chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
alpine	final	digest	51b6726 -> c5b1261
alpine	stage	digest	51b6726 -> c5b1261
codecov/codecov-action	action	digest	eaaf4be -> ab904c4
github.com/go-vela/types	require	patch	v0.23.2 -> v0.23.3
github.com/hashicorp/vault/api	require	minor	v1.10.0 -> v1.12.2
github.com/urfave/cli/v2	require	minor	v2.26.0 -> v2.27.1
github/codeql-action	action	digest	305f654 -> a82bad7
reviewdog/action-golangci-lint	action	digest	94d61e3 -> 00311c2

---

Release Notes

go-vela/types (github.com/go-vela/types)

v0.23.3

Compare Source

What's Changed

• fix(ci): address all outstanding linter feedback by @​ecrupper in https://github.com/go-vela/types/pull/363
• enhance(events): add NewEventsFromSlice method by @​ecrupper in https://github.com/go-vela/types/pull/366
• fix(deps): update all non-major dependencies by @​renovate in https://github.com/go-vela/types/pull/364

Full Changelog: go-vela/types@v0.23.2...v0.23.3

hashicorp/vault (github.com/hashicorp/vault/api)

v1.12.2

Compare Source

1.12.2

November 30, 2022

CHANGES:

• core: Bump Go version to 1.19.3.
• plugins: Mounts can no longer be pinned to a specific builtin version. Mounts previously pinned to a specific builtin version will now automatically upgrade to the latest builtin version, and may now be overridden if an unversioned plugin of the same name and type is registered. Mounts using plugin versions without builtin in their metadata remain unaffected. [GH-18051]

IMPROVEMENTS:

• secrets/pki: Allow issuer creation, import to change default issuer via default_follows_latest_issuer. [GH-17824]
• storage/raft: Add retry_join_as_non_voter config option. [GH-18030]

BUG FIXES:

• auth/okta: fix a panic for AuthRenew in Okta [GH-18011]
• auth: Deduplicate policies prior to ACL generation [GH-17914]
• cli: Fix issue preventing kv commands from executing properly when the mount path provided by -mount flag and secret key path are the same. [GH-17679]
• core (enterprise): Supported storage check in vault server command will no longer prevent startup. Instead, a warning will be logged if configured to use storage backend other than raft or consul.
• core/quotas (enterprise): Fix a lock contention issue that could occur and cause Vault to become unresponsive when creating, changing, or deleting lease count quotas.
• core: Fix potential deadlock if barrier ciphertext is less than 4 bytes. [GH-17944]
• core: fix a start up race condition where performance standbys could go into a
  mount loop if default policies are not yet synced from the active node. [GH-17801]
• plugins: Only report deprecation status for builtin plugins. [GH-17816]
• plugins: Vault upgrades will no longer fail if a mount has been created using an explicit builtin plugin version. [GH-18051]
• secret/pki: fix bug with initial legacy bundle migration (from < 1.11 into 1.11+) and missing issuers from ca_chain [GH-17772]
• secrets/azure: add WAL to clean up role assignments if errors occur [GH-18086]
• secrets/gcp: Fixes duplicate service account key for rotate root on standby or secondary [GH-18111]
• secrets/pki: Fix upgrade of missing expiry, delta_rebuild_interval by setting them to the default. [GH-17693]
• ui: Fixes issue with not being able to download raft snapshot via service worker [GH-17769]
• ui: fix entity policies list link to policy show page [GH-17950]

v1.12.1

Compare Source

1.12.1

November 2, 2022

IMPROVEMENTS:

• api: Support VAULT_DISABLE_REDIRECTS environment variable (and --disable-redirects flag) to disable default client behavior and prevent the client following any redirection responses. [GH-17352]
• database/snowflake: Allow parallel requests to Snowflake [GH-17593]
• plugins: Add plugin version information to key plugin lifecycle log lines. [GH-17430]
• sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]

BUG FIXES:

