I have converted my email on using composer to manage a set of library dependencies for MediaWiki-Core [0] into an RFC [1]. Work is continuing on the implementation of this project, but there are still debatable implementation details and the RFC process is meant to not only validate ideas but leave behind a record of the design decisions that have been made and trade offs that were considered in the process.
In particular, the current draft RFC omits discussion of the concept of library "ownership" for long term updates and security fixes and could use more detail around the process of forking, patching and subsequently maintaining a external library. I will attempt to fill in some of these details as I see them over the next day or so, but now would be a great time for people with strong ideas or opinions on these aspects to comment on the talk page.
[0]: http://www.gossamer-threads.com/lists/wiki/wikitech/467520?page=last [1]: https://www.mediawiki.org/wiki/Requests_for_comment/Composer_managed_librari...
Bryan