fix(deps): update go dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
cloud.google.com/go/pubsub	v1.49.0 -> v1.50.0
github.com/Azure/azure-sdk-for-go/sdk/azcore	v1.18.0 -> v1.18.2
github.com/Azure/azure-sdk-for-go/sdk/azidentity	v1.10.1 -> v1.11.0
github.com/aws/aws-sdk-go-v2	v1.36.5 -> v1.37.2
github.com/aws/aws-sdk-go-v2/config	v1.29.17 -> v1.30.3
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	v1.16.32 -> v1.18.2
github.com/aws/aws-sdk-go-v2/service/s3	v1.81.0 -> v1.86.0
github.com/aws/aws-sdk-go-v2/service/servicediscovery	v1.35.4 -> v1.37.0
github.com/docker/go-connections	v0.5.0 -> v0.6.0
github.com/fatih/color	v1.15.0 -> v1.18.0
github.com/go-git/go-git/v5	v5.13.0 -> v5.16.2
github.com/go-sourcemap/sourcemap	v2.1.3+incompatible -> v2.1.4+incompatible
github.com/grafana/alloy-remote-config	v0.0.10 -> v0.0.11
github.com/hashicorp/vault/api	v1.16.0 -> v1.20.0
github.com/jaswdr/faker/v2	v2.3.2 -> v2.8.0
github.com/miekg/dns	v1.1.66 -> v1.1.68
github.com/ohler55/ojg	v1.20.1 -> v1.26.8
github.com/oliver006/redis_exporter	v1.54.0 -> v1.74.0
github.com/ory/dockertest/v3	v3.8.1 -> v3.12.0
github.com/oschwald/geoip2-golang	v1.11.0 -> v1.13.0
github.com/oschwald/maxminddb-golang	v1.13.0 -> v1.13.1
github.com/prometheus/client_golang	v1.22.0 -> v1.23.0
github.com/prometheus/node_exporter	v1.6.0 -> v1.9.1
github.com/samber/lo	v1.49.1 -> v1.51.0
github.com/scaleway/scaleway-sdk-go	v1.0.0-beta.33 -> v1.0.0-beta.34
github.com/spf13/pflag	v1.0.6 -> v1.0.7
github.com/stretchr/testify	v1.8.4 -> v1.10.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp	v1.36.0 -> v1.37.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.36.0 -> v1.37.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	v1.36.0 -> v1.37.0
go.opentelemetry.io/otel/sdk/metric	v1.36.0 -> v1.37.0
go.opentelemetry.io/proto/otlp	v1.6.0 -> v1.7.1
golang.org/x/sys	v0.34.0 -> v0.35.0
golang.org/x/tools	v0.34.0 -> v0.35.0
google.golang.org/grpc	v1.73.0 -> v1.74.2
google.golang.org/protobuf	v1.36.6 -> v1.36.7
sigs.k8s.io/yaml	v1.4.0 -> v1.6.0

---

Release Notes

aws/aws-sdk-go-v2 (github.com/aws/aws-sdk-go-v2)

