I have an Android project with it’s fair share of dependencies.
While it may be acceptable to test and vet direct dependencies, they also have certain dependencies for which I would like to have control where they are downloaded from. Security reasons.
I don’t see any way of forcing a certain repository (mine) for transitive dependencies in the documentation - https://docs.gradle.org/current/userguide/managing_transitive_dependencies.html though.
A solution I thought for this would be to
- make a list of al needed dependencies (direct / transitive)
- exclude transitive dependencies from all configurations
- add all dependencies in the original project, hoping that direct dependencies would use these.
This seems too cumbersome for a usecase that should interest many.
Is there any easier solution?