.9.0)
  - Installing react/event-loop (v0.4.3)
  - Installing react/promise-timer (v1.6.0)
  - Installing react/cache (v0.4.2)
  - Installing react/dns (v0.4.17)
  - Installing react/socket-client (v0.4.6)
  - Installing react/socket (v0.4.6)
  - Installing ralouphie/getallheaders (3.0.3)
  - Installing psr/http-message (1.0.1)
  - Installing guzzlehttp/psr7 (1.9.0)
  - Installing react/http-client (v0.4.17)
  - Installing ringcentral/psr7 (1.3.0)
  - Installing react/http (v0.4.4)
  - Installing react/child-process (v0.4.3)
  - Installing react/react (v0.4.2)
  - Installing elfet/pure (v3.0.0)
  - Installing deployer/deployer (v4.3.4)
25 package suggestions were added by new dependencies, use `composer suggest` to see details.
Package elfet/pure is abandoned, you should avoid using it. No replacement was suggested.
Package react/http-client is abandoned, you should avoid using it. Use react/http instead.
Package react/socket-client is abandoned, you should avoid using it. Use react/socket instead.
Package symfony/debug is abandoned, you should avoid using it. Use symfony/error-handler instead.

Of course, I could lock the version to v7.0.0-rc.8, v8.x-dev or maybe dev-master, but I would prefer to get the latest stable release as we used to get when calling composer require with not specified version, and as written in the doc.

Is deployer 4.3 really the latest stable version ? Am I the only one having such an old version ? Am I missing something ?