chore(deps): Bump github.com/moby/buildkit from 0.26.3 to 0.28.1 by dependabot[bot] · Pull Request #4615 · devantler-tech/ksail

dependabot · 2026-05-05T18:07:03Z

Bumps github.com/moby/buildkit from 0.26.3 to 0.28.1.

Release notes

Sourced from github.com/moby/buildkit's releases.

v0.28.1

Welcome to the v0.28.1 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

Tõnis Tiigi

CrazyMax

Sebastiaan van Stijn

Notable Changes

Fix insufficient validation of Git URL #ref:subdir fragments that could allow access to restricted files outside the checked-out repository root. GHSA-4vrq-3vrq-g6gg

Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. GHSA-4c29-8rgm-jvjj

Fix a panic when processing invalid .dockerignore patterns during COPY. #6610 moby/patternmatcher#9

Dependency Changes

github.com/moby/patternmatcher v0.6.0 -> v0.6.1

Previous release can be found at v0.28.0

v0.28.0

buildkit 0.28.0

Welcome to the v0.28.0 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

Tõnis Tiigi

CrazyMax

Sebastiaan van Stijn

Jonathan A. Sternberg

Akihiro Suda

Amr Mahdi

Dan Duvall

David Karlsson

Jonas Geiler

Kevin L.

rsteube

... (truncated)

Commits

45b038c git: normalize and validate subdir paths
f5462c2 git: harden ref arg handling
71577a5 source: extract SafeFileName into shared pathutil package
df43783 source/http: use os.Root for saved file operations
9ce6f62 source/http: sanitize downloaded filenames
099cf80 executor: validate container IDs centrally
2642113 Merge pull request #6610 from thaJeztah/0.28_backport_bump_patternmatcher
802da78 vendor: github.com/moby/patternmatcher v0.6.1
5245d86 Merge pull request #6551 from tonistiigi/v0.28-cherry-picks
90ee5de vendor: update x/net to v0.51.0
Additional commits viewable in compare view

github-actions · 2026-05-05T18:09:27Z

✅MegaLinter analysis: Success

✅ Linters with no issues

actionlint, bash-exec, git_diff, hadolint, jscpd, jsonlint, lychee, markdown-table-formatter, markdownlint, prettier, prettier, shellcheck, shfmt, stylelint, syft, trivy-sbom, trufflehog, v8r, v8r, yamllint

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts

Show us your support by starring ⭐ the repository

devantler · 2026-05-06T03:13:28Z

❌ Cannot merge — two upstream incompatibilities

moby/buildkit v0.28.1 is incompatible with two other modules in our module graph. There is no fix available within ksail's codebase; the fixes belong upstream. Closing per ways-of-working: "upstream first — when a fix belongs in a dependency or upstream project, contribute it there."

Root cause 1 — `docker/docker v28.5.2+incompatible` × `moby/go-archive v0.2.0`

moby/buildkit v0.28.1 requires moby/go-archive v0.2.0. In v0.2.0, the deprecated archive.Compression type alias was removed from the top-level package (moved to compression.Compression sub-package only).

docker/docker v28.5.2+incompatible/pkg/archive/archive_deprecated.go:103 still returns archive.Compression, causing:

undefined: archive.Compression

docker/docker is pinned via a replace directive for k3d compatibility and cannot be upgraded independently.

Root cause 2 — `kubescape/kubescape v3.0.48` × buildkit authprovider API break

Between buildkit v0.26.x and v0.27.x, DockerAuthProviderConfig.ConfigFile *configfile.ConfigFile was replaced by an AuthConfigProvider function. kubescape v3.0.48/core/core/patch.go:201 still uses the old field:

cfg := authprovider.DockerAuthProviderConfig{ConfigFile: dockerConfig}
// error: unknown field ConfigFile in struct literal

v3.0.48 is the latest kubescape release; no newer compatible version exists.

Why a `replace` directive workaround is not appropriate

Pinning github.com/moby/buildkit => v0.26.3 in the replace block would make the build succeed, but would effectively revert this PR to a no-op: the module graph would use v0.26.3 behaviour while the require line shows v0.28.1. This is pure technical debt with no net benefit.

Resolution path

This PR can be reopened once either:

kubescape/kubescape is updated to support the buildkit ≥ v0.27.0 AuthConfigProvider API (tracked in upstream kubescape repo), or
docker/docker is upgraded to a version compatible with moby/go-archive v0.2.0 (unblocks the docker/docker replace-directive pin)

Until then, the module graph naturally resolves moby/buildkit to v0.26.1 via docker/buildx v0.30.1 and kubescape v3.0.48, with no explicit pin needed in go.mod.

devantler · 2026-05-06T03:13:34Z

Closing — see explanation above. Can be reopened once kubescape or docker/docker unblocks the upgrade.

dependabot · 2026-05-06T03:13:37Z

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

devantler · 2026-05-29T16:51:04Z

@dependabot recreate

dependabot · 2026-05-29T16:51:08Z

Looks like this PR is closed. If the branch still exists, you can re-open the PR and then use @dependabot rebase or @dependabot recreate. If the branch was deleted, Dependabot will create a new PR on the next scheduled run, or you can trigger an update from the Dependency graph page.

devantler · 2026-05-29T16:51:21Z

@dependabot recreate

dependabot · 2026-05-29T17:21:13Z

Dependabot can't resolve your Go dependency files. Because of this, Dependabot cannot update this pull request.

devantler · 2026-05-29T21:30:06Z

@dependabot recreate

dependabot · 2026-05-29T22:00:17Z

Dependabot can't resolve your Go dependency files. Because of this, Dependabot cannot update this pull request.

devantler · 2026-05-29T23:37:35Z

Superseded by #4954.

A direct bump can't compile: buildkit ≥ v0.28 removed authprovider.DockerAuthProviderConfig.ConfigFile, still used by kubescape v3.0.48's core/core/patch.go (which KSail imports via core/core); and every kubescape build that fixes that (master, v4.x) forces docker/buildx → v0.33 and the moby/moby/client split universe, which conflicts with KSail's k3d-required docker monolith pin. #4954 resolves it via a minimal kubescape fork (v3.0.48 + the one-line upstream patch.go fix) and bumps buildkit to v0.28.1, fixing CVE-2026-33747 / CVE-2026-33748. It should auto-close this PR on merge.

dependabot · 2026-05-29T23:39:40Z

Dependabot can't resolve your Go dependency files. Because of this, Dependabot cannot update this pull request.

Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.26.3 to 0.28.1. - [Release notes](https://github.com/moby/buildkit/releases) - [Commits](moby/buildkit@v0.26.3...v0.28.1) --- updated-dependencies: - dependency-name: github.com/moby/buildkit dependency-version: 0.28.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

Copilot

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

github-actions

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.50.

Benchmark suite	Current: `2459ec9`	Previous: `8c45953`	Ratio
`BenchmarkCluster_MarshalJSON/WithBasicConfig (github.com/devantler-tech/ksail/v7/pkg/apis/cluster/v1alpha1)`	`217501` ns/op 18709 B/op 452 allocs/op	`131281` ns/op 18580 B/op 448 allocs/op	`1.66`
`BenchmarkCluster_MarshalJSON/WithBasicConfig (github.com/devantler-tech/ksail/v7/pkg/apis/cluster/v1alpha1) - ns/op`	`217501` ns/op	`131281` ns/op	`1.66`
`BenchmarkCluster_MarshalJSON/FullProductionCluster (github.com/devantler-tech/ksail/v7/pkg/apis/cluster/v1alpha1)`	`245778` ns/op 24794 B/op 551 allocs/op	`92633` ns/op 24647 B/op 547 allocs/op	`2.65`
`BenchmarkCluster_MarshalJSON/FullProductionCluster (github.com/devantler-tech/ksail/v7/pkg/apis/cluster/v1alpha1) - ns/op`	`245778` ns/op	`92633` ns/op	`2.65`
`BenchmarkYAMLEncode/Minimal (github.com/devantler-tech/ksail/v7/pkg/apis/cluster/v1alpha1)`	`227015` ns/op 25432 B/op 474 allocs/op	`87526` ns/op 25304 B/op 470 allocs/op	`2.59`
`BenchmarkYAMLEncode/Minimal (github.com/devantler-tech/ksail/v7/pkg/apis/cluster/v1alpha1) - ns/op`	`227015` ns/op	`87526` ns/op	`2.59`
`BenchmarkYAMLEncode/FullProductionCluster (github.com/devantler-tech/ksail/v7/pkg/apis/cluster/v1alpha1)`	`295849` ns/op 36560 B/op 519 allocs/op	`96383` ns/op 36432 B/op 515 allocs/op	`3.07`
`BenchmarkYAMLEncode/FullProductionCluster (github.com/devantler-tech/ksail/v7/pkg/apis/cluster/v1alpha1) - ns/op`	`295849` ns/op	`96383` ns/op	`3.07`
`BenchmarkJSONEncode (github.com/devantler-tech/ksail/v7/pkg/apis/cluster/v1alpha1)`	`227301` ns/op 19948 B/op 470 allocs/op	`84382` ns/op 19816 B/op 466 allocs/op	`2.69`
`BenchmarkJSONEncode (github.com/devantler-tech/ksail/v7/pkg/apis/cluster/v1alpha1) - ns/op`	`227301` ns/op	`84382` ns/op	`2.69`
`BenchmarkPruneClusterDefaults/MostlyDefaults (github.com/devantler-tech/ksail/v7/pkg/apis/cluster/v1alpha1)`	`82012` ns/op 9872 B/op 267 allocs/op	`39822` ns/op 9792 B/op 265 allocs/op	`2.06`
`BenchmarkPruneClusterDefaults/MostlyDefaults (github.com/devantler-tech/ksail/v7/pkg/apis/cluster/v1alpha1) - ns/op`	`82012` ns/op	`39822` ns/op	`2.06`

This comment was automatically generated by workflow using github-action-benchmark.

dependabot Bot added the dependencies label May 5, 2026

Copilot AI review requested due to automatic review settings May 5, 2026 18:07

dependabot Bot added the go label May 5, 2026

dependabot Bot requested a review from devantler as a code owner May 5, 2026 18:07

dependabot Bot review requested due to automatic review settings May 5, 2026 18:07

dependabot Bot added the dependencies label May 5, 2026

github-project-automation Bot added this to 🌊 Project Board May 5, 2026

dependabot Bot added the go label May 5, 2026

github-project-automation Bot moved this to 🫴 Ready in 🌊 Project Board May 5, 2026

ksail-bot Bot approved these changes May 5, 2026

View reviewed changes

ksail-bot Bot enabled auto-merge May 5, 2026 18:07

devantler closed this May 6, 2026

auto-merge was automatically disabled May 6, 2026 03:13
Pull request was closed

github-project-automation Bot moved this from 🫴 Ready to ✅ Done in 🌊 Project Board May 6, 2026

dependabot Bot deleted the dependabot/go_modules/github.com/moby/buildkit-0.28.1 branch May 6, 2026 03:13

devantler restored the dependabot/go_modules/github.com/moby/buildkit-0.28.1 branch May 29, 2026 16:50

devantler reopened this May 29, 2026

github-project-automation Bot moved this from ✅ Done to 🫴 Ready in 🌊 Project Board May 29, 2026

This was referenced May 29, 2026

fix(deps): bump golang.org/x/{crypto,net,image} to clear reachable CVEs #4951

Merged

fix(deps): bump buildkit to v0.28.1 (CVE-2026-33747/33748) via kubescape fork #4954

Open

Copilot AI review requested due to automatic review settings May 30, 2026 00:25

dependabot Bot force-pushed the dependabot/go_modules/github.com/moby/buildkit-0.28.1 branch from 6cd395b to 2459ec9 Compare May 30, 2026 00:25

Copilot AI reviewed May 30, 2026

View reviewed changes

ksail-bot Bot approved these changes May 30, 2026

View reviewed changes

ksail-bot Bot enabled auto-merge (squash) May 30, 2026 00:25

github-actions Bot reviewed May 30, 2026

View reviewed changes

Uh oh!

Conversation

dependabot Bot commented on behalf of github May 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v0.28.1

Contributors

Notable Changes

Dependency Changes

v0.28.0

Contributors

Uh oh!

github-actions Bot commented May 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅MegaLinter analysis: Success

✅ Linters with no issues

Notices

Uh oh!

devantler commented May 6, 2026

❌ Cannot merge — two upstream incompatibilities

Root cause 1 — docker/docker v28.5.2+incompatible × moby/go-archive v0.2.0

Root cause 2 — kubescape/kubescape v3.0.48 × buildkit authprovider API break

Why a replace directive workaround is not appropriate

Resolution path

Uh oh!

devantler commented May 6, 2026

Uh oh!

dependabot Bot commented on behalf of github May 6, 2026

Uh oh!

devantler commented May 29, 2026

Uh oh!

dependabot Bot commented on behalf of github May 29, 2026

Uh oh!

devantler commented May 29, 2026

Uh oh!

dependabot Bot commented on behalf of github May 29, 2026

Uh oh!

devantler commented May 29, 2026

Uh oh!

dependabot Bot commented on behalf of github May 29, 2026

Uh oh!

devantler commented May 29, 2026

Uh oh!

dependabot Bot commented on behalf of github May 29, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

⚠️ Performance Alert ⚠️

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

dependabot Bot commented on behalf of github May 5, 2026 •

edited

Loading

github-actions Bot commented May 5, 2026 •

edited

Loading

Root cause 1 — `docker/docker v28.5.2+incompatible` × `moby/go-archive v0.2.0`

Root cause 2 — `kubescape/kubescape v3.0.48` × buildkit authprovider API break

Why a `replace` directive workaround is not appropriate