Bump github.com/hashicorp/vault from 1.18.2 to 1.20.4

[dependabot]

Bumps github.com/hashicorp/vault from 1.18.2 to 1.20.4.

Release notes

Sourced from github.com/hashicorp/vault's releases.

v1.20.4

No release notes provided.

v1.20.3

No release notes provided.

v1.20.2

August 06, 2025

SECURITY:

• auth/ldap: fix MFA/TOTP enforcement bypass when username_as_alias is enabled [GH-31427,HCSEC-2025-20].

BUG FIXES:

• agent/template: Fixed issue where templates would not render correctly if namespaces was provided by config, and the namespace and mount path of the secret were the same. [GH-31392]
• identity/mfa: revert cache entry change from #31217 and document cache entry values [GH-31421]

v1.20.1

No release notes provided.

v1.20.0

1.20.0

June 25, 2025

SECURITY:

• core: require a nonce when cancelling a rekey operation that was initiated within the last 10 minutes. [GH-30794]

CHANGES:

• UI: remove outdated and unneeded js string extensions [GH-29834]
• activity (enterprise): The sys/internal/counters/activity endpoint will return actual values for new clients in the current month.
• activity (enterprise): provided values for start_time and end_time in sys/internal/counters/activity are aligned to the corresponding billing period.
• activity: provided value for end_time in sys/internal/counters/activity is now capped at the end of the last completed month. [GH-30164]
• api: Update the default API client to check for the Retry-After header and, if it exists, wait for the specified duration before retrying the request. [GH-30887]
• auth/alicloud: Update plugin to v0.21.0 [GH-30810]
• auth/azure: Update plugin to v0.20.2. Login requires resource_group_name, vm_name, and vmss_name to match token claims [GH-30052]
• auth/azure: Update plugin to v0.20.3 [GH-30082]
• auth/azure: Update plugin to v0.20.4 [GH-30543]
• auth/azure: Update plugin to v0.21.0 [GH-30872]
• auth/azure: Update plugin to v0.21.1 [GH-31010]
• auth/cf: Update plugin to v0.20.1 [GH-30583]
• auth/cf: Update plugin to v0.21.0 [GH-30842]
• auth/gcp: Update plugin to v0.20.2 [GH-30081]
• auth/jwt: Update plugin to v0.23.2 [GH-30431]
• auth/jwt: Update plugin to v0.24.1 [GH-30876]
• auth/kerberos: Update plugin to v0.15.0 [GH-30845]
• auth/kubernetes: Update plugin to v0.22.1 [GH-30910]
• auth/oci: Update plugin to v0.19.0 [GH-30841]

... (truncated)

Changelog

Sourced from github.com/hashicorp/vault's changelog.

1.20.4

September 24, 2025

SECURITY:

• core: Update github.com/ulikunitz/xz to fix security vulnerability GHSA-25xm-hr59-7c27. (ce4b4264)

CHANGES:

• database/snowflake: Update plugin to v0.14.2 (9f06df77)

IMPROVEMENTS:

• Raft: Auto-join will now allow you to enforce IPv4 on networks that allow IPv6 and dual-stack enablement, which is on by default in certain regions. (1fd38796)
• auth/cert: Support RFC 9440 colon-wrapped Base64 certificates in x_forwarded_for_client_cert_header, to fix TLS certificate auth errors with Google Cloud Application Load Balancer. [GH-31501]
• secrets/database (enterprise): Add support for reading, listing, and recovering static roles from a loaded snapshot. Also add support for reading static credentials from a loaded snapshot. (24cd1aa5)
• secrets/ssh: Add support for recovering the SSH plugin CA from a loaded snapshot (enterprise only). (0087af9d)

BUG FIXES:

• auth/cert: Recover from partially populated caches of trusted certificates if one or more certificates fails to load. [GH-31438]
• core: Role based quotas now work for cert auth (fc775dea)
• sys/mounts: enable unsetting allowed_response_headers [GH-31555]
• ui: Fix page loading error when users navigate away from identity entities and groups list views. (81170963)

1.20.3

August 28, 2025

FEATURES:

• IBM RACF Static Role Password Phrase Management (Enterprise): Add support for static role password phrase management to the LDAP secrets engine. (hashicorp/vault-plugin-secrets-openldap#184)

SECURITY:

• core: Update github.com/hashicorp/go-getter to fix security vulnerability GHSA-wjrx-6529-hcj3. (8b3a9ce1)

CHANGES:

• core: Bump Go version to 1.24.6. (ce56e14e)
• http: Add JSON configurable limits to HTTP handling for JSON payloads: max_json_depth, max_json_string_value_length, max_json_object_entry_count, max_json_array_element_count. [GH-31069]
• sdk: Upgrade to go-secure-stdlib/[email protected], which also bumps github.com/docker/docker to v28.3.3+incompatible (8f172169)
• secrets/openldap (enterprise): update plugin to v0.16.1

IMPROVEMENTS:

• auth/ldap: add explicit logging to rotations in ldap [GH-31401]
• core (enterprise): improve rotation manager logging to include specific lines for rotation success and failure
• secrets/database: log password rotation success (info) and failure (error). Some relevant log lines have been updated to include "path" fields. [GH-31402]
• secrets/transit: add logging on both success and failure of key rotation [GH-31420]

... (truncated)

Commits

• 55bd8f1 [VAULT-39673] This is an automated pull request to build all artifacts for a ...
• f7cc2f3 Merge remote-tracking branch 'remotes/from/ce/release/1.20.x' into release/1....
• 66449e9 pipeline(hcp): fix JSON text output (#9302) (#9318) (#9328)
• 1fd3879 Merge remote-tracking branch 'remotes/from/ce/release/1.20.x' into release/1....
• 0951f7f VAULT-39383 updating go-discover (#9523) (#9537) (#9574)
• 92da7f9 Merge remote-tracking branch 'remotes/from/ce/release/1.20.x' into release/1....
• 5bf481f pipeline(changed-files): add 'github' changed file group (#9512) (#9547) (#9565)
• ed16922 Merge remote-tracking branch 'remotes/from/ce/release/1.20.x' into release/1....
• a7996aa pipeline(create-backport): fix inactive branch detection (#9531) (#9542) (#9559)
• 0553001 Merge remote-tracking branch 'remotes/from/ce/release/1.20.x' into release/1....
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)