hashicorp/vault
Dependencies
Vault is a large project; go.sum is 183k bytes. This page surfaces the dependencies most relevant to readers of the code, grouped by what they're used for.
HashiCorp libraries
Vault leans heavily on its sister libraries:
| Module | What it does |
|---|---|
github.com/hashicorp/go-hclog |
The logger every component uses. |
github.com/hashicorp/go-multierror, errwrap |
Error aggregation/wrapping (older patterns). |
github.com/hashicorp/hcl (v1 and v2) |
Server config parsing. |
github.com/hashicorp/cli |
Subcommand framework used by command/. |
github.com/hashicorp/raft |
Used by physical/raft/. |
github.com/hashicorp/raft-autopilot |
Health-driven peer management. |
github.com/hashicorp/raft-boltdb/v2 |
BoltDB store under raft. |
github.com/hashicorp/go-kms-wrapping/v2 |
Auto-unseal abstractions and vendor wrappers. |
github.com/hashicorp/go-secure-stdlib/* |
Shared stdlib helpers (parseutil, mlock, reloadutil, ...). |
github.com/hashicorp/go-plugin |
gRPC plugin transport. |
github.com/hashicorp/golang-lru/v2 |
LRU caches. |
github.com/hashicorp/eventlogger |
Audit broker pipeline backbone. |
github.com/hashicorp/go-bexpr |
Predicate language for event-bus filters. |
github.com/hashicorp/go-memdb |
In-memory indexes (used by identity store). |
github.com/hashicorp/yamux |
TCP multiplexing for cluster TLS. |
github.com/hashicorp/vault-hcp-lib |
HCP integration. |
github.com/hashicorp/vault-plugin-* |
Built-in auth/secret/database plugins. |
github.com/hashicorp/consul-template |
Templating engine (in agent). |
Cryptography
| Module | What it does |
|---|---|
crypto/... (stdlib) |
Primary primitives. |
golang.org/x/crypto |
Bcrypt, ssh, chacha20-poly1305. |
github.com/google/go-cmp |
Used in tests. |
github.com/pquerna/otp |
TOTP/HOTP. |
github.com/aead/... |
Some AEAD primitives. |
Storage / database clients
Each physical/<name>/ and plugins/database/<name>/ pulls in its own driver. Notable ones:
cloud.google.com/go/spanner,cloud.google.com/go/storagegithub.com/aws/aws-sdk-go-v2github.com/Azure/azure-sdk-for-go/sdk/...github.com/oracle/oci-go-sdkgithub.com/etcd-io/etcdgithub.com/coreos/go-systemdgithub.com/jackc/pgxgithub.com/go-sql-driver/mysqlgithub.com/microsoft/go-mssqldbgithub.com/gocql/gocql(Cassandra)github.com/snowflakedb/gosnowflakego.mongodb.org/mongo-driver
Test infrastructure
| Module | What it does |
|---|---|
github.com/ory/dockertest |
Spinning real backends in containers for tests. |
github.com/sasha-s/go-deadlock |
Optional deadlock detector. |
github.com/hashicorp/go-version |
SemVer comparisons. |
UI dependencies
The Ember/JS world has its own dependency story under ui/package.json and ui/pnpm-lock.yaml. ui/DEP_OVERRIDE_REPORT.md documents pnpm overrides applied for security or compatibility.
Version pinning
Vault occasionally uses replace directives to dodge upstream defects. The most prominent in go.mod:
github.com/99designs/keyring => github.com/Jeffail/keyring v1.2.3— works around a zombie-process bug introduced throughgosnowflake's indirect dependency.github.com/ma314smith/signedxml v1.1.1 => github.com/moov-io/signedxml v1.1.1— fork to keep build green.github.com/hashicorp/vault/api => ./apiand similar self-replaces — let the in-repo modules see each other during development.
Where to find more
tools/dep-overrides/generatesDEP_OVERRIDE_REPORT.mddescribing the active overrides.mend-pr-scan.ymlruns Mend on every PR for license + vulnerability tracking.security-scan.ymlrunsgovulncheckand friends.
Watching the dep graph
go.mod and go.sum change about once a week, mostly via the Vault Automation and hc-github-team-secure-vault-core bots that drive backports and dep bumps. New dependencies require explicit license review; HashiCorp policy is to avoid GPL/copyleft transitively.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.