google · venkateshpabbati · Sep 4, 2025 · Sep 4, 2025 · Sep 4, 2025 · Sep 4, 2025
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "pip" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 5.1.x   | :white_check_mark: |
+| 5.0.x   | :x:                |
+| 4.0.x   | :white_check_mark: |
+| < 4.0   | :x:                |
+
+## Reporting a Vulnerability
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them where to go, how often they can expect to get an update on a
+reported vulnerability, what to expect if the vulnerability is accepted or
+declined, etc.
diff --git a/pyproject.toml b/pyproject.toml
@@ -37,7 +37,7 @@ dependencies = [
   "google-cloud-secret-manager>=2.22.0, <3.0.0",            # Fetching secrets in RestAPI Tool
   "google-cloud-spanner>=3.56.0, <4.0.0",                   # For Spanner database
   "google-cloud-speech>=2.30.0, <3.0.0",                    # For Audio Transcription
-  "google-cloud-storage>=2.18.0, <3.0.0",                   # For GCS Artifact service
+  "google-cloud-storage>=2.18.0, <4.0.0",                   # For GCS Artifact service
   "google-genai>=1.21.1, <2.0.0",                           # Google GenAI SDK
   "graphviz>=0.20.2, <1.0.0",                               # Graphviz for graph rendering
   "mcp>=1.8.0, <2.0.0;python_version>='3.10'",              # For MCP Toolset
@@ -51,7 +51,7 @@ dependencies = [
   "sqlalchemy-spanner>=1.14.0",                             # Spanner database session service
   "sqlalchemy>=2.0, <3.0.0",                                # SQL database ORM
   "starlette>=0.46.2, <1.0.0",                              # For FastAPI CLI
-  "tenacity>=8.0.0, <9.0.0",                                # For Retry management
+  "tenacity>=8.0.0, <10.0.0",                                # For Retry management
   "typing-extensions>=4.5, <5",
   "tzlocal>=5.3, <6.0",                                     # Time zone utilities
   "uvicorn>=0.34.0, <1.0.0",                                # ASGI server for FastAPI
@@ -108,7 +108,7 @@ test = [
   "a2a-sdk>=0.3.0,<0.4.0;python_version>='3.10'",
   "anthropic>=0.43.0",                            # For anthropic model tests
   "langchain-community>=0.3.17",
-  "langgraph>=0.2.60, <= 0.4.10",                 # For LangGraphAgent
+  "langgraph>= 0.2.60, <= 0.6.6",                 # For LangGraphAgent
   "litellm>=1.75.5, <2.0.0",                      # For LiteLLM tests
   "llama-index-readers-file>=0.4.0",              # For retrieval tests
   "openai>=1.100.2",                              # For LiteLLM

diff --git a/src/google/adk/cli/cli_create.py b/src/google/adk/cli/cli_create.py
@@ -189,12 +189,17 @@ def _generate_files(
       lines.append("GOOGLE_GENAI_USE_VERTEXAI=0")
     elif google_cloud_project and google_cloud_region:
       lines.append("GOOGLE_GENAI_USE_VERTEXAI=1")
-    if google_api_key:
-      lines.append(f"GOOGLE_API_KEY={google_api_key}")
-    if google_cloud_project:
-      lines.append(f"GOOGLE_CLOUD_PROJECT={google_cloud_project}")
-    if google_cloud_region:
-      lines.append(f"GOOGLE_CLOUD_LOCATION={google_cloud_region}")
+    if google_api_key or google_cloud_project or google_cloud_region:
+      click.secho(
+          "NOTE: For security, the GOOGLE_API_KEY, GOOGLE_CLOUD_PROJECT, and GOOGLE_CLOUD_LOCATION were NOT written to `.env`.\n"
+          "Please set them as environment variables manually and do not check secrets or sensitive configuration into source control.",
+          fg="yellow",
+      )
+    # Do not write project ID or location to .env; instruct user instead
+    # if google_cloud_project:
+    #   lines.append(f"GOOGLE_CLOUD_PROJECT={google_cloud_project}")
+    # if google_cloud_region:
+    #   lines.append(f"GOOGLE_CLOUD_LOCATION={google_cloud_region}")
     f.write("\n".join(lines))
 
   if type == "config":