diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..9d866e3928
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+ - package-ecosystem: "pip" # See documentation for possible values
+ directory: "/" # Location of package manifests
+ schedule:
+ interval: "weekly"
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..26f2e0c7df
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,17 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates. For example:
+
+| Version | Supported |
+| ------- | ------------------ |
+| 1.x.x | :white_check_mark: |
+| < 1.0.0 | :x: |
+
+## Reporting a Vulnerability
+
+We take all security vulnerabilities seriously. To report a security vulnerability, please use the [private vulnerability reporting feature](https://github.com/google/adk-python/security/advisories/new) on GitHub.
+
+We will acknowledge your report within 48 hours and will aim to provide a more detailed response within 72 hours, indicating the next steps in handling your report.
diff --git a/pyproject.toml b/pyproject.toml
index 46348d8491..e68bdbd862 100644
--- a/pyproject.toml
+++ b/pyproject.toml
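Review bot: The `updates` list enrols only the `pip` ecosystem at `directory: "/"`; if the repository also carries workflows under `.github/workflows` (not visible in this diff), a second entry with `package-ecosystem: "github-actions"` is needed so that pinned action versions receive the same weekly update stream as the Python dependencies. The four leading `#` lines are the GitHub template's getting-started text and the two inline `# See documentation ...` / `# Location of ...` comments describe the template rather than this project, so they can be dropped now that the ecosystem and directory have been chosen. A one-line header such as `# Weekly Dependabot checks for the Python dependencies declared in pyproject.toml` would say what the file is for.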
@@ -25,6 +25,14 @@ classifiers = [ # List of https://pypi.org/classifiers/
 ]
 dependencies = [
 # go/keep-sorted start
+ "PyYAML>=6.0.2, <7.0.0", # For APIHubToolset.
+ "absolufy-imports>=0.3.1, <1.0.0", # For Agent Engine deployment.
+ "anyio>=4.9.0, <5.0.0;python_version>='3.10'", # For MCP Session Manager
+ "authlib>=1.5.1, <2.0.0", # For RestAPI Tool
+ "click>=8.1.8, <9.0.0", # For CLI tools
+ "google-api-python-client>=2.157.0, <3.0.0", # Google API client discovery
+ "google-cloud-bigtable>=2.32.0", # For Bigtable database
+ "opentelemetry-api>=1.31.0, <2.0.0", # OpenTelemetry
 "PyYAML>=6.0.2, <7.0.0", # For APIHubToolset.
 "anyio>=4.9.0, <5.0.0;python_version>='3.10'", # For MCP Session Manager
 "authlib>=1.5.1, <2.0.0", # For RestAPI Tool
@@ -43,7 +51,6 @@ dependencies = [
 "google-genai>=1.45.0, <2.0.0", # Google GenAI SDK
 "graphviz>=0.20.2, <1.0.0", # Graphviz for graph rendering
 "mcp>=1.8.0, <2.0.0;python_version>='3.10'", # For MCP Toolset
- "opentelemetry-api>=1.37.0, <=1.37.0", # OpenTelemetry - limit upper version for sdk and api to not risk breaking changes from unstable _logs package.
 "opentelemetry-exporter-gcp-logging>=1.9.0a0, <2.0.0",
 "opentelemetry-exporter-gcp-monitoring>=1.9.0a0, <2.0.0",
 "opentelemetry-exporter-gcp-trace>=1.9.0, <2.0.0",
@@ -117,7 +124,7 @@ test = [
 "crewai[tools];python_version>='3.10'", # For CrewaiTool tests
 "kubernetes>=29.0.0", # For GkeCodeExecutor
 "langchain-community>=0.3.17",
- "langgraph>=0.2.60, <0.4.8", # For LangGraphAgent
+ "langgraph>= 0.2.60, <= 0.6.11", # For LangGraphAgent
 "litellm>=1.75.5, <2.0.0", # For LiteLLM tests
 "llama-index-readers-file>=0.4.0", # For retrieval tests
 "openai>=1.100.2", # For LiteLLM
diff --git a/src/google/adk/cli/cli_create.py b/src/google/adk/cli/cli_create.py
index 9085586e18..afb33fe4d9 100644
--- a/src/google/adk/cli/cli_create.py
+++ b/src/google/adk/cli/cli_create.py
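Review bot: The added block duplicates three dependencies that are already in the list: `PyYAML`, `anyio` and `authlib` appear among the new `+` lines and again, with identical specifiers, in the context lines directly below them, which looks like a rebase artefact rather than an intended change; whether `click` and `google-api-python-client` are likewise already listed further down is not visible in this hunk. The same hunk places `"opentelemetry-api>=1.31.0, <2.0.0"` ahead of `PyYAML` inside the `# go/keep-sorted start` block, so the list is no longer sorted, and `"google-cloud-bigtable>=2.32.0"` is the only new entry without an upper bound while every neighbour has one. The second hunk (`@@ -43,7 +51,6 @@`) removes the `>=1.37.0, <=1.37.0` pin whose comment recorded that it was held to avoid breaking changes from the unstable `_logs` package; widening to `<2.0.0` silently discards that rationale, so either keep the pin or carry the reason forward, e.g. `"opentelemetry-api>=1.31.0, <2.0.0", # OpenTelemetry - unpinned from 1.37.0; re-verify the _logs package before bumping`. Dropping the three duplicate lines and moving the `opentelemetry-api` entry to its sorted position resolves the first two points.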
@@ -189,12 +189,17 @@ def _generate_files(
 lines.append("GOOGLE_GENAI_USE_VERTEXAI=0")
 elif google_cloud_project and google_cloud_region:
 lines.append("GOOGLE_GENAI_USE_VERTEXAI=1")
- if google_api_key:
- lines.append(f"GOOGLE_API_KEY={google_api_key}")
- if google_cloud_project:
- lines.append(f"GOOGLE_CLOUD_PROJECT={google_cloud_project}")
- if google_cloud_region:
- lines.append(f"GOOGLE_CLOUD_LOCATION={google_cloud_region}")
+ if google_api_key or google_cloud_project or google_cloud_region:
+ click.secho(
+ "NOTE: For security, the GOOGLE_API_KEY, GOOGLE_CLOUD_PROJECT, and GOOGLE_CLOUD_LOCATION were NOT written to `.env`.\n"
+ "Please set them as environment variables manually and do not check secrets or sensitive configuration into source control.",
+ fg="yellow",
+ )
+ # Do not write project ID or location to .env; instruct user instead
+ # if google_cloud_project:
+ # lines.append(f"GOOGLE_CLOUD_PROJECT={google_cloud_project}")
+ # if google_cloud_region:
+ # lines.append(f"GOOGLE_CLOUD_LOCATION={google_cloud_region}")
 f.write("\n".join(lines))
 if type == "config":
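Review bot: The four commented-out lines after the `click.secho` call (`# if google_cloud_project:` through `# lines.append(f"GOOGLE_CLOUD_LOCATION={google_cloud_region}")`) are dead code and should be deleted; the one-line comment above them already records the decision and version control keeps the old form. With this change `google_api_key`, `google_cloud_project` and `google_cloud_region` are used in this branch only to decide whether to print the notice, so any caller that still prompts the user for an API key is collecting a secret it then discards — worth checking the callers, which lie outside this hunk. `GOOGLE_GENAI_USE_VERTEXAI=1` is still appended on the context line above while the project and location that mode needs are no longer written, so the generated `.env` is incomplete by design and the notice should name the two variables the user must export for Vertex mode to work. `_generate_files` begins before the hunk and the file handle `f` is opened outside it.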