v1.37.2

Compare Source

v1.37.1

Compare Source

v1.37.0

Compare Source

Module Highlights

• github.com/aws/aws-sdk-go-v2/service/aiops: v1.1.0
  • Feature: Adds support for cross account investigations for CloudWatch investigations AI Operations (AIOps).
• github.com/aws/aws-sdk-go-v2/service/batch: v1.53.0
  • Feature: Add userdataType to LaunchTemplateSpecification and LaunchTemplateSpecificationOverride.
• github.com/aws/aws-sdk-go-v2/service/bedrock: v1.37.0
  • Feature: We are making ListFoundationModelAgreementOffers, DeleteFoundationModelAgreement, CreateFoundationModelAgreement, GetFoundationModelAvailability, PutUseCaseForModelAccess and GetUseCaseForModelAccess APIs public, previously they were console.
• github.com/aws/aws-sdk-go-v2/service/ec2: v1.226.0
  • Feature: This release allows you to create and register AMIs while maintaining their underlying EBS snapshots within Local Zones.
• github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2: v1.46.0
  • Feature: Add Paginator for DescribeAccountLimits, and fix Paginators for DescribeTrustStoreAssociations, DescribeTrustStoreRevocations, and DescribeTrustStores
• github.com/aws/aws-sdk-go-v2/service/gamelift: v1.42.0
  • Feature: Add support for UDP ping beacons to ListLocations API, including new PingBeacon and UDPEndpoint data types within its Locations return value. Use UDP ping beacon endpoints to help measure real-time network latency for multiplayer games.
• github.com/aws/aws-sdk-go-v2/service/licensemanager: v1.32.0
  • Feature: AWS License Manager now supports license type conversions for AWS Marketplace products. Customers can provide Marketplace codes in the source license context or destination license context in the CreateLicenseConversionTaskForResource requests.
• github.com/aws/aws-sdk-go-v2/service/rds: v1.98.0
  • Feature: Adding support for RDS on Dedicated Local Zones, including local backup target, snapshot availability zone and snapshot target
• github.com/aws/aws-sdk-go-v2/service/route53resolver: v1.36.0
  • Feature: Add support for iterative DNS queries through the new INBOUND_DELEGATION endpoint. Add delegation support through the Outbound Endpoints with DELEGATE rules.
• github.com/aws/aws-sdk-go-v2/service/transcribe: v1.47.0
  • Feature: This Feature Adds Support for the "et-EE" Locale for Batch Operations

v1.36.6

Compare Source

docker/go-connections (github.com/docker/go-connections)

v0.6.0

Compare Source

fatih/color (github.com/fatih/color)

v1.18.0

Compare Source

What's Changed

• Add RGB API support by @​fatih in https://github.com/fatih/color/pull/225
• Bump GitHub workflow actions by @​deining in https://github.com/fatih/color/pull/235
• Bump golang.org/x/sys from 0.18.0 to 0.24.0 by @​dependabot in https://github.com/fatih/color/pull/236
• Bump golang.org/x/sys from 0.24.0 to 0.25.0 by @​dependabot in https://github.com/fatih/color/pull/237

New Contributors

• @​deining made their first contribution in https://github.com/fatih/color/pull/235

Full Changelog: fatih/color@v1.17.0...v1.18.0

v1.17.0

Compare Source

What's Changed

• Fix multi-parameter println spacing by @​klauspost in https://github.com/fatih/color/pull/228
• ci: update Go and Staticcheck versions by @​fatih in https://github.com/fatih/color/pull/222
• Bump golang.org/x/sys from 0.14.0 to 0.17.0 by @​dependabot in https://github.com/fatih/color/pull/221
• Bump actions/setup-go from 4 to 5 by @​dependabot in https://github.com/fatih/color/pull/217
• Bump golang.org/x/sys from 0.17.0 to 0.18.0 by @​dependabot in https://github.com/fatih/color/pull/224

New Contributors

• @​klauspost made their first contribution in https://github.com/fatih/color/pull/228

Full Changelog: fatih/color@v1.16.0...v1.17.0

v1.16.0

Compare Source

What's Changed

• Update dependabot.yml by @​ilyabrin in https://github.com/fatih/color/pull/200
• color: add newline after wrapping text by @​fatih in https://github.com/fatih/color/pull/192
• [Test] Nil check added by @​hyunsooda in https://github.com/fatih/color/pull/203
• fixes #​206 (using underline with a different fg color breaks) by @​gregpoirson in https://github.com/fatih/color/pull/210

