dexidp/dex v2.27.0

on GitHub

Action Required

This security release addresses the following advisory: GHSA-m9hp-7r99-94h5

Dex users should immediately update to v2.27.0.

Assets

The official container images for this release can be pulled from:

• dexidp/dex:v2.27.0
• ghcr.io/dexidp/dex:v2.27.0

Make sure to always use an image with a version tag.

Changelog since v2.26.0

• connector/saml: Validate XML roundtrip data before processing request

• Build the sqlite storage backend via build tag so Dex can compile when cgo is disabled

• Update image versions

  • golang:1.15.6-alpine3.12
  • postgres:10.15
  • gcr.io/etcd-development/etcd:v3.4.9

• Copy module dependencies to Docker image for CVE scanning / dependency analysis

Maintenance

• MAINTAINERS: @srenatus is now Emeritus

• README.md: Use maintainers list for reporting security issues

• .github: Add release notes block to pull request template

• Fully automate dev setup with Gitpod

  Implements a fully-automated development setup using Gitpod.io, an
  online IDE for GitHub and GitLab that enables Dev-Environments-As-Code.
  This makes it easy for anyone to get a ready-to-code workspace for any branch,
  issue or pull request almost instantly with a single click.

• Enable CodeQL for the Dex repository

• docs: Fixup broken links

Dependencies

Added

• github.com/mattermost/xml-roundtrip-validator: 1a8688a
• gopkg.in/yaml.v3: 9f266ea

Changed

• github.com/jonboulle/clockwork: v0.1.0 → v0.2.0
• github.com/pkg/errors: v0.8.1 → v0.9.1
• github.com/russellhaering/goxmldsig: 7acd5e4 → v1.1.0
• github.com/stretchr/testify: v1.4.0 → v1.6.1

Removed

Nothing has changed.