• cli: Remove empty table heading for vault secrets list -detailed output. [GH-17577]
• core/managed-keys (enterprise): Return better error messages when encountering key creation failures
• core/managed-keys (enterprise): Switch to using hash length as PSS Salt length within the test/sign api for better PKCS#11 compatibility
• core: Fix panic caused in Vault Agent when rendering certificate templates [GH-17419]
• core: Fixes spurious warnings being emitted relating to "unknown or unsupported fields" for JSON config [GH-17660]
• core: prevent memory leak when using control group factors in a policy [GH-17532]
• core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
• kmip (enterprise): Fix a problem in the handling of attributes that caused Import operations to fail.
• kmip (enterprise): Fix selection of Cryptographic Parameters for Encrypt/Decrypt operations.
• login: Store token in tokenhelper for interactive login MFA [GH-17040]
• secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
• ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]

v1.12.0

Compare Source

1.12.0

October 13, 2022

CHANGES:

• api: Exclusively use GET /sys/plugins/catalog endpoint for listing plugins, and add details field to list responses. [GH-17347]
• auth: GET /sys/auth/:name endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
• auth: GET /sys/auth endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
• auth: POST /sys/auth/:type endpoint response contains a warning for Deprecated auth methods. [GH-17058]
• auth: auth enable returns an error and POST /sys/auth/:type endpoint reports an error for Pending Removal auth methods. [GH-17005]
• core/entities: Fixed stranding of aliases upon entity merge, and require explicit selection of which aliases should be kept when some must be deleted [GH-16539]
• core: Bump Go version to 1.19.2.
• core: Validate input parameters for vault operator init command. Vault 1.12 CLI version is needed to run operator init now. [GH-16379]
• identity: a request to /identity/group that includes member_group_ids that contains a cycle will now be responded to with a 400 rather than 500 [GH-15912]
• licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades will not be allowed if the license termination time is before the build date of the binary.
• plugins: Add plugin version to auth register, list, and mount table [GH-16856]
• plugins: GET /sys/plugins/catalog/:type/:name endpoint contains deprecation status for builtin plugins. [GH-17077]
• plugins: GET /sys/plugins/catalog/:type/:name endpoint now returns an additional version field in the response data. [GH-16688]
• plugins: GET /sys/plugins/catalog/ endpoint contains deprecation status in detailed list. [GH-17077]
• plugins: GET /sys/plugins/catalog endpoint now returns an additional detailed field in the response data with a list of additional plugin metadata. [GH-16688]
• plugins: plugin info displays deprecation status for builtin plugins. [GH-17077]
• plugins: plugin list now accepts a -detailed flag, which display deprecation status and version info. [GH-17077]
• secrets/azure: Removed deprecated AAD graph API support from the secrets engine. [GH-17180]
• secrets: All database-specific (standalone DB) secrets engines are now marked Pending Removal. [GH-17038]
• secrets: GET /sys/mounts/:name endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
• secrets: GET /sys/mounts endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
• secrets: POST /sys/mounts/:type endpoint response contains a warning for Deprecated secrets engines. [GH-17058]
• secrets: secrets enable returns an error and POST /sys/mount/:type endpoint reports an error for Pending Removal secrets engines. [GH-17005]

FEATURES:

• GCP Cloud KMS support for managed keys: Managed keys now support using GCP Cloud KMS keys
• LDAP Secrets Engine: Adds the ldap secrets engine with service account check-out functionality for all supported schemas. [GH-17152]
• OCSP Responder: PKI mounts now have an OCSP responder that implements a subset of RFC6960, answering single serial number OCSP requests for a specific cluster's revoked certificates in a mount. [GH-16723]
• Redis DB Engine: Adding the new Redis database engine that supports the generation of static and dynamic user roles and root credential rotation on a stand alone Redis server. [GH-17070]
• Redis ElastiCache DB Plugin: Added Redis ElastiCache as a built-in plugin. [GH-17075]
• Secrets/auth plugin multiplexing: manage multiple plugin configurations with a single plugin process [GH-14946]
• Transform Key Import (BYOK): The transform secrets engine now supports importing keys for tokenization and FPE transformations
• HCP (enterprise): Adding foundational support for self-managed vault nodes to securely communicate with HashiCorp Cloud Platform as an opt-in feature
• ui: UI support for Okta Number Challenge. [GH-15998]

IMPROVEMENTS:

• :core/managed-keys (enterprise): Allow operators to specify PSS signatures and/or hash algorithm for the test/sign api
• activity (enterprise): Added new clients unit tests to test accuracy of estimates
• agent/auto-auth: Add exit_on_err which when set to true, will cause Agent to exit if any errors are encountered during authentication. [GH-17091]
• agent: Added disable_idle_connections configuration to disable leaving idle connections open in auto-auth, caching and templating. [GH-15986]
• agent: Added disable_keep_alives configuration to disable keep alives in auto-auth, caching and templating. [GH-16479]
• agent: JWT auto auth now supports a remove_jwt_after_reading config option which defaults to true. [GH-11969]
• agent: Send notifications to systemd on start and stop. [GH-9802]
• api/mfa: Add namespace path to the MFA read/list endpoint [GH-16911]
• api: Add a sentinel error for missing KV secrets [GH-16699]
• auth/alicloud: Enables AliCloud roles to be compatible with Vault's role based quotas. [GH-17251]
• auth/approle: SecretIDs can now be generated with an per-request specified TTL and num_uses.
  When either the ttl and num_uses fields are not specified, the role's configuration is used. [GH-14474]
• auth/aws: PKCS7 signatures will now use SHA256 by default in prep for Go 1.18 [GH-16455]
• auth/azure: Enables Azure roles to be compatible with Vault's role based quotas. [GH-17194]
• auth/cert: Add metadata to identity-alias [GH-14751]
• auth/cert: Operators can now specify a CRL distribution point URL, in which case the cert auth engine will fetch and use the CRL from that location rather than needing to push CRLs directly to auth/cert. [GH-17136]
• auth/cf: Enables CF roles to be compatible with Vault's role based quotas. [GH-17196]
• auth/gcp: Add support for GCE regional instance groups [GH-16435]
• auth/gcp: Updates dependencies: google.golang.org/[email protected], github.com/hashicorp/[email protected]. [GH-17160]
• auth/jwt: Adds support for Microsoft US Gov L4 to the Azure provider for groups fetching. [GH-16525]
• auth/jwt: Improves detection of Windows Subsystem for Linux (WSL) for CLI-based logins. [GH-16525]
• auth/kerberos: add add_group_aliases config to include LDAP groups in Vault group aliases [GH-16890]
• auth/kerberos: add remove_instance_name parameter to the login CLI and the Kerberos config in Vault. This removes any instance names found in the keytab service principal name. [GH-16594]
• auth/kubernetes: Role resolution for K8S Auth [GH-156] [GH-17161]
• auth/oci: Add support for role resolution. [GH-17212]
• auth/oidc: Adds support for group membership parsing when using SecureAuth as an OIDC provider. [GH-16274]
• cli: CLI commands will print a warning if flags will be ignored because they are passed after positional arguments. [GH-16441]
• cli: auth and secrets list -detailed commands now show Deprecation Status for builtin plugins. [GH-16849]
• cli: vault plugin list now has a details field in JSON format, and version and type information in table format. [GH-17347]
• command/audit: Improve missing type error message [GH-16409]
• command/server: add -dev-tls and -dev-tls-cert-dir subcommands to create a Vault dev server with generated certificates and private key. [GH-16421]
• command: Fix shell completion for KV v2 mounts [GH-16553]
• core (enterprise): Add HTTP PATCH support for namespaces with an associated namespace patch CLI command
• core (enterprise): Add check to vault server command to ensure configured storage backend is supported.
• core (enterprise): Add custom metadata support for namespaces
• core/activity: generate hyperloglogs containing clientIds for each month during precomputation [GH-16146]