Dependency updates

• Bump dominikh/staticcheck-action from 1.2.0 to 1.3.0 by @​dependabot in https://github.com/fatih/color/pull/201
• Bump github.com/mattn/go-isatty from 0.0.17 to 0.0.18 by @​dependabot in https://github.com/fatih/color/pull/193
• Bump golang.org/x/sys from 0.6.0 to 0.8.0 by @​dependabot in https://github.com/fatih/color/pull/195
• Bump github.com/mattn/go-isatty from 0.0.18 to 0.0.19 by @​dependabot in https://github.com/fatih/color/pull/196
• Bump golang.org/x/sys from 0.8.0 to 0.10.0 by @​dependabot in https://github.com/fatih/color/pull/199
• Bump github.com/mattn/go-isatty from 0.0.19 to 0.0.20 by @​dependabot in https://github.com/fatih/color/pull/212
• Bump golang.org/x/sys from 0.10.0 to 0.13.0 by @​dependabot in https://github.com/fatih/color/pull/209
• Bump actions/setup-go from 3 to 4 by @​dependabot in https://github.com/fatih/color/pull/202
• Bump actions/checkout from 3 to 4 by @​dependabot in https://github.com/fatih/color/pull/208
• Bump golang.org/x/sys from 0.13.0 to 0.14.0 by @​dependabot in https://github.com/fatih/color/pull/213

New Contributors

• @​ilyabrin made their first contribution in https://github.com/fatih/color/pull/200
• @​hyunsooda made their first contribution in https://github.com/fatih/color/pull/203
• @​gregpoirson made their first contribution in https://github.com/fatih/color/pull/210

Full Changelog: fatih/color@v1.15.0...v1.16.0

go-git/go-git (github.com/go-git/go-git/v5)

v5.16.2

Compare Source

What's Changed

• utils: fix diff so subpaths work for sparse checkouts, fixes 1455 to releases/v5.x by @​kane8n in https://github.com/go-git/go-git/pull/1567

Full Changelog: go-git/go-git@v5.16.1...v5.16.2

v5.16.1

Compare Source

What's Changed

• utils: merkletrie, Fix diff on sparse-checkout index. Fixes #​1406 to releases/v5.x by @​kane8n in https://github.com/go-git/go-git/pull/1561

New Contributors

• @​kane8n made their first contribution in https://github.com/go-git/go-git/pull/1561

Full Changelog: go-git/go-git@v5.16.0...v5.16.1

v5.16.0

Compare Source

What's Changed

• [v5] plumbing: support mTLS for HTTPS protocol by @​hiddeco in https://github.com/go-git/go-git/pull/1510
• v5: plumbing: transport, Reintroduce SetHostKeyCallback. Fix #​1514 by @​pjbgf in https://github.com/go-git/go-git/pull/1515

Full Changelog: go-git/go-git@v5.15.0...v5.16.0

v5.15.0

Compare Source

What's Changed

• plumbing: add cert auth support to releases/v5.x by @​Javier-varez in https://github.com/go-git/go-git/pull/1482
• v5: Bump dependencies by @​pjbgf in https://github.com/go-git/go-git/pull/1505

Full Changelog: go-git/go-git@v5.14.0...v5.15.0

v5.14.0

Compare Source

What's Changed

• v5: Bump Go and dependencies to mitigate GO-2025-3487 by @​pjbgf in https://github.com/go-git/go-git/pull/1436

⚠️ Note that this version requires Go 1.23, due to the bump to golang.org/x/crypto@v0.35.0 which mitigates the CVE above. User's that can't bump to Go 1.23 will need to remain on the previous v5.13.x release.

