chore(deps): bump the minor group across 1 directory with 10 updates #3684

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Jun 6, 2025

Bumps the minor group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| github.com/containerd/containerd/v2 | 2.0.5 | 2.1.1 |
| github.com/docker/cli | 28.1.1+incompatible | 28.2.2+incompatible |
| github.com/docker/docker | 28.1.1+incompatible | 28.2.2+incompatible |
| github.com/moby/buildkit | 0.21.1 | 0.22.0 |
| github.com/opencontainers/umoci | 0.4.7 | 0.5.0 |
| github.com/vbauerster/mpb/v8 | 8.10.1 | 8.10.2 |
| golang.org/x/crypto | 0.38.0 | 0.39.0 |
| google.golang.org/grpc | 1.72.1 | 1.73.0 |

Updates github.com/containerd/containerd/v2 from 2.0.5 to 2.1.1

Release notes

Sourced from github.com/containerd/containerd/v2's releases.

containerd 2.1.1

Welcome to the v2.1.1 release of containerd!

The first patch release for containerd 2.1 fixes a critical vulnerability (CVE-2025-47290) which was first introduced in 2.1.0. See the GitHub Advisory for more details. This release also contains a few smaller updates and bug fixes.

Highlights

Image Storage

  • Fix erofs media type handling (#11855)

Runtime

  • Reduce shim cleanup log level and add more context (#11831)

Deprecations

  • Update removal version for deprecated registry config fields (#11835)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

Contributors

  • Akihiro Suda
  • Samuel Karp
  • Derek McGowan
  • Gao Xiang
  • Akhil Mohan
  • Chris Henzie
  • Phil Estes
  • Sebastiaan van Stijn
  • ningmingxiao

Changes

  • cb1076646 Merge commit from fork
  • 216667ba0 Prepare release notes for 2.1.1
  • ac00b8e61 Revert "perf(applyNaive): avoid walking the tree for each file in the same directory"
  • build(deps): bump github.com/Microsoft/hcsshim (#11847)
    • 444ca17cd update runhcs version to v0.13.0
    • 0684f1c44 build(deps): bump github.com/Microsoft/hcsshim
  • Fix erofs media type handling (#11855)
    • e1817a401 docs/snapshotters/erofs.md: a tip for improved performance
    • 2168cb92c erofs-differ: fix EROFS native image support
  • Reduce shim cleanup log level and add more context (#11831)

... (truncated)

Commits
  • cb10766 Merge commit from fork
  • 216667b Prepare release notes for 2.1.1
  • c6f9835 Merge pull request #11847 from akhilerm/2.1-hcsshim-update
  • 837aef0 Merge pull request #11855 from k8s-infra-cherrypick-robot/cherry-pick-11851-t...
  • e1817a4 docs/snapshotters/erofs.md: a tip for improved performance
  • 2168cb9 erofs-differ: fix EROFS native image support
  • 444ca17 update runhcs version to v0.13.0
  • 0684f1c build(deps): bump github.com/Microsoft/hcsshim
  • ac00b8e Revert "perf(applyNaive): avoid walking the tree for each file in the same di...
  • dc795bf Merge pull request #11831 from k8s-infra-cherrypick-robot/cherry-pick-11815-t...
  • Additional commits viewable in compare view

Updates github.com/docker/cli from 28.1.1+incompatible to 28.2.2+incompatible

Commits
  • e6534b4 Merge pull request #6116 from vvoland/vendor-docker
  • 5c3128e vendor: github.com/docker/docker v28.2.2-dev (45873be4ae3f)
  • 879ac3f Merge pull request #6110 from thaJeztah/bump_engine
  • 92fa1e1 vendor: github.com/docker/docker 0e2cc22d36ae (v28.2-dev)
  • 4bec3a6 Merge pull request #6114 from thaJeztah/deprecate_non_compliant_registries
  • a007d1a Merge pull request #6113 from thaJeztah/config_suppress_err
  • bbfbd54 docs: deprecated: fallback for non-OCI-compliant registries is removed
  • 2d21e1f cli/config/configfile: explicitly ignore error
  • bc9be0b Merge pull request #6112 from thaJeztah/bump_tools
  • 3fe7dc5 Dockerfile: update compose to v2.36.2
  • Additional commits viewable in compare view

