Bump github.com/hashicorp/vault/api from 1.10.0 to 1.21.0

[dependabot]

Bumps github.com/hashicorp/vault/api from 1.10.0 to 1.21.0.

Release notes

Sourced from github.com/hashicorp/vault/api's releases.

v1.20.4

No release notes provided.

v1.20.3

No release notes provided.

v1.20.2

August 06, 2025

SECURITY:

• auth/ldap: fix MFA/TOTP enforcement bypass when username_as_alias is enabled [GH-31427,HCSEC-2025-20].

BUG FIXES:

• agent/template: Fixed issue where templates would not render correctly if namespaces was provided by config, and the namespace and mount path of the secret were the same. [GH-31392]
• identity/mfa: revert cache entry change from #31217 and document cache entry values [GH-31421]

v1.20.1

No release notes provided.

v1.20.0

1.20.0

June 25, 2025

SECURITY:

• core: require a nonce when cancelling a rekey operation that was initiated within the last 10 minutes. [GH-30794]

CHANGES:

• UI: remove outdated and unneeded js string extensions [GH-29834]
• activity (enterprise): The sys/internal/counters/activity endpoint will return actual values for new clients in the current month.
• activity (enterprise): provided values for start_time and end_time in sys/internal/counters/activity are aligned to the corresponding billing period.
• activity: provided value for end_time in sys/internal/counters/activity is now capped at the end of the last completed month. [GH-30164]
• api: Update the default API client to check for the Retry-After header and, if it exists, wait for the specified duration before retrying the request. [GH-30887]
• auth/alicloud: Update plugin to v0.21.0 [GH-30810]
• auth/azure: Update plugin to v0.20.2. Login requires resource_group_name, vm_name, and vmss_name to match token claims [GH-30052]
• auth/azure: Update plugin to v0.20.3 [GH-30082]
• auth/azure: Update plugin to v0.20.4 [GH-30543]
• auth/azure: Update plugin to v0.21.0 [GH-30872]
• auth/azure: Update plugin to v0.21.1 [GH-31010]
• auth/cf: Update plugin to v0.20.1 [GH-30583]
• auth/cf: Update plugin to v0.21.0 [GH-30842]
• auth/gcp: Update plugin to v0.20.2 [GH-30081]
• auth/jwt: Update plugin to v0.23.2 [GH-30431]
• auth/jwt: Update plugin to v0.24.1 [GH-30876]
• auth/kerberos: Update plugin to v0.15.0 [GH-30845]
• auth/kubernetes: Update plugin to v0.22.1 [GH-30910]
• auth/oci: Update plugin to v0.19.0 [GH-30841]

... (truncated)

Changelog

Sourced from github.com/hashicorp/vault/api's changelog.

1.15.16 Enterprise

October 09, 2024

SECURITY:

• secrets/identity: A privileged Vault operator with write permissions to the root namespace's identity endpoint could escalate their privileges to Vault's root policy (CVE-2024-9180) HCSEC-2024-21

IMPROVEMENTS:

• core: log at level ERROR rather than INFO when all seals are unhealthy. [GH-28564]

BUG FIXES:

• auth/cert: When using ocsp_ca_certificates, an error was produced though extra certs validation succeeded. [GH-28597]
• auth/token: Fix token TTL calculation so that it uses max_lease_ttl tune value for tokens created via auth/token/create. [GH-28498]

1.15.15 Enterprise

September 25, 2024

SECURITY:

• secrets/ssh: require valid_principals to contain a value or default_user be set by default to guard against potentially insecure configurations. allow_empty_principals can be used for backwards compatibility [HCSEC-2024-20](https://discuss.hashicorp.com/t/hcsec-2024-20-vault-ssh-secrets-engine-configuration-did-not-restrict-valid-principals-by-default/7025

CHANGES:

• core: Bump Go version to 1.22.7.
• secrets/ssh: Add a flag, allow_empty_principals to allow keys or certs to apply to any user/principal. [GH-28466]

BUG FIXES:

• secret/aws: Fixed potential panic after step-down and the queue has not repopulated. [GH-28330]
• auth/cert: During certificate validation, OCSP requests are debug logged even if Vault's log level is above DEBUG. [GH-28450]
• auth/cert: ocsp_ca_certificates field was not honored when validating OCSP responses signed by a CA that did not issue the certificate. [GH-28309]
• auth: Updated error handling for missing login credentials in AppRole and UserPass auth methods to return a 400 error instead of a 500 error. [GH-28441]
• core: Fixed an issue where maximum request duration timeout was not being added to all requests containing strings sys/monitor and sys/events. With this change, timeout is now added to all requests except monitor and events endpoint. [GH-28230]

1.15.14 Enterprise

August 29, 2024

CHANGES:

• activity (enterprise): filter all fields in client count responses by the request namespace [GH-27790]
• core: Bump Go version to 1.22.6

IMPROVEMENTS:

• activity log: Changes how new client counts in the current month are estimated, in order to return more visibly sensible totals. [GH-27547]
• activity: /sys/internal/counters/activity will now include a warning if the specified usage period contains estimated client counts. [GH-28068]
• cli: vault operator usage will now include a warning if the specified usage period contains estimated client counts. [GH-28068]
• core/activity: Ensure client count queries that include the current month return consistent results by sorting the clients before performing estimation [GH-28062]

... (truncated)

Commits

• e40eca1 VAULT-39294: Deprecate recover_snapshot_id query param and use a header inste...
• c9605c7 VAULT-36947: Support force unloading a snapshot (#8740) (#9036)
• 5d632ef [VAULT-38600] Create TOTP Login MFA credential self-enrollment API endpoint (...
• eaf949c VAULT-37633: Database static role recover operations (#8922) (#8982)
• 3c459f7 [VAULT-39267] actions(slack): migrate to v2 action (#8964) (#8990)
• 50af559 VAULT-38796, VAULT-38889 reformat observation schema to version 2 (#9006) (#9...
• a820af0 Backport [VAULT-38600] Fix the name of the CE stub for mfaLoginEnterprisePath...
• 37bd994 VAULT-38463: Fix ldap failure (#8996) (#9001)
• 3edbb13 changelog: fix commit URL in CE generated template (#9010) (#9013)
• bfd2e54 UI: Moving settings/mount-backend-form to secrets/mounts (#8975) (#8998)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #11.