Full Changelog: go-git/go-git@v5.13.2...v5.14.0

v5.13.2

Compare Source

What's Changed

• plumbing: use the correct user agent string. Fixes #​883 by @​uragirii in https://github.com/go-git/go-git/pull/1364
• build: bump golang.org/x/sys from 0.28.0 to 0.29.0 in the golang-org group by @​dependabot in https://github.com/go-git/go-git/pull/1365
• build: bump the golang-org group with 2 updates by @​dependabot in https://github.com/go-git/go-git/pull/1367
• build: bump github.com/ProtonMail/go-crypto from 1.1.3 to 1.1.4 by @​dependabot in https://github.com/go-git/go-git/pull/1368
• build: bump github.com/go-git/go-billy/v5 from 5.6.1 to 5.6.2 by @​dependabot in https://github.com/go-git/go-git/pull/1378
• build: bump github/codeql-action from 3.28.0 to 3.28.1 by @​dependabot in https://github.com/go-git/go-git/pull/1376
• build: bump github.com/elazarl/goproxy from 1.2.3 to 1.4.0 by @​dependabot in https://github.com/go-git/go-git/pull/1377
• git: worktree, fix restoring dot slash files (backported to v5). Fixes #​1176 by @​BeChris in https://github.com/go-git/go-git/pull/1361
• build: bump github.com/pjbgf/sha1cd from 0.3.0 to 0.3.2 by @​dependabot in https://github.com/go-git/go-git/pull/1392
• git: worktree_status, fix adding dot slash files to working tree (backported to v5). Fixes #​1150 by @​BeChris in https://github.com/go-git/go-git/pull/1359
• build: bump github.com/ProtonMail/go-crypto from 1.1.4 to 1.1.5 by @​dependabot in https://github.com/go-git/go-git/pull/1383

Full Changelog: go-git/go-git@v5.13.1...v5.13.2

v5.13.1

Compare Source

What's Changed

• build: bump github.com/go-git/go-billy/v5 from 5.6.0 to 5.6.1 by @​dependabot in https://github.com/go-git/go-git/pull/1327
• build: bump github.com/elazarl/goproxy from 1.2.1 to 1.2.2 by @​dependabot in https://github.com/go-git/go-git/pull/1329
• build: bump github.com/elazarl/goproxy from 1.2.2 to 1.2.3 by @​dependabot in https://github.com/go-git/go-git/pull/1340
• Revert "plumbing: transport/ssh, Add support for SSH @​cert-authority." by @​pjbgf in #​1346

Full Changelog: go-git/go-git@v5.13.0...v5.13.1

go-sourcemap/sourcemap (github.com/go-sourcemap/sourcemap)

v2.1.4+incompatible

Compare Source

grafana/alloy-remote-config (github.com/grafana/alloy-remote-config)

v0.0.11

Compare Source

What's Changed

• Add RemoteConfigStatus to the GetConfig request by @​erikbaranowski in https://github.com/grafana/alloy-remote-config/pull/17

Full Changelog: grafana/alloy-remote-config@v0.0.10...v0.0.11

hashicorp/vault (github.com/hashicorp/vault/api)

v1.20.0

Compare Source

1.20.0

June 25, 2025

SECURITY:

• core: require a nonce when cancelling a rekey operation that was initiated within the last 10 minutes. [GH-30794]

CHANGES:

