build(deps): Bump github.com/hashicorp/vault from 1.19.5 to 1.21.3 #1290

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/github.com/hashicorp/vault-1.21.3

dependabot bot commented on behalf of github Feb 15, 2026

Bumps github.com/hashicorp/vault from 1.19.5 to 1.21.3.

Release notes

Sourced from github.com/hashicorp/vault's releases.

v1.21.2

1.21.2

January 07, 2026

CHANGES:

  • auth/oci: bump plugin to v0.20.1
  • core: Bump Go version to 1.25.5
  • packaging: Container images are now exported using a compressed OCI image layout.
  • packaging: UBI container images are now built on the UBI 10 minimal image.
  • secrets/azure: Update plugin to v0.25.1+ent. Improves retry handling during Azure application and service principal creation to reduce transient failures.
  • storage: Upgrade aerospike client library to v8.

IMPROVEMENTS:

  • core: check rotation manager queue every 5 seconds instead of 10 seconds to improve responsiveness
  • go: update to golang/x/crypto to v0.45.0 to resolve GHSA-f6x5-jh6r-wrfv, GHSA-j5w8-q4qc-rx2x, GO-2025-4134 and GO-2025-4135.
  • rotation: Ensure rotations for shared paths only execute on the Primary cluster's active node. Ensure rotations for local paths execute on the cluster-local active node.
  • sdk/rotation: Prevent rotation attempts on read-only storage.
  • secrets-sync (enterprise): Added support for a boolean force_delete flag (default: false). When set to true, this flag allows deletion of a destination even if its associations cannot be unsynced. This option should be used only as a last-resort deletion mechanism, as any secrets already synced to the external provider will remain orphaned and require manual cleanup.
  • secrets/pki: Avoid loading issuer information multiple times per leaf certificate signing.

BUG FIXES:

  • core/activitylog (enterprise): Resolve a stability issue where Vault Enterprise could encounter a panic during month-end billing activity rollover.
  • http: skip JSON limit parsing on cluster listener.
  • quotas: Vault now protects plugins with ResolveRole operations from panicking on quota creation.
  • replication (enterprise): fix rare panic due to race when enabling a secondary with Consul storage.
  • rotation: Fix a bug where a performance secondary would panic if a write was made to a local mount.
  • secret-sync (enterprise): Improved unsync error handling by treating cases where the destination no longer exists as successful.
  • secrets-sync (enterprise): Corrected a bug where the deletion of the latest KV-V2 secret version caused the associated external secret to be deleted entirely. The sync job now implements a version fallback mechanism to find and sync the highest available active version, ensuring continuity and preventing the unintended deletion of the external secret resource.
  • secrets-sync (enterprise): Fix issue where secrets were not properly un-synced after destination config changes.
  • secrets-sync (enterprise): Fix issue where sync store deletion could be attempted when sync is disabled.
  • ui/pki: Fix handling of values that contain commas in list fields like crl_distribution_points.

v1.21.1

1.21.1

November 20, 2025

SECURITY:

  • auth/aws: fix an issue where a user may be able to bypass authentication to Vault due to incorrect caching of the AWS client
  • ui: disable scarf analytics for ui builds

CHANGES:

  • auth/kubernetes: Update plugin to v0.23.1
  • auth/saml: Update plugin to v0.7.0
  • auth/saml: Update plugin to v0.7.1, which adds the environment variable VAULT_SAML_DENY_INTERNAL_URLS to allow prevention of idp_metadata_url, idp_sso_url, or acs_urls fields from containing URLs that resolve to internal IP addresses
  • core: Bump Go version to 1.25.4

... (truncated)

Changelog

Sourced from github.com/hashicorp/vault's changelog.

1.21.3

February 05, 2026

SECURITY:

  • auth/cert: ensure that the certificate being renewed matches the certificate attached to the session.

