fix panic / nil pointer dereference on invalid patterns#9
Merged
tonistiigi merged 1 commit intomoby:mainfrom Mar 24, 2026
Merged
fix panic / nil pointer dereference on invalid patterns#9tonistiigi merged 1 commit intomoby:mainfrom
tonistiigi merged 1 commit intomoby:mainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Fixes a panic in Pattern.match triggered by malformed-but-initially-validated patterns, by ensuring compile() doesn’t leave Pattern in a partially-initialized state and adding a defensive nil-check. Also expands CI to run lint/tests across platforms and Go release channels.
Changes:
- Prevent partial
matchTypeupdates on failed regexp compilation; add defense-in-depth check before usingp.regexp. - Add regression test covering repeated matching on a malformed pattern (no panic; consistent
ErrBadPattern). - Update GitHub Actions workflows to add concurrency cancellation and broaden the Go/platform matrix.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| patternmatcher.go | Fixes the panic by making compile() state updates atomic and guarding against nil regexp. |
| patternmatcher_test.go | Adds regression test ensuring malformed patterns don’t panic on repeated match calls. |
| .github/workflows/validate.yml | Updates lint workflow matrix/platform coverage and adds concurrency control. |
| .github/workflows/test.yml | Updates test workflow matrix/platform coverage and adds concurrency control. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
`Pattern.compile` was updating `Pattern.matchType` in-place. In situations where
the resulting regex failed to compile, it would return early (with an error),
but the `matchType` was already set.
In that situation, `Pattern.match` would consider the `matchType` already
set, skip the `p.matchType == unknownMatch` condition, and fall through
to trying to use `p.regex`, which was nil, and resulted in a panic;
```
journalctl -u docker.service -f
dockerd[423967]: panic: runtime error: invalid memory address or nil pointer dereference
dockerd[423967]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x90 pc=0x557e0f7ebf80]
dockerd[423967]: goroutine 1241 [running]:
dockerd[423967]: regexp.(*Regexp).doExecute(0x557e11b285a0?, {0x0?, 0x0?}, {0x0?, 0x557e11922650?, 0x557e11922650?}, {0xc0009d3db0?, 0xc000061778?}, 0x557e0f6d0d99?, 0x0, ...)
dockerd[423967]: /usr/local/go/src/regexp/exec.go:527 +0x80
dockerd[423967]: regexp.(*Regexp).doMatch(...)
dockerd[423967]: /usr/local/go/src/regexp/exec.go:514
dockerd[423967]: regexp.(*Regexp).MatchString(...)
dockerd[423967]: /usr/local/go/src/regexp/regexp.go:527
dockerd[423967]: github.com/moby/patternmatcher.(*Pattern).match(0x557e11922650?, {0xc0009d3db0, 0x1})
dockerd[423967]: /root/build-deb/engine/vendor/github.com/moby/patternmatcher/patternmatcher.go:334 +0x26b
dockerd[423967]: github.com/moby/patternmatcher.(*PatternMatcher).MatchesOrParentMatches(0xc000d761e0, {0xc0009d3db0, 0x1})
dockerd[423967]: /root/build-deb/engine/vendor/github.com/moby/patternmatcher/patternmatcher.go:142 +0xda
dockerd[423967]: github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb.validateCopySourcePath({0xc0009d3db0, 0x1}, 0xc0000621f8)
dockerd[423967]: /root/build-deb/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert.go:2023 +0x55
dockerd[423967]: github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb.dispatchCopy(_, {{{0xc0009d3dc0, 0x1}, {0xc0009b5d10, 0x1, 0x1}, {0x0, 0x0, 0x0}}, {0x0, ...}, ...})
dockerd[423967]: /root/build-deb/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert.go:1607 +0xd5c
dockerd[423967]: github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb.dispatch(_, {{_, _}, {_, _, _}, _}, {0xc000aab6a0, {0x557e1214c560, 0xc0007b79e0}, ...})
dockerd[423967]: /root/build-deb/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert.go:1004 +0xafb
dockerd[423967]: github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb.toDispatchState({_, _}, {_, _, _}, {{0xc000d5c8d0, {0x0, 0x0}, {0x0, 0x0}, ...}, ...})
dockerd[423967]: /root/build-deb/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert.go:731 +0x3926
dockerd[423967]: github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb.Dockerfile2LLB({_, _}, {_, _, _}, {{0xc000d5c8d0, {0x0, 0x0}, {0x0, 0x0}, ...}, ...})
dockerd[423967]: /root/build-deb/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert.go:90 +0x65
dockerd[423967]: github.com/moby/buildkit/frontend/dockerfile/builder.Build.func6({0x557e121613e0, 0xc000cfd590}, 0x0, 0x557e0f64accb?)
dockerd[423967]: /root/build-deb/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/builder/build.go:136 +0xfe
dockerd[423967]: github.com/moby/buildkit/frontend/dockerui.(*Client).Build.func1()
dockerd[423967]: /root/build-deb/engine/vendor/github.com/moby/buildkit/frontend/dockerui/build.go:39 +0x71
dockerd[423967]: golang.org/x/sync/errgroup.(*Group).Go.func1()
dockerd[423967]: /root/build-deb/engine/vendor/golang.org/x/sync/errgroup/errgroup.go:93 +0x50
dockerd[423967]: created by golang.org/x/sync/errgroup.(*Group).Go in goroutine 1136
dockerd[423967]: /root/build-deb/engine/vendor/golang.org/x/sync/errgroup/errgroup.go:78 +0x95
systemd[1]: docker.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
systemd[1]: docker.service: Failed with result 'exit-code'.
```
This patch:
- updates `Pattern.compile` to use a local variable for the intermediate
state, and only updates `Pattern.matchType` when completing successfully.
