chore(deps): update dependency openbao/openbao to v2.5.5

[renovate]

This PR contains the following updates:

Package	Update	Change
openbao/openbao	minor	v2.4.4 → v2.5.5

---

Release Notes

openbao/openbao (openbao/openbao)

v2.5.5

Compare Source

SECURITY

• auth/ldap: Prevent unlikely post-bind LDAP injection via bind DN to group resolution. GHSA-6mwx-4547-5vc9. [GH-3306]
• secrets/ldap: Prevent potential LDAP injection with unsanitized DNs for service accounts. GHSA-6mwx-4547-5vc9. [GH-3306]
• secrets/transit: Prevent server crash due to unlock of unlocked mutex for RSA keys created with derived=true. GHSA-8w8f-r2xv-4q4j. [GH-3309]
• core/leases: Fix unauthorized cross-namespace lease revocation via leaked lease identifiers. GHSA-c36x-h252-g9x2. [GH-3307]
• core/namespaces: Fix namespace path canonicalization of "root" enabling unauthorized operations on the parent namespace. GHSA-mwr2-wmgp-crj6. [GH-3308]

BUG FIXES

• core/ha: Return to read-enabled standby mode instead of read-disabled standby mode after stepping down from active mode when standby reads are enabled. This also fixes SIGHUPs crashing standby nodes if they've previously stepped down from active. [GH-3223]
• auth/mfa: Correctly forward two-phase MFA validations on standby nodes. [GH-3246]
• sys/namespaces: Support clearing a namespace's custom_metadata by providing a patch that sets custom_metadata to null at the top-level. [GH-3273]
• sys/plugins: Fix /sys/plugins/catalog and /sys/plugins/catalog/<type> not returning versioned plugins. [GH-3186]

What's Changed

• fix: versioned plugins missing in catalog response (#​3186 by @​phil9909) backported by @​phil9909 in #​3219
• Replace zlint Docker container with go run (#​3187 by @​tsaarni) backported by @​phil9909 in #​3227
• fix two-phase MFA failure on standby node (#​3246 by @​phil9909) backported by @​phil9909 in #​3248
• Close the HA loop (#​3223 by @​satoqz) backported by @​phil9909 in #​3247
• Refactor namespace patch & support top-level clear (#​3273 by @​satoqz) backported by @​satoqz in #​3279
• Remove expired certs in cassandra tests (#​3256 by @​tsaarni) backported by @​satoqz in #​3278
• v2.5.5 dependency bumps by @​satoqz in #​3303
• Fix panic due to unlock of unlocked mutex in Transit (#​3309 by @​cipherboy) backported by @​cipherboy in #​3312
• Fix LDAP bind DN lookups in auth, secrets engine (#​3306 by @​cipherboy) backported by @​cipherboy in #​3313
• Fix namespace path canonicalization (#​3308 by @​satoqz) backported by @​satoqz in #​3311
• Fix cross-namespace lease lookup routing (#​3307 by @​satoqz) backported by @​satoqz in #​3310
• Add changelog for v2.5.5 by @​satoqz in #​3314

Full Changelog: openbao/openbao@v2.5.4...v2.5.5

v2.5.4

Compare Source

SECURITY

• core/auth: Fix audit logs dropping custom headers when using inline auth. GHSA-q8cj-789h-vg24 / CVE-2026-46358. [GH-3076]
• core: Prevent hidden default token issuance from auth plugin endpoints returning both a logical.Auth{} response object and an error. GHSA-7j6w-vvw2-5f9c / CVE-2026-46405. [GH-3150]
• core: Remove legacy lease endpoints (sys/revoke, sys/renew, sys/revoke-prefix, and sys/revoke-force) due to cross-namespace lease modification. GHSA-v8v8-cm84-m686 / CVE-2026-45808. [GH-3152]

IMPROVEMENTS

• storage/postgresql: Set constraint name to table+"_pkey" and ha_table+"_pkey" and index to table+"_idx" for uniqueness when reusing the same database partition for multiple OpenBao instances. [GH-2876]

