Why is vault api at version 1.3.1, while vault is at 1.9.3 (golang)

vedantkarandikar · February 3, 2022, 4:51am

Hi,
I’m using Vault for golang
The Vault api module is inside the main Vault repo. The vault repo is currently at v1.9.3, but the vault api still shows v1.3.1, (even in godoc )

This is causing confusion and the risk scanner is showing CVE risks that were in Vault 1.3.1 (because Vault API shows 1.3.1).
Is this something go mod specific? Am I missing something? Happy to be corrected.

Edit:
Just to be clear, Vault API as in: https://github.com/hashicorp/vault/tree/main/api
which is another go module nested inside https://github.com/hashicorp/vault

tomhjp · February 3, 2022, 12:36pm

Hi @vedantkarandikar, thanks for raising the question. It’s correct that the api module is versioned separately as its own Golang module (as defined by having its own api/go.mod file) within the vault repo, so v1.3.1 and v1.9.3 are the correct latest versions of api and vault respectively.

The api tags are all prepended with “api/”, so e.g. see Release api/v1.3.1 · hashicorp/vault · GitHub. It’s a similar story for the sdk/ folder which contains the sdk module.

It’s possible they could be split out into their own repos one day, but for now this is how they’re managed. Sorry it’s maybe not quite the answer you’re looking for! Hopefully this context helps you update your risk scanner.

maxb · July 16, 2023, 10:57am

Future readers may be interested in: New documentation about Vault `api` and `sdk` versions

Topic		Replies	Views
[solved] Why can't I go get github.com/hashicorp/vault/api@v1.11? Vault	2	633	October 7, 2022
Unable to fetch v.1.14.0 using go get Vault	3	215	July 5, 2023
New documentation about Vault `api` and `sdk` versions Vault	0	294	July 16, 2023
Separate Golang API Vault	0	207	July 12, 2020
When can we expect a new vault/api release with the upgrade for go-retryablehttp? Vault	1	49	July 8, 2024

Why is vault api at version 1.3.1, while vault is at 1.9.3 (golang)

Related topics