- adds a nil-check in `Pattern.match` as defense-in-depth.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Member
Author
|
@tonistiigi @jsternberg PTAL 🤗 |
tonistiigi
approved these changes
Mar 24, 2026
SimonStiil
pushed a commit
to SimonStiil/keyvaluedatabase
that referenced
this pull request
Mar 25, 2026
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | Type | Update | |---|---|---|---|---|---| | [github.com/lib/pq](https://redirect.github.com/lib/pq) | `v1.11.2` → `v1.12.0` |  |  | require | minor | | [go](https://go.dev/) ([source](https://redirect.github.com/golang/go)) | `1.26.0` → `1.26.1` |  |  | toolchain | patch | | golang | `1.26.0-alpine` → `1.26.1-alpine` |  |  | | patch | | [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) | `3dfff04` → `7ab1446` |  |  | require | digest | | [moby/buildkit](https://redirect.github.com/moby/buildkit) | `v0.27.1-rootless` → `v0.28.1-rootless` |  |  | | minor | --- ### Release Notes <details> <summary>lib/pq (github.com/lib/pq)</summary> ### [`v1.12.0`](https://redirect.github.com/lib/pq/blob/HEAD/CHANGELOG.md#v1120-2026-03-18) [Compare Source](https://redirect.github.com/lib/pq/compare/v1.11.2...v1.12.0) - The next release may change the default sslmode from `require` to `prefer`. See [#​1271] for details. - `CopyIn()` and `CopyInToSchema()` have been marked as deprecated. These are simple query builders and not needed for `COPY [..] FROM STDIN` support (which is *not* deprecated). ([#​1279]) ``` // Old tx.Prepare(CopyIn("temp", "num", "text", "blob", "nothing")) // Replacement tx.Prepare(`copy temp (num, text, blob, nothing) from stdin`) ``` ##### Features - Support protocol 3.2, and the `min_protocol_version` and `max_protocol_version` DSN parameters ([#​1258]). - Support `sslmode=prefer` and `sslmode=allow` ([#​1270]). - Support `ssl_min_protocol_version` and `ssl_max_protocol_version` ([#​1277]). - Support connection service file to load connection details ([#​1285]). - Support `sslrootcert=system` and use `~/.postgresql/root.crt` as the default value of sslrootcert ([#​1280], [#​1281]). - Add a new `pqerror` package with PostgreSQL error codes ([#​1275]). For example, to test if an error is a UNIQUE constraint violation: ``` if pqErr, ok := errors.AsType[*pq.Error](err); ok && pqErr.Code == pqerror.UniqueViolation { log.Fatalf("email %q already exsts", email) } ``` To make this a bit more convenient, it also adds a `pq.As()` function: ``` pqErr := pq.As(err, pqerror.UniqueViolation) if pqErr != nil { log.Fatalf("email %q already exsts", email) } ``` ##### Fixes - Fix SSL key permission check to allow modes stricter than [0600/0640#1265](https://redirect.github.com/0600/0640/issues/1265) ([#​1265]). - Fix Hstore to work with binary parameters ([#​1278]). - Clearer error when starting a new query while pq is still processing another query ([#​1272]). - Send intermediate CAs with client certificates, so they can be signed by an intermediate CA ([#​1267]). - Use `time.UTC` for UTC aliases such as `Etc/UTC` ([#​1282]). [#​1258]: https://redirect.github.com/lib/pq/pull/1258 [#​1265]: https://redirect.github.com/lib/pq/pull/1265 [#​1267]: https://redirect.github.com/lib/pq/pull/1267 [#​1270]: https://redirect.github.com/lib/pq/pull/1270 [#​1271]: https://redirect.github.com/lib/pq/pull/1271 [#​1272]: https://redirect.github.com/lib/pq/pull/1272 [#​1275]: https://redirect.github.com/lib/pq/pull/1275 [#​1277]: https://redirect.github.com/lib/pq/pull/1277 [#​1278]: https://redirect.github.com/lib/pq/pull/1278 [#​1279]: https://redirect.github.com/lib/pq/pull/1279 [#​1280]: https://redirect.github.com/lib/pq/pull/1280 [#​1281]: https://redirect.github.com/lib/pq/pull/1281 [#​1282]: https://redirect.github.com/lib/pq/pull/1282 [#​1283]: https://redirect.github.com/lib/pq/pull/1283 [#​1285]: https://redirect.github.com/lib/pq/pull/1285 </details> <details> <summary>golang/go (go)</summary> ### [`v1.26.1`](https://redirect.github.com/golang/go/compare/go1.26.0...go1.26.1) </details> <details> <summary>moby/buildkit (moby/buildkit)</summary> ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) ### [`v0.28.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.27.1...v0.28.0) buildkit 0.28.0 Welcome to the v0.28.0 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn - Jonathan A. Sternberg - Akihiro Suda - Amr Mahdi - Dan Duvall - David Karlsson - Jonas Geiler - Kevin L. - rsteube ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.22.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.22.0) - The default provenance format has been switched to SLSA v1.0 from the previous v0.2. The old format can still be generated by setting the `version` attribute. [#​6526](https://redirect.github.com/moby/buildkit/issues/6526) - Provenance attestation for an image can now be directly pulled via Source metadata request. [#​6516](https://redirect.github.com/moby/buildkit/issues/6516) [#​6514](https://redirect.github.com/moby/buildkit/issues/6514) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - Pushing result images and exporting build cache now happens in parallel, for better performance. [#​6451](https://redirect.github.com/moby/buildkit/issues/6451) - LLB definition now supports two new Source types for accessing raw blobs from image registries and from OCI layouts. New sources use identifier protocols `docker-image+blob://` and `oci-layout+blob://`. [#​4286](https://redirect.github.com/moby/buildkit/issues/4286) - LLB API now supports custom checksum requests for HTTP sources, allowing fetching checksums for different algorithms than the default SHA256 and with optional suffixes. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - LLB API now supports validating HTTP sources with PGP signatures, similarly to previous support for Git sources. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) - With the update to a newer version of the in-toto library, the provenance attestation key `InvocationID` has changed to `InvocationId` to strictly follow the SLSA spec. This change doesn't affect BuildKit/Buildx Golang tooling, but could affect 3rd party tools if they are using case-sensitive JSON parsing. [#​6533](https://redirect.github.com/moby/buildkit/issues/6533) - Embedded Qemu emulator support has been updated to v10.1.3 [#​6524](https://redirect.github.com/moby/buildkit/issues/6524) - Update BuildKit Cgroups implementation to work in (Kubernetes) environments that don't have their own Cgroup namespace. [#​6368](https://redirect.github.com/moby/buildkit/issues/6368) - Buildctl binary now supports bash completion. [#​6474](https://redirect.github.com/moby/buildkit/issues/6474) - PGP signature verification now supports combined public keys as input for defining the required signer. [#​6519](https://redirect.github.com/moby/buildkit/issues/6519) - Fix possible "failed to read expected number