CHANGES:

  • core: Bump Go version to 1.25.6

FEATURES:

  • UI: Hashi-Built External Plugin Support: Recognize and support Hashi-built plugins when run as external binaries

IMPROVEMENTS:

  • core/managed-keys (enterprise): Allow GCP managed keys to leverage workload identity federation credentials
  • sdk: Add alias_metadata to tokenutil fields that auth method roles use.
  • secret-sync (enterprise): Added telemetry counters for reconciliation loop operations, including the number of corrections detected, retry attempts, and operation outcomes (success or failure with internal/external cause labels).
  • secret-sync (enterprise): Added telemetry counters for sync/unsync operations with status breakdown by destination type, and exposed operation counters in the destinations list API response.

BUG FIXES:

  • agent: Fix Vault Agent discarding cached tokens on transient server errors instead of retrying
  • core (enterprise): Fix crash when seal HSM is disconnected
  • default-auth: Fix issue when specifying "root" explicitly in Default Auth UI
  • identity: Fix issue where Vault may consume more memory than intended under heavy authentication load.
  • secrets/pki (enterprise): Fix SCEP related digest errors when requests contained compound octet strings
  • ui: Fixes login form so ?with=<path> query param correctly displays only the specified mount when multiple mounts of the same auth type are configured with listing_visibility="unauth"
  • ui: Reverts Kubernetes CA Certificate auth method configuration form field type to file selector

... (truncated)

Commits
  • f4f0f4e This is an automated pull request to build all artifacts for a release (#31737)
  • a717c14 Merge remote-tracking branch 'remotes/from/ce/release/1.21.x' into release/1....
  • e207a23 update tar to latest (#12107) (#12111)
  • aff131f Merge remote-tracking branch 'remotes/from/ce/release/1.21.x' into release/1....
  • e613e81 Put alias_metadata tokenutil field into public SDK (#11468) (#12036) (#12037)
  • e010b33 Merge remote-tracking branch 'remotes/from/ce/release/1.21.x' into release/1....
  • 69beaf2 LDAP Check out Check in System test Cases Part-1 (#11792) (#11990) (#12016)
  • 891be98 Merge remote-tracking branch 'remotes/from/ce/release/1.21.x' into release/1....
  • 046192d Root Credential Rotation Workflows (#11647) (#12000) (#12014)
  • ab38c44 Backport PKI (SCEP): support compound octet strings for inner PKCS7 content i...
  • Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request

| Dependency Name | Ignore Conditions |
| --- | --- |
| github.com/hashicorp/vault | [>= 1.20.a, < 1.21] |

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/hashicorp/vault](https://github.com/hashicorp/vault) from 1.19.5 to 1.21.3.
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md)
- [Commits](hashicorp/vault@v1.19.5...v1.21.3)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault
  dependency-version: 1.21.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added this to the v1.7.0 milestone Feb 15, 2026
dependabot bot requested a review from cybwan as a code owner February 15, 2026 22:04
dependabot bot added the area/control-plane (Task/Issue related to control plane) and change/dependencies (Pull requests that update a dependency file) labels Feb 15, 2026
dependabot bot requested a review from i0r3k as a code owner February 15, 2026 22:04
dependabot bot added the kind/enhancement (New feature or request) and priority/P2 (P2 priority) labels Feb 15, 2026
dependabot bot requested a review from naqvis as a code owner February 15, 2026 22:04
dependabot bot added the size/XS (1 day) label Feb 15, 2026
dependabot bot requested review from 1y5867 and caishu97 as code owners February 15, 2026 22:04
mergify bot commented Feb 15, 2026

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

  • title ~= ^(\[wip\]|\[backport\]|\[cherry-pick\])?( )?(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert)(?:\(.+\))?:

🟢 Enforce verified commits

Wonderful, this rule succeeded.

Make sure that we have verified commits

  • #commits-unverified = 0

🟢 Enforce linear history

Wonderful, this rule succeeded.

Make sure that we have a linear history, no merge commits are allowed

  • linear-history
