Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build(deps): Bump github.com/hashicorp/vault/sdk from 0.9.2 to 0.10.0 #11

Merged

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Sep 18, 2023

Bumps github.com/hashicorp/vault/sdk from 0.9.2 to 0.10.0.

Changelog

Sourced from github.com/hashicorp/vault/sdk's changelog.

0.10.0 (April 10th, 2018)

SECURITY:

  • Log sanitization for Combined Database Secret Engine: In certain failure scenarios with incorrectly formatted connection urls, the raw connection errors were being returned to the user with the configured database credentials. Errors are now sanitized before being returned to the user.

DEPRECATIONS/CHANGES:

  • Database plugin compatibility: The database plugin interface was enhanced to support some additional functionality related to root credential rotation and supporting templated URL strings. The changes were made in a backwards-compatible way and all builtin plugins were updated with the new features. Custom plugins not built into Vault will need to be upgraded to support templated URL strings and root rotation. Additionally, the Initialize method was deprecated in favor of a new Init method that supports configuration modifications that occur in the plugin back to the primary data store.
  • Removal of returned secret information: For a long time Vault has returned configuration given to various secret engines and auth methods with secret values (such as secret API keys or passwords) still intact, and with a warning to the user on write that anyone with read access could see the secret. This was mostly done to make it easy for tools like Terraform to judge whether state had drifted. However, it also feels quite un-Vault-y to do this and we've never felt very comfortable doing so. In 0.10 we have gone through and removed this behavior from the various backends; fields which contained secret values are simply no longer returned on read. We are working with the Terraform team to make changes to their provider to accommodate this as best as possible, and users of other tools may have to make adjustments, but in the end we felt that the ends did not justify the means and we needed to prioritize security over operational convenience.
  • LDAP auth method case sensitivity: We now treat usernames and groups configured locally for policy assignment in a case insensitive fashion by default. Existing configurations will continue to work as they do now; however, the next time a configuration is written case_sensitive_names will need to be explicitly set to true.
  • TTL handling within core: All lease TTL handling has been centralized within the core of Vault to ensure consistency across all backends. Since this was previously delegated to individual backends, there may be some slight differences in TTLs generated from some backends.
  • Removal of default secret/ mount: In 0.12 we will stop mounting secret/ by default at initialization time (it will still be available in dev mode).

FEATURES:

  • OSS UI: The Vault UI is now fully open-source. Similarly to the CLI, some features are only available with a supporting version of Vault, but the code

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Sep 18, 2023
Bumps [github.com/hashicorp/vault/sdk](https://github.com/hashicorp/vault) from 0.9.2 to 0.10.0.
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG-v0.md)
- [Commits](hashicorp/vault@v0.9.2...v0.10.0)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault/sdk
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/hashicorp/vault/sdk-0.10.0 branch from 8079b18 to ea045f4 Compare September 19, 2023 19:24
@ilijamt ilijamt merged commit d4d4dae into main Sep 19, 2023
1 of 2 checks passed
@dependabot dependabot bot deleted the dependabot/go_modules/github.com/hashicorp/vault/sdk-0.10.0 branch September 19, 2023 19:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file go Pull requests that update Go code
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

1 participant