Technical Mid Level

How do you manage dependencies in a PHP project beyond basic Composer usage? Discuss lock files, version constraints, security auditing, and private packages.

Quick Tip

Show production awareness: "I commit composer.lock, run composer audit in CI, use caret constraints for flexibility, and review composer update diffs before merging — I want to know exactly what changed and why."

What good answers include

Lock files: composer.lock pins exact versions for reproducible builds — always commit it.

Version constraints: use caret (^) for semver-compatible updates, tilde (~) when only patch-level updates should be allowed, and exact versions when stability is critical.

Security: run composer audit in CI to detect known vulnerabilities.

Private packages: use Private Packagist, Satis for self-hosted, or Composer repositories with authentication.

Strong candidates discuss: the difference between require and require-dev, platform requirements (PHP version constraints), conflict resolution when dependencies need incompatible versions, Composer scripts for automation, and the importance of running composer update deliberately rather than blindly.
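To make the caret/tilde distinction concrete, here is an added example (not from the original page or from Composer itself) that implements a simplified semver check for ^, ~ and exact constraints and uses it to verify that the versions pinned in a constructed composer.lock still satisfy the constraints in composer.json. It assumes plain major.minor.patch versions with no pre-release suffixes and no compound constraints (no `||`, `,` or wildcards); the package names and versions are constructed sample data.

```php
<?php
// Added example: check that locked package versions satisfy composer.json constraints.
// Simplification: plain numeric versions only, one constraint per package (no ||, comma or *).
declare(strict_types=1);

function parseVersion(string $v): array {
    $parts = array_map('intval', explode('.', ltrim($v, 'v')));
    return array_pad($parts, 3, 0);                 // [major, minor, patch]
}

// Returns [lowerBound, upperBoundExclusive] for a single constraint, following Composer's rules:
//   ^1.2.3 => >=1.2.3 <2.0.0   ^0.3 => >=0.3.0 <0.4.0   ^0.0.3 => >=0.0.3 <0.0.4
//   ~1.2.3 => >=1.2.3 <1.3.0   ~1.2 => >=1.2.0 <2.0.0   (tilde lets the last given digit grow)
//   2.4.1  => exactly that version
function bounds(string $c): array {
    if ($c[0] === '^') {
        $lo = parseVersion(substr($c, 1));
        $hi = $lo[0] > 0 ? [$lo[0] + 1, 0, 0]
            : ($lo[1] > 0 ? [0, $lo[1] + 1, 0] : [0, 0, $lo[2] + 1]);
    } elseif ($c[0] === '~') {
        $raw = substr($c, 1);
        $lo  = parseVersion($raw);
        $hi  = count(explode('.', $raw)) >= 3 ? [$lo[0], $lo[1] + 1, 0] : [$lo[0] + 1, 0, 0];
    } else {                                        // exact pin
        $lo = parseVersion($c);
        $hi = [$lo[0], $lo[1], $lo[2] + 1];
    }
    return [$lo, $hi];
}

function satisfies(string $version, string $constraint): bool {
    [$lo, $hi] = bounds($constraint);
    $v = parseVersion($version);
    return ($v <=> $lo) >= 0 && ($v <=> $hi) < 0;  // PHP compares same-length arrays element-wise
}

// Constructed stand-ins for composer.json "require" and the versions recorded in composer.lock.
$require = ['monolog/monolog' => '^3.0', 'symfony/yaml' => '~6.4.0', 'vendor/legacy' => '1.0.2'];
$locked  = ['monolog/monolog' => '3.5.0', 'symfony/yaml' => 'v6.5.1', 'vendor/legacy' => '1.0.2'];

foreach ($require as $pkg => $constraint) {
    $v  = $locked[$pkg] ?? null;
    $ok = $v !== null && satisfies($v, $constraint);
    printf("%-16s %-8s locked %-8s %s\n", $pkg, $constraint, $v ?? 'MISSING',
        $ok ? 'ok' : 'VIOLATES constraint');
}
```

Running it flags symfony/yaml: ~6.4.0 only permits 6.4.x, so a lock file carrying 6.5.1 is exactly the kind of drift a reviewer should catch in a composer update diff.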

What interviewers are looking for

Tests professional dependency management. Candidates who do not commit composer.lock or who run composer update in production will cause reproducibility issues. Those who audit dependencies and understand version constraints manage supply chain risk.
