Coursier transitive dependencies bug results in incorrect lockfile #22909
Description
Given three dependencies A, B, and C where A depends on B which depends on C and A only depends on C transitively through B (no explicit dependency), the Coursier locking functionality sometimes will not include C in the dependencies of A. For some combinations of A->B->C such as spring-context->spring-core->spring-jcl, the bug does not exist.
But for timbre->encore->truss, the bug exists.
This seems to happen in situations where you request a version of B from Coursier that isn't the version of B that your version of A wants by default.
This one is fine:
cs fetch --json-output-file timbre_single.json com.taoensso:timbre:6.3.1 -r clojars timbre has both truss and encore in its dependencies
This one is fine as timbre 6.3.1 wants encore 3.68.0 by default:
cs fetch --json-output-file timbre_double.json com.taoensso:timbre:6.3.1 com.taoensso:encore:3.68.0 -r clojars
Requesting a different version of encore than what timbre wants by default produces the error:
cs fetch --json-output-file timbre_bug.json com.taoensso:timbre:6.3.1 com.taoensso:encore:3.132.0 -r clojars
In the first two example, timbre will correctly show both encore and truss in its dependencies. In the third example, timbre will have encore in its dependencies, but truss won't be there. However, if you look at the coord for encore, truss will be present there as a dependency.
The issue persists with Coursier 2.1.24. However, the issue is resolved on 2.1.25-M19 (and perhaps an earlier milestone release). So once they cut a release for 2.1.25, we should update.
In my personal repo, I've just set the default Coursier version to 2.1.25-M19, and that's fine me for now.