How do language tools that use import-from-derivation (IFD) work?

Modern package managers often produce so-called lock files, which contain hashes of all the source dependencies.

For example, npm and yarn will have hashes of the source tarballs in package-lock.json/yarn.lock, and yarn2nix, node2nix or napalm will parse the lock files and create fixed-output derivations for the dependency sources.

Composer does not contain hashes of tarballs, since it fetches them from GitHub and tarballs there are not stable. But it still contains commit references and Nix will accept those even in the sandbox, so that is what composition-c4 uses. (Though this will fail in restricted eval mode.)

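The lock-file step described in the post above, written in Nix as an added example: it is not part of the original post and is not the code of yarn2nix, node2nix or napalm. It assumes a `package-lock.json` with lockfileVersion 2 or 3 (a `packages` map whose entries carry `resolved` and `integrity`) sitting next to the expression, and the file name `lock-sources.nix` is hypothetical.

```nix
# lock-sources.nix (hypothetical file name; added illustration)
# Turns every pinned entry of a package-lock.json into a fixed-output
# derivation, so each tarball is fetched only if it matches the locked hash.
{ pkgs ? import <nixpkgs> { } }:

let
  inherit (pkgs) lib;

  # The lock file is part of the source tree, so it can be read at
  # evaluation time without building anything first.
  lock = builtins.fromJSON (builtins.readFile ./package-lock.json);

  # Assumption: lockfileVersion 2/3 layout, where `packages` maps paths
  # such as "node_modules/left-pad" to their metadata.
  entries = lock.packages or { };

  # Keep only entries that have both a download URL and an SRI hash.
  # The root package ("") and local links have neither.
  isPinned = _: p: p ? resolved && p ? integrity;
  pinned = lib.filterAttrs isPinned entries;

  # Entries with a URL but no hash cannot become fixed-output derivations;
  # expose their names so they can be reviewed instead of silently skipped.
  unpinned = lib.attrNames
    (lib.filterAttrs (_: p: p ? resolved && !(p ? integrity)) entries);

  # One fixed-output derivation per tarball. The output hash is declared
  # up front, so the build sandbox permits the download and the build
  # fails if the content differs from what the lock file recorded.
  toSource = _: p: pkgs.fetchurl {
    url = p.resolved;
    hash = p.integrity; # SRI string as written by npm, e.g. "sha512-..."
  };
in
{
  sources = lib.mapAttrs toSource pinned;
  inherit unpinned;
}
```

Evaluating the `unpinned` attribute before building `sources` shows which dependencies the lock file does not cover with a content hash.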