Dependency resolution picking the wrong version (overly optimistic resolution strategy)

I’m using Gradle with some JRuby code and resolving dependencies via the rubygems maven proxy.

I’m finding that Gradle is picking too recent of a version of the ‘jwt’ transitive dependency. Under one of my dependencies ‘jwt’ is listed with this version range: ‘rubygems:jwt:[0.1.0,0.1.99999] -> 1.2.0’

Under another dependency, ‘jwt’ is specified with the following version range: ‘rubygems:jwt:[0,) -> 1.2.0’

It seems like Gradle is doing the opposite of what I would expect to be correct behavior here. I’m aware I can use ‘force = true’ for a dependency, but I’d like to avoid having to force every single transitive dependency version.

This seems like a bug that Gradle isn’t choosing ‘0.1.13’ of the ‘jwt’ transitive dependency, but instead is choosing the “latest”.

When a dependency is included in the graph twice, Gradle resolves each independently and then chooses the newer of the 2 versions. This is a behaviour that was inherited from Ivy, and is clearly not ideal in the case where 2 version ranges overlap. In this case, we should instead be choosing the newest version that matches both ranges.

This is something we’d like to fix in the future, but it would be considered a breaking change and not something we would change without considering backward compatibility.

Thanks for the update, Daz. Do you have a suggestion on how I might be able to work around the issue? I’m assuming it likely won’t appear before Gradle 3, since it’d be a breaking change.

I’m worried about playing “transitive dependency whackamole” with this issue if it comes up with additional transitive dependencies ☹

There’s not really any way, except by forcing the version, or using a dependency resolve rule (which is similar, but more powerful).
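As an added example (not code from the original thread or from the Gradle project), here is what the dependency resolve rule mentioned above looks like in a Groovy `build.gradle`, pinning the transitive `rubygems:jwt` dependency to `0.1.13`, the newest version that satisfies both ranges quoted earlier, with the equivalent `force` shorthand shown alongside it. A small verification task is included so the pin is checked at build time rather than assumed; keeping transitive versions deterministic like this also stops a newer, unreviewed gem from silently entering the build. It assumes the rubygems maven proxy is already declared as a repository and that the JRuby dependencies live in the `compile` configuration (both assumptions).

```groovy
// Added example, not from the original thread. Assumes the rubygems maven proxy
// is already configured as a repository and that the dependencies in question
// belong to the 'compile' configuration.

configurations.all {
    resolutionStrategy {
        // Inspect every requested dependency (direct and transitive) as the graph
        // is resolved, and rewrite the version for the module we care about.
        eachDependency { DependencyResolveDetails details ->
            def req = details.requested
            if (req.group == 'rubygems' && req.name == 'jwt') {
                // Override whatever version or range the requesting module asked
                // for. Because the rule runs for every requester, one rule covers
                // all transitive paths that pull in jwt, so there is no need to
                // chase each one with 'force = true'.
                details.useVersion '0.1.13'
            }
        }

        // Equivalent shorthand when a fixed version is all that is needed and
        // no per-requester logic is required:
        // force 'rubygems:jwt:0.1.13'

        // Optional: make the build fail loudly when the same module is still
        // requested with conflicting versions, instead of silently taking the
        // newest one.
        // failOnVersionConflict()
    }
}

// Verification task: print and assert the resolved jwt version so the pin can
// be checked in CI rather than trusted blindly.
task checkJwtVersion {
    doLast {
        def jwt = configurations.compile.resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .find { it.group == 'rubygems' && it.name == 'jwt' }
        println "Resolved rubygems:jwt -> ${jwt?.version ?: 'not found'}"
        if (jwt?.version != '0.1.13') {
            throw new GradleException("jwt resolved to ${jwt?.version}, expected 0.1.13")
        }
    }
}
```

Run `gradle checkJwtVersion` (or `gradle dependencies --configuration compile`) after adding the rule to confirm that every path through the graph now reports `rubygems:jwt:0.1.13`. The resolve rule is preferred over `force` when you need to decide per requester or log what was requested; `force` is simpler when a single pinned version is all you want.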