Gradle doesn't enforce Maven version range in POM?

I’m using a library that declares a dependency on another library with the version declared as [7.3.0], and yet the library gets upgraded to 7.5.0.

Is Gradle not recognizing this?

We do respect version ranges in dependency POM files. What is the result of running dependencyInsight for that dependency?

Generally speaking, publishing metadata with version ranges or dynamic versions is a bad idea. Reproducibility is not given.

What library are you referring to? Could you provide us with an example to have a deeper look?

dependencyInsight doesn’t show anything interesting.

Here it is:
:app:dependencyInsight

com.google.android.gms:play-services-base:7.5.0 (conflict resolution)
\--- com.google.android.gms:play-services-wearable:7.5.0
     \--- compile

com.google.android.gms:play-services-base:7.3.0 -> 7.5.0
+--- com.google.android.gms:play-services-location:7.3.0
|    \--- compile
\--- com.google.android.gms:play-services-maps:7.3.0
     \--- com.google.android.gms:play-services-location:7.3.0 (*)

We don’t actually have this kind of dependency right now. I tweaked the POM file to see if it would work, as these artifacts are meant to always use the same version if they are used together. (There are some inter-artifact internal APIs that are changing or are obfuscated.)

I assume ‘play-services-base’ is the dependency in question here? The output of dependencyInsight indicates that 7.5.0 is being chosen due to conflict resolution, which is the expected behavior since ‘play-services-wearable’ depends on 7.5.0. If you want to use 7.3.0 you’ll have to force the dependency.

The setup is
play-services-location:7.3.0, depends on play-services-base [7.3.0]
play-services-wearable:7.5.0, depends on play-services-base 7.5.0

Shouldn’t the conflict resolution fail and tell me it cannot resolve the dependency properly?

No, unfortunately. Essentially, the dependency version ‘[7.3.0]’ just gets resolved to the static version ‘7.3.0’. With both 7.3.0 and 7.5.0 present in the dependency graph, conflict resolution kicks in and the newer version is chosen. I believe you are running into the same use case as described in this topic.
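
Added example, not part of the thread and not Gradle's or Google's own configuration: a build script fragment that makes the behaviour discussed above explicit, by failing the build on any remaining version conflict and aligning every play-services artifact on one version before conflict resolution runs. The variable name `playServicesVersion` and the choice of 7.5.0 are assumptions made for illustration.

```groovy
// app/build.gradle fragment. Added illustration, not code from the thread.
// Assumption: every play-services artifact must share one version; 7.5.0 is
// used here only because the insight report shows the graph resolving to it.
def playServicesVersion = '7.5.0'   // hypothetical variable name

configurations.all {
    resolutionStrategy {
        // Turn the default "newest version wins" into a build failure for
        // any module still requested at two different versions after the
        // rule below has been applied.
        failOnVersionConflict()

        // Rewrite the requested version of every play-services artifact
        // before conflict resolution, so a transitive dependency cannot
        // pull one of them to a different release unnoticed.
        eachDependency { DependencyResolveDetails details ->
            if (details.requested.group == 'com.google.android.gms' &&
                    details.requested.name.startsWith('play-services')) {
                details.useVersion playServicesVersion
            }
        }

        // Alternative mentioned in the reply: force a single module.
        // force 'com.google.android.gms:play-services-base:7.3.0'
    }
}
```

Running `:app:dependencyInsight` again for play-services-base shows which version is selected once the rule is in place.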