chore(deps): bump github.com/moby/buildkit from 0.28.0 to 0.28.1

[dependabot]

Bumps github.com/moby/buildkit from 0.28.0 to 0.28.1.

Release notes

Sourced from github.com/moby/buildkit's releases.

v0.28.1

Welcome to the v0.28.1 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

• Tõnis Tiigi
• CrazyMax
• Sebastiaan van Stijn

Notable Changes

• Fix insufficient validation of Git URL #ref:subdir fragments that could allow access to restricted files outside the checked-out repository root. GHSA-4vrq-3vrq-g6gg
• Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. GHSA-4c29-8rgm-jvjj
• Fix a panic when processing invalid .dockerignore patterns during COPY. #6610 moby/patternmatcher#9

Dependency Changes

• github.com/moby/patternmatcher v0.6.0 -> v0.6.1

Previous release can be found at v0.28.0

Commits

• 45b038c git: normalize and validate subdir paths
• f5462c2 git: harden ref arg handling
• 71577a5 source: extract SafeFileName into shared pathutil package
• df43783 source/http: use os.Root for saved file operations
• 9ce6f62 source/http: sanitize downloaded filenames
• 099cf80 executor: validate container IDs centrally
• 2642113 Merge pull request #6610 from thaJeztah/0.28_backport_bump_patternmatcher
• 802da78 vendor: github.com/moby/patternmatcher v0.6.1
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 51.20%. Comparing base (b0999ab) to head (4697ccc).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #5429   +/-   ##
=======================================
  Coverage   51.20%   51.20%           
=======================================
  Files         324      324           
  Lines       75565    75565           
=======================================
  Hits        38691    38691           
  Misses      35398    35398           
  Partials     1476     1476           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.