From 84b591a465e848d53722ccf6a9d007bd5f7fe72b Mon Sep 17 00:00:00 2001
From: kurok <22548029+kurok@users.noreply.github.com>
Date: Tue, 16 Jun 2026 19:04:10 +0100
Subject: [PATCH] chore(release): 2.0.1

Bump version to 2.0.1 and add CHANGELOG notes covering the changes since 2.0.0: the debug secret-logging fix, the runtime dependency removals (bluebird, assign-deep, pretty-ms, url-join) with the lodash floor bump, and the stricter substitution-value validation.

Signed-off-by: kurok <22548029+kurok@users.noreply.github.com>
---
 CHANGELOG.md | 14 ++++++++++++++
 package-lock.json | 4 ++--
 package.json | 2 +-
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a55b9bc..670ed8f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,17 @@
+# 2.0.1 Release notes (2026-06-16)
+
+- Security: stop logging secrets at debug level. The Kubernetes auth backend no longer logs the
+ service-account JWT or the issued Vault client token, and `VaultApiClient` no longer logs full
+ response bodies (which carry auth tokens and secret reads). Debug logs now record only
+ non-sensitive metadata — token paths, request method/URI, and HTTP status codes.
+- Dependencies: drop four runtime dependencies. `bluebird` and `assign-deep` are replaced with
+ native promises and `lodash`; `pretty-ms` and `url-join` are inlined as small helpers (their
+ latest majors are ESM-only and cannot be used from this CommonJS package). The `lodash` floor is
+ raised to `^4.17.21`. Runtime dependencies are now `@aws-sdk/credential-providers`, `aws4`,
+ `lodash`, and `long-timeout`.
+- Reject malformed substitution values whose path or key is empty (e.g. `#value` or `path#`) with
+ `InvalidArgumentsError`, instead of failing later with a less clear error.
+
 # 2.0.0 Release notes (2026-06-12)
 
 - Fix a process that never exits after reading with a renewable token. The background
diff --git a/package-lock.json b/package-lock.json
index 4d70263..c92de50 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "node-vault-client",
- "version": "2.0.0",
+ "version": "2.0.1",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "node-vault-client",
- "version": "2.0.0",
+ "version": "2.0.1",
 "license": "Apache-2.0",
 "dependencies": {
 "@aws-sdk/credential-providers": "^3.382.0",
diff --git a/package.json b/package.json
index 03c9f11..b65ea96 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "node-vault-client",
- "version": "2.0.0",
+ "version": "2.0.1",
 "description": "A Vault Client implemented in pure javascript for HashiCorp Vault. It supports variety of Auth Backends and performs lease renewal for issued auth token.",
 "repository": {
 "url": "git+https://github.com/namecheap/node-vault-client.git"