dependency-check · nhumblot · Dec 2, 2025 · Dec 2, 2025
diff --git a/README.md b/README.md
@@ -12,33 +12,29 @@ Documentation and links to production binary releases can be found on the [githu
 
 This product uses the NVD API but is not endorsed or certified by the NVD.
 
+## Mandatory Upgrade to 12.1.0+
+
+Due to NVD API compatiiblity changes, an upgrade is mandatory. See [#7463](https://github.com/dependency-check/DependencyCheck/issues/7463) for more information.
 
 ## Breaking Changes in 11.0.0
 
-- Java 11 is now required to run dependency-check 11.0.0 or higher
+- Java 11 is now required to run dependency-check `11.0.0` or higher
 - H2 database upgrade
 
-    11.0.0 contains breaking changes using the local H2 database. A full download
+    `11.0.0` contains breaking changes using the local H2 database. A full download
     of the NVD data will occur. Note that if you are using a shared data directory
     the h2 database file is not compatible with older versions of dependency-check.
     If you run into problems you may need to run a purge:
 
     - gradle: `./gradlew dependencyCheckPurge`
-    - maven: `mvn org.owasp:dependency-check-maven:9.0.0:purge`
+    - maven: `mvn org.owasp:dependency-check-maven:11.0.0:purge`
     - cli: `dependency-check.sh --purge`
 
-## Mandatory Upgrade Notice
-
-**Upgrading to 10.0.2 or later is mandatory**
-
-Older versions of dependency-check are causing numerous, duplicative requests that
-end in processing failures are causing unnecassary load on the NVD API. Dependency-check
-10.0.2 uses an updated `User-Agent` header that will allow the NVD to block calls
-from the older client.
+## Other notices
 
 ### NVD API Key Highly Recommended
 
-Dependency-check has moved from using the NVD data-feed to the NVD API.
+Dependency-check moved from using the NVD data-feed to the NVD API since `9.0.0+` (January 2024).
 Users of dependency-check are **highly** encouraged to obtain an NVD API Key; see https://nvd.nist.gov/developers/request-an-api-key
 Without an NVD API Key dependency-check's updates will be **extremely slow**.
 Please see the documentation for the cli, maven, gradle, or ant integrations on
@@ -50,9 +46,18 @@ The NVD API has enforced rate limits. If you are using a single API KEY and
 multiple builds occur you could hit the rate limit and receive 403 errors. In
 a CI environment one must use a caching strategy.
 
-#### Gradle build Environment
+### OSSIndex API Token Now Required for usage
+
+In September 2025 Sonatype OSSIndex started enforcing use of API tokens. If you 
+wish to use Sonatype OSSIndex you must configure Dependency-Check
+to use a username and API token/password; see https://ossindex.sonatype.org/doc/api-token.
+Without OSSIndex credentials, Dependency Check will **automatically disable the OSSIndex analyzer**.
+Please see the documentation for the cli, maven, gradle, or ant integrations on
+how to set the OSSIndex credentials.
+
+### Gradle build Environment
 
-With 9.0.0 users may encounter issues with `NoSuchMethodError` exceptions due to
+With `9.0.0+` users may encounter issues with `NoSuchMethodError` exceptions due to
 dependency resolution. If you encounter this issue you will need to pin some of
 the transitive dependencies of dependency-check to specific versions. For example: