Force all transitive dependencies use project repository

I have an Android project with it’s fair share of dependencies.
While it may be acceptable to test and vet direct dependencies, they also have certain dependencies for which I would like to have control where they are downloaded from. Security reasons.

I don’t see any way of forcing a certain repository (mine) for transitive dependencies in the documentation - though.

A solution I thought for this would be to

  • make a list of al needed dependencies (direct / transitive)
  • exclude transitive dependencies from all configurations
  • add all dependencies in the original project, hoping that direct dependencies would use these.

This seems too cumbersome for a usecase that should interest many.
Is there any easier solution?