feat: pin kit SDK dependencies to current supported ranges #725

Merged: nickolas-dimitrakas merged 3 commits into workstation/6.0-Release from nickolas-dimitrakas/pin-adjust-sdk-range-workstation-6 on Jun 25, 2026


@nickolas-dimitrakas nickolas-dimitrakas commented Jun 24, 2026

Background

Align Android kit dependency metadata with the iOS kit pattern of supporting one third-party SDK major per kit. Each currently supported Android kit should declare a bounded third-party SDK range so consumers do not resolve into unsupported future versions.

What Has Changed

Kit dependency ranges

  • Update production third-party SDK dependencies across the currently supported kit modules from exact versions to bounded Maven ranges.
  • Use the version currently listed in each kit as the inclusive lower bound, preserving the minimum SDK version that the kit already declared.
  • Use the next unsupported major version as the exclusive upper bound where the current kit is compatible with that full major line.
  • Cover Adjust, Adobe Media, AppsFlyer, Apptentive, Apptimize, Branch, Braze, CleverTap, Comscore, GA, GA4, Iterable, Kochava, Leanplum, Localytics, OneTrust, Optimizely, Radar, Rokt, Singular, and Urban Airship.
  • Keep mParticle internal dependencies and test-only dependencies unchanged, except GA/GA4 compile-time/test Firebase measurement dependencies that model the supported SDK line.
  • Keep Radar on the validated 3.5.x support line with [3.5.11,3.6.0) because a broad 3.x range resolves to 3.34.0, which no longer exposes APIs used by the current kit.
  • Keep Braze 41 on [41.0.0,41.1.0) because 41.1.1 pulls androidx.swiperefreshlayout:swiperefreshlayout:1.2.0, which requires AGP 8.6 while this branch uses AGP 8.3.2.
  • Keep Leanplum 7 on [7.0.1,7.1.0) because 7.8.0 raises the library minSdk requirement to 21 while the kit/example build still uses minSdk 16.

Adobe Media kit — BOM lock-in and rename (adobemedia-5 -> adobemedia-3)

  • Renamed the kit module from adobemedia-5 to adobemedia-3. Kit directories follow the wrapped-SDK-major convention (e.g. adjust-5 wraps Adjust v5), and the Adobe Experience Platform Mobile SDK is at major 3.x, so 5 was incorrect.
  • Replaced the mixed per-artifact pins with Adobe's recommended Bill of Materials (BOM): api platform('com.adobe.marketing.mobile:sdk-bom:[3.0.0,4.0.0)') with each extension (core, analytics, media, userprofile, lifecycle, identity, signal) declared with no version. The BOM pins all extensions to a mutually-compatible set, and the range tracks the latest 3.x minor/patch automatically — the Gradle equivalent of iOS SPM .upToNextMajor(from: "3.0.0").
  • Dropped the legacy com.adobe.marketing.mobile:sdk-core (the 1.x ACP Core bundle, deprecated by Adobe on 2024-06-30) and com.adobe.marketing.mobile:mobileservices (listed by Adobe as "Not supported" on Android, and unused by the kit). These legacy 1.x artifacts were previously mixed with the modern AEP 3.x extensions; the kit source already targets the AEP 3.x API surface (MobileCore, Media, Analytics, …), so modern core now arrives via the BOM instead.

Adobe kit — rename (adobe-5 -> adobe)

  • Renamed the kit module from adobe-5 to adobe. This kit is a server-to-server integration with no Adobe SDK dependency (no com.adobe.* imports), so the wrapped-SDK-major suffix does not apply. It now follows the no-number convention used by the OneTrust and Rokt kits.
  • The published artifact version (android-adobe-kit:5+) is intentionally unchanged, consistent with other no-number kits whose published major is independent of the directory name.

Shared updates for the renames

  • Updated kits/matrix.json, settings-kits.gradle, settings-kit-examples.gradle, and each example module's implementation project(...) reference for both renamed kits.

Follow-up Candidates

  • Radar 3 can be widened in a follow-up after updating the kit implementation against the newer Radar 3.x APIs and confirming whether compatibility with 3.5.11 can still be preserved.
  • Braze 41 can be widened in a follow-up after the workstation 6 branch moves to AGP 8.6+ or otherwise handles the swiperefreshlayout:1.2.0 AAR metadata requirement introduced by Braze 41.1.1.
  • Leanplum 7 needs a compatibility decision before widening: newer 7.x artifacts raise minSdk to 21, so supporting them may require a separate minSdk 21 kit line or an agreed change to the kit's Android version support.
  • Cross-platform test workflow compatibility should be handled separately; it currently invokes Gradle 7.5.1 against workstation 6, which requires Gradle 8.4+ through AGP.

Screenshots/Video

N/A - no visual changes.

Validation

  • trunk check passed with no new issues.
  • ./gradlew build passed.
  • ./gradlew test passed.
  • ./gradlew ktlintCheck passed.
  • ./gradlew -c settings-kits.gradle -Pmparticle.kit.mparticleFromMavenLocalOnly=true testRelease ktlintCheck publishMavenPublicationToMavenLocal passed.
  • Adobe Media BOM: :kits:android-adobemedia:adobemedia-3:dependencies resolves sdk-bom to the latest 3.x (3.19.0), core to 3.7.0, with sdk-core/mobileservices no longer present; testReleaseUnitTest and assembleRelease pass.
  • Adobe rename: :kits:android-adobe:adobe:assembleRelease passes and the project loads under the updated settings.
  • ./gradlew ':kits:android-braze:braze-41:example-kotlin:assembleDebug' -c settings-kit-examples.gradle -Pmparticle.kit.mparticleFromMavenLocalOnly=true passed.
  • ./gradlew ':kits:android-leanplum:leanplum-7:example-kotlin:assembleDebug' -c settings-kit-examples.gradle -Pmparticle.kit.mparticleFromMavenLocalOnly=true passed.
  • cd kits/urbanairship/urbanairship-20 && ./gradlew -Pmparticle.kit.mparticleFromMavenLocalOnly=true testRelease ktlintCheck passed.
  • CI instrumented-core / Instrumented Tests (Core) passed on commit fc26cc3a; a fresh run is pending after reverting the unrelated buildSrc compatibility change.

Checklist

  • Self-review completed
  • Tests added or updated
  • Tested locally
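
Added example, not part of the PR or the project's code: a small Python check of the bounded-range semantics described above (inclusive `[` lower bound, exclusive `)` upper bound), confirming that the narrowed Radar, Braze 41 and Leanplum 7 ranges exclude the versions the description names as breaking. It assumes purely numeric dotted versions; the function names and the `FULL_MAJOR` comparison ranges are constructed for illustration.

```python
import re

# Maven/Gradle range syntax: '[' and ']' are inclusive bounds, '(' and ')' exclusive.
_RANGE = re.compile(r"^([\[(])\s*([\d.]*)\s*,\s*([\d.]*)\s*([\])])$")

def parse_version(text):
    """Numeric dotted versions only (assumption: no qualifiers such as -beta1).
    Trailing zeros are dropped so that 3.6 and 3.6.0 compare equal."""
    parts = [int(p) for p in text.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_range(spec):
    m = _RANGE.match(spec.strip())
    if not m:
        raise ValueError(f"not a version range: {spec!r}")
    lo_br, lo, hi, hi_br = m.groups()
    return (parse_version(lo) if lo else None, lo_br == "[",
            parse_version(hi) if hi else None, hi_br == "]")

def in_range(spec, version):
    lo, lo_incl, hi, hi_incl = parse_range(spec)
    v = parse_version(version)
    if lo is not None and (v < lo or (v == lo and not lo_incl)):
        return False
    if hi is not None and (v > hi or (v == hi and not hi_incl)):
        return False
    return True

def highest_match(spec, published):
    """A range resolves to the highest published version inside it.
    Comparison is numeric per component, so 3.34.0 sorts above 3.5.11."""
    hits = [v for v in published if in_range(spec, v)]
    return max(hits, key=parse_version) if hits else None

def admitted_breaking(declared, known_breaking):
    """Return {kit: version} for every known-breaking version a declared range admits."""
    return {kit: bad for kit, bad in known_breaking.items()
            if in_range(declared[kit], bad)}

# Ranges and breaking versions are the ones named in the PR description.
DECLARED = {"radar-3": "[3.5.11,3.6.0)", "braze-41": "[41.0.0,41.1.0)",
            "leanplum-7": "[7.0.1,7.1.0)"}
KNOWN_BREAKING = {"radar-3": "3.34.0", "braze-41": "41.1.1", "leanplum-7": "7.8.0"}
# Constructed for comparison: the full-major form the narrowed ranges replace.
FULL_MAJOR = {"radar-3": "[3.5.11,4.0.0)", "braze-41": "[41.0.0,42.0.0)",
              "leanplum-7": "[7.0.1,8.0.0)"}

if __name__ == "__main__":
    print(admitted_breaking(DECLARED, KNOWN_BREAKING))
    print(admitted_breaking(FULL_MAJOR, KNOWN_BREAKING))
    print(highest_match("[3.5.11,4.0.0)", ["3.5.11", "3.34.0"]))
```

A range still floats inside its band, so a check like this only guards the upper bound; what a consumer actually resolves is whatever the repository publishes within it at build time.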

@nickolas-dimitrakas nickolas-dimitrakas requested a review from a team as a code owner June 24, 2026 15:55
cursor Bot commented Jun 24, 2026

PR Summary

Medium Risk
Wide dependency-metadata change affects consumer resolution for many analytics/engagement kits; narrowed ranges for Radar, Braze 41, and Leanplum reduce but do not eliminate surprise upgrades within the declared bands.

Overview
Android kit modules now declare bounded Maven version ranges on third-party SDKs (inclusive lower bound = previous pin, exclusive upper bound = next unsupported major), matching the iOS “one major per kit” pattern so apps do not float into untested SDK versions.

Adobe Media drops pinned per-artifact Adobe Mobile SDK coordinates in favor of sdk-bom:[3.0.0,4.0.0) plus BOM-aligned core, analytics, media, and related modules. Gradle wiring renames Adobe kit entries from adobe-5 / adobemedia-5 to adobe and adobemedia-3 in settings-kits.gradle, settings-kit-examples.gradle, kits/matrix.json, and example app project() dependencies; adobemedia README now documents android-adobemedia-kit:3+.

Several kits use tighter caps than a full major line: Radar [3.5.11,3.6.0), Braze 41 [41.0.0,41.1.0), and Leanplum 7 [7.0.1,7.1.0) to avoid API, AGP, and minSdk breakage. GA/GA4 test/compile-only Firebase measurement deps use the same range style as the supported analytics line.

Reviewed by Cursor Bugbot for commit 3726f3e.

@nickolas-dimitrakas nickolas-dimitrakas changed the title from "Pin Adjust SDK dependency to major 5" to "build(adjust): pin Adjust SDK dependency to major 5" Jun 24, 2026
@nickolas-dimitrakas nickolas-dimitrakas force-pushed the nickolas-dimitrakas/pin-adjust-sdk-range-workstation-6 branch from 80e5659 to 6a38450 June 24, 2026 18:01
@nickolas-dimitrakas nickolas-dimitrakas changed the title from "build(adjust): pin Adjust SDK dependency to major 5" to "feat: pin kit SDK dependencies to supported ranges" Jun 24, 2026
Comment thread kits/radar/radar-3/build.gradle
@nickolas-dimitrakas nickolas-dimitrakas force-pushed the nickolas-dimitrakas/pin-adjust-sdk-range-workstation-6 branch from 6a38450 to 54266fd June 24, 2026 18:37
@nickolas-dimitrakas nickolas-dimitrakas changed the title from "feat: pin kit SDK dependencies to supported ranges" to "feat: pin kit SDK dependencies to current supported ranges" Jun 24, 2026
@nickolas-dimitrakas nickolas-dimitrakas force-pushed the nickolas-dimitrakas/pin-adjust-sdk-range-workstation-6 branch from 54266fd to 421c19f June 24, 2026 19:01

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes using default effort and found 2 potential issues.

There are 3 total unresolved issues (including 1 from previous review).

Reviewed by Cursor Bugbot for commit 421c19f.

Comment thread kits/leanplum/leanplum-7/build.gradle
Comment thread kits/braze/braze-41/build.gradle
@nickolas-dimitrakas nickolas-dimitrakas force-pushed the nickolas-dimitrakas/pin-adjust-sdk-range-workstation-6 branch from 421c19f to fc26cc3 June 24, 2026 19:29
Comment thread buildSrc/src/main/kotlin/com/mparticle/MavenCentralPublish.kt Outdated
denischilik previously approved these changes Jun 24, 2026

@denischilik denischilik left a comment

Contributor

Small nit, rest good to me

@nickolas-dimitrakas nickolas-dimitrakas force-pushed the nickolas-dimitrakas/pin-adjust-sdk-range-workstation-6 branch from fc26cc3 to 38693db June 24, 2026 19:45
…K BOM

Adobe's Experience Platform SDK is at major 3.x, so the kit directory now
follows the wrapped-SDK-major convention (adobemedia-5 -> adobemedia-3).

Replace the mixed per-artifact pins with the Adobe sdk-bom. The legacy
sdk-core (deprecated 2024-06-30) and mobileservices (unsupported on Android)
artifacts are dropped; modern `core` now arrives via the BOM. The BOM range
[3.0.0,4.0.0) auto-tracks the latest 3.x minor/patch, the Gradle equivalent
of iOS SPM .upToNextMajor(from: "3.0.0").

Updated matrix.json, settings-kits.gradle, settings-kit-examples.gradle, the
example module project ref, and the README install line.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…adobemedia BOM comments

The adobe kit is a server-to-server integration with no Adobe SDK dependency
(no com.adobe.* imports), so the wrapped-SDK-major suffix does not apply —
renamed adobe-5 -> adobe, matching the no-number convention used by onetrust
and rokt. Updated matrix.json, settings-kits.gradle, settings-kit-examples.gradle,
and the example module project ref. The published artifact version
(android-adobe-kit:5+) is unchanged, consistent with other no-number kits.

Also removed the explanatory comments from the adobemedia-3 BOM block.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@nickolas-dimitrakas nickolas-dimitrakas merged commit 7ecc532 into workstation/6.0-Release Jun 25, 2026
45 of 48 checks passed
@nickolas-dimitrakas nickolas-dimitrakas deleted the nickolas-dimitrakas/pin-adjust-sdk-range-workstation-6 branch June 25, 2026 15:11
@sonarqubecloud

Quality Gate failed

Failed conditions
8.4% Duplication on New Code (required ≤ 3%)
C Security Rating on New Code (required ≥ A)
