diff --git a/README.md b/README.md
index 5272482..0c78f52 100644
--- a/README.md
+++ b/README.md
@@ -3,6 +3,15 @@ Doordeck SDK
 
 The official Doordeck SDK for Android
 
+> ## ⚠️ End of Life
+>
+> **This SDK is end of life and is no longer actively maintained.**
+>
+> New and existing integrations should migrate to the
+> [**Doordeck Headless SDK**](https://github.com/doordeck/doordeck-headless-sdk/), which is the
+> actively supported, cross-platform replacement. See the migration note in
+> [Breaking Changes in v3.0.0](#️-breaking-changes-in-v300) below.
+
 ### What Is This?
 
 The Doordeck SDK enables you to unlock doors. You can unlock doors using the NFC on your android 
diff --git a/build.gradle.kts b/build.gradle.kts
index c4667a8..0d658e4 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -10,9 +10,23 @@ buildscript {
             force(libs.jose4j)
 
             eachDependency {
-                if (requested.group == "io.netty") {
-                    useVersion(libs.versions.netty.get())
-                    because("Various security fixes")
+                when {
+                    requested.group == "io.netty" -> {
+                        useVersion(libs.versions.netty.get())
+                        because("Various security fixes")
+                    }
+                    requested.group == "org.bouncycastle" -> {
+                        useVersion(libs.versions.bouncycastle.get())
+                        because("Timing channel (CVE-2026-5598), LDAP injection and broken-crypto fixes")
+                    }
+                    requested.group == "org.apache.commons" && requested.name == "commons-lang3" -> {
+                        useVersion(libs.versions.commonsLang3.get())
+                        because("Uncontrolled recursion fix (CVE-2025-48924)")
+                    }
+                    requested.group == "org.apache.httpcomponents" && requested.name == "httpclient" -> {
+                        useVersion(libs.versions.httpclient.get())
+                        because("Cross-site scripting fix (CVE-2020-13956)")
+                    }
                 }
             }
         }
@@ -22,9 +36,19 @@ buildscript {
 allprojects {
     configurations.all {
         resolutionStrategy.eachDependency {
-            if (requested.group == "io.netty") {
-                useVersion(rootProject.libs.versions.netty.get())
-                because("Various security fixes")
+            when {
+                requested.group == "io.netty" -> {
+                    useVersion(rootProject.libs.versions.netty.get())
+                }
+                requested.group == "org.bouncycastle" -> {
+                    useVersion(rootProject.libs.versions.bouncycastle.get())
+                }
+                requested.group == "org.apache.commons" && requested.name == "commons-lang3" -> {
+                    useVersion(rootProject.libs.versions.commonsLang3.get())
+                }
+                requested.group == "org.apache.httpcomponents" && requested.name == "httpclient" -> {
+                    useVersion(rootProject.libs.versions.httpclient.get())
+                }
             }
         }
     }
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index cc32f14..1694f9e 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -3,7 +3,10 @@ agp = "9.1.0"
 kotlin = "2.2.10"
 jdom = "2.0.6.1"
 jose4j = "0.9.6"
-netty = "4.1.132.Final"
+netty = "4.1.135.Final"
+bouncycastle = "1.84"
+commonsLang3 = "3.18.0"
+httpclient = "4.5.14"
 
 [libraries]
 androidx-appcompat = "androidx.appcompat:appcompat:1.7.1"