
Update ghcr.io/dexidp/dex Docker tag to v2.45.1#2799

Open
gardener-ci-robot wants to merge 1 commit into master from renovate/ghcr.io-dexidp-dex-2.x

Conversation


@gardener-ci-robot gardener-ci-robot commented Feb 23, 2026

This PR contains the following updates:

Package: ghcr.io/dexidp/dex
Update: minor
Change: v2.44.0-distroless -> v2.45.1-distroless

Release Notes

dexidp/dex (ghcr.io/dexidp/dex)

v2.45.1

Compare Source

Bug Fixes 🐛
  • Quote groups reserved word in query replacer to fix MySQL 8.0+ storage migration (#4580)
  • Update authproxy and oauth to match CallbackConnector interface (#4589)

Full Changelog: dexidp/dex@v2.45.0...v2.45.1

v2.45.0

Compare Source

Know Before Upgrade

  • The major version of gomplate has been bumped to v5.0.0, which includes breaking changes. Here is the full list.
  • There are two known CVEs in the gomplate binary - CVE-2025-68121 and CVE-2026-25934. gomplate is only used for preprocessing configuration files and is optional. Once the CVEs are fixed upstream, the version of gomplate in the dex image will be updated accordingly.
  • The ContinueOnConnectorFailure feature flag is now enabled by default. To disable it, use the following environment variable: DEX_CONTINUE_ON_CONNECTOR_FAILURE=false.
  • Pre-release versions of dex now use pseudo-versioning for identifying releases. Unreleased versions will follow the pattern v2.minor+1.0-yyyymmdd-commithash.


Full Changelog: dexidp/dex@v2.44.0...v2.45.0


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@gardener-ci-robot gardener-ci-robot added the kind/enhancement Enhancement, improvement, extension label Feb 23, 2026
@gardener-ci-robot gardener-ci-robot added renovate kind/enhancement Enhancement, improvement, extension labels Feb 23, 2026

gardener-prow bot commented Feb 23, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign klocke-io for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow bot added cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 23, 2026

coderabbitai bot commented Feb 23, 2026

Walkthrough

Updated the Dex identity chart's image tag in the Helm values file from v2.44.0-distroless to v2.45.1-distroless. No other configuration, logic, or public API changes were made.

Changes

Cohort / File(s): Dex Image Version Update (charts/identity/values.yaml)
Summary: Bumped Dex image tag from v2.44.0-distroless to v2.45.1-distroless. Single-line version change only.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

size/XS

Suggested reviewers

  • holgerkoser
  • grolu

Poem

🐰 A version bump, so small and neat,
From 44 to 45.1, a tidy feat!
Dex hops onward, light and spry,
Distroless grin beneath the sky. 🥕✨

🚥 Pre-merge checks: 3 passed

  • Title check: Passed. The PR title accurately describes the main change: updating the ghcr.io/dexidp/dex Docker tag to v2.45.1, which matches the file change from v2.44.0-distroless to v2.45.1-distroless.
  • Description check: Passed. The PR description is mostly complete with update details, release notes, and configuration info, though it lacks some template sections like 'What this PR does/why we need it' and 'Which issue(s) this PR fixes'.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@petersutter
Member

/hold track next Dex release notes for gomplate/CVE resolution

@gardener-prow gardener-prow bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 24, 2026
@gardener-ci-robot gardener-ci-robot force-pushed the renovate/ghcr.io-dexidp-dex-2.x branch from 8f2e59d to 0f8d440 Compare March 3, 2026 13:51
@gardener-ci-robot gardener-ci-robot changed the title Update ghcr.io/dexidp/dex Docker tag to v2.45.0 Update ghcr.io/dexidp/dex Docker tag to v2.45.1 Mar 3, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/identity/values.yaml`:
- Line 8: The image tag under the YAML key `tag` currently uses the non-existent
value `v2.45.1-distroless`; change that to an existing release (e.g., `v2.45.0`
or `v2.45.0-distroless`) in the values.yaml `tag` entry and, if your deployment
uses gomplate preprocessing, disable or avoid gomplate-based preprocessing until
upstream fixes are released (or explicitly document the CVE risk) so you don't
rely on the vulnerable gomplate in the Dex image.

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8f2e59d and 0f8d440.

📒 Files selected for processing (1)
  • charts/identity/values.yaml

image:
repository: ghcr.io/dexidp/dex
tag: v2.44.0-distroless
tag: v2.45.1-distroless
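Review bot: the new `tag: v2.45.1-distroless` line pins the image by a mutable tag with no digest, and the release notes in the PR description flag two known CVEs in the gomplate binary bundled in this image (CVE-2025-68121 and CVE-2026-25934), a breaking gomplate v5.0.0 bump, and a changed default for the ContinueOnConnectorFailure flag; the PR description should state whether the identity chart relies on gomplate preprocessing and whether the new connector-failure default is acceptable for this deployment. Also confirm that the v2.45.1-distroless tag is actually present in ghcr.io before merging, since the Renovate notes list a v2.45.1 release while the automated review on this page states that no such tag exists.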

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check Dex versions available and CVE information

echo "=== Checking GitHub releases for v2.45.x ==="
# Using GitHub API to fetch releases containing v2.45
curl -s https://api.github.com/repos/dexidp/dex/releases | jq -r '.[].tag_name' 2>/dev/null | grep -E "v2\.45" | sort -V

echo ""
echo "=== Checking git tags for v2.45.x ==="
curl -s https://api.github.com/repos/dexidp/dex/git/refs/tags | jq -r '.[].ref' 2>/dev/null | grep -E "v2\.45" | sort -V

Repository: gardener/dashboard

Length of output: 197


🌐 Web query:

Dex v2.45.1 release information CVE gomplate

💡 Result:

As of March 3, 2026, the dexidp/dex project does not have a v2.45.1 release tag; the latest in that series is v2.45.0 (Feb 23, 2026). [1]

For the gomplate/CVE part, the v2.45.0 release notes say: [2]

  • gomplate in the Dex container image was bumped to v5.0.0 (breaking changes).
  • The release explicitly calls out two known CVEs in the bundled gomplate binary: CVE-2025-68121 and CVE-2026-25934.
  • gomplate is described as optional and used only for preprocessing configuration files; Dex maintainers plan to update it once upstream fixes are available.

Sources:
[1] Dex tags list (shows latest tag v2.45.0; no v2.45.1) (github.com)
[2] Dex v2.45.0 GitHub release notes (Know Before Upgrade section) (github.com)



🌐 Web query:

CVE-2025-68121 CVE-2026-25934 gomplate dex

💡 Result:

  • How this relates to Dex/gomplate: Dex’s v2.45.0 release notes state that the container image includes a gomplate binary with two known CVEs: CVE-2025-68121 and CVE-2026-25934. Dex also notes gomplate is optional and used only to preprocess configuration files, and the image will be updated once gomplate is fixed upstream. [1]

  • CVE-2025-68121 (Go stdlib crypto/tls): A Go standard library issue where, during TLS session resumption, mutating tls.Config trust fields (ClientCAs/RootCAs) between the original and resumed handshake can allow the resumed handshake to succeed when it should fail. Fixed in specific Go patch releases (see Go’s advisory for the exact version ranges). [2][3]

  • CVE-2026-25934 (go-git): A vulnerability in github.com/go-git/go-git where integrity check values for Git .pack and .idx files were not properly verified, potentially causing consumption of corrupted data and errors (e.g., “object not found”). Fixed in go-git v5.16.5; NVD lists CVSS 4.3 (Medium) from GitHub. [4][5]

Practical impact / what to do (Dex context):

  • If you don’t use gomplate features in Dex, avoid enabling gomplate-based preprocessing (Dex calls it optional) to eliminate that exposure path. [1]
  • If you do need gomplate, track for an updated gomplate (or Dex image) that incorporates Go’s fix for CVE-2025-68121 and updates go-git to v5.16.5+ (fix for CVE-2026-25934). [1][2][5]

Sources

  1. Dex v2.45.0 release notes (Know Before Upgrade) — gomplate CVEs called out: CVE-2025-68121, CVE-2026-25934. [1]
  2. Go vulnerability report GO-2026-4337 for CVE-2025-68121 (crypto/tls) and fixed Go version ranges. [2]
  3. NVD entry for CVE-2025-68121. [3]
  4. NVD entry for CVE-2026-25934 (description, fix in 5.16.5, CVSS from GitHub). [4]
  5. GitHub Security Advisory GHSA-37cx-329c-33x3 (CVE-2026-25934) — affected <=5.16.4, patched 5.16.5. [5]

Do not merge: image tag v2.45.1-distroless does not exist.

The official Dex repository (dexidp/dex) does not have a v2.45.1 release; the latest available version is v2.45.0 (Feb 23, 2026). The image tag v2.45.1-distroless referenced in this PR does not exist.

The v2.45.0 release includes two known CVEs in the bundled gomplate binary (CVE-2025-68121 and CVE-2026-25934). Since gomplate is optional and used only for preprocessing configuration files, the exposure can be mitigated by not using gomplate-based preprocessing. Dex maintainers plan to update the image once upstream fixes are available.

Additionally, gomplate has been bumped to v5.0.0, which includes breaking changes. If gomplate preprocessing is used, review the breaking changes carefully.

