In a new post to his site Joe Ferguson shows you how to move a dependency over to Composer but still require the older version, possibly one that's already included in the codebase as a checked-in source.
A common problem I run into with older applications are dependencies that have been added and loaded from the application’s repository. You would often see a “libraries” folder with a “className.php” type file. If you’re lucky you’ll have the entire folder of the dependency including the release notes to be able to find out exactly what version you’re using.
[...] What if the author hasn’t tagged our older version? Maybe they converted the repository to git from subversion or some other system? You have to go digging into the commit history to find the commit you want to match your current version.
He includes the Composer configuration required for both examples (loading the older version and loading by commit ID) as well as the addition of the "minimum-stability" option. This option allows you to pull directly from the "master" branch if you need to - just be sure to define exact versions of other dependencies otherwise you'll get dev versions of them too.