The root WF pom's dependencyManagement depends on the root WF Core pom, with import scope. The result is the WF Core dependencyManagement is pulled into full WF, eliminating the need to duplicate entries. In general this is a good thing, as it produces alignment between core and full.
The downside to it is it is easy to change versions in core without thinking about their use in full WF, e.g. without pinging the leads for the affected components in full.
The tradeoff here is generally worth it IMHO, but where it is not is for libs that are used only for testing in core but are used in production in full WF. There we should explicitly declare the version and dep in full WF and not rely on the import.
Apache Commons IO is the specific case that led to this issue; there may be others.
Note that it's OK with me to let core control test dependencies for truly test libraries where we want alignment on how testing works.
Related to this I want to work out a way to get such dependencies out of the main dependencyManagement in WF Core. That will help prevent problems popping up in the future, plus may make it easier to control test-only deps in core without fearing that what's done in core would impact full WF. Netty is a good example where that's currently a problem in core. Some test frameworks use it, and I'm reluctant to control the version in core's dependencyManagement for fear of getting tangled up with the far more important use in full WF.
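One way to find other affected libraries is sketched below as an added example; it is not code from the project. It flags every dependency that a full module uses outside test scope while its version is managed only through the imported core pom, which is broader than the core-test-only case described above. The `org.example.core:core-parent` coordinates, the helper names and the sample POMs are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
MANAGED = "m:dependencyManagement/m:dependencies/m:dependency"
USED = "m:dependencies/m:dependency"

def _deps(pom_xml, path):
    """Return {(groupId, artifactId): scope} for the <dependency> entries under path."""
    out = {}
    for d in ET.fromstring(pom_xml).findall(path, NS):
        ga = (d.findtext("m:groupId", namespaces=NS),
              d.findtext("m:artifactId", namespaces=NS))
        out[ga] = d.findtext("m:scope", default="compile", namespaces=NS)
    return out

def inherited_production_deps(core_parent, full_parent, full_modules):
    """Dependencies used in production scope by full modules whose version
    is controlled only by the imported core dependencyManagement."""
    core_managed = _deps(core_parent, MANAGED)
    # Entries with scope "import" are BOM imports, not explicit declarations.
    explicit = {ga for ga, scope in _deps(full_parent, MANAGED).items()
                if scope != "import"}
    flagged = set()
    for module in full_modules:
        for ga, scope in _deps(module, USED).items():
            if scope != "test" and ga in core_managed and ga not in explicit:
                flagged.add(ga)
    return sorted(flagged)

# Constructed sample POMs (versions omitted; only coordinates and scopes matter here).
def pom(body):
    return f'<project xmlns="http://maven.apache.org/POM/4.0.0">{body}</project>'

def dep(group, artifact, scope=None):
    s = f"<scope>{scope}</scope>" if scope else ""
    return (f"<dependency><groupId>{group}</groupId>"
            f"<artifactId>{artifact}</artifactId>{s}</dependency>")

def managed(*deps):
    return ("<dependencyManagement><dependencies>" + "".join(deps)
            + "</dependencies></dependencyManagement>")

CORE_PARENT = pom(managed(dep("commons-io", "commons-io"), dep("junit", "junit")))
CORE_IMPORT = dep("org.example.core", "core-parent", "import")  # hypothetical coordinates
FULL_PARENT = pom(managed(CORE_IMPORT))
FULL_PARENT_PINNED = pom(managed(dep("commons-io", "commons-io"), CORE_IMPORT))
FULL_MODULES = [pom("<dependencies>" + dep("commons-io", "commons-io")
                    + dep("junit", "junit", "test") + "</dependencies>")]

if __name__ == "__main__":
    print(inherited_production_deps(CORE_PARENT, FULL_PARENT, FULL_MODULES))
```

Each flagged coordinate is a candidate for an explicit version entry in the full pom's own dependencyManagement.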