AddDependency: version update skipped when only test sources are present

[Jenson3210]

Summary

AddDependency with onlyIfUsing=null behaves inconsistently depending on which source set is present in the project:

• With srcMainJava: an existing dependency (e.g. guava 29.0-jre) is correctly updated to 30.0-jre
• With only srcTestJava: the same dependency is not updated and stays at 29.0-jre

Root Cause

In AddDependency.java, the compile scope early-return check (lines 228-239) includes a version comparison:

if (dependencies.get(Scope.Compile) != null) {
    for (ResolvedDependency d : dependencies.get(Scope.Compile)) {
        if (hasAcceptableTransitivity(d, acc) &&
            groupId.equals(d.getGroupId()) &&
            artifactId.equals(d.getArtifactId()) &&
            (d.isTransitive() ||
                    (d.isDirect() && version.equals(d.getVersion())))  // ← checks version
        ) {
            return maven;
        }
    }
}

When versions differ, this check does not return early, allowing AddDependencyVisitor to update the version.

The test/provided scope check (lines 243-250) does not check the version:

if ((resolvedScopeEnum == Scope.Provided || resolvedScopeEnum == Scope.Test) && dependencies.get(resolvedScopeEnum) != null) {
    for (ResolvedDependency d : dependencies.get(resolvedScopeEnum)) {
        if (hasAcceptableTransitivity(d, acc) &&
                groupId.equals(d.getGroupId()) && artifactId.equals(d.getArtifactId())) {
            return maven;  // ← returns early regardless of version mismatch
        }
    }
}

Since compile-scope dependencies are also resolved in test scope, the existing dependency is found and the recipe returns early without ever reaching AddDependencyVisitor.

How to reproduce

When the scope is resolved as test (because only test sources exist), AddDependency will not update an existing compile-scope dependency to a newer version. With srcMainJava present, the scope resolves as compile and the version check allows the update to proceed.

Discussion

The question is: should the test/provided scope check also include a version comparison (like the compile scope check does), so that version updates are applied consistently regardless of the source set? Or is the current behavior intentional — i.e., test/provided scope dependencies should not be bumped?

[Jenson3210]

@timtebeek this explains the downstream failure. Should we add a version check?

[timtebeek]

I don't think that would have been intentional, and if it was it should be caught by an existing test. Seems fine to me to add the version check for other scopes as well, thanks!

[Jenson3210]

@timtebeek Would we want to do an update or no update? Worried that AddDependency would become too wide and differ behavior from upgrade recipe.
IMO when they want an update, this recipe should not be used. WDYT?