How to correctly require a specific commit in Composer so that it would be available for dependent packages?

You'll have to explicitly require the Gaufrette library at that hash, with a dev flag, in both your library and your application. Something like this should work in the application composer.json:

{
    "name": "bar/bar-app",
    "repositories": [
        {
            "type": "vcs",
            "url": "ssh://git.example.com/foo-lib"
        }
    ],
    "require-dev": {
        "foo/foo-lib": "dev-master",
        "knplabs/gaufrette": "dev-master#2633721877cae79ad461f3ca06f3f77fb4fce02e"
    }
}

From the documentation:

If one of your dependencies has a dependency on an unstable package you need to explicitly require it as well, along with its sufficient stability flag.

The documentation also suggests that you'll need to include the repository for Gaufrette in your bar/bar-app Composer file, though it sounds like this wasn't necessary in this case. I'm not sure why.

Here is how you do it on the command line:

composer update knplabs/gaufrette:dev-master#2633721 --with-dependencies

You don't have to use the whole hash, a hash seven characters long seems to dothe trick. As mentioned above, your project will need to support dev - which it will complain about if not already set. Also, use --with-dependencies to get any dependencies of the one you are updating.