BUG FIXES

• auth/kerberos: Do not return logical.Auth{} response during initial negotiation at the same time as an error. [GH-3150]
• core/mfa: Handle invalidation for login MFA, ensuring standby nodes respond appropriately on writes. [GH-3083]
• core/policies: Fix list_scan_response_keys_filter_path incorrectly erring on empty list responses. [GH-3063]
• core/quotas: Correctly handle default rate limit exempt paths on quota configuration invalidation. [GH-2953]
• core: Disallow logical secret engines from creating authentication tokens. [GH-3087]
• core: Forward generate-root, step-down and rekey requests to active node to resolve inconsistent standby behavior. [GH-3006]
• storage/raft: Wait for autopilot shutdown to avoid panic when racing to retrieve known servers. [GH-3054]
• storage/postgresql: Revert accidental rename of ha_table option to haTable. Both spellings are now supported to retain compatibility, though ha_table takes precedence. [GH-2876]

What's Changed

• Remove 2.5.x community docs by @​cipherboy in #​3071
• Disallow non-auth plugins from creating tokens (#​3087 by @​cipherboy) backported by @​phil9909 in #​3112
• Handle invalidation of LoginMFA keys (#​3083 by @​cipherboy) backported by @​phil9909 in #​3113
• Fix audit logs dropping custom headers when using inline auth (#​3076 by @​jackyliao123) backported by @​phil9909 in #​3114
• fix: nil-guard d.autopilot before calling GetState (#​3054 by @​mpldr) backported by @​phil9909 in #​3115
• fix: Fix request handling filtering for the no data case (#​3063 by @​eklatzer) backported by @​phil9909 in #​3116
• Update vulnerable deps before 2.5.4 by @​cipherboy in #​3121
• Fix cache invalidation memory leak (#​3105 by @​cipherboy) backported by @​phil9909 in #​3131
• Use unique constraints, indices in PostgreSQL storage (#​2876 by @​cipherboy) backported by @​phil9909 in #​3132
• Correctly handle default_rate_limit_exempt_paths_toggle invalidation (#​2953 by @​cipherboy) backported by @​phil9909 in #​3134
• Fix /v1/sys/ forwarding regressions for standby instances (#​3006 by @​tsaarni) backported by @​phil9909 in #​3133
• Remove legacy cross-namespace lease endpoints (#​3152 by @​cipherboy) backported by @​cipherboy in #​3153
• Prevent errors from creating orphaned tokens (#​3150 by @​cipherboy) backported by @​cipherboy in #​3151
• Add release notes for v2.5.4 by @​satoqz in #​3154

Full Changelog: openbao/openbao@v2.5.3...v2.5.4

v2.5.3

Compare Source

SECURITY

• auth/cert: Prevent token renewal with different-but-valid certificate. GHSA-7ccv-rp6m-rffr / CVE-2026-39388. [GH-2932]
• auth/token: Prevent cross-namespace token renewal, revocation by accessor. GHSA-p49j-v9wc-wg57 / CVE-2026-40264. [GH-2934]
• core: Disallow sys/generate-root/* by default due to unauthenticated cancellation; use disable_unauthed_generate_root_endpoints=false to temporarily re-enable. Upstream HCSEC-2026-08 / CVE-2026-5807. [GH-2912]
• core: Forbid request path traversal using . and .. segments by default. If required, set the unsafe_relative_paths. Upstream HCSEC-2026-05 / CVE-2026-3605. [GH-2910]
• core/plugins: Validate and restrict downloaded plugin binary size from OCI images; set plugin_download_max_size to limit the size (defaults to 512MB). GHSA-r65v-xgwc-g56j / CVE-2026-39396. [GH-2941]
• core/namespaces: Ensure lease revocation on namespace re-deletion. GHSA-vv66-6rp4-wr4f. [GH-2935]
• database/postgresql: Correctly quote schema name in revoke statement. GHSA-6vgr-cp5c-ffx3 / CVE-2026-39946. [GH-2931]

BUG FIXES

• command/server: Refuse repeated startup if self-initialization failed on initial run. [GH-2908]
• core: Fix namespace invalidation on standby when disable_cache=true is set. [GH-2822]
• core: Loosen overly strict check for view path check, strictly forbidding .. as a substring within path segments. [GH-2910]
• secret/database, secret/openldap, secret/rabbitmq: Fix dynamic secret requests failing with an "Internal Server Error" on standby nodes [GH-2853]

