
chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets from 1.4.0 to 1.5.0 #96

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets-1.5.0

@dependabot dependabot Bot commented on behalf of github Jun 8, 2026

Bumps github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets from 1.4.0 to 1.5.0.

Release notes

Sourced from github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets's releases.

sdk/storage/azdatalake/v1.5.0

1.5.0 (2026-05-15)

Features Added

  • Includes all features from 1.5.0-beta.1

sdk/security/keyvault/azadmin/v1.5.0

1.5.0 (2026-05-25)

Other Changes

  • Upgraded to API service version 2025-07-01

sdk/security/keyvault/azkeys/v1.5.0

1.5.0 (2026-05-25)

Other Changes

  • Upgraded to API service version 2025-07-01

sdk/security/keyvault/azcertificates/v1.5.0

1.5.0 (2026-05-26)

Features Added

  • Includes all changes from 1.5.0-beta.1.

sdk/security/keyvault/azsecrets/v1.5.0

1.5.0 (2026-05-26)

Features Added

  • Includes all changes from 1.5.0-beta.1.

sdk/data/azcosmos/v1.5.0-beta.7

1.5.0-beta.7 (2026-06-02)

Features Added

  • Added retry policy for transient 500, 502, and 504 server errors on read requests. The request is retried once in the current region and, if applicable, once against the next preferred region. Writes are not retried. This matches the behavior of the .NET, Java, and Python Cosmos SDKs. See PR 26821.

Bugs Fixed

  • Fixed missing OTel tracing spans for internal queries executed by ReadManyItems. Each per-partition query page now creates a query_items span, matching the tracing behavior of NewQueryItemsPager. See PR 26813.
  • 403/WriteForbidden retries refresh the global endpoint manager fire-and-forget (CAS-gated) instead of blocking on a synchronous gem.Update. See PR 26889.
  • Connection-error retry policy now attempts up to 3 retries against the current region before failing over, and performs at most one cross-region failover per call. Cross-region failover for writes only occurs when the error proves the request never reached the service (DNS, dial, TLS handshake, ECONNREFUSED, etc.); writes on ambiguous transport failures (e.g. ECONNRESET, EOF, transport-level timeouts) no longer fail over to another region, avoiding potential duplicate writes. Reads still fail over for any transport error. Caller-set context deadlines or cancellations short-circuit the policy without consuming the caller's budget with retries. See PR 26858 and PR 26915.
  • HTTP 408 Request Timeout responses are now handled by the Cosmos client retry policy: reads are retried exactly once against another region, and writes are returned to the caller immediately to avoid potential duplicates. See PR 26858.
  • Fixed excessive GetDatabaseAccount HTTP calls when using preferred regions, and stopped data-plane retries from trailing into the customer-supplied (default) endpoint once account topology is populated. See PR 26815.
  • Partition key range cache now serves concurrent callers from a single in-flight refresh per container, and the cached routing map remains readable while a refresh is in progress. The refresh runs on a detached background context.Background() so a caller's cancellation no longer aborts the shared fetch for other waiters; each caller continues to honor its own context deadline. See PR 26855.
  • Partition key range cache change-feed pagination is now resilient to mid-drain throttling. 429 responses are retried indefinitely (with capped linear backoff + jitter) since the service is explicitly asking the client to slow down, and the pages already accumulated are preserved instead of restarting the drain from page 1 on the next refresh. See PR 26855.

Other Changes

  • Tightened the default HTTP client: 5s dial timeout (down from azcore's 30s), 65s http.Client.Timeout wall-clock cap per HTTP attempt (was unbounded), larger idle connection pool (1000 total / 100 per host, up from azcore's 100 / 10), and faster HTTP/2 health checks. Caller-supplied Transport and shorter context deadlines are unaffected. See PR 26856.

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

…ault/azsecrets

Bumps [github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets](https://github.com/Azure/azure-sdk-for-go) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Commits](Azure/azure-sdk-for-go@sdk/azcore/v1.4.0...sdk/azcore/v1.5.0)

---
updated-dependencies:
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) labels Jun 8, 2026

cursor Bot commented Jun 8, 2026

PR Summary

Medium Risk
Touches the Azure Key Vault secrets client used for secret retrieval; behavior may shift with the newer Key Vault API surface even though call sites are unchanged.

Overview
Bumps github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets from 1.4.0 to 1.5.0 in go.mod and refreshes go.sum. The upgrade also pulls newer indirect auth-related modules (MSAL for Go 1.6.0→1.7.0, golang-jwt/jwt/v5 5.3.0→5.3.1).

There are no application code changes; Azure Key Vault access in pkg/secrets still uses the same azsecrets client APIs. Per upstream release notes, 1.5.0 aligns with Key Vault API service version 2025-07-01 and includes the 1.5.0-beta feature set.

Reviewed by Cursor Bugbot for commit ba859a2. Bugbot is set up for automated code reviews on this repo. Configure here.

@socket-security


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | golang/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets@v1.4.0 ⏵ v1.5.0 | 99 | 100 | 100 | 100 | 100 |

View full report

@haasonsaas haasonsaas left a comment


🔒 Hermes automated security scan flagged this PR.

🔴 Secrets / credentials (please remove before merge):

  • go.sum — generic-api-key

Automated gitleaks + pattern scan. Dismiss this review if it's a false positive.

@haasonsaas haasonsaas dismissed their stale review June 8, 2026 17:51

False positive — go.sum contains dependency hashes, not a secret. Hermes gate rule fixed to skip lock/sum files. Dismissing.
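
As an added illustration of the false positive described in the dismissal above (not Hermes or gitleaks code): a simplified keyword-plus-entropy rule matches a go.sum-style line whose module path contains "key" or "secret", and a basename skip list for checksum and lock files suppresses it. The regex, the 3.5 entropy threshold, the skip list and the example.com line are assumptions constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"math"
	"path"
	"regexp"
)

// Hypothetical rule: a secret-like keyword followed later by a long base64-looking token.
var keywordToken = regexp.MustCompile(`(?i)(?:key|secret|token).*?([A-Za-z0-9+/=]{32,})`)

// Assumed skip list of dependency checksum and lock files.
var skipNames = map[string]bool{"go.sum": true, "package-lock.json": true, "Cargo.lock": true}

// entropy returns the Shannon entropy of s in bits per character.
func entropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	h := 0.0
	for _, n := range counts {
		p := float64(n) / float64(len(s))
		h -= p * math.Log2(p)
	}
	return h
}

// Flagged reports whether line, found in file, would raise a finding.
func Flagged(file, line string, skipLockFiles bool) bool {
	if skipLockFiles && skipNames[path.Base(file)] {
		return false
	}
	m := keywordToken.FindStringSubmatch(line)
	return m != nil && entropy(m[1]) > 3.5
}

// SampleSumLine builds a constructed go.sum-style line: module, version, "h1:" + base64 SHA-256 (a public checksum).
func SampleSumLine() string {
	sum := sha256.Sum256([]byte("constructed module tree"))
	return "example.com/keyvault/azsecrets v0.0.0 h1:" + base64.StdEncoding.EncodeToString(sum[:])
}

func main() {
	fmt.Println(Flagged("go.sum", SampleSumLine(), false), Flagged("go.sum", SampleSumLine(), true))
}
```

Skipping by basename also covers vendored or nested go.sum files, while the same high-entropy string in any other file is still reported.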
