jendrik, Maven Central and Gradle Plugin Portal should have never allowed to publish dependencies with not-fixed versions.
If you don't check your transitives carefully, something might sneak in. And you have non-reproducible builds. Which you only notice once something breaks.
Like here: https://github.com/google/guava/issues/6612#issuecomment-1618157335