How composer `extra.symfony.require` restriction is enforced?

Question

Let's say I have a Symfony v4.4 (Flex) project with the following block in the composer.json :

"extra": {
    "symfony": {
        "allow-contrib": false,
        "require": "4.4.*"
    }
}

As expected, it restricts the Symfony core packages to stick to the v4.4 version.

symfony/monolog-bridge package respects it, so you cannot install symfony/monolog-bridge ~4.3.0 or ^5.0 .

Yet you can install symfony/monolog-bundle ~3.5.0 , which is also expected, given it's just a bundle that is not part of the core Symfony framework and which has its own independent release and versioning cycle.

What I cannot understand is what helps composer to distinguish, which of those packages a Symfony core package so that extra.symfony.require restriction was applied, and which is not?

I originally thought it's the composer's type property that makes it possible, but I cannot find any traces of symfony-bridge type being any unique. If it is - a link to source code or documentation would be extremely helpful.

UPD :

The default Symfony (with Flex) v4.4 composer.json:

{
    "name": "symfony/website-skeleton",
    "type": "project",
    "license": "MIT",
    "description": "A skeleton to start a new Symfony website",
    "require": {
        "php": "^7.1.3",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "sensio/framework-extra-bundle": "^5.1",
        "symfony/asset": "*",
        "symfony/console": "*",
        "symfony/dotenv": "*",
        "symfony/expression-language": "*",
        "symfony/flex": "^1.3.1",
        "symfony/form": "*",
        "symfony/framework-bundle": "*",
        "symfony/http-client": "*",
        "symfony/intl": "*",
        "symfony/mailer": "*",
        "symfony/monolog-bundle": "^3.1",
        "symfony/orm-pack": "*",
        "symfony/process": "*",
        "symfony/security-bundle": "*",
        "symfony/serializer-pack": "*",
        "symfony/translation": "*",
        "symfony/twig-pack": "*",
        "symfony/validator": "*",
        "symfony/web-link": "*",
        "symfony/yaml": "*"
    },
    "require-dev": {
        "symfony/debug-pack": "*",
        "symfony/maker-bundle": "^1.0",
        "symfony/profiler-pack": "*",
        "symfony/test-pack": "*"
    },
    "config": {
        "preferred-install": {
            "*": "dist"
        },
        "sort-packages": true
    },
    "autoload": {
        "psr-4": {
            "App\\": "src/"
        }
    },
    "autoload-dev": {
        "psr-4": {
            "App\\Tests\\": "tests/"
        }
    },
    "replace": {
        "paragonie/random_compat": "2.*",
        "symfony/polyfill-ctype": "*",
        "symfony/polyfill-iconv": "*",
        "symfony/polyfill-php71": "*",
        "symfony/polyfill-php70": "*",
        "symfony/polyfill-php56": "*"
    },
    "scripts": {
        "auto-scripts": {
            "cache:clear": "symfony-cmd",
            "assets:install %PUBLIC_DIR%": "symfony-cmd"
        },
        "post-install-cmd": [
            "@auto-scripts"
        ],
        "post-update-cmd": [
            "@auto-scripts"
        ]
    },
    "conflict": {
        "symfony/symfony": "*"
    },
    "extra": {
        "symfony": {
            "allow-contrib": false,
            "require": "4.4.*"
        }
    }
}

now if you add "symfony/monolog-bridge": "^5.0" dependency and composer update you'd get

$ composer update
Loading composer repositories with package information
Updating dependencies (including require-dev)
Restricting packages listed in "symfony/symfony" to "4.4.*"
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - The requested package symfony/monolog-bridge ^5.0 exists as symfony/monolog-bridge[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1] but these are rejected by your constraint.
  Problem 2
    - symfony/monolog-bundle v3.5.0 requires symfony/monolog-bridge ~3.4 || ~4.0 || ^5.0 -> satisfiable by symfony/monolog-bridge[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1] but these conflict with your requirements or minimum-stability.
    - symfony/monolog-bundle v3.5.0 requires symfony/monolog-bridge ~3.4 || ~4.0 || ^5.0 -> satisfiable by symfony/monolog-bridge[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1] but these conflict with your requirements or minimum-stability.
    - symfony/monolog-bundle v3.4.0 requires symfony/monolog-bridge ~3.4|~4.0 -> satisfiable by symfony/monolog-bridge[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1] but these conflict with your requirements or minimum-stability.
    - symfony/monolog-bundle v3.3.1 requires symfony/monolog-bridge ~2.7|~3.3|~4.0 -> satisfiable by symfony/monolog-bridge[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1] but these conflict with your requirements or minimum-stability.
    - symfony/monolog-bundle v3.3.0 requires symfony/monolog-bridge ~2.7|~3.3|~4.0 -> satisfiable by symfony/monolog-bridge[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1] but these conflict with your requirements or minimum-stability.
    - symfony/monolog-bundle v3.2.0 requires symfony/monolog-bridge ~2.7|~3.0|~4.0 -> satisfiable by symfony/monolog-bridge[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1] but these conflict with your requirements or minimum-stability.
    - symfony/monolog-bundle v3.1.2 requires symfony/monolog-bridge ~2.7|~3.0|~4.0 -> satisfiable by symfony/monolog-bridge[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1] but these conflict with your requirements or minimum-stability.
    - symfony/monolog-bundle v3.1.1 requires symfony/monolog-bridge ~2.7|~3.0|~4.0 -> satisfiable by symfony/monolog-bridge[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1] but these conflict with your requirements or minimum-stability.
    - symfony/monolog-bundle v3.1.0 requires symfony/monolog-bridge ~2.7|~3.0 -> no matching package found.
    - Installation request for symfony/monolog-bundle ^3.1 -> satisfiable by symfony/monolog-bundle[v3.1.0, v3.1.1, v3.1.2, v3.2.0, v3.3.0, v3.3.1, v3.4.0, v3.5.0].

