How can I query group-level maven endpoint for artifacts that depend on (any version of) a given “group:module”?

Our group has multiple projects. We are using a CI pipeline in each project to build artifacts (via gradle) and publish them to the project’s maven repository. Each project’s build pulls artifacts from the group level maven endpoint, as there are dependencies between our projects.

Each project’s build depends on exact versions of artifacts. This is good for repeatability, but we’d like to at least partially automate the process of upgrading the versions of dependencies in our build files. When we publish a new version of an artifact in one project, we want to trigger a process in the other projects that depend on any version of it so that they can automatically create a merge request to update their dependency versions.

The problem is, if app1 depends on lib2, only app1 knows about this dependency. lib2 doesn’t know what dependes on it, so when it publishes a new version, how can we figure out which other projects need to upgrade?

The maven repository has the full dependency graph, so what I’m hoping to do is:

  1. When we publish a given artifact, say mygroup:project1, ask the group maven endpoint which artifacts depend on mygroup:project1:*.
  2. From the returned artifact names, figure out which projects need updating. (This is easy because of naming convention we use, though perhaps the group endpoint can tell us which project endpoint it got the artifact from?)
  3. Tell each of those projects to check their dependency versions, perhaps by triggering a pipeline that in turn creates a merge request with the upgrade.

Is there a way to ask the group level maven endpoint for the list of artifacts that depend on a known artifact in gradle?

There are tools out there to help. Renovate, Greenkeeper and dependabot help. Integration/implementation is use-case specific, but this blog post discusses some options, Automated dependency updates for your internal GitLab server️ | Blog | simplabs