• UI: remove outdated and unneeded js string extensions [GH-29834]
• activity (enterprise): The sys/internal/counters/activity endpoint will return actual values for new clients in the current month.
• activity (enterprise): provided values for start_time and end_time in sys/internal/counters/activity are aligned to the corresponding billing period.
• activity: provided value for end_time in sys/internal/counters/activity is now capped at the end of the last completed month. [GH-30164]
• api: Update the default API client to check for the Retry-After header and, if it exists, wait for the specified duration before retrying the request. [GH-30887]
• auth/alicloud: Update plugin to v0.21.0 [GH-30810]
• auth/azure: Update plugin to v0.20.2. Login requires resource_group_name, vm_name, and vmss_name to match token claims [GH-30052]
• auth/azure: Update plugin to v0.20.3 [GH-30082]
• auth/azure: Update plugin to v0.20.4 [GH-30543]
• auth/azure: Update plugin to v0.21.0 [GH-30872]
• auth/azure: Update plugin to v0.21.1 [GH-31010]
• auth/cf: Update plugin to v0.20.1 [GH-30583]
• auth/cf: Update plugin to v0.21.0 [GH-30842]
• auth/gcp: Update plugin to v0.20.2 [GH-30081]
• auth/jwt: Update plugin to v0.23.2 [GH-30431]
• auth/jwt: Update plugin to v0.24.1 [GH-30876]
• auth/kerberos: Update plugin to v0.15.0 [GH-30845]
• auth/kubernetes: Update plugin to v0.22.1 [GH-30910]
• auth/oci: Update plugin to v0.19.0 [GH-30841]
• auth/saml: Update plugin to v0.6.0
• core: Bump Go version to 1.24.4.
• core: Verify that the client IP address extracted from an X-Forwarded-For header is a valid IPv4 or IPv6 address [GH-29774]
• database/couchbase: Update plugin to v0.14.0 [GH-30836]
• database/elasticsearch: Update plugin to v0.18.0 [GH-30796]
• database/mongodbatlas: Update plugin to v0.15.0 [GH-30856]
• database/redis-elasticache: Update plugin to v0.7.0 [GH-30785]
• database/redis: Update plugin to v0.6.0 [GH-30797]
• database/snowflake: Update plugin to v0.14.0 [GH-30748]
• database/snowflake: Update plugin to v0.14.1 [GH-30868]
• logical/system: add ent stub for plugin catalog handling [GH-30890]
• quotas/rate-limit: Round up the Retry-After value to the nearest second when calculating the retry delay. [GH-30887]
• secrets/ad: Update plugin to v0.21.0 [GH-30819]
• secrets/alicloud: Update plugin to v0.20.0 [GH-30809]
• secrets/azure: Update plugin to v0.21.2 [GH-30037]
• secrets/azure: Update plugin to v0.21.3 [GH-30083]
• secrets/azure: Update plugin to v0.22.0 [GH-30832]
• secrets/gcp: Update plugin to v0.21.2 [GH-29970]
• secrets/gcp: Update plugin to v0.21.3 [GH-30080]
• secrets/gcp: Update plugin to v0.22.0 [GH-30846]
• secrets/gcpkms: Update plugin to v0.21.0 [GH-30835]
• secrets/kubernetes: Update plugin to v0.11.0 [GH-30855]
• secrets/kv: Update plugin to v0.24.0 [GH-30826]
• secrets/mongodbatlas: Update plugin to v0.15.0 [GH-30860]
• secrets/openldap: Update plugin to v0.15.2 [GH-30079]
• secrets/openldap: Update plugin to v0.15.4 [GH-30279]
• secrets/openldap: Update plugin to v0.16.0 [GH-30844]
• secrets/terraform: Update plugin to v0.12.0 [GH-30905]
• server: disable_mlock configuration option is now required for integrated storage and no longer has a default. If you are using the default value with integrated storage, you must now explicitly set disable_mlock to true or false or Vault server will fail to start. [GH-29974]
• ui/activity: Replaces mount and namespace attribution charts with a table to allow sorting
  client count data by namespace, mount_path, mount_type or number of clients for
  a selected month. [GH-30678]
• ui: Client count side nav link 'Vault Usage Metrics' renamed to 'Client Usage' [GH-30765]
• ui: Client counting "running total" charts now reflect new clients only [GH-30506]
• ui: Removed FormError component (not used) [GH-34699]
• ui: Selecting a different method in the login form no longer updates the /vault/auth?with= query parameter [GH-30500]
• ui: /vault/auth?with= query parameter now exclusively refers to the auth mount path and renders a simplified form [GH-30500]

FEATURES:

• Auto Irrevocable Lease Removal (Enterprise): Add the Vault Enterprise configuration param, remove_irrevocable_lease_after. When set to a non-zero value, this will automatically delete irrevocable leases after the configured duration exceeds the lease's expire time. The minimum duration allowed for this field is two days. [GH-30703]
• Development Cluster Configuration (Enterprise): Added development_cluster as a field to Vault's utilization reports.
  The field is configurable via HCL and indicates whether the cluster is being used in a development environment, defaults to false if not set. [GH-30659]
• Entity-based and collective rate limit quotas (Enterprise): Add new group_by field to the rate limit quota API to support different grouping modes.
• Login form customization (Enterprise): Adds support to choose a default and/or backup auth methods for the web UI login form to streamline the web UI login experience. [GH-30700]
• Plugin Downloads: Support automatically downloading official HashiCorp secret and auth plugins from releases.hashicorp.com (beta)
• SSH Key Signing Improvements (Enterprise): Add support for using managed keys to sign SSH keys in the SSH secrets engine.
• Secret Recovery from Snapshot (Enterprise): Adds a framework to load an integrated storage
  snapshot into Vault and read, list, and recover KV v1 and cubbyhole secrets from the snapshot. [GH-30739]
• UI Secrets Engines: TOTP secrets engine is now supported. [GH-29751]
• UI Telemetry: Add Posthog for UI telemetry tracking on Vault Dedicated managed clusters [GH-30425]
• Vault Namespace Picker: Updating the Vault Namespace Picker to enable search functionality, allow direct navigation to nested namespaces and improve accessibility. [GH-30490]
• Vault PKI SCEP Server (Enterprise): Support for the Simple Certificate Enrollment Protocol (SCEP) has been added to the Vault PKI Plugin. This allows standard SCEP clients to request certificates from a Vault server with no knowledge of Vault APIs.

IMPROVEMENTS:

• activity (enterprise): Added vault.client.billing_period.activity telemetry metric to emit information about the total number of distinct clients used in the current billing period.
• activity: mount_type was added to the API response of sys/internal/counters/activity [GH-30071]
• activity: mount_type was added to the API response of sys/internal/counters/activity
• api (enterprise): Added a new API, /sys/utilization-report, giving a snapshot overview of Vault's utilization at a high level.
• api/client: Add Cert auth method support. This allows the client to authenticate using a client certificate. [GH-29546]
• core (enterprise): Updated code and documentation to support FIPS 140-3 compliant algorithms.
• core (enterprise): allow a root token to relock a namespace locked by the Namespace API Lock feature.
• core (enterprise): report errors from the underlying seal when getting entropy.
• core (enterprise): update to FIPS 140-3 cryptographic module in the FIPS builds.
• core/metrics: added a new telemetry metric, vault.core.response_status_code, with two labels, code, and type, detailing the status codes of all responses to requests that Vault handles. [GH-30354]
• core: Improve memory use of path management for namespaces, auth methods, and secrets engines. Now Vault should handle larger numbers of namespaces and multiple instances of the same secrets engine or auth method more efficiently. [GH-31022]
• core: Updated code and documentation to support FIPS 140-3 compliant algorithms. [GH-30576]
• core: support for X25519MLKEM768 (post quantum key agreement) in the Go TLS stack. [GH-30603]
• events: Add vault_index to an event's metadata if the metadata contains modified=true, to support client consistency controls when reading from Vault in response to an event where storage was modified. [GH-30725]
• physical/postgres: Adds support to authenticate with the PostgreSQL Backend server with cloud based identities (AWS IAM, Azure MSI and GCP IAM) [GH-30681]
• plugins: Support registration of CE plugins with extracted artifact directory. [GH-30673]
• secrets/aws: Add LIST endpoint to the AWS secrets engine static roles. [GH-29842]
• secrets/pki: Add Delta (Freshest) CRL support to AIA information (both mount-level and issuer configured) [GH-30319]
• secrets/transit (enterprise): enable the use of 192-bit keys for AES CMAC
• storage/mysql: Added support for getting mysql backend username and password from the environment variables VAULT_MYSQL_USERNAME and VAULT_MYSQL_PASSWORD. [GH-30136]
• storage/raft: Upgrade hashicorp/raft library to v1.7.3 which includes additional logging on the leader when opening and sending a snapshot to a follower. [GH-29976]
• transit: Exclude the partial wrapping key path from the transit/keys LIST operation. [GH-30728]
• ui (enterprise): Replace date selector in client count usage page with fixed start and end dates that align with billing periods in order to return more relevant client counting data. [GH-30349]
• ui/database: Adding input field for setting skip static role password rotation for database connection config, updating static role skip field to use toggle button [GH-29820]
• ui/database: Adding password input field for creating a static role [GH-30275]
• ui/database: Adding warning modal pop up when creating a static role that will be rotated immediately [GH-30119]
• ui/database: Glimmerizing and adding validations to role create [GH-29754]
• ui/database: Updating toggle buttons for skip_rotation_import to reverse polarity of values that get displayed versus whats sent to api [GH-30055]
• ui: Add 'Refresh list' button to the namespace list page. [GH-30692]
• ui: Enable search for a namespace on the namespace list page. [GH-30680]
• ui: Hide "Other" tab when mounts are configured with listing_visibility="unauth"; all methods can be accessed via the "Sign in with other methods" link [GH-30500]
• ui: Improve accessibility of login form to meet a11y standards [GH-30500]
• ui: Replaces all instances of the deprecated event.keyCode with event.key [GH-30493]
• ui: Update date selector in client count usage page to disable current month selection for Vault clusters without a license. [GH-30488]
• ui: Use Hds::CodeBlock component to replace readonly JsonEditor instances [GH-29720]
• ui: adds key value pair string inputs as optional form for wrap tool [GH-29677]
• ui: remove ember-svg-jar dependency [GH-30181]

