fix(deps): update module github.com/moby/buildkit to v0.31.1

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/moby/buildkit	v0.29.0 → v0.31.1

---

Release Notes

moby/buildkit (github.com/moby/buildkit)

v0.31.1

Compare Source

buildkit 0.31.1

Welcome to the v0.31.1 release of buildkit!

This is a security patch release with two low severity security fixes.

Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.

Contributors

• Tõnis Tiigi

Notable Changes

• Custom frontend could bypass Seccomp/AppArmor restrictions GHSA-7236-3392-c5c6
• Possible runtime DoS via unbounded group parsing GHSA-72x6-4j93-7w86

Dependency Changes

This release has no dependency changes

Previous release can be found at v0.31.0

v0.31.0

Compare Source

buildkit 0.31.0

Welcome to the v0.31.0 release of buildkit!

Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.

Contributors

• Tõnis Tiigi
• CrazyMax
• Sebastiaan van Stijn
• Bjorn Neergaard
• Jonathan A. Sternberg
• Akihiro Suda
• Bryce Gibson
• Ava Barron
• Brian Goff
• Jiří Moravčík
• ZRHann
• Kevin NZUGUEM
• Maya Chen
• Natnael Gebremariam
• Sai Kiran Maggidi
• okhowang(王沛文)

Notable Changes

• Built-in Dockerfile frontend has been updated to v1.25.0 changelog
• Exec steps now support a network proxy feature where all container traffic will be routed through an HTTP proxy server. This allows capturing the network traffic for inspection in build progress and provenance attestation. Source policies can define the requests that build containers are allowed to make and the ones that should be blocked. Network proxy can be enabled for the whole BuildKit daemon or enabled on a per-build basis. #​6858 #​6816 #​6740 #​6863
• The local exporter now supports a mode=delete attribute which will replace the destination directory with the contents of the build result instead of merging it. Similar to the --delete flag in rsync. #​6561 #​6864
• LLB APIs now support per-step resource limits for CPU and memory. #​6569
• LLB APIs support a new Passthrough operation that allows defining dependency build graph branches that are required to be built but do not add any outputs to the final result. The state.Requires() client helper can be used to define such dependencies in the build graph. #​6829
• All image results now default to using OCI media types. Previously this was applied based on whether annotations or attestations were needed. oci-mediatypes=false can be used for legacy Docker media types. This change raises the compatibility version of BuildKit v0.31.0 to 30. #​6824
• Local cache exporter now supports the reset option to clear the unreferenced existing cache. #​6612
• The local build result outputs now use a new implementation with better security guarantees in case the destination directory is mutated externally during the transfer. #​6561
• New build metrics about build counts and durations have been added to the OTEL provider. #​6736
• Parallel request limits for registry connections can now be set via configuration file. #​6776
• In special modes where the client does not expose the session connection to transfer credentials, builds can now still fall back to anonymous registry auth instead of erroring. #​6760
• Embedded binfmt emulators in the release image have been updated to QEMU v10.2.3. #​6846
• Runc container runtime has been updated to v1.3.6
• Created attestations now use in-toto v1 statement format. #​6823
• Due to the upgraded CLI library, the internal buildctl completion scripts flag --generate-bash-completion is no longer supported and has been replaced with --generate-shell-completion. #​6848
• Fix an issue in default GC policy rules where the first rule for prioritizing releasing cache mounts and local sources did not apply. #​6856
• Fix an issue where parent directories could be created with incorrect permissions due to system umask when using BuildKit embedded in Dockerd. #​6828
• Fix possible segfault from race condition when HTTP server returned 401 error. #​6791
• Fix source policy exact match rules losing the destination value during conversion. #​6861
• Fix potential deadlock race conditions on stdin close. #​6810 #​6815
• Fix premature ref release possibly causing "snapshot does not exist" error. #​6821
• Fix OTLP shutdown stalling buildctl and buildkitd when the trace collector is unreachable. #​6757
• Fix possible reference counting issues. #​6820
• Fix possible hang in local progress writer. #​6811
• Fix a data race when reading worker platform information. #​6867
• Fix possible early release in case of cache computation error. #​6818
• Improve stability of how runc kills build container processes. #​6779

Dependency Changes

• github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0 -> v1.21.1
• github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 -> v1.12.0
• github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 -> v1.7.0
• github.com/aws/aws-sdk-go-v2 v1.41.7 -> v1.42.0
• github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8 -> v1.7.13
• github.com/aws/aws-sdk-go-v2/config v1.32.17 -> v1.32.24
• github.com/aws/aws-sdk-go-v2/credentials v1.19.16 -> v1.19.23
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.23 -> v1.18.29
• github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager v0.2.9 new
• github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23 -> v1.4.29
• github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23 -> v2.7.29
• github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.24 -> v1.4.30
• github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9 -> v1.13.12
• github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.12 -> v1.9.22
• github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.23 -> v1.13.29
• github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.20 -> v1.19.29
• github.com/aws/aws-sdk-go-v2/service/s3 v1.89.1 -> v1.103.3
• github.com/aws/aws-sdk-go-v2/service/signin v1.0.11 -> v1.1.5
• github.com/aws/aws-sdk-go-v2/service/sso v1.30.17 -> v1.31.3
• github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.21 -> v1.36.6
• github.com/aws/aws-sdk-go-v2/service/sts v1.42.1 -> v1.43.3
• github.com/aws/smithy-go v1.25.1 -> v1.27.2
• github.com/containerd/containerd/v2 v2.2.3 -> v2.2.4
• github.com/containerd/continuity v0.4.5 -> v0.5.0
• github.com/containerd/nydus-snapshotter v0.15.13 -> v0.15.15
• github.com/containerd/platforms v1.0.0-rc.2 -> v1.0.0-rc.4
• github.com/containerd/typeurl/v2 v2.2.3 -> v2.3.0
• github.com/docker/cli v29.4.3 -> v29.5.3
• github.com/docker/docker-credential-helpers v0.9.5 -> v0.9.8
• github.com/go-openapi/analysis v0.24.3 -> v0.25.2
• github.com/go-openapi/jsonpointer v0.22.5 -> v0.23.1
• github.com/go-openapi/jsonreference v0.21.5 -> v0.21.6
• github.com/go-openapi/runtime v0.29.3 -> v0.32.3
• github.com/go-openapi/runtime/server-middleware v0.30.0 new
• github.com/go-openapi/spec v0.22.4 -> v0.22.5
• github.com/go-openapi/strfmt v0.26.1 -> v0.26.3
• github.com/go-openapi/swag v0.25.5 -> v0.26.0
• github.com/go-openapi/swag/cmdutils v0.25.5 -> v0.26.0
• github.com/go-openapi/swag/conv v0.25.5 -> v0.26.0
• github.com/go-openapi/swag/fileutils v0.25.5 -> v0.26.0
• github.com/go-openapi/swag/jsonname v0.25.5 -> v0.26.0
• github.com/go-openapi/swag/jsonutils v0.25.5 -> v0.26.0
• github.com/go-openapi/swag/loading v0.25.5 -> v0.26.0
• github.com/go-openapi/swag/mangling v0.25.5 -> v0.26.0
• github.com/go-openapi/swag/netutils v0.25.5 -> v0.26.0
• github.com/go-openapi/swag/stringutils v0.25.5 -> v0.26.0
• github.com/go-openapi/swag/typeutils v0.25.5 -> v0.26.0
• github.com/go-openapi/swag/yamlutils v0.25.5 -> v0.26.0
• github.com/go-openapi/validate v0.25.2 -> v0.25.3
• github.com/golang-jwt/jwt/v5 v5.3.0 -> v5.3.1
• github.com/google/certificate-transparency-go v1.3.2 -> v1.3.3
• github.com/google/go-containerregistry v0.20.7 -> v0.21.6
• github.com/google/pprof f64d9cf -> 545e8a4
• github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 -> v2.29.0
• github.com/in-toto/attestation v1.1.2 -> v1.2.0
• github.com/moby/policy-helpers a39d601 -> d5411a9
• github.com/moby/sys/mount v0.3.4 -> fc52b72
• github.com/moby/sys/sequential v0.6.0 -> v0.7.0
• github.com/opencontainers/selinux v1.13.1 -> v1.15.1
• github.com/pelletier/go-toml/v2 v2.2.4 -> v2.3.1
• github.com/prometheus/common v0.66.1 -> v0.67.5
• github.com/prometheus/otlptranslator v0.0.2 -> v1.0.0
• github.com/prometheus/procfs v0.17.0 -> v0.20.1
• github.com/secure-systems-lab/go-securesystemslib v0.10.0 -> v0.11.0
• github.com/sigstore/protobuf-specs v0.5.0 -> v0.5.1
• github.com/sigstore/rekor v1.5.0 -> v1.5.2
• github.com/sigstore/rekor-tiles/v2 v2.0.1 -> 5d098a2
• github.com/sigstore/sigstore v1.10.5 -> v1.10.8
• github.com/sigstore/sigstore-go v1.1.4 -> v1.2.1
• github.com/sigstore/timestamp-authority/v2 v2.0.6 -> v2.1.2
• github.com/theupdateframework/go-tuf/v2 v2.4.1 -> v2.4.2
• github.com/tonistiigi/fsutil a2aa163 -> 0257b33
• github.com/transparency-dev/formats 404c0d5 -> v0.1.1
• github.com/urfave/cli/v3 v3.9.0 new
• github.com/vbatts/tar-split v0.12.2 -> v0.12.3
• github.com/youmark/pkcs8 a2c0da2 new
• go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.68.0 -> v0.69.0
• go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.68.0 -> v0.69.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 -> v0.69.0
• go.opentelemetry.io/otel v1.43.0 -> v1.44.0
• go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.43.0 -> v1.44.0
• go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.43.0 -> v1.44.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 -> v1.44.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 -> v1.44.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 -> v1.44.0
• go.opentelemetry.io/otel/exporters/prometheus v0.60.0 -> v0.65.0
• go.opentelemetry.io/otel/metric v1.43.0 -> v1.44.0
• go.opentelemetry.io/otel/sdk v1.43.0 -> v1.44.0
• go.opentelemetry.io/otel/sdk/metric v1.43.0 -> v1.44.0
• go.opentelemetry.io/otel/trace v1.43.0 -> v1.44.0
• go.yaml.in/yaml/v2 v2.4.3 -> v2.4.4
• golang.org/x/exp df92998 -> 055de63
• google.golang.org/genproto/googleapis/api 6f92a3b -> 3dc84a4
• google.golang.org/genproto/googleapis/rpc 6f92a3b -> 3dc84a4
• google.golang.org/grpc v1.80.0 -> v1.81.1
• google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 -> v1.6.1
• k8s.io/klog/v2 v2.140.0 new

