For the bootstrap refactor branch (#3872) I'm currently pulling in a forked version of mustangostang/spyc. To let Composer use the forked version, we still specify the normal package name of mustangostang/spyc, but add our own repository as a custom source in the composer.json file's "repositories" section.

However, this approach will fail when someone pulls in WP-CLI via Composer, as they would then need to explicitly add our forked version of the package to their "repositories" section as well. Composer enforces this behaviour because of security reasons, so that no package can replace the dependencies of other packages with custom (and potentially malicious) forks.

I recommend renaming our forked package to wp-cli/mustangostang-spyc and adding it to packagist.org, so that we can pull it in through the normal means. If ever the main package should accept our PRs, then we can switch back to the original package instead.