DEPRECATIONS:

• api: Deprecated the /sys/internal/counters/tokens endpoint. Attempting to call this endpoint will return a 403 "unsupported path" exception. [GH-30561]
• core: deprecate duplicate attributes in HCL configuration files and policy definitions [GH-30386]

BUG FIXES:

• api/tokenhelper: Exec token_helper without a shell [GH-29653]
• auth/aws: fix a panic when a performance standby node attempts to write/update config. [GH-30039]
• auth/ldap: Fix a bug that does not properly delete users and groups by first converting their names to lowercase when case senstivity option is off. [GH-29922]
• auth/ldap: fix a panic when a performance standby node attempts to write/update config. [GH-30039]
• aws/secrets: Prevent vault from rejecting secret role configurations where no regions or endpoints are set [GH-29996]
• core (enterprise): add nil check before attempting to use Rotation Manager operations.
• core (enterprise): fix a bug where plugin automated root rotations would stop after seal/unseal operations
• core (enterprise): fix issue with errors being swallowed on failed HSM logins.
  core/managed-keys (enterprise): fix RSA encryption/decryption with OAEP on managed keys.
• core: Fix a bug that prevents certain loggers from writing to a log file. [GH-29917]
• core: Fix string contains check in Identity APIs to be case-insensitive. [GH-31045]
• core: Omit automatic version control information of the main module from compiled Vault binaries [GH-30926]
• database: Prevent static roles created in versions prior to 1.15.0 from rotating on backend restart. [GH-30320]
• database: no longer incorrectly add an "unrecognized parameters" warning for certain SQL database secrets config operations when another warning is returned [GH-30327]
• identity: Fix non-deterministic merge behavior when two entities have
  conflicting local aliases. [GH-30390]
• identity: reintroduce RPC functionality for group creates, allowing performance standbys to handle external group changes during login and token renewal [GH-30069]
• plugins (enterprise): Fix an issue where Enterprise plugins can't run on a standby node
  when it becomes active because standby nodes don't extract the artifact when the plugin
  is registered. Remove extracting from Vault and require the operator to place
  the extracted artifact in the plugin directory before registration.
• plugins (enterprise): Fix plugin registration with artifact when a binary for the same plugin is already present in the plugin directory.
• plugins: plugin registration should honor the plugin_tmpdir config [GH-29978]
• plugins: plugin registration should honor the plugin_tmpdir config
• raft/retry_join: Fix decoding auto_join configurations that include escape characters [GH-29874]
• secrets/aws: fix a bug where environment and shared credential providers were overriding the WIF configuration [GH-29982]
• secrets/aws: fix a case where GovCloud wasn't taken into account; fix a case where the region setting wasn't respected [GH-30312]
• secrets/aws: fix a panic when a performance standby node attempts to write/update config. [GH-30039]
• secrets/database: Fix a bug where a global database plugin reload exits if any of the database connections are no

