fix panic / nil pointer dereference on invalid patterns#9
Merged
tonistiigi merged 1 commit intomoby:mainfrom Mar 24, 2026
Merged
fix panic / nil pointer dereference on invalid patterns#9tonistiigi merged 1 commit intomoby:mainfrom
tonistiigi merged 1 commit intomoby:mainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Fixes a panic in Pattern.match triggered by malformed-but-initially-validated patterns, by ensuring compile() doesn’t leave Pattern in a partially-initialized state and adding a defensive nil-check. Also expands CI to run lint/tests across platforms and Go release channels.
Changes:
- Prevent partial
matchTypeupdates on failed regexp compilation; add defense-in-depth check before usingp.regexp. - Add regression test covering repeated matching on a malformed pattern (no panic; consistent
ErrBadPattern). - Update GitHub Actions workflows to add concurrency cancellation and broaden the Go/platform matrix.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| patternmatcher.go | Fixes the panic by making compile() state updates atomic and guarding against nil regexp. |
| patternmatcher_test.go | Adds regression test ensuring malformed patterns don’t panic on repeated match calls. |
| .github/workflows/validate.yml | Updates lint workflow matrix/platform coverage and adds concurrency control. |
| .github/workflows/test.yml | Updates test workflow matrix/platform coverage and adds concurrency control. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
`Pattern.compile` was updating `Pattern.matchType` in-place. In situations where
the resulting regex failed to compile, it would return early (with an error),
but the `matchType` was already set.
In that situation, `Pattern.match` would consider the `matchType` already
set, skip the `p.matchType == unknownMatch` condition, and fall through
to trying to use `p.regex`, which was nil, and resulted in a panic;
```
journalctl -u docker.service -f
dockerd[423967]: panic: runtime error: invalid memory address or nil pointer dereference
dockerd[423967]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x90 pc=0x557e0f7ebf80]
dockerd[423967]: goroutine 1241 [running]:
dockerd[423967]: regexp.(*Regexp).doExecute(0x557e11b285a0?, {0x0?, 0x0?}, {0x0?, 0x557e11922650?, 0x557e11922650?}, {0xc0009d3db0?, 0xc000061778?}, 0x557e0f6d0d99?, 0x0, ...)
dockerd[423967]: /usr/local/go/src/regexp/exec.go:527 +0x80
dockerd[423967]: regexp.(*Regexp).doMatch(...)
dockerd[423967]: /usr/local/go/src/regexp/exec.go:514
dockerd[423967]: regexp.(*Regexp).MatchString(...)
dockerd[423967]: /usr/local/go/src/regexp/regexp.go:527
dockerd[423967]: github.com/moby/patternmatcher.(*Pattern).match(0x557e11922650?, {0xc0009d3db0, 0x1})
dockerd[423967]: /root/build-deb/engine/vendor/github.com/moby/patternmatcher/patternmatcher.go:334 +0x26b
dockerd[423967]: github.com/moby/patternmatcher.(*PatternMatcher).MatchesOrParentMatches(0xc000d761e0, {0xc0009d3db0, 0x1})
dockerd[423967]: /root/build-deb/engine/vendor/github.com/moby/patternmatcher/patternmatcher.go:142 +0xda
dockerd[423967]: github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb.validateCopySourcePath({0xc0009d3db0, 0x1}, 0xc0000621f8)
dockerd[423967]: /root/build-deb/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert.go:2023 +0x55
dockerd[423967]: github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb.dispatchCopy(_, {{{0xc0009d3dc0, 0x1}, {0xc0009b5d10, 0x1, 0x1}, {0x0, 0x0, 0x0}}, {0x0, ...}, ...})
dockerd[423967]: /root/build-deb/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert.go:1607 +0xd5c
dockerd[423967]: github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb.dispatch(_, {{_, _}, {_, _, _}, _}, {0xc000aab6a0, {0x557e1214c560, 0xc0007b79e0}, ...})
dockerd[423967]: /root/build-deb/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert.go:1004 +0xafb
dockerd[423967]: github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb.toDispatchState({_, _}, {_, _, _}, {{0xc000d5c8d0, {0x0, 0x0}, {0x0, 0x0}, ...}, ...})
dockerd[423967]: /root/build-deb/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert.go:731 +0x3926
dockerd[423967]: github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb.Dockerfile2LLB({_, _}, {_, _, _}, {{0xc000d5c8d0, {0x0, 0x0}, {0x0, 0x0}, ...}, ...})
dockerd[423967]: /root/build-deb/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert.go:90 +0x65
dockerd[423967]: github.com/moby/buildkit/frontend/dockerfile/builder.Build.func6({0x557e121613e0, 0xc000cfd590}, 0x0, 0x557e0f64accb?)
dockerd[423967]: /root/build-deb/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/builder/build.go:136 +0xfe
dockerd[423967]: github.com/moby/buildkit/frontend/dockerui.(*Client).Build.func1()
dockerd[423967]: /root/build-deb/engine/vendor/github.com/moby/buildkit/frontend/dockerui/build.go:39 +0x71
dockerd[423967]: golang.org/x/sync/errgroup.(*Group).Go.func1()
dockerd[423967]: /root/build-deb/engine/vendor/golang.org/x/sync/errgroup/errgroup.go:93 +0x50
dockerd[423967]: created by golang.org/x/sync/errgroup.(*Group).Go in goroutine 1136
dockerd[423967]: /root/build-deb/engine/vendor/golang.org/x/sync/errgroup/errgroup.go:78 +0x95
systemd[1]: docker.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
systemd[1]: docker.service: Failed with result 'exit-code'.
```
This patch:
- updates `Pattern.compile` to use a local variable for the intermediate
state, and only updates `Pattern.matchType` when completing successfully.
- adds a nil-check in `Pattern.match` as defense-in-depth.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Member
Author
|
@tonistiigi @jsternberg PTAL 🤗 |
tonistiigi
approved these changes
Mar 24, 2026
SimonStiil
pushed a commit
to SimonStiil/keyvaluedatabase
that referenced
this pull request
Mar 25, 2026
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | Type | Update | |---|---|---|---|---|---| | [github.com/lib/pq](https://redirect.github.com/lib/pq) | `v1.11.2` → `v1.12.0` |  |  | require | minor | | [go](https://go.dev/) ([source](https://redirect.github.com/golang/go)) | `1.26.0` → `1.26.1` |  |  | toolchain | patch | | golang | `1.26.0-alpine` → `1.26.1-alpine` |  |  | | patch | | [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) | `3dfff04` → `7ab1446` |  |  | require | digest | | [moby/buildkit](https://redirect.github.com/moby/buildkit) | `v0.27.1-rootless` → `v0.28.1-rootless` |  |  | | minor | --- ### Release Notes <details> <summary>lib/pq (github.com/lib/pq)</summary> ### [`v1.12.0`](https://redirect.github.com/lib/pq/blob/HEAD/CHANGELOG.md#v1120-2026-03-18) [Compare Source](https://redirect.github.com/lib/pq/compare/v1.11.2...v1.12.0) - The next release may change the default sslmode from `require` to `prefer`. See [#​1271] for details. - `CopyIn()` and `CopyInToSchema()` have been marked as deprecated. These are simple query builders and not needed for `COPY [..] FROM STDIN` support (which is *not* deprecated). ([#​1279]) ``` // Old tx.Prepare(CopyIn("temp", "num", "text", "blob", "nothing")) // Replacement tx.Prepare(`copy temp (num, text, blob, nothing) from stdin`) ``` ##### Features - Support protocol 3.2, and the `min_protocol_version` and `max_protocol_version` DSN parameters ([#​1258]). - Support `sslmode=prefer` and `sslmode=allow` ([#​1270]). - Support `ssl_min_protocol_version` and `ssl_max_protocol_version` ([#​1277]). - Support connection service file to load connection details ([#​1285]). - Support `sslrootcert=system` and use `~/.postgresql/root.crt` as the default value of sslrootcert ([#​1280], [#​1281]). - Add a new `pqerror` package with PostgreSQL error codes ([#​1275]). For example, to test if an error is a UNIQUE constraint violation: ``` if pqErr, ok := errors.AsType[*pq.Error](err); ok && pqErr.Code == pqerror.UniqueViolation { log.Fatalf("email %q already exsts", email) } ``` To make this a bit more convenient, it also adds a `pq.As()` function: ``` pqErr := pq.As(err, pqerror.UniqueViolation) if pqErr != nil { log.Fatalf("email %q already exsts", email) } ``` ##### Fixes - Fix SSL key permission check to allow modes stricter than [0600/0640#1265](https://redirect.github.com/0600/0640/issues/1265) ([#​1265]). - Fix Hstore to work with binary parameters ([#​1278]). - Clearer error when starting a new query while pq is still processing another query ([#​1272]). - Send intermediate CAs with client certificates, so they can be signed by an intermediate CA ([#​1267]). - Use `time.UTC` for UTC aliases such as `Etc/UTC` ([#​1282]). [#​1258]: https://redirect.github.com/lib/pq/pull/1258 [#​1265]: https://redirect.github.com/lib/pq/pull/1265 [#​1267]: https://redirect.github.com/lib/pq/pull/1267 [#​1270]: https://redirect.github.com/lib/pq/pull/1270 [#​1271]: https://redirect.github.com/lib/pq/pull/1271 [#​1272]: https://redirect.github.com/lib/pq/pull/1272 [#​1275]: https://redirect.github.com/lib/pq/pull/1275 [#​1277]: https://redirect.github.com/lib/pq/pull/1277 [#​1278]: https://redirect.github.com/lib/pq/pull/1278 [#​1279]: https://redirect.github.com/lib/pq/pull/1279 [#​1280]: https://redirect.github.com/lib/pq/pull/1280 [#​1281]: https://redirect.github.com/lib/pq/pull/1281 [#​1282]: https://redirect.github.com/lib/pq/pull/1282 [#​1283]: https://redirect.github.com/lib/pq/pull/1283 [#​1285]: https://redirect.github.com/lib/pq/pull/1285 </details> <details> <summary>golang/go (go)</summary> ### [`v1.26.1`](https://redirect.github.com/golang/go/compare/go1.26.0...go1.26.1) </details> <details> <summary>moby/buildkit (moby/buildkit)</summary> ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) ### [`v0.28.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.27.1...v0.28.0) buildkit 0.28.0 Welcome to the v0.28.0 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn - Jonathan A. Sternberg - Akihiro Suda - Amr Mahdi - Dan Duvall - David Karlsson - Jonas Geiler - Kevin L. - rsteube ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.22.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.22.0) - The default provenance format has been switched to SLSA v1.0 from the previous v0.2. The old format can still be generated by setting the `version` attribute. [#​6526](https://redirect.github.com/moby/buildkit/issues/6526) - Provenance attestation for an image can now be directly pulled via Source metadata request. [#​6516](https://redirect.github.com/moby/buildkit/issues/6516) [#​6514](https://redirect.github.com/moby/buildkit/issues/6514) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - Pushing result images and exporting build cache now happens in parallel, for better performance. [#​6451](https://redirect.github.com/moby/buildkit/issues/6451) - LLB definition now supports two new Source types for accessing raw blobs from image registries and from OCI layouts. New sources use identifier protocols `docker-image+blob://` and `oci-layout+blob://`. [#​4286](https://redirect.github.com/moby/buildkit/issues/4286) - LLB API now supports custom checksum requests for HTTP sources, allowing fetching checksums for different algorithms than the default SHA256 and with optional suffixes. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - LLB API now supports validating HTTP sources with PGP signatures, similarly to previous support for Git sources. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) - With the update to a newer version of the in-toto library, the provenance attestation key `InvocationID` has changed to `InvocationId` to strictly follow the SLSA spec. This change doesn't affect BuildKit/Buildx Golang tooling, but could affect 3rd party tools if they are using case-sensitive JSON parsing. [#​6533](https://redirect.github.com/moby/buildkit/issues/6533) - Embedded Qemu emulator support has been updated to v10.1.3 [#​6524](https://redirect.github.com/moby/buildkit/issues/6524) - Update BuildKit Cgroups implementation to work in (Kubernetes) environments that don't have their own Cgroup namespace. [#​6368](https://redirect.github.com/moby/buildkit/issues/6368) - Buildctl binary now supports bash completion. [#​6474](https://redirect.github.com/moby/buildkit/issues/6474) - PGP signature verification now supports combined public keys as input for defining the required signer. [#​6519](https://redirect.github.com/moby/buildkit/issues/6519) - Fix possible "failed to read expected number of bytes" error when reading attestation chains [#​6520](https://redirect.github.com/moby/buildkit/issues/6520) - Fix possible error from race condition when creating images in parallel [#​6477](https://redirect.github.com/moby/buildkit/issues/6477) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.39.6 -> v1.41.1 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.2 -> v1.7.4 - **github.com/aws/aws-sdk-go-v2/config** v1.31.20 -> v1.32.7 - **github.com/aws/aws-sdk-go-v2/credentials** v1.18.24 -> v1.19.7 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.13 -> v1.18.17 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.13 -> v1.4.17 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.13 -> v2.7.17 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.3 -> v1.13.4 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.13 -> v1.13.17 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 ***new*** - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.3 -> v1.30.9 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.7 -> v1.35.13 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.40.2 -> v1.41.6 - **github.com/aws/smithy-go** v1.23.2 -> v1.24.0 - **github.com/cloudflare/circl** v1.6.1 -> v1.6.3 - **github.com/containerd/nydus-snapshotter** v0.15.10 -> v0.15.11 - **github.com/containerd/stargz-snapshotter** v0.17.0 -> v0.18.2 - **github.com/containerd/stargz-snapshotter/estargz** v0.17.0 -> v0.18.2 - **github.com/coreos/go-systemd/v22** v22.6.0 -> v22.7.0 - **github.com/docker/cli** v29.1.4 -> v29.2.1 - **github.com/go-openapi/errors** v0.22.4 -> v0.22.6 - **github.com/go-openapi/jsonpointer** v0.22.1 -> v0.22.4 - **github.com/go-openapi/jsonreference** v0.21.3 -> v0.21.4 - **github.com/go-openapi/spec** v0.22.1 -> v0.22.3 - **github.com/go-openapi/swag** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/cmdutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/conv** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/fileutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonname** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/loading** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/mangling** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/netutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/stringutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/typeutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/yamlutils** v0.25.3 -> v0.25.4 - **github.com/google/go-containerregistry** v0.20.6 -> v0.20.7 - **github.com/hanwen/go-fuse/v2** v2.8.0 -> v2.9.0 - **github.com/in-toto/in-toto-golang** v0.9.0 -> v0.10.0 - **github.com/klauspost/compress** v1.18.3 -> v1.18.4 - **github.com/moby/policy-helpers** [`eeebf1a`](https://redirect.github.com/moby/buildkit/commit/eeebf1a0ab2b) -> [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) - **github.com/morikuni/aec** v1.0.0 -> v1.1.0 - **github.com/pelletier/go-toml/v2** v2.2.4 ***new*** - **github.com/secure-systems-lab/go-securesystemslib** v0.9.1 -> v0.10.0 - **github.com/sigstore/rekor** v1.4.3 -> v1.5.0 - **github.com/sigstore/sigstore** v1.10.0 -> v1.10.4 - **github.com/sigstore/sigstore-go** [`b5fe07a`](https://redirect.github.com/moby/buildkit/commit/b5fe07a5a7d7) -> v1.1.4 - **github.com/sigstore/timestamp-authority/v2** v2.0.2 -> v2.0.3 - **github.com/theupdateframework/go-tuf/v2** v2.3.0 -> v2.4.1 - **google.golang.org/genproto/googleapis/api** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) - **google.golang.org/genproto/googleapis/rpc** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) - **google.golang.org/grpc** v1.76.0 -> v1.78.0 Previous release can be found at [v0.27.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.27.1) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/SimonStiil/keyvaluedatabase). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My40OC4xIiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->
SimonStiil
pushed a commit
to SimonStiil/ghcr-cleanup
that referenced
this pull request
Mar 25, 2026
This PR contains the following updates: | Package | Update | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---|---| | [moby/buildkit](https://redirect.github.com/moby/buildkit) | minor | `v0.27.1-rootless` → `v0.28.1-rootless` |  |  | | [requests](https://requests.readthedocs.io) ([source](https://redirect.github.com/psf/requests), [changelog](https://redirect.github.com/psf/requests/blob/master/HISTORY.md)) | minor | `==2.32.5` → `==2.33.0` |  |  | --- ### Release Notes <details> <summary>moby/buildkit (moby/buildkit)</summary> ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) ### [`v0.28.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.27.1...v0.28.0) buildkit 0.28.0 Welcome to the v0.28.0 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn - Jonathan A. Sternberg - Akihiro Suda - Amr Mahdi - Dan Duvall - David Karlsson - Jonas Geiler - Kevin L. - rsteube ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.22.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.22.0) - The default provenance format has been switched to SLSA v1.0 from the previous v0.2. The old format can still be generated by setting the `version` attribute. [#​6526](https://redirect.github.com/moby/buildkit/issues/6526) - Provenance attestation for an image can now be directly pulled via Source metadata request. [#​6516](https://redirect.github.com/moby/buildkit/issues/6516) [#​6514](https://redirect.github.com/moby/buildkit/issues/6514) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - Pushing result images and exporting build cache now happens in parallel, for better performance. [#​6451](https://redirect.github.com/moby/buildkit/issues/6451) - LLB definition now supports two new Source types for accessing raw blobs from image registries and from OCI layouts. New sources use identifier protocols `docker-image+blob://` and `oci-layout+blob://`. [#​4286](https://redirect.github.com/moby/buildkit/issues/4286) - LLB API now supports custom checksum requests for HTTP sources, allowing fetching checksums for different algorithms than the default SHA256 and with optional suffixes. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - LLB API now supports validating HTTP sources with PGP signatures, similarly to previous support for Git sources. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) - With the update to a newer version of the in-toto library, the provenance attestation key `InvocationID` has changed to `InvocationId` to strictly follow the SLSA spec. This change doesn't affect BuildKit/Buildx Golang tooling, but could affect 3rd party tools if they are using case-sensitive JSON parsing. [#​6533](https://redirect.github.com/moby/buildkit/issues/6533) - Embedded Qemu emulator support has been updated to v10.1.3 [#​6524](https://redirect.github.com/moby/buildkit/issues/6524) - Update BuildKit Cgroups implementation to work in (Kubernetes) environments that don't have their own Cgroup namespace. [#​6368](https://redirect.github.com/moby/buildkit/issues/6368) - Buildctl binary now supports bash completion. [#​6474](https://redirect.github.com/moby/buildkit/issues/6474) - PGP signature verification now supports combined public keys as input for defining the required signer. [#​6519](https://redirect.github.com/moby/buildkit/issues/6519) - Fix possible "failed to read expected number of bytes" error when reading attestation chains [#​6520](https://redirect.github.com/moby/buildkit/issues/6520) - Fix possible error from race condition when creating images in parallel [#​6477](https://redirect.github.com/moby/buildkit/issues/6477) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.39.6 -> v1.41.1 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.2 -> v1.7.4 - **github.com/aws/aws-sdk-go-v2/config** v1.31.20 -> v1.32.7 - **github.com/aws/aws-sdk-go-v2/credentials** v1.18.24 -> v1.19.7 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.13 -> v1.18.17 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.13 -> v1.4.17 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.13 -> v2.7.17 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.3 -> v1.13.4 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.13 -> v1.13.17 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 ***new*** - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.3 -> v1.30.9 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.7 -> v1.35.13 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.40.2 -> v1.41.6 - **github.com/aws/smithy-go** v1.23.2 -> v1.24.0 - **github.com/cloudflare/circl** v1.6.1 -> v1.6.3 - **github.com/containerd/nydus-snapshotter** v0.15.10 -> v0.15.11 - **github.com/containerd/stargz-snapshotter** v0.17.0 -> v0.18.2 - **github.com/containerd/stargz-snapshotter/estargz** v0.17.0 -> v0.18.2 - **github.com/coreos/go-systemd/v22** v22.6.0 -> v22.7.0 - **github.com/docker/cli** v29.1.4 -> v29.2.1 - **github.com/go-openapi/errors** v0.22.4 -> v0.22.6 - **github.com/go-openapi/jsonpointer** v0.22.1 -> v0.22.4 - **github.com/go-openapi/jsonreference** v0.21.3 -> v0.21.4 - **github.com/go-openapi/spec** v0.22.1 -> v0.22.3 - **github.com/go-openapi/swag** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/cmdutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/conv** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/fileutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonname** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/loading** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/mangling** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/netutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/stringutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/typeutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/yamlutils** v0.25.3 -> v0.25.4 - **github.com/google/go-containerregistry** v0.20.6 -> v0.20.7 - **github.com/hanwen/go-fuse/v2** v2.8.0 -> v2.9.0 - **github.com/in-toto/in-toto-golang** v0.9.0 -> v0.10.0 - **github.com/klauspost/compress** v1.18.3 -> v1.18.4 - **github.com/moby/policy-helpers** [`eeebf1a`](https://redirect.github.com/moby/buildkit/commit/eeebf1a0ab2b) -> [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) - **github.com/morikuni/aec** v1.0.0 -> v1.1.0 - **github.com/pelletier/go-toml/v2** v2.2.4 ***new*** - **github.com/secure-systems-lab/go-securesystemslib** v0.9.1 -> v0.10.0 - **github.com/sigstore/rekor** v1.4.3 -> v1.5.0 - **github.com/sigstore/sigstore** v1.10.0 -> v1.10.4 - **github.com/sigstore/sigstore-go** [`b5fe07a`](https://redirect.github.com/moby/buildkit/commit/b5fe07a5a7d7) -> v1.1.4 - **github.com/sigstore/timestamp-authority/v2** v2.0.2 -> v2.0.3 - **github.com/theupdateframework/go-tuf/v2** v2.3.0 -> v2.4.1 - **google.golang.org/genproto/googleapis/api** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) - **google.golang.org/genproto/googleapis/rpc** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) - **google.golang.org/grpc** v1.76.0 -> v1.78.0 Previous release can be found at [v0.27.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.27.1) </details> <details> <summary>psf/requests (requests)</summary> ### [`v2.33.0`](https://redirect.github.com/psf/requests/blob/HEAD/HISTORY.md#2330-2026-03-25) [Compare Source](https://redirect.github.com/psf/requests/compare/v2.32.5...v2.33.0) **Announcements** - 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at [#​7271](https://redirect.github.com/psf/requests/issues/7271). Give it a try, and report any gaps or feedback you may have in the issue. 📣 **Security** - CVE-2026-25645 `requests.utils.extract_zipped_paths` now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly. **Improvements** - Migrated to a PEP 517 build system using setuptools. ([#​7012](https://redirect.github.com/psf/requests/issues/7012)) **Bugfixes** - Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. ([#​7205](https://redirect.github.com/psf/requests/issues/7205)) **Deprecations** - Dropped support for Python 3.9 following its end of support. ([#​7196](https://redirect.github.com/psf/requests/issues/7196)) **Documentation** - Various typo fixes and doc improvements. </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/SimonStiil/ghcr-cleanup). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My40OC4xIiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->
SimonStiil
pushed a commit
to SimonStiil/traefik-out-of-cluster
that referenced