Updates github.com/docker/docker from 28.1.1+incompatible to 28.2.2+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

28.2.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • containerd image store: Fix a regression causing docker build --push to fail. This reverts the fix for docker build not persisting overridden images as dangling. moby/moby#50105

Networking

  • When creating the iptables DOCKER-USER chain, do not add an explicit RETURN rule, allowing users to append as well as insert their own rules. Existing rules are not removed on upgrade, but it won't be replaced after a reboot. moby/moby#50098

28.2.1

Packaging updates

28.2.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Note: RHEL packages are currently not available and will be released later.

New

  • Add {{.Platform}} as formatting option for docker ps to show the platform of the image the container is running. docker/cli#6042
  • Add support for relative parent paths (../) on bind mount sources when using docker run/create with -v/--volume or --mount type=bind options. docker/cli#4966
  • CDI is now enabled by default. moby/moby#49963
  • Show discovered CDI devices in docker info. docker/cli#6078
  • docker image rm: add --platform option to remove a variant from multi-platform images. docker/cli#6109
  • containerd image store: Initial BuildKit support for building Windows container images on Windows (requires an opt-in with DOCKER_BUILDKIT=1). moby/moby#49740

Bug fixes and enhancements

  • Add a new log option for fluentd log driver (fluentd-write-timeout), which enables specifying write timeouts for fluentd connections. moby/moby#49911
  • Add support for DOCKER_AUTH_CONFIG for the experimental --use-api-socket option. docker/cli#6019
  • Fix docker exec waiting for 10 seconds if a non-existing user or group was specified. moby/moby#49868
  • Fix docker swarm init ignoring cacert option of --external-ca. docker/cli#5995
  • Fix an issue where the CLI would not correctly save the configuration file (~/.docker/config.json) if it was a relative symbolic link. docker/cli#5282
  • Fix containers with --restart always policy using CDI devices failing to start on daemon restart. moby/moby#49990

... (truncated)

Commits
  • 45873be Merge pull request #50105 from jsternberg/revert-build-dangling
  • 7994426 Revert "containerd: images overridden by a build are kept dangling"
  • f144264 Merge pull request #50090 from corhere/libn/overlay-netip
  • 768cfae Merge pull request #50050 from robmry/nftables_internal_dns
  • d3289dd Add nftables NAT rules for internal DNS resolver
  • 7a0bf74 Merge pull request #50038 from ctalledo/fix-for-50037
  • b43afbf Merge pull request #50098 from robmry/remove_docker-user_return_rule
  • c299ba3 Update worker.Platforms() in builder-next worker.
  • 0e2cc22 Merge pull request #50049 from robmry/nftables_env_var_enable
  • e37efd4 Merge pull request #50068 from mmorel-35/github.com/containerd/errdefs
  • Additional commits viewable in compare view

Updates github.com/moby/buildkit from 0.21.1 to 0.22.0

Release notes

Sourced from github.com/moby/buildkit's releases.

v0.22.0

Welcome to the v0.22.0 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

  • Tõnis Tiigi
  • CrazyMax
  • Akihiro Suda
  • Sebastiaan van Stijn
  • Alberto Garcia Hierro
  • Anthony Nandaa
  • Jonathan A. Sternberg
  • Bertrand Paquet
  • Gleb Nebolyubov
  • Justin Chadwell
  • liulanzheng

Notable Changes

  • Add checksum support to Git source. #5975
  • Allow duration based filters on diskusage requests. #5455
  • Ignore Apple extended file attributes during copy. #5937 tonistiigi/fsutil#235
  • Support for building overlaybd images. #3867 docs
  • Improve error message for registry and local cache export when using image-manifest and oci-mediatypes options. #5966
  • Fix supported platforms reported by the worker. #5968
  • Fix CDI device request by class annotation. #5969
  • Fix panic when using a tiny terminal. #5967
  • CNI plugins have been updated to v1.7.1. #5533