What's Changed

• Add note for direct install using the Arch Linux package manager (#​2718 by @​hashworks) backported by @​hashworks in #​2719
• fix: some dynamic secret engines did not forward the request to the primary (#​2853 by @​phil9909 ) backported by @​phil9909 in #​2855
• Fix namespace invalidation without caching (#​2822 by @​cipherboy) backported by @​phil9909 in #​2856
• Make self-init failures fatal (#​2908 by @​satoqz & #​2195 @​KrzysztofKornalewski-Reply) backported by @​satoqz in #​2924
• v2.5.3 dependency bumps by @​satoqz in #​2907
• Forbid path traversal by default (#​2910 @​cipherboy) backported by @​satoqz in #​2929
• Check certificate match during renewal (#​2932 by @​cipherboy) backported by @​satoqz in #​2937
• Correctly quote schema name in PostgreSQL revoke (#​2931 by @​cipherboy) backported by @​satoqz in #​2938
• Prevent cross-namespace token accessor use (#​2934 by @​cipherboy) backported by @​satoqz in #​2939
• Additional v2.5.3 dependency bumps by @​satoqz in #​2930
• Ensure lease revocation on namespace re-deletion (#​2935 by @​cipherboy) backported by @​satoqz in #​2943
• Validate downloaded plugin binary size (#​2941 by @​JanMa) backported by @​satoqz in #​2944
• Forbid generate-root by default (#​2912 by @​cipherboy) backported by @​cipherboy in #​2945
• Add release notes for v2.5.3 by @​satoqz in #​2946

Full Changelog: openbao/openbao@v2.5.2...v2.5.3

v2.5.2

Compare Source

SECURITY

• auth/jwt: Prevent XSS via error_description parameter in callback_mode=direct auth methods. CVE-2026-33758. [GH-2709]
• auth/jwt: Prompt for confirmation during direct callback mode to authorize OpenBao token issuance. CVE-2026-33757. [GH-2710]

BUG FIXES

• command: External token helpers now inherit environment variables from the parent process. [GH-2570]
• core/metrics: Fix count of leases/tokens/kv-secrets/entities metric not being emitted. [GH-2672]
• core/mounts, core/namespaces: Fix lock ordering in mount deletion racing against namespace updates, causing deadlocks. [GH-2625]
• core/seal: Fix /sys/rotate/root call rotating both root key and unseal key when using a Shamir Seal, losing all key shares. [GH-2619]
• core: Skip re-scheduling lease expiration jobs that need to write to storage when a node unseals in read-only mode. [GH-2549]
• core: Fix potential deadlock in JobManager, which can cause mount deletion timeouts. [GH-2630]
• http: Forward help requests to active node when unable to handle them on standby with read requests handling disabled. [GH-2572]
• identity/oidc: Fix OIDC named key rotation silently skipping in non-root namespaces due to double namespace prefix in storage path lookup. [GH-2669]
• raft: Propagate peer join/remove/promote/demote and autopilot read/update requests to active node. [GH-2574]

What's Changed

• Bump github.com/bgentry/speakeasy to v0.2.0 (#​2535 by @​agrimault-dinum) backported by @​agrimault-dinum in #​2545
• Fix expired test certificates (#​2552 by @​satoqz) backported by @​phil9909 in #​2631
• Skip lease restoration on standby nodes (#​2549 by @​wslabosz-reply) backported by @​phil9909 in #​2632
• Pass full environment to token helper (#​2570 by @​satoqz) backported by @​phil9909 in #​2633
• Handle help requests on standby nodes when reads are disabled (#​2572 by @​wslabosz-reply) backported by @​phil9909 in #​2634
• Don't iterate namespaces on mount deletion (#​2625 by @​satoqz) backported by @​phil9909 in #​2635
• fix race condition in jobmanager (#​2630 by @​phil9909) backported by @​phil9909 in #​2636
• Bump github.com/cloudflare/circl to v1.6.3 (#​2577 by @​satoqz) backported by @​satoqz in #​2652
• Fix root key rotation endpoint rotating Shamir's KEK (#​2619 by @​wslabosz-reply) backported by @​satoqz in #​2650
• Bump to Go 1.25.8 (#​2609 by @​satoqz) backported by @​satoqz in #​2651
• Forward raft autopilot operations (#​2574 by @​wslabosz-reply) backported by @​satoqz in #​2659
• Fix regression in OIDC named key rotation (#​2669 by @​JAYKRISHNAN) backported by @​phil9909 in #​2694
• Fix missing emitMetricsActiveNode metrics (#​2672 by @​wslabosz-reply) backported by @​satoqz in #​2697
• Resolve GHSA-cpj3-3r2f-xj59 (#​2709 by @​gianklug) by @​cipherboy in #​2711
• Resolve GHSA-7q7g-x6vg-xpc3 (#​2710 by @​gianklug) by @​cipherboy in #​2713
• Add changelog for v2.5.2 by @​cipherboy in #​2715

Full Changelog: openbao/openbao@v2.5.1...v2.5.2

v2.5.1

Compare Source

SECURITY

• Build with Go 1.25.7 to resolve CVE-2025-68121 / GO-2026-4337. [GH-2426]
• Bump go.opentelemetry.io/otel/sdk to 1.40.0 to resolve CVE-2026-24051 / GO-2026-4394 / GHSA-9h8m-3fm2-qjrq. [GH-2518]

BUG FIXES

• seal: Fix Auto Unseal failing when upgrading to v2.5.0 or downgrading from v2.5.0 to an earlier version. This affected the following providers: AliCloud KMS, AWS KMS, Azure Key Vault, GCP Cloud KMS & OCI KMS. [GH-2505]
• core/mounts: Don't attempt to upgrade legacy mount tables when in read-only standby mode. [GH-2467]
• core/expiration: Fix total lease count not being decremented when revoking irrevocable leases. [GH-2414]
• pki: Fix "context canceled" issue when processing cache invalidation, leading to pki returning 500 until reload. [GH-2472]
• command: Fix panic when the home directory cannot be trivially deduced via environment variables. [GH-2446]

CHANGES

• core/identity: Remove pre-v2.5.0 corrupt namespace identity groups during unseal; corrupt groups need to be recreated by an admin. Check for deleting corrupt group in server startup logs. [GH-2454]

What's Changed

• Document installing with native package managers on Linux by @​DrDaveD in #​2431
• Bump Go to 1.25.7 (#​2426 by @​satoqz) backported by @​satoqz in #​2451
• docs(snapshot): add kubernetes snapshot cronjob example (#​2276 by @​eyenx) backported by @​satoqz in #​2450
• Internalize github.com/mitchellh/go-homedir (#​2446 by @​satoqz) backported by @​satoqz in #​2453
• Fix extraneous grpclogfaker logging (#​2443 by @​cipherboy) backported by @​satoqz in #​2452
• Don't upgrade mount table in standby mode (#​2467 by @​satoqz) backported by @​phil9909 in #​2502
• fix decrement of total lease count after irrevocable revocation and add tests to check it (#​2414 by @​driif) backported by @​phil9909 in #​2503
• docs: add hash parameter (#​2474) by @​phil9909 in #​2504
• pki: fix "context canceled" issue when processing cache invalidation (#​2472 by @​phil9909) backported by @​phil9909 in #​2501
• Bump go-kms-wrapping to v2.7.0 (#​2505 by @​satoqz) backported by @​satoqz in #​2507
• Bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 (#​2518) backported by @​satoqz in #​2527
• purge corrupt groups during unseal (#​2454 by @​phil9909) backported by @​satoqz in #​2529
• Ensure identity groups, entities deleted on actives (#​2531 by @​cipherboy) backported by @​cipherboy in #​2532
• Add changelog for v2.5.1 by @​satoqz in #​2511

Full Changelog: openbao/openbao@v2.5.0...v2.5.1

v2.5.0

Compare Source

[!TIP]
This release adds support for horizontal read scalability!

SECURITY

• core/sys: BREAKING: default value of disable_unauthed_rekey_endpoints is true, to continue using unauthed rekey endpoints, set disable_unauthed_rekey_endpoints=false in listeners explicitly. [GH-2125]

CHANGES

• Remove the deprecated creation_statements, revocation_statements, rollback_statements, and renew_statements fields from the dbplugin Statements protobuf message [GH-1962]
• api: The deprecated api.MountConfigOutput.PluginName field was removed. This was already always empty. [GH-2036]
• auth/jwt: Return error msg on OIDCDiscoveryURL including .well-known/openid-configuration component. [GH-2066]
• core/audit: removed jsonx as a output format option for audit mounts [GH-2047]
• sys/host-info: This endpoint may start reporting slightly higher memory usage than before (On Linux only). See https://github.com/shirou/gopsutil/releases/tag/v4.25.8 for more information. [GH-1887]

FEATURES

• Add declarative plugin distribution via OCI images: using the plugin configuration keyword.
  • Plugins can be automatically downloaded via the plugin_auto_download=true option.
  • Plugins can be manually downloaded via the bao plugin init command.
  • Plugins can be automatically registered via the plugin_auto_register=true option, regardless if they were manually provisioned or from OCI images. [GH-1824]
• Support Horizontal Read Scalability: all existing HA standby nodes are automatically upgraded with read support.
  • Requests which only perform storage read operations will be handled locally on the standby node.
  • Requests which perform a storage write operation (or as indicated by plugins) are forwarded to the active leader.
  • Results are eventually consistent: a write may not be immediately visible on the standby.
  • To disable, set disable_standby_reads=true in the config file before startup. [GH-1986]
• OIDC Provider: Add Client Credentials flow to OIDC Provider. [GH-1732]
• sdk/framework: add Response.SchemaName to allow custom response schema names in the generated OpenAPI spec. [GH-1714]

IMPROVEMENTS

• audit: Add http audit device for low-volume, webhook-based audit event reporting. [GH-1709]
• auth/jwt: Add type checking to role. [GH-1854]
• command: Add environment variables to provide configuration for Proxy, Agent, and bao operator migrate via BAO_PROXY_CONFIG_PATH, BAO_AGENT_CONFIG_PATH, and BAO_MIGRATE_CONFIG_PATH. [GH-2153]
• command: Support BAO_CONFIG_PATH in plugin init, just like server &c do. [GH-2164]
• command: server, operator diagnose and 'operator validate-config` now support the environment variable BAO_CONFIG_FILE for the -config command option. [GH-2115]
• core/metrics: Support custom path for metrics on metrics-only listeners. [GH-1853]
• core/namespaces: Use JobManager for namespace deletion, decreasing lock contention. [GH-2226]
• core/policies: Add endpoint to allow detailed listing of a subset of policies. [GH-1965]
• core/policies: Use per-namespace write lock, improving parallelism. [GH-2226]
• core: Added metrics_only and disallow_metrics options to control metrics endpoint exposure on a per-listener basis. [GH-1834]
• database/valkey: Adds the ability to configure the Valkey database connection using a single connection_url parameter. [GH-1923]
• database: all database plugins now ignore "not found" errors on revoke by default. See Plugin Author Guide for rationale. [GH-2101]
• openapi: Add response schemas for token store operations and update operation suffixes. [GH-1840]
• pki: add allowed_ip_sans_cidr parameter to PKI role system, to provide additional checks for IP SANs. [GH-1833]
• storage/postgresql: implement physical.FencingHABackend to minimize chances that writes on secondary nodes occur. [GH-1571]
• transit: Add associated_data parameter to generate data key. [GH-1828]
• website: Add an example of current role statement from Valkey. [GH-1811]

DEPRECATIONS

• core/seal: Remove the undocumented "aead" seal mechanism. Consider switching to the static seal instead as a replacement. [GH-1910]
• core: Removed FeatureFlags parsing and related code. [GH-2045]
• sdk: Removed sdk/v2/helper/license package. [GH-2045]
• ui: Removed internal/ui/feature-flags endpoint and all its usage. [GH-2045]