---

Configuration

📅 Schedule: Branch creation - Between 06:00 AM and 10:59 AM, only on Monday ( * 6-10 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[BoweFlex]

Is there any timeline on this being reviewed? We're waiting on the postgres_exporter update for our environment

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 30 additional dependencies were updated

Details:

Package	Change
google.golang.org/api	v0.239.0 -> v0.243.0
cloud.google.com/go	v0.121.1 -> v0.121.4
cloud.google.com/go/auth	v0.16.2 -> v0.16.3
github.com/Azure/azure-sdk-for-go/sdk/internal	v1.11.1 -> v1.11.2
github.com/ProtonMail/go-crypto	v1.1.3 -> v1.1.6
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	v1.6.11 -> v1.7.0
github.com/aws/aws-sdk-go-v2/credentials	v1.17.70 -> v1.18.3
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.3.36 -> v1.4.2
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.6.36 -> v2.7.2
github.com/aws/aws-sdk-go-v2/internal/v4a	v1.3.36 -> v1.4.2
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.12.4 -> v1.13.0
github.com/aws/aws-sdk-go-v2/service/internal/checksum	v1.7.4 -> v1.8.2
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.12.17 -> v1.13.2
github.com/aws/aws-sdk-go-v2/service/internal/s3shared	v1.18.17 -> v1.19.2
github.com/aws/aws-sdk-go-v2/service/sso	v1.25.5 -> v1.27.0
github.com/aws/aws-sdk-go-v2/service/ssooidc	v1.30.3 -> v1.32.0
github.com/aws/aws-sdk-go-v2/service/sts	v1.34.0 -> v1.36.0
github.com/aws/smithy-go	v1.22.4 -> v1.22.5
github.com/cncf/xds/go	v0.0.0-20250326154945-ae57f3c0d45f -> v0.0.0-20250501225837-2ac532fd4443
github.com/go-git/go-billy/v5	v5.6.0 -> v5.6.2
github.com/golang-jwt/jwt/v5	v5.2.2 -> v5.3.0
github.com/gomodule/redigo	v1.8.9 -> v1.9.2
github.com/googleapis/gax-go/v2	v2.14.2 -> v2.15.0
github.com/grpc-ecosystem/grpc-gateway/v2	v2.26.3 -> v2.27.1
github.com/mna/redisc	v1.3.2 -> v1.4.0
github.com/pjbgf/sha1cd	v0.3.0 -> v0.3.2
golang.org/x/mod	v0.25.0 -> v0.26.0
google.golang.org/genproto	v0.0.0-20250505200425-f936aa4a68b2 -> v0.0.0-20250603155806-513f23925822
google.golang.org/genproto/googleapis/api	v0.0.0-20250519155744-55703ea1f237 -> v0.0.0-20250728155136-f173205681a0
google.golang.org/genproto/googleapis/rpc	v0.0.0-20250603155806-513f23925822 -> v0.0.0-20250728155136-f173205681a0

File name: syntax/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated

Details:

Package	Change
github.com/mattn/go-isatty	v0.0.17 -> v0.0.20
golang.org/x/sys	v0.6.0 -> v0.25.0

[jharvey10]

This PR looks to depend on updating the build image to match the go version. This should be handled in #4163.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.