this pull request
Mar 25, 2026
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | Type | Update | |---|---|---|---|---|---| | [github.com/traefik/traefik/v3](https://redirect.github.com/traefik/traefik) | `v3.6.8` → `v3.6.11` |  |  | require | patch | | golang | `1.26.0-alpine` → `1.26.1-alpine` |  |  | | patch | | [k8s.io/apimachinery](https://redirect.github.com/kubernetes/apimachinery) | `v0.35.1` → `v0.35.3` |  |  | require | patch | | [k8s.io/client-go](https://redirect.github.com/kubernetes/client-go) | `v0.35.1` → `v0.35.3` |  |  | require | patch | | [moby/buildkit](https://redirect.github.com/moby/buildkit) | `v0.27.1-rootless` → `v0.28.1-rootless` |  |  | | minor | --- ### Release Notes <details> <summary>traefik/traefik (github.com/traefik/traefik/v3)</summary> ### [`v3.6.11`](https://redirect.github.com/traefik/traefik/releases/tag/v3.6.11) [Compare Source](https://redirect.github.com/traefik/traefik/compare/v3.6.10...v3.6.11) **CVE fixed:** - [CVE-2026-32595](https://nvd.nist.gov/vuln/detail/CVE-2026-32595) (Advisory [GHSA-g3hg-j4jv-cwfr](https://redirect.github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr)) - [CVE-2026-32305](https://nvd.nist.gov/vuln/detail/CVE-2026-32305) (Advisory [GHSA-wvvq-wgcr-9q48](https://redirect.github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48)) - [CVE-2026-32695](https://nvd.nist.gov/vuln/detail/CCVE-2026-32695) (Advisory [GHSA-67jx-r9pv-98rj](https://redirect.github.com/traefik/traefik/security/advisories/GHSA-67jx-r9pv-98rj)) **Bug fixes:** - **\[logs, otel]** Add OTel-conformant trace context attributes to access logs ([#​12801](https://redirect.github.com/traefik/traefik/pull/12801) [@​mmatur](https://redirect.github.com/mmatur)) - **\[k8s/gatewayapi]** Fix incorrect hostname matching between listener and route ([#​12599](https://redirect.github.com/traefik/traefik/pull/12599) [@​TheColorman](https://redirect.github.com/TheColorman)) - **\[k8s/ingress]** Fix ingress router's rule ([#​12808](https://redirect.github.com/traefik/traefik/pull/12808) [@​gndz07](https://redirect.github.com/gndz07)) - **\[webui]** Remove AGPL license in code ([#​12799](https://redirect.github.com/traefik/traefik/pull/12799) [@​Desel72](https://redirect.github.com/Desel72)) - **\[k8s/ingress-nginx]** Fix proxy-ssl-verify annotation ([#​12825](https://redirect.github.com/traefik/traefik/pull/12825) [@​LBF38](https://redirect.github.com/LBF38)) - **\[http]** Add maxResponseBodySize configuration on HTTP provider ([#​12788](https://redirect.github.com/traefik/traefik/pull/12788) [@​gndz07](https://redirect.github.com/gndz07)) - **\[tls]** Support fragmented TLS client hello ([#​12787](https://redirect.github.com/traefik/traefik/pull/12787) [@​rtribotte](https://redirect.github.com/rtribotte)) - **\[middleware, authentication]** Make basic auth check timing constant ([#​12803](https://redirect.github.com/traefik/traefik/pull/12803) [@​rtribotte](https://redirect.github.com/rtribotte)) **Documentation:** - **\[k8s]** Improve the multi tenant security note ([#​12822](https://redirect.github.com/traefik/traefik/pull/12822) [@​nmengin](https://redirect.github.com/nmengin)) - Fix unnecessary escaping of pipe in regexp examples ([#​12784](https://redirect.github.com/traefik/traefik/pull/12784) [@​diegmonti](https://redirect.github.com/diegmonti)) - Add vulnerability submission quality guidelines ([#​12807](https://redirect.github.com/traefik/traefik/pull/12807) [@​emilevauge](https://redirect.github.com/emilevauge)) - Fix start up message format ([#​12806](https://redirect.github.com/traefik/traefik/pull/12806) [@​mloiseleur](https://redirect.github.com/mloiseleur)) - Remove unsupported servers\[n].address from TCP label examples ([#​12817](https://redirect.github.com/traefik/traefik/pull/12817) [@​sheddy-traefik](https://redirect.github.com/sheddy-traefik)) - Bump mkdocs-traefiklabs to use consent mode ([#​12804](https://redirect.github.com/traefik/traefik/pull/12804) [@​darkweaver87](https://redirect.github.com/darkweaver87)) ### [`v3.6.10`](https://redirect.github.com/traefik/traefik/blob/HEAD/CHANGELOG.md#v3610-2026-03-06) [Compare Source](https://redirect.github.com/traefik/traefik/compare/v3.6.9...v3.6.10) [All Commits](https://redirect.github.com/traefik/traefik/compare/v3.6.9...v3.6.10) **Bug fixes:** - **\[docker]** Bump Docker and OpenTelemetry dependencies ([#​12761](https://redirect.github.com/traefik/traefik/pull/12761) by [mmatur](https://redirect.github.com/mmatur)) - **\[fastproxy]** Bump github.com/valyala/fasthttp to v1.69.0 ([#​12763](https://redirect.github.com/traefik/traefik/pull/12763) by [kevinpollet](https://redirect.github.com/kevinpollet)) - **\[healthcheck, grpc]** Remove path parsing with grpc healthcheck ([#​12760](https://redirect.github.com/traefik/traefik/pull/12760) by [rtribotte](https://redirect.github.com/rtribotte)) - **\[k8s/gatewayapi]** Fix Gateway API router's rules ([#​12753](https://redirect.github.com/traefik/traefik/pull/12753) by [rtribotte](https://redirect.github.com/rtribotte)) - **\[middleware]** Fix HasSecureHeadersDefined returning false when stsSeconds is 0 ([#​12684](https://redirect.github.com/traefik/traefik/pull/12684) by [veeceey](https://redirect.github.com/veeceey)) - **\[otel]** Bump go.opentelemetry.io/otel dependencies ([#​12754](https://redirect.github.com/traefik/traefik/pull/12754) by [rtribotte](https://redirect.github.com/rtribotte)) - **\[server]** Bump golang.org/x/net to v0.51.0 ([#​12756](https://redirect.github.com/traefik/traefik/pull/12756) by [kevinpollet](https://redirect.github.com/kevinpollet)) - **\[webui]** Fix priority display in dashboard and ACME bypass redirect ([#​12740](https://redirect.github.com/traefik/traefik/pull/12740) by [mmatur](https://redirect.github.com/mmatur)) - **\[webui]** Fix basePath validation for dashboard template ([#​12729](https://redirect.github.com/traefik/traefik/pull/12729) by [gndz07](https://redirect.github.com/gndz07)) **Documentation:** - **\[middleware]** Correct documentation for Digest auth ([#​12651](https://redirect.github.com/traefik/traefik/pull/12651) by [Zash](https://redirect.github.com/Zash)) - Add missing `.http` to TOML table names ([#​12713](https://redirect.github.com/traefik/traefik/pull/12713) by [Darsstar](https://redirect.github.com/Darsstar)) - Fix incorrect TOML example in entrypoints docs ([#​12711](https://redirect.github.com/traefik/traefik/pull/12711) by [mfmfuyu](https://redirect.github.com/mfmfuyu)) - Fix API basepath option documentation ([#​12744](https://redirect.github.com/traefik/traefik/pull/12744) by [nmengin](https://redirect.github.com/nmengin)) ### [`v3.6.9`](https://redirect.github.com/traefik/traefik/blob/HEAD/CHANGELOG.md#v369-2026-02-23) [Compare Source](https://redirect.github.com/traefik/traefik/compare/v3.6.8...v3.6.9) [All Commits](https://redirect.github.com/traefik/traefik/compare/v3.6.8...v3.6.9) **Bug fixes:** - **\[acme]** Bump github.com/go-acme/lego/v4 to v4.32.0 ([#​12702](https://redirect.github.com/traefik/traefik/pull/12702) by [ldez](https://redirect.github.com/ldez)) - **\[middleware]** Fix case sensitivity on x-forwarded headers for Connection ([#​12690](https://redirect.github.com/traefik/traefik/pull/12690) by [LBF38](https://redirect.github.com/LBF38)) - **\[middleware, authentication]** Handle empty/missing User-Agent header ([#​12545](https://redirect.github.com/traefik/traefik/pull/12545) by [a-stangl](https://redirect.github.com/a-stangl)) - **\[middleware, authentication]** Add maxResponseBodySize configuration to forwardAuth middleware ([#​12694](https://redirect.github.com/traefik/traefik/pull/12694) by [gndz07](https://redirect.github.com/gndz07)) - **\[server]** Fix TLS handshake error handling ([#​12692](https://redirect.github.com/traefik/traefik/pull/12692) by [juliens](https://redirect.github.com/juliens)) **Documentation:** - **\[docker]** Update docker in-depth setup guide ([#​12682](https://redirect.github.com/traefik/traefik/pull/12682) by [mdevino](https://redirect.github.com/mdevino)) - **\[k8s]** Make labelSelector option casing more consistent ([#​12658](https://redirect.github.com/traefik/traefik/pull/12658) by [holysoles](https://redirect.github.com/holysoles)) - **\[k8s/ingress-nginx]** Add temporary note to advertise the incoming NGINX annotations ([#​12699](https://redirect.github.com/traefik/traefik/pull/12699) by [nmengin](https://redirect.github.com/nmengin)) - Increased content width in documentation ([#​12632](https://redirect.github.com/traefik/traefik/pull/12632) by [tobiasge](https://redirect.github.com/tobiasge)) - Correct encoded characters allowance in entrypoints.md ([#​12679](https://redirect.github.com/traefik/traefik/pull/12679) by [Apflkuacha](https://redirect.github.com/Apflkuacha)) </details> <details> <summary>kubernetes/apimachinery (k8s.io/apimachinery)</summary> ### [`v0.35.3`](https://redirect.github.com/kubernetes/apimachinery/compare/v0.35.2...v0.35.3) [Compare Source](https://redirect.github.com/kubernetes/apimachinery/compare/v0.35.2...v0.35.3) ### [`v0.35.2`](https://redirect.github.com/kubernetes/apimachinery/compare/v0.35.1...v0.35.2) [Compare Source](https://redirect.github.com/kubernetes/apimachinery/compare/v0.35.1...v0.35.2) </details> <details> <summary>kubernetes/client-go (k8s.io/client-go)</summary> ### [`v0.35.3`](https://redirect.github.com/kubernetes/client-go/compare/v0.35.2...v0.35.3) [Compare Source](https://redirect.github.com/kubernetes/client-go/compare/v0.35.2...v0.35.3) ### [`v0.35.2`](https://redirect.github.com/kubernetes/client-go/compare/v0.35.1...v0.35.2) [Compare Source](https://redirect.github.com/kubernetes/client-go/compare/v0.35.1...v0.35.2) </details> <details> <summary>moby/buildkit (moby/buildkit)</summary> ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) ### [`v0.28.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.27.1...v0.28.0) buildkit 0.28.0 Welcome to the v0.28.0 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn - Jonathan A. Sternberg - Akihiro Suda - Amr Mahdi - Dan Duvall - David Karlsson - Jonas Geiler - Kevin L. - rsteube ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.22.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.22.0) - The default provenance format has been switched to SLSA v1.0 from the previous v0.2. The old format can still be generated by setting the `version` attribute. [#​6526](https://redirect.github.com/moby/buildkit/issues/6526) - Provenance attestation for an image can now be directly pulled via Source metadata request. [#​6516](https://redirect.github.com/moby/buildkit/issues/6516) [#​6514](https://redirect.github.com/moby/buildkit/issues/6514) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - Pushing result images and exporting build cache now happens in parallel, for better performance. [#​6451](https://redirect.github.com/moby/buildkit/issues/6451) - LLB definition now supports two new Source types for accessing raw blobs from image registries and from OCI layouts. New sources use identifier protocols `docker-image+blob://` and `oci-layout+blob://`. [#​4286](https://redirect.github.com/moby/buildkit/issues/4286) - LLB API now supports custom checksum requests for HTTP sources, allowing fetching checksums for different algorithms than the default SHA256 and with optional suffixes. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - LLB API now supports validating HTTP sources with PGP signatures, similarly to previous support for Git sources. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) - With the update to a newer version of the in-toto library, the provenance attestation key `InvocationID` has changed to `InvocationId` to strictly follow the SLSA spec. This change doesn't affect BuildKit/Buildx Golang tooling, but could affect 3rd party tools if they are using case-sensitive JSON parsing. [#​6533](https://redirect.github.com/moby/buildkit/issues/6533) - Embedded Qemu emulator support has been updated to v10.1.3 [#​6524](https://redirect.github.com/moby/buildkit/issues/6524) - Update BuildKit Cgroups implementation to work in (Kubernetes) environments that don't have their own Cgroup namespace. [#​6368](https://redirect.github.com/moby/buildkit/issues/6368) - Buildctl binary now supports bash completion. [#​6474](https://redirect.github.com/moby/buildkit/issues/6474) - PGP signature verification now supports combined public keys as input for defining the required signer. [#​6519](https://redirect.github.com/moby/buildkit/issues/6519) - Fix possible "failed to read expected number of bytes" error when reading attestation chains [#​6520](https://redirect.github.com/moby/buildkit/issues/6520) - Fix possible error from race condition when creating images in parallel [#​6477](https://redirect.github.com/moby/buildkit/issues/6477) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.39.6 -> v1.41.1 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.2 -> v1.7.4 - **github.com/aws/aws-sdk-go-v2/config** v1.31.20 -> v1.32.7 - **github.com/aws/aws-sdk-go-v2/credentials** v1.18.24 -> v1.19.7 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.13 -> v1.18.17 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.13 -> v1.4.17 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.13 -> v2.7.17 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.3 -> v1.13.4 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.13 -> v1.13.17 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 ***new*** - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.3 -> v1.30.9 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.7 -> v1.35.13 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.40.2 -> v1.41.6 - **github.com/aws/smithy-go** v1.23.2 -> v1.24.0 - **github.com/cloudflare/circl** v1.6.1 -> v1.6.3 - **github.com/containerd/nydus-snapshotter** v0.15.10 -> v0.15.11 - **github.com/containerd/stargz-snapshotter** v0.17.0 -> v0.18.2 - **github.com/containerd/stargz-snapshotter/estargz** v0.17.0 -> v0.18.2 - **github.com/coreos/go-systemd/v22** v22.6.0 -> v22.7.0 - **github.com/docker/cli** v29.1.4 -> v29.2.1 - **github.com/go-openapi/errors** v0.22.4 -> v0.22.6 - **github.com/go-openapi/jsonpointer** v0.22.1 -> v0.22.4 - **github.com/go-openapi/jsonreference** v0.21.3 -> v0.21.4 - **github.com/go-openapi/spec** v0.22.1 -> v0.22.3 - **github.com/go-openapi/swag** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/cmdutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/conv** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/fileutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonname** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/loading** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/mangling** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/netutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/stringutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/typeutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/yamlutils** v0.25.3 -> v0.25.4 - **github.com/google/go-containerregistry** v0.20.6 -> v0.20.7 - **github.com/hanwen/go-fuse/v2** v2.8.0 -> v2.9.0 - **github.com/in-toto/in-toto-golang** v0.9.0 -> v0.10.0 - **github.com/klauspost/compress** v1.18.3 -> v1.18.4 - **github.com/moby/policy-helpers** [`eeebf1a`](https://redirect.github.com/moby/buildkit/commit/eeebf1a0ab2b) -> [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) - **github.com/morikuni/aec** v1.0.0 -> v1.1.0 - **github.com/pelletier/go-toml/v2** v2.2.4 ***new*** - **github.com/secure-systems-lab/go-securesystemslib** v0.9.1 -> v0.10.0 - **github.com/sigstore/rekor** v1.4.3 -> v1.5.0 - **github.com/sigstore/sigstore** v1.10.0 -> v1.10.4 - **github.com/sigstore/sigstore-go** [`b5fe07a`](https://redirect.github.com/moby/buildkit/commit/b5fe07a5a7d7) -> v1.1.4 - **github.com/sigstore/timestamp-authority/v2** v2.0.2 -> v2.0.3 - **github.com/theupdateframework/go-tuf/v2** v2.3.0 -> v2.4.1 - **google.golang.org/genproto/googleapis/api** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) - **google.golang.org/genproto/googleapis/rpc** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) - **google.golang.org/grpc** v1.76.0 -> v1.78.0 Previous release can be found at [v0.27.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.27.1) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/SimonStiil/traefik-out-of-cluster). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNi41IiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->
SimonStiil
pushed a commit
to SimonStiil/keyvaluedatabaseweb
that referenced
this pull request
Mar 25, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [go](https://go.dev/) ([source](https://redirect.github.com/golang/go)) | toolchain | patch | `1.26.0` → `1.26.1` | | golang | | patch | `1.26.0-alpine` → `1.26.1-alpine` | | [moby/buildkit](https://redirect.github.com/moby/buildkit) | | minor | `v0.27.1-rootless` → `v0.28.1-rootless` | --- ### Release Notes <details> <summary>golang/go (go)</summary> ### [`v1.26.1`](https://redirect.github.com/golang/go/compare/go1.26.0...go1.26.1) </details> <details> <summary>moby/buildkit (moby/buildkit)</summary> ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) ### [`v0.28.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.27.1...v0.28.0) buildkit 0.28.0 Welcome to the v0.28.0 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn - Jonathan A. Sternberg - Akihiro Suda - Amr Mahdi - Dan Duvall - David Karlsson - Jonas Geiler - Kevin L. - rsteube ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.22.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.22.0) - The default provenance format has been switched to SLSA v1.0 from the previous v0.2. The old format can still be generated by setting the `version` attribute. [#​6526](https://redirect.github.com/moby/buildkit/issues/6526) - Provenance attestation for an image can now be directly pulled via Source metadata request. [#​6516](https://redirect.github.com/moby/buildkit/issues/6516) [#​6514](https://redirect.github.com/moby/buildkit/issues/6514) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - Pushing result images and exporting build cache now happens in parallel, for better performance. [#​6451](https://redirect.github.com/moby/buildkit/issues/6451) - LLB definition now supports two new Source types for accessing raw blobs from image registries and from OCI layouts. New sources use identifier protocols `docker-image+blob://` and `oci-layout+blob://`. [#​4286](https://redirect.github.com/moby/buildkit/issues/4286) - LLB API now supports custom checksum requests for HTTP sources, allowing fetching checksums for different algorithms than the default SHA256 and with optional suffixes. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - LLB API now supports validating HTTP sources with PGP signatures, similarly to previous support for Git sources. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) - With the update to a newer version of the in-toto library, the provenance attestation key `InvocationID` has changed to `InvocationId` to strictly follow the SLSA spec. This change doesn't affect BuildKit/Buildx Golang tooling, but could affect 3rd party tools if they are using case-sensitive JSON parsing. [#​6533](https://redirect.github.com/moby/buildkit/issues/6533) - Embedded Qemu emulator support has been updated to v10.1.3 [#​6524](https://redirect.github.com/moby/buildkit/issues/6524) - Update BuildKit Cgroups implementation to work in (Kubernetes) environments that don't have their own Cgroup namespace. [#​6368](https://redirect.github.com/moby/buildkit/issues/6368) - Buildctl binary now supports bash completion. [#​6474](https://redirect.github.com/moby/buildkit/issues/6474) - PGP signature verification now supports combined public keys as input for defining the required signer. [#​6519](https://redirect.github.com/moby/buildkit/issues/6519) - Fix possible "failed to read expected number of bytes" error when reading attestation chains [#​6520](https://redirect.github.com/moby/buildkit/issues/6520) - Fix possible error from race condition when creating images in parallel [#​6477](https://redirect.github.com/moby/buildkit/issues/6477) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.39.6 -> v1.41.1 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.2 -> v1.7.4 - **github.com/aws/aws-sdk-go-v2/config** v1.31.20 -> v1.32.7 - **github.com/aws/aws-sdk-go-v2/credentials** v1.18.24 -> v1.19.7 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.13 -> v1.18.17 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.13 -> v1.4.17 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.13 -> v2.7.17 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.3 -> v1.13.4 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.13 -> v1.13.17 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 ***new*** - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.3 -> v1.30.9 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.7 -> v1.35.13 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.40.2 -> v1.41.6 - **github.com/aws/smithy-go** v1.23.2 -> v1.24.0 - **github.com/cloudflare/circl** v1.6.1 -> v1.6.3 - **github.com/containerd/nydus-snapshotter** v0.15.10 -> v0.15.11 - **github.com/containerd/stargz-snapshotter** v0.17.0 -> v0.18.2 - **github.com/containerd/stargz-snapshotter/estargz** v0.17.0 -> v0.18.2 - **github.com/coreos/go-systemd/v22** v22.6.0 -> v22.7.0 - **github.com/docker/cli** v29.1.4 -> v29.2.1 - **github.com/go-openapi/errors** v0.22.4 -> v0.22.6 - **github.com/go-openapi/jsonpointer** v0.22.1 -> v0.22.4 - **github.com/go-openapi/jsonreference** v0.21.3 -> v0.21.4 - **github.com/go-openapi/spec** v0.22.1 -> v0.22.3 - **github.com/go-openapi/swag** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/cmdutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/conv** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/fileutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonname** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/loading** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/mangling** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/netutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/stringutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/typeutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/yamlutils** v0.25.3 -> v0.25.4 - **github.com/google/go-containerregistry** v0.20.6 -> v0.20.7 - **github.com/hanwen/go-fuse/v2** v2.8.0 -> v2.9.0 - **github.com/in-toto/in-toto-golang** v0.9.0 -> v0.10.0 - **github.com/klauspost/compress** v1.18.3 -> v1.18.4 - **github.com/moby/policy-helpers** [`eeebf1a`](https://redirect.github.com/moby/buildkit/commit/eeebf1a0ab2b) -> [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) - **github.com/morikuni/aec** v1.0.0 -> v1.1.0 - **github.com/pelletier/go-toml/v2** v2.2.4 ***new*** - **github.com/secure-systems-lab/go-securesystemslib** v0.9.1 -> v0.10.0 - **github.com/sigstore/rekor** v1.4.3 -> v1.5.0 - **github.com/sigstore/sigstore** v1.10.0 -> v1.10.4 - **github.com/sigstore/sigstore-go** [`b5fe07a`](https://redirect.github.com/moby/buildkit/commit/b5fe07a5a7d7) -> v1.1.4 - **github.com/sigstore/timestamp-authority/v2** v2.0.2 -> v2.0.3 - **github.com/theupdateframework/go-tuf/v2** v2.3.0 -> v2.4.1 - **google.golang.org/genproto/googleapis/api** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) - **google.golang.org/genproto/googleapis/rpc** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) - **google.golang.org/grpc** v1.76.0 -> v1.78.0 Previous release can be found at [v0.27.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.27.1) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/SimonStiil/keyvaluedatabaseweb). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My40OC4xIiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->
valentindeaconu
added a commit
to SectorLabs/buildkit-ghcr-mirror
that referenced
this pull request
Mar 26, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [moby/buildkit](https://redirect.github.com/moby/buildkit) | | patch | `0.28.0` → `0.28.1` | | [moby/buildkit](https://redirect.github.com/moby/buildkit) | final | patch | `v0.28.0-rootless` → `v0.28.1-rootless` | | [moby/buildkit](https://redirect.github.com/moby/buildkit) | stage | patch | `v0.28.0` → `v0.28.1` | --- ### Release Notes <details> <summary>moby/buildkit (moby/buildkit)</summary> ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/SectorLabs/buildkit-ghcr-mirror). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42Ni40IiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
SimonStiil
pushed a commit
to SimonStiil/kube-auth-proxy
that referenced
this pull request
