Hey.

On 11.11.2023 I've used composer image composer:2.6.5 and it contained PHP 8.2.x. Just now I pulled the same image tag, but got a different image, as it now contains PHP 8.3.0. This is technically a breaking change as it might violate php <= 8.2 constraint in the require section of composer.json, and it's also just not a good practice to publish different code under the same version without any notice.

Some tags, which are just links to other tags, are meant to change (like latest, or 2.6, or 2), but specific version tags really should not be updated.

This only happens for the community images. We do not consider it a BC as the PHP version of the container is irrelevant for us and it should not be relied upon by end users, as documented.

Edit: it seems official-images also get rebuilt sometimes. Not sure what the trigger was for that, not us at least.

Also note that our Dockerfile specifically states FROM php:8-alpine for all stages, meaning you can expect to get the latest 8.x version of PHP whenever the container is rebuilt.

Got it. Would it be possible to at least lock the base PHP image to a more specific version (php:8.3-alpine or php:8.3.0-alpine)? 8-alpine is a very broad constraint because it includes all 8.x versions, and those are major versions with possible breaking changes, which may backfire on composer some day.