build(deps): bump github.com/hashicorp/vault from 1.17.0-rc1 to 1.21.0

[dependabot]

Bumps github.com/hashicorp/vault from 1.17.0-rc1 to 1.21.0.

Release notes

Sourced from github.com/hashicorp/vault's releases.

v1.21.0

No release notes provided.

v1.21.0-rc1

No release notes provided.

v1.20.4

No release notes provided.

v1.20.3

No release notes provided.

v1.20.2

August 06, 2025

SECURITY:

• auth/ldap: fix MFA/TOTP enforcement bypass when username_as_alias is enabled [GH-31427,HCSEC-2025-20].

BUG FIXES:

• agent/template: Fixed issue where templates would not render correctly if namespaces was provided by config, and the namespace and mount path of the secret were the same. [GH-31392]
• identity/mfa: revert cache entry change from #31217 and document cache entry values [GH-31421]

v1.20.1

No release notes provided.

v1.20.0

1.20.0

June 25, 2025

SECURITY:

• core: require a nonce when cancelling a rekey operation that was initiated within the last 10 minutes. [GH-30794]

CHANGES:

• UI: remove outdated and unneeded js string extensions [GH-29834]
• activity (enterprise): The sys/internal/counters/activity endpoint will return actual values for new clients in the current month.
• activity (enterprise): provided values for start_time and end_time in sys/internal/counters/activity are aligned to the corresponding billing period.
• activity: provided value for end_time in sys/internal/counters/activity is now capped at the end of the last completed month. [GH-30164]
• api: Update the default API client to check for the Retry-After header and, if it exists, wait for the specified duration before retrying the request. [GH-30887]
• auth/alicloud: Update plugin to v0.21.0 [GH-30810]
• auth/azure: Update plugin to v0.20.2. Login requires resource_group_name, vm_name, and vmss_name to match token claims [GH-30052]
• auth/azure: Update plugin to v0.20.3 [GH-30082]
• auth/azure: Update plugin to v0.20.4 [GH-30543]
• auth/azure: Update plugin to v0.21.0 [GH-30872]
• auth/azure: Update plugin to v0.21.1 [GH-31010]
• auth/cf: Update plugin to v0.20.1 [GH-30583]
• auth/cf: Update plugin to v0.21.0 [GH-30842]

... (truncated)

Changelog

Sourced from github.com/hashicorp/vault's changelog.

1.21.0

October 22, 2025

SECURITY:

• auth/aws: fix an issue where a user may be able to bypass authentication to Vault due to incorrect caching of the AWS client
• auth/ldap: fix MFA/TOTP enforcement bypass when username_as_alias is enabled.
• core: Update github.com/hashicorp/go-getter to fix security vulnerability GHSA-wjrx-6529-hcj3.
• core: Update github.com/ulikunitz/xz to fix security vulnerability GHSA-25xm-hr59-7c27.
• ui: disable scarf analytics for ui builds

CHANGES:

• Secrets Recovery (enterprise): Deprecate the recover_snapshot_id query parameter to pass the snapshot ID for recover operations, in favor of a X-Vault-Recover-Snapshot-Id header. Vault will still accept the query parameter for backward compatibility. Also support setting the HTTP method to RECOVER for recover operations, in addition to POST and PUT.
• activity: Renamed timestamp in export API response to token_creation_time.
• auth/alicloud: Update plugin to v0.22.0
• auth/azure: Update plugin to v0.22.0
• auth/cf: Update plugin to v0.22.0
• auth/gcp: Update plugin to v0.22.0
• auth/jwt: Update plugin to v0.25.0
• auth/kerberos: Update plugin to v0.16.0
• auth/kubernetes: Update plugin to v0.23.0
• auth/oci: Update plugin to v0.20.0
• auth/saml: Update plugin to v0.7.0
• core: Updates post-install script to print updated license information
• database/couchbase: Update plugin to v0.15.0
• database/elasticsearch: Update plugin to v0.19.0
• database/mongodbatlas: Update plugin to v0.16.0
• database/redis-elasticache: Update plugin to v0.8.0
• database/redis: Update plugin to v0.7.0
• database/snowflake: Update plugin to v0.15.0
• http: Add JSON configurable limits to HTTP handling for JSON payloads: max_json_depth, max_json_string_value_length, max_json_object_entry_count, max_json_array_element_count.
• http: Evaluate rate limit quotas before checking JSON limits during request handling.
• policies: change list comparison to allowed_parameters and denied_parameters from "exact match" to "contains all"
• sdk: Upgrade to go-secure-stdlib/[email protected], which also bumps github.com/docker/docker to v28.3.3+incompatible
• secrets/alicloud: Update plugin to v0.21.0
• secrets/azure: Update azure enterprise secrets plugin to include static roles.
• secrets/azure: Update plugin to v0.23.0
• secrets/gcp: Update plugin to v0.23.0
• secrets/kubernetes: Update plugin to v0.12.0
• secrets/kv: Update plugin to v0.25.0
• secrets/mongodbatlas: Update plugin to v0.16.0
• secrets/openldap: Update plugin to v0.17.0
• secrets/terraform: Update plugin to v0.13.0
• ui/client-counts: removes tabs for each client count type and adds split view for counts per type in overview stacked bar chart
• ui: Add client count attribution for the full billing period to the client counts overview table
• ui: Remove namespace context filter for activity in client count dashboard

FEATURES:

... (truncated)

Commits

• 818ca8b [VAULT-40260] This is an automated pull request to build all artifacts for a ...
• b5deaa0 Merge remote-tracking branch 'remotes/from/ce/release/1.21.x' into release/1....
• a20f035 Backport [VAULT-40033] Migrate Slack notifications to ibm-hashicorp workspace...
• 58e59e6 Backport license: update headers to IBM Corp. into release/1.21.x+ent (#10234...
• 59a526a Merge remote-tracking branch 'remotes/from/ce/release/1.21.x' into release/1....
• 1c05b39 pipeline(changed-files): one more small false positive fix (#10247) (#10263) ...
• 29892ad Merge remote-tracking branch 'remotes/from/ce/release/1.21.x' into release/1....
• 054c35d fix: cache aws auth client by account id (#9981) (#10111) (#10125)
• 921938f Merge remote-tracking branch 'remotes/from/ce/release/1.21.x' into release/1....
• fabb0da Backport Backport pipeline(changed-files): fix false positives for some files...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.