
Bump github.com/hashicorp/vault/sdk from 0.25.0 to 0.25.1 #437

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/github.com/hashicorp/vault/sdk-0.25.1

@dependabot dependabot Bot commented on behalf of github Apr 7, 2026

Contributor

Bumps github.com/hashicorp/vault/sdk from 0.25.0 to 0.25.1.

Changelog

Sourced from github.com/hashicorp/vault/sdk's changelog.

Previous versions

2.0.0

April 14, 2026

BREAKING CHANGES:

  • sdk/helpers/docker: Migrate docker helpers from github.com/docker/docker to github.com/moby/moby. This was necessary as github.com/docker/docker is no longer maintained. Resolves GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9.

SECURITY:

  • Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
  • Upgrade filippo.io/edwards25519 to v1.1.1 to resolve GO-2026-4503
  • api/auth/gcp: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.
  • api/auth: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.
  • auth/aws: fix an issue where a user may be able to bypass authentication to Vault due to incorrect caching of the AWS client
  • auth/cert: ensure that the certificate being renewed matches the certificate attached to the session.
  • core: Correctly remove any Vault tokens from the Authorization header when this header is forwarded to plugin backends. The header will only be forwarded if "Authorization" is explicitly included in the list of passthrough request headers.
  • core: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5
  • core: Update github.com/aws/aws-sdk-go-v2/ to fix security vulnerability GHSA-xmrv-pmrh-hhx2.
  • core: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.
  • core: Update github.com/hashicorp/go-getter to fix security vulnerability GHSA-92mm-2pjq-r785.
  • core: Update go.opentelemetry.io/otel/sdk to fix CVE-2026-39883.
  • core: reject URL-encoded paths that do not specify a canonical path
  • http: Added configurable max_token_header_size listener option (default 8 KB) to bound the size of authentication token headers (X-Vault-Token and Authorization: Bearer), preventing a potential denial-of-service attack via oversized header contents. The stdlib-level MaxHeaderBytes backstop is also now set on the HTTP server. Set max_token_header_size = -1 to disable the limit.
  • sdk: Resolve GO-2026-4518 and GHSA-jqcq-xjh3-6g23 by upgrading to github.com/jackc/pgx/v5
  • sdk: Update github.com/go-jose/go-jose to fix security vulnerability CVE-2026-34986 and GHSA-78h2-9frx-2jm8.
  • ui: disable scarf analytics for ui builds
  • vault/sdk: Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
  • vault/sdk: Upgrade go.opentelemetry.io/otel/sdk to v1.40.0 to resolve GO-2026-4394
  • Update github.com/dvsekhvalnov/jose2go to fix security vulnerability CVE-2025-63811.
  • go: update golang/x/crypto to v0.45.0 to resolve GHSA-f6x5-jh6r-wrfv, GHSA-j5w8-q4qc-rx2x, GO-2025-4134 and GO-2025-4135.

CHANGES:

  • secrets/ldap (enterprise): Static roles will be migrated from a plugin-managed queue to the Vault Enterprise Rotation Manager system. Static role migration progress can be checked and managed through a new static-migration endpoint. See the LDAP documentation for more details on this process.
  • audit: A new top-level key called supplemental_audit_data can now appear within audit entries of type "response" within the request and response data structures. These new fields can contain data that further describe the request/response data and are mainly used for non-JSON based requests and responses to help auditing. The audit-non-hmac-request-keys and audit-non-hmac-response-keys apply to keys within supplemental_audit_data to remove the HMAC of the field values if so desired.
  • auth/alicloud: Update plugin to v0.23.1
  • auth/azure: Update plugin to v0.24.0
  • auth/cf: Update plugin to v0.23.0
  • auth/gcp: Update plugin to v0.23.1
  • auth/jwt: Update plugin to v0.26.1
  • auth/kerberos: Update plugin to v0.17.1
  • auth/kubernetes: Update plugin to v0.24.1
  • auth/oci: Update plugin to v0.21.1
  • auth/saml: Update plugin to v0.8.1
  • core/managed-keys (enterprise): The response to API endpoint GET sys/managed-keys/:type/:name now returns an array of string values for key usages, rather than an array of integer values. The strings used are 'encrypt' (1), 'decrypt' (2), 'sign' (3), 'verify' (4), 'wrap' (5), 'unwrap' (6), 'generate_random' (7), and 'mac' (8).

... (truncated)

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) labels Apr 7, 2026

@cezmunsta

Owner

@dependabot rebase

Bumps [github.com/hashicorp/vault/sdk](https://github.com/hashicorp/vault) from 0.25.0 to 0.25.1.
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md)
- [Commits](hashicorp/vault@sdk/v0.25.0...sdk/v0.25.1)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault/sdk
  dependency-version: 0.25.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/hashicorp/vault/sdk-0.25.1 branch from bd7fa28 to 3acbe03 May 13, 2026 19:48