Let's say I am using a framework with netty and/or jetty, but with a netty version with a security vulnerability.
I tried:
configurations.all {
    Action<Configuration> {
        val conf = this@Action
        dependencies {
            add(conf, ".eclipse.jetty:jetty-http:12.0.12") {
                because("some vuln")
            }
        }
    }
}
This does not work:
$ gw dependencies | grep .eclipse.jetty:jetty-http
| | +--- .eclipse.jetty:jetty-http:11.0.20 (c)
| | +--- .eclipse.jetty:jetty-http:11.0.20
| | +--- .eclipse.jetty:jetty-http:11.0.20 (*)
| | | +--- .eclipse.jetty:jetty-http:11.0.20 (*)
# ...
Then I think I want to bump the whole netty/jetty group, as I suppose it would be better than bumping the single vuln dependency and having an inconsistent group. And at this I fail completely.