We have a composer.json where we have a dependency on roave/security-advisories. One of my team has added some config to the extra property and composer validate is failing with complaints about the lock file. He tries to run composer update --lock and gets this output:

Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires dompdf/dompdf == 1.2.1.0 -> satisfiable by dompdf/dompdf[v1.2.1].
    - roave/security-advisories dev-master conflicts with dompdf/dompdf <2.0.1.
    - Root composer.json requires roave/security-advisories == dev-master -> satisfiable by roave/security-advisories[dev-master].

We obviously do need to update roave/security-advisories and dompdf/dompdf, but in the short term, is there no way to fix the lock file without doing that?

Wrong repo.