Dependency Changes

  • github.com/containerd/accelerated-container-image v1.2.3 new
  • github.com/containerd/containerd/v2 v2.0.4 -> v2.0.5
  • github.com/docker/cli v28.0.4 -> v28.1.1
  • github.com/docker/docker v28.0.4 -> v28.1.1
  • github.com/moby/go-archive 21f3f3385ab7 -> v0.1.0
  • github.com/moby/sys/atomicwriter v0.1.0 new
  • github.com/tonistiigi/fsutil 5b74a7ad7583 -> 3f76f8130144
  • github.com/vbatts/tar-split v0.11.6 -> v0.12.1

Previous release can be found at v0.21.1

v0.22.0-rc2

Welcome to the v0.22.0-rc2 release of buildkit! This is a pre-release of buildkit

... (truncated)

Commits
  • 13cf07c Merge pull request #5979 from crazy-max/v0.22-picks-0.22.0-rc2
  • a3712e2 allow duration based filters on diskusage requests
  • 93b71cd git: add testcase for checking that adding checksum doesn't break cache
  • 17ae6d0 git: verify checksum early and more tests
  • 13f36e6 dockerfile: implement ADD --checksum=COMMIT_HASH GIT_URL
  • 8e1bbed git source: add AttrGitChecksum
  • 141a4a6 Merge pull request #5533 from crazy-max/update-cni
  • 40e8799 Merge pull request #5923 from crazy-max/run-device-docs
  • 6b3c423 dockerfile: update cni to 1.7.1
  • 4da8760 dockerfile: run device docs
  • Additional commits viewable in compare view

Updates github.com/opencontainers/umoci from 0.4.7 to 0.5.0

Changelog

Sourced from github.com/opencontainers/umoci's changelog.

[0.5.0] - 2025-05-21

A wizard is never late, Frodo Baggins. Nor is he early; he arrives precisely when he means to.

This version of umoci requires Go 1.23 to build.

Security

  • A security flaw was found in the OCI image-spec, where it is possible to cause a blob with one media-type to be interpreted as a different media-type. As umoci is not a registry nor does it handle signatures, this vulnerability had no real impact on umoci but for safety we implemented the now-recommended media-type embedding and verification. CVE-2021-41190

Breaking

  • The method of configuring the on-disk format and MapOptions in RepackOptions and UnpackOptions has been changed. The on-disk format is now represented with the OnDiskFormat interface, with DirRootfs and OverlayfsRootfs as possible options to use. MapOptions is now configured inside the OnDiskFormat setting, which will require callers to adjust their usage of the main umoci APIs. In particular, examples like

    unpackOptions := &layer.UnpackOptions{
        MapOptions: mapOptions,
        WhiteoutMode: layer.StandardOCIWhiteout, // or layer.OverlayFSWhiteout
    }
    err := layer.UnpackManifest(ctx, engineExt, bundle, manifest, unpackOptions)

    will have to now be written as

    unpackOptions := &layer.UnpackOptions{
        OnDiskFormat: layer.DirRootfs{ // or layer.OverlayfsRootfs
            MapOptions: mapOptions,
        },
    }
    err := layer.UnpackManifest(ctx, engineExt, bundle, manifest, unpackOptions)

    and similarly

    repackOptions := &layer.RepackOptions{
        MapOptions: mapOptions,
        TranslateOverlayWhiteouts: false, // or true
    }
    layerRdr, err := layer.GenerateLayer(path, deltas, repackOptions)

... (truncated)

