wpollock 4 days ago

Under semver, any dependency version X.Y.* is supposed to be compatible with any software that was built with version X.Z.* when Y > Z. If not, the author of the dependency has broken semver.

"Supposed to" being the operative phrase. This is of little comfort when you need version X.Y for a security fix but your build breaks.

Note that Maven is more complex than others here have mentioned. In some cases, Maven compares versions lexically (e.g. version 1.2 is considered newer than version 1.10).

Dependency management is indeed hell.
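
The two points in the comment above, semver's compatibility promise and string-based version ordering, combined in one added example. It is not part of the comment and is not Maven's comparison algorithm; the function names and sample versions are constructed for illustration. It shows a "do we have the security fix?" check giving the wrong answer for 1.2 versus 1.10 when versions are compared as strings.

```python
# Added illustration; all names are hypothetical, and this is not Maven's algorithm.
import re

def parse(version):
    """Split 'X', 'X.Y' or 'X.Y.Z' into a 3-tuple of ints. Anything else is
    rejected so a caller never silently falls back to string ordering."""
    if not re.fullmatch(r"\d+(\.\d+){0,2}", version):
        raise ValueError(f"not a plain numeric version: {version!r}")
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def newer_lexical(a, b):
    """String comparison: the ordering that ranks 1.2 above 1.10."""
    return a > b

def newer_numeric(a, b):
    """Component-wise integer comparison."""
    return parse(a) > parse(b)

def semver_compatible(built_with, candidate):
    """The semver promise quoted above: same major X, candidate not older."""
    b, c = parse(built_with), parse(candidate)
    return b[0] == c[0] and c >= b

def has_fix(installed, first_fixed, compare):
    """True if installed is at or past the first version carrying the fix."""
    return installed == first_fixed or compare(installed, first_fixed)

# Constructed sample: the fix first ships in 1.10.0, the project was built with 1.2.0.
FIRST_FIXED = "1.10.0"
BUILT_WITH = "1.2.0"
INSTALLED = ["1.2.0", "1.10.0", "1.11.3", "2.0.0"]

def report():
    """Rows of (installed, lexical says fixed, numeric says fixed, semver-compatible)."""
    return [(v,
             has_fix(v, FIRST_FIXED, newer_lexical),
             has_fix(v, FIRST_FIXED, newer_numeric),
             semver_compatible(BUILT_WITH, v))
            for v in INSTALLED]

if __name__ == "__main__":
    for row in report():
        print(row)
```

The first row is the dangerous one: the string comparison reports the unpatched 1.2.0 as already containing the fix. The last row is the case the comment complains about, where the fixed version is available but falls outside the semver compatibility promise.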