evervault · matt-evervault · Feb 6, 2026 · Feb 4, 2026 · Feb 5, 2026 · Feb 5, 2026
diff --git a/.changeset/thin-lines-prove.md b/.changeset/thin-lines-prove.md
@@ -0,0 +1,5 @@
+---
+"evervault-android": patch
+---
+
+Update dependenciesa to fix security vulnerabilities and restore kotlin serialization plugin
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -50,7 +50,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -64,7 +64,7 @@ jobs:
     # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v4
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -77,6 +77,6 @@ jobs:
     #     ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v4
       with:
         category: "/language:${{matrix.language}}"
diff --git a/README.md b/README.md
@@ -63,5 +63,13 @@ Enclave attestation is written in Rust and Kotlin bindings can be found [here](h
 
 If you wish to update the Rust bindings, make any necessary changes in the Attesation crate and run the following [script](https://github.com/evervault/attestation-doc-validation/blob/main/kotlin-attestation-bindings/build-libs.sh) to build and copy the shared library files for each architecture into this repo.
 
+## Dependencies
+Dependencies are managed with Gradle lock files.  If a dependency is updated, the build will fail until the lock files are updated.  To update the lock files, run the tool:
+```bash
+./tools/update-lockfiles.sh
+```
+
+Some transitive dependencies are also manually forced to a version in [build.gradle.kts](./build.gradle.kts), generally to resolve security vulnerabilties.  When updating dependencies please go through the transitive dependencies and see if any 'forces' can now be removed because the direct dependency has been updated.
+
 ## License
 The sample app is released under the MIT License. See the [LICENSE](https://github.com/evervault/evervault-android/tree/main/LICENSE) file for more information.
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -23,6 +23,22 @@ plugins {
 }
 
 allprojects {
+    configurations.all {
+        resolutionStrategy {
+            // https://github.com/evervault/evervault-android/security/dependabot/4
+            force("io.netty:netty-handler:4.1.94.Final")
+
+            // https://github.com/evervault/evervault-android/security/dependabot/22
+            force("io.netty:netty-codec:4.1.125.Final")
+
+            // https://github.com/evervault/evervault-android/security/dependabot/26
+            force("io.netty:netty-codec-http:4.1.129.Final")
+
+            // https://github.com/evervault/evervault-android/security/dependabot/3
+            force("com.google.android.gms:play-services-basement:18.0.2")
+        }
+    }
+
     repositories {
         mavenLocal()
         google()

diff --git a/evervault-cages/build.gradle.kts b/evervault-cages/build.gradle.kts
@@ -76,10 +76,9 @@ dependencies {
     implementation("androidx.lifecycle:lifecycle-runtime-ktx:2.3.1")
     implementation("androidx.activity:activity-compose:1.5.1")
     implementation("net.java.dev.jna:jna:5.17.0@aar")
-    implementation("com.squareup.okhttp3:okhttp:4.11.0")
     implementation("junit:junit:4.12")
     implementation("org.jetbrains.kotlinx:kotlinx-serialization-json:1.3.2")
-    implementation("com.squareup.okhttp3:okhttp:4.9.3")
+    implementation("com.squareup.okhttp3:okhttp:5.3.2")
     implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:1.5.2")
     testImplementation("junit:junit:4.13.2")
     testImplementation("org.jetbrains.kotlinx:kotlinx-coroutines-test:1.7.3")

diff --git a/evervault-cages/gradle.lockfile b/evervault-cages/gradle.lockfile
diff --git a/evervault-core/build.gradle.kts b/evervault-core/build.gradle.kts
@@ -98,11 +98,11 @@ dependencies {
     // Explicitly specify kotlin-stdlib-common version to ensure all configurations (including Android test)
     // are properly locked. Version must match the Kotlin plugin version in settings.gradle.kts (2.0.21).
     // This resolves the issue where debugAndroidTestRuntimeClasspath isn't captured during lockfile generation.
-    implementation("org.jetbrains.kotlin:kotlin-stdlib-common:2.1.21")
+    implementation("org.jetbrains.kotlin:kotlin-stdlib-common:2.2.21")
 
     // ktor
-    implementation("io.ktor:ktor-client-core:2.3.1")
-    implementation("io.ktor:ktor-client-okhttp:2.3.1")
+    implementation("io.ktor:ktor-client-core:3.4.0")
+    implementation("io.ktor:ktor-client-okhttp:3.4.0")
     implementation("org.bouncycastle:bcprov-jdk15to18:1.78.1")
 
     // JSON