• core/activity: refactor activity log api to reuse partial api functions in activity endpoint when current month is specified [GH-16162]
• core/activity: use monthly hyperloglogs to calculate new clients approximation for current month [GH-16184]
• core/quotas (enterprise): Added ability to add path suffixes for lease-count resource quotas
• core/quotas (enterprise): Added ability to add role information for lease-count resource quotas, to limit login requests on auth mounts made using that role
• core/quotas: Added ability to add path suffixes for rate-limit resource quotas [GH-15989]
• core/quotas: Added ability to add role information for rate-limit resource quotas, to limit login requests on auth mounts made using that role [GH-16115]
• core: Activity log goroutine management improvements to allow tests to be more deterministic. [GH-17028]
• core: Add sys/loggers and sys/loggers/:name endpoints to provide ability to modify logging verbosity [GH-16111]
• core: Handle and log deprecated builtin mounts. Introduces VAULT_ALLOW_PENDING_REMOVAL_MOUNTS to override shutdown and error when attempting to mount Pending Removal builtin plugins. [GH-17005]
• core: Limit activity log client count usage by namespaces [GH-16000]
• core: Upgrade github.com/hashicorp/raft [GH-16609]
• core: remove gox [GH-16353]
• docs: Clarify the behaviour of local mounts in the context of DR replication [GH-16218]
• identity/oidc: Adds support for detailed listing of clients and providers. [GH-16567]
• identity/oidc: Adds the client_secret_post token endpoint authentication method. [GH-16598]
• identity/oidc: allows filtering the list providers response by an allowed_client_id [GH-16181]
• identity: Prevent possibility of data races on entity creation. [GH-16487]
• physical/postgresql: pass context to queries to propagate timeouts and cancellations on requests. [GH-15866]
• plugins/multiplexing: Added multiplexing support to database plugins if run as external plugins [GH-16995]
• plugins: Add Deprecation Status method to builtinregistry. [GH-16846]
• plugins: Added environment variable flag to opt-out specific plugins from multiplexing [GH-16972]
• plugins: Adding version to plugin GRPC interface [GH-17088]
• plugins: Plugin catalog supports registering and managing plugins with semantic version information. [GH-16688]
• replication (enterprise): Fix race in merkle sync that can prevent streaming by returning key value matching provided hash if found in log shipper buffer.
• secret/nomad: allow reading CA and client auth certificate from /nomad/config/access [GH-15809]
• secret/pki: Add RSA PSS signature support for issuing certificates, signing CRLs [GH-16519]
• secret/pki: Add signature_bits to sign-intermediate, sign-verbatim endpoints [GH-16124]
• secret/pki: Allow issuing certificates with non-domain, non-email Common Names from roles, sign-verbatim, and as issuers (cn_validations). [GH-15996]
• secret/pki: Allow specifying SKID for cross-signed issuance from older Vault versions. [GH-16494]
• secret/transit: Allow importing Ed25519 keys from PKCS#8 with inner RFC 5915 ECPrivateKey blobs (NSS-wrapped keys). [GH-15742]
• secrets/ad: set config default length only if password_policy is missing [GH-16140]
• secrets/azure: Adds option to permanently delete AzureAD objects created by Vault. [GH-17045]
• secrets/database/hana: Add ability to customize dynamic usernames [GH-16631]
• secrets/database/snowflake: Add multiplexing support [GH-17159]
• secrets/gcp: Updates dependencies: google.golang.org/[email protected], github.com/hashicorp/[email protected]. [GH-17174]
• secrets/gcpkms: Update dependencies: google.golang.org/[email protected]. [GH-17199]
• secrets/kubernetes: upgrade to v0.2.0 [GH-17164]
• secrets/pki/tidy: Add another pair of metrics counting certificates not deleted by the tidy operation. [GH-16702]
