Using symfony/symfony makes Composer install all Symfony Components in the same version. But when using the standalone packages, Composer might install dependencies in a different major version - for example, symfony/validator v2.8 is compatible with symfony/translation v3.0.

The Problem

This is fine if you don't want to stick strictly to Symfony LTS versions, but it does mean that you could end up using versions of components which no longer receive security updates:

The Solution

We could manually composer require every single Symfony component in certain versions, even the ones we don't directly depend on, but that can be a hassle. Instead, I've created a Composer metapackage which prevents Composer from installing those unsupported versions.

Adding it to your project is as simple as running:

composer require --dev colinodell/symfony-lts-or-current:dev-master

Installing colinodell/symfony-lts-or-current package forces Composer to always use an LTS or current version of Symfony Components, regardless of whether they are explicitly listed as a project's dependency or installed transitively:

As of this article's publish date, the colinodell/symfony-lts-or-current package will only allow these Symfony versions to be installed:

• 2.8.x (LTS)
• 3.4.x (LTS)
• 4.1.x (current version)

(Although 2.7 and 4.0 still receive security updates, they are not current or LTS releases and are therefore excluded)

Alternative: symfony/lts

Astute readers may notice that this metapackage is somewhat similar to symfony/lts but with one key difference: symfony/lts forces ALL components to the be SAME version, whereas this allows newer versions to be installed provided they are LTS or current.