JSON output from fetch has missing dependencies if versions are specified as intervals

Aloha!

We’re seeing an issue where the result of coursier fetch --json-output-file has missing dependencies if versions are specified as intervals.

Here is a concrete example that is reproducible on 2.0.0-RC6-21, as well as on the master branch (813eec9 as of this post).

If we run coursier fetch --json-output-file tree.json io.grpc:grpc-netty-shaded:1.29.0, we will see that tree.json contains:

{
  "conflict_resolution": {},
  "dependencies": [

    ...

    {
      "coord": "io.grpc:grpc-netty-shaded:1.29.0",
      "file": "v1/https/repo1.maven.org/maven2/io/grpc/grpc-netty-shaded/1.29.0/grpc-netty-shaded-1.29.0.jar",
      "directDependencies": [
        "io.grpc:grpc-core:1.29.0"
      ],
      "dependencies": [
        "io.grpc:grpc-core:1.29.0"
      ]
    },

    ...

    {
      "coord": "io.grpc:grpc-core:1.29.0",
      "file": "v1/https/repo1.maven.org/maven2/io/grpc/grpc-core/1.29.0/grpc-core-1.29.0.jar",
      "directDependencies": [],
      "dependencies": []
    },

    ...

  ],
  "version": "0.1.0"
}

However, the POM file for io.grpc:grpc-core:1.29.0 does list several dependencies.

What we’ve investigated so far

In the POM file for io.grpc:grpc-netty-shaded:1.29.0, it specifies its dependency, io.grpc:grpc-core to be at a version interval, [1.29.0]:

<dependencies>
  <dependency>
    <groupId>io.grpc</groupId>
    <artifactId>grpc-core</artifactId>
    <version>[1.29.0]</version>
    <scope>compile</scope>
  </dependency>
</dependencies>

This then causes the directDependencies and dependencies fields for io.grpc:grpc-core to be empty – which also means that the dependencies field for io.grpc:grpc-netty-shaded is incomplete and missing transitive dependencies.

Taking a quick look, we did see that the projectCache in Resolution.scala:

https://github.com/coursier/coursier/blob/813eec9b45fedc6791c4193d496b7fdbfaf75917/modules/core/shared/src/main/scala/coursier/core/Resolution.scala#L668

stores entries keyed using the “raw version” string from the POM, which in this case, would be "[1.29.0]".

However, we eventually fetch items from that cache when populating lists of dependencies for the JSON output. That mechanism starts here:

https://github.com/coursier/coursier/blob/813eec9b45fedc6791c4193d496b7fdbfaf75917/modules/cli/src/main/scala/coursier/cli/util/JsonReport.scala#L132-L148

and the cache access is a few layers below:

https://github.com/coursier/coursier/blob/813eec9b45fedc6791c4193d496b7fdbfaf75917/modules/core/shared/src/main/scala/coursier/core/Resolution.scala#L738-L750

But note that use the “reconciled version” here (i.e.,val dep0 = dep.withVersion(reconciledVersion)), which would be "1.29.0" in this case. A “cache miss” here then results in the the lists of dependencies being empty.

A simple fix, that we’ve verified locally to be working, is to simply query the cache via the “raw version” string, i.e. use dep instead of dep0 in the above snippet, but we are unsure if this causes other unintended side effects.

For context, we saw this behavior when using https://github.com/bazelbuild/rules_jvm_external, which depends on the JSON output from coursier fetch (https://github.com/bazelbuild/rules_jvm_external/issues/433).

We would really appreciate if a maintainer can take a look here! Thank you in advance!