UpgradeDependencyVersion does not correctly update BOM imports if they overlap #6322

@MrThaler

What version of OpenRewrite are you using?

I am using

  • rewrite-recipe-bom 3.18.0

How are you running OpenRewrite?

Writing my own recipes, but using JUnit tests to confirm the behavior observed "in the field".

What is the smallest, simplest way to reproduce the problem?

In this test we have two runs:

  • In the first run we only upgrade camunda-bom to 7.3.0 where it has no overlap with camunda-engine-dmn-bom
  • In the second run we upgrade camunda-bom to 7.20.0 where it has 4 entries in common with camunda-engine-dmn-bom (camunda-engine-dmn, camunda-engine-feel-api, camunda-engine-feel-juel and camunda-engine-feel-scala).

  @ParameterizedTest
  @ValueSource(strings = {"7.3.0", "7.20.0"})
  void sequentialRuns(final String targetVersion) {
      rewriteRun(
        spec ->
            spec.recipes(
                new UpgradeDependencyVersion(
                    "org.camunda.bpm", "camunda-bom", targetVersion, null, null, null),
                new UpgradeDependencyVersion(
                    "org.camunda.bpm.dmn", "camunda-engine-dmn-bom", "7.20.0", null, null, null)),
        pomXml("""
              <project>
                <groupId>group.id</groupId>
                <artifactId>artifactId</artifactId>
                <version>1.0.0</version>
  
                <dependencyManagement>
                  <dependencies>
                    <dependency>
                      <groupId>org.camunda.bpm</groupId>
                      <artifactId>camunda-bom</artifactId>
                      <version>7.2.0</version>
                      <type>pom</type>
                      <scope>import</scope>
                    </dependency>
                    <dependency>
                      <groupId>org.camunda.bpm.dmn</groupId>
                      <artifactId>camunda-engine-dmn-bom</artifactId>
                      <version>7.10.0</version>
                      <type>pom</type>
                      <scope>import</scope>
                    </dependency>
                  </dependencies>
                </dependencyManagement>
              </project>
              """,
              """
              <project>
                <groupId>group.id</groupId>
                <artifactId>artifactId</artifactId>
                <version>1.0.0</version>
  
                <dependencyManagement>
                  <dependencies>
                    <dependency>
                      <groupId>org.camunda.bpm</groupId>
                      <artifactId>camunda-bom</artifactId>
                      <version>%s</version>
                      <type>pom</type>
                      <scope>import</scope>
                    </dependency>
                    <dependency>
                      <groupId>org.camunda.bpm.dmn</groupId>
                      <artifactId>camunda-engine-dmn-bom</artifactId>
                      <version>7.20.0</version>
                      <type>pom</type>
                      <scope>import</scope>
                    </dependency>
                  </dependencies>
                </dependencyManagement>
              </project>
              """.formatted(targetVersion)));
  }

What did you expect to see?

Both times both BOMs should be updated to version 7.20.0.

What did you see instead?

Only the first BOM listed in the pom.xml is updated. When swapped around, the other BOM gets updated first; it seems to always be the first one from the top.

Setting the "overrideManagedVersion" flag does not change this behavior.

What else do you have to add?

I'm honestly not sure if this is a bug or not. While not understanding completely what's going on in the source code, I think it keeps track of which dependencies (directly or indirectly) got affected during the run already and does not touch a BOM if a dependency within has already been parsed.
While this might be intended behavior, it does not state so in the documentation.
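
A post-run check for the behaviour reported above, as an added example that is not part of the original issue or of OpenRewrite: it lists the import-scoped BOMs in a `pom.xml` and reports any that did not reach the requested version, so a silently skipped upgrade is caught before the build ships with stale managed dependencies. The helper names and the sample POM are assumptions; the sample is constructed to match the outcome the issue describes for the 7.20.0 run.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop any "{namespace}" prefix so POMs with or without xmlns both work.
    return tag.rsplit("}", 1)[-1]

def _text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def imported_boms(pom_xml):
    """Map (groupId, artifactId) -> version for import-scoped BOMs in the
    project's top-level <dependencyManagement> (profiles are not inspected)."""
    boms = {}
    for section in ET.fromstring(pom_xml):
        if _local(section.tag) != "dependencyManagement":
            continue
        for dep in section.iter():
            if (_local(dep.tag) == "dependency"
                    and _text(dep, "type") == "pom"
                    and _text(dep, "scope") == "import"):
                boms[(_text(dep, "groupId"), _text(dep, "artifactId"))] = _text(dep, "version")
    return boms

def stale_boms(pom_xml, expected):
    """Return (coordinate, found, wanted) for each BOM not at its target.
    A version given as a ${property} is reported too, since it is compared literally."""
    found = imported_boms(pom_xml)
    return [(ga, found.get(ga), want)
            for ga, want in sorted(expected.items()) if found.get(ga) != want]

def _bom(group, artifact, version):
    return (f"<dependency><groupId>{group}</groupId><artifactId>{artifact}</artifactId>"
            f"<version>{version}</version><type>pom</type><scope>import</scope></dependency>")

# Constructed sample: the POM after the 7.20.0 run as the issue describes it
# (first BOM upgraded, second left at 7.10.0).
OBSERVED_POM = ("<project><dependencyManagement><dependencies>"
                + _bom("org.camunda.bpm", "camunda-bom", "7.20.0")
                + _bom("org.camunda.bpm.dmn", "camunda-engine-dmn-bom", "7.10.0")
                + "</dependencies></dependencyManagement></project>")
EXPECTED = {("org.camunda.bpm", "camunda-bom"): "7.20.0",
            ("org.camunda.bpm.dmn", "camunda-engine-dmn-bom"): "7.20.0"}

if __name__ == "__main__":
    for ga, found, want in stale_boms(OBSERVED_POM, EXPECTED):
        print(f"{ga[0]}:{ga[1]} is {found}, expected {want}")
```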
