Add sibling exclusion for new coordinates instead of replacing old ones

ChangeDependencyGroupIdAndArtifactId previously called ChangeExclusion to
rename exclusions matching the old coordinates to the new ones. This was
incorrect because the old exclusion exists to block the OLD vulnerable
transitive dependency that other libraries may still pull in.

Now, when changing dependency coordinates, existing exclusions for the old
coordinates are preserved and a sibling exclusion for the new coordinates
is added alongside them. This ensures both old and new transitive
dependencies are excluded.

Author: Jenson3210

rewrite-maven/src/main/java/org/openrewrite/maven/ChangeDependencyGroupIdAndArtifactId.java

@@ -122,7 +122,8 @@ public String getInstanceNameSuffix() {
     }
 
     String description = "Change a Maven dependency coordinates. The `newGroupId` or `newArtifactId` **MUST** be different from before. " +
-                "Matching `<dependencyManagement>` coordinates are also updated if a `newVersion` or `versionPattern` is provided.";
+                "Matching `<dependencyManagement>` coordinates are also updated if a `newVersion` or `versionPattern` is provided. " +
+                "Exclusions that reference the old dependency coordinates are preserved, and a sibling exclusion for the new coordinates is added alongside them.";
 
     @Override
     public Validated<Object> validate() {
@@ -269,6 +270,36 @@ public Xml visitDocument(Xml.Document document, ExecutionContext ctx) {
                             newArtifactId,
                             newVersion, versionPattern).getVisitor());
                 }
+                // Add sibling exclusions for the new coordinates alongside existing old exclusions
+                if (newGroupId != null || newArtifactId != null) {
+                    String effectiveNewGroupId = newGroupId != null ? newGroupId : oldGroupId;
+                    String effectiveNewArtifactId = newArtifactId != null ? newArtifactId : oldArtifactId;
+                    doAfterVisit(new MavenVisitor<ExecutionContext>() {
+                        @Override
+                        public Xml visitTag(Xml.Tag tag, ExecutionContext ctx) {
+                            Xml.Tag t = (Xml.Tag) super.visitTag(tag, ctx);
+                            if (!"exclusions".equals(t.getName())) {
+                                return t;
+                            }
+                            boolean hasOldExclusion = t.getChildren("exclusion").stream()
+                                    .anyMatch(e -> matchesGlob(e.getChildValue("groupId").orElse(null), oldGroupId) &&
+                                                   matchesGlob(e.getChildValue("artifactId").orElse(null), oldArtifactId));
+                            boolean hasNewExclusion = t.getChildren("exclusion").stream()
+                                    .anyMatch(e -> effectiveNewGroupId.equals(e.getChildValue("groupId").orElse(null)) &&
+                                                   effectiveNewArtifactId.equals(e.getChildValue("artifactId").orElse(null)));
+                            if (hasOldExclusion && !hasNewExclusion) {
+                                t = (Xml.Tag) new AddToTagVisitor<>(t, Xml.Tag.build(
+                                        "<exclusion>\n" +
+                                        "<groupId>" + effectiveNewGroupId + "</groupId>\n" +
+                                        "<artifactId>" + effectiveNewArtifactId + "</artifactId>\n" +
+                                        "</exclusion>"))
+                                        .visitNonNull(t, ctx, getCursor().getParentOrThrow());
+                                maybeUpdateModel();
+                            }
+                            return t;
+                        }
+                    });
+                }
                 return super.visitDocument(document, ctx);
             }
 

rewrite-maven/src/test/java/org/openrewrite/maven/ChangeDependencyGroupIdAndArtifactIdTest.java

