Dependency version with double full stop

I mistakenly ended up with the following in my build.gradle:
implementation "com.auth0:auth0:1..0"

Previously it was:
implementation "com.auth0:auth0:1.19.0"

What is the expected behaviour here? The docs don’t mention this pattern for version numbers:

To my surprise this still compiled and continued to use 1.19.0, even when appending --refresh-dependencies:

./gradlew dependencyInsight --configuration compileClasspath --dependency com.auth0:auth0 --refresh-dependencies
To honour the JVM settings for this build a new JVM will be forked. Please consider using the daemon:
Daemon will be stopped at the end of the build stopping after processing

> Task :dependencyInsight
   variant "compile" [
      org.gradle.status              = release (not requested)
      org.gradle.usage               = java-api
      org.gradle.libraryelements     = jar (compatible with: classes)
      org.gradle.category            = library

      Requested attributes not found in the selected variant:
         org.gradle.dependency.bundling = external
         org.gradle.jvm.version         = 8
   Selection reasons:
      - By conflict resolution : between versions 1.19.0 and 1..0

\--- com.auth0:mvc-auth-commons:1.3.0
     \--- compileClasspath

com.auth0:auth0:1..0 -> 1.19.0
\--- compileClasspath

A web-based, searchable dependency report is available by adding the --scan option.


It probably just “worked” because two requested versions were in the compileClasspath, both 1..0 and 1.19.0 (via mvc-auth-commons:1.3.0). During conflict resolution, the version comparison algorithm might have become the comparison between 1-19-0 and 1-0, or 1-null-0. Either way, it was determined that 1.19.0 is the higher version and 1..0 is never searched for in the repositories. If you took out the dependency on mvc-auth-commons it should fail.

1 Like