chore(deps): bump github.com/moby/buildkit from 0.28.0 to 0.28.1 in /tests #6083

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/tests/github.com/moby/buildkit-0.28.1

dependabot bot commented on behalf of github Mar 26, 2026

Bumps github.com/moby/buildkit from 0.28.0 to 0.28.1.

Release notes

Sourced from github.com/moby/buildkit's releases.

v0.28.1

Welcome to the v0.28.1 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

  • Tõnis Tiigi
  • CrazyMax
  • Sebastiaan van Stijn

Notable Changes

  • Fix insufficient validation of Git URL #ref:subdir fragments that could allow access to restricted files outside the checked-out repository root. GHSA-4vrq-3vrq-g6gg
  • Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. GHSA-4c29-8rgm-jvjj
  • Fix a panic when processing invalid .dockerignore patterns during COPY. #6610 moby/patternmatcher#9

Dependency Changes

  • github.com/moby/patternmatcher v0.6.0 -> v0.6.1

Previous release can be found at v0.28.0

Commits
  • 45b038c git: normalize and validate subdir paths
  • f5462c2 git: harden ref arg handling
  • 71577a5 source: extract SafeFileName into shared pathutil package
  • df43783 source/http: use os.Root for saved file operations
  • 9ce6f62 source/http: sanitize downloaded filenames
  • 099cf80 executor: validate container IDs centrally
  • 2642113 Merge pull request #6610 from thaJeztah/0.28_backport_bump_patternmatcher
  • 802da78 vendor: github.com/moby/patternmatcher v0.6.1
  • See full diff in compare view

dependabot bot added the labels dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) Mar 26, 2026
dependabot bot requested a review from a team as a code owner March 26, 2026 19:09

otavio commented Mar 31, 2026

@dependabot rebase

Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.28.0 to 0.28.1.
- [Release notes](https://github.com/moby/buildkit/releases)
- [Commits](moby/buildkit@v0.28.0...v0.28.1)

---
updated-dependencies:
- dependency-name: github.com/moby/buildkit
  dependency-version: 0.28.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot force-pushed the dependabot/go_modules/tests/github.com/moby/buildkit-0.28.1 branch from c47db66 to d362c98 March 31, 2026 10:50