• secrets/pki: Add a new flag to issue/sign APIs which can filter out root CAs from the returned ca_chain field [GH-16935]
• secrets/pki: Add a warning to any successful response when the requested TTL is overwritten by MaxTTL [GH-17073]
• secrets/pki: Add ability to cancel tidy operations, control tidy resource usage. [GH-16958]
• secrets/pki: Add ability to periodically rebuild CRL before expiry [GH-16762]
• secrets/pki: Add ability to periodically run tidy operations to remove expired certificates. [GH-16900]
• secrets/pki: Add support for per-issuer Authority Information Access (AIA) URLs [GH-16563]
• secrets/pki: Add support to specify signature bits when generating CSRs through intermediate/generate apis [GH-17388]
• secrets/pki: Added gauge metrics "secrets.pki.total_revoked_certificates_stored" and "secrets.pki.total_certificates_stored" to track the number of certificates in storage. [GH-16676]
• secrets/pki: Allow revocation of certificates with explicitly provided certificate (bring your own certificate / BYOC). [GH-16564]
• secrets/pki: Allow revocation via proving possession of certificate's private key [GH-16566]
• secrets/pki: Allow tidy to associate revoked certs with their issuers for OCSP performance [GH-16871]
• secrets/pki: Honor If-Modified-Since header on CA, CRL fetch; requires passthrough_request_headers modification on the mount point. [GH-16249]
• secrets/pki: Improve stability of association of revoked cert with its parent issuer; when an issuer loses crl-signing usage, do not place certs on default issuer's CRL. [GH-16874]
• secrets/pki: Support generating delta CRLs for up-to-date CRLs when auto-building is enabled. [GH-16773]
• secrets/ssh: Add allowed_domains_template to allow templating of allowed_domains. [GH-16056]
• secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields. [GH-16018]
• secrets/ssh: Allow the use of Identity templates in the default_user field [GH-16351]
• secrets/transit: Add a dedicated HMAC key type, which can be used with key import. [GH-16668]
• secrets/transit: Added a parameter to encrypt/decrypt batch operations to allow the caller to override the HTTP response code in case of partial user-input failures. [GH-17118]
• secrets/transit: Allow configuring the possible salt lengths for RSA PSS signatures. [GH-16549]
• ssh: Addition of an endpoint ssh/issue/:role to allow the creation of signed key pairs [GH-15561]
• storage/cassandra: tuning parameters for clustered environments connection_timeout, initial_connection_timeout, simple_retry_policy_retries. [GH-10467]
• storage/gcs: Add documentation explaining how to configure the gcs backend using environment variables instead of options in the configuration stanza [GH-14455]
• ui: Changed the tokenBoundCidrs tooltip content to clarify that comma separated values are not accepted in this field. [GH-15852]
• ui: Prevents requests to /sys/internal/ui/resultant-acl endpoint when unauthenticated [GH-17139]
• ui: Removed deprecated version of core-js 2.6.11 [GH-15898]
• ui: Renamed labels under Tools for wrap, lookup, rewrap and unwrap with description. [GH-16489]
• ui: Replaces non-inclusive terms [GH-17116]
• ui: redirect_to param forwards from auth route when authenticated [GH-16821]
• website/docs: API generate-recovery-token documentation. [GH-16213]
• website/docs: Add documentation around the expensiveness of making lots of lease count quotas in a short period [GH-16950]
• website/docs: Removes mentions of unauthenticated from internal ui resultant-acl doc [GH-17139]
• website/docs: Update replication docs to mention Integrated Storage [GH-16063]
• website/docs: changed to echo for all string examples instead of (<<<) here-string. [GH-9081]

