
build(deps): bump github.com/moby/buildkit from 0.26.3 to 0.28.1 #2553

Merged
jjbustamante merged 1 commit into main from dependabot/go_modules/github.com/moby/buildkit-0.28.1
Mar 27, 2026

@dependabot dependabot bot commented on behalf of github Mar 26, 2026

Bumps github.com/moby/buildkit from 0.26.3 to 0.28.1.

Release notes

Sourced from github.com/moby/buildkit's releases.

v0.28.1

Welcome to the v0.28.1 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

  • Tõnis Tiigi
  • CrazyMax
  • Sebastiaan van Stijn

Notable Changes

  • Fix insufficient validation of Git URL #ref:subdir fragments that could allow access to restricted files outside the checked-out repository root. GHSA-4vrq-3vrq-g6gg
  • Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. GHSA-4c29-8rgm-jvjj
  • Fix a panic when processing invalid .dockerignore patterns during COPY. #6610 moby/patternmatcher#9

Dependency Changes

  • github.com/moby/patternmatcher v0.6.0 -> v0.6.1

Previous release can be found at v0.28.0

v0.28.0

buildkit 0.28.0

Welcome to the v0.28.0 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

  • Tõnis Tiigi
  • CrazyMax
  • Sebastiaan van Stijn
  • Jonathan A. Sternberg
  • Akihiro Suda
  • Amr Mahdi
  • Dan Duvall
  • David Karlsson
  • Jonas Geiler
  • Kevin L.
  • rsteube

... (truncated)

Commits
  • 45b038c git: normalize and validate subdir paths
  • f5462c2 git: harden ref arg handling
  • 71577a5 source: extract SafeFileName into shared pathutil package
  • df43783 source/http: use os.Root for saved file operations
  • 9ce6f62 source/http: sanitize downloaded filenames
  • 099cf80 executor: validate container IDs centrally
  • 2642113 Merge pull request #6610 from thaJeztah/0.28_backport_bump_patternmatcher
  • 802da78 vendor: github.com/moby/patternmatcher v0.6.1
  • 5245d86 Merge pull request #6551 from tonistiigi/v0.28-cherry-picks
  • 90ee5de vendor: update x/net to v0.51.0
  • Additional commits viewable in compare view

@dependabot dependabot bot added the dependencies, go and type/chore labels Mar 26, 2026
@dependabot dependabot bot requested review from a team as code owners March 26, 2026 18:58
@dependabot dependabot bot added the type/chore, dependencies and go labels Mar 26, 2026
@github-actions github-actions bot added this to the 0.41.0 milestone Mar 26, 2026
Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.26.3 to 0.28.1.
- [Release notes](https://github.com/moby/buildkit/releases)
- [Commits](moby/buildkit@v0.26.3...v0.28.1)

---
updated-dependencies:
- dependency-name: github.com/moby/buildkit
  dependency-version: 0.28.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/moby/buildkit-0.28.1 branch from 87dd4a7 to 87d97aa Compare March 27, 2026 11:38
@jjbustamante jjbustamante enabled auto-merge (squash) March 27, 2026 11:39
@jjbustamante jjbustamante merged commit 01b469e into main Mar 27, 2026
15 checks passed
@jjbustamante jjbustamante deleted the dependabot/go_modules/github.com/moby/buildkit-0.28.1 branch March 27, 2026 11:48