BUG FIXES

• agent/auth: Fix token reissue error with kerberos method. [GH-2373]
• auth/jwt: Fix ordering of variable declarations in CEL program roles. [GH-1854]
• core/identity: Ensure periodic func only operates on a single namespace at a time, decreasing storage contention. [GH-2226]
• core/identity: fix corrupt data being stored when referencing member_group_ids across namespaces (requires unsafe_cross_namespace_identity=true) [GH-2321]
• core/namespaces: Ensure namespace creation is interruptable, allowing namespace deletion for cleanup. [GH-2226]
• core/namespaces: Fix deadlock on namespace creation, deletion due to transaction/lock ordering. [GH-2226]
• core/namespaces: Fix storage failures in namespace creation leading to a total system deadlock. [GH-2166]
• core/namespaces: improve recovery from partial deletion of namespaces, preventing server startup failure. [GH-2188]
• database/valkey: The creation_statements parameter now correctly accepts a standard array of strings for ACL rules (e.g., ["+@​read", "~*"]). Previously, it incorrectly required a stringified JSON array. The old format is still supported for backward compatibility. [GH-1959]
• helper/jobmanager: Fix queue length metrics to report as gauges. [GH-2226]
• physical/postgresql: ensure underlying HA lock removal from database causes lock loss, write failures. [GH-2100]
• raft: return correct raft leader id from read replica nodes when using bao operator raft list-peers. [GH-2331]
• sdk/logical: Use created transaction for WithTransaction callback. [GH-2226]
• secrets/pki: Fix ordering of variable declarations in CEL program roles. [GH-1854]

What's Changed over Beta

• Fix audit log configuration on active node (#​2169 by @​cipherboy) backported by @​phil9909 in #​2170
• backport: detect platform to download correct OCI image variant (#​2183 by @​JanMa) backported by @​JanMa in #​2186
• Fix standby namespace deletion (#​2188 by @​cipherboy) backported by @​phil9909 in #​2206
• Update go-kms-wrapping/wrappers/static (#​2292 by @​JanMa) backported by @​satoqz in #​2297
• Support BAO_CONFIG_PATH in plugin init (#​2164 by @​satoqz) backported by @​phil9909 in #​2304
• Fix deadlock in transactional namespace creation (#​2166 by @​satoqz) backported by @​phil9909 in #​2303
• Add BAO_{AGENT,PROXY,MIGRATE}_CONFIG_PATH variables (#​2153 by @​kyounghunJang) backported by @​satoqz in #​2306
• Fix incorrectly returned leader nodes from read replicas (#​2331 by @​phyrog) backported by @​phyrog in #​2334
• Fix timing issue in runAutoseal test function (#​2335 by @​phyrog) backported by @​phyrog in #​2348
• Forward secret mount disable request (#​2357 by @​wslabosz-reply) backported by @​phil9909 in #​2359
• Fix cross namespace identity corrupts data (#​2321 by @​phil9909) backported by @​phil9909 in #​2358
• SDK: Update Docker client packages (#​2339 by @​JanMa) backported by @​phil9909 in #​2374
• Build with Go 1.25.6 & bump dependencies by @​satoqz in #​2367
• Clean up created backends when an error occurs later (#​2371 by @​phyrog) backported by @​phyrog in #​2389
• Fix namespace locking, transaction issues around creation, deletion (#​2226 by @​cipherboy) backported by @​satoqz in #​2391
• Bump container base images (#​2393 by @​satoqz) backported by @​satoqz in #​2394
• Fix race condition in mount invalidation (#​2361 by @​phyrog) backported by @​phyrog in #​2397
• Fix data race when cloning API client (#​2399 by @​satoqz) backported by @​satoqz in #​2400
• Fix duplicate headers in bao agent re-authentication (#​2373 by @​tsipinakis) backported by @​satoqz in #​2401
• Fix mount cleanup again... (#​2402 by @​satoqz) backported by @​satoqz in #​2403
• feat(goreleaser): publish packages to S3 (#​1870 by @​pree) backported by @​satoqz in #​2405
• Bump API to v2.5.1 in SDK by @​satoqz in #​2410
• Bump SDK to v2.5.1 in main module by @​satoqz in #​2411
• Add v2.5.0 release notes by @​satoqz in #​2409

Release notes: https://openbao.org/docs/release-notes/2-5-0/#v250
Full Changelog: openbao/openbao@v2.4.0...v2.5.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.