Docker — releases.sh

Docker is shipping concurrent stability fixes across its platform layers while building out policy-driven builds and credential handling improvements.

Compose stabilized TTY and watch mode edge cases. v5.1.x releases fixed deadlocks in TTY rendering, post-connect fallback handling for multi-network stacks on older APIs, and a panic when watch rebuilds without up. The watch system also tightened file change batch handling for large operations. Provider output handling and hook hint navigation received targeted fixes in v5.1.3.

Engine 29.3+ added bind mount granularity and plugin error hooks. The bind-create-src mount option lets you control whether bind mount sources are auto-created; CLI plugin hooks now fire on command failure so plugins can display context-specific hints only when needed. The minimum API version dropped from v1.44 to v1.40 (Docker 19.03). Networking fixes prevented DNS config corruption on daemon reload, and POST /networks/{id}/connect now correctly applies MacAddress fields. 29.2.0 introduced experimental NRI support and a new Identity field for trusted origin information on images.

Four security fixes landed in 29.3.1: CVE-2026-34040 (AuthZ plugin authorization bypass), CVE-2026-33997 (docker plugin install privilege validation), and two BuildKit flaws—CVE-2026-33748 (Git URL fragment validation) and CVE-2026-33747 (untrusted frontend file writes). BuildKit updated to v0.27+ across releases.

Buildx v0.31+ shipped policy enforcement and improved registry auth. Rego-based source policy validation is now experimental—policies load automatically for Dockerfiles and can validate builds from Git and HTTP sources. Imagetools gained --metadata-file to capture descriptor/digest properties, and auth now supports scoped credentials with automatic Docker Hardened Images fallback. Many commands support --timeout for remote builder responses. v0.31.0-rc2 added buildx policy test for policy validation and a bake --var flag for inline variable setting. v0.32.0 unified imagetools auth with build command auth libraries and added --timeout support broadly.