chore(deps): update minor and patch dependency updates

[github-actions]

This PR contains the following updates:

Package	Update	Change	Age	Confidence
DaspawnW/vault-crd-helm-renderer	patch	1.0.8 → 1.0.10
ansible (source)	minor	11.12.0 → 11.13.0
checkov	patch	3.2.528 → 3.2.529
getsentry/sentry-cli	patch	2.58.4 → 2.58.5
hashicorp/vault	patch	1.21.2 → 1.21.4
sigstore/cosign	patch	2.6.2 → 2.6.3

---

Release Notes

DaspawnW/vault-crd-helm-renderer (DaspawnW/vault-crd-helm-renderer)

v1.0.10

Compare Source

What's Changed

• ci: fix plugin version by @​camaeel in #​7

Full Changelog: DaspawnW/vault-crd-helm-renderer@v1.0.9...v1.0.10

v1.0.9

Compare Source

What's Changed

• feat: helm plugin support by @​camaeel in #​5
• chore(): update dependencies by @​Lerentis in #​6

New Contributors

• @​camaeel made their first contribution in #​5

Full Changelog: DaspawnW/vault-crd-helm-renderer@v1.0.8...v1.0.9

ansible-community/ansible-build-data (ansible)

v11.13.0

Compare Source

getsentry/sentry-cli (getsentry/sentry-cli)

v2.58.5

Compare Source

Fixes

• Updated minimatch dependency to fix a vulnerability (#​3152)

hashicorp/vault (hashicorp/vault)

v1.21.4

Compare Source

SECURITY:

• Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
• Upgrade filippo.io/edwards25519 to v1.1.1 to resolve GO-2026-4503
• vault/sdk: Upgrade cloudflare/circl to v1.6.3 to resolve CVE-2026-1229
• vault/sdk: Upgrade go.opentelemetry.io/otel/sdk to v1.40.0 to resolve GO-2026-4394

CHANGES:

• core: Bump Go version to 1.25.7
• mfa/duo: Upgrade duo_api_golang client to 0.2.0 to include the new Duo certificate authorities
• ui: Remove ability to bulk delete secrets engines from the list view.

IMPROVEMENTS:

• core/seal: Enhance sys/seal-backend-status to provide more information about seal backends.
• secrets/kmip (Enterprise): Obey configured best_effort_wal_wait_duration when forwarding kmip requests.
• secrets/pki (enterprise): Return the POSTPKIOperation capability within SCEP GetCACaps endpoint for better legacy client support.

BUG FIXES:

• core (enterprise): Buffer the POST body on binary paths to allow re-reading on non-logical forwarding attempts. Addresses an issue for SCEP, EST and CMPv2 certificate issuances with slow replication of entities
• core/identity (enterprise): Fix excessive logging when updating existing aliases
• core/managed-keys (enterprise): client credentials should not be required when using Azure Managed Identities in managed keys.
• plugins (enterprise): Fix bug where requests to external plugins that modify storage weren't populating the X-Vault-Index response header.
• secrets (pki): Allow issuance of certificates without the server_flag key usage from SCEP, EST and CMPV2 protocols.
• secrets/pki (enterprise): Address cache invalidation issues with CMPv2 on performance standby nodes.
• secrets/pki (enterprise): Address issues using SCEP on performance standby nodes failing due to configuration invalidation issues along with errors writing to storage
• secrets/pki (enterprise): Modify the SCEP GetCACaps endpoint to dynamically reflect the configured encryption and digest algorithms.
• secrets/pki: The root/sign-intermediate endpoint should not fail when provided a CSR with a basic constraint extension containing isCa set to true
• secrets/pki: allow glob-style DNS names in alt_names.

v1.21.3

Compare Source

February 05, 2026

SECURITY:

auth/cert: ensure that the certificate being renewed matches the certificate attached to the session.

CHANGES:

core: Bump Go version to 1.25.6

FEATURES:

UI: Hashi-Built External Plugin Support: Recognize and support Hashi-built plugins when run as external binaries

IMPROVEMENTS:

core/managed-keys (enterprise): Allow GCP managed keys to leverage workload identity federation credentials
sdk: Add alias_metadata to tokenutil fields that auth method roles use.
secret-sync (enterprise): Added telemetry counters for reconciliation loop operations, including the number of corrections detected, retry attempts, and operation outcomes (success or failure with internal/external cause labels).
secret-sync (enterprise): Added telemetry counters for sync/unsync operations with status breakdown by destination type, and exposed operation counters in the destinations list API response.

BUG FIXES:

agent: Fix Vault Agent discarding cached tokens on transient server errors instead of retrying
core (enterprise): Fix crash when seal HSM is disconnected
default-auth: Fix issue when specifying "root" explicitly in Default Auth UI
identity: Fix issue where Vault may consume more memory than intended under heavy authentication load.
secrets/pki (enterprise): Fix SCEP related digest errors when requests contained compound octet strings
ui: Fixes login form so ?with= query param correctly displays only the specified mount when multiple mounts of the same auth type are configured with listing_visibility="unauth"
ui: Reverts Kubernetes CA Certificate auth method configuration form field type to file selector

sigstore/cosign (sigstore/cosign)

v2.6.3

Compare Source

Changelog

v2.6.3 resolves GHSA-w6c6-c85g-mmv6.

• fecddd3 Fix DSSE predicate check (#​4802)
• 564c5b1 Backport bundle detection to sign and attest (#​4727)

Thanks to all contributors!

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.