BUG FIXES:

• agent/template: Fix parsing error for the exec stanza [GH-16231]
• agent: Agent will now respect max_retries retry configuration even when caching is set. [GH-16970]
• agent: Update consul-template for pkiCert bug fixes [GH-16087]
• api/sys/internal/specs/openapi: support a new "dynamic" query parameter to generate generic mountpaths [GH-15835]
• api: Fixed erroneous warnings of unrecognized parameters when unwrapping data. [GH-16794]
• api: Fixed issue with internal/ui/mounts and internal/ui/mounts/(?P.+) endpoints where it was not properly handling /auth/ [GH-15552]
• api: properly handle switching to/from unix domain socket when changing client address [GH-11904]
• auth/cert: Vault does not initially load the CRLs in cert auth unless the read/write CRL endpoint is hit. [GH-17138]
• auth/kerberos: Maintain headers set by the client [GH-16636]
• auth/kubernetes: Restore support for JWT signature algorithm ES384 [GH-160] [GH-17161]
• auth/token: Fix ignored parameter warnings for valid parameters on token create [GH-16938]
• command/debug: fix bug where monitor was not honoring configured duration [GH-16834]
• core (enterprise): Fix bug where wrapping token lookup does not work within namespaces. [GH-15583]
• core (enterprise): Fix creation of duplicate entities via alias metadata changes on local auth mounts.
• core/auth: Return a 403 instead of a 500 for a malformed SSCT [GH-16112]
• core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically [GH-16088]
• core/license (enterprise): Always remove stored license and allow unseal to complete when license cleanup fails
• core/managed-keys (enterprise): fix panic when having cache_disable true
• core/quotas (enterprise): Fixed issue with improper counting of leases if lease count quota created after leases
• core/quotas: Added globbing functionality on the end of path suffix quota paths [GH-16386]
• core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. [GH-17281]
• core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
• core/seal: Fix possible keyring truncation when using the file backend. [GH-15946]
• core: Fix panic when the plugin catalog returns neither a plugin nor an error. [GH-17204]
• core: Fixes parsing boolean values for ha_storage backends in config [GH-15900]
• core: Increase the allowed concurrent gRPC streams over the cluster port. [GH-16327]
• core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. [GH-16956]
• database: Invalidate queue should cancel context first to avoid deadlock [GH-15933]
• debug: Fix panic when capturing debug bundle on Windows [GH-14399]
• debug: Remove extra empty lines from vault.log when debug command is run [GH-16714]
• identity (enterprise): Fix a data race when creating an entity for a local alias.
• identity/oidc: Adds claims_supported to discovery document. [GH-16992]
• identity/oidc: Change the state parameter of the Authorization Endpoint to optional. [GH-16599]
• identity/oidc: Detect invalid redirect_uri values sooner in validation of the Authorization Endpoint. [GH-16601]
• identity/oidc: Fixes validation of the request and request_uri parameters. [GH-16600]
• openapi: Fixed issue where information about /auth/token endpoints was not present with explicit policy permissions [GH-15552]
• plugin/multiplexing: Fix panic when id doesn't exist in connection map [GH-16094]
• plugin/secrets/auth: Fix a bug with aliased backends such as aws-ec2 or generic [GH-16673]
• plugins: Corrected the path to check permissions on when the registered plugin name does not match the plugin binary's filename. [GH-17340]
• quotas/lease-count: Fix lease-count quotas on mounts not properly being enforced when the lease generating request is a read [GH-15735]
• replication (enterprise): Fix data race in SaveCheckpoint()
• replication (enterprise): Fix data race in saveCheckpoint.
• replication (enterprise): Fix possible data race during merkle diff/sync
• secret/pki: Do not fail validation with a legacy key_bits default value and key_type=any when signing CSRs [GH-16246]
• secrets/database: Fix a bug where the secret engine would queue up a lot of WAL deletes during startup. [GH-16686]
• secrets/gcp: Fixes duplicate static account key creation from performance secondary clusters. [GH-16534]
• secrets/kv: Fix kv get issue preventing the ability to read a secret when providing a leading slash [GH-16443]
• secrets/pki: Allow import of issuers without CRLSign KeyUsage; prohibit setting crl-signing usage on such issuers [GH-16865]
• secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [GH-17328]
• secrets/pki: Do not read revoked certificates from backend when CRL is disabled [GH-17385]
• secrets/pki: Fix migration to properly handle mounts that contain only keys, no certificates [GH-16813]
• secrets/pki: Ignore EC PARAMETER PEM blocks during issuer import (/config/ca, /issuers/import/*, and /intermediate/set-signed) [GH-16721]
• secrets/pki: LIST issuers endpoint is now unauthenticated. [GH-16830]
• secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
• secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
• storage/raft (enterprise): Fix some storage-modifying RPCs used by perf standbys that weren't returning the resulting WAL state.
• storage/raft (enterprise): Prevent unauthenticated voter status change with rejoin [GH-16324]
• storage/raft: Fix retry_join initialization failure [GH-16550]
• storage/raft: Nodes no longer get demoted to nonvoter if we don't know their version due to missing heartbeats. [GH-17019]
• ui/keymgmt: Sets the defaultValue for type when creating a key. [GH-17407]
• ui: Fix OIDC callback to accept namespace flag in different formats [GH-16886]
• ui: Fix info tooltip submitting form [GH-16659]
• ui: Fix issue logging in with JWT auth method [GH-16466]
• ui: Fix lease force revoke action [GH-16930]
• ui: Fix naming of permitted_dns_domains form parameter on CA creation (root generation and sign intermediate). [GH-16739]
• ui: Fixed bug where red spellcheck underline appears in sensitive/secret kv values when it should not appear [GH-15681]
• ui: Fixes secret version and status menu links transitioning to auth screen [GH-16983]
• ui: OIDC login type uses localStorage instead of sessionStorage [GH-16170]
• vault: Fix a bug where duplicate policies could be added to an identity group. [GH-15638]