Potential causes:
 - A typo in the package name
 - The package is not available in a stable-enough version according to your minimum-stability setting
   see <https://getcomposer.org/doc/04-schema.md#minimum-stability> for more details.
 - It's a private package and you forgot to add a custom repository to find it

Read <https://getcomposer.org/doc/articles/troubleshooting.md> for further common problems.

The question remains - how symfony knows that package should be restricted by v4.4

Answer 1

As far as I know Flex uses the list of components from the symfony/symfony metapackage, according to the message in your output:

Restricting packages listed in "symfony/symfony" to "4.4.*"

You can find the list of packages in the corresponding composer.json or on packagist:

• https://packagist.org/packages/symfony/symfony
• https://github.com/symfony/symfony/blob/master/composer.json#L38-L100

This is the current list for 4.4.1:

symfony/asset: v4.4.1
symfony/amazon-mailer: v4.4.1
symfony/browser-kit: v4.4.1
symfony/cache: v4.4.1
symfony/config: v4.4.1
symfony/console: v4.4.1
symfony/css-selector: v4.4.1
symfony/dependency-injection: v4.4.1
symfony/debug: v4.4.1
symfony/debug-bundle: v4.4.1
symfony/doctrine-bridge: v4.4.1
symfony/dom-crawler: v4.4.1
symfony/dotenv: v4.4.1
symfony/error-handler: v4.4.1
symfony/event-dispatcher: v4.4.1
symfony/expression-language: v4.4.1
symfony/filesystem: v4.4.1
symfony/finder: v4.4.1
symfony/form: v4.4.1
symfony/framework-bundle: v4.4.1
symfony/google-mailer: v4.4.1
symfony/http-client: v4.4.1
symfony/http-foundation: v4.4.1
symfony/http-kernel: v4.4.1
symfony/inflector: v4.4.1
symfony/intl: v4.4.1
symfony/ldap: v4.4.1
symfony/lock: v4.4.1
symfony/mailchimp-mailer: v4.4.1
symfony/mailer: v4.4.1
symfony/mailgun-mailer: v4.4.1
symfony/messenger: v4.4.1
symfony/mime: v4.4.1
symfony/monolog-bridge: v4.4.1
symfony/options-resolver: v4.4.1
symfony/postmark-mailer: v4.4.1
symfony/process: v4.4.1
symfony/property-access: v4.4.1
symfony/property-info: v4.4.1
symfony/proxy-manager-bridge: v4.4.1
symfony/routing: v4.4.1
symfony/security: v4.4.1
symfony/security-core: v4.4.1
symfony/security-csrf: v4.4.1
symfony/security-guard: v4.4.1
symfony/security-http: v4.4.1
symfony/security-bundle: v4.4.1
symfony/sendgrid-mailer: v4.4.1
symfony/serializer: v4.4.1
symfony/stopwatch: v4.4.1
symfony/templating: v4.4.1
symfony/translation: v4.4.1
symfony/twig-bridge: v4.4.1
symfony/twig-bundle: v4.4.1
symfony/validator: v4.4.1
symfony/var-dumper: v4.4.1
symfony/var-exporter: v4.4.1
symfony/web-link: v4.4.1
symfony/web-profiler-bundle: v4.4.1
symfony/web-server-bundle: v4.4.1
symfony/workflow: v4.4.1
symfony/yaml: v4.4.1

As for symfony/monolog-bundle , which is not in the list, it will be installed in a version which does not conflict with other packages. In other words it will be installed in whatever version fits best for Symfony 4.