hexpm / hex

Package manager for the Erlang ecosystem.
https://hex.pm

Hex 2.0.0 version resolver bug - incorrectly resolving shared dependency #959

Closed akosasante closed 1 year ago

akosasante commented 1 year ago

Hi, I posted in the Slack and was notified that a fix is incoming for this but just wanted to open an Issue here for posterity/tracking purposes.

Reproduction Steps:

My repo has the following deps:

  defp deps do
    [
      {:bugsnag, "~> 1.7.0"},
      {:plugsnag, github: "bugsnag-elixir/plugsnag", tag: "1.4.0"}
    ]
  end

Plugsnag has a dependency on bugsnag: https://github.com/bugsnag-elixir/plugsnag/blob/da90b90f3eb97c5de1c25bf357bc22fe968a861e/mix.exs#L29

  defp deps do
    [{:bugsnag, "~> 1.3 or ~> 2.0"},
     {:plug, "~> 1.0"},
     {:ex_doc, ">= 0.0.0", only: :dev},
     {:dialyxir, "~> 0.3.5", only: [:dev]}
    ]
  end

With Hex 1.0.1, mix deps.get installs bugsnag 1.7.0. With Hex 2.0.0, it installs bugsnag 3.0.2 (the latest version). This is despite the fact that the bugsnag dependency in my application is asking for >= 1.7.0 AND < 2.0.0 (per my understanding of the ~> symbol), but it's installing something completely outside of both requested versions.

We also have a fork of the plugsnag library which results in a different version getting installed:

PagerDuty/plugsnag mix.exs:

  defp deps do
    [{:bugsnag, "~> 1.3 or ~> 2.0"},
     {:plug, "~> 1.0"},
     {:ex_doc, "~> 0.19", only: :dev},
     {:dialyxir, "~> 0.3.5", only: [:dev]}
    ]
  end

So if in my app I have our fork instead:

  defp deps do
    [
      {:bugsnag, "~> 1.7.0"},
      {:plugsnag, github: "PagerDuty/plugsnag", tag: "1.4.0"}
    ]
  end

With Hex 1.0.1, mix deps
With Hex 2.0.0, mix deps.get installs bugsnag 2.1.1

This time it is within the range allowed by our plugsnag dep definition but still outside of the range allowed by bugsnag dep.
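The two resolutions above can be re-checked mechanically against every requirement that names bugsnag, which is the kind of gate a CI job could run over mix.lock to catch a resolver that picks a version outside what the project declared. This is an added example using Elixir's standard Version.match?/2, not code from Hex or from the reporter; the requirements are the ones quoted in this issue, the resolved versions are the ones reported, and the module and dependent names ("my_app") are assumed.

```elixir
# Added example, not part of Hex: check a resolved package version against the
# requirement of every dependent that declares it, so that a resolution which
# satisfies one dependent but violates another is reported rather than installed.
defmodule ResolutionCheck do
  # package => [{dependent that declares it, requirement string}]
  # Requirements copied from the issue; "my_app" is an assumed name for the reporter's app.
  @requirements %{
    "bugsnag" => [
      {"my_app", "~> 1.7.0"},
      {"plugsnag", "~> 1.3 or ~> 2.0"}
    ]
  }

  # Returns the {dependent, requirement} pairs that the resolved version does not satisfy.
  def violations(package, resolved_version) do
    @requirements
    |> Map.get(package, [])
    |> Enum.reject(fn {_dependent, req} -> Version.match?(resolved_version, req) end)
  end

  # Takes a map of package => resolved version (what mix.lock would record) and
  # returns a list of {package, version, dependent, requirement} violations.
  def check(resolved) do
    Enum.flat_map(resolved, fn {pkg, ver} ->
      Enum.map(violations(pkg, ver), fn {dep, req} -> {pkg, ver, dep, req} end)
    end)
  end
end

# Hex 1.0.1 resolution: 1.7.0 satisfies both "~> 1.7.0" and "~> 1.3 or ~> 2.0".
IO.inspect(ResolutionCheck.check(%{"bugsnag" => "1.7.0"}), label: "1.7.0")

# Hex 2.0.0 resolution with bugsnag-elixir/plugsnag: 3.0.2 violates both requirements.
IO.inspect(ResolutionCheck.check(%{"bugsnag" => "3.0.2"}), label: "3.0.2")

# Hex 2.0.0 resolution with the PagerDuty fork: 2.1.1 satisfies plugsnag's
# requirement but still violates the app's own "~> 1.7.0".
IO.inspect(ResolutionCheck.check(%{"bugsnag" => "2.1.1"}), label: "2.1.1")
```

Run it with `elixir resolution_check.exs`; an empty list means every dependent's requirement is satisfied, anything else is a version the resolver should not have picked.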

ericmj commented 1 year ago

Thanks for opening an issue.