Restrict Composer dependency updates to only patch releases

Matt Glaman
2 min read · Nov 26, 2024

I was doing website maintenance and checked for outdated dependencies with composer outdated. I usually filter with -D (--direct) to check only direct dependencies and -p (--patch-only) to list only packages with a patch release available. These are typically easy pickings. I saw I was on 2.1.3 of the Honeypot module and 2.1.4 was available, so I ran composer update drupal/honeypot. I noticed the module was updated to 2.2.0 instead, because my Composer constraint is drupal/honeypot: ^2.0, which allows any 2.x release, minor updates included. Filtering the outdated report to patch releases does not change what composer update will pick; that is decided by the constraint in composer.json. I figured that was fine enough. Turns out it wasn't.
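To make the constraint semantics concrete, here is an added Python model of how Composer interprets caret (^), tilde (~), wildcard and exact constraints for plain numeric releases. It is an illustration written for this page, not Composer's own code (Composer resolves constraints through composer/semver), and it covers neither stability suffixes nor compound ranges. The release list is constructed: 2.1.3, 2.1.4 and 2.2.0 are the versions from the post, the others are made up to show where each constraint stops.

```python
"""Model of how Composer reads ^, ~, wildcard and exact constraints.

Added illustration, not Composer's own code: Composer resolves
constraints with composer/semver. Only plain numeric releases are
modelled; stability suffixes (-dev, -beta) and compound ranges such as
">=2.1 <2.3" are out of scope.
"""
from typing import Optional


def parse_version(text: str) -> tuple[int, ...]:
    """Normalise '2.1' -> (2, 1, 0, 0); composer/semver also pads to four parts."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unsupported version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def _bump(version: tuple[int, ...], index: int) -> tuple[int, ...]:
    """Increment version[index] and zero everything after it: the exclusive upper bound."""
    head = list(version[:index]) + [version[index] + 1]
    return tuple(head + [0] * (4 - len(head)))


def bounds(constraint: str) -> tuple[tuple[int, ...], Optional[tuple[int, ...]]]:
    """Return (lower inclusive, upper exclusive); upper is None for an exact pin."""
    c = constraint.strip()
    if c.startswith("^"):
        given = [int(p) for p in c[1:].split(".")]
        # Caret bumps the leftmost non-zero component: ^2.0 -> <3.0.0, ^0.3 -> <0.4.0.
        idx = next((i for i, p in enumerate(given) if p != 0), len(given) - 1)
        lower = parse_version(c[1:])
        return lower, _bump(lower, idx)
    if c.startswith("~"):
        given = [int(p) for p in c[1:].split(".")]
        # Tilde bumps the component before the last one given:
        # ~2.1.3 -> <2.2.0 (patch releases only), ~2.1 -> <3.0.0.
        idx = max(len(given) - 2, 0)
        lower = parse_version(c[1:])
        return lower, _bump(lower, idx)
    if c.endswith(".*"):
        given = [int(p) for p in c[:-2].split(".")]
        # Wildcard bumps the last component given: 2.1.* -> >=2.1.0 <2.2.0.
        lower = parse_version(c[:-2])
        return lower, _bump(lower, len(given) - 1)
    return parse_version(c), None  # exact pin such as 2.1.3


def _fmt(version: tuple[int, ...]) -> str:
    return ".".join(str(n) for n in version[:3])


def describe(constraint: str) -> str:
    """Render a constraint as the range Composer expands it to."""
    lower, upper = bounds(constraint)
    return f"=={_fmt(lower)}" if upper is None else f">={_fmt(lower)} <{_fmt(upper)}"


def satisfies(version: str, constraint: str) -> bool:
    v = parse_version(version)
    lower, upper = bounds(constraint)
    return v == lower if upper is None else lower <= v < upper


def highest_allowed(available: list[str], constraint: str) -> Optional[str]:
    """What `composer update <package>` picks: the newest release the constraint admits."""
    matching = [v for v in available if satisfies(v, constraint)]
    return max(matching, key=parse_version) if matching else None


# Constructed release list: 2.1.3, 2.1.4 and 2.2.0 are the versions named in the
# post; 2.0.0, 2.1.0 and 3.0.0 are made up to show where each constraint stops.
AVAILABLE = ["2.0.0", "2.1.0", "2.1.3", "2.1.4", "2.2.0", "3.0.0"]

if __name__ == "__main__":
    for constraint in ("^2.0", "~2.1.3", "2.1.*", "2.1.3"):
        print(f"{constraint:8} {describe(constraint):22} -> {highest_allowed(AVAILABLE, constraint)}")
```

Run against the constructed list, ^2.0 resolves to 2.2.0, which is the jump the post describes, while ~2.1.3 and 2.1.* both stop at 2.1.4, so either of those is the constraint shape that keeps composer update on patch releases.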

I have a continuous integration job that starts from my main branch and tests the pull request by running drush updb. It failed because of missing schema changes. I was really confused, until I found this issue in the module's issue queue: https://www.drupal.org/project/honeypot/issues/3468450. It turns out that the maintainer removed update hooks between minor versions, which is usually a major-version type of change; at least, that's how Drupal core works. The answer given in that issue:

You jumped versions and didn’t update your database to account for the change made between 2.1.3 and 2.1.4. Update to 2.1.4 first and make sure you do a database update.
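How that check works, as an added Python model (not Drupal's or Honeypot's code) of the per-module test update.php performs: Drupal records the last update hook each module has run as its schema version; a release that removes old update hooks declares the highest removed number in hook_update_last_removed(), and a site whose recorded schema version is below that number is refused rather than updated, because the removed hooks can no longer be run. The hook numbers (9001, 9002) and the per-release hook lists are invented for the illustration and are not Honeypot's actual update hooks.

```python
"""Model of Drupal's hook_update_last_removed() check.

Added illustration, not Drupal's or Honeypot's code. Drupal stores, per
module, the number of the last hook_update_N that ran (the schema
version). When a release drops old update hooks it returns the highest
dropped number from hook_update_last_removed(); update.php refuses to
update a site whose schema version is below that number. The hook
numbers and release contents below are invented for the example.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Release:
    version: str
    updates: list[int] = field(default_factory=list)  # hook_update_N functions shipped
    last_removed: Optional[int] = None                # hook_update_last_removed() value


class SchemaTooOld(Exception):
    """update.php: '<module> cannot be updated. Its schema version is too old.'"""


def run_updb(schema_version: int, release: Release) -> int:
    """Apply a release's pending updates to a site at schema_version; return the new version."""
    if release.last_removed is not None and schema_version < release.last_removed:
        raise SchemaTooOld(
            f"schema {schema_version} is older than last removed update "
            f"{release.last_removed}; install a release that still ships it first"
        )
    for n in sorted(release.updates):
        if n > schema_version:
            schema_version = n  # hook_update_N ran; Drupal records N as the new schema version
    return schema_version


# Constructed release history (hook numbers are made up): 2.1.3 is what the site
# had installed, 2.1.4 adds an update hook, 2.2.0 drops every hook up to and
# including that one and declares it via hook_update_last_removed().
V2_1_3 = Release("2.1.3", updates=[9001])
V2_1_4 = Release("2.1.4", updates=[9001, 9002])
V2_2_0 = Release("2.2.0", updates=[], last_removed=9002)

SITE_SCHEMA = 9001  # the site installed 2.1.3 and ran its updates


def jump_straight_to_2_2_0(schema: int = SITE_SCHEMA) -> str:
    """What the post's CI job saw: ^2.0 pulled 2.2.0 and drush updb refused to run."""
    try:
        run_updb(schema, V2_2_0)
        return "ok"
    except SchemaTooOld as exc:
        return f"failed: {exc}"


def step_through_2_1_4(schema: int = SITE_SCHEMA) -> int:
    """The fix from the issue queue: update to 2.1.4, run updb, then move to 2.2.0."""
    schema = run_updb(schema, V2_1_4)  # runs 9002
    return run_updb(schema, V2_2_0)    # 9002 is not below last_removed; nothing left to run


if __name__ == "__main__":
    print(jump_straight_to_2_2_0())
    print("schema after stepping through 2.1.4:", step_through_2_1_4())
```

The failure is deliberate on Drupal's side: refusing the update is safer than silently skipping a schema change the newer code assumes has happened, which is exactly why a CI job that runs drush updb against a database at the previous state is worth having.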

Luckily I have this CI check for dependency updates. Its usual job is to catch configuration changes made silently by update hooks that I didn't know needed to be re-exported. This time it caught a use of hook_update_last_removed that the maintainer expected and I did not: the new release declared that it no longer ships update hooks my site had yet to run.

Written by Matt Glaman

PHP software engineer, open source contributor, and speaker