Previous release can be found at v0.30.0

v0.30.0

Compare Source

Welcome to the v0.30.0 release of buildkit!

Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.

Contributors

• Tõnis Tiigi
• CrazyMax
• Sebastiaan van Stijn
• Jonathan A. Sternberg
• Natnael Gebremariam
• Akihiro Suda
• Dawei Wei
• Dmitrii Kostyrev
• Jiří Moravčík
• Vladimir Kuznichenkov

Notable Changes

• Builtin Dockerfile frontend has been updated to v1.24.0 changelog
• BuildKit now supports the concept of "compatibility version" for improved reproducible builds support across different BuildKit versions. This allows users to specify a version for which the build should be compatible with, and BuildKit will attempt to maintain compatibility with that version when possible. Compatibility version will be stored in the provenance attestation of the build and can be used to independently verify the artifacts of the build on other BuildKit versions. The current compatibility version and backward compatibility with old versions are defined in Build reproducibility docs #​6681
• Git sources now support fetch-by-commit option where commit is fetched by the SHA and then associated with the reference. This is useful when checking out mutable references refs/NR/merge where the commit SHA may change during invocation and cause checksum mismatch error #​6708
• The LLB API now supports Git bundle format. Git bundles can be loaded from registry or OCI layout blobs and Git sources can be checked out into bundle format for snapshotting #​6711
• Provenance attestations for multi-pass or chained builds now include request details for root requests and individual input requests, allowing full reconstruction of such complex builds #​6739
• The version of the built-in Dockerfile frontend that was used is now included in the provenance metadata and reported via worker info APIs. #​6705
• Improve error reporting for registry errors on cache export #​6762
• S3 cache now supports additional options retry_mode and retry_max_attempts to configure retry behavior of S3 client #​6657
• S3 cache now supports disable_accept_encoding option for GCS interoperability #​6642
• Reduce potential lock contention in gateway forwarder for improved performance on parallel builds #​6741
• A new log level option has been added to the buildkitd TOML configuration; previous "debug" and "trace" options have been deprecated #​6732
• Allow gateway frontend requests to forward to the built-in Dockerfile frontend the same way as to external frontends #​6643
• Session connection health checks have been improved to better detect loss of connectivity and avoid stuck builds #​6649
• Fix issue with Git subdirectory value not being included in ConfigSource section of SLSA provenance for builds from Git sources #​6724
• Avoid potential deadlock if the credential helper in the client is misbehaving and never returns credentials #​6709
• Fix possible data race in provenance computation on parallel builds #​6758
• Fix possible provenance capture race in concurrent no-cache builds that could leave source pins empty and fail with an invalid checksum digest error #​6764
• Fix possible data race in progress writer #​6679
• Fix data race in S3 cache reader #​6675
• Fix possible Git config lookup errors on Windows #​6639
• Fix build cancellation not working properly when blocked on credential callback #​6641

