Sourced from dexidp/dex's releases.

v2.45.0

Know Before Upgrade

• The major version of gomplate has been bumped to v5.0.0, which includes breaking changes. Here is the full list.
• There are two known CVEs in the gomplate binary - CVE-2025-68121 and CVE-2026-25934. gomplate is only used for preprocessing configuration files and is optional. Once the CVEs are fixed upstream, the version of gomplate in the dex image will be updated accordingly.
• The ContinueOnConnectorFailure feature flag is now enabled by default. To disable it, use the following environment variable: DEX_CONTINUE_ON_CONNECTOR_FAILURE=false.
• Pre-release versions of dex now use pseudo-versioning for identifying releases. Unreleased versions will follow the pattern v2.minor+1.0-yyyymmdd-commithash.

What's Changed

Exciting New Features 🎉

• Add support to PKCE in OIDC connector by @​johnvan7 in dexidp/dex#3777
• Add Vault signer for JWT by @​nabokihms in dexidp/dex#4512
• Support groups and preferred_username for static passwords by @​Jabejixo in dexidp/dex#4456
• Add name and email_verified fields for static passwords by @​Jabejixo in dexidp/dex#4526

Enhancements 🚀

• Example app pkce by @​nabokihms in dexidp/dex#4284
• Only wrap IPv6 addresses in brackets by @​rene-dekker in dexidp/dex#4388
• Update distroless base image to debian13 by @​loosebazooka in dexidp/dex#4453
• Hide internal server error details from users by @​Jabejixo in dexidp/dex#4457
• Gitlab support custom rootCAData by @​Jabejixo in dexidp/dex#4496
• Enable ContinueOnConnectorFailure feature flag by @​manojVivek in dexidp/dex#4495
• Extend example configs for idEnv and public by @​cardoe in dexidp/dex#4443
• Add unprivileged user setup in Dockerfile by @​nabokihms in dexidp/dex#4517
• Add conformance tests for Vault signer integration by @​nabokihms in dexidp/dex#4520
• Add CRD handling behavior and configuration options by @​nabokihms in dexidp/dex#4543
• Enhance git-version script to generate pseudo-versions by @​nabokihms in dexidp/dex#4553
• Validate redirect URIs and safely append parameters by @​nabokihms in dexidp/dex#4559
• Refactor example-app with a new config by @​nabokihms in dexidp/dex#4569
• Implement device code flow in example-app by @​nabokihms in dexidp/dex#4570

Bug Fixes 🐛

• Do not wrap Kubernetes Address in brackets by @​nabokihms in dexidp/dex#4363
• Device callback URL needs to handle a / by @​cardoe in dexidp/dex#4448
• Suppress deprecation warning for userAttr when not set by @​nabokihms in dexidp/dex#4539
• Use correct id value for label by @​loganripplinger in dexidp/dex#4541
• Respond with forbidden if failed to authenticate by @​aljoshare in dexidp/dex#4200

Dependency Updates ⬆️

• build(deps): bump github.com/dexidp/dex/api/v2 from 2.3.0 to 2.4.0 in /examples by @​dependabot[bot] in dexidp/dex#4299
• build(deps): bump actions/setup-go from 5.5.0 to 6.0.0 by @​dependabot[bot] in dexidp/dex#4304
• build(deps): bump aquasecurity/trivy-action from 0.33.0 to 0.33.1 by @​dependabot[bot] in dexidp/dex#4305
• build(deps): bump golang from 1.25.0-alpine3.22 to 1.25.1-alpine3.22 by @​dependabot[bot] in dexidp/dex#4307
• build(deps): bump distroless/static-debian12 from a9f88e0 to e8a4044 by @​dependabot[bot] in dexidp/dex#4313
• build(deps): bump oras-project/setup-oras from 1.2.3 to 1.2.4 by @​dependabot[bot] in dexidp/dex#4314
• build(deps): bump github/codeql-action from 3.29.11 to 3.30.3 by @​dependabot[bot] in dexidp/dex#4320
• build(deps): bump sigstore/cosign-installer from 3.9.2 to 3.10.0 by @​dependabot[bot] in dexidp/dex#4324
• build(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1 by @​dependabot[bot] in dexidp/dex#4302
• build(deps): bump github.com/prometheus/client_golang from 1.23.0 to 1.23.2 by @​dependabot[bot] in dexidp/dex#4309
• build(deps): bump tonistiigi/xx from 1.6.1 to 1.7.0 by @​dependabot[bot] in dexidp/dex#4317
• build(deps): bump golang.org/x/oauth2 from 0.30.0 to 0.31.0 by @​dependabot[bot] in dexidp/dex#4310
• build(deps): bump golang.org/x/oauth2 from 0.30.0 to 0.31.0 in /examples by @​dependabot[bot] in dexidp/dex#4311

... (truncated)

• bcc2283 feat: enhance test commands to support GitHub Actions formatting (#4575)
• ec26e19 build(deps): bump github/codeql-action from 4.32.3 to 4.32.4 (#4573)
• 51c66d2 build(deps): bump aquasecurity/trivy-action from 0.34.0 to 0.34.1 (#4574)
• 8db7699 feat: implement device code flow in example-app (#4570)
• cf17fc6 test: update HandleCallback after merging OIDC PKCE (#4572)
• 83697b0 fix(server): respond with forbidden if failed to authenticate (#4200)
• 25591ee Add support to PKCE in OIDC connector (#3777)
• 5d27abc feat: refactor example-app with a new config (#4569)
• 0807930 feat: add debug step to check image metadata in workflow (#4566)
• 49c8228 build(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 (#4563)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)