Why is vault api at version 1.3.1, while vault is at 1.9.3 (golang)

I’m using Vault for golang
The Vault api module is inside the main Vault repo. The vault repo is currently at v1.9.3, but the vault api still shows v1.3.1, (even in godoc )

This is causing confusion and the risk scanner is showing CVE risks that were in Vault 1.3.1 (because Vault API shows 1.3.1).
Is this something go mod specific? Am I missing something? Happy to be corrected.

Just to be clear, Vault API as in: https://github.com/hashicorp/vault/tree/main/api
which is another go module nested inside https://github.com/hashicorp/vault

Hi @vedantkarandikar, thanks for raising the question. It’s correct that the api module is versioned separately as its own Golang module (as defined by having its own api/go.mod file) within the vault repo, so v1.3.1 and v1.9.3 are the correct latest versions of api and vault respectively.

The api tags are all prepended with “api/”, so e.g. see Release api/v1.3.1 · hashicorp/vault · GitHub. It’s a similar story for the sdk/ folder which contains the sdk module.

It’s possible they could be split out into their own repos one day, but for now this is how they’re managed. Sorry it’s maybe not quite the answer you’re looking for! Hopefully this context helps you update your risk scanner.