v1.11.0

Compare Source

1.11.0

Unreleased

CHANGES:

• auth/aws: Add RoleSession to DisplayName when using assumeRole for authentication [GH-14954]
• auth: Remove support for legacy MFA
  (https://www.vaultproject.io/docs/v1.10.x/auth/mfa) [GH-14869]
• core: A request that fails path validation due to relative path check will now be responded to with a 400 rather than 500. [GH-14328]
• core: Bump Go version to 1.17.9. [GH-go-ver-1110]
• licensing (enterprise): Remove support for stored licenses and associated sys/license and sys/license/signed
  endpoints in favor of autoloaded licenses.
• replication (enterprise): The /sys/replication/performance/primary/mount-filter endpoint has been removed. Please use Paths Filter instead.
• ui: Upgrade Ember to version 3.28 [GH-14763]

FEATURES:

• Non-Disruptive Intermediate/Root Certificate Rotation: This allows
  import, generation and configuration of any number of keys and/or issuers
  within a PKI mount, providing operators the ability to rotate certificates
  in place without affecting existing client configurations. [GH-15277]
• api/command: Global -output-policy flag to determine minimum required policy HCL for a given operation [GH-14899]
• nomad: Bootstrap Nomad ACL system if no token is provided [GH-12451]
• storage/dynamodb: Added AWS_DYNAMODB_REGION environment variable. [GH-15054]

IMPROVEMENTS:

• agent/auto-auth: Add min_backoff to the method stanza for configuring initial backoff duration. [GH-15204]
• agent: Update consult-template to v0.29.0 [GH-15293]
• agent: Upgrade hashicorp/consul-template version for sprig template functions and improved writeTo function [GH-15092]
• api: Add ability to pass certificate as PEM bytes to api.Client. [GH-14753]
• api: Add context-aware functions to vault/api for each API wrapper function. [GH-14388]
• api: Added MFALogin() for handling MFA flow when using login helpers. [GH-14900]
• api: If the parameters supplied over the API payload are ignored due to not
  being what the endpoints were expecting, or if the parameters supplied get
  replaced by the values in the endpoint's path itself, warnings will be added to
  the non-empty responses listing all the ignored and replaced parameters. [GH-14962]
• api: Provide a helper method WithNamespace to create a cloned client with a new NS [GH-14963]
• api: Use the context passed to the api/auth Login helpers. [GH-14775]
• auth/okta: Add support for Google provider TOTP type in the Okta auth method [GH-14985]
• auth: enforce a rate limit for TOTP passcode validation attempts [GH-14864]
• cli/debug: added support for retrieving metrics from DR clusters if unauthenticated_metrics_access is enabled [GH-15316]
• cli/vault: warn when policy name contains upper-case letter [GH-14670]
• cli: Alternative flag-based syntax for KV to mitigate confusion from automatically appended /data [GH-14807]
• cockroachdb: add high-availability support [GH-12965]
• core (enterprise): Include termination_time in sys/license/status response
• core (enterprise): Include termination time in license inspect command output
• core : check uid and permissions of config dir, config file, plugin dir and plugin binaries [GH-14817]
• core,transit: Allow callers to choose random byte source including entropy augmentation sources for the sys/tools/random and transit/random endpoints. [GH-15213]
• core/activity: Order month data in ascending order of timestamps [GH-15259]
• core: Add new DB methods that do not prepare statements. [GH-15166]
• core: Fix some identity data races found by Go race detector (no known impact yet). [GH-15123]
• core: Include build date in sys/seal-status and sys/version-history endpoints. [GH-14957]
• core: Upgrade github.org/x/crypto/ssh [GH-15125]
• sdk: Change OpenAPI code generator to extract request objects into /components/schemas and reference them by name. [GH-14217]
• secrets/consul: Add support for Consul node-identities and service-identities [GH-15295]
• secrets/consul: Vault is now able to automatically bootstrap the Consul ACL system. [GH-10751]
• secrets/pki: Warn when generate_lease and no_store are both set to true on requests. [GH-14292]
• sentinel (enterprise): Upgrade sentinel to v0.18.5 to avoid potential naming collisions in the remote installer
• storage/raft: Use larger timeouts at startup to reduce likelihood of inducing elections. [GH-15042]
• ui: Parse schema refs from OpenAPI [GH-14508]
• ui: Remove storybook. [GH-15074]
• ui: Replaces the IvyCodemirror wrapper with a custom ember modifier. [GH-14659]
• website/docs: added a link to an Enigma secret plugin. [GH-14389]

BUG FIXES:

• Fixed panic when adding or modifying a Duo MFA Method in Enterprise
• agent: Fix log level mismatch between ERR and ERROR [GH-14424]
• api/sys/raft: Update RaftSnapshotRestore to use net/http client allowing bodies larger than allocated memory to be streamed [GH-14269]
• api: Fixes bug where OutputCurlString field was unintentionally being copied over during client cloning [GH-14968]
• api: Respect increment value in grace period calculations in LifetimeWatcher [GH-14836]
• auth/approle: Add maximum length for input values that result in SHA56 HMAC calculation [GH-14746]
• auth: forward requests subject to login MFA from perfStandby to Active node [GH-15009]
• auth: load login MFA configuration upon restart [GH-15261]
• cassandra: Update gocql Cassandra client to fix "no hosts available in the pool" error [GH-14973]
• cli: Fix panic caused by parsing key=value fields whose value is a single backslash [GH-14523]
• cli: kv get command now honors trailing spaces to retrieve secrets [GH-15188]
• core (enterprise): Allow local alias create RPCs to persist alias metadata
• core (enterprise): Fix some races in merkle index flushing code found in testing
• core/config: Only ask the system about network interfaces when address configs contain a template having the format: {{ ... }} [GH-15224]
• core/managed-keys (enterprise): Allow PKCS#11 managed keys to use 0 as a slot number
• core/metrics: Fix incorrect table size metric for local mounts [GH-14755]
• core: Fix double counting for "route" metrics [GH-12763]
• core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited integers [GH-15072]
• core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited strings [GH-14522]
• core: Fix panic caused by parsing policies with empty slice values. [GH-14501]
• core: Fix panic for help request URL paths without /v1/ prefix [GH-14704]
• core: fixed systemd reloading notification [GH-15041]
• core: fixing excessive unix file permissions [GH-14791]
• core: fixing excessive unix file permissions on dir, files and archive created by vault debug command [GH-14846]
• core: pre-calculate namespace specific paths when tainting a route during postUnseal [GH-15067]
• core: report unused or redundant keys in server configuration [GH-14752]
• core: time.After() used in a select statement can lead to memory leak [GH-14814]
• rafft: fix Raft TLS key rotation panic that occurs if active key is more than 24 hours old [GH-15156]
• raft: Ensure initialMmapSize is set to 0 on Windows [GH-14977]
• replication (enterprise): fix panic due to missing entity during invalidation of local aliases. [GH-14622]
• sdk/cidrutil: Only check if cidr contains remote address for IP addresses [GH-14487]
• sdk: Fix OpenApi spec generator to properly convert TypeInt64 to OAS supported int64 [GH-15104]
• sdk: Fix OpenApi spec generator to remove duplicate sha_256 parameter [GH-15163]
• secrets/database: Ensure that a connection_url password is redacted in all cases. [GH-14744]
• secrets/pki: Fix handling of "any" key type with default zero signature bits value. [GH-14875]
• secrets/pki: Fixed bug where larger SHA-2 hashes were truncated with shorter ECDSA CA certificates [GH-14943]
• ui: Fix Generated Token's Policies helpText to clarify that comma separated values are not accepted in this field. [GH-15046]
• ui: Fix KV secret showing in the edit form after a user creates a new version but doesn't have read capabilities [GH-14794]
• ui: Fix issue with KV not recomputing model when you changed versions. [GH-14941]
• ui: Fixes edit auth method capabilities issue [GH-14966]
• ui: Fixes issue logging in with OIDC from a listed auth mounts tab [GH-14916]
• ui: fix firefox inability to recognize file format of client count csv export [GH-15364]
• ui: fix search-select component showing blank selections when editing group member entity [GH-15058]
• ui: masked values no longer give away length or location of special characters [GH-15025]

urfave/cli (github.com/urfave/cli/v2)

v2.27.1

Compare Source

What's Changed

• v2: Add build tag urfave_cli_no_suggest by @​dolmen in https://github.com/urfave/cli/pull/1847

Full Changelog: urfave/cli@v2.27.0...v2.27.1

v2.27.0

Compare Source

What's Changed

• v2 Add integration with golangci-lint by @​skelouse in https://github.com/urfave/cli/pull/1830
• v2: GitHub Actions: upgrade Go, upgrade actions by @​dolmen in https://github.com/urfave/cli/pull/1848
• Feat:(issue_1797) Add Args for app/cmd/subcmd to avoid argument... be… by @​dearchap in https://github.com/urfave/cli/pull/1829
• Fix:(issue_1850) Add RunAction for uint/uint64 slice flags by @​dearchap in https://github.com/urfave/cli/pull/1851

Full Changelog: urfave/cli@v2.26.0...v2.27.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 46.54%. Comparing base (5e65a37) to head (b56920b).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #435   +/-   ##
=======================================
  Coverage   46.54%   46.54%           
=======================================
  Files           7        7           
  Lines         318      318           
=======================================
  Hits          148      148           
  Misses        155      155           
  Partials       15       15