Commits
  • 0bb7e0b VERSION: release v0.5.0
  • 5a2921b merge #588 into opencontainers/umoci:main
  • 486a6a5 oci: layer: handle auto-converting to an opaque whiteout with overlayfs
  • a665c67 oci: layer: fix extraction with a non-directory parent component
  • 9892049 merge #587 into opencontainers/umoci:main
  • 7d2d5e5 oci: layer: add support for userxattr in OverlayfsRootfs
  • 55fc2f5 oci: layer: clean up ToDisk and ToTar signatures
  • 8375e7a oci: layer: explicitly handle unrelated xattrs for overlayfs xattr filter
  • 0cea894 oci: layer: merge is-overlayfs config and mapping into OnDiskFormat config
  • fbe9b0e tests: make sure we use a new t.TempDir per-t.Run
  • Additional commits viewable in compare view

Updates github.com/vbauerster/mpb/v8 from 8.10.1 to 8.10.2

Release notes

Sourced from github.com/vbauerster/mpb/v8's releases.

v8.10.2

Full Changelog: vbauerster/mpb@v8.10.1...v8.10.2

Commits

Updates golang.org/x/crypto from 0.38.0 to 0.39.0

Commits
  • 3bf9d2a ssh/test: skip KEX test if unsupported by system SSH client
  • 9bab967 go.mod: update golang.org/x dependencies
  • 4f9f0ca x509roots/fallback: add init time benchmark
  • eac7cf0 x509roots/fallback: move parsing code to a non-generated file
  • 18228cd acme: return err from deprecated TLS-SNI-[01|02] functions
  • 73f6362 acme: remove dead code
  • ebc8e46 ssh: add server side support for Diffie Hellman Group Exchange
  • e944286 ssh: expose negotiated algorithms
  • 78a1fd7 ssh: automatically add curve25519-sha256@libssh.org KEX alias
  • ac58737 ssh: export supported algorithms
  • Additional commits viewable in compare view

Updates golang.org/x/sync from 0.14.0 to 0.15.0

Commits
  • 8a14946 errgroup: remove duplicated comment
  • 1869c69 all: replace deprecated ioutil
  • d1ac909 sync/errgroup: PanicError.Error print stack trace
  • See full diff in compare view

Updates golang.org/x/text from 0.25.0 to 0.26.0

Commits
  • 8072180 go.mod: update golang.org/x dependencies
  • 6cacac1 go.mod: update tagx:ignore'd golang.org/x dependencies
  • See full diff in compare view

Updates google.golang.org/grpc from 1.72.1 to 1.73.0

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.73.0

New Features

  • balancer/ringhash: move LB policy from xds/internal to exported path to facilitate use without xds (#8249)
  • xds: enable least request LB policy by default. It can be disabled by setting GRPC_EXPERIMENTAL_ENABLE_LEAST_REQUEST=false in your environment. (#8253)
  • grpc: add a CallAuthority Call Option that can be used to overwrite the http :authority header on per-RPC basis. (#8068)
  • stats/opentelemetry: add trace event for name resolution delay. (#8074)
  • health: added List method to gRPC Health service. (#8155)
  • ringhash: implement features from gRFC A76. (#8159)
  • xds: add functionality to support SPIFFE Bundle Maps as roots of trust in XDS which can be enabled by setting GRPC_EXPERIMENTAL_XDS_MTLS_SPIFFE=true. (#8167, #8180, #8229, #8343)

Bug Fixes

  • xds: locality ID metric label is changed to make it consistent with gRFC A78. (#8256)
  • client: fail RPCs on the client when using extremely short contexts that expire before the grpc-timeout header is created. (#8312)
  • server: non-positive grpc-timeout header values are now rejected. This is consistent with the gRPC protocol spec. (#8290)
  • xds: fix reported error string when LRS load reporting interval is invalid. (#8224)

Performance Improvements

  • credentials/alts: improve read performance by optimizing buffer copies and allocations. (#8271)
  • server: improve performance of RPC handling by avoiding a status proto copy (#8282)

Documentation

  • examples/features/opentelemetry: modify example to demonstrate tracing using OpenTelemetry plugin. (#8056)