of bytes" error when reading attestation chains [#​6520](https://redirect.github.com/moby/buildkit/issues/6520) - Fix possible error from race condition when creating images in parallel [#​6477](https://redirect.github.com/moby/buildkit/issues/6477) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.39.6 -> v1.41.1 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.2 -> v1.7.4 - **github.com/aws/aws-sdk-go-v2/config** v1.31.20 -> v1.32.7 - **github.com/aws/aws-sdk-go-v2/credentials** v1.18.24 -> v1.19.7 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.13 -> v1.18.17 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.13 -> v1.4.17 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.13 -> v2.7.17 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.3 -> v1.13.4 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.13 -> v1.13.17 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 ***new*** - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.3 -> v1.30.9 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.7 -> v1.35.13 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.40.2 -> v1.41.6 - **github.com/aws/smithy-go** v1.23.2 -> v1.24.0 - **github.com/cloudflare/circl** v1.6.1 -> v1.6.3 - **github.com/containerd/nydus-snapshotter** v0.15.10 -> v0.15.11 - **github.com/containerd/stargz-snapshotter** v0.17.0 -> v0.18.2 - **github.com/containerd/stargz-snapshotter/estargz** v0.17.0 -> v0.18.2 - **github.com/coreos/go-systemd/v22** v22.6.0 -> v22.7.0 - **github.com/docker/cli** v29.1.4 -> v29.2.1 - **github.com/go-openapi/errors** v0.22.4 -> v0.22.6 - **github.com/go-openapi/jsonpointer** v0.22.1 -> v0.22.4 - **github.com/go-openapi/jsonreference** v0.21.3 -> v0.21.4 - **github.com/go-openapi/spec** v0.22.1 -> v0.22.3 - **github.com/go-openapi/swag** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/cmdutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/conv** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/fileutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonname** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/loading** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/mangling** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/netutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/stringutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/typeutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/yamlutils** v0.25.3 -> v0.25.4 - **github.com/google/go-containerregistry** v0.20.6 -> v0.20.7 - **github.com/hanwen/go-fuse/v2** v2.8.0 -> v2.9.0 - **github.com/in-toto/in-toto-golang** v0.9.0 -> v0.10.0 - **github.com/klauspost/compress** v1.18.3 -> v1.18.4 - **github.com/moby/policy-helpers** [`eeebf1a`](https://redirect.github.com/moby/buildkit/commit/eeebf1a0ab2b) -> [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) - **github.com/morikuni/aec** v1.0.0 -> v1.1.0 - **github.com/pelletier/go-toml/v2** v2.2.4 ***new*** - **github.com/secure-systems-lab/go-securesystemslib** v0.9.1 -> v0.10.0 - **github.com/sigstore/rekor** v1.4.3 -> v1.5.0 - **github.com/sigstore/sigstore** v1.10.0 -> v1.10.4 - **github.com/sigstore/sigstore-go** [`b5fe07a`](https://redirect.github.com/moby/buildkit/commit/b5fe07a5a7d7) -> v1.1.4 - **github.com/sigstore/timestamp-authority/v2** v2.0.2 -> v2.0.3 - **github.com/theupdateframework/go-tuf/v2** v2.3.0 -> v2.4.1 - **google.golang.org/genproto/googleapis/api** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) - **google.golang.org/genproto/googleapis/rpc** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) - **google.golang.org/grpc** v1.76.0 -> v1.78.0 Previous release can be found at [v0.27.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.27.1) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/SimonStiil/keyvaluedatabase). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My40OC4xIiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->
SimonStiil
pushed a commit
to SimonStiil/ghcr-cleanup
that referenced
this pull request
Mar 25, 2026
This PR contains the following updates: | Package | Update | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---|---| | [moby/buildkit](https://redirect.github.com/moby/buildkit) | minor | `v0.27.1-rootless` → `v0.28.1-rootless` |  |  | | [requests](https://requests.readthedocs.io) ([source](https://redirect.github.com/psf/requests), [changelog](https://redirect.github.com/psf/requests/blob/master/HISTORY.md)) | minor | `==2.32.5` → `==2.33.0` |  |  | --- ### Release Notes <details> <summary>moby/buildkit (moby/buildkit)</summary> ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) ### [`v0.28.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.27.1...v0.28.0) buildkit 0.28.0 Welcome to the v0.28.0 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn - Jonathan A. Sternberg - Akihiro Suda - Amr Mahdi - Dan Duvall - David Karlsson - Jonas Geiler - Kevin L. - rsteube ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.22.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.22.0) - The default provenance format has been switched to SLSA v1.0 from the previous v0.2. The old format can still be generated by setting the `version` attribute. [#​6526](https://redirect.github.com/moby/buildkit/issues/6526) - Provenance attestation for an image can now be directly pulled via Source metadata request. [#​6516](https://redirect.github.com/moby/buildkit/issues/6516) [#​6514](https://redirect.github.com/moby/buildkit/issues/6514) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - Pushing result images and exporting build cache now happens in parallel, for better performance. [#​6451](https://redirect.github.com/moby/buildkit/issues/6451) - LLB definition now supports two new Source types for accessing raw blobs from image registries and from OCI layouts. New sources use identifier protocols `docker-image+blob://` and `oci-layout+blob://`. [#​4286](https://redirect.github.com/moby/buildkit/issues/4286) - LLB API now supports custom checksum requests for HTTP sources, allowing fetching checksums for different algorithms than the default SHA256 and with optional suffixes. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - LLB API now supports validating HTTP sources with PGP signatures, similarly to previous support for Git sources. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) - With the update to a newer version of the in-toto library, the provenance attestation key `InvocationID` has changed to `InvocationId` to strictly follow the SLSA spec. This change doesn't affect BuildKit/Buildx Golang tooling, but could affect 3rd party tools if they are using case-sensitive JSON parsing. [#​6533](https://redirect.github.com/moby/buildkit/issues/6533) - Embedded Qemu emulator support has been updated to v10.1.3 [#​6524](https://redirect.github.com/moby/buildkit/issues/6524) - Update BuildKit Cgroups implementation to work in (Kubernetes) environments that don't have their own Cgroup namespace. [#​6368](https://redirect.github.com/moby/buildkit/issues/6368) - Buildctl binary now supports bash completion. [#​6474](https://redirect.github.com/moby/buildkit/issues/6474) - PGP signature verification now supports combined public keys as input for defining the required signer. [#​6519](https://redirect.github.com/moby/buildkit/issues/6519) - Fix possible "failed to read expected number of bytes" error when reading attestation chains [#​6520](https://redirect.github.com/moby/buildkit/issues/6520) - Fix possible error from race condition when creating images in parallel [#​6477](https://redirect.github.com/moby/buildkit/issues/6477) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.39.6 -> v1.41.1 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.2 -> v1.7.4 - **github.com/aws/aws-sdk-go-v2/config** v1.31.20 -> v1.32.7 - **github.com/aws/aws-sdk-go-v2/credentials** v1.18.24 -> v1.19.7 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.13 -> v1.18.17 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.13 -> v1.4.17 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.13 -> v2.7.17 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.3 -> v1.13.4 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.13 -> v1.13.17 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 ***new*** - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.3 -> v1.30.9 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.7 -> v1.35.13 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.40.2 -> v1.41.6 - **github.com/aws/smithy-go** v1.23.2 -> v1.24.0 - **github.com/cloudflare/circl** v1.6.1 -> v1.6.3 - **github.com/containerd/nydus-snapshotter** v0.15.10 -> v0.15.11 - **github.com/containerd/stargz-snapshotter** v0.17.0 -> v0.18.2 - **github.com/containerd/stargz-snapshotter/estargz** v0.17.0 -> v0.18.2 - **github.com/coreos/go-systemd/v22** v22.6.0 -> v22.7.0 - **github.com/docker/cli** v29.1.4 -> v29.2.1 - **github.com/go-openapi/errors** v0.22.4 -> v0.22.6 - **github.com/go-openapi/jsonpointer** v0.22.1 -> v0.22.4 - **github.com/go-openapi/jsonreference** v0.21.3 -> v0.21.4 - **github.com/go-openapi/spec** v0.22.1 -> v0.22.3 - **github.com/go-openapi/swag** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/cmdutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/conv** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/fileutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonname** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/loading** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/mangling** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/netutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/stringutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/typeutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/yamlutils** v0.25.3 -> v0.25.4 - **github.com/google/go-containerregistry** v0.20.6 -> v0.20.7 - **github.com/hanwen/go-fuse/v2** v2.8.0 -> v2.9.0 - **github.com/in-toto/in-toto-golang** v0.9.0 -> v0.10.0 - **github.com/klauspost/compress** v1.18.3 -> v1.18.4 - **github.com/moby/policy-helpers** [`eeebf1a`](https://redirect.github.com/moby/buildkit/commit/eeebf1a0ab2b) -> [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) - **github.com/morikuni/aec** v1.0.0 -> v1.1.0 - **github.com/pelletier/go-toml/v2** v2.2.4 ***new*** - **github.com/secure-systems-lab/go-securesystemslib** v0.9.1 -> v0.10.0 - **github.com/sigstore/rekor** v1.4.3 -> v1.5.0 - **github.com/sigstore/sigstore** v1.10.0 -> v1.10.4 - **github.com/sigstore/sigstore-go** [`b5fe07a`](https://redirect.github.com/moby/buildkit/commit/b5fe07a5a7d7) -> v1.1.4 - **github.com/sigstore/timestamp-authority/v2** v2.0.2 -> v2.0.3 - **github.com/theupdateframework/go-tuf/v2** v2.3.0 -> v2.4.1 - **google.golang.org/genproto/googleapis/api** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) - **google.golang.org/genproto/googleapis/rpc** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) - **google.golang.org/grpc** v1.76.0 -> v1.78.0 Previous release can be found at [v0.27.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.27.1) </details> <details> <summary>psf/requests (requests)</summary> ### [`v2.33.0`](https://redirect.github.com/psf/requests/blob/HEAD/HISTORY.md#2330-2026-03-25) [Compare Source](https://redirect.github.com/psf/requests/compare/v2.32.5...v2.33.0) **Announcements** - 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at [#​7271](https://redirect.github.com/psf/requests/issues/7271). Give it a try, and report any gaps or feedback you may have in the issue. 📣 **Security** - CVE-2026-25645 `requests.utils.extract_zipped_paths` now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly. **Improvements** - Migrated to a PEP 517 build system using setuptools. ([#​7012](https://redirect.github.com/psf/requests/issues/7012)) **Bugfixes** - Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. ([#​7205](https://redirect.github.com/psf/requests/issues/7205)) **Deprecations** - Dropped support for Python 3.9 following its end of support. ([#​7196](https://redirect.github.com/psf/requests/issues/7196)) **Documentation** - Various typo fixes and doc improvements. </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/SimonStiil/ghcr-cleanup). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My40OC4xIiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->
SimonStiil
pushed a commit
to SimonStiil/traefik-out-of-cluster
that referenced
this pull request
Mar 25, 2026
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | Type | Update | |---|---|---|---|---|---| | [github.com/traefik/traefik/v3](https://redirect.github.com/traefik/traefik) | `v3.6.8` → `v3.6.11` |  |  | require | patch | | golang | `1.26.0-alpine` → `1.26.1-alpine` |  |  | | patch | | [k8s.io/apimachinery](https://redirect.github.com/kubernetes/apimachinery) | `v0.35.1` → `v0.35.3` |  |  | require | patch | | [k8s.io/client-go](https://redirect.github.com/kubernetes/client-go) | `v0.35.1` → `v0.35.3` |  |  | require | patch | | [moby/buildkit](https://redirect.github.com/moby/buildkit) | `v0.27.1-rootless` → `v0.28.1-rootless` |  |  | | minor | --- ### Release Notes <details> <summary>traefik/traefik (github.com/traefik/traefik/v3)</summary> ### [`v3.6.11`](https://redirect.github.com/traefik/traefik/releases/tag/v3.6.11) [Compare Source](https://redirect.github.com/traefik/traefik/compare/v3.6.10...v3.6.11) **CVE fixed:** - [CVE-2026-32595](https://nvd.nist.gov/vuln/detail/CVE-2026-32595) (Advisory [GHSA-g3hg-j4jv-cwfr](https://redirect.github.com/traefik/traefik/security/advisories/GHSA-g3hg-j4jv-cwfr)) - [CVE-2026-32305](https://nvd.nist.gov/vuln/detail/CVE-2026-32305) (Advisory [GHSA-wvvq-wgcr-9q48](https://redirect.github.com/traefik/traefik/security/advisories/GHSA-wvvq-wgcr-9q48)) - [CVE-2026-32695](https://nvd.nist.gov/vuln/detail/CCVE-2026-32695) (Advisory [GHSA-67jx-r9pv-98rj](https://redirect.github.com/traefik/traefik/security/advisories/GHSA-67jx-r9pv-98rj)) **Bug fixes:** - **\[logs, otel]** Add OTel-conformant trace context attributes to access logs ([#​12801](https://redirect.github.com/traefik/traefik/pull/12801) [@​mmatur](https://redirect.github.com/mmatur)) - **\[k8s/gatewayapi]** Fix incorrect hostname matching between listener and route ([#​12599](https://redirect.github.com/traefik/traefik/pull/12599) [@​TheColorman](https://redirect.github.com/TheColorman)) - **\[k8s/ingress]** Fix ingress router's rule ([#​12808](https://redirect.github.com/traefik/traefik/pull/12808) [@​gndz07](https://redirect.github.com/gndz07)) - **\[webui]** Remove AGPL license in code ([#​12799](https://redirect.github.com/traefik/traefik/pull/12799) [@​Desel72](https://redirect.github.com/Desel72)) - **\[k8s/ingress-nginx]** Fix proxy-ssl-verify annotation ([#​12825](https://redirect.github.com/traefik/traefik/pull/12825) [@​LBF38](https://redirect.github.com/LBF38)) - **\[http]** Add maxResponseBodySize configuration on HTTP provider ([#​12788](https://redirect.github.com/traefik/traefik/pull/12788) [@​gndz07](https://redirect.github.com/gndz07)) - **\[tls]** Support fragmented TLS client hello ([#​12787](https://redirect.github.com/traefik/traefik/pull/12787) [@​rtribotte](https://redirect.github.com/rtribotte)) - **\[middleware, authentication]** Make basic auth check timing constant ([#​12803](https://redirect.github.com/traefik/traefik/pull/12803) [@​rtribotte](https://redirect.github.com/rtribotte)) **Documentation:** - **\[k8s]** Improve the multi tenant security note ([#​12822](https://redirect.github.com/traefik/traefik/pull/12822) [@​nmengin](https://redirect.github.com/nmengin)) - Fix unnecessary escaping of pipe in regexp examples ([#​12784](https://redirect.github.com/traefik/traefik/pull/12784) [@​diegmonti](https://redirect.github.com/diegmonti)) - Add vulnerability submission quality guidelines ([#​12807](https://redirect.github.com/traefik/traefik/pull/12807) [@​emilevauge](https://redirect.github.com/emilevauge)) - Fix start up message format ([#​12806](https://redirect.github.com/traefik/traefik/pull/12806) [@​mloiseleur](https://redirect.github.com/mloiseleur)) - Remove unsupported servers\[n].address from TCP label examples ([#​12817](https://redirect.github.com/traefik/traefik/pull/12817) [@​sheddy-traefik](https://redirect.github.com/sheddy-traefik)) - Bump mkdocs-traefiklabs to use consent mode ([#​12804](https://redirect.github.com/traefik/traefik/pull/12804) [@​darkweaver87](https://redirect.github.com/darkweaver87)) ### [`v3.6.10`](https://redirect.github.com/traefik/traefik/blob/HEAD/CHANGELOG.md#v3610-2026-03-06) [Compare Source](https://redirect.github.com/traefik/traefik/compare/v3.6.9...v3.6.10) [All Commits](https://redirect.github.com/traefik/traefik/compare/v3.6.9...v3.6.10) **Bug fixes:** - **\[docker]** Bump Docker and OpenTelemetry dependencies ([#​12761](https://redirect.github.com/traefik/traefik/pull/12761) by [mmatur](https://redirect.github.com/mmatur)) - **\[fastproxy]** Bump github.com/valyala/fasthttp to v1.69.0 ([#​12763](https://redirect.github.com/traefik/traefik/pull/12763) by [kevinpollet](https://redirect.github.com/kevinpollet)) - **\[healthcheck, grpc]** Remove path parsing with grpc healthcheck ([#​12760](https://redirect.github.com/traefik/traefik/pull/12760) by [rtribotte](https://redirect.github.com/rtribotte)) - **\[k8s/gatewayapi]** Fix Gateway API router's rules ([#​12753](https://redirect.github.com/traefik/traefik/pull/12753) by [rtribotte](https://redirect.github.com/rtribotte)) - **\[middleware]** Fix HasSecureHeadersDefined returning false when stsSeconds is 0 ([#​12684](https://redirect.github.com/traefik/traefik/pull/12684) by [veeceey](https://redirect.github.com/veeceey)) - **\[otel]** Bump go.opentelemetry.io/otel dependencies ([#​12754](https://redirect.github.com/traefik/traefik/pull/12754) by [rtribotte](https://redirect.github.com/rtribotte)) - **\[server]** Bump golang.org/x/net to v0.51.0 ([#​12756](https://redirect.github.com/traefik/traefik/pull/12756) by [kevinpollet](https://redirect.github.com/kevinpollet)) - **\[webui]** Fix priority display in dashboard and ACME bypass redirect ([#​12740](https://redirect.github.com/traefik/traefik/pull/12740) by [mmatur](https://redirect.github.com/mmatur)) - **\[webui]** Fix basePath validation for dashboard template ([#​12729](https://redirect.github.com/traefik/traefik/pull/12729) by [gndz07](https://redirect.github.com/gndz07)) **Documentation:** - **\[middleware]** Correct documentation for Digest auth ([#​12651](https://redirect.github.com/traefik/traefik/pull/12651) by [Zash](https://redirect.github.com/Zash)) - Add missing `.http` to TOML table names ([#​12713](https://redirect.github.com/traefik/traefik/pull/12713) by [Darsstar](https://redirect.github.com/Darsstar)) - Fix incorrect TOML example in entrypoints docs ([#​12711](https://redirect.github.com/traefik/traefik/pull/12711) by [mfmfuyu](https://redirect.github.com/mfmfuyu)) - Fix API basepath option documentation ([#​12744](https://redirect.github.com/traefik/traefik/pull/12744) by [nmengin](https://redirect.github.com/nmengin)) ### [`v3.6.9`](https://redirect.github.com/traefik/traefik/blob/HEAD/CHANGELOG.md#v369-2026-02-23) [Compare Source](https://redirect.github.com/traefik/traefik/compare/v3.6.8...v3.6.9) [All Commits](https://redirect.github.com/traefik/traefik/compare/v3.6.8...v3.6.9) **Bug fixes:** - **\[acme]** Bump github.com/go-acme/lego/v4 to v4.32.0 ([#​12702](https://redirect.github.com/traefik/traefik/pull/12702) by [ldez](https://redirect.github.com/ldez)) - **\[middleware]** Fix case sensitivity on x-forwarded headers for Connection ([#​12690](https://redirect.github.com/traefik/traefik/pull/12690) by [LBF38](https://redirect.github.com/LBF38)) - **\[middleware, authentication]** Handle empty/missing User-Agent header ([#​12545](https://redirect.github.com/traefik/traefik/pull/12545) by [a-stangl](https://redirect.github.com/a-stangl)) - **\[middleware, authentication]** Add maxResponseBodySize configuration to forwardAuth middleware ([#​12694](https://redirect.github.com/traefik/traefik/pull/12694) by [gndz07](https://redirect.github.com/gndz07)) - **\[server]** Fix TLS handshake error handling ([#​12692](https://redirect.github.com/traefik/traefik/pull/12692) by [juliens](https://redirect.github.com/juliens)) **Documentation:** - **\[docker]** Update docker in-depth setup guide ([#​12682](https://redirect.github.com/traefik/traefik/pull/12682) by [mdevino](https://redirect.github.com/mdevino)) - **\[k8s]** Make labelSelector option casing more consistent ([#​12658](https://redirect.github.com/traefik/traefik/pull/12658) by [holysoles](https://redirect.github.com/holysoles)) - **\[k8s/ingress-nginx]** Add temporary note to advertise the incoming NGINX annotations ([#​12699](https://redirect.github.com/traefik/traefik/pull/12699) by [nmengin](https://redirect.github.com/nmengin)) - Increased content width in documentation ([#​12632](https://redirect.github.com/traefik/traefik/pull/12632) by [tobiasge](https://redirect.github.com/tobiasge)) - Correct encoded characters allowance in entrypoints.md ([#​12679](https://redirect.github.com/traefik/traefik/pull/12679) by [Apflkuacha](https://redirect.github.com/Apflkuacha)) </details> <details> <summary>kubernetes/apimachinery (k8s.io/apimachinery)</summary> ### [`v0.35.3`](https://redirect.github.com/kubernetes/apimachinery/compare/v0.35.2...v0.35.3) [Compare Source](https://redirect.github.com/kubernetes/apimachinery/compare/v0.35.2...v0.35.3) ### [`v0.35.2`](https://redirect.github.com/kubernetes/apimachinery/compare/v0.35.1...v0.35.2) [Compare Source](https://redirect.github.com/kubernetes/apimachinery/compare/v0.35.1...v0.35.2) </details> <details> <summary>kubernetes/client-go (k8s.io/client-go)</summary> ### [`v0.35.3`](https://redirect.github.com/kubernetes/client-go/compare/v0.35.2...v0.35.3) [Compare Source](https://redirect.github.com/kubernetes/client-go/compare/v0.35.2...v0.35.3) ### [`v0.35.2`](https://redirect.github.com/kubernetes/client-go/compare/v0.35.1...v0.35.2) [Compare Source](https://redirect.github.com/kubernetes/client-go/compare/v0.35.1...v0.35.2) </details> <details> <summary>moby/buildkit (moby/buildkit)</summary> ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) ### [`v0.28.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.27.1...v0.28.0) buildkit 0.28.0 Welcome to the v0.28.0 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn - Jonathan A. Sternberg - Akihiro Suda - Amr Mahdi - Dan Duvall - David Karlsson - Jonas Geiler - Kevin L. - rsteube ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.22.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.22.0) - The default provenance format has been switched to SLSA v1.0 from the previous v0.2. The old format can still be generated by setting the `version` attribute. [#​6526](https://redirect.github.com/moby/buildkit/issues/6526) - Provenance attestation for an image can now be directly pulled via Source metadata request. [#​6516](https://redirect.github.com/moby/buildkit/issues/6516) [#​6514](https://redirect.github.com/moby/buildkit/issues/6514) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - Pushing result images and exporting build cache now happens in parallel, for better performance. [#​6451](https://redirect.github.com/moby/buildkit/issues/6451) - LLB definition now supports two new Source types for accessing raw blobs from image registries and from OCI layouts. New sources use identifier protocols `docker-image+blob://` and `oci-layout+blob://`. [#​4286](https://redirect.github.com/moby/buildkit/issues/4286) - LLB API now supports custom checksum requests for HTTP sources, allowing fetching checksums for different algorithms than the default SHA256 and with optional suffixes. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - LLB API now supports validating HTTP sources with PGP signatures, similarly to previous support for Git sources. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) - With the update to a newer version of the in-toto library, the provenance attestation key `InvocationID` has changed to `InvocationId` to strictly follow the SLSA spec. This change doesn't affect BuildKit/Buildx Golang tooling, but could affect 3rd party tools if they are using case-sensitive JSON parsing. [#​6533](https://redirect.github.com/moby/buildkit/issues/6533) - Embedded Qemu emulator support has been updated to v10.1.3 [#​6524](https://redirect.github.com/moby/buildkit/issues/6524) - Update BuildKit Cgroups implementation to work in (Kubernetes) environments that don't have their own Cgroup namespace. [#​6368](https://redirect.github.com/moby/buildkit/issues/6368) - Buildctl binary now supports bash completion. [#​6474](https://redirect.github.com/moby/buildkit/issues/6474) - PGP signature verification now supports combined public keys as input for defining the required signer. [#​6519](https://redirect.github.com/moby/buildkit/issues/6519) - Fix possible "failed to read expected number of bytes" error when reading attestation chains [#​6520](https://redirect.github.com/moby/buildkit/issues/6520) - Fix possible error from race condition when creating images in parallel [#​6477](https://redirect.github.com/moby/buildkit/issues/6477) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.39.6 -> v1.41.1 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.2 -> v1.7.4 - **github.com/aws/aws-sdk-go-v2/config** v1.31.20 -> v1.32.7 - **github.com/aws/aws-sdk-go-v2/credentials** v1.18.24 -> v1.19.7 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.13 -> v1.18.17 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.13 -> v1.4.17 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.13 -> v2.7.17 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.3 -> v1.13.4 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.13 -> v1.13.17 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 ***new*** - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.3 -> v1.30.9 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.7 -> v1.35.13 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.40.2 -> v1.41.6 - **github.com/aws/smithy-go** v1.23.2 -> v1.24.0 - **github.com/cloudflare/circl** v1.6.1 -> v1.6.3 - **github.com/containerd/nydus-snapshotter** v0.15.10 -> v0.15.11 - **github.com/containerd/stargz-snapshotter** v0.17.0 -> v0.18.2 - **github.com/containerd/stargz-snapshotter/estargz** v0.17.0 -> v0.18.2 - **github.com/coreos/go-systemd/v22** v22.6.0 -> v22.7.0 - **github.com/docker/cli** v29.1.4 -> v29.2.1 - **github.com/go-openapi/errors** v0.22.4 -> v0.22.6 - **github.com/go-openapi/jsonpointer** v0.22.1 -> v0.22.4 - **github.com/go-openapi/jsonreference** v0.21.3 -> v0.21.4 - **github.com/go-openapi/spec** v0.22.1 -> v0.22.3 - **github.com/go-openapi/swag** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/cmdutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/conv** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/fileutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonname** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/loading** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/mangling** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/netutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/stringutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/typeutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/yamlutils** v0.25.3 -> v0.25.4 - **github.com/google/go-containerregistry** v0.20.6 -> v0.20.7 - **github.com/hanwen/go-fuse/v2** v2.8.0 -> v2.9.0 - **github.com/in-toto/in-toto-golang** v0.9.0 -> v0.10.0 - **github.com/klauspost/compress** v1.18.3 -> v1.18.4 - **github.com/moby/policy-helpers** [`eeebf1a`](https://redirect.github.com/moby/buildkit/commit/eeebf1a0ab2b) -> [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) - **github.com/morikuni/aec** v1.0.0 -> v1.1.0 - **github.com/pelletier/go-toml/v2** v2.2.4 ***new*** - **github.com/secure-systems-lab/go-securesystemslib** v0.9.1 -> v0.10.0 - **github.com/sigstore/rekor** v1.4.3 -> v1.5.0 - **github.com/sigstore/sigstore** v1.10.0 -> v1.10.4 - **github.com/sigstore/sigstore-go** [`b5fe07a`](https://redirect.github.com/moby/buildkit/commit/b5fe07a5a7d7) -> v1.1.4 - **github.com/sigstore/timestamp-authority/v2** v2.0.2 -> v2.0.3 - **github.com/theupdateframework/go-tuf/v2** v2.3.0 -> v2.4.1 - **google.golang.org/genproto/googleapis/api** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) - **google.golang.org/genproto/googleapis/rpc** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) - **google.golang.org/grpc** v1.76.0 -> v1.78.0 Previous release can be found at [v0.27.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.27.1) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/SimonStiil/traefik-out-of-cluster). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNi41IiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->
SimonStiil
pushed a commit
to SimonStiil/keyvaluedatabaseweb
that referenced
this pull request
Mar 25, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [go](https://go.dev/) ([source](https://redirect.github.com/golang/go)) | toolchain | patch | `1.26.0` → `1.26.1` | | golang | | patch | `1.26.0-alpine` → `1.26.1-alpine` | | [moby/buildkit](https://redirect.github.com/moby/buildkit) | | minor | `v0.27.1-rootless` → `v0.28.1-rootless` | --- ### Release Notes <details> <summary>golang/go (go)</summary> ### [`v1.26.1`](https://redirect.github.com/golang/go/compare/go1.26.0...go1.26.1) </details> <details> <summary>moby/buildkit (moby/buildkit)</summary> ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) ### [`v0.28.0`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.27.1...v0.28.0) buildkit 0.28.0 Welcome to the v0.28.0 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn - Jonathan A. Sternberg - Akihiro Suda - Amr Mahdi - Dan Duvall - David Karlsson - Jonas Geiler - Kevin L. - rsteube ##### Notable Changes - Builtin Dockerfile frontend has been updated to v1.22.0 [changelog](https://redirect.github.com/moby/buildkit/releases/tag/dockerfile%2F1.22.0) - The default provenance format has been switched to SLSA v1.0 from the previous v0.2. The old format can still be generated by setting the `version` attribute. [#​6526](https://redirect.github.com/moby/buildkit/issues/6526) - Provenance attestation for an image can now be directly pulled via Source metadata request. [#​6516](https://redirect.github.com/moby/buildkit/issues/6516) [#​6514](https://redirect.github.com/moby/buildkit/issues/6514) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - Pushing result images and exporting build cache now happens in parallel, for better performance. [#​6451](https://redirect.github.com/moby/buildkit/issues/6451) - LLB definition now supports two new Source types for accessing raw blobs from image registries and from OCI layouts. New sources use identifier protocols `docker-image+blob://` and `oci-layout+blob://`. [#​4286](https://redirect.github.com/moby/buildkit/issues/4286) - LLB API now supports custom checksum requests for HTTP sources, allowing fetching checksums for different algorithms than the default SHA256 and with optional suffixes. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) [#​6537](https://redirect.github.com/moby/buildkit/issues/6537) - LLB API now supports validating HTTP sources with PGP signatures, similarly to previous support for Git sources. [#​6527](https://redirect.github.com/moby/buildkit/issues/6527) - With the update to a newer version of the in-toto library, the provenance attestation key `InvocationID` has changed to `InvocationId` to strictly follow the SLSA spec. This change doesn't affect BuildKit/Buildx Golang tooling, but could affect 3rd party tools if they are using case-sensitive JSON parsing. [#​6533](https://redirect.github.com/moby/buildkit/issues/6533) - Embedded Qemu emulator support has been updated to v10.1.3 [#​6524](https://redirect.github.com/moby/buildkit/issues/6524) - Update BuildKit Cgroups implementation to work in (Kubernetes) environments that don't have their own Cgroup namespace. [#​6368](https://redirect.github.com/moby/buildkit/issues/6368) - Buildctl binary now supports bash completion. [#​6474](https://redirect.github.com/moby/buildkit/issues/6474) - PGP signature verification now supports combined public keys as input for defining the required signer. [#​6519](https://redirect.github.com/moby/buildkit/issues/6519) - Fix possible "failed to read expected number of bytes" error when reading attestation chains [#​6520](https://redirect.github.com/moby/buildkit/issues/6520) - Fix possible error from race condition when creating images in parallel [#​6477](https://redirect.github.com/moby/buildkit/issues/6477) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.39.6 -> v1.41.1 - **github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream** v1.7.2 -> v1.7.4 - **github.com/aws/aws-sdk-go-v2/config** v1.31.20 -> v1.32.7 - **github.com/aws/aws-sdk-go-v2/credentials** v1.18.24 -> v1.19.7 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.13 -> v1.18.17 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.13 -> v1.4.17 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.13 -> v2.7.17 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.3 -> v1.13.4 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.13 -> v1.13.17 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 ***new*** - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.3 -> v1.30.9 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.7 -> v1.35.13 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.40.2 -> v1.41.6 - **github.com/aws/smithy-go** v1.23.2 -> v1.24.0 - **github.com/cloudflare/circl** v1.6.1 -> v1.6.3 - **github.com/containerd/nydus-snapshotter** v0.15.10 -> v0.15.11 - **github.com/containerd/stargz-snapshotter** v0.17.0 -> v0.18.2 - **github.com/containerd/stargz-snapshotter/estargz** v0.17.0 -> v0.18.2 - **github.com/coreos/go-systemd/v22** v22.6.0 -> v22.7.0 - **github.com/docker/cli** v29.1.4 -> v29.2.1 - **github.com/go-openapi/errors** v0.22.4 -> v0.22.6 - **github.com/go-openapi/jsonpointer** v0.22.1 -> v0.22.4 - **github.com/go-openapi/jsonreference** v0.21.3 -> v0.21.4 - **github.com/go-openapi/spec** v0.22.1 -> v0.22.3 - **github.com/go-openapi/swag** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/cmdutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/conv** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/fileutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonname** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/loading** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/mangling** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/netutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/stringutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/typeutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/yamlutils** v0.25.3 -> v0.25.4 - **github.com/google/go-containerregistry** v0.20.6 -> v0.20.7 - **github.com/hanwen/go-fuse/v2** v2.8.0 -> v2.9.0 - **github.com/in-toto/in-toto-golang** v0.9.0 -> v0.10.0 - **github.com/klauspost/compress** v1.18.3 -> v1.18.4 - **github.com/moby/policy-helpers** [`eeebf1a`](https://redirect.github.com/moby/buildkit/commit/eeebf1a0ab2b) -> [`824747b`](https://redirect.github.com/moby/buildkit/commit/824747bfdd3c) - **github.com/morikuni/aec** v1.0.0 -> v1.1.0 - **github.com/pelletier/go-toml/v2** v2.2.4 ***new*** - **github.com/secure-systems-lab/go-securesystemslib** v0.9.1 -> v0.10.0 - **github.com/sigstore/rekor** v1.4.3 -> v1.5.0 - **github.com/sigstore/sigstore** v1.10.0 -> v1.10.4 - **github.com/sigstore/sigstore-go** [`b5fe07a`](https://redirect.github.com/moby/buildkit/commit/b5fe07a5a7d7) -> v1.1.4 - **github.com/sigstore/timestamp-authority/v2** v2.0.2 -> v2.0.3 - **github.com/theupdateframework/go-tuf/v2** v2.3.0 -> v2.4.1 - **google.golang.org/genproto/googleapis/api** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`ff82c1b`](https://redirect.github.com/moby/buildkit/commit/ff82c1b0f217) - **google.golang.org/genproto/googleapis/rpc** [`f26f940`](https://redirect.github.com/moby/buildkit/commit/f26f9409b101) -> [`0a764e5`](https://redirect.github.com/moby/buildkit/commit/0a764e51fe1b) - **google.golang.org/grpc** v1.76.0 -> v1.78.0 Previous release can be found at [v0.27.1](https://redirect.github.com/moby/buildkit/releases/tag/v0.27.1) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/SimonStiil/keyvaluedatabaseweb). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My40OC4xIiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->
valentindeaconu
added a commit
to SectorLabs/buildkit-ghcr-mirror
that referenced
this pull request
Mar 26, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [moby/buildkit](https://redirect.github.com/moby/buildkit) | | patch | `0.28.0` → `0.28.1` | | [moby/buildkit](https://redirect.github.com/moby/buildkit) | final | patch | `v0.28.0-rootless` → `v0.28.1-rootless` | | [moby/buildkit](https://redirect.github.com/moby/buildkit) | stage | patch | `v0.28.0` → `v0.28.1` | --- ### Release Notes <details> <summary>moby/buildkit (moby/buildkit)</summary> ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/SectorLabs/buildkit-ghcr-mirror). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42Ni40IiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
SimonStiil
pushed a commit
to SimonStiil/kube-auth-proxy
that referenced
this pull request
Mar 26, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [moby/buildkit](https://redirect.github.com/moby/buildkit) | patch | `v0.28.0-rootless` → `v0.28.1-rootless` | --- ### Release Notes <details> <summary>moby/buildkit (moby/buildkit)</summary> ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/SimonStiil/kube-auth-proxy). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45MS41IiwidXBkYXRlZEluVmVyIjoiNDMuOTEuNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->
renovate-coop-norge bot
added a commit
to coopnorge/engineering-docker-images
that referenced
this pull request
Mar 27, 2026
…devtools-python3.10-v1beta1 (#3806) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [docker.io/moby/buildkit](https://redirect.github.com/moby/buildkit) | stage | patch | `v0.28.0-rootless` → `v0.28.1-rootless` | --- ### Release Notes <details> <summary>moby/buildkit (docker.io/moby/buildkit)</summary> ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My44My4yIiwidXBkYXRlZEluVmVyIjoiNDMuODMuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIiwicmVub3ZhdGUiXX0=--> Co-authored-by: renovate-coop-norge[bot] <151545514+renovate-coop-norge[bot]@users.noreply.github.com>
renovate-coop-norge bot
added a commit
to coopnorge/engineering-docker-images
that referenced
this pull request
Mar 27, 2026
…devtools-golang-v1beta1 (#3805) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [docker.io/moby/buildkit](https://redirect.github.com/moby/buildkit) | stage | patch | `v0.28.0-rootless` → `v0.28.1-rootless` | --- ### Release Notes <details> <summary>moby/buildkit (docker.io/moby/buildkit)</summary> ### [`v0.28.1`](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.1) [Compare Source](https://redirect.github.com/moby/buildkit/compare/v0.28.0...v0.28.1) Welcome to the v0.28.1 release of buildkit! Please try out the release binaries and report any issues at <https://github.com/moby/buildkit/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn ##### Notable Changes - Fix insufficient validation of Git URL `#ref:subdir` fragments that could allow access to restricted files outside the checked-out repository root. [GHSA-4vrq-3vrq-g6gg](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg) - Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. [GHSA-4c29-8rgm-jvjj](https://redirect.github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj) - Fix a panic when processing invalid `.dockerignore` patterns during `COPY`. [#​6610](https://redirect.github.com/moby/buildkit/issues/6610) [moby/patternmatcher#9](https://redirect.github.com/moby/patternmatcher/issues/9) ##### Dependency Changes - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 Previous release can be found at [v0.28.0](https://redirect.github.com/moby/buildkit/releases/tag/v0.28.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My44My4yIiwidXBkYXRlZEluVmVyIjoiNDMuODMuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIiwicmVub3ZhdGUiXX0=--> Co-authored-by: renovate-coop-norge[bot] <151545514+renovate-coop-norge[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fix panic / nil pointer dereference on invalid patterns
Pattern.compilewas updatingPattern.matchTypein-place. In situations wherethe resulting regex failed to compile, it would return early (with an error),
but the
matchTypewas already set.In that situation,
Pattern.matchwould consider thematchTypealreadyset, skip the
p.matchType == unknownMatchcondition, and fall throughto trying to use
p.regex, which was nil, and resulted in a panic;This patch:
Pattern.compileto use a local variable for the intermediatestate, and only updates
Pattern.matchTypewhen completing successfully.Pattern.matchas defense-in-depth.