Special handling required for stability suffixes

[fredden]

Following on from composer/composer#12719, I have today learned that the stability suffixes apply to the package and not the particular version constraint that it is written on. This means that the following composer.json can be further normalised:

{
    "require": {
        "symfony/uid": "^8.0 || ~8.1.0@dev"
    }
}

With this composer.json, running composer update --prefer-lowest will install version v8.0.0-BETA1. This means that the constraint could be normalised to ^8.0@dev (as the ^8.0 already covers / includes ~8.1.0, and the @dev is handled separately to the version constraint). Or perhaps @dev ^8.0 would be a more clear way to normalise this constraint.

[stof]

@dev ^8.0 is an invalid constraint. The stability modifier suffix cannot be used as a prefix. It is a suffix.

[fredden]

When I run composer require "symfony/uid:@dev ^7.2" in an empty directory I get the same packages and versions as when I run composer require "symfony/uid:^7.2@dev" in an empty directory. This suggests to me that the constraint is being interpreted by Composer (v2.9.3) the same way.

The documentation for package links does say that these stability flags 'take the form "constrraint@stability flag"' and then gives an example of "acme/foo": "@dev" (where there is no version listed before the @).

I don't see any @ symbols in https://getcomposer.org/schema.json. @stof can you share a link to where you're seeing this as being invalid syntax?