Release 1.72.2

Bug Fixes

  • client: restore support for NO_PROXY environment variable when connecting to locally-resolved addresses (case 2 from gRFC A1). (#8329)
  • balancer/least_request: fix panic on resolver errors. (#8333)
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the minor group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/containerd/containerd/v2](https://github.com/containerd/containerd) | `2.0.5` | `2.1.1` |
| [github.com/docker/cli](https://github.com/docker/cli) | `28.1.1+incompatible` | `28.2.2+incompatible` |
| [github.com/docker/docker](https://github.com/docker/docker) | `28.1.1+incompatible` | `28.2.2+incompatible` |
| [github.com/moby/buildkit](https://github.com/moby/buildkit) | `0.21.1` | `0.22.0` |
| [github.com/opencontainers/umoci](https://github.com/opencontainers/umoci) | `0.4.7` | `0.5.0` |
| [github.com/vbauerster/mpb/v8](https://github.com/vbauerster/mpb) | `8.10.1` | `8.10.2` |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.38.0` | `0.39.0` |
| [google.golang.org/grpc](https://github.com/grpc/grpc-go) | `1.72.1` | `1.73.0` |



Updates `github.com/containerd/containerd/v2` from 2.0.5 to 2.1.1
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v2.0.5...v2.1.1)

Updates `github.com/docker/cli` from 28.1.1+incompatible to 28.2.2+incompatible
- [Commits](docker/cli@v28.1.1...v28.2.2)

Updates `github.com/docker/docker` from 28.1.1+incompatible to 28.2.2+incompatible
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v28.1.1...v28.2.2)

Updates `github.com/moby/buildkit` from 0.21.1 to 0.22.0
- [Release notes](https://github.com/moby/buildkit/releases)
- [Commits](moby/buildkit@v0.21.1...v0.22.0)

Updates `github.com/opencontainers/umoci` from 0.4.7 to 0.5.0
- [Release notes](https://github.com/opencontainers/umoci/releases)
- [Changelog](https://github.com/opencontainers/umoci/blob/main/CHANGELOG.md)
- [Commits](opencontainers/umoci@v0.4.7...v0.5.0)

Updates `github.com/vbauerster/mpb/v8` from 8.10.1 to 8.10.2
- [Release notes](https://github.com/vbauerster/mpb/releases)
- [Commits](vbauerster/mpb@v8.10.1...v8.10.2)

Updates `golang.org/x/crypto` from 0.38.0 to 0.39.0
- [Commits](golang/crypto@v0.38.0...v0.39.0)

Updates `golang.org/x/sync` from 0.14.0 to 0.15.0
- [Commits](golang/sync@v0.14.0...v0.15.0)

Updates `golang.org/x/text` from 0.25.0 to 0.26.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.25.0...v0.26.0)

Updates `google.golang.org/grpc` from 1.72.1 to 1.73.0
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.72.1...v1.73.0)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd/v2
  dependency-version: 2.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor
- dependency-name: github.com/docker/cli
  dependency-version: 28.2.2+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor
- dependency-name: github.com/docker/docker
  dependency-version: 28.2.2+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor
- dependency-name: github.com/moby/buildkit
  dependency-version: 0.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor
- dependency-name: github.com/opencontainers/umoci
  dependency-version: 0.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor
- dependency-name: github.com/vbauerster/mpb/v8
  dependency-version: 8.10.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor
- dependency-name: golang.org/x/crypto
  dependency-version: 0.39.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor
- dependency-name: golang.org/x/sync
  dependency-version: 0.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor
- dependency-name: golang.org/x/text
  dependency-version: 0.26.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor
- dependency-name: google.golang.org/grpc
  dependency-version: 1.73.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update go code) labels Jun 6, 2025
Contributor Author

dependabot bot commented on behalf of github Jun 9, 2025

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot bot closed this Jun 9, 2025
@dependabot dependabot bot deleted the dependabot/go_modules/release-4.3/minor-64c505ad26 branch June 9, 2025 08:25