Exclusions are not applied when versions are provided by constraints

[fmck3516]

Hi Spring team!

I made a observation and I'm not sure if it's a bug, or if my expectations are wrong.

Details

https://github.com/fmck3516/io.spring.dependency-management/tree/main

TLDR

The transitive dependency commons-logging is excluded when the version for core-httpclient-impl is provided directly:

dependencies {
    implementation 'com.optimizely.ab:core-httpclient-impl:3.10.2'
}

The transitive dependency commons-logging is NOT excluded when the version forcore-httpclient-impl is provided via constraint:

dependencies {
    constraints {
        implementation 'com.optimizely.ab:core-httpclient-impl:3.10.2'
    }
    implementation 'com.optimizely.ab:core-httpclient-impl'
}

My expectation is that the runtime classpath is the the same: Whether I provide the version directly or via constraint.

[wilkinsona]

Thanks for the report. I think this is a bug. When the plugin's trying to apply Maven-style exclusions it has to copy the configurations. This copying isn't considering constraints so they're lost. As a result, an attempt is made to resolve com.optimizely.ab:core-httpclient-impl:. The lack of version causes it to fail so its pom isn't loaded and the exclusions aren't applied.