Description
I believe I have found a bug where Composer silently downloads a transitive dev dependency even though --no-dev is specified.
This happens when one of the required packages declares a dependency on a psr*-implementation and you did not provide one + one of your dev dependencies has a transitive dependency on that psr*-implementation.
The correct behavior here should be to abort the installation.
I created a reproducer repo (https://github.com/calvinalkan/composer-bug). This took me hours to find out why I had packages in my build that I did not declare anywhere. Verified with the latest composer version (2.3.8) and the official composer docker image.
(I can't adhere to the commit template because GitHub is giving me "Comment is too long (maximum is 65536 characters)")
All the output and steps to reproduce are in the reproducer repo.
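
An added example (not from the issue author or the Composer project) for auditing a build for the situation described above: it lists packages in the non-dev section of `composer.lock` that nothing in the non-dev tree requires by name and that are present only because they `provide` or `replace` a virtual package, together with the dev packages that name them. It assumes the provider is recorded under the lock file's `packages` key; the `acme/*` package names and the sample data are constructed.

```python
import json

def is_platform(name):
    # php, ext-*, lib-* requirements have no vendor/ prefix and are never installed.
    return "/" not in name

def walk(start, prod, seen, virtual):
    """Follow `require` links by package name; names absent from the lock are virtual."""
    queue = list(start)
    while queue:
        name = queue.pop()
        if is_platform(name) or name in seen:
            continue
        seen.add(name)
        if name in prod:
            queue.extend(prod[name].get("require", {}))
        else:
            virtual.add(name)

def implicit_providers(root, lock):
    """Packages in the lock's non-dev set that no non-dev package requires by name."""
    prod = {p["name"]: p for p in lock.get("packages", [])}
    seen, virtual, findings = set(), set(), {}
    walk(root.get("require", {}), prod, seen, virtual)
    grew = True
    while grew:  # a provider's own requirements can introduce further virtual names
        grew = False
        for pkg in prod.values():
            offered = {**pkg.get("provide", {}), **pkg.get("replace", {})}
            met = sorted(virtual.intersection(offered))
            if pkg["name"] not in seen and met:
                findings[pkg["name"]] = {"satisfies": met}
                walk([pkg["name"]], prod, seen, virtual)
                grew = True
    # Record which parts of the dev tree ask for each implicit provider by name.
    dev_side = {"(root require-dev)": root.get("require-dev", {})}
    dev_side.update({p["name"]: p.get("require", {}) for p in lock.get("packages-dev", [])})
    for name, hit in findings.items():
        hit["dev_requirers"] = sorted(k for k, req in dev_side.items() if name in req)
    return findings

# Constructed sample data (hypothetical acme/* packages), shaped like composer.json / composer.lock.
ROOT = {"require": {"php": ">=8.0", "acme/http-client": "^1.0"},
        "require-dev": {"acme/test-tools": "^2.0"}}
LOCK = {"packages": [
            {"name": "acme/http-client", "require": {"psr/http-message-implementation": "1.0"}},
            {"name": "acme/psr7-impl", "provide": {"psr/http-message-implementation": "1.0"}}],
        "packages-dev": [
            {"name": "acme/test-tools", "require": {"acme/psr7-impl": "^1.0"}}]}

if __name__ == "__main__":
    print(json.dumps(implicit_providers(ROOT, LOCK), indent=2))
```

A non-empty result with a populated `dev_requirers` list marks a package that ships in a `--no-dev` build although only the dev tree asked for it by name; requiring a chosen implementation explicitly in the root `require` makes the finding disappear.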