Jordi Boggiano

Yeah but as we pin the php version using platform config it breaks dependency resolution, I'd rather not mess around with this.. Will just wait a bit for phpstan v2...

Yup that we have already so indeed not in a rush for v2

Composer 2 adds --with flag so you can run `composer update --with drupal/core:8.5.1` for example which explicitly requires that version (without changing the requirement in composer.json), and does a partial...

Maybe.. Feel free to PR

I think I agree with this in principle.. But I am really worried what the impact will be on packagist. I wonder how many packages do this wrong and will...

Yeah good point.. and that's too many I'd say. 26000 conflicts in 1148 packages found, including 3800 packages that have problems in dev versions (those would start erroring with validation...

Sure, but this PR is only adding warnings for `require` + `conflict`, not require-dev. What I meant by `including 3800 packages that have problems in dev versions` in case that's...

I had a closer look and it seems if we gate this behind a new CHECK_* flag (see self::CHECK_STRICT_CONSTRAINTS in the code), then it would be included in the validate...

> I'm not sure I even agree with the premise here. I think it may be more accurate to require foo/bar ^2.0 and conflict with 2.4.7 if that contained some...

Ok I think in the current state I'm ok with the PR, given it won't warn on packagist.org, and users of `validate` can use `--no-check-all` to skip the various constraint...