The composer might downgrade package instead of updating. This might be the case when dependent package requires third party package version that is lower than currently installed by root package or other package. Composer itself have tool to get some information about such case.
Why prohibits update:
composer prohibits maslosoft/hedron:1.1.17
The command parameter name is
prohibits and can take
as an argument package name along with the version. This outputs
useful information about why package cannot be
upgraded or installed.
This also accepts versions in format same as for update:
composer prohibits symfony/console:^4
Example output of command:
maslosoft/hedron 1.1.17 requires zordius/lightncandy (^1) maslosoft/signals dev-master does not require zordius/lightncandy (but v0.95 is installed)