Mar 26, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [moby/buildkit](https://redirect.github.com/moby/buildkit) | patch | `v0.28.0-rootless` → `v0.28.1-rootless` | --- ### Release Notes <details> <summary>moby/buildkit (moby/buildkit)</summary> ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/SimonStiil/kube-auth-proxy). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45MS41IiwidXBkYXRlZEluVmVyIjoiNDMuOTEuNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->
renovate-coop-norge Bot
added a commit
to coopnorge/engineering-docker-images
that referenced
this pull request
Mar 27, 2026
…devtools-python3.10-v1beta1 (#3806) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [docker.io/moby/buildkit](https://redirect.github.com/moby/buildkit) | stage | patch | `v0.28.0-rootless` → `v0.28.1-rootless` | --- ### Release Notes <details> <summary>moby/buildkit (docker.io/moby/buildkit)</summary> ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My44My4yIiwidXBkYXRlZEluVmVyIjoiNDMuODMuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIiwicmVub3ZhdGUiXX0=--> Co-authored-by: renovate-coop-norge[bot] <151545514+renovate-coop-norge[bot]@users.noreply.github.com>
renovate-coop-norge Bot
added a commit
to coopnorge/engineering-docker-images
that referenced
this pull request
Mar 27, 2026
…devtools-golang-v1beta1 (#3805) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [docker.io/moby/buildkit](https://redirect.github.com/moby/buildkit) | stage | patch | `v0.28.0-rootless` → `v0.28.1-rootless` | --- ### Release Notes <details> <summary>moby/buildkit (docker.io/moby/buildkit)</summary> ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My44My4yIiwidXBkYXRlZEluVmVyIjoiNDMuODMuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIiwicmVub3ZhdGUiXX0=--> Co-authored-by: renovate-coop-norge[bot] <151545514+renovate-coop-norge[bot]@users.noreply.github.com>
github-merge-queue Bot
pushed a commit
to CowDogMoo/warpgate
that referenced
this pull request
Mar 29, 2026
…y] (#1762) This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/moby/buildkit](https://redirect.github.com/moby/buildkit) | `v0.28.0` → `v0.28.1` |  |  | ### GitHub Vulnerability Alerts #### [CVE-2026-33747](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) ### Impact When using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. ### Patches The issue has been fixed in v0.28.1+ ### Workarounds Issue requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected. #### [CVE-2026-33748](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) ### Impact Insufficient validation of Git URL fragment subdir components (`<url>#<ref>:<subdir>`, [docs](https://docs.docker.com/build/concepts/context/#url-fragments)) may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. ### Patches The issue has been fixed in version v0.28.1 ### Workarounds The issue affects only builds that use Git URLs with a subpath component. Avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink. --- ### Release Notes <details> <summary>moby/buildkit (github.com/moby/buildkit)</summary> ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45OS4wIiwidXBkYXRlZEluVmVyIjoiNDMuOTkuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUiXX0=--> Co-authored-by: cowdogmoo-renovate-bot[bot] <157187596+cowdogmoo-renovate-bot[bot]@users.noreply.github.com>
1 task
github-merge-queue Bot
pushed a commit
to elastic/cloudbeat
that referenced
this pull request
Apr 11, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/moby/buildkit](https://redirect.github.com/moby/buildkit) | indirect | minor | `v0.27.1` -> `v0.29.0` | | [github.com/moby/moby/api](https://redirect.github.com/moby/moby) | indirect | minor | `v1.53.0` -> `v1.54.1` | | [github.com/moby/moby/client](https://redirect.github.com/moby/moby) | indirect | minor | `v0.2.2` -> `v0.4.0` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>moby/buildkit (github.com/moby/buildkit)</summary> ### [`v0.29.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.29.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.1...v0.29.0) Welcome to the v0.29.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - David Karlsson - Akihiro Suda - Sebastiaan van Stijn - Brian Ristuccia - Jonathan A. Sternberg - Mateusz Gozdek - Natnael Gebremariam ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.23.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.23.0) - Git sources can now initialize all files from a Git checkout with commit time in the LLB API for better reproducibility. See [Dockerfile changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.23.0) for how to enable this in the Dockerfile frontend [#​6600](https://redirect.github.com/moby/buildkit/issues/6600) - Various file access operations in Git and HTTP sources have been hardened for improved security [#​6613](https://redirect.github.com/moby/buildkit/issues/6613) - Frontends can now report updated `SOURCE_DATE_EPOCH` with result metadata that can be used by exporters [#​6601](https://redirect.github.com/moby/buildkit/issues/6601) - Fix possible panic when listing build history after recent deletions [#​6614](https://redirect.github.com/moby/buildkit/issues/6614) - Fix possible issue where builds from Git repositories could start to fail after submodule rename [#​6563](https://redirect.github.com/moby/buildkit/issues/6563) - Fix possible process lifecycle event ordering issue in interactive container API that could cause deadlocks in the client [#​6531](https://redirect.github.com/moby/buildkit/issues/6531) - Fix regression where build progress skipped the message about layers being pushed to the registry [#​6587](https://redirect.github.com/moby/buildkit/issues/6587) - Fix possible cgroup initialization failure in BuildKit container image entrypoint on some environments [#​6585](https://redirect.github.com/moby/buildkit/issues/6585) - Fix issue with resolving symlinks via file access methods of the Gateway API [#​6559](https://redirect.github.com/moby/buildkit/issues/6559) - Fix possible "parent snapshot does not exist" error when exporting images in parallel [#​6558](https://redirect.github.com/moby/buildkit/issues/6558) - Fix possible panic from zstd compression [#​6599](https://redirect.github.com/moby/buildkit/issues/6599) - Fix issue where cache imports from an uninitialized local cache tag could fail the build [#​6554](https://redirect.github.com/moby/buildkit/issues/6554) - Included CNI plugins have been updated to v1.9.1 [#​6583](https://redirect.github.com/moby/buildkit/issues/6583) - Included QEMU emulator support has been updated to v10.2.1 [#​6580](https://redirect.github.com/moby/buildkit/issues/6580) - Runc container runtime has been updated to v1.3.5 [#​6625](https://redirect.github.com/moby/buildkit/issues/6625) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.41.1 -> v1.41.4 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.4 -> v1.7.5 - **github.com/aws/aws-sdk-go-v2/config** v1.32.7 -> v1.32.12 - **github.com/aws/aws-sdk-go-v2/credentials** v1.19.7 -> v1.19.12 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.17 -> v1.18.20 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.17 -> v1.4.20 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.17 -> v2.7.20 - **github.com/aws/aws-sdk-go-v2/internal/ini** v1.8.4 -> v1.8.6 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.4 -> v1.13.7 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.17 -> v1.13.20 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 -> v1.0.8 - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.9 -> v1.30.13 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.13 -> v1.35.17 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.41.6 -> v1.41.9 - **github.com/aws/smithy-go** v1.24.0 -> v1.24.2 - **github.com/containerd/cgroups/v3** v3.1.2 -> v3.1.3 - **github.com/containerd/containerd/v2** v2.2.1 -> v2.2.2 - **github.com/containerd/nydus-snapshotter** v0.15.11 -> v0.15.13 - **github.com/containerd/ttrpc** v1.2.7 -> v1.2.8 - **github.com/containernetworking/plugins** v1.9.0 -> v1.9.1 - **github.com/docker/cli** v29.2.1 -> v29.3.1 - **github.com/go-openapi/analysis** v0.24.1 -> v0.24.3 - **github.com/go-openapi/errors** v0.22.6 -> v0.22.7 - **github.com/go-openapi/jsonpointer** v0.22.4 -> v0.22.5 - **github.com/go-openapi/jsonreference** v0.21.4 -> v0.21.5 - **github.com/go-openapi/loads** v0.23.2 -> v0.23.3 - **github.com/go-openapi/spec** v0.22.3 -> v0.22.4 - **github.com/go-openapi/strfmt** v0.25.0 -> v0.26.1 - **github.com/go-openapi/swag/conv** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/fileutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/jsonname** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/jsonutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/loading** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/mangling** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/stringutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/typeutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/yamlutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/validate** v0.25.1 -> v0.25.2 - **github.com/go-viper/mapstructure/v2** v2.4.0 -> v2.5.0 - **github.com/grpc-ecosystem/grpc-gateway/v2** v2.27.3 -> v2.27.7 - **github.com/klauspost/compress** v1.18.4 -> v1.18.5 - **github.com/moby/policy-helpers** [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) -> [`b7c0b99`](https://redirect.github.com/moby/buildkit/commit/b7c0b994300b) - **github.com/oklog/ulid/v2** v2.1.1 ***new*** - **go.opentelemetry.io/otel** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/metric** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/sdk** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/sdk/metric** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/trace** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/proto/otlp** v1.7.1 -> v1.9.0 - **golang.org/x/sys** v0.41.0 -> v0.42.0 - **golang.org/x/term** v0.40.0 -> v0.41.0 - **google.golang.org/genproto/googleapis/api** [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) -> [`8636f87`](https://redirect.github.com/moby/buildkit/commit/8636f8732409) - **google.golang.org/genproto/googleapis/rpc** [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) -> [`8636f87`](https://redirect.github.com/moby/buildkit/commit/8636f8732409) - **google.golang.org/grpc** v1.78.0 -> v1.79.3 Previous release can be found at [v0.28.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) ### [`v0.28.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.27.1...v0.28.0) buildkit 0.28.0 Welcome to the v0.28.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn - Jonathan A. Sternberg - Akihiro Suda - Amr Mahdi - Dan Duvall - David Karlsson - Jonas Geiler - Kevin L. - rsteube ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.22.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.22.0) - The default provenance format has been switched to SLSA v1.0 from the previous v0.2. The old format can still be generated by setting the `version` attribute. [#​6526](https://redirect.github.com/moby/buildkit/issues/6526) - Provenance attestation for an image can now be directly pulled via Source metadata request. [#​6516](https://redirect.github.com/moby/buildkit/issues/6516) [#​6514](https://redirect.github.com/moby/buildkit/issues/6514) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - Pushing result images and exporting build cache now happens in parallel, for better performance. [#​6451](https://redirect.github.com/moby/buildkit/issues/6451) - LLB definition now supports two new Source types for accessing raw blobs from image registries and from OCI layouts. New sources use identifier protocols `docker-image+blob://` and `oci-layout+blob://`. [#​4286](https://redirect.github.com/moby/buildkit/issues/4286) - LLB API now supports custom checksum requests for HTTP sources, allowing fetching checksums for different algorithms than the default SHA256 and with optional suffixes. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - LLB API now supports validating HTTP sources with PGP signatures, similarly to previous support for Git sources. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) - With the update to a newer version of the in-toto library, the provenance attestation key `InvocationID` has changed to `InvocationId` to strictly follow the SLSA spec. This change doesn't affect BuildKit/Buildx Golang tooling, but could affect 3rd party tools if they are using case-sensitive JSON parsing. [#​6533](https://redirect.github.com/moby/buildkit/issues/6533) - Embedded Qemu emulator support has been updated to v10.1.3 [#​6524](https://redirect.github.com/moby/buildkit/issues/6524) - Update BuildKit Cgroups implementation to work in (Kubernetes) environments that don't have their own Cgroup namespace. [#​6368](https://redirect.github.com/moby/buildkit/issues/6368) - Buildctl binary now supports bash completion. [#​6474](https://redirect.github.com/moby/buildkit/issues/6474) - PGP signature verification now supports combined public keys as input for defining the required signer. [#​6519](https://redirect.github.com/moby/buildkit/issues/6519) - Fix possible "failed to read expected number of bytes" error when reading attestation chains [#​6520](https://redirect.github.com/moby/buildkit/issues/6520) - Fix possible error from race condition when creating images in parallel [#​6477](https://redirect.github.com/moby/buildkit/issues/6477) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.39.6 -> v1.41.1 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.2 -> v1.7.4 - **github.com/aws/aws-sdk-go-v2/config** v1.31.20 -> v1.32.7 - **github.com/aws/aws-sdk-go-v2/credentials** v1.18.24 -> v1.19.7 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.13 -> v1.18.17 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.13 -> v1.4.17 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.13 -> v2.7.17 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.3 -> v1.13.4 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.13 -> v1.13.17 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 ***new*** - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.3 -> v1.30.9 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.7 -> v1.35.13 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.40.2 -> v1.41.6 - **github.com/aws/smithy-go** v1.23.2 -> v1.24.0 - **github.com/cloudflare/circl** v1.6.1 -> v1.6.3 - **github.com/containerd/nydus-snapshotter** v0.15.10 -> v0.15.11 - **github.com/containerd/stargz-snapshotter** v0.17.0 -> v0.18.2 - **github.com/containerd/stargz-snapshotter/estargz** v0.17.0 -> v0.18.2 - **github.com/coreos/go-systemd/v22** v22.6.0 -> v22.7.0 - **github.com/docker/cli** v29.1.4 -> v29.2.1 - **github.com/go-openapi/errors** v0.22.4 -> v0.22.6 - **github.com/go-openapi/jsonpointer** v0.22.1 -> v0.22.4 - **github.com/go-openapi/jsonreference** v0.21.3 -> v0.21.4 - **github.com/go-openapi/spec** v0.22.1 -> v0.22.3 - **github.com/go-openapi/swag** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/cmdutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/conv** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/fileutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonname** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/loading** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/mangling** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/netutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/stringutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/typeutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/yamlutils** v0.25.3 -> v0.25.4 - **github.com/google/go-containerregistry** v0.20.6 -> v0.20.7 - **github.com/hanwen/go-fuse/v2** v2.8.0 -> v2.9.0 - **github.com/in-toto/in-toto-golang** v0.9.0 -> v0.10.0 - **github.com/klauspost/compress** v1.18.3 -> v1.18.4 - **github.com/moby/policy-helpers** [`eeebf1a`](https://redirect.github.com/moby/buildkit/commit/eeebf1a0ab2b) -> [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) - **github.com/morikuni/aec** v1.0.0 -> v1.1.0 - **github.com/pelletier/go-toml/v2** v2.2.4 ***new*** - **github.com/secure-systems-lab/go-securesystemslib** v0.9.1 -> v0.10.0 - **github.com/sigstore/rekor** v1.4.3 -> v1.5.0 - **github.com/sigstore/sigstore** v1.10.0 -> v1.10.4 - **github.com/sigstore/sigstore-go** [`b5fe07a`](https://redirect.github.com/moby/buildkit/commit/b5fe07a5a7d7) -> v1.1.4 - **github.com/sigstore/timestamp-authority/v2** v2.0.2 -> v2.0.3 - **github.com/theupdateframework/go-tuf/v2** v2.3.0 -> v2.4.1 - **google.golang.org/genproto/googleapis/api** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) - **google.golang.org/genproto/googleapis/rpc** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) - **google.golang.org/grpc** v1.76.0 -> v1.78.0 Previous release can be found at [v0.27.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.27.1) </details> <details> <summary>moby/moby (github.com/moby/moby/client)</summary> ### [`v0.4.0`](https://redirect.github.com/moby/moby/compare/v0.3.0...v0.4.0) [Compare Source](https://redirect.github.com/moby/moby/compare/v0.3.0...v0.4.0) ### [`v0.3.0`](https://redirect.github.com/moby/moby/compare/v0.2.2...v0.3.0) [Compare Source](https://redirect.github.com/moby/moby/compare/v0.2.2...v0.3.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "* 1 * * 1-5" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xMDcuMCIsInVwZGF0ZWRJblZlciI6IjM5LjEwNy4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJUZWFtOlNlY3VyaXR5LUNsb3VkIFNlcnZpY2VzIiwiYmFja3BvcnQtc2tpcCIsImRlcGVuZGVuY2llcyIsInJlbm92YXRlIiwicmVub3ZhdGUtYXV0by1hcHByb3ZlIl19--> Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com>
mergify Bot
pushed a commit
to elastic/cloudbeat
that referenced
this pull request
Apr 13, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/moby/buildkit](https://redirect.github.com/moby/buildkit) | indirect | minor | `v0.27.1` -> `v0.29.0` | | [github.com/moby/moby/api](https://redirect.github.com/moby/moby) | indirect | minor | `v1.53.0` -> `v1.54.1` | | [github.com/moby/moby/client](https://redirect.github.com/moby/moby) | indirect | minor | `v0.2.2` -> `v0.4.0` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>moby/buildkit (github.com/moby/buildkit)</summary> ### [`v0.29.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.29.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.1...v0.29.0) Welcome to the v0.29.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - David Karlsson - Akihiro Suda - Sebastiaan van Stijn - Brian Ristuccia - Jonathan A. Sternberg - Mateusz Gozdek - Natnael Gebremariam ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.23.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.23.0) - Git sources can now initialize all files from a Git checkout with commit time in the LLB API for better reproducibility. See [Dockerfile changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.23.0) for how to enable this in the Dockerfile frontend [#​6600](https://redirect.github.com/moby/buildkit/issues/6600) - Various file access operations in Git and HTTP sources have been hardened for improved security [#​6613](https://redirect.github.com/moby/buildkit/issues/6613) - Frontends can now report updated `SOURCE_DATE_EPOCH` with result metadata that can be used by exporters [#​6601](https://redirect.github.com/moby/buildkit/issues/6601) - Fix possible panic when listing build history after recent deletions [#​6614](https://redirect.github.com/moby/buildkit/issues/6614) - Fix possible issue where builds from Git repositories could start to fail after submodule rename [#​6563](https://redirect.github.com/moby/buildkit/issues/6563) - Fix possible process lifecycle event ordering issue in interactive container API that could cause deadlocks in the client [#​6531](https://redirect.github.com/moby/buildkit/issues/6531) - Fix regression where build progress skipped the message about layers being pushed to the registry [#​6587](https://redirect.github.com/moby/buildkit/issues/6587) - Fix possible cgroup initialization failure in BuildKit container image entrypoint on some environments [#​6585](https://redirect.github.com/moby/buildkit/issues/6585) - Fix issue with resolving symlinks via file access methods of the Gateway API [#​6559](https://redirect.github.com/moby/buildkit/issues/6559) - Fix possible "parent snapshot does not exist" error when exporting images in parallel [#​6558](https://redirect.github.com/moby/buildkit/issues/6558) - Fix possible panic from zstd compression [#​6599](https://redirect.github.com/moby/buildkit/issues/6599) - Fix issue where cache imports from an uninitialized local cache tag could fail the build [#​6554](https://redirect.github.com/moby/buildkit/issues/6554) - Included CNI plugins have been updated to v1.9.1 [#​6583](https://redirect.github.com/moby/buildkit/issues/6583) - Included QEMU emulator support has been updated to v10.2.1 [#​6580](https://redirect.github.com/moby/buildkit/issues/6580) - Runc container runtime has been updated to v1.3.5 [#​6625](https://redirect.github.com/moby/buildkit/issues/6625) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.41.1 -> v1.41.4 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.4 -> v1.7.5 - **github.com/aws/aws-sdk-go-v2/config** v1.32.7 -> v1.32.12 - **github.com/aws/aws-sdk-go-v2/credentials** v1.19.7 -> v1.19.12 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.17 -> v1.18.20 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.17 -> v1.4.20 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.17 -> v2.7.20 - **github.com/aws/aws-sdk-go-v2/internal/ini** v1.8.4 -> v1.8.6 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.4 -> v1.13.7 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.17 -> v1.13.20 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 -> v1.0.8 - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.9 -> v1.30.13 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.13 -> v1.35.17 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.41.6 -> v1.41.9 - **github.com/aws/smithy-go** v1.24.0 -> v1.24.2 - **github.com/containerd/cgroups/v3** v3.1.2 -> v3.1.3 - **github.com/containerd/containerd/v2** v2.2.1 -> v2.2.2 - **github.com/containerd/nydus-snapshotter** v0.15.11 -> v0.15.13 - **github.com/containerd/ttrpc** v1.2.7 -> v1.2.8 - **github.com/containernetworking/plugins** v1.9.0 -> v1.9.1 - **github.com/docker/cli** v29.2.1 -> v29.3.1 - **github.com/go-openapi/analysis** v0.24.1 -> v0.24.3 - **github.com/go-openapi/errors** v0.22.6 -> v0.22.7 - **github.com/go-openapi/jsonpointer** v0.22.4 -> v0.22.5 - **github.com/go-openapi/jsonreference** v0.21.4 -> v0.21.5 - **github.com/go-openapi/loads** v0.23.2 -> v0.23.3 - **github.com/go-openapi/spec** v0.22.3 -> v0.22.4 - **github.com/go-openapi/strfmt** v0.25.0 -> v0.26.1 - **github.com/go-openapi/swag/conv** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/fileutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/jsonname** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/jsonutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/loading** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/mangling** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/stringutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/typeutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/yamlutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/validate** v0.25.1 -> v0.25.2 - **github.com/go-viper/mapstructure/v2** v2.4.0 -> v2.5.0 - **github.com/grpc-ecosystem/grpc-gateway/v2** v2.27.3 -> v2.27.7 - **github.com/klauspost/compress** v1.18.4 -> v1.18.5 - **github.com/moby/policy-helpers** [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) -> [`b7c0b99`](https://redirect.github.com/moby/buildkit/commit/b7c0b994300b) - **github.com/oklog/ulid/v2** v2.1.1 ***new*** - **go.opentelemetry.io/otel** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/metric** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/sdk** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/sdk/metric** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/trace** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/proto/otlp** v1.7.1 -> v1.9.0 - **golang.org/x/sys** v0.41.0 -> v0.42.0 - **golang.org/x/term** v0.40.0 -> v0.41.0 - **google.golang.org/genproto/googleapis/api** [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) -> [`8636f87`](https://redirect.github.com/moby/buildkit/commit/8636f8732409) - **google.golang.org/genproto/googleapis/rpc** [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) -> [`8636f87`](https://redirect.github.com/moby/buildkit/commit/8636f8732409) - **google.golang.org/grpc** v1.78.0 -> v1.79.3 Previous release can be found at [v0.28.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) ### [`v0.28.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.27.1...v0.28.0) buildkit 0.28.0 Welcome to the v0.28.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn - Jonathan A. Sternberg - Akihiro Suda - Amr Mahdi - Dan Duvall - David Karlsson - Jonas Geiler - Kevin L. - rsteube ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.22.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.22.0) - The default provenance format has been switched to SLSA v1.0 from the previous v0.2. The old format can still be generated by setting the `version` attribute. [#​6526](https://redirect.github.com/moby/buildkit/issues/6526) - Provenance attestation for an image can now be directly pulled via Source metadata request. [#​6516](https://redirect.github.com/moby/buildkit/issues/6516) [#​6514](https://redirect.github.com/moby/buildkit/issues/6514) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - Pushing result images and exporting build cache now happens in parallel, for better performance. [#​6451](https://redirect.github.com/moby/buildkit/issues/6451) - LLB definition now supports two new Source types for accessing raw blobs from image registries and from OCI layouts. New sources use identifier protocols `docker-image+blob://` and `oci-layout+blob://`. [#​4286](https://redirect.github.com/moby/buildkit/issues/4286) - LLB API now supports custom checksum requests for HTTP sources, allowing fetching checksums for different algorithms than the default SHA256 and with optional suffixes. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - LLB API now supports validating HTTP sources with PGP signatures, similarly to previous support for Git sources. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) - With the update to a newer version of the in-toto library, the provenance attestation key `InvocationID` has changed to `InvocationId` to strictly follow the SLSA spec. This change doesn't affect BuildKit/Buildx Golang tooling, but could affect 3rd party tools if they are using case-sensitive JSON parsing. [#​6533](https://redirect.github.com/moby/buildkit/issues/6533) - Embedded Qemu emulator support has been updated to v10.1.3 [#​6524](https://redirect.github.com/moby/buildkit/issues/6524) - Update BuildKit Cgroups implementation to work in (Kubernetes) environments that don't have their own Cgroup namespace. [#​6368](https://redirect.github.com/moby/buildkit/issues/6368) - Buildctl binary now supports bash completion. [#​6474](https://redirect.github.com/moby/buildkit/issues/6474) - PGP signature verification now supports combined public keys as input for defining the required signer. [#​6519](https://redirect.github.com/moby/buildkit/issues/6519) - Fix possible "failed to read expected number of bytes" error when reading attestation chains [#​6520](https://redirect.github.com/moby/buildkit/issues/6520) - Fix possible error from race condition when creating images in parallel [#​6477](https://redirect.github.com/moby/buildkit/issues/6477) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.39.6 -> v1.41.1 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.2 -> v1.7.4 - **github.com/aws/aws-sdk-go-v2/config** v1.31.20 -> v1.32.7 - **github.com/aws/aws-sdk-go-v2/credentials** v1.18.24 -> v1.19.7 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.13 -> v1.18.17 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.13 -> v1.4.17 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.13 -> v2.7.17 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.3 -> v1.13.4 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.13 -> v1.13.17 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 ***new*** - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.3 -> v1.30.9 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.7 -> v1.35.13 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.40.2 -> v1.41.6 - **github.com/aws/smithy-go** v1.23.2 -> v1.24.0 - **github.com/cloudflare/circl** v1.6.1 -> v1.6.3 - **github.com/containerd/nydus-snapshotter** v0.15.10 -> v0.15.11 - **github.com/containerd/stargz-snapshotter** v0.17.0 -> v0.18.2 - **github.com/containerd/stargz-snapshotter/estargz** v0.17.0 -> v0.18.2 - **github.com/coreos/go-systemd/v22** v22.6.0 -> v22.7.0 - **github.com/docker/cli** v29.1.4 -> v29.2.1 - **github.com/go-openapi/errors** v0.22.4 -> v0.22.6 - **github.com/go-openapi/jsonpointer** v0.22.1 -> v0.22.4 - **github.com/go-openapi/jsonreference** v0.21.3 -> v0.21.4 - **github.com/go-openapi/spec** v0.22.1 -> v0.22.3 - **github.com/go-openapi/swag** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/cmdutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/conv** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/fileutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonname** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/loading** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/mangling** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/netutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/stringutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/typeutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/yamlutils** v0.25.3 -> v0.25.4 - **github.com/google/go-containerregistry** v0.20.6 -> v0.20.7 - **github.com/hanwen/go-fuse/v2** v2.8.0 -> v2.9.0 - **github.com/in-toto/in-toto-golang** v0.9.0 -> v0.10.0 - **github.com/klauspost/compress** v1.18.3 -> v1.18.4 - **github.com/moby/policy-helpers** [`eeebf1a`](https://redirect.github.com/moby/buildkit/commit/eeebf1a0ab2b) -> [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) - **github.com/morikuni/aec** v1.0.0 -> v1.1.0 - **github.com/pelletier/go-toml/v2** v2.2.4 ***new*** - **github.com/secure-systems-lab/go-securesystemslib** v0.9.1 -> v0.10.0 - **github.com/sigstore/rekor** v1.4.3 -> v1.5.0 - **github.com/sigstore/sigstore** v1.10.0 -> v1.10.4 - **github.com/sigstore/sigstore-go** [`b5fe07a`](https://redirect.github.com/moby/buildkit/commit/b5fe07a5a7d7) -> v1.1.4 - **github.com/sigstore/timestamp-authority/v2** v2.0.2 -> v2.0.3 - **github.com/theupdateframework/go-tuf/v2** v2.3.0 -> v2.4.1 - **google.golang.org/genproto/googleapis/api** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) - **google.golang.org/genproto/googleapis/rpc** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) - **google.golang.org/grpc** v1.76.0 -> v1.78.0 Previous release can be found at [v0.27.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.27.1) </details> <details> <summary>moby/moby (github.com/moby/moby/client)</summary> ### [`v0.4.0`](https://redirect.github.com/moby/moby/compare/v0.3.0...v0.4.0) [Compare Source](https://redirect.github.com/moby/moby/compare/v0.3.0...v0.4.0) ### [`v0.3.0`](https://redirect.github.com/moby/moby/compare/v0.2.2...v0.3.0) [Compare Source](https://redirect.github.com/moby/moby/compare/v0.2.2...v0.3.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "* 1 * * 1-5" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xMDcuMCIsInVwZGF0ZWRJblZlciI6IjM5LjEwNy4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJUZWFtOlNlY3VyaXR5LUNsb3VkIFNlcnZpY2VzIiwiYmFja3BvcnQtc2tpcCIsImRlcGVuZGVuY2llcyIsInJlbm92YXRlIiwicmVub3ZhdGUtYXV0by1hcHByb3ZlIl19--> Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> (cherry picked from commit 5cf36ac) # Conflicts: # go.mod # go.sum
mergify Bot
pushed a commit
to elastic/cloudbeat
that referenced
this pull request
Apr 13, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/moby/buildkit](https://redirect.github.com/moby/buildkit) | indirect | minor | `v0.27.1` -> `v0.29.0` | | [github.com/moby/moby/api](https://redirect.github.com/moby/moby) | indirect | minor | `v1.53.0` -> `v1.54.1` | | [github.com/moby/moby/client](https://redirect.github.com/moby/moby) | indirect | minor | `v0.2.2` -> `v0.4.0` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>moby/buildkit (github.com/moby/buildkit)</summary> ### [`v0.29.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.29.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.1...v0.29.0) Welcome to the v0.29.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - David Karlsson - Akihiro Suda - Sebastiaan van Stijn - Brian Ristuccia - Jonathan A. Sternberg - Mateusz Gozdek - Natnael Gebremariam ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.23.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.23.0) - Git sources can now initialize all files from a Git checkout with commit time in the LLB API for better reproducibility. See [Dockerfile changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.23.0) for how to enable this in the Dockerfile frontend [#​6600](https://redirect.github.com/moby/buildkit/issues/6600) - Various file access operations in Git and HTTP sources have been hardened for improved security [#​6613](https://redirect.github.com/moby/buildkit/issues/6613) - Frontends can now report updated `SOURCE_DATE_EPOCH` with result metadata that can be used by exporters [#​6601](https://redirect.github.com/moby/buildkit/issues/6601) - Fix possible panic when listing build history after recent deletions [#​6614](https://redirect.github.com/moby/buildkit/issues/6614) - Fix possible issue where builds from Git repositories could start to fail after submodule rename [#​6563](https://redirect.github.com/moby/buildkit/issues/6563) - Fix possible process lifecycle event ordering issue in interactive container API that could cause deadlocks in the client [#​6531](https://redirect.github.com/moby/buildkit/issues/6531) - Fix regression where build progress skipped the message about layers being pushed to the registry [#​6587](https://redirect.github.com/moby/buildkit/issues/6587) - Fix possible cgroup initialization failure in BuildKit container image entrypoint on some environments [#​6585](https://redirect.github.com/moby/buildkit/issues/6585) - Fix issue with resolving symlinks via file access methods of the Gateway API [#​6559](https://redirect.github.com/moby/buildkit/issues/6559) - Fix possible "parent snapshot does not exist" error when exporting images in parallel [#​6558](https://redirect.github.com/moby/buildkit/issues/6558) - Fix possible panic from zstd compression [#​6599](https://redirect.github.com/moby/buildkit/issues/6599) - Fix issue where cache imports from an uninitialized local cache tag could fail the build [#​6554](https://redirect.github.com/moby/buildkit/issues/6554) - Included CNI plugins have been updated to v1.9.1 [#​6583](https://redirect.github.com/moby/buildkit/issues/6583) - Included QEMU emulator support has been updated to v10.2.1 [#​6580](https://redirect.github.com/moby/buildkit/issues/6580) - Runc container runtime has been updated to v1.3.5 [#​6625](https://redirect.github.com/moby/buildkit/issues/6625) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.41.1 -> v1.41.4 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.4 -> v1.7.5 - **github.com/aws/aws-sdk-go-v2/config** v1.32.7 -> v1.32.12 - **github.com/aws/aws-sdk-go-v2/credentials** v1.19.7 -> v1.19.12 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.17 -> v1.18.20 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.17 -> v1.4.20 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.17 -> v2.7.20 - **github.com/aws/aws-sdk-go-v2/internal/ini** v1.8.4 -> v1.8.6 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.4 -> v1.13.7 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.17 -> v1.13.20 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 -> v1.0.8 - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.9 -> v1.30.13 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.13 -> v1.35.17 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.41.6 -> v1.41.9 - **github.com/aws/smithy-go** v1.24.0 -> v1.24.2 - **github.com/containerd/cgroups/v3** v3.1.2 -> v3.1.3 - **github.com/containerd/containerd/v2** v2.2.1 -> v2.2.2 - **github.com/containerd/nydus-snapshotter** v0.15.11 -> v0.15.13 - **github.com/containerd/ttrpc** v1.2.7 -> v1.2.8 - **github.com/containernetworking/plugins** v1.9.0 -> v1.9.1 - **github.com/docker/cli** v29.2.1 -> v29.3.1 - **github.com/go-openapi/analysis** v0.24.1 -> v0.24.3 - **github.com/go-openapi/errors** v0.22.6 -> v0.22.7 - **github.com/go-openapi/jsonpointer** v0.22.4 -> v0.22.5 - **github.com/go-openapi/jsonreference** v0.21.4 -> v0.21.5 - **github.com/go-openapi/loads** v0.23.2 -> v0.23.3 - **github.com/go-openapi/spec** v0.22.3 -> v0.22.4 - **github.com/go-openapi/strfmt** v0.25.0 -> v0.26.1 - **github.com/go-openapi/swag/conv** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/fileutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/jsonname** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/jsonutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/loading** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/mangling** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/stringutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/typeutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/yamlutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/validate** v0.25.1 -> v0.25.2 - **github.com/go-viper/mapstructure/v2** v2.4.0 -> v2.5.0 - **github.com/grpc-ecosystem/grpc-gateway/v2** v2.27.3 -> v2.27.7 - **github.com/klauspost/compress** v1.18.4 -> v1.18.5 - **github.com/moby/policy-helpers** [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) -> [`b7c0b99`](https://redirect.github.com/moby/buildkit/commit/b7c0b994300b) - **github.com/oklog/ulid/v2** v2.1.1 ***new*** - **go.opentelemetry.io/otel** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/metric** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/sdk** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/sdk/metric** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/trace** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/proto/otlp** v1.7.1 -> v1.9.0 - **golang.org/x/sys** v0.41.0 -> v0.42.0 - **golang.org/x/term** v0.40.0 -> v0.41.0 - **google.golang.org/genproto/googleapis/api** [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) -> [`8636f87`](https://redirect.github.com/moby/buildkit/commit/8636f8732409) - **google.golang.org/genproto/googleapis/rpc** [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) -> [`8636f87`](https://redirect.github.com/moby/buildkit/commit/8636f8732409) - **google.golang.org/grpc** v1.78.0 -> v1.79.3 Previous release can be found at [v0.28.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) ### [`v0.28.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.27.1...v0.28.0) buildkit 0.28.0 Welcome to the v0.28.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn - Jonathan A. Sternberg - Akihiro Suda - Amr Mahdi - Dan Duvall - David Karlsson - Jonas Geiler - Kevin L. - rsteube ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.22.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.22.0) - The default provenance format has been switched to SLSA v1.0 from the previous v0.2. The old format can still be generated by setting the `version` attribute. [#​6526](https://redirect.github.com/moby/buildkit/issues/6526) - Provenance attestation for an image can now be directly pulled via Source metadata request. [#​6516](https://redirect.github.com/moby/buildkit/issues/6516) [#​6514](https://redirect.github.com/moby/buildkit/issues/6514) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - Pushing result images and exporting build cache now happens in parallel, for better performance. [#​6451](https://redirect.github.com/moby/buildkit/issues/6451) - LLB definition now supports two new Source types for accessing raw blobs from image registries and from OCI layouts. New sources use identifier protocols `docker-image+blob://` and `oci-layout+blob://`. [#​4286](https://redirect.github.com/moby/buildkit/issues/4286) - LLB API now supports custom checksum requests for HTTP sources, allowing fetching checksums for different algorithms than the default SHA256 and with optional suffixes. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - LLB API now supports validating HTTP sources with PGP signatures, similarly to previous support for Git sources. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) - With the update to a newer version of the in-toto library, the provenance attestation key `InvocationID` has changed to `InvocationId` to strictly follow the SLSA spec. This change doesn't affect BuildKit/Buildx Golang tooling, but could affect 3rd party tools if they are using case-sensitive JSON parsing. [#​6533](https://redirect.github.com/moby/buildkit/issues/6533) - Embedded Qemu emulator support has been updated to v10.1.3 [#​6524](https://redirect.github.com/moby/buildkit/issues/6524) - Update BuildKit Cgroups implementation to work in (Kubernetes) environments that don't have their own Cgroup namespace. [#​6368](https://redirect.github.com/moby/buildkit/issues/6368) - Buildctl binary now supports bash completion. [#​6474](https://redirect.github.com/moby/buildkit/issues/6474) - PGP signature verification now supports combined public keys as input for defining the required signer. [#​6519](https://redirect.github.com/moby/buildkit/issues/6519) - Fix possible "failed to read expected number of bytes" error when reading attestation chains [#​6520](https://redirect.github.com/moby/buildkit/issues/6520) - Fix possible error from race condition when creating images in parallel [#​6477](https://redirect.github.com/moby/buildkit/issues/6477) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.39.6 -> v1.41.1 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.2 -> v1.7.4 - **github.com/aws/aws-sdk-go-v2/config** v1.31.20 -> v1.32.7 - **github.com/aws/aws-sdk-go-v2/credentials** v1.18.24 -> v1.19.7 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.13 -> v1.18.17 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.13 -> v1.4.17 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.13 -> v2.7.17 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.3 -> v1.13.4 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.13 -> v1.13.17 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 ***new*** - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.3 -> v1.30.9 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.7 -> v1.35.13 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.40.2 -> v1.41.6 - **github.com/aws/smithy-go** v1.23.2 -> v1.24.0 - **github.com/cloudflare/circl** v1.6.1 -> v1.6.3 - **github.com/containerd/nydus-snapshotter** v0.15.10 -> v0.15.11 - **github.com/containerd/stargz-snapshotter** v0.17.0 -> v0.18.2 - **github.com/containerd/stargz-snapshotter/estargz** v0.17.0 -> v0.18.2 - **github.com/coreos/go-systemd/v22** v22.6.0 -> v22.7.0 - **github.com/docker/cli** v29.1.4 -> v29.2.1 - **github.com/go-openapi/errors** v0.22.4 -> v0.22.6 - **github.com/go-openapi/jsonpointer** v0.22.1 -> v0.22.4 - **github.com/go-openapi/jsonreference** v0.21.3 -> v0.21.4 - **github.com/go-openapi/spec** v0.22.1 -> v0.22.3 - **github.com/go-openapi/swag** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/cmdutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/conv** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/fileutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonname** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/loading** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/mangling** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/netutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/stringutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/typeutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/yamlutils** v0.25.3 -> v0.25.4 - **github.com/google/go-containerregistry** v0.20.6 -> v0.20.7 - **github.com/hanwen/go-fuse/v2** v2.8.0 -> v2.9.0 - **github.com/in-toto/in-toto-golang** v0.9.0 -> v0.10.0 - **github.com/klauspost/compress** v1.18.3 -> v1.18.4 - **github.com/moby/policy-helpers** [`eeebf1a`](https://redirect.github.com/moby/buildkit/commit/eeebf1a0ab2b) -> [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) - **github.com/morikuni/aec** v1.0.0 -> v1.1.0 - **github.com/pelletier/go-toml/v2** v2.2.4 ***new*** - **github.com/secure-systems-lab/go-securesystemslib** v0.9.1 -> v0.10.0 - **github.com/sigstore/rekor** v1.4.3 -> v1.5.0 - **github.com/sigstore/sigstore** v1.10.0 -> v1.10.4 - **github.com/sigstore/sigstore-go** [`b5fe07a`](https://redirect.github.com/moby/buildkit/commit/b5fe07a5a7d7) -> v1.1.4 - **github.com/sigstore/timestamp-authority/v2** v2.0.2 -> v2.0.3 - **github.com/theupdateframework/go-tuf/v2** v2.3.0 -> v2.4.1 - **google.golang.org/genproto/googleapis/api** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) - **google.golang.org/genproto/googleapis/rpc** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) - **google.golang.org/grpc** v1.76.0 -> v1.78.0 Previous release can be found at [v0.27.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.27.1) </details> <details> <summary>moby/moby (github.com/moby/moby/client)</summary> ### [`v0.4.0`](https://redirect.github.com/moby/moby/compare/v0.3.0...v0.4.0) [Compare Source](https://redirect.github.com/moby/moby/compare/v0.3.0...v0.4.0) ### [`v0.3.0`](https://redirect.github.com/moby/moby/compare/v0.2.2...v0.3.0) [Compare Source](https://redirect.github.com/moby/moby/compare/v0.2.2...v0.3.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "* 1 * * 1-5" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xMDcuMCIsInVwZGF0ZWRJblZlciI6IjM5LjEwNy4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJUZWFtOlNlY3VyaXR5LUNsb3VkIFNlcnZpY2VzIiwiYmFja3BvcnQtc2tpcCIsImRlcGVuZGVuY2llcyIsInJlbm92YXRlIiwicmVub3ZhdGUtYXV0by1hcHByb3ZlIl19--> Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> (cherry picked from commit 5cf36ac) # Conflicts: # go.mod # go.sum
mergify Bot
pushed a commit
to elastic/cloudbeat
that referenced
this pull request
