The Composer schema spec [[https://getcomposer.org/doc/04-schema.md#package-links|has this to say]] about explicit commit references (i.e. constraints like `"dev-master#2eb0c0978d290a1c45346a1955188929cb4e5db7"`):
> This feature has severe technical limitations, as the composer.json metadata will still be read from the branch name you specify before the hash. You should therefore only use this as a temporary solution during development to remediate transient issues, until you can switch to tagged releases. The Composer team does not actively support this feature and will not accept bug reports related to it.
Let this sink in: when using an explicit commit reference, the composer.json data (including the autoloading specification, dependencies, etc.) will be from a different version of the library than the actual files. If the explicitly referenced commit and the current head of master differ in any functionality-affecting composer.json metadata, the library will be broken and unusable.
Found out about this because MediaWiki 1.31 pins phpstorm-stubs, to which `"autoload": { "files": ["PhpStormStubsMap.php"] }` [[https://github.com/JetBrains/phpstorm-stubs/commit/9502cfe9bb44f6c011af49c552d2a0b6152dd537#diff-b5d0ee8c97c7abd7e3fa29b9a27d1780R22|was added]] yesterday. So now installing MediaWiki 1.31 without `--no-dev` results in a broken install which immediately fatals because the Composer autoloader registration process tries to execute a file that doesn't exist, causing breakage [[https://travis-ci.org/SemanticMediaWiki/SemanticMediaWiki/jobs/551044301|like this]].
So apparently explicit commit references are an antipattern that we should avoid in all our publicly released software.
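
A release check for this antipattern, as an added example that is not part of the original report or of Composer itself: it lists explicit commit references in a composer.json and shows the metadata/file mismatch described above. The sample manifest, commit hash, file tree and function names are constructed for illustration.

```python
import json
import re

# Matches constraints such as "dev-master#2eb0c09..." (branch name, '#', commit hash).
COMMIT_PIN = re.compile(r"^(?P<branch>[^#\s]+)#(?P<commit>[0-9a-fA-F]{7,40})$")


def find_commit_pins(composer_json_text):
    """Return (section, package, branch, commit) for every explicit commit reference."""
    manifest = json.loads(composer_json_text)
    pins = []
    for section in ("require", "require-dev"):
        for package, constraint in manifest.get(section, {}).items():
            match = COMMIT_PIN.match(constraint.strip())
            if match:
                pins.append((section, package, match["branch"], match["commit"]))
    return pins


def missing_autoload_files(branch_head_metadata, files_at_pinned_commit):
    """Autoload 'files' entries declared at the branch head but absent from the pinned tree."""
    declared = branch_head_metadata.get("autoload", {}).get("files", [])
    return [path for path in declared if path not in files_at_pinned_commit]


# Constructed sample: a root composer.json with one commit pin and one tagged release.
SAMPLE_ROOT = """{
  "require": {"php": ">=7.0.0"},
  "require-dev": {
    "jetbrains/phpstorm-stubs": "dev-master#0123456789abcdef0123456789abcdef01234567",
    "example/tagged-lib": "1.2.3"
  }
}"""
# Constructed: metadata as read from the branch head vs. the files present at the older pin.
SAMPLE_HEAD_METADATA = {"autoload": {"files": ["PhpStormStubsMap.php"]}}
SAMPLE_PINNED_TREE = {"composer.json", "standard/standard_0.php"}

if __name__ == "__main__":
    for section, package, branch, commit in find_commit_pins(SAMPLE_ROOT):
        print(f"{section}: {package} pinned to {commit[:7]} on {branch}")
    print("missing:", missing_autoload_files(SAMPLE_HEAD_METADATA, SAMPLE_PINNED_TREE))
```

Running `find_commit_pins` over a project's composer.json in CI and failing on a non-empty result keeps such references out of tagged releases.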