From 265f285aadc86fa0b898b01b2d3447fec744aa4a Mon Sep 17 00:00:00 2001
From: VenkateshPabbati
Date: Fri, 5 Sep 2025 00:45:24 +0530
Subject: [PATCH 1/9] Create dependabot.yml
---
 .github/dependabot.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..9d866e3928
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+ - package-ecosystem: "pip" # See documentation for possible values
+ directory: "/" # Location of package manifests
+ schedule:
+ interval: "weekly"
From 2ba55a524c3a3ed19b810726f02c792cb3cf3259 Mon Sep 17 00:00:00 2001
From: VenkateshPabbati
Date: Fri, 5 Sep 2025 00:46:03 +0530
Subject: [PATCH 2/9] Create SECURITY.md
---
 SECURITY.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..034e848032
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 5.1.x | :white_check_mark: |
+| 5.0.x | :x: |
+| 4.0.x | :white_check_mark: |
+| < 4.0 | :x: |
+
+## Reporting a Vulnerability
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them where to go, how often they can expect to get an update on a
+reported vulnerability, what to expect if the vulnerability is accepted or
+declined, etc.
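Review bot: The new config covers only the `pip` ecosystem at `/`; if the repository has workflows under `.github/workflows`, the actions they reference get no update or pin-bump coverage, which is the more common supply-chain gap. Consider a second entry, `- package-ecosystem: "github-actions"` with `directory: "/"` and the same weekly schedule. The later patches in this series show Dependabot widening upper bounds (for example `<9.0.0` to `<10.0.0`) rather than bumping pins, so it is also worth deciding whether full version updates or only security updates are wanted here, and adding `open-pull-requests-limit` to bound the churn. The template comments at the top can be dropped once the entries are finalised.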
From 503800989d65cd52ca24bf6a63157bf8dce46504 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 4 Sep 2025 19:17:06 +0000
Subject: [PATCH 3/9] chore(deps): update tenacity requirement
Updates the requirements on [tenacity](https://github.com/jd/tenacity) to permit the latest version.
- [Release notes](https://github.com/jd/tenacity/releases)
- [Commits](https://github.com/jd/tenacity/compare/8.0.0...9.1.2)
---
updated-dependencies:
- dependency-name: tenacity
dependency-version: 9.1.2
dependency-type: direct:production
...
Signed-off-by: dependabot[bot]
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index 1105e345ce..60a7e7ad54 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -51,7 +51,7 @@ dependencies = [
 "sqlalchemy-spanner>=1.14.0", # Spanner database session service
 "sqlalchemy>=2.0, <3.0.0", # SQL database ORM
 "starlette>=0.46.2, <1.0.0", # For FastAPI CLI
- "tenacity>=8.0.0, <9.0.0", # For Retry management
+ "tenacity>=8.0.0, <10.0.0", # For Retry management
 "typing-extensions>=4.5, <5",
 "tzlocal>=5.3, <6.0", # Time zone utilities
 "uvicorn>=0.34.0, <1.0.0", # ASGI server for FastAPI
From b67d9c8b85104439dbc0b53a12ce55e3af8e0eed Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 4 Sep 2025 19:17:13 +0000
Subject: [PATCH 4/9] chore(deps): update google-cloud-storage requirement
Updates the requirements on [google-cloud-storage](https://github.com/googleapis/python-storage) to permit the latest version.
- [Release notes](https://github.com/googleapis/python-storage/releases)
- [Changelog](https://github.com/googleapis/python-storage/blob/main/CHANGELOG.md)
- [Commits](https://github.com/googleapis/python-storage/compare/v2.18.0...v3.3.1)
---
updated-dependencies:
- dependency-name: google-cloud-storage
dependency-version: 3.3.1
dependency-type: direct:production
...
Signed-off-by: dependabot[bot]
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index 1105e345ce..4bdf342a58 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -37,7 +37,7 @@ dependencies = [
 "google-cloud-secret-manager>=2.22.0, <3.0.0", # Fetching secrets in RestAPI Tool
 "google-cloud-spanner>=3.56.0, <4.0.0", # For Spanner database
 "google-cloud-speech>=2.30.0, <3.0.0", # For Audio Transcription
- "google-cloud-storage>=2.18.0, <3.0.0", # For GCS Artifact service
+ "google-cloud-storage>=2.18.0, <4.0.0", # For GCS Artifact service
 "google-genai>=1.21.1, <2.0.0", # Google GenAI SDK
 "graphviz>=0.20.2, <1.0.0", # Graphviz for graph rendering
 "mcp>=1.8.0, <2.0.0;python_version>='3.10'", # For MCP Toolset
From f2aff33cd4d923c12bf097189986c6dfbec48396 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 4 Sep 2025 19:17:26 +0000
Subject: [PATCH 5/9] chore(deps): update langgraph requirement
Updates the requirements on [langgraph](https://github.com/langchain-ai/langgraph) to permit the latest version.
- [Release notes](https://github.com/langchain-ai/langgraph/releases)
- [Commits](https://github.com/langchain-ai/langgraph/compare/0.2.60...0.6.6)
---
updated-dependencies:
- dependency-name: langgraph
dependency-version: 0.6.6
dependency-type: direct:production
...
Signed-off-by: dependabot[bot]
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index 1105e345ce..bb49714dc9 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -102,7 +102,7 @@ test = [
 "a2a-sdk>=0.3.0,<0.4.0;python_version>='3.10'",
 "anthropic>=0.43.0", # For anthropic model tests
 "langchain-community>=0.3.17",
- "langgraph>=0.2.60, <= 0.4.10", # For LangGraphAgent
+ "langgraph>= 0.2.60, <= 0.6.6", # For LangGraphAgent
 "litellm>=1.75.5, <2.0.0", # For LiteLLM tests
 "llama-index-readers-file>=0.4.0", # For retrieval tests
 "openai>=1.100.2", # For LiteLLM
From 449b502bc9fff5a7b11cba4a26118296495ab52f Mon Sep 17 00:00:00 2001
From: VenkateshPabbati
Date: Fri, 5 Sep 2025 00:49:54 +0530
Subject: [PATCH 6/9] Potential fix for code scanning alert no. 2: Clear-text storage of sensitive information
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/google/adk/cli/cli_create.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/google/adk/cli/cli_create.py b/src/google/adk/cli/cli_create.py
index 9085586e18..6b876789e2 100644
--- a/src/google/adk/cli/cli_create.py
+++ b/src/google/adk/cli/cli_create.py
@@ -190,7 +190,10 @@ def _generate_files(
 elif google_cloud_project and google_cloud_region:
 lines.append("GOOGLE_GENAI_USE_VERTEXAI=1")
 if google_api_key:
- lines.append(f"GOOGLE_API_KEY={google_api_key}")
+ click.secho(
+ "NOTE: For security, the GOOGLE_API_KEY was NOT written to `.env`. Please set it as an environment variable manually and do not check secrets into source control.",
+ fg="yellow",
+ )
 if google_cloud_project:
 lines.append(f"GOOGLE_CLOUD_PROJECT={google_cloud_project}")
 if google_cloud_region:
From 0ed60eaf2cc9667fc92c848d9fdd1802e310f551 Mon Sep 17 00:00:00 2001
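Review bot: The replacement discards the key silently: `google_api_key` is still accepted by `_generate_files` and the `GOOGLE_GENAI_USE_VERTEXAI=0` line is still written just above the hunk, but the generated `.env` no longer carries the key, so a freshly scaffolded agent is presumably unusable until the user notices the yellow notice. A per-project `.env` is the expected home for this value; the control that actually addresses a clear-text-storage finding is restricting who can read the file and keeping it out of source control, not omitting it. I would keep `lines.append(f"GOOGLE_API_KEY={google_api_key}")`, create the `.env` with mode `0o600` (an `os.chmod` after the `f.write` that follows this hunk, if `os` is imported in this module), and write a `.gitignore` entry for `.env` alongside it, retaining the notice only as a reminder not to commit the file. `_generate_files` begins before this hunk and the write call is outside it.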
From: VenkateshPabbati
Date: Mon, 8 Sep 2025 10:54:26 +0530
Subject: [PATCH 7/9] Potential fix for code scanning alert no. 2: Clear-text storage of sensitive information
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/google/adk/cli/cli_create.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/google/adk/cli/cli_create.py b/src/google/adk/cli/cli_create.py
index 6b876789e2..afb33fe4d9 100644
--- a/src/google/adk/cli/cli_create.py
+++ b/src/google/adk/cli/cli_create.py
@@ -189,15 +189,17 @@ def _generate_files(
 lines.append("GOOGLE_GENAI_USE_VERTEXAI=0")
 elif google_cloud_project and google_cloud_region:
 lines.append("GOOGLE_GENAI_USE_VERTEXAI=1")
- if google_api_key:
+ if google_api_key or google_cloud_project or google_cloud_region:
 click.secho(
- "NOTE: For security, the GOOGLE_API_KEY was NOT written to `.env`. Please set it as an environment variable manually and do not check secrets into source control.",
+ "NOTE: For security, the GOOGLE_API_KEY, GOOGLE_CLOUD_PROJECT, and GOOGLE_CLOUD_LOCATION were NOT written to `.env`.\n"
+ "Please set them as environment variables manually and do not check secrets or sensitive configuration into source control.",
 fg="yellow",
 )
- if google_cloud_project:
- lines.append(f"GOOGLE_CLOUD_PROJECT={google_cloud_project}")
- if google_cloud_region:
- lines.append(f"GOOGLE_CLOUD_LOCATION={google_cloud_region}")
+ # Do not write project ID or location to .env; instruct user instead
+ # if google_cloud_project:
+ # lines.append(f"GOOGLE_CLOUD_PROJECT={google_cloud_project}")
+ # if google_cloud_region:
+ # lines.append(f"GOOGLE_CLOUD_LOCATION={google_cloud_region}")
 f.write("\n".join(lines))
 if type == "config":
From f2141c487b4bd0491bd2350d973d3d43bc2c22c5 Mon Sep 17 00:00:00 2001
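Review bot: `GOOGLE_CLOUD_PROJECT` and `GOOGLE_CLOUD_LOCATION` are not secrets — a project ID and a region appear in resource names, URLs and logs and are routinely committed — so the clear-text-storage alert does not apply to them, and dropping them leaves a `.env` that still sets `GOOGLE_GENAI_USE_VERTEXAI=1` (context line above) with no project or location for the Vertex path to use. The widened guard `if google_api_key or google_cloud_project or google_cloud_region:` also prints a notice naming all three variables even when only one of them was supplied, which misleads the user about what was withheld. I would restore the two `lines.append(...)` calls for project and location, narrow the guard back to `if google_api_key:`, and delete the commented-out block rather than leaving dead code behind a one-line rationale. `_generate_files` begins before this hunk.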
From: VenkateshPabbati
Date: Mon, 8 Sep 2025 10:55:28 +0530
Subject: [PATCH 8/9] Potential fix for code scanning alert no. 2: Clear-text storage of sensitive information
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/google/adk/cli/cli_create.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/google/adk/cli/cli_create.py b/src/google/adk/cli/cli_create.py
index 6b876789e2..afb33fe4d9 100644
--- a/src/google/adk/cli/cli_create.py
+++ b/src/google/adk/cli/cli_create.py
@@ -189,15 +189,17 @@ def _generate_files(
 lines.append("GOOGLE_GENAI_USE_VERTEXAI=0")
 elif google_cloud_project and google_cloud_region:
 lines.append("GOOGLE_GENAI_USE_VERTEXAI=1")
- if google_api_key:
+ if google_api_key or google_cloud_project or google_cloud_region:
 click.secho(
- "NOTE: For security, the GOOGLE_API_KEY was NOT written to `.env`. Please set it as an environment variable manually and do not check secrets into source control.",
+ "NOTE: For security, the GOOGLE_API_KEY, GOOGLE_CLOUD_PROJECT, and GOOGLE_CLOUD_LOCATION were NOT written to `.env`.\n"
+ "Please set them as environment variables manually and do not check secrets or sensitive configuration into source control.",
 fg="yellow",
 )
- if google_cloud_project:
- lines.append(f"GOOGLE_CLOUD_PROJECT={google_cloud_project}")
- if google_cloud_region:
- lines.append(f"GOOGLE_CLOUD_LOCATION={google_cloud_region}")
+ # Do not write project ID or location to .env; instruct user instead
+ # if google_cloud_project:
+ # lines.append(f"GOOGLE_CLOUD_PROJECT={google_cloud_project}")
+ # if google_cloud_region:
+ # lines.append(f"GOOGLE_CLOUD_LOCATION={google_cloud_region}")
 f.write("\n".join(lines))
 if type == "config":
From 8a0a0c2f0de42232de6e4711729a76eec0336215 Mon Sep 17 00:00:00 2001
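Review bot: This hunk is byte-identical to patch 7/9 — same `index 6b876789e2..afb33fe4d9` line, same diffstat and the same added and removed lines — so it cannot apply on top of the previous commit and should be dropped when the series is rebased. Whichever copy survives, the five commented-out lines starting at `# if google_cloud_project:` should be removed rather than retained; if the omission is intentional, a single comment such as `# Project and location are supplied via the environment, not written to .env` says why without leaving dead code, and the current wording should stop describing a project ID and region as "sensitive configuration" since neither is a secret. `_generate_files` begins before this hunk.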
From: VenkateshPabbati
Date: Mon, 20 Oct 2025 05:49:04 +0530
Subject: [PATCH 9/9] Update SECURITY.md
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 SECURITY.md | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/SECURITY.md b/SECURITY.md
index 034e848032..26f2e0c7df 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -3,19 +3,15 @@
 ## Supported Versions
 Use this section to tell people about which versions of your project are
-currently being supported with security updates.
+currently being supported with security updates. For example:
 | Version | Supported |
 | ------- | ------------------ |
-| 5.1.x | :white_check_mark: |
-| 5.0.x | :x: |
-| 4.0.x | :white_check_mark: |
-| < 4.0 | :x: |
+| 1.x.x | :white_check_mark: |
+| < 1.0.0 | :x: |
 ## Reporting a Vulnerability
-Use this section to tell people how to report a vulnerability.
+We take all security vulnerabilities seriously. To report a security vulnerability, please use the [private vulnerability reporting feature](https://github.com/google/adk-python/security/advisories/new) on GitHub.
-Tell them where to go, how often they can expect to get an update on a
-reported vulnerability, what to expect if the vulnerability is accepted or
-declined, etc.
+We will acknowledge your report within 48 hours and will aim to provide a more detailed response within 72 hours, indicating the next steps in handling your report.