Rob

Any chance you could get us some debugging output showing the values of these lines? https://github.com/composer/composer/blob/main/src/Composer/Autoload/AutoloadGenerator.php#L1147-L1155 The "easiest" way to do this would be to run composer from source (git...

That's a bit harsh maybe. It looks like @Alex300 is a big contributor to Cotonti. Maybe he is simply trying to modernize the framework/application? The way support for Composer was...

Since we already support `COMPOSER_AUTH`, I see no motivation to support something else. You can even nest a variable inside said variable. Supporting ENV variables inside configuration files is not...

This is not really feasible. The majority of downloads are automatically fetched from github's dist API. Users have no way of knowing up front what exactly the hash will be,...

https://github.com/composer/composer/blob/0f373e3249b0d9523c94766d69d47676f190fdb4/src/Composer/Downloader/FileDownloader.php#L137-L184 Are you sure your "package.json" is actually read? Did you run your composer install or update command in `-vvv` mode?

Can you share your verbose output with us?

Ah, yeah, it is actually documented also: https://github.com/composer/composer/blob/8eae15182c171bc33fc558c1f88ea3e832674c3c/res/composer-schema.json#L826 But since it is most often used only internally, I kind of forgot about it.

~I *think* `composer diagnose` validates the schema? Not certain.~ Never mind, it is `validate` yeah, and probably most people do not run that often.

I am not opposed to this, I am just not sure if it should be `--prevent-ambiguous` or if maybe a more generic `--strict` would be more suited.

That's because `stderr` is not only for errors, unlike a lot of people seem to think. Writing to `stderr` does not imply something went wrong and it is a horrible...