I upgraded the versions of a list of security vulnerabilities found in transitive dependencies, but I am having trouble with one, which happens to be a grandchild dependency.
The child dependencies were easily remediated by adding something like this to the pom:
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>child</groupId>
      <artifactId>dependency</artifactId>
      <version>${updated.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
However, this did not work for the grandchild. I moved it to the top of the dependencyManagement list to give it first priority, but it made no difference.
I find it hard to believe that a grandchild dependency would be treated differently, especially as I can't find any documentation about this issue, but this seems to be the only difference. Are there other factors to consider?
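Added example, not part of the original post: a small Python check that lists a POM's dependencyManagement entries and labels each one as a BOM import (type pom with scope import, which pulls in that POM's managed versions) or a plain version pin (which sets that artifact's version wherever it appears in the tree, at any depth). The sample POM, the grandchild:library coordinates and the version numbers are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample POM; grandchild:library and all versions are placeholders.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><updated.version>2.0.1</updated.version></properties>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>child</groupId>
      <artifactId>dependency</artifactId>
      <version>${updated.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    <dependency>
      <groupId>grandchild</groupId>
      <artifactId>library</artifactId>
      <version>3.4.5</version>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def classify_managed(pom_xml):
    """Return (coordinates, resolved version, kind) per managed dependency."""
    root = ET.fromstring(pom_xml)  # parse only POMs from your own repository
    props = {}
    for el in root:
        if _local(el.tag) == "properties":
            props = {_local(p.tag): (p.text or "").strip() for p in el}
    entries = []
    for mgmt in (e for e in root.iter() if _local(e.tag) == "dependencyManagement"):
        for dep in (d for d in mgmt.iter() if _local(d.tag) == "dependency"):
            f = {_local(c.tag): (c.text or "").strip() for c in dep}
            version = f.get("version", "")
            if version.startswith("${") and version.endswith("}"):
                version = props.get(version[2:-1], version)  # local properties only
            is_bom = f.get("type") == "pom" and f.get("scope") == "import"
            kind = "bom-import" if is_bom else "version-pin"
            entries.append((f"{f.get('groupId')}:{f.get('artifactId')}", version, kind))
    return entries


if __name__ == "__main__":
    for coords, version, kind in classify_managed(SAMPLE_POM):
        print(f"{kind:11} {coords}:{version}")
```

The version Maven actually resolves for a given artifact can be confirmed with `mvn dependency:tree -Dincludes=groupId:artifactId`.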