What's Changed
Security
- github.com/moby/buildkit 0.28.0: CVE-2026-33747 CVE-2026-33748
- github.com/go-git/go-git/v5 5.17.0: CVE-2026-34165 CVE-2026-33762
- prevent hijacking via COPY --from=<image>: #586
Standardization
- activate dockerfile linter: #590
- FF_KANIKO_NO_PROPAGATE_ANNOTATIONS=false stop propagating base image annotations: #566 #605
Maintenance
- build(deps): bump github.com/minio/highwayhash from 1.0.3 to 1.0.4 in the gomod group: #592
- build(deps): bump github.com/containerd/platforms from 1.0.0-rc.2 to 1.0.0-rc.4: #596 #614
- build(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager from 0.1.10 to 0.1.13: #597 #604 #613
- build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.97.1 to 1.98.0: #597 #604 #613
- build(deps): bump github.com/moby/patternmatcher from 0.6.0 to 0.6.1 in the gomod group: #598
- build(deps): bump github.com/moby/buildkit from 0.28.0 to 0.29.0 in the gomod group: #600 #611
- build(deps): bump sigstore/cosign-installer from 4.1.0 to 4.1.1 in the actions group: #601
- build(deps): bump github.com/docker/cli from 29.3.0+incompatible to 29.3.1+incompatible in the gomod group: #602
- build(deps): bump google.golang.org/api from 0.272.0 to 0.273.1: #603 #613
- build(deps): bump github.com/aws/aws-sdk-go-v2 from 1.41.4 to 1.41.5: #604
- build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.12 to 1.32.13: #604
- build(deps): bump github.com/go-git/go-git/v5 from 5.17.0 to 5.17.2 in the gomod group: #606 #610
- build(deps): bump actions/setup-go from 6.3.0 to 6.4.0 in the actions group: #607
- build(deps): bump step-security/harden-runner from 2.16.0 to 2.16.1 in the actions group: #609