Question

php composer.phar update did this (removed the 2.3.0 packages and installed the entire 2.2.5 Zend Framework):

$ php composer.phar update
Loading composer repositories with package information
Updating dependencies (including require-dev)
  - Removing zendframework/zend-filter (2.3.0)
  - Removing zendframework/zend-view (2.3.0)
  - Removing zendframework/zend-eventmanager (2.3.0)
  - Removing zendframework/zend-loader (2.3.0)
  - Removing zendframework/zend-escaper (2.3.0)
  - Removing zendframework/zend-log (2.3.0)
  - Removing zendframework/zend-servicemanager (2.3.0)
  - Removing zendframework/zend-stdlib (2.3.0)
  - Installing zendframework/zendframework (2.2.5)
    Loading from cache
Writing lock file
Generating autoload files

Why did it do that? My composer.json looks like this and suggests nothing of the sort that directed the above course of events:

"repositories":[
    {
        "type":"composer",
        "url":"https://packagist.org/"
    },
    {
        "type":"composer",
        "url":"http://packages.zendframework.com/"
    }
],
"require": {
    "zendframework/zend-log" : "2.*",
    "zendframework/zend-escaper" : "2.*",
    "zendframework/zend-filter" : "2.*",
    "zendframework/zend-view" : "2.*"
}

My expectation was: remove 2.3.0, install 2.3.1 packages.


Solution

My answer doesn't quite describe why it was downgraded, since the algorithms in Composer are quite intensive (that is why update takes way longer than installing with a .lock). They go through all of your dependencies, all of the potential versions, and what each dependency's versions' dependencies are. After getting all of this information it tries to come up with a "perfect" match.

Sometimes the slightest change in your dependencies, or a dependency's dependencies, can create drastic changes. Also, you'll sometimes see that it is impossible to resolve your dependencies because one dependency may require symfony/http-foundation ~2.5 and one may require symfony/http-foundation 2.1.* (this isn't what happened in your case, but it is good to know).

All in all, the moral of the story is you should be as specific as possible with your composer.json (especially in production). That way, you can always be in control of what version you use rather than letting Composer decide. Worst case, you run a composer update and it cannot resolve your dependencies. Then do some research on Packagist to see which versions will happily resolve together.

I suggest using either version ~2.3 (which is the same as >= 2.3 and < 3) or 2.3.*. Then Composer won't even try version 2.2.5. Check Composer's documentation to see how you can express different package versions.
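The constraint forms discussed in the answer, as an added example that is not part of the original post and is not Composer's own code: a simplified Python matcher for wildcard and tilde constraints, run against the three versions mentioned in the question. The function names are hypothetical, and it assumes plain numeric x.y.z versions with no stability flags.

```python
def parse(version):
    """Turn '2.3.1' into (2, 3, 1); missing segments become 0."""
    nums = [int(p) for p in version.split(".")]
    return tuple(nums + [0] * (3 - len(nums)))


def _pad(nums):
    return tuple(nums + [0] * (3 - len(nums)))


def bounds(constraint):
    """Return (lower_inclusive, upper_exclusive) for 'X.*', 'X.Y.*' or '~X.Y[.Z]'."""
    c = constraint.strip()
    if c.startswith("~"):
        nums = [int(p) for p in c[1:].split(".")]
        # Tilde lets the last given segment grow: ~2.3 -> <3.0.0, ~2.3.1 -> <2.4.0
        head = nums[:-1] if len(nums) > 1 else nums
        return _pad(nums), _pad(head[:-1] + [head[-1] + 1])
    if c.endswith(".*"):
        nums = [int(p) for p in c[:-2].split(".")]
        # Wildcard fixes the given segments: 2.* -> <3.0.0, 2.3.* -> <2.4.0
        return _pad(nums), _pad(nums[:-1] + [nums[-1] + 1])
    raise ValueError("unsupported constraint form: %r" % constraint)


def satisfies(version, constraint):
    lower, upper = bounds(constraint)
    return lower <= parse(version) < upper


def allowed(constraint, candidates):
    """Candidates a resolver is free to pick under this constraint."""
    return [v for v in candidates if satisfies(v, constraint)]


# Constructed candidate list: the versions that appear in the question.
CANDIDATES = ["2.2.5", "2.3.0", "2.3.1"]

if __name__ == "__main__":
    for constraint in ("2.*", "~2.3", "2.3.*"):
        print("%-6s allows %s" % (constraint, allowed(constraint, CANDIDATES)))
```

With `2.*`, version 2.2.5 is a valid pick, so a downgrade does not violate composer.json; `~2.3` and `2.3.*` both exclude it, and differ only in that `~2.3` also admits 2.4 and later 2.x releases.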

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow