Skip to content

🌱 Bump github.com/moby/buildkit from 0.26.3 to 0.28.1#4983

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/github.com/moby/buildkit-0.28.1
Open

🌱 Bump github.com/moby/buildkit from 0.26.3 to 0.28.1#4983
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/github.com/moby/buildkit-0.28.1

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 26, 2026
edited
Loading

Bumps github.com/moby/buildkit from 0.26.3 to 0.28.1.

Release notes

Sourced from github.com/moby/buildkit's releases.

v0.28.1

Welcome to the v0.28.1 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

  • Tõnis Tiigi
  • CrazyMax
  • Sebastiaan van Stijn

Notable Changes

  • Fix insufficient validation of Git URL #ref:subdir fragments that could allow access to restricted files outside the checked-out repository root. GHSA-4vrq-3vrq-g6gg
  • Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. GHSA-4c29-8rgm-jvjj
  • Fix a panic when processing invalid .dockerignore patterns during COPY. #6610 moby/patternmatcher#9

Dependency Changes

  • github.com/moby/patternmatcher v0.6.0 -> v0.6.1

Previous release can be found at v0.28.0

v0.28.0

buildkit 0.28.0

Welcome to the v0.28.0 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

  • Tõnis Tiigi
  • CrazyMax
  • Sebastiaan van Stijn
  • Jonathan A. Sternberg
  • Akihiro Suda
  • Amr Mahdi
  • Dan Duvall
  • David Karlsson
  • Jonas Geiler
  • Kevin L.
  • rsteube

... (truncated)

Commits
  • 45b038c git: normalize and validate subdir paths
  • f5462c2 git: harden ref arg handling
  • 71577a5 source: extract SafeFileName into shared pathutil package
  • df43783 source/http: use os.Root for saved file operations
  • 9ce6f62 source/http: sanitize downloaded filenames
  • 099cf80 executor: validate container IDs centrally
  • 2642113 Merge pull request #6610 from thaJeztah/0.28_backport_bump_patternmatcher
  • 802da78 vendor: github.com/moby/patternmatcher v0.6.1
  • 5245d86 Merge pull request #6551 from tonistiigi/v0.28-cherry-picks
  • 90ee5de vendor: update x/net to v0.51.0
  • Additional commits viewable in compare view

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Mar 26, 2026
@dependabot dependabot bot requested a review from a team as a code owner March 26, 2026 20:28
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Mar 26, 2026
@dependabot dependabot bot requested review from jeffmendoza and justaugustus and removed request for a team March 26, 2026 20:28
@dependabot dependabot bot had a problem deploying to integration-test March 26, 2026 20:29 Failure
@dosubot dosubot bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Mar 26, 2026
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 6, 2026

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions bot added the Stale label Apr 6, 2026
@dependabot
🌱 Bump github.com/moby/buildkit from 0.26.3 to 0.28.1
a97d4ee 
Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.26.3 to 0.28.1.
- [Release notes](https://github.com/moby/buildkit/releases)
- [Commits](moby/buildkit@v0.26.3...v0.28.1)

---
updated-dependencies:
- dependency-name: github.com/moby/buildkit
  dependency-version: 0.28.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/moby/buildkit-0.28.1 branch from a31e387 to a97d4ee Compare April 6, 2026 08:29
@dependabot dependabot bot had a problem deploying to integration-test April 6, 2026 08:29 Failure
@github-actions github-actions bot removed the Stale label Apr 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@justaugustus justaugustus Awaiting requested review from justaugustus justaugustus is a code owner automatically assigned from ossf/scorecard-maintainers

@jeffmendoza jeffmendoza Awaiting requested review from jeffmendoza jeffmendoza is a code owner automatically assigned from ossf/scorecard-maintainers

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code size:M This PR changes 30-99 lines, ignoring generated files.

Projects

OpenSSF Scorecard
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants