Core 8.2.7 to 8.3.9 causes symfony/dependency-injection method mismatch

I have a palantirnet/drupal-skeleton composer.json created D8 site. What I did to update are:

  1. Run `composer remove drupal/core` so that no dependency issues would cause errors
  2. Run `composer require drupal/core:^8.3`

On an Acquia Dev Desktop setup of the site everything looks good but when I used the Docker php:5.6-apache + drush/drush image, I’m getting an somewhat serious warning when running Drush commands like st, updb, cim and cex. Here are the messages:

Declaration of DrupalCoreDependencyInjectionContainerBuilder::callMethod($service, $call) should be compatible with SymfonyComponentDependencyInjectionContainerBuilder::callMethod($service, $call, SplObjectStorage $inlinedDefinitions)                     [warning]
Declaration of DrupalCoreDependencyInjectionContainerBuilder::shareService(SymfonyComponentDependencyInjectionDefinition $definition, $service, $id) should be compatible with                                                                                 [warning]
SymfonyComponentDependencyInjectionContainerBuilder::shareService(SymfonyComponentDependencyInjectionDefinition $definition, $service, $id, SplObjectStorage $inlinedDefinitions) ContainerBuilder.php:19

I looked into it and indeed the Drupal version and Symfony version doesn’t match. I did further investigation and noticed that symfony/dependency-injection was at v2.8.18 and now was updated to v2.8.37 because the constraint of drupal/core for the Symfony package is “~8.2” but this package changes it’s method parameters starting from v2.8.32.

So I did:

$ composer require symfony/dependency-injection:2.8.31
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 0 installs, 1 update, 0 removals
  - Updating symfony/dependency-injection (v2.8.37 => v2.8.31): Downloading (100%)
Package codegyre/robo is abandoned, you should avoid using it. Use consolidation/robo instead.
Package guzzle/guzzle is abandoned, you should avoid using it. Use guzzlehttp/guzzle instead.
Writing lock file
Generating autoload files

I’m will still be testing but is explicitly requiring a package with a specific version that is declared by a package alright or allowed in composer managed projects?


Drupal version: