Exclude package aliases when generating output

[ChaseOnTheWeb]

For a package with version aliases, the order of $packages seems to be inconsistent between install/require/update operations, which can cause a package in the manifest to switch back and forth between these versions.

My proposal is to filter out any package alias entries. Is there any reason we would need to know about them?

Example

Fresh project:

$ composer require --dev joachim-n/composer-manifest
$ composer require --dev grasmash/drupal-security-warning:1.x-dev

composer-manifest.yaml contains:

packages:
    grasmash/drupal-security-warning: '1.x-dev:848fd28335c984ca1ceb9454f7d636465db5c5f8'
    joachim-n/composer-manifest: 1.1.5
    symfony/polyfill-ctype: v1.27.0
    symfony/yaml: v6.2.7

But after:

$ composer update -w

Even if no packages were updated, composer-manifest.yaml now contains (first package version is different):

packages:
    grasmash/drupal-security-warning: 'dev-master:848fd28335c984ca1ceb9454f7d636465db5c5f8'
    joachim-n/composer-manifest: 1.1.5
    symfony/polyfill-ctype: v1.27.0
    symfony/yaml: v6.2.7

Then, with:

$ rm -rf vendor
$ composer install

We're back to:

packages:
    grasmash/drupal-security-warning: '1.x-dev:848fd28335c984ca1ceb9454f7d636465db5c5f8'
    joachim-n/composer-manifest: 1.1.5
    symfony/polyfill-ctype: v1.27.0
    symfony/yaml: v6.2.7

After this PR, version should be dev-master in all cases.

[loopy3025]

I have pinned this to dev-master#9353b37dfe02489938e4e655e1e8b743db8f40d3 and tried it out. I've noticed that it's not just dev dependencies that are a problem in this situation. If I delete /vendor and composer.lock then run composer install, there are entire packages missing from composer-manifest.yml. I'm guessing it's dependencies. I have to run composer install immediately afterward or else I'll end up with a check dirty upstream.