chore(deps): bump the moby group with 3 updates

[dependabot]

Bumps the moby group with 3 updates: github.com/docker/cli, github.com/docker/docker and github.com/moby/buildkit.

Updates github.com/docker/cli from 28.1.1+incompatible to 28.2.2+incompatible

Commits

• e6534b4 Merge pull request #6116 from vvoland/vendor-docker
• 5c3128e vendor: github.com/docker/docker v28.2.2-dev (45873be4ae3f)
• 879ac3f Merge pull request #6110 from thaJeztah/bump_engine
• 92fa1e1 vendor: github.com/docker/docker 0e2cc22d36ae (v28.2-dev)
• 4bec3a6 Merge pull request #6114 from thaJeztah/deprecate_non_compliant_registries
• a007d1a Merge pull request #6113 from thaJeztah/config_suppress_err
• bbfbd54 docs: deprecated: fallback for non-OCI-compliant registries is removed
• 2d21e1f cli/config/configfile: explicitly ignore error
• bc9be0b Merge pull request #6112 from thaJeztah/bump_tools
• 3fe7dc5 Dockerfile: update compose to v2.36.2
• Additional commits viewable in compare view

Updates github.com/docker/docker from 28.1.1+incompatible to 28.3.3+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v28.3.3

28.3.3

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.3.3 milestone
• moby/moby, 28.3.3 milestone

Security

This release fixes an issue where, after a firewalld reload, published container ports could be accessed directly from the local network, even when they were intended to be accessible only via a loopback address. CVE-2025-54388 / GHSA-x4rx-4gw3-53p4 / moby/moby#50506.

Packaging updates

• Update Buildx to v0.26.1. docker/docker-ce-packaging#1230
• Update Compose to v2.39.1. docker/docker-ce-packaging#1234
• Update Docker Model CLI plugin to v0.1.36. docker/docker-ce-packaging#1233

Go SDK

• cli/command/formatter: add TrunateID() utility as alternative for github.com/docker/docker/pkg/stringid.TrunateID(). docker/cli#6180

28.3.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.3.2 milestone
• moby/moby, 28.3.2 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

Bug fixes and enhancements

• Fix --use-api-socket not working correctly when targeting a remote daemon. docker/cli#6157
• Fix stray "otel error" logs being printed if debug logging is enabled. docker/cli#6160
• Quote SSH arguments when connecting to a remote daemon over an SSH connection to avoid unexpected expansion. docker/cli#6147
• Warn when DOCKER_AUTH_CONFIG is set during docker login and docker logout. docker/cli#6163

Packaging updates

• Update Compose to v2.38.2. docker/docker-ce-packaging#1225
• Update Docker Model CLI plugin to v0.1.33. docker/docker-ce-packaging#1227
• Update Go runtime to 1.24.5. moby/moby#50354

28.3.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.3.1 milestone

... (truncated)

Commits

• bea959c Merge pull request #50506 from robmry/backport-28.x/fix_firewalld_reload
• 3e9ff78 bridge: Reapply endpoint iptables rules on firewalld reload
• 29ed80a bridge: Trigger firewalld reload during bridge integration tests
• da489a1 Merge pull request #50478 from thaJeztah/28.x_backport_gha_bump_bk
• f173e45 Merge pull request #50480 from austinvazquez/cherry-pick-ea29dffaa541289591aa...
• e4b1f89 daemon/server: remove compatibility with API v1.4 auth-config on push
• 0c9e14d hack/buildkit-ref: temporarily bump BuildKit to head of v0.23 branch
• bf6d688 Merge pull request #50471 from austinvazquez/cherry-pick-b1ce0c89f0214cc6711c...
• 4205776 client: always send (empty) body on push
• e77ff99 Merge pull request #50354 from vvoland/50353-28.x
• Additional commits viewable in compare view

Updates github.com/moby/buildkit from 0.22.0 to 0.23.2

Release notes

Sourced from github.com/moby/buildkit's releases.

v0.23.2

Welcome to the v0.23.2 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

• CrazyMax
• Tõnis Tiigi

Notable Changes

• Fix attestation filename in local exporter. #6051
• Fix expired cache URLs in GitHub Actions cache exporter. #6053

Dependency Changes

• github.com/tonistiigi/go-actions-cache 388a2ec8cdf8 -> 378c5ed1ddd9

Previous release can be found at v0.23.1

v0.23.1

Welcome to the v0.23.1 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

• Derek McGowan

Notable Changes

• Fix a possible issue where pulling images from some registries that don't handle the Range header correctly(Artifactory) would fail. #6040

Dependency Changes

• github.com/containerd/containerd/v2 v2.1.1 -> v2.1.3

Previous release can be found at v0.23.0

v0.23.0

Welcome to the v0.23.0 release of buildkit!

... (truncated)

Commits

• 40b2ede Merge pull request #6056 from crazy-max/v0.23_picks_0.23.2
• 858cb7c gha cache: reload expired cache URLs
• a8a1485 test: provenance local export
• 090ffce local: fix attestation filename
• c51ecee frontend: group provenance tests
• 0a23057 Merge pull request #6039 from tonistiigi/v0.23-container-patch
• 1d9a271 Update containerd to v2.1.3
• cc8ff80 Merge pull request #6031 from tonistiigi/v0.23-rc2-picks
• 2a2ea09 resolver: allow reference matches for local image lookups
• 7fdda10 Merge pull request #6027 from crazy-max/fix-docs-provenance
• Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
github.com/docker/cli	[>= 28.3.a, < 28.3.1000001]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Superseded by #3779.