Question

In my case I'm trying to use the composer package "jeremykendall/password-validator" on a server that currently requires I use PHP 5.3.3-7+squeeze19.

But this lib requires PHP 5.3.7.

Any ideas of how I could get around this? Or test if it works?

I'm thinking I could fork the lib to test, but does anyone know any composer features that could help here?

Solution 2

The library in question has a test suite. Simply run its tests on your 5.3.3 box and if they work you can be more confident in using it.

I would speculate that they might not: the author must have a good reason for specifying that particular version of PHP. There may be a bugfix in 5.3.7 that part of the library depends on.

In that case, I would suggest you write a couple of your own unit tests to ensure the parts of your code that use the library still work on that environment.

Other tips

I'd suspect the reason for the requirements is the same as for ircmaxell's more famous password_compat library:

Requirements

This library requires PHP >= 5.3.7 OR a version that has the $2y fix backported into it (such as RedHat provides). Note that Debian's 5.3.3 version is NOT supported.

The runtime checks have been removed due to this version issue. To see if password_compat is available for your system, run the included version-test.php. If it outputs "Pass", you can safely use the library. If not, you cannot.

If you attempt to use password-compat on an unsupported version, attempts to create or verify hashes will return false. You have been warned!

The reason for this is that PHP prior to 5.3.7 contains a security issue with its BCRYPT implementation. Therefore, it's highly recommended that you upgrade to a newer version of PHP prior to using this layer.

It sounds like your 5.3.3 version does not have the backported fix (based on the fact that it looks Debian-based; confirm for yourself whether the fix has been backported specifically to your version or not), so you really shouldn't be running this code (or any bcrypt-based code) on 5.3.3, as it may open you up to actual security vulnerabilities.
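
An added example, not part of the original answers and not code from password_compat or password-validator: a probe, written in PHP 5.3-compatible syntax, that reports whether the build's crypt() actually produces and verifies `$2y$` bcrypt hashes, instead of trusting the version string alone. The function name, salt and passwords are constructed for illustration. A "no" means the build lacks `$2y$` support; a "yes" does not replace running the library's own version-test.php.

```php
<?php
// Added example, not part of password_compat or password-validator.
// PHP 5.3-compatible syntax (array(), no short arrays) so it runs on the old box.

/**
 * Probe whether crypt() on this build understands the $2y$ bcrypt prefix.
 * Returns an array of named checks; 'usable' is true only if all pass.
 */
function probe_bcrypt_2y()
{
    $checks = array(
        'php_version'  => PHP_VERSION,
        'version_gate' => version_compare(PHP_VERSION, '5.3.7', '>='),
        'blowfish'     => defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH == 1,
        'hash_shape'   => false,
        'round_trip'   => false,
        'rejects_bad'  => false,
    );

    if ($checks['blowfish']) {
        // Constructed salt: cost 04 (fast), 22 chars from the bcrypt alphabet.
        $salt = '$2y$04$' . 'ConstructedSaltForTest';
        $hash = crypt('correct horse', $salt);

        // A build without $2y$ support falls back to another scheme or
        // returns an error marker, so the result is not a 60-char $2y$ hash.
        $checks['hash_shape'] = is_string($hash)
            && strlen($hash) === 60
            && substr($hash, 0, 7) === '$2y$04$';

        if ($checks['hash_shape']) {
            // Verifying re-runs crypt() with the stored hash as the salt.
            $checks['round_trip']  = crypt('correct horse', $hash) === $hash;
            $checks['rejects_bad'] = crypt('wrong horse', $hash) !== $hash;
        }
    }

    // version_gate is reported but not required: a distro may backport the fix.
    $checks['usable'] = $checks['hash_shape']
        && $checks['round_trip']
        && $checks['rejects_bad'];

    return $checks;
}

$report = probe_bcrypt_2y();
foreach ($report as $name => $value) {
    echo str_pad($name, 14), is_bool($value) ? ($value ? 'yes' : 'no') : $value, "\n";
}
exit($report['usable'] ? 0 : 1);
```

Run it with the same PHP binary the web server uses (the CLI and the web SAPI can be different builds); the non-zero exit status on failure makes it usable as a deployment gate.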

License: CC-BY-SA with attribution
Not affiliated with StackOverflow