It appears that dependency resolution for detached and bundled plugins makes no guarantees about which version of a dependency gets installed if different versions are requested. Discovered by while investigating JENKINS-48604, see https://github.com/jenkinsci/jenkins/pull/3201#discussion_r157554968.

I don't have an actual example of this in the wild, but here is the idea of how to reproduce:

1. Assume a plugin artifactA with two releases: 1.0 and 2.0
2. Assume a plugin artifactB, with a single release 1.0, which has a dependency on artifactA:1.0
3. Assume a plugin artifactC, with a single release 1.0, which has a dependency on artifactA:2.0
4. Create a fresh Jenkins installation.
5. Upgrade Jenkins using a jenkins.war with artifactB:1.0 and artifactC:1.0 in /WEB-INF/detached-plugins
6. Expected Result: artifactA:2.0 should be installed.
7. Actual Result: The installed version of artifactA depends on which of artifactB and artifactC is processed first, (alphabetical order, hashset iteration order?).