Transitive dependencies with wildcard override versions set in dependency management #105

Closed
Raniz85 opened this issue Aug 15, 2016 · 2 comments

Raniz85 commented Aug 15, 2016

When upgrading to Spring Boot 1.4, which pulls in the dependency management plugin version 0.6.0.RELEASE, we noticed that some versions that we have defined were being overridden by more lax version definitions from dependencies.

The following build.gradle demonstrates the issue:

plugins {
    id "io.spring.dependency-management" version "0.6.0.RELEASE"
    id "java"
}

repositories {
    jcenter()
}

dependencyManagement {
    imports {
        mavenBom "com.amazonaws:aws-java-sdk-bom:1.10.7"
    }
    dependencies {
        dependency "com.amazonaws:aws-java-sdk-s3:1.10.8"
    }
}

dependencies {
    compile "se.raneland.urlhandler:url-handler-aws-s3:2.0.RELEASE"
    compile "com.amazonaws:aws-java-sdk-dynamodb"
}

wrapper {
    gradleVersion = "2.14.1"
}

With this, the runtime dependencies will be:

runtime - Runtime dependencies for source set 'main'.
+--- se.raneland.urlhandler:url-handler-aws-s3:2.0.RELEASE
|    +--- se.raneland.urlhandler:url-handler-aws-core:2.0.RELEASE
|    |    +--- com.amazonaws:aws-java-sdk-core:1.+ -> 1.11.26
|    |    |    +--- commons-logging:commons-logging:1.1.3 -> 1.2
|    |    |    +--- org.apache.httpcomponents:httpclient:4.5.2
|    |    |    |    +--- org.apache.httpcomponents:httpcore:4.4.4
|    |    |    |    +--- commons-logging:commons-logging:1.2
|    |    |    |    \--- commons-codec:commons-codec:1.9
|    |    |    +--- com.fasterxml.jackson.core:jackson-databind:2.6.6
|    |    |    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.6.0
|    |    |    |    \--- com.fasterxml.jackson.core:jackson-core:2.6.6
|    |    |    +--- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.6.6
|    |    |    |    \--- com.fasterxml.jackson.core:jackson-core:2.6.6
|    |    |    \--- joda-time:joda-time:2.8.1
|    |    \--- org.projectlombok:lombok:1.16.4
|    +--- se.raneland.urlhandler:url-handler-core:2.0.RELEASE
|    |    \--- org.projectlombok:lombok:1.16.4
|    +--- com.amazonaws:aws-java-sdk-s3:1.+ -> 1.11.26
|    |    +--- com.amazonaws:aws-java-sdk-kms:1.11.26 -> 1.10.7
|    |    |    \--- com.amazonaws:aws-java-sdk-core:1.10.7 -> 1.11.26 (*)
|    |    +--- com.amazonaws:aws-java-sdk-core:1.11.26 (*)
|    |    \--- com.amazonaws:jmespath-java:1.0
|    |         \--- com.fasterxml.jackson.core:jackson-databind:2.6.6 (*)
|    \--- org.projectlombok:lombok:1.16.4
\--- com.amazonaws:aws-java-sdk-dynamodb: -> 1.10.7
     +--- com.amazonaws:aws-java-sdk-s3:1.10.7 -> 1.11.26 (*)
     \--- com.amazonaws:aws-java-sdk-core:1.10.7 -> 1.11.26 (*)

As can be seen, the AWS libraries are not fixed at 1.10.7 (1.10.8 for s3) but instead the transitive dependency on 1.+ is used.

Version 0.5.7.RELEASE doesn't have this issue:

runtime - Runtime dependencies for source set 'main'.
+--- se.raneland.urlhandler:url-handler-aws-s3:2.0.RELEASE
|    +--- se.raneland.urlhandler:url-handler-aws-core:2.0.RELEASE
|    |    +--- com.amazonaws:aws-java-sdk-core:1.+ -> 1.10.7
|    |    |    +--- commons-logging:commons-logging:1.1.3
|    |    |    +--- org.apache.httpcomponents:httpclient:4.3.6
|    |    |    |    +--- org.apache.httpcomponents:httpcore:4.3.3
|    |    |    |    +--- commons-logging:commons-logging:1.1.3
|    |    |    |    \--- commons-codec:commons-codec:1.6
|    |    |    +--- com.fasterxml.jackson.core:jackson-databind:2.5.3
|    |    |    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.5.0
|    |    |    |    \--- com.fasterxml.jackson.core:jackson-core:2.5.3
|    |    |    \--- joda-time:joda-time:2.8.1
|    |    \--- org.projectlombok:lombok:1.16.4
|    +--- se.raneland.urlhandler:url-handler-core:2.0.RELEASE
|    |    \--- org.projectlombok:lombok:1.16.4
|    +--- com.amazonaws:aws-java-sdk-s3:1.+ -> 1.10.8
|    |    +--- com.amazonaws:aws-java-sdk-kms:1.10.8 -> 1.10.7
|    |    |    \--- com.amazonaws:aws-java-sdk-core:1.10.7 (*)
|    |    \--- com.amazonaws:aws-java-sdk-core:1.10.8 -> 1.10.7 (*)
|    \--- org.projectlombok:lombok:1.16.4
\--- com.amazonaws:aws-java-sdk-dynamodb: -> 1.10.7
     +--- com.amazonaws:aws-java-sdk-s3:1.10.7 -> 1.10.8 (*)
     \--- com.amazonaws:aws-java-sdk-core:1.10.7 (*)
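
Added example (not part of the original thread or the plugin's code): a build check that parses `gradle dependencies` output, lists dynamic version requests such as `1.+`, and reports modules whose resolved version differs from the expected pin. The sample tree is constructed from lines in the report above; the `PINS` map, `audit` and `is_dynamic` are hypothetical names, and the core/kms/dynamodb pins assume the imported BOM manages them at 1.10.7.

```python
import re

# Constructed sample in the format `gradle dependencies` prints, modelled on
# the 0.6.0.RELEASE output quoted in the issue.
SAMPLE_TREE = r"""
+--- se.raneland.urlhandler:url-handler-aws-s3:2.0.RELEASE
|    +--- com.amazonaws:aws-java-sdk-core:1.+ -> 1.11.26
|    +--- com.amazonaws:aws-java-sdk-s3:1.+ -> 1.11.26
|    |    \--- com.amazonaws:aws-java-sdk-kms:1.11.26 -> 1.10.7
\--- com.amazonaws:aws-java-sdk-dynamodb: -> 1.10.7
     \--- com.amazonaws:aws-java-sdk-core:1.10.7 -> 1.11.26 (*)
"""

# Expected versions (assumption: BOM 1.10.7 for all modules, s3 overridden to 1.10.8).
PINS = {
    "com.amazonaws:aws-java-sdk-core": "1.10.7",
    "com.amazonaws:aws-java-sdk-kms": "1.10.7",
    "com.amazonaws:aws-java-sdk-dynamodb": "1.10.7",
    "com.amazonaws:aws-java-sdk-s3": "1.10.8",
}

# Tree prefix, "group:name", requested version (may be empty), optional "-> resolved".
LINE = re.compile(r"^[| ]*[+\\]--- ([^:\s]+:[^:\s]+):(\S*?)(?: -> (\S+))?(?: \(\*\))?$")

def is_dynamic(version):
    """True for Gradle dynamic versions ("1.+", "latest.release") and Maven ranges."""
    return version.endswith("+") or version.startswith(("latest.", "[", "("))

def audit(tree, pins):
    """Return (dynamic requests, pin drift) found in a dependency report."""
    dynamic, drift = set(), set()
    for line in tree.splitlines():
        m = LINE.match(line.rstrip())
        if not m:
            continue  # headers, blank lines, anything that is not a tree node
        module, requested = m.group(1), m.group(2)
        resolved = m.group(3) or requested  # no arrow means requested == resolved
        if is_dynamic(requested):
            dynamic.add((module, requested))
        pin = pins.get(module)
        if pin and resolved != pin:
            drift.add((module, pin, resolved))
    return sorted(dynamic), sorted(drift)

if __name__ == "__main__":
    dynamic, drift = audit(SAMPLE_TREE, PINS)
    for module, requested in dynamic:
        print(f"dynamic request: {module}:{requested}")
    for module, pin, resolved in drift:
        print(f"pin drift: {module} expected {pin}, resolved {resolved}")
```
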

wilkinsona commented Aug 15, 2016

That change is due to #77. I hadn't considered that someone would publish a version of a library with a version range on one of its dependencies, particularly one using Gradle-specific syntax.

The pom for se.raneland.urlhandler:url-handler-aws-core:2.0.RELEASE is broken with Maven. You get a couple of warnings:

[WARNING] The POM for com.amazonaws:aws-java-sdk-core:jar:1.+ is missing, no dependency information available
[WARNING] The POM for com.amazonaws:aws-java-sdk-s3:jar:1.+ is missing, no dependency information available

Followed by a build failure:

[ERROR] Failed to execute goal on project foo: Could not resolve dependencies for project com.example:foo:jar:1.0.0-SNAPSHOT: The following artifacts could not be resolved: com.amazonaws:aws-java-sdk-core:jar:1.+, com.amazonaws:aws-java-sdk-s3:jar:1.+: Failure to find com.amazonaws:aws-java-sdk-core:jar:1.+ in https://jcenter.bintray.com was cached in the local repository, resolution will not be reattempted until the update interval of jcenter has elapsed or updates are forced -> [Help 1]

If the pom used the correct syntax for a version range the change made in #77 wouldn't cause a problem.

@wilkinsona

Given that the pom that triggers this is broken, i.e. it doesn't work with Maven which defines the pom format, I don't think it makes sense for this plugin to cope with it.
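
Added example (not part of the original thread or the plugin's code): a pre-publish lint for the kind of pom discussed above, which flags dependency versions written in Gradle dynamic syntax (`1.+`, which Maven reads as a literal version, as the warnings show) separately from valid Maven version ranges. The sample pom is constructed, and `lint_pom` and `classify` are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Maven range sets such as "[1.0,2.0)", "(,1.0]" or "(,1.0],[1.2,)".
MAVEN_RANGE = re.compile(r"^[\[(][^\[\]()]*[\])](,[\[(][^\[\]()]*[\])])*$")

# Constructed sample pom; coordinates are illustrative only.
SAMPLE_POM = """
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>published-lib</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency><groupId>com.amazonaws</groupId>
      <artifactId>aws-java-sdk-core</artifactId><version>1.+</version></dependency>
    <dependency><groupId>com.amazonaws</groupId>
      <artifactId>aws-java-sdk-s3</artifactId><version>[1.10,1.11)</version></dependency>
    <dependency><groupId>org.projectlombok</groupId>
      <artifactId>lombok</artifactId><version>1.16.4</version></dependency>
  </dependencies>
</project>
"""

def classify(version):
    """Classify a <version> value from a pom dependency."""
    if version is None or not version.strip():
        return "managed"  # no version: left to dependencyManagement
    v = version.strip()
    if v.endswith("+") or v.startswith("latest."):
        return "gradle-dynamic"  # not a version range in Maven's pom format
    if MAVEN_RANGE.match(v):
        return "maven-range"  # valid pom syntax, but still not a fixed version
    return "fixed"

def lint_pom(pom_xml):
    """Return (coordinates, version, kind) for every non-fixed dependency version."""
    root = ET.fromstring(pom_xml.strip())  # run on your own build output only
    findings = []
    for dep in root.findall("./m:dependencies/m:dependency", NS):
        coords = "{}:{}".format(dep.findtext("m:groupId", namespaces=NS),
                                dep.findtext("m:artifactId", namespaces=NS))
        version = dep.findtext("m:version", namespaces=NS)
        kind = classify(version)
        if kind in ("gradle-dynamic", "maven-range"):
            findings.append((coords, version.strip(), kind))
    return findings

if __name__ == "__main__":
    for coords, version, kind in lint_pom(SAMPLE_POM):
        print(f"{kind}: {coords}:{version}")
```
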