@@ -3489,11 +3489,10 @@ void versionNotDroppedWhenSwaggerMigratedFirst() {
 
     @Issue("https://github.com/moderneinc/customer-requests/issues/1330")
     @Test
-    void exclusionNotUpdatedWhenDependencyGroupIdChanges() {
+    void exclusionPreservedAndSiblingAddedWhenDependencyGroupIdChanges() {
         // When changing a dependency's groupId/artifactId, exclusions that match
-        // the old coordinates should NOT be updated. The exclusion exists to block
-        // the old transitive dependency, and other libraries may still depend on
-        // the old artifact transitively.
+        // the old coordinates should be preserved, and a sibling exclusion for the
+        // new coordinates should be added alongside them.
         rewriteRun(
           spec -> spec.recipe(new ChangeDependencyGroupIdAndArtifactId(
             "com.fasterxml.jackson.jaxrs",
@@ -3532,19 +3531,26 @@ void exclusionNotUpdatedWhenDependencyGroupIdChanges() {
               </project>
               """,
             spec -> spec.after(actual -> assertThat(actual)
-              .containsPattern("<groupId>com\\.fasterxml\\.jackson\\.jakarta\\.rs</groupId>\\s*<artifactId>jackson-jakarta-rs-json-provider</artifactId>\\s*<version>2\\.\\d+\\.\\d+</version>")
+              // Old exclusion preserved
+              .contains("<groupId>com.fasterxml.jackson.jaxrs</groupId>")
+              .contains("<artifactId>jackson-jaxrs-json-provider</artifactId>")
+              // Sibling exclusion added for new coordinates
+              .contains("<groupId>com.fasterxml.jackson.jakarta.rs</groupId>")
+              .contains("<artifactId>jackson-jakarta-rs-json-provider</artifactId>")
+              // Version updated
+              .containsPattern("<version>2\\.\\d+\\.\\d+</version>")
               .doesNotContain("<version>2.9.7</version>")
               .actual())
           )
         );
     }
 
     @Test
-    void exclusionsForOldDependencyShouldNotBeChanged() {
+    void exclusionPreservedAndSiblingAddedForNewCoordinates() {
         // When changing commons-lang:commons-lang to org.apache.commons:commons-lang3,
-        // exclusions for commons-lang:commons-lang in OTHER dependencies should NOT be updated.
-        // The exclusion exists to block the old vulnerable transitive dependency, and
-        // other libraries may still transitively depend on commons-lang:commons-lang.
+        // the old exclusion for commons-lang:commons-lang should be preserved (to block
+        // the vulnerable transitive dependency), and a sibling exclusion for the new
+        // coordinates should be added alongside it.
         rewriteRun(
           spec -> spec.recipe(new ChangeDependencyGroupIdAndArtifactId(
             "commons-lang",
@@ -3581,32 +3587,15 @@ void exclusionsForOldDependencyShouldNotBeChanged() {
                   </dependencies>
               </project>
               """,
-            """
-              <project>
-                  <modelVersion>4.0.0</modelVersion>
-                  <groupId>com.mycompany.app</groupId>
-                  <artifactId>my-app</artifactId>
-                  <version>1</version>
-                  <dependencies>
-                      <dependency>
-                          <groupId>org.apache.commons</groupId>
-                          <artifactId>commons-lang3</artifactId>
-                          <version>3.20.0</version>
-                      </dependency>
-                      <dependency>
-                          <groupId>org.apache.struts</groupId>
-                          <artifactId>struts2-core</artifactId>
-                          <version>2.5.30</version>
-                          <exclusions>
-                              <exclusion>
-                                  <groupId>commons-lang</groupId>
-                                  <artifactId>commons-lang</artifactId>
-                              </exclusion>
-                          </exclusions>
-                      </dependency>
-                  </dependencies>
-              </project>
-              """
+            spec -> spec.after(actual -> assertThat(actual)
+              // Direct dependency changed to commons-lang3
+              .containsPattern("<groupId>org\\.apache\\.commons</groupId>\\s*<artifactId>commons-lang3</artifactId>\\s*<version>3\\.\\d+\\.\\d+</version>")
+              .doesNotContain("<version>2.6</version>")
+              // Old exclusion preserved
+              .containsPattern("<exclusion>\\s*<groupId>commons-lang</groupId>\\s*<artifactId>commons-lang</artifactId>\\s*</exclusion>")
+              // Sibling exclusion added for new coordinates
+              .containsPattern("<exclusion>\\s*<groupId>org\\.apache\\.commons</groupId>\\s*<artifactId>commons-lang3</artifactId>\\s*</exclusion>")
+              .actual())
           )
         );
     }