Dependency Changes

• github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 -> v1.21.0
• github.com/Microsoft/hcsshim v0.14.0-rc.1 -> v0.14.1
• github.com/aws/aws-sdk-go-v2 v1.41.4 -> v1.41.7
• github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.5 -> v1.7.8
• github.com/aws/aws-sdk-go-v2/config v1.32.12 -> v1.32.17
• github.com/aws/aws-sdk-go-v2/credentials v1.19.12 -> v1.19.16
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 -> v1.18.23
• github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 -> v1.4.23
• github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 -> v2.7.23
• github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.12 -> v1.4.24
• github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 -> v1.13.9
• github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.3 -> v1.9.12
• github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 -> v1.13.23
• github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.12 -> v1.19.20
• github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 -> v1.0.11
• github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 -> v1.30.17
• github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 -> v1.35.21
• github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 -> v1.42.1
• github.com/aws/smithy-go v1.24.2 -> v1.25.1
• github.com/containerd/containerd/v2 v2.2.2 -> v2.2.3
• github.com/docker/cli v29.3.1 -> v29.4.3
• github.com/go-openapi/runtime v0.29.2 -> v0.29.3
• github.com/go-openapi/swag v0.25.4 -> v0.25.5
• github.com/go-openapi/swag/cmdutils v0.25.4 -> v0.25.5
• github.com/go-openapi/swag/netutils v0.25.4 -> v0.25.5
• github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7 -> v2.28.0
• github.com/in-toto/in-toto-golang v0.10.0 -> v0.11.0
• github.com/klauspost/compress v1.18.5 -> v1.18.6
• github.com/moby/policy-helpers b7c0b99 -> a39d601
• github.com/moby/profiles/seccomp v0.1.0 -> v0.2.3
• github.com/sigstore/sigstore v1.10.4 -> v1.10.5
• github.com/sigstore/timestamp-authority/v2 v2.0.3 -> v2.0.6
• go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 -> v0.68.0
• go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.63.0 -> v0.68.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 -> v0.68.0
• go.opentelemetry.io/otel v1.40.0 -> v1.43.0
• go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.40.0 -> v1.43.0
• go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.40.0 -> v1.43.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0 -> v1.43.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.40.0 -> v1.43.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0 -> v1.43.0
• go.opentelemetry.io/otel/metric v1.40.0 -> v1.43.0
• go.opentelemetry.io/otel/sdk v1.40.0 -> v1.43.0
• go.opentelemetry.io/otel/sdk/metric v1.40.0 -> v1.43.0
• go.opentelemetry.io/otel/trace v1.40.0 -> v1.43.0
• go.opentelemetry.io/proto/otlp v1.9.0 -> v1.10.0
• golang.org/x/crypto v0.48.0 -> v0.50.0
• golang.org/x/mod v0.33.0 -> v0.34.0
• golang.org/x/net v0.51.0 -> v0.53.0
• golang.org/x/sync v0.19.0 -> v0.20.0
• golang.org/x/sys v0.42.0 -> v0.43.0
• golang.org/x/term v0.41.0 -> v0.42.0
• golang.org/x/text v0.34.0 -> v0.36.0
• golang.org/x/time v0.14.0 -> v0.15.0
• google.golang.org/genproto/googleapis/api 8636f87 -> 6f92a3b
• google.golang.org/genproto/googleapis/rpc 8636f87 -> 6f92a3b
• google.golang.org/grpc v1.79.3 -> v1.80.0
• kernel.org/pub/linux/libs/security/libcap/cap v1.2.77 -> v1.2.78
• kernel.org/pub/linux/libs/security/libcap/psx v1.2.77 -> v1.2.78

Previous release can be found at v0.29.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 7 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.7 -> 1.25.9
github.com/google/go-containerregistry	v0.21.5 -> v0.21.6
github.com/containerd/typeurl/v2	v2.2.3 -> v2.3.0
github.com/docker/cli	v29.4.0+incompatible -> v29.5.3+incompatible
github.com/docker/docker-credential-helpers	v0.9.5 -> v0.9.8
github.com/klauspost/compress	v1.18.5 -> v1.18.6
github.com/vbatts/tar-split	v0.12.2 -> v0.12.3
golang.org/x/sys	v0.43.0 -> v0.45.0