Apr 13, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/moby/buildkit](https://redirect.github.com/moby/buildkit) | indirect | minor | `v0.27.1` -> `v0.29.0` | | [github.com/moby/moby/api](https://redirect.github.com/moby/moby) | indirect | minor | `v1.53.0` -> `v1.54.1` | | [github.com/moby/moby/client](https://redirect.github.com/moby/moby) | indirect | minor | `v0.2.2` -> `v0.4.0` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>moby/buildkit (github.com/moby/buildkit)</summary> ### [`v0.29.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.29.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.1...v0.29.0) Welcome to the v0.29.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - David Karlsson - Akihiro Suda - Sebastiaan van Stijn - Brian Ristuccia - Jonathan A. Sternberg - Mateusz Gozdek - Natnael Gebremariam ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.23.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.23.0) - Git sources can now initialize all files from a Git checkout with commit time in the LLB API for better reproducibility. See [Dockerfile changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.23.0) for how to enable this in the Dockerfile frontend [#​6600](https://redirect.github.com/moby/buildkit/issues/6600) - Various file access operations in Git and HTTP sources have been hardened for improved security [#​6613](https://redirect.github.com/moby/buildkit/issues/6613) - Frontends can now report updated `SOURCE_DATE_EPOCH` with result metadata that can be used by exporters [#​6601](https://redirect.github.com/moby/buildkit/issues/6601) - Fix possible panic when listing build history after recent deletions [#​6614](https://redirect.github.com/moby/buildkit/issues/6614) - Fix possible issue where builds from Git repositories could start to fail after submodule rename [#​6563](https://redirect.github.com/moby/buildkit/issues/6563) - Fix possible process lifecycle event ordering issue in interactive container API that could cause deadlocks in the client [#​6531](https://redirect.github.com/moby/buildkit/issues/6531) - Fix regression where build progress skipped the message about layers being pushed to the registry [#​6587](https://redirect.github.com/moby/buildkit/issues/6587) - Fix possible cgroup initialization failure in BuildKit container image entrypoint on some environments [#​6585](https://redirect.github.com/moby/buildkit/issues/6585) - Fix issue with resolving symlinks via file access methods of the Gateway API [#​6559](https://redirect.github.com/moby/buildkit/issues/6559) - Fix possible "parent snapshot does not exist" error when exporting images in parallel [#​6558](https://redirect.github.com/moby/buildkit/issues/6558) - Fix possible panic from zstd compression [#​6599](https://redirect.github.com/moby/buildkit/issues/6599) - Fix issue where cache imports from an uninitialized local cache tag could fail the build [#​6554](https://redirect.github.com/moby/buildkit/issues/6554) - Included CNI plugins have been updated to v1.9.1 [#​6583](https://redirect.github.com/moby/buildkit/issues/6583) - Included QEMU emulator support has been updated to v10.2.1 [#​6580](https://redirect.github.com/moby/buildkit/issues/6580) - Runc container runtime has been updated to v1.3.5 [#​6625](https://redirect.github.com/moby/buildkit/issues/6625) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.41.1 -> v1.41.4 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.4 -> v1.7.5 - **github.com/aws/aws-sdk-go-v2/config** v1.32.7 -> v1.32.12 - **github.com/aws/aws-sdk-go-v2/credentials** v1.19.7 -> v1.19.12 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.17 -> v1.18.20 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.17 -> v1.4.20 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.17 -> v2.7.20 - **github.com/aws/aws-sdk-go-v2/internal/ini** v1.8.4 -> v1.8.6 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.4 -> v1.13.7 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.17 -> v1.13.20 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 -> v1.0.8 - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.9 -> v1.30.13 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.13 -> v1.35.17 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.41.6 -> v1.41.9 - **github.com/aws/smithy-go** v1.24.0 -> v1.24.2 - **github.com/containerd/cgroups/v3** v3.1.2 -> v3.1.3 - **github.com/containerd/containerd/v2** v2.2.1 -> v2.2.2 - **github.com/containerd/nydus-snapshotter** v0.15.11 -> v0.15.13 - **github.com/containerd/ttrpc** v1.2.7 -> v1.2.8 - **github.com/containernetworking/plugins** v1.9.0 -> v1.9.1 - **github.com/docker/cli** v29.2.1 -> v29.3.1 - **github.com/go-openapi/analysis** v0.24.1 -> v0.24.3 - **github.com/go-openapi/errors** v0.22.6 -> v0.22.7 - **github.com/go-openapi/jsonpointer** v0.22.4 -> v0.22.5 - **github.com/go-openapi/jsonreference** v0.21.4 -> v0.21.5 - **github.com/go-openapi/loads** v0.23.2 -> v0.23.3 - **github.com/go-openapi/spec** v0.22.3 -> v0.22.4 - **github.com/go-openapi/strfmt** v0.25.0 -> v0.26.1 - **github.com/go-openapi/swag/conv** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/fileutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/jsonname** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/jsonutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/loading** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/mangling** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/stringutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/typeutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/yamlutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/validate** v0.25.1 -> v0.25.2 - **github.com/go-viper/mapstructure/v2** v2.4.0 -> v2.5.0 - **github.com/grpc-ecosystem/grpc-gateway/v2** v2.27.3 -> v2.27.7 - **github.com/klauspost/compress** v1.18.4 -> v1.18.5 - **github.com/moby/policy-helpers** [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) -> [`b7c0b99`](https://redirect.github.com/moby/buildkit/commit/b7c0b994300b) - **github.com/oklog/ulid/v2** v2.1.1 ***new*** - **go.opentelemetry.io/otel** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/metric** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/sdk** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/sdk/metric** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/trace** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/proto/otlp** v1.7.1 -> v1.9.0 - **golang.org/x/sys** v0.41.0 -> v0.42.0 - **golang.org/x/term** v0.40.0 -> v0.41.0 - **google.golang.org/genproto/googleapis/api** [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) -> [`8636f87`](https://redirect.github.com/moby/buildkit/commit/8636f8732409) - **google.golang.org/genproto/googleapis/rpc** [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) -> [`8636f87`](https://redirect.github.com/moby/buildkit/commit/8636f8732409) - **google.golang.org/grpc** v1.78.0 -> v1.79.3 Previous release can be found at [v0.28.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) ### [`v0.28.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.27.1...v0.28.0) buildkit 0.28.0 Welcome to the v0.28.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn - Jonathan A. Sternberg - Akihiro Suda - Amr Mahdi - Dan Duvall - David Karlsson - Jonas Geiler - Kevin L. - rsteube ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.22.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.22.0) - The default provenance format has been switched to SLSA v1.0 from the previous v0.2. The old format can still be generated by setting the `version` attribute. [#​6526](https://redirect.github.com/moby/buildkit/issues/6526) - Provenance attestation for an image can now be directly pulled via Source metadata request. [#​6516](https://redirect.github.com/moby/buildkit/issues/6516) [#​6514](https://redirect.github.com/moby/buildkit/issues/6514) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - Pushing result images and exporting build cache now happens in parallel, for better performance. [#​6451](https://redirect.github.com/moby/buildkit/issues/6451) - LLB definition now supports two new Source types for accessing raw blobs from image registries and from OCI layouts. New sources use identifier protocols `docker-image+blob://` and `oci-layout+blob://`. [#​4286](https://redirect.github.com/moby/buildkit/issues/4286) - LLB API now supports custom checksum requests for HTTP sources, allowing fetching checksums for different algorithms than the default SHA256 and with optional suffixes. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - LLB API now supports validating HTTP sources with PGP signatures, similarly to previous support for Git sources. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) - With the update to a newer version of the in-toto library, the provenance attestation key `InvocationID` has changed to `InvocationId` to strictly follow the SLSA spec. This change doesn't affect BuildKit/Buildx Golang tooling, but could affect 3rd party tools if they are using case-sensitive JSON parsing. [#​6533](https://redirect.github.com/moby/buildkit/issues/6533) - Embedded Qemu emulator support has been updated to v10.1.3 [#​6524](https://redirect.github.com/moby/buildkit/issues/6524) - Update BuildKit Cgroups implementation to work in (Kubernetes) environments that don't have their own Cgroup namespace. [#​6368](https://redirect.github.com/moby/buildkit/issues/6368) - Buildctl binary now supports bash completion. [#​6474](https://redirect.github.com/moby/buildkit/issues/6474) - PGP signature verification now supports combined public keys as input for defining the required signer. [#​6519](https://redirect.github.com/moby/buildkit/issues/6519) - Fix possible "failed to read expected number of bytes" error when reading attestation chains [#​6520](https://redirect.github.com/moby/buildkit/issues/6520) - Fix possible error from race condition when creating images in parallel [#​6477](https://redirect.github.com/moby/buildkit/issues/6477) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.39.6 -> v1.41.1 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.2 -> v1.7.4 - **github.com/aws/aws-sdk-go-v2/config** v1.31.20 -> v1.32.7 - **github.com/aws/aws-sdk-go-v2/credentials** v1.18.24 -> v1.19.7 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.13 -> v1.18.17 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.13 -> v1.4.17 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.13 -> v2.7.17 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.3 -> v1.13.4 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.13 -> v1.13.17 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 ***new*** - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.3 -> v1.30.9 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.7 -> v1.35.13 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.40.2 -> v1.41.6 - **github.com/aws/smithy-go** v1.23.2 -> v1.24.0 - **github.com/cloudflare/circl** v1.6.1 -> v1.6.3 - **github.com/containerd/nydus-snapshotter** v0.15.10 -> v0.15.11 - **github.com/containerd/stargz-snapshotter** v0.17.0 -> v0.18.2 - **github.com/containerd/stargz-snapshotter/estargz** v0.17.0 -> v0.18.2 - **github.com/coreos/go-systemd/v22** v22.6.0 -> v22.7.0 - **github.com/docker/cli** v29.1.4 -> v29.2.1 - **github.com/go-openapi/errors** v0.22.4 -> v0.22.6 - **github.com/go-openapi/jsonpointer** v0.22.1 -> v0.22.4 - **github.com/go-openapi/jsonreference** v0.21.3 -> v0.21.4 - **github.com/go-openapi/spec** v0.22.1 -> v0.22.3 - **github.com/go-openapi/swag** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/cmdutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/conv** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/fileutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonname** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/loading** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/mangling** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/netutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/stringutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/typeutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/yamlutils** v0.25.3 -> v0.25.4 - **github.com/google/go-containerregistry** v0.20.6 -> v0.20.7 - **github.com/hanwen/go-fuse/v2** v2.8.0 -> v2.9.0 - **github.com/in-toto/in-toto-golang** v0.9.0 -> v0.10.0 - **github.com/klauspost/compress** v1.18.3 -> v1.18.4 - **github.com/moby/policy-helpers** [`eeebf1a`](https://redirect.github.com/moby/buildkit/commit/eeebf1a0ab2b) -> [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) - **github.com/morikuni/aec** v1.0.0 -> v1.1.0 - **github.com/pelletier/go-toml/v2** v2.2.4 ***new*** - **github.com/secure-systems-lab/go-securesystemslib** v0.9.1 -> v0.10.0 - **github.com/sigstore/rekor** v1.4.3 -> v1.5.0 - **github.com/sigstore/sigstore** v1.10.0 -> v1.10.4 - **github.com/sigstore/sigstore-go** [`b5fe07a`](https://redirect.github.com/moby/buildkit/commit/b5fe07a5a7d7) -> v1.1.4 - **github.com/sigstore/timestamp-authority/v2** v2.0.2 -> v2.0.3 - **github.com/theupdateframework/go-tuf/v2** v2.3.0 -> v2.4.1 - **google.golang.org/genproto/googleapis/api** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) - **google.golang.org/genproto/googleapis/rpc** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) - **google.golang.org/grpc** v1.76.0 -> v1.78.0 Previous release can be found at [v0.27.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.27.1) </details> <details> <summary>moby/moby (github.com/moby/moby/client)</summary> ### [`v0.4.0`](https://redirect.github.com/moby/moby/compare/v0.3.0...v0.4.0) [Compare Source](https://redirect.github.com/moby/moby/compare/v0.3.0...v0.4.0) ### [`v0.3.0`](https://redirect.github.com/moby/moby/compare/v0.2.2...v0.3.0) [Compare Source](https://redirect.github.com/moby/moby/compare/v0.2.2...v0.3.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "* 1 * * 1-5" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xMDcuMCIsInVwZGF0ZWRJblZlciI6IjM5LjEwNy4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJUZWFtOlNlY3VyaXR5LUNsb3VkIFNlcnZpY2VzIiwiYmFja3BvcnQtc2tpcCIsImRlcGVuZGVuY2llcyIsInJlbm92YXRlIiwicmVub3ZhdGUtYXV0by1hcHByb3ZlIl19--> Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> (cherry picked from commit 5cf36ac)
olegsu
added a commit
to elastic/cloudbeat
that referenced
this pull request
Apr 13, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/moby/buildkit](https://redirect.github.com/moby/buildkit) | indirect | minor | `v0.27.1` -> `v0.29.0` | | [github.com/moby/moby/api](https://redirect.github.com/moby/moby) | indirect | minor | `v1.53.0` -> `v1.54.1` | | [github.com/moby/moby/client](https://redirect.github.com/moby/moby) | indirect | minor | `v0.2.2` -> `v0.4.0` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>moby/buildkit (github.com/moby/buildkit)</summary> ### [`v0.29.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.29.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.1...v0.29.0) Welcome to the v0.29.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - David Karlsson - Akihiro Suda - Sebastiaan van Stijn - Brian Ristuccia - Jonathan A. Sternberg - Mateusz Gozdek - Natnael Gebremariam ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.23.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.23.0) - Git sources can now initialize all files from a Git checkout with commit time in the LLB API for better reproducibility. See [Dockerfile changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.23.0) for how to enable this in the Dockerfile frontend [#​6600](https://redirect.github.com/moby/buildkit/issues/6600) - Various file access operations in Git and HTTP sources have been hardened for improved security [#​6613](https://redirect.github.com/moby/buildkit/issues/6613) - Frontends can now report updated `SOURCE_DATE_EPOCH` with result metadata that can be used by exporters [#​6601](https://redirect.github.com/moby/buildkit/issues/6601) - Fix possible panic when listing build history after recent deletions [#​6614](https://redirect.github.com/moby/buildkit/issues/6614) - Fix possible issue where builds from Git repositories could start to fail after submodule rename [#​6563](https://redirect.github.com/moby/buildkit/issues/6563) - Fix possible process lifecycle event ordering issue in interactive container API that could cause deadlocks in the client [#​6531](https://redirect.github.com/moby/buildkit/issues/6531) - Fix regression where build progress skipped the message about layers being pushed to the registry [#​6587](https://redirect.github.com/moby/buildkit/issues/6587) - Fix possible cgroup initialization failure in BuildKit container image entrypoint on some environments [#​6585](https://redirect.github.com/moby/buildkit/issues/6585) - Fix issue with resolving symlinks via file access methods of the Gateway API [#​6559](https://redirect.github.com/moby/buildkit/issues/6559) - Fix possible "parent snapshot does not exist" error when exporting images in parallel [#​6558](https://redirect.github.com/moby/buildkit/issues/6558) - Fix possible panic from zstd compression [#​6599](https://redirect.github.com/moby/buildkit/issues/6599) - Fix issue where cache imports from an uninitialized local cache tag could fail the build [#​6554](https://redirect.github.com/moby/buildkit/issues/6554) - Included CNI plugins have been updated to v1.9.1 [#​6583](https://redirect.github.com/moby/buildkit/issues/6583) - Included QEMU emulator support has been updated to v10.2.1 [#​6580](https://redirect.github.com/moby/buildkit/issues/6580) - Runc container runtime has been updated to v1.3.5 [#​6625](https://redirect.github.com/moby/buildkit/issues/6625) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.41.1 -> v1.41.4 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.4 -> v1.7.5 - **github.com/aws/aws-sdk-go-v2/config** v1.32.7 -> v1.32.12 - **github.com/aws/aws-sdk-go-v2/credentials** v1.19.7 -> v1.19.12 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.17 -> v1.18.20 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.17 -> v1.4.20 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.17 -> v2.7.20 - **github.com/aws/aws-sdk-go-v2/internal/ini** v1.8.4 -> v1.8.6 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.4 -> v1.13.7 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.17 -> v1.13.20 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 -> v1.0.8 - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.9 -> v1.30.13 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.13 -> v1.35.17 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.41.6 -> v1.41.9 - **github.com/aws/smithy-go** v1.24.0 -> v1.24.2 - **github.com/containerd/cgroups/v3** v3.1.2 -> v3.1.3 - **github.com/containerd/containerd/v2** v2.2.1 -> v2.2.2 - **github.com/containerd/nydus-snapshotter** v0.15.11 -> v0.15.13 - **github.com/containerd/ttrpc** v1.2.7 -> v1.2.8 - **github.com/containernetworking/plugins** v1.9.0 -> v1.9.1 - **github.com/docker/cli** v29.2.1 -> v29.3.1 - **github.com/go-openapi/analysis** v0.24.1 -> v0.24.3 - **github.com/go-openapi/errors** v0.22.6 -> v0.22.7 - **github.com/go-openapi/jsonpointer** v0.22.4 -> v0.22.5 - **github.com/go-openapi/jsonreference** v0.21.4 -> v0.21.5 - **github.com/go-openapi/loads** v0.23.2 -> v0.23.3 - **github.com/go-openapi/spec** v0.22.3 -> v0.22.4 - **github.com/go-openapi/strfmt** v0.25.0 -> v0.26.1 - **github.com/go-openapi/swag/conv** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/fileutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/jsonname** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/jsonutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/loading** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/mangling** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/stringutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/typeutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/yamlutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/validate** v0.25.1 -> v0.25.2 - **github.com/go-viper/mapstructure/v2** v2.4.0 -> v2.5.0 - **github.com/grpc-ecosystem/grpc-gateway/v2** v2.27.3 -> v2.27.7 - **github.com/klauspost/compress** v1.18.4 -> v1.18.5 - **github.com/moby/policy-helpers** [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) -> [`b7c0b99`](https://redirect.github.com/moby/buildkit/commit/b7c0b994300b) - **github.com/oklog/ulid/v2** v2.1.1 ***new*** - **go.opentelemetry.io/otel** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/metric** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/sdk** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/sdk/metric** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/trace** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/proto/otlp** v1.7.1 -> v1.9.0 - **golang.org/x/sys** v0.41.0 -> v0.42.0 - **golang.org/x/term** v0.40.0 -> v0.41.0 - **google.golang.org/genproto/googleapis/api** [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) -> [`8636f87`](https://redirect.github.com/moby/buildkit/commit/8636f8732409) - **google.golang.org/genproto/googleapis/rpc** [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) -> [`8636f87`](https://redirect.github.com/moby/buildkit/commit/8636f8732409) - **google.golang.org/grpc** v1.78.0 -> v1.79.3 Previous release can be found at [v0.28.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) ### [`v0.28.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.27.1...v0.28.0) buildkit 0.28.0 Welcome to the v0.28.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn - Jonathan A. Sternberg - Akihiro Suda - Amr Mahdi - Dan Duvall - David Karlsson - Jonas Geiler - Kevin L. - rsteube ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.22.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.22.0) - The default provenance format has been switched to SLSA v1.0 from the previous v0.2. The old format can still be generated by setting the `version` attribute. [#​6526](https://redirect.github.com/moby/buildkit/issues/6526) - Provenance attestation for an image can now be directly pulled via Source metadata request. [#​6516](https://redirect.github.com/moby/buildkit/issues/6516) [#​6514](https://redirect.github.com/moby/buildkit/issues/6514) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - Pushing result images and exporting build cache now happens in parallel, for better performance. [#​6451](https://redirect.github.com/moby/buildkit/issues/6451) - LLB definition now supports two new Source types for accessing raw blobs from image registries and from OCI layouts. New sources use identifier protocols `docker-image+blob://` and `oci-layout+blob://`. [#​4286](https://redirect.github.com/moby/buildkit/issues/4286) - LLB API now supports custom checksum requests for HTTP sources, allowing fetching checksums for different algorithms than the default SHA256 and with optional suffixes. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - LLB API now supports validating HTTP sources with PGP signatures, similarly to previous support for Git sources. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) - With the update to a newer version of the in-toto library, the provenance attestation key `InvocationID` has changed to `InvocationId` to strictly follow the SLSA spec. This change doesn't affect BuildKit/Buildx Golang tooling, but could affect 3rd party tools if they are using case-sensitive JSON parsing. [#​6533](https://redirect.github.com/moby/buildkit/issues/6533) - Embedded Qemu emulator support has been updated to v10.1.3 [#​6524](https://redirect.github.com/moby/buildkit/issues/6524) - Update BuildKit Cgroups implementation to work in (Kubernetes) environments that don't have their own Cgroup namespace. [#​6368](https://redirect.github.com/moby/buildkit/issues/6368) - Buildctl binary now supports bash completion. [#​6474](https://redirect.github.com/moby/buildkit/issues/6474) - PGP signature verification now supports combined public keys as input for defining the required signer. [#​6519](https://redirect.github.com/moby/buildkit/issues/6519) - Fix possible "failed to read expected number of bytes" error when reading attestation chains [#​6520](https://redirect.github.com/moby/buildkit/issues/6520) - Fix possible error from race condition when creating images in parallel [#​6477](https://redirect.github.com/moby/buildkit/issues/6477) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.39.6 -> v1.41.1 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.2 -> v1.7.4 - **github.com/aws/aws-sdk-go-v2/config** v1.31.20 -> v1.32.7 - **github.com/aws/aws-sdk-go-v2/credentials** v1.18.24 -> v1.19.7 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.13 -> v1.18.17 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.13 -> v1.4.17 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.13 -> v2.7.17 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.3 -> v1.13.4 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.13 -> v1.13.17 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 ***new*** - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.3 -> v1.30.9 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.7 -> v1.35.13 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.40.2 -> v1.41.6 - **github.com/aws/smithy-go** v1.23.2 -> v1.24.0 - **github.com/cloudflare/circl** v1.6.1 -> v1.6.3 - **github.com/containerd/nydus-snapshotter** v0.15.10 -> v0.15.11 - **github.com/containerd/stargz-snapshotter** v0.17.0 -> v0.18.2 - **github.com/containerd/stargz-snapshotter/estargz** v0.17.0 -> v0.18.2 - **github.com/coreos/go-systemd/v22** v22.6.0 -> v22.7.0 - **github.com/docker/cli** v29.1.4 -> v29.2.1 - **github.com/go-openapi/errors** v0.22.4 -> v0.22.6 - **github.com/go-openapi/jsonpointer** v0.22.1 -> v0.22.4 - **github.com/go-openapi/jsonreference** v0.21.3 -> v0.21.4 - **github.com/go-openapi/spec** v0.22.1 -> v0.22.3 - **github.com/go-openapi/swag** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/cmdutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/conv** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/fileutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonname** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/loading** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/mangling** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/netutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/stringutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/typeutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/yamlutils** v0.25.3 -> v0.25.4 - **github.com/google/go-containerregistry** v0.20.6 -> v0.20.7 - **github.com/hanwen/go-fuse/v2** v2.8.0 -> v2.9.0 - **github.com/in-toto/in-toto-golang** v0.9.0 -> v0.10.0 - **github.com/klauspost/compress** v1.18.3 -> v1.18.4 - **github.com/moby/policy-helpers** [`eeebf1a`](https://redirect.github.com/moby/buildkit/commit/eeebf1a0ab2b) -> [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) - **github.com/morikuni/aec** v1.0.0 -> v1.1.0 - **github.com/pelletier/go-toml/v2** v2.2.4 ***new*** - **github.com/secure-systems-lab/go-securesystemslib** v0.9.1 -> v0.10.0 - **github.com/sigstore/rekor** v1.4.3 -> v1.5.0 - **github.com/sigstore/sigstore** v1.10.0 -> v1.10.4 - **github.com/sigstore/sigstore-go** [`b5fe07a`](https://redirect.github.com/moby/buildkit/commit/b5fe07a5a7d7) -> v1.1.4 - **github.com/sigstore/timestamp-authority/v2** v2.0.2 -> v2.0.3 - **github.com/theupdateframework/go-tuf/v2** v2.3.0 -> v2.4.1 - **google.golang.org/genproto/googleapis/api** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) - **google.golang.org/genproto/googleapis/rpc** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) - **google.golang.org/grpc** v1.76.0 -> v1.78.0 Previous release can be found at [v0.27.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.27.1) </details> <details> <summary>moby/moby (github.com/moby/moby/client)</summary> ### [`v0.4.0`](https://redirect.github.com/moby/moby/compare/v0.3.0...v0.4.0) [Compare Source](https://redirect.github.com/moby/moby/compare/v0.3.0...v0.4.0) ### [`v0.3.0`](https://redirect.github.com/moby/moby/compare/v0.2.2...v0.3.0) [Compare Source](https://redirect.github.com/moby/moby/compare/v0.2.2...v0.3.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "* 1 * * 1-5" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <hr>This is an automatic backport of pull request #4352 done by [Mergify](https://mergify.com). --------- Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Oleg Sucharevich <oleg.sucharevich@elastic.co> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
olegsu
added a commit
to elastic/cloudbeat
that referenced
this pull request
Apr 13, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/moby/buildkit](https://redirect.github.com/moby/buildkit) | indirect | minor | `v0.27.1` -> `v0.29.0` | | [github.com/moby/moby/api](https://redirect.github.com/moby/moby) | indirect | minor | `v1.53.0` -> `v1.54.1` | | [github.com/moby/moby/client](https://redirect.github.com/moby/moby) | indirect | minor | `v0.2.2` -> `v0.4.0` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>moby/buildkit (github.com/moby/buildkit)</summary> ### [`v0.29.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.29.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.1...v0.29.0) Welcome to the v0.29.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - David Karlsson - Akihiro Suda - Sebastiaan van Stijn - Brian Ristuccia - Jonathan A. Sternberg - Mateusz Gozdek - Natnael Gebremariam ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.23.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.23.0) - Git sources can now initialize all files from a Git checkout with commit time in the LLB API for better reproducibility. See [Dockerfile changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.23.0) for how to enable this in the Dockerfile frontend [#​6600](https://redirect.github.com/moby/buildkit/issues/6600) - Various file access operations in Git and HTTP sources have been hardened for improved security [#​6613](https://redirect.github.com/moby/buildkit/issues/6613) - Frontends can now report updated `SOURCE_DATE_EPOCH` with result metadata that can be used by exporters [#​6601](https://redirect.github.com/moby/buildkit/issues/6601) - Fix possible panic when listing build history after recent deletions [#​6614](https://redirect.github.com/moby/buildkit/issues/6614) - Fix possible issue where builds from Git repositories could start to fail after submodule rename [#​6563](https://redirect.github.com/moby/buildkit/issues/6563) - Fix possible process lifecycle event ordering issue in interactive container API that could cause deadlocks in the client [#​6531](https://redirect.github.com/moby/buildkit/issues/6531) - Fix regression where build progress skipped the message about layers being pushed to the registry [#​6587](https://redirect.github.com/moby/buildkit/issues/6587) - Fix possible cgroup initialization failure in BuildKit container image entrypoint on some environments [#​6585](https://redirect.github.com/moby/buildkit/issues/6585) - Fix issue with resolving symlinks via file access methods of the Gateway API [#​6559](https://redirect.github.com/moby/buildkit/issues/6559) - Fix possible "parent snapshot does not exist" error when exporting images in parallel [#​6558](https://redirect.github.com/moby/buildkit/issues/6558) - Fix possible panic from zstd compression [#​6599](https://redirect.github.com/moby/buildkit/issues/6599) - Fix issue where cache imports from an uninitialized local cache tag could fail the build [#​6554](https://redirect.github.com/moby/buildkit/issues/6554) - Included CNI plugins have been updated to v1.9.1 [#​6583](https://redirect.github.com/moby/buildkit/issues/6583) - Included QEMU emulator support has been updated to v10.2.1 [#​6580](https://redirect.github.com/moby/buildkit/issues/6580) - Runc container runtime has been updated to v1.3.5 [#​6625](https://redirect.github.com/moby/buildkit/issues/6625) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.41.1 -> v1.41.4 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.4 -> v1.7.5 - **github.com/aws/aws-sdk-go-v2/config** v1.32.7 -> v1.32.12 - **github.com/aws/aws-sdk-go-v2/credentials** v1.19.7 -> v1.19.12 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.17 -> v1.18.20 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.17 -> v1.4.20 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.17 -> v2.7.20 - **github.com/aws/aws-sdk-go-v2/internal/ini** v1.8.4 -> v1.8.6 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.4 -> v1.13.7 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.17 -> v1.13.20 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 -> v1.0.8 - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.9 -> v1.30.13 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.13 -> v1.35.17 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.41.6 -> v1.41.9 - **github.com/aws/smithy-go** v1.24.0 -> v1.24.2 - **github.com/containerd/cgroups/v3** v3.1.2 -> v3.1.3 - **github.com/containerd/containerd/v2** v2.2.1 -> v2.2.2 - **github.com/containerd/nydus-snapshotter** v0.15.11 -> v0.15.13 - **github.com/containerd/ttrpc** v1.2.7 -> v1.2.8 - **github.com/containernetworking/plugins** v1.9.0 -> v1.9.1 - **github.com/docker/cli** v29.2.1 -> v29.3.1 - **github.com/go-openapi/analysis** v0.24.1 -> v0.24.3 - **github.com/go-openapi/errors** v0.22.6 -> v0.22.7 - **github.com/go-openapi/jsonpointer** v0.22.4 -> v0.22.5 - **github.com/go-openapi/jsonreference** v0.21.4 -> v0.21.5 - **github.com/go-openapi/loads** v0.23.2 -> v0.23.3 - **github.com/go-openapi/spec** v0.22.3 -> v0.22.4 - **github.com/go-openapi/strfmt** v0.25.0 -> v0.26.1 - **github.com/go-openapi/swag/conv** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/fileutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/jsonname** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/jsonutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/loading** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/mangling** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/stringutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/typeutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/yamlutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/validate** v0.25.1 -> v0.25.2 - **github.com/go-viper/mapstructure/v2** v2.4.0 -> v2.5.0 - **github.com/grpc-ecosystem/grpc-gateway/v2** v2.27.3 -> v2.27.7 - **github.com/klauspost/compress** v1.18.4 -> v1.18.5 - **github.com/moby/policy-helpers** [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) -> [`b7c0b99`](https://redirect.github.com/moby/buildkit/commit/b7c0b994300b) - **github.com/oklog/ulid/v2** v2.1.1 ***new*** - **go.opentelemetry.io/otel** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/metric** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/sdk** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/sdk/metric** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/trace** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/proto/otlp** v1.7.1 -> v1.9.0 - **golang.org/x/sys** v0.41.0 -> v0.42.0 - **golang.org/x/term** v0.40.0 -> v0.41.0 - **google.golang.org/genproto/googleapis/api** [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) -> [`8636f87`](https://redirect.github.com/moby/buildkit/commit/8636f8732409) - **google.golang.org/genproto/googleapis/rpc** [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) -> [`8636f87`](https://redirect.github.com/moby/buildkit/commit/8636f8732409) - **google.golang.org/grpc** v1.78.0 -> v1.79.3 Previous release can be found at [v0.28.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) ### [`v0.28.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.27.1...v0.28.0) buildkit 0.28.0 Welcome to the v0.28.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn - Jonathan A. Sternberg - Akihiro Suda - Amr Mahdi - Dan Duvall - David Karlsson - Jonas Geiler - Kevin L. - rsteube ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.22.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.22.0) - The default provenance format has been switched to SLSA v1.0 from the previous v0.2. The old format can still be generated by setting the `version` attribute. [#​6526](https://redirect.github.com/moby/buildkit/issues/6526) - Provenance attestation for an image can now be directly pulled via Source metadata request. [#​6516](https://redirect.github.com/moby/buildkit/issues/6516) [#​6514](https://redirect.github.com/moby/buildkit/issues/6514) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - Pushing result images and exporting build cache now happens in parallel, for better performance. [#​6451](https://redirect.github.com/moby/buildkit/issues/6451) - LLB definition now supports two new Source types for accessing raw blobs from image registries and from OCI layouts. New sources use identifier protocols `docker-image+blob://` and `oci-layout+blob://`. [#​4286](https://redirect.github.com/moby/buildkit/issues/4286) - LLB API now supports custom checksum requests for HTTP sources, allowing fetching checksums for different algorithms than the default SHA256 and with optional suffixes. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - LLB API now supports validating HTTP sources with PGP signatures, similarly to previous support for Git sources. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) - With the update to a newer version of the in-toto library, the provenance attestation key `InvocationID` has changed to `InvocationId` to strictly follow the SLSA spec. This change doesn't affect BuildKit/Buildx Golang tooling, but could affect 3rd party tools if they are using case-sensitive JSON parsing. [#​6533](https://redirect.github.com/moby/buildkit/issues/6533) - Embedded Qemu emulator support has been updated to v10.1.3 [#​6524](https://redirect.github.com/moby/buildkit/issues/6524) - Update BuildKit Cgroups implementation to work in (Kubernetes) environments that don't have their own Cgroup namespace. [#​6368](https://redirect.github.com/moby/buildkit/issues/6368) - Buildctl binary now supports bash completion. [#​6474](https://redirect.github.com/moby/buildkit/issues/6474) - PGP signature verification now supports combined public keys as input for defining the required signer. [#​6519](https://redirect.github.com/moby/buildkit/issues/6519) - Fix possible "failed to read expected number of bytes" error when reading attestation chains [#​6520](https://redirect.github.com/moby/buildkit/issues/6520) - Fix possible error from race condition when creating images in parallel [#​6477](https://redirect.github.com/moby/buildkit/issues/6477) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.39.6 -> v1.41.1 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.2 -> v1.7.4 - **github.com/aws/aws-sdk-go-v2/config** v1.31.20 -> v1.32.7 - **github.com/aws/aws-sdk-go-v2/credentials** v1.18.24 -> v1.19.7 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.13 -> v1.18.17 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.13 -> v1.4.17 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.13 -> v2.7.17 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.3 -> v1.13.4 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.13 -> v1.13.17 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 ***new*** - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.3 -> v1.30.9 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.7 -> v1.35.13 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.40.2 -> v1.41.6 - **github.com/aws/smithy-go** v1.23.2 -> v1.24.0 - **github.com/cloudflare/circl** v1.6.1 -> v1.6.3 - **github.com/containerd/nydus-snapshotter** v0.15.10 -> v0.15.11 - **github.com/containerd/stargz-snapshotter** v0.17.0 -> v0.18.2 - **github.com/containerd/stargz-snapshotter/estargz** v0.17.0 -> v0.18.2 - **github.com/coreos/go-systemd/v22** v22.6.0 -> v22.7.0 - **github.com/docker/cli** v29.1.4 -> v29.2.1 - **github.com/go-openapi/errors** v0.22.4 -> v0.22.6 - **github.com/go-openapi/jsonpointer** v0.22.1 -> v0.22.4 - **github.com/go-openapi/jsonreference** v0.21.3 -> v0.21.4 - **github.com/go-openapi/spec** v0.22.1 -> v0.22.3 - **github.com/go-openapi/swag** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/cmdutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/conv** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/fileutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonname** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/loading** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/mangling** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/netutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/stringutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/typeutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/yamlutils** v0.25.3 -> v0.25.4 - **github.com/google/go-containerregistry** v0.20.6 -> v0.20.7 - **github.com/hanwen/go-fuse/v2** v2.8.0 -> v2.9.0 - **github.com/in-toto/in-toto-golang** v0.9.0 -> v0.10.0 - **github.com/klauspost/compress** v1.18.3 -> v1.18.4 - **github.com/moby/policy-helpers** [`eeebf1a`](https://redirect.github.com/moby/buildkit/commit/eeebf1a0ab2b) -> [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) - **github.com/morikuni/aec** v1.0.0 -> v1.1.0 - **github.com/pelletier/go-toml/v2** v2.2.4 ***new*** - **github.com/secure-systems-lab/go-securesystemslib** v0.9.1 -> v0.10.0 - **github.com/sigstore/rekor** v1.4.3 -> v1.5.0 - **github.com/sigstore/sigstore** v1.10.0 -> v1.10.4 - **github.com/sigstore/sigstore-go** [`b5fe07a`](https://redirect.github.com/moby/buildkit/commit/b5fe07a5a7d7) -> v1.1.4 - **github.com/sigstore/timestamp-authority/v2** v2.0.2 -> v2.0.3 - **github.com/theupdateframework/go-tuf/v2** v2.3.0 -> v2.4.1 - **google.golang.org/genproto/googleapis/api** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) - **google.golang.org/genproto/googleapis/rpc** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) - **google.golang.org/grpc** v1.76.0 -> v1.78.0 Previous release can be found at [v0.27.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.27.1) </details> <details> <summary>moby/moby (github.com/moby/moby/client)</summary> ### [`v0.4.0`](https://redirect.github.com/moby/moby/compare/v0.3.0...v0.4.0) [Compare Source](https://redirect.github.com/moby/moby/compare/v0.3.0...v0.4.0) ### [`v0.3.0`](https://redirect.github.com/moby/moby/compare/v0.2.2...v0.3.0) [Compare Source](https://redirect.github.com/moby/moby/compare/v0.2.2...v0.3.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "* 1 * * 1-5" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <hr>This is an automatic backport of pull request #4352 done by [Mergify](https://mergify.com). --------- Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Oleg Sucharevich <oleg.sucharevich@elastic.co>
olegsu
added a commit
to elastic/cloudbeat
that referenced
this pull request
Apr 13, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/moby/buildkit](https://redirect.github.com/moby/buildkit) | indirect | minor | `v0.27.1` -> `v0.29.0` | | [github.com/moby/moby/api](https://redirect.github.com/moby/moby) | indirect | minor | `v1.53.0` -> `v1.54.1` | | [github.com/moby/moby/client](https://redirect.github.com/moby/moby) | indirect | minor | `v0.2.2` -> `v0.4.0` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>moby/buildkit (github.com/moby/buildkit)</summary> ### [`v0.29.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.29.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.1...v0.29.0) Welcome to the v0.29.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - David Karlsson - Akihiro Suda - Sebastiaan van Stijn - Brian Ristuccia - Jonathan A. Sternberg - Mateusz Gozdek - Natnael Gebremariam ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.23.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.23.0) - Git sources can now initialize all files from a Git checkout with commit time in the LLB API for better reproducibility. See [Dockerfile changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.23.0) for how to enable this in the Dockerfile frontend [#​6600](https://redirect.github.com/moby/buildkit/issues/6600) - Various file access operations in Git and HTTP sources have been hardened for improved security [#​6613](https://redirect.github.com/moby/buildkit/issues/6613) - Frontends can now report updated `SOURCE_DATE_EPOCH` with result metadata that can be used by exporters [#​6601](https://redirect.github.com/moby/buildkit/issues/6601) - Fix possible panic when listing build history after recent deletions [#​6614](https://redirect.github.com/moby/buildkit/issues/6614) - Fix possible issue where builds from Git repositories could start to fail after submodule rename [#​6563](https://redirect.github.com/moby/buildkit/issues/6563) - Fix possible process lifecycle event ordering issue in interactive container API that could cause deadlocks in the client [#​6531](https://redirect.github.com/moby/buildkit/issues/6531) - Fix regression where build progress skipped the message about layers being pushed to the registry [#​6587](https://redirect.github.com/moby/buildkit/issues/6587) - Fix possible cgroup initialization failure in BuildKit container image entrypoint on some environments [#​6585](https://redirect.github.com/moby/buildkit/issues/6585) - Fix issue with resolving symlinks via file access methods of the Gateway API [#​6559](https://redirect.github.com/moby/buildkit/issues/6559) - Fix possible "parent snapshot does not exist" error when exporting images in parallel [#​6558](https://redirect.github.com/moby/buildkit/issues/6558) - Fix possible panic from zstd compression [#​6599](https://redirect.github.com/moby/buildkit/issues/6599) - Fix issue where cache imports from an uninitialized local cache tag could fail the build [#​6554](https://redirect.github.com/moby/buildkit/issues/6554) - Included CNI plugins have been updated to v1.9.1 [#​6583](https://redirect.github.com/moby/buildkit/issues/6583) - Included QEMU emulator support has been updated to v10.2.1 [#​6580](https://redirect.github.com/moby/buildkit/issues/6580) - Runc container runtime has been updated to v1.3.5 [#​6625](https://redirect.github.com/moby/buildkit/issues/6625) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.41.1 -> v1.41.4 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.4 -> v1.7.5 - **github.com/aws/aws-sdk-go-v2/config** v1.32.7 -> v1.32.12 - **github.com/aws/aws-sdk-go-v2/credentials** v1.19.7 -> v1.19.12 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.17 -> v1.18.20 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.17 -> v1.4.20 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.17 -> v2.7.20 - **github.com/aws/aws-sdk-go-v2/internal/ini** v1.8.4 -> v1.8.6 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.4 -> v1.13.7 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.17 -> v1.13.20 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 -> v1.0.8 - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.9 -> v1.30.13 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.13 -> v1.35.17 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.41.6 -> v1.41.9 - **github.com/aws/smithy-go** v1.24.0 -> v1.24.2 - **github.com/containerd/cgroups/v3** v3.1.2 -> v3.1.3 - **github.com/containerd/containerd/v2** v2.2.1 -> v2.2.2 - **github.com/containerd/nydus-snapshotter** v0.15.11 -> v0.15.13 - **github.com/containerd/ttrpc** v1.2.7 -> v1.2.8 - **github.com/containernetworking/plugins** v1.9.0 -> v1.9.1 - **github.com/docker/cli** v29.2.1 -> v29.3.1 - **github.com/go-openapi/analysis** v0.24.1 -> v0.24.3 - **github.com/go-openapi/errors** v0.22.6 -> v0.22.7 - **github.com/go-openapi/jsonpointer** v0.22.4 -> v0.22.5 - **github.com/go-openapi/jsonreference** v0.21.4 -> v0.21.5 - **github.com/go-openapi/loads** v0.23.2 -> v0.23.3 - **github.com/go-openapi/spec** v0.22.3 -> v0.22.4 - **github.com/go-openapi/strfmt** v0.25.0 -> v0.26.1 - **github.com/go-openapi/swag/conv** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/fileutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/jsonname** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/jsonutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/loading** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/mangling** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/stringutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/typeutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/yamlutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/validate** v0.25.1 -> v0.25.2 - **github.com/go-viper/mapstructure/v2** v2.4.0 -> v2.5.0 - **github.com/grpc-ecosystem/grpc-gateway/v2** v2.27.3 -> v2.27.7 - **github.com/klauspost/compress** v1.18.4 -> v1.18.5 - **github.com/moby/policy-helpers** [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) -> [`b7c0b99`](https://redirect.github.com/moby/buildkit/commit/b7c0b994300b) - **github.com/oklog/ulid/v2** v2.1.1 ***new*** - **go.opentelemetry.io/otel** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/metric** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/sdk** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/sdk/metric** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/trace** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/proto/otlp** v1.7.1 -> v1.9.0 - **golang.org/x/sys** v0.41.0 -> v0.42.0 - **golang.org/x/term** v0.40.0 -> v0.41.0 - **google.golang.org/genproto/googleapis/api** [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) -> [`8636f87`](https://redirect.github.com/moby/buildkit/commit/8636f8732409) - **google.golang.org/genproto/googleapis/rpc** [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) -> [`8636f87`](https://redirect.github.com/moby/buildkit/commit/8636f8732409) - **google.golang.org/grpc** v1.78.0 -> v1.79.3 Previous release can be found at [v0.28.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) ### [`v0.28.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.27.1...v0.28.0) buildkit 0.28.0 Welcome to the v0.28.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn - Jonathan A. Sternberg - Akihiro Suda - Amr Mahdi - Dan Duvall - David Karlsson - Jonas Geiler - Kevin L. - rsteube ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.22.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.22.0) - The default provenance format has been switched to SLSA v1.0 from the previous v0.2. The old format can still be generated by setting the `version` attribute. [#​6526](https://redirect.github.com/moby/buildkit/issues/6526) - Provenance attestation for an image can now be directly pulled via Source metadata request. [#​6516](https://redirect.github.com/moby/buildkit/issues/6516) [#​6514](https://redirect.github.com/moby/buildkit/issues/6514) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - Pushing result images and exporting build cache now happens in parallel, for better performance. [#​6451](https://redirect.github.com/moby/buildkit/issues/6451) - LLB definition now supports two new Source types for accessing raw blobs from image registries and from OCI layouts. New sources use identifier protocols `docker-image+blob://` and `oci-layout+blob://`. [#​4286](https://redirect.github.com/moby/buildkit/issues/4286) - LLB API now supports custom checksum requests for HTTP sources, allowing fetching checksums for different algorithms than the default SHA256 and with optional suffixes. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - LLB API now supports validating HTTP sources with PGP signatures, similarly to previous support for Git sources. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) - With the update to a newer version of the in-toto library, the provenance attestation key `InvocationID` has changed to `InvocationId` to strictly follow the SLSA spec. This change doesn't affect BuildKit/Buildx Golang tooling, but could affect 3rd party tools if they are using case-sensitive JSON parsing. [#​6533](https://redirect.github.com/moby/buildkit/issues/6533) - Embedded Qemu emulator support has been updated to v10.1.3 [#​6524](https://redirect.github.com/moby/buildkit/issues/6524) - Update BuildKit Cgroups implementation to work in (Kubernetes) environments that don't have their own Cgroup namespace. [#​6368](https://redirect.github.com/moby/buildkit/issues/6368) - Buildctl binary now supports bash completion. [#​6474](https://redirect.github.com/moby/buildkit/issues/6474) - PGP signature verification now supports combined public keys as input for defining the required signer. [#​6519](https://redirect.github.com/moby/buildkit/issues/6519) - Fix possible "failed to read expected number of bytes" error when reading attestation chains [#​6520](https://redirect.github.com/moby/buildkit/issues/6520) - Fix possible error from race condition when creating images in parallel [#​6477](https://redirect.github.com/moby/buildkit/issues/6477) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.39.6 -> v1.41.1 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.2 -> v1.7.4 - **github.com/aws/aws-sdk-go-v2/config** v1.31.20 -> v1.32.7 - **github.com/aws/aws-sdk-go-v2/credentials** v1.18.24 -> v1.19.7 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.13 -> v1.18.17 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.13 -> v1.4.17 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.13 -> v2.7.17 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.3 -> v1.13.4 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.13 -> v1.13.17 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 ***new*** - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.3 -> v1.30.9 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.7 -> v1.35.13 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.40.2 -> v1.41.6 - **github.com/aws/smithy-go** v1.23.2 -> v1.24.0 - **github.com/cloudflare/circl** v1.6.1 -> v1.6.3 - **github.com/containerd/nydus-snapshotter** v0.15.10 -> v0.15.11 - **github.com/containerd/stargz-snapshotter** v0.17.0 -> v0.18.2 - **github.com/containerd/stargz-snapshotter/estargz** v0.17.0 -> v0.18.2 - **github.com/coreos/go-systemd/v22** v22.6.0 -> v22.7.0 - **github.com/docker/cli** v29.1.4 -> v29.2.1 - **github.com/go-openapi/errors** v0.22.4 -> v0.22.6 - **github.com/go-openapi/jsonpointer** v0.22.1 -> v0.22.4 - **github.com/go-openapi/jsonreference** v0.21.3 -> v0.21.4 - **github.com/go-openapi/spec** v0.22.1 -> v0.22.3 - **github.com/go-openapi/swag** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/cmdutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/conv** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/fileutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonname** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/loading** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/mangling** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/netutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/stringutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/typeutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/yamlutils** v0.25.3 -> v0.25.4 - **github.com/google/go-containerregistry** v0.20.6 -> v0.20.7 - **github.com/hanwen/go-fuse/v2** v2.8.0 -> v2.9.0 - **github.com/in-toto/in-toto-golang** v0.9.0 -> v0.10.0 - **github.com/klauspost/compress** v1.18.3 -> v1.18.4 - **github.com/moby/policy-helpers** [`eeebf1a`](https://redirect.github.com/moby/buildkit/commit/eeebf1a0ab2b) -> [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) - **github.com/morikuni/aec** v1.0.0 -> v1.1.0 - **github.com/pelletier/go-toml/v2** v2.2.4 ***new*** - **github.com/secure-systems-lab/go-securesystemslib** v0.9.1 -> v0.10.0 - **github.com/sigstore/rekor** v1.4.3 -> v1.5.0 - **github.com/sigstore/sigstore** v1.10.0 -> v1.10.4 - **github.com/sigstore/sigstore-go** [`b5fe07a`](https://redirect.github.com/moby/buildkit/commit/b5fe07a5a7d7) -> v1.1.4 - **github.com/sigstore/timestamp-authority/v2** v2.0.2 -> v2.0.3 - **github.com/theupdateframework/go-tuf/v2** v2.3.0 -> v2.4.1 - **google.golang.org/genproto/googleapis/api** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) - **google.golang.org/genproto/googleapis/rpc** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) - **google.golang.org/grpc** v1.76.0 -> v1.78.0 Previous release can be found at [v0.27.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.27.1) </details> <details> <summary>moby/moby (github.com/moby/moby/client)</summary> ### [`v0.4.0`](https://redirect.github.com/moby/moby/compare/v0.3.0...v0.4.0) [Compare Source](https://redirect.github.com/moby/moby/compare/v0.3.0...v0.4.0) ### [`v0.3.0`](https://redirect.github.com/moby/moby/compare/v0.2.2...v0.3.0) [Compare Source](https://redirect.github.com/moby/moby/compare/v0.2.2...v0.3.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "* 1 * * 1-5" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <hr>This is an automatic backport of pull request #4352 done by [Mergify](https://mergify.com). --------- Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Oleg Sucharevich <oleg.sucharevich@elastic.co>
chhe
pushed a commit
to chhe/act_runner
that referenced
this pull request
Apr 29, 2026
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/moby/patternmatcher](https://github.com/moby/patternmatcher) | `v0.6.0` → `v0.6.1` |  |  | --- ### Release Notes <details> <summary>moby/patternmatcher (github.com/moby/patternmatcher)</summary> ### [`v0.6.1`](https://github.com/moby/patternmatcher/releases/tag/v0.6.1) [Compare Source](moby/patternmatcher@v0.6.0...v0.6.1) #### What's Changed - fix panic / nil pointer dereference on invalid patterns [#​9](moby/patternmatcher#9) - ci: update actions and test against "oldest", "oldstable" and "stable" [#​8](moby/patternmatcher#8) **Full Changelog**: <moby/patternmatcher@v0.6.0...v0.6.1> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDUuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE0NS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Reviewed-on: https://gitea.com/gitea/act_runner/pulls/868 Reviewed-by: silverwind <2021+silverwind@noreply.gitea.com> Co-authored-by: Renovate Bot <renovate-bot@gitea.com> Co-committed-by: Renovate Bot <renovate-bot@gitea.com>
olegsu
pushed a commit
to elastic/cloudbeat
that referenced
this pull request
Apr 30, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/moby/buildkit](https://redirect.github.com/moby/buildkit) | indirect | minor | `v0.23.2` -> `v0.29.0` | | [github.com/moby/moby/api](https://redirect.github.com/moby/moby) | indirect | minor | `v1.53.0` -> `v1.54.2` | | [github.com/moby/moby/client](https://redirect.github.com/moby/moby) | indirect | minor | `v0.2.2` -> `v0.4.1` | | [github.com/moby/spdystream](https://redirect.github.com/moby/spdystream) | indirect | patch | `v0.5.0` -> `v0.5.1` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>moby/buildkit (github.com/moby/buildkit)</summary> ### [`v0.29.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.29.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.1...v0.29.0) Welcome to the v0.29.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - David Karlsson - Akihiro Suda - Sebastiaan van Stijn - Brian Ristuccia - Jonathan A. Sternberg - Mateusz Gozdek - Natnael Gebremariam ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.23.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.23.0) - Git sources can now initialize all files from a Git checkout with commit time in the LLB API for better reproducibility. See [Dockerfile changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.23.0) for how to enable this in the Dockerfile frontend [#​6600](https://redirect.github.com/moby/buildkit/issues/6600) - Various file access operations in Git and HTTP sources have been hardened for improved security [#​6613](https://redirect.github.com/moby/buildkit/issues/6613) - Frontends can now report updated `SOURCE_DATE_EPOCH` with result metadata that can be used by exporters [#​6601](https://redirect.github.com/moby/buildkit/issues/6601) - Fix possible panic when listing build history after recent deletions [#​6614](https://redirect.github.com/moby/buildkit/issues/6614) - Fix possible issue where builds from Git repositories could start to fail after submodule rename [#​6563](https://redirect.github.com/moby/buildkit/issues/6563) - Fix possible process lifecycle event ordering issue in interactive container API that could cause deadlocks in the client [#​6531](https://redirect.github.com/moby/buildkit/issues/6531) - Fix regression where build progress skipped the message about layers being pushed to the registry [#​6587](https://redirect.github.com/moby/buildkit/issues/6587) - Fix possible cgroup initialization failure in BuildKit container image entrypoint on some environments [#​6585](https://redirect.github.com/moby/buildkit/issues/6585) - Fix issue with resolving symlinks via file access methods of the Gateway API [#​6559](https://redirect.github.com/moby/buildkit/issues/6559) - Fix possible "parent snapshot does not exist" error when exporting images in parallel [#​6558](https://redirect.github.com/moby/buildkit/issues/6558) - Fix possible panic from zstd compression [#​6599](https://redirect.github.com/moby/buildkit/issues/6599) - Fix issue where cache imports from an uninitialized local cache tag could fail the build [#​6554](https://redirect.github.com/moby/buildkit/issues/6554) - Included CNI plugins have been updated to v1.9.1 [#​6583](https://redirect.github.com/moby/buildkit/issues/6583) - Included QEMU emulator support has been updated to v10.2.1 [#​6580](https://redirect.github.com/moby/buildkit/issues/6580) - Runc container runtime has been updated to v1.3.5 [#​6625](https://redirect.github.com/moby/buildkit/issues/6625) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.41.1 -> v1.41.4 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.4 -> v1.7.5 - **github.com/aws/aws-sdk-go-v2/config** v1.32.7 -> v1.32.12 - **github.com/aws/aws-sdk-go-v2/credentials** v1.19.7 -> v1.19.12 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.17 -> v1.18.20 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.17 -> v1.4.20 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.17 -> v2.7.20 - **github.com/aws/aws-sdk-go-v2/internal/ini** v1.8.4 -> v1.8.6 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.4 -> v1.13.7 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.17 -> v1.13.20 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 -> v1.0.8 - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.9 -> v1.30.13 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.13 -> v1.35.17 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.41.6 -> v1.41.9 - **github.com/aws/smithy-go** v1.24.0 -> v1.24.2 - **github.com/containerd/cgroups/v3** v3.1.2 -> v3.1.3 - **github.com/containerd/containerd/v2** v2.2.1 -> v2.2.2 - **github.com/containerd/nydus-snapshotter** v0.15.11 -> v0.15.13 - **github.com/containerd/ttrpc** v1.2.7 -> v1.2.8 - **github.com/containernetworking/plugins** v1.9.0 -> v1.9.1 - **github.com/docker/cli** v29.2.1 -> v29.3.1 - **github.com/go-openapi/analysis** v0.24.1 -> v0.24.3 - **github.com/go-openapi/errors** v0.22.6 -> v0.22.7 - **github.com/go-openapi/jsonpointer** v0.22.4 -> v0.22.5 - **github.com/go-openapi/jsonreference** v0.21.4 -> v0.21.5 - **github.com/go-openapi/loads** v0.23.2 -> v0.23.3 - **github.com/go-openapi/spec** v0.22.3 -> v0.22.4 - **github.com/go-openapi/strfmt** v0.25.0 -> v0.26.1 - **github.com/go-openapi/swag/conv** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/fileutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/jsonname** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/jsonutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/loading** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/mangling** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/stringutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/typeutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/yamlutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/validate** v0.25.1 -> v0.25.2 - **github.com/go-viper/mapstructure/v2** v2.4.0 -> v2.5.0 - **github.com/grpc-ecosystem/grpc-gateway/v2** v2.27.3 -> v2.27.7 - **github.com/klauspost/compress** v1.18.4 -> v1.18.5 - **github.com/moby/policy-helpers** [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) -> [`b7c0b99`](https://redirect.github.com/moby/buildkit/commit/b7c0b994300b) - **github.com/oklog/ulid/v2** v2.1.1 ***new*** - **go.opentelemetry.io/otel** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/metric** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/sdk** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/sdk/metric** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/trace** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/proto/otlp** v1.7.1 -> v1.9.0 - **golang.org/x/sys** v0.41.0 -> v0.42.0 - **golang.org/x/term** v0.40.0 -> v0.41.0 - **google.golang.org/genproto/googleapis/api** [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) -> [`8636f87`](https://redirect.github.com/moby/buildkit/commit/8636f8732409) - **google.golang.org/genproto/googleapis/rpc** [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) -> [`8636f87`](https://redirect.github.com/moby/buildkit/commit/8636f8732409) - **google.golang.org/grpc** v1.78.0 -> v1.79.3 Previous release can be found at [v0.28.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) ### [`v0.28.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.27.1...v0.28.0) buildkit 0.28.0 Welcome to the v0.28.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn - Jonathan A. Sternberg - Akihiro Suda - Amr Mahdi - Dan Duvall - David Karlsson - Jonas Geiler - Kevin L. - rsteube ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.22.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.22.0) - The default provenance format has been switched to SLSA v1.0 from the previous v0.2. The old format can still be generated by setting the `version` attribute. [#​6526](https://redirect.github.com/moby/buildkit/issues/6526) - Provenance attestation for an image can now be directly pulled via Source metadata request. [#​6516](https://redirect.github.com/moby/buildkit/issues/6516) [#​6514](https://redirect.github.com/moby/buildkit/issues/6514) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - Pushing result images and exporting build cache now happens in parallel, for better performance. [#​6451](https://redirect.github.com/moby/buildkit/issues/6451) - LLB definition now supports two new Source types for accessing raw blobs from image registries and from OCI layouts. New sources use identifier protocols `docker-image+blob://` and `oci-layout+blob://`. [#​4286](https://redirect.github.com/moby/buildkit/issues/4286) - LLB API now supports custom checksum requests for HTTP sources, allowing fetching checksums for different algorithms than the default SHA256 and with optional suffixes. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - LLB API now supports validating HTTP sources with PGP signatures, similarly to previous support for Git sources. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) - With the update to a newer version of the in-toto library, the provenance attestation key `InvocationID` has changed to `InvocationId` to strictly follow the SLSA spec. This change doesn't affect BuildKit/Buildx Golang tooling, but could affect 3rd party tools if they are using case-sensitive JSON parsing. [#​6533](https://redirect.github.com/moby/buildkit/issues/6533) - Embedded Qemu emulator support has been updated to v10.1.3 [#​6524](https://redirect.github.com/moby/buildkit/issues/6524) - Update BuildKit Cgroups implementation to work in (Kubernetes) environments that don't have their own Cgroup namespace. [#​6368](https://redirect.github.com/moby/buildkit/issues/6368) - Buildctl binary now supports bash completion. [#​6474](https://redirect.github.com/moby/buildkit/issues/6474) - PGP signature verification now supports combined public keys as input for defining the required signer. [#​6519](https://redirect.github.com/moby/buildkit/issues/6519) - Fix possible "failed to read expected number of bytes" error when reading attestation chains [#​6520](https://redirect.github.com/moby/buildkit/issues/6520) - Fix possible error from race condition when creating images in parallel [#​6477](https://redirect.github.com/moby/buildkit/issues/6477) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.39.6 -> v1.41.1 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.2 -> v1.7.4 - **github.com/aws/aws-sdk-go-v2/config** v1.31.20 -> v1.32.7 - **github.com/aws/aws-sdk-go-v2/credentials** v1.18.24 -> v1.19.7 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.13 -> v1.18.17 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.13 -> v1.4.17 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.13 -> v2.7.17 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.3 -> v1.13.4 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.13 -> v1.13.17 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 ***new*** - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.3 -> v1.30.9 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.7 -> v1.35.13 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.40.2 -> v1.41.6 - **github.com/aws/smithy-go** v1.23.2 -> v1.24.0 - **github.com/cloudflare/circl** v1.6.1 -> v1.6.3 - **github.com/containerd/nydus-snapshotter** v0.15.10 -> v0.15.11 - **github.com/containerd/stargz-snapshotter** v0.17.0 -> v0.18.2 - **github.com/containerd/stargz-snapshotter/estargz** v0.17.0 -> v0.18.2 - **github.com/coreos/go-systemd/v22** v22.6.0 -> v22.7.0 - **github.com/docker/cli** v29.1.4 -> v29.2.1 - **github.com/go-openapi/errors** v0.22.4 -> v0.22.6 - **github.com/go-openapi/jsonpointer** v0.22.1 -> v0.22.4 - **github.com/go-openapi/jsonreference** v0.21.3 -> v0.21.4 - **github.com/go-openapi/spec** v0.22.1 -> v0.22.3 - **github.com/go-openapi/swag** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/cmdutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/conv** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/fileutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonname** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/loading** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/mangling** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/netutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/stringutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/typeutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/yamlutils** v0.25.3 -> v0.25.4 - **github.com/google/go-containerregistry** v0.20.6 -> v0.20.7 - **github.com/hanwen/go-fuse/v2** v2.8.0 -> v2.9.0 - **github.com/in-toto/in-toto-golang** v0.9.0 -> v0.10.0 - **github.com/klauspost/compress** v1.18.3 -> v1.18.4 - **github.com/moby/policy-helpers** [`eeebf1a`](https://redirect.github.com/moby/buildkit/commit/eeebf1a0ab2b) -> [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) - **github.com/morikuni/aec** v1.0.0 -> v1.1.0 - **github.com/pelletier/go-toml/v2** v2.2.4 ***new*** - **github.com/secure-systems-lab/go-securesystemslib** v0.9.1 -> v0.10.0 - **github.com/sigstore/rekor** v1.4.3 -> v1.5.0 - **github.com/sigstore/sigstore** v1.10.0 -> v1.10.4 - **github.com/sigstore/sigstore-go** [`b5fe07a`](https://redirect.github.com/moby/buildkit/commit/b5fe07a5a7d7) -> v1.1.4 - **github.com/sigstore/timestamp-authority/v2** v2.0.2 -> v2.0.3 - **github.com/theupdateframework/go-tuf/v2** v2.3.0 -> v2.4.1 - **google.golang.org/genproto/googleapis/api** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) - **google.golang.org/genproto/googleapis/rpc** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) - **google.golang.org/grpc** v1.76.0 -> v1.78.0 Previous release can be found at [v0.27.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.27.1) ### [`v0.27.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.27.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.27.0...v0.27.1) Welcome to the v0.27.1 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - CrazyMax - Sebastiaan van Stijn - Tõnis Tiigi ##### Notable Changes - Fix possible panic when verifying signature of GitHub Actions cache [moby/policy-helpers#21](https://redirect.github.com/moby/policy-helpers/pull/21) ##### Dependency Changes - **github.com/klauspost/compress** v1.18.2 -> v1.18.3 - **github.com/moby/policy-helpers** [`9fcc1a9`](https://redirect.github.com/moby/buildkit/commit/9fcc1a9ec5c9) -> [`eeebf1a`](https://redirect.github.com/moby/buildkit/commit/eeebf1a0ab2b) Previous release can be found at [v0.27.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.27.0) ### [`v0.27.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.27.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.26.3...v0.27.0) buildkit 0.27.0 Welcome to the v0.27.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - Akihiro Suda - Sebastiaan van Stijn - Justin Chadwell - Jonathan A. Sternberg - David Karlsson - Dawei Wei - Natnael Gebremariam - Aleksandr Karpinskii - Amr Mahdi - Brian Goff - Joyal George K J - Matt Coster - Roberto Villarreal - Rodolfo Carvalho - Silvin Lubecki - Tiger Kaovilai ##### Notable Changes - Built-in Dockerfile frontend has been updated to [v1.21.0](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.21.0) - This is a first version of BuildKit with signed release images and artifacts built using [Docker Github Builder](https://redirect.github.com/docker/github-builder-experimental) - Allow convert decisions from Session Source Policy implementations [#​6427](https://redirect.github.com/moby/buildkit/issues/6427) - Github Cache backend now support optional signed cache that is cryptographically verified on import [#​6397](https://redirect.github.com/moby/buildkit/issues/6397) - Provide a gateway interface for reading container filesystems during builds [#​6262](https://redirect.github.com/moby/buildkit/issues/6262) - Push registry remote cache blobs in parallel for faster uploads [#​6455](https://redirect.github.com/moby/buildkit/issues/6455) - Cache attestation chain pull-through responses for better performance [#​6435](https://redirect.github.com/moby/buildkit/issues/6435) - Allow custom `AuthConfig` providers in client [#​6408](https://redirect.github.com/moby/buildkit/issues/6408) - Surface policy deny messages in build errors [#​6458](https://redirect.github.com/moby/buildkit/issues/6458) - Fix Git 2.52 support for matching some error conditions [#​6452](https://redirect.github.com/moby/buildkit/issues/6452) - Expose the build reference in exporter buildinfo [#​6424](https://redirect.github.com/moby/buildkit/issues/6424) - Improve expired keys handling in Git signature verification [#​6412](https://redirect.github.com/moby/buildkit/issues/6412) - Cache gateway forwarder mounts and deduplicate snapshot responses [#​6387](https://redirect.github.com/moby/buildkit/issues/6387) - Remove development gateway frontend options in favor of build-contexts [#​6350](https://redirect.github.com/moby/buildkit/issues/6350) - Prevent status stream from closing too early by using an inactivity timeout [#​6396](https://redirect.github.com/moby/buildkit/issues/6396) - Recover from history.db corruption [#​6371](https://redirect.github.com/moby/buildkit/issues/6371) - Fix xattr copy failures on SELinux systems [#​6015](https://redirect.github.com/moby/buildkit/issues/6015) - Fix error return when requesting attestation from non-index image [#​6473](https://redirect.github.com/moby/buildkit/issues/6473) - Fix possible "digest not found" error when fetching attestation chain due to missing lease [#​6464](https://redirect.github.com/moby/buildkit/issues/6464) - Fix Windows copy operations around protected files [#​6369](https://redirect.github.com/moby/buildkit/issues/6369) - Fix possible race condition in gateway bridge forwarder [#​6355](https://redirect.github.com/moby/buildkit/issues/6355) - Fix concurrency in source policy evaluation to prevent parallel panics [#​6448](https://redirect.github.com/moby/buildkit/issues/6448) ##### Dependency Changes - **cyphar.com/go-pathrs** v0.2.1 ***new*** - **github.com/Azure/azure-sdk-for-go/sdk/azcore** v1.18.2 -> v1.20.0 - **github.com/Azure/azure-sdk-for-go/sdk/azidentity** v1.11.0 -> v1.13.1 - **github.com/AzureAD/microsoft-authentication-library-for-go** v1.4.2 -> v1.6.0 - **github.com/asaskevich/govalidator** [`a9d515a`](https://redirect.github.com/moby/buildkit/commit/a9d515a09cc2) ***new*** - **github.com/aws/aws-sdk-go-v2** v1.38.1 -> v1.39.6 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.0 -> v1.7.2 - **github.com/aws/aws-sdk-go-v2/config** v1.31.3 -> v1.31.20 - **github.com/aws/aws-sdk-go-v2/credentials** v1.18.7 -> v1.18.24 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.4 -> v1.18.13 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.4 -> v1.4.13 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.4 -> v2.7.13 - **github.com/aws/aws-sdk-go-v2/internal/ini** v1.8.3 -> v1.8.4 - **github.com/aws/aws-sdk-go-v2/internal/v4a** v1.4.4 -> v1.4.12 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.0 -> v1.13.3 - **github.com/aws/aws-sdk-go-v2/service/internal/checksum** v1.8.4 -> v1.9.3 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.4 -> v1.13.13 - **github.com/aws/aws-sdk-go-v2/service/internal/s3shared** v1.19.4 -> v1.19.12 - **github.com/aws/aws-sdk-go-v2/service/s3** v1.87.1 -> v1.89.1 - **github.com/aws/aws-sdk-go-v2/service/sso** v1.28.2 -> v1.30.3 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.34.0 -> v1.35.7 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.38.0 -> v1.40.2 - **github.com/aws/smithy-go** v1.22.5 -> v1.23.2 - **github.com/blang/semver** v3.5.1 ***new*** - **github.com/cloudflare/circl** v1.6.0 -> v1.6.1 - **github.com/containerd/cgroups/v3** v3.1.0 -> v3.1.2 - **github.com/containerd/containerd/v2** v2.2.0 -> v2.2.1 - **github.com/containerd/fuse-overlayfs-snapshotter/v2** v2.1.6 -> v2.1.7 - **github.com/containerd/nydus-snapshotter** v0.15.4 -> v0.15.10 - **github.com/cyberphone/json-canonicalization** [`19d51d7`](https://redirect.github.com/moby/buildkit/commit/19d51d7fe467) ***new*** - **github.com/cyphar/filepath-securejoin** v0.6.0 ***new*** - **github.com/digitorus/pkcs7** [`3a137a8`](https://redirect.github.com/moby/buildkit/commit/3a137a874352) ***new*** - **github.com/digitorus/timestamp** [`220c5c2`](https://redirect.github.com/moby/buildkit/commit/220c5c2851b7) ***new*** - **github.com/docker/cli** v28.5.0 -> v29.1.4 - **github.com/docker/docker-credential-helpers** v0.9.3 -> v0.9.5 - **github.com/go-openapi/analysis** v0.24.1 ***new*** - **github.com/go-openapi/errors** v0.22.4 ***new*** - **github.com/go-openapi/jsonpointer** v0.22.1 ***new*** - **github.com/go-openapi/jsonreference** v0.21.3 ***new*** - **github.com/go-openapi/loads** v0.23.2 ***new*** - **github.com/go-openapi/runtime** v0.29.2 ***new*** - **github.com/go-openapi/spec** v0.22.1 ***new*** - **github.com/go-openapi/strfmt** v0.25.0 ***new*** - **github.com/go-openapi/swag** v0.25.3 ***new*** - **github.com/go-openapi/swag/cmdutils** v0.25.3 ***new*** - **github.com/go-openapi/swag/conv** v0.25.3 ***new*** - **github.com/go-openapi/swag/fileutils** v0.25.3 ***new*** - **github.com/go-openapi/swag/jsonname** v0.25.3 ***new*** - **github.com/go-openapi/swag/jsonutils** v0.25.3 ***new*** - **github.com/go-openapi/swag/loading** v0.25.3 ***new*** - **github.com/go-openapi/swag/mangling** v0.25.3 ***new*** - **github.com/go-openapi/swag/netutils** v0.25.3 ***new*** - **github.com/go-openapi/swag/stringutils** v0.25.3 ***new*** - **github.com/go-openapi/swag/typeutils** v0.25.3 ***new*** - **github.com/go-openapi/swag/yamlutils** v0.25.3 ***new*** - **github.com/go-openapi/validate** v0.25.1 ***new*** - **github.com/go-viper/mapstructure/v2** v2.4.0 ***new*** - **github.com/google/certificate-transparency-go** v1.3.2 ***new*** - **github.com/google/go-containerregistry** v0.20.6 ***new*** - **github.com/grafana/regexp** [`a468a5b`](https://redirect.github.com/moby/buildkit/commit/a468a5bfb3bc) ***new*** - **github.com/grpc-ecosystem/grpc-gateway/v2** v2.27.2 -> v2.27.3 - **github.com/in-toto/attestation** v1.1.2 ***new*** - **github.com/klauspost/compress** v1.18.1 -> v1.18.2 - **github.com/moby/go-archive** v0.1.0 -> v0.2.0 - **github.com/moby/policy-helpers** [`bcaa71c`](https://redirect.github.com/moby/buildkit/commit/bcaa71c99f14) -> [`9fcc1a9`](https://redirect.github.com/moby/buildkit/commit/9fcc1a9ec5c9) - **github.com/oklog/ulid** v1.3.1 ***new*** - **github.com/opencontainers/runtime-spec** v1.2.1 -> v1.3.0 - **github.com/opencontainers/runtime-tools** [`0ea5ed0`](https://redirect.github.com/moby/buildkit/commit/0ea5ed0382a2) -> [`edf4cb3`](https://redirect.github.com/moby/buildkit/commit/edf4cb3d2116) - **github.com/opencontainers/selinux** v1.12.0 -> v1.13.1 - **github.com/prometheus/otlptranslator** v0.0.2 ***new*** - **github.com/prometheus/procfs** v0.16.1 -> v0.17.0 - **github.com/sigstore/protobuf-specs** v0.5.0 ***new*** - **github.com/sigstore/rekor** v1.4.3 ***new*** - **github.com/sigstore/rekor-tiles/v2** v2.0.1 ***new*** - **github.com/sigstore/sigstore** v1.10.0 ***new*** - **github.com/sigstore/sigstore-go** [`b5fe07a`](https://redirect.github.com/moby/buildkit/commit/b5fe07a5a7d7) ***new*** - **github.com/sigstore/timestamp-authority/v2** v2.0.2 ***new*** - **github.com/sirupsen/logrus** v1.9.3 -> v1.9.4 - **github.com/spdx/tools-golang** v0.5.5 -> v0.5.7 - **github.com/theupdateframework/go-tuf/v2** v2.3.0 ***new*** - **github.com/tonistiigi/fsutil** [`586307a`](https://redirect.github.com/moby/buildkit/commit/586307ad452f) -> [`a2aa163`](https://redirect.github.com/moby/buildkit/commit/a2aa163d723f) - **github.com/tonistiigi/go-actions-cache** [`378c5ed`](https://redirect.github.com/moby/buildkit/commit/378c5ed1ddd9) -> [`54bc28c`](https://redirect.github.com/moby/buildkit/commit/54bc28c26fd2) - **github.com/transparency-dev/formats** [`404c0d5`](https://redirect.github.com/moby/buildkit/commit/404c0d5b696c) ***new*** - **github.com/transparency-dev/merkle** v0.0.2 ***new*** - **go.mongodb.org/mongo-driver** v1.17.6 ***new*** - **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc** v0.61.0 -> v0.63.0 - **go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace** v0.61.0 -> v0.63.0 - **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp** v0.61.0 -> v0.63.0 - **go.opentelemetry.io/otel/exporters/prometheus** v0.42.0 -> v0.60.0 - **go.yaml.in/yaml/v2** v2.4.2 -> v2.4.3 - **go.yaml.in/yaml/v3** v3.0.4 ***new*** - **golang.org/x/term** v0.38.0 ***new*** - **google.golang.org/genproto/googleapis/api** [`c5933d9`](https://redirect.github.com/moby/buildkit/commit/c5933d9347a5) -> [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) - **google.golang.org/genproto/googleapis/rpc** [`c5933d9`](https://redirect.github.com/moby/buildkit/commit/c5933d9347a5) -> [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) - **kernel.org/pub/linux/libs/security/libcap/cap** v1.2.76 -> v1.2.77 - **kernel.org/pub/linux/libs/security/libcap/psx** v1.2.76 -> v1.2.77 - **tags.cncf.io/container-device-interface** v1.0.1 -> v1.1.0 - **tags.cncf.io/container-device-interface/specs-go** v1.0.0 -> v1.1.0 Previous release can be found at [v0.26.3](https://redirect.github.com/moby/buildkit/releases/tag/v0.26.3) ### [`v0.26.3`](https://redirect.github.com/moby/buildkit/releases/tag/v0.26.3) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.26.2...v0.26.3) Welcome to the v0.26.3 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Sebastiaan van Stijn - Jonathan A. Sternberg - Tõnis Tiigi ##### Notable Changes - Fix session policy metadata resolution for git attributes and image attestations [#​6383](https://redirect.github.com/moby/buildkit/issues/6383) ##### Dependency Changes - **github.com/containernetworking/plugins** v1.8.0 -> v1.9.0 Previous release can be found at [v0.26.2](https://redirect.github.com/moby/buildkit/releases/tag/v0.26.2) ### [`v0.26.2`](https://redirect.github.com/moby/buildkit/releases/tag/v0.26.2) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.26.1...v0.26.2) Welcome to the v0.26.2 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - CrazyMax - Tõnis Tiigi ##### Notable Changes - Fix possible error when uploading big files to S3 cache exporter [#​6373](https://redirect.github.com/moby/buildkit/issues/6373) ##### Dependency Changes This release has no dependency changes Previous release can be found at [v0.26.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.26.1) ### [`v0.26.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.26.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.26.0...v0.26.1) Welcome to the v0.26.1 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi ##### Notable Changes - Fix excessive chunking when fetching blobs [#​6366](https://redirect.github.com/moby/buildkit/issues/6366) ##### Dependency Changes This release has no dependency changes Previous release can be found at [v0.26.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.26.0) ### [`v0.26.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.26.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.25.2...v0.26.0) buildkit 0.26.0 Welcome to the v0.26.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - Akihiro Suda - Sebastiaan van Stijn - Jonathan A. Sternberg - Brian Goff - Dawei Wei - Alberto Garcia Hierro - Damon Holden - David Karlsson - Justin Chadwell - Mikhail Dmitrichenko - bpascard ##### Notable Changes - Change how file checksum is calculated when wildcards and include/exclude patterns are involved to better align with how they are calculated in the non-wildcard path. [#​6238](https://redirect.github.com/moby/buildkit/issues/6238) - LLB Copy operation now allows specifying required paths to be included in the copy. [#​6229](https://redirect.github.com/moby/buildkit/issues/6229) - Fixed race condition between cache and snapshot for the Git source. [#​6281](https://redirect.github.com/moby/buildkit/issues/6281) - Fixed race condition in HTTP cache key digest computation that could cause duplicate requests and digest mismatch errors. [#​6292](https://redirect.github.com/moby/buildkit/issues/6292) - Runc container runtime has been updated to v1.3.3. [#​6331](https://redirect.github.com/moby/buildkit/issues/6331) - Source metadata requests via `ResolveSourceMeta`, previously available for image sources, can now be performed for Git sources. This can be used to resolve Git commit and tag checksums and also to access the raw commit and tag objects for further verification. [#​6283](https://redirect.github.com/moby/buildkit/issues/6283) - Source metadata requests via `ResolveSourceMeta`, previously available for image sources, can now be performed for HTTP sources. This can be used to access artifact checksums, last-modified time etc. [#​6285](https://redirect.github.com/moby/buildkit/issues/6285) - Git sources can now perform verification of GPG or SSH signatures on commits and tags. Enable git signature checks via source policy. [#​6300](https://redirect.github.com/moby/buildkit/issues/6300) [#​6344](https://redirect.github.com/moby/buildkit/issues/6344) - `contentutil` package now supports moving referrer objects when using `CopyChain` function. [#​6336](https://redirect.github.com/moby/buildkit/issues/6336) - Fix fetch by commit for git source when tags change or branch names are updated. [#​6259](https://redirect.github.com/moby/buildkit/issues/6259) - Fix http connection leak when resolving metadata from http source on non-2xx HTTP status codes. [#​6313](https://redirect.github.com/moby/buildkit/issues/6313) - A new type of source policies has been added that supports making policy decisions on the client side via session tunnel. [#​6276](https://redirect.github.com/moby/buildkit/issues/6276) - Add buildkit capability for detecting if source policy decisions can be made via session tunnel. [#​6345](https://redirect.github.com/moby/buildkit/issues/6345) - Avoid intermediate type wrappers for custom fields in provenance. [#​6275](https://redirect.github.com/moby/buildkit/issues/6275) - Add raw commit/tag object access when resolving git source metadata. [#​6298](https://redirect.github.com/moby/buildkit/issues/6298) - Move image source resolver away from the `ResolveImageConfig` type to `ResolveSourceMetadata`. [#​6330](https://redirect.github.com/moby/buildkit/issues/6330) # probably not needed for changelog - Fix inline cache used with multiple exporters. [#​6263](https://redirect.github.com/moby/buildkit/issues/6263) - Fix handling multiple inline cache exporters configured for single build. [#​6272](https://redirect.github.com/moby/buildkit/issues/6272) - Fix handling of annotated Git tags. The pin of the annotated tag should be the SHA of the tag and not the commit it is pointing to. [#​6251](https://redirect.github.com/moby/buildkit/issues/6251) - Fix source policy attributes validation when multiple rules use the same identifier. [#​6342](https://redirect.github.com/moby/buildkit/issues/6342) ##### Dependency Changes - **github.com/Azure/azure-sdk-for-go/sdk/azcore** v1.16.0 -> v1.18.2 - **github.com/Azure/azure-sdk-for-go/sdk/azidentity** v1.8.0 -> v1.11.0 - **github.com/Azure/azure-sdk-for-go/sdk/internal** v1.10.0 -> v1.11.2 - **github.com/AzureAD/microsoft-authentication-library-for-go** v1.3.2 -> v1.4.2 - **github.com/Microsoft/hcsshim** v0.13.0 -> v0.14.0-rc.1 - **github.com/ProtonMail/go-crypto** v1.3.0 ***new*** - **github.com/aws/aws-sdk-go-v2** v1.30.3 -> v1.38.1 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.6.3 -> v1.7.0 - **github.com/aws/aws-sdk-go-v2/config** v1.27.27 -> v1.31.3 - **github.com/aws/aws-sdk-go-v2/credentials** v1.17.27 -> v1.18.7 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.16.11 -> v1.18.4 - **github.com/aws/aws-sdk-go-v2/feature/s3/manager** v1.17.8 -> v1.17.10 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.3.15 -> v1.4.4 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.6.15 -> v2.7.4 - **github.com/aws/aws-sdk-go-v2/internal/ini** v1.8.0 -> v1.8.3 - **github.com/aws/aws-sdk-go-v2/internal/v4a** v1.3.15 -> v1.4.4 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.11.3 -> v1.13.0 - **github.com/aws/aws-sdk-go-v2/service/internal/checksum** v1.3.17 -> v1.8.4 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.11.17 -> v1.13.4 - **github.com/aws/aws-sdk-go-v2/service/internal/s3shared** v1.17.15 -> v1.19.4 - **github.com/aws/aws-sdk-go-v2/service/s3** v1.58.2 -> v1.87.1 - **github.com/aws/aws-sdk-go-v2/service/sso** v1.22.4 -> v1.28.2 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.26.4 -> v1.34.0 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.30.3 -> v1.38.0 - **github.com/aws/smithy-go** v1.20.3 -> v1.22.5 - **github.com/cenkalti/backoff/v5** v5.0.3 ***new*** - **github.com/cloudflare/circl** v1.6.0 ***new*** - **github.com/containerd/cgroups/v3** v3.0.5 -> v3.1.0 - **github.com/containerd/containerd/api** v1.9.0 -> v1.10.0 - **github.com/containerd/containerd/v2** v2.1.4 -> v2.2.0 - **github.com/containerd/go-cni** v1.1.12 -> v1.1.13 - **github.com/containerd/nydus-snapshotter** v0.15.2 -> v0.15.4 - **github.com/containerd/platforms** v1.0.0-rc.1 -> v1.0.0-rc.2 - **github.com/containerd/stargz-snapshotter** v0.16.3 -> v0.17.0 - **github.com/containerd/stargz-snapshotter/estargz** v0.16.3 -> v0.17.0 - **github.com/containernetworking/plugins** v1.7.1 -> v1.8.0 - **github.com/coreos/go-systemd/v22** v22.5.0 -> v22.6.0 - **github.com/docker/cli** v28.4.0 -> v28.5.0 - **github.com/fatih/color** v1.18.0 ***new*** - **github.com/go-logr/logr** v1.4.2 -> v1.4.3 - **github.com/gofrs/flock** v0.12.1 -> v0.13.0 - **github.com/golang-jwt/jwt/v5** v5.2.2 -> v5.3.0 - **github.com/golang/groupcache** [`41bb18b`](https://redirect.github.com/moby/buildkit/commit/41bb18bfe9da) -> [`2c02b82`](https://redirect.github.com/moby/buildkit/commit/2c02b8208cf8) - **github.com/google/pprof** [`27863c8`](https://redirect.github.com/moby/buildkit/commit/27863c87afa6) -> [`f64d9cf`](https://redirect.github.com/moby/buildkit/commit/f64d9cf942d6) - **github.com/grpc-ecosystem/grpc-gateway/v2** v2.26.1 -> v2.27.2 - **github.com/hanwen/go-fuse/v2** v2.6.3 -> v2.8.0 - **github.com/hashicorp/go-retryablehttp** v0.7.7 -> v0.7.8 - **github.com/hiddeco/sshsig** v0.2.0 ***new*** - **github.com/klauspost/compress** v1.18.0 -> v1.18.1 - **github.com/mattn/go-colorable** v0.1.14 ***new*** - **github.com/moby/policy-helpers** [`bcaa71c`](https://redirect.github.com/moby/buildkit/commit/bcaa71c99f14) ***new*** - **github.com/moby/sys/capability** v0.4.0 ***new*** - **github.com/opencontainers/runtime-tools** [`2e043c6`](https://redirect.github.com/moby/buildkit/commit/2e043c6bd626) -> [`0ea5ed0`](https://redirect.github.com/moby/buildkit/commit/0ea5ed0382a2) - **github.com/prometheus/client_golang** v1.22.0 -> v1.23.2 - **github.com/prometheus/client_model** v0.6.1 -> v0.6.2 - **github.com/prometheus/common** v0.62.0 -> v0.66.1 - **github.com/prometheus/procfs** v0.15.1 -> v0.16.1 - **github.com/secure-systems-lab/go-securesystemslib** v0.6.0 -> v0.9.1 - **github.com/stretchr/testify** v1.10.0 -> v1.11.1 - **github.com/vbatts/tar-split** v0.12.1 -> v0.12.2 - **go.opentelemetry.io/auto/sdk** v1.1.0 -> v1.2.1 - **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc** v0.60.0 -> v0.61.0 - **go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace** v0.60.0 -> v0.61.0 - **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp** v0.60.0 -> v0.61.0 - **go.opentelemetry.io/otel** v1.35.0 -> v1.38.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc** v1.35.0 -> v1.38.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp** v1.35.0 -> v1.38.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace** v1.35.0 -> v1.38.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc** v1.35.0 -> v1.38.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp** v1.35.0 -> v1.38.0 - **go.opentelemetry.io/otel/metric** v1.35.0 -> v1.38.0 - **go.opentelemetry.io/otel/sdk** v1.35.0 -> v1.38.0 - **go.opentelemetry.io/otel/sdk/metric** v1.35.0 -> v1.38.0 - **go.opentelemetry.io/otel/trace** v1.35.0 -> v1.38.0 - **go.opentelemetry.io/proto/otlp** v1.5.0 -> v1.7.1 - **go.yaml.in/yaml/v2** v2.4.2 ***new*** - **golang.org/x/crypto** v0.37.0 -> v0.42.0 - **golang.org/x/exp** [`7e4ce0a`](https://redirect.github.com/moby/buildkit/commit/7e4ce0ab07d0) -> [`df92998`](https://redirect.github.com/moby/buildkit/commit/df9299821621) - **golang.org/x/mod** v0.24.0 -> v0.29.0 - **golang.org/x/net** v0.39.0 -> v0.44.0 - **golang.org/x/sync** v0.16.0 -> v0.17.0 - **golang.org/x/sys** v0.33.0 -> v0.37.0 - **golang.org/x/text** v0.24.0 -> v0.29.0 - **golang.org/x/time** v0.11.0 -> v0.14.0 - **google.golang.org/genproto/googleapis/api** [`56aae31`](https://redirect.github.com/moby/buildkit/commit/56aae31c358a) -> [`c5933d9`](https://redirect.github.com/moby/buildkit/commit/c5933d9347a5) - **google.golang.org/genproto/googleapis/rpc** [`56aae31`](https://redirect.github.com/moby/buildkit/commit/56aae31c358a) -> [`c5933d9`](https://redirect.github.com/moby/buildkit/commit/c5933d9347a5) - **google.golang.org/grpc** v1.72.2 -> v1.76.0 - **google.golang.org/protobuf** v1.36.9 -> v1.36.10 - **sigs.k8s.io/yaml** v1.4.0 -> v1.6.0 Previous release can be found at [v0.25.2](https://redirect.github.com/moby/buildkit/releases/tag/v0.25.2) ### [`v0.25.2`](https://redirect.github.com/moby/buildkit/releases/tag/v0.25.2) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.25.1...v0.25.2) Welcome to the v0.25.2 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - CrazyMax - Tõnis Tiigi ##### Notable Changes - Update Runc to v1.3.3 [#​6332](https://redirect.github.com/moby/buildkit/issues/6332) ##### Dependency Changes This release has no dependency changes Previous release can be found at [v0.25.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.25.1) ### [`v0.25.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.25.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.25.0...v0.25.1) buildkit 0.25.1 Welcome to the v0.25.1 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax ##### Notable Changes - Fix possible cache export failure when previously exported cache blob has been deleted [#​6261](https://redirect.github.com/moby/buildkit/issues/6261) - Fix possible cache corruption or error when using inline cache with multiple exporters [#​6263](https://redirect.github.com/moby/buildkit/issues/6263) - Fix intermediate wrapper for custom provenance attestation fields [#​6275](https://redirect.github.com/moby/buildkit/issues/6275) ##### Dependency Changes This release has no dependency changes Previous release can be found at [v0.25.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.25.0) ### [`v0.25.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.25.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.24.0...v0.25.0) buildkit 0.25.0 Welcome to the v0.25.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tiigi - CrazyMax - Jonathan A. Sternberg - Akihiro Suda - Brian Goff - greggu - Sebastiaan van Stijn - Søren Hansen - Vigilans - Sam Oluwalana - Shivam - Tianon Gravi - nikelborm ##### Notable Changes - Git sources now support working with SHA-256 based code repositories. [#​6194](https://redirect.github.com/moby/buildkit/issues/6194) - New `Checksum` has been added to `llb.Image` to specify verification digest of the image. Unlike the existing digest in the image reference, where digest overrides the tag if both are set, in this mode, the image is resolved by the tag and only verified by checksum. [#​6234](https://redirect.github.com/moby/buildkit/issues/6234) - The remote cache exporter (also used in provenance creation) has been completely rewritten to solve various concurrency and loop issues. There should be no user-visible changes in the cache format itself. [#​6129](https://redirect.github.com/moby/buildkit/issues/6129) - BuildKit daemon now supports a way to add custom fields to the provenance attestation to specify the environment BuildKit is running in. Additional field are picked up from config files in `/etc/buildkitd/provenance.d` directory. [#​6210](https://redirect.github.com/moby/buildkit/issues/6210) - Containerd executor on Windows now supports `HyperVIsolation` option. [#​6224](https://redirect.github.com/moby/buildkit/issues/6224) - Included runc container runtime has been updated to v1.3.1 [#​6236](https://redirect.github.com/moby/buildkit/issues/6236) - CNI plugins have been updated to v1.8.0 [#​6185](https://redirect.github.com/moby/buildkit/issues/6185) - Qemu emulation binaries have been updated to v10.0.4. [#​6215](https://redirect.github.com/moby/buildkit/issues/6215) - Fix possible infinite loop when exporting cache [#​6186](https://redirect.github.com/moby/buildkit/issues/6186) - Fix issue where some errors could lose their source or stack information when wrapped with `errors.Join`. [#​6226](https://redirect.github.com/moby/buildkit/issues/6226) - Multiple fixes to how the builds from Git context are recorded in provenance. [#​6213](https://redirect.github.com/moby/buildkit/issues/6213) - Fix issue where build arguments could be missing in the history record's provenance attestation. [#​6221](https://redirect.github.com/moby/buildkit/issues/6221) - Fix issue where `materials=false` could be incorrectly set in provenance attestation for a build that used frontend inputs. [#​6203](https://redirect.github.com/moby/buildkit/issues/6203) - Fix not setting the platform in the subject descriptor of the OCI artifact-style attestation manifest. This confused some registries. [#​6191](https://redirect.github.com/moby/buildkit/issues/6191) - Fix some improper formatting in error messages. [#​6192](https://redirect.github.com/moby/buildkit/issues/6192) - Fix issue with checking out annotated tags by full reference. [#​6244](https://redirect.github.com/moby/buildkit/issues/6244) ##### Dependency Changes - **github.com/docker/cli** v28.3.3 -> v28.4.0 - **google.golang.org/protobuf** v1.36.6 -> v1.36.9 Previous release can be found at [v0.24.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.24.0) ### [`v0.24.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.24.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.23.2...v0.24.0) Welcome to the v0.24.0 release of buildkit! Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues. ##### Contributors - Tõnis Tii </details> --- ### Configuration 📅 **Schedule**: Branch creation - "* 1 * * 1-5" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xMDcuMCIsInVwZGF0ZWRJblZlciI6IjM5LjEwNy4wIiwidGFyZ2V0QnJhbmNoIjoiOS4yIiwibGFiZWxzIjpbIlRlYW06U2VjdXJpdHktQ2xvdWQgU2VydmljZXMiLCJiYWNrcG9ydC1za2lwIiwiZGVwZW5kZW5jaWVzIiwicmVub3ZhdGUiLCJyZW5vdmF0ZS1hdXRvLWFwcHJvdmUiXX0=--> Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fix panic / nil pointer dereference on invalid patterns
Pattern.compilewas updatingPattern.matchTypein-place. In situations wherethe resulting regex failed to compile, it would return early (with an error),
but the
matchTypewas already set.In that situation,
Pattern.matchwould consider thematchTypealreadyset, skip the
p.matchType == unknownMatchcondition, and fall throughto trying to use
p.regex, which was nil, and resulted in a panic;This patch:
Pattern.compileto use a local variable for the intermediatestate, and only updates
Pattern.matchTypewhen completing successfully.Pattern.matchas defense-in-depth.