Skip to content

buildx

v0.34.0 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

Published 21d Build & Package
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Affected surfaces

deps crypto_tls

ReleasePort's take

Light signal
editorial:auto 13d

Buildx v0.34.0 adds opt-in source policy verification for Docker official images, Kubernetes persistent storage support, and addresses stability issues including debug panics and cache determinism bugs.

Why it matters: Source policy verification provides optional image security gates. Kubernetes persistence enables stateful build workloads. Apply to resolve reported issues (debug panics, cache misses, WSL GPU mounting); test policy features in dev.

Summary

AI summary

Add opt‑in default source policy verification for Docker official images.

Changes in this release

Feature Medium

Buildx supports default source policy for Docker Inc images, cryptographically verified.

Buildx supports default source policy for Docker Inc images, cryptographically verified.

Source: llm_adapter@2026-05-21

Confidence: high
Feature Medium

`bake` command now accepts `--policy` flag for global policy evaluation options.

`bake` command now accepts `--policy` flag for global policy evaluation options.

Source: llm_adapter@2026-05-21

Confidence: high
Feature Medium

Kubernetes driver supports persistent storage using StatefulSet and PVC.

Kubernetes driver supports persistent storage using StatefulSet and PVC.

Source: llm_adapter@2026-05-21

Confidence: high
Bugfix Medium

Fixed progress policy errors not being lost in progress output.

Fixed progress policy errors not being lost in progress output.

Source: llm_adapter@2026-05-21

Confidence: high
Bugfix Medium

Resolved stopping `dial-stdio` command when builder connection closes.

Resolved stopping `dial-stdio` command when builder connection closes.

Source: llm_adapter@2026-05-21

Confidence: high
Bugfix Medium

Fixed possible panic in `buildx debug` command on solve failure.

Fixed possible panic in `buildx debug` command on solve failure.

Source: llm_adapter@2026-05-21

Confidence: high
Bugfix Medium

Corrected handling of Windows paths in local OCI layout definitions.

Corrected handling of Windows paths in local OCI layout definitions.

Source: llm_adapter@2026-05-21

Confidence: low
Bugfix Medium

Fixed incorrect error when using `rm` commands on Docker context builders.

Fixed incorrect error when using `rm` commands on Docker context builders.

Source: llm_adapter@2026-05-21

Confidence: low
Bugfix Medium

Resolved possible cache miss due to nondeterministic ordering of extra hosts.

Resolved possible cache miss due to nondeterministic ordering of extra hosts.

Source: llm_adapter@2026-05-21

Confidence: low
Bugfix Medium

Fixed mounting of WSL libraries for GPU devices on local docker-container endpoints.

Fixed mounting of WSL libraries for GPU devices on local docker-container endpoints.

Source: llm_adapter@2026-05-21

Confidence: low
Full changelog

Welcome to the v0.34.0 release of buildx!

Please try out the release binaries and report any issues at
https://github.com/docker/buildx/issues.

Contributors

  • CrazyMax
  • Tõnis Tiigi
  • Sebastiaan van Stijn
  • Jonathan A. Sternberg
  • Guillaume Lours
  • Hervé Le Meur
  • Mateusz Gozdek

Notable Changes

  • Buildx now supports a default source policy for common build pipeline images that are provided by Docker Inc and signed by Docker GitHub builder. These include docker/dockerfile frontend (including docker/dockerfile-upstream staging area) and docker/buildkit-syft-scanner image used for SBOM generation. These images are cryptographically verified to be authentic releases before they are used in builds. This feature is currently opt-in behind the BUILDX_DEFAULT_POLICY environment variable, but the intention is to enable it by default in a future release #3807
  • Add --policy flag to bake command to specify global policy evaluation options. #3832
  • Kubernetes driver now supports persistent storage options that change the deployment definition to use a StatefulSet and a persistent volume claim. #3766
  • Fix issue where progress policy errors may have been lost in progress output. #3838
  • Fix stopping dial-stdio command when the builder connection closes #3790
  • Fix possible panic in buildx debug command when solving fails #3823
  • Fix handling of Windows paths in local OCI layout definitions #3825 #3820 #3812
  • Fix possible incorrect error when using rm commands on Docker context based builders #3817
  • Fix possible cache miss due to nondeterministic ordering of extra hosts #3789
  • Fix mounting of WSL libraries for GPU devices only on local docker-container endpoints #3784

Dependency Changes

  • github.com/aws/aws-sdk-go-v2 v1.41.4 -> v1.41.7
  • github.com/aws/aws-sdk-go-v2/config v1.32.12 -> v1.32.17
  • github.com/aws/aws-sdk-go-v2/credentials v1.19.12 -> v1.19.16
  • github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 -> v1.18.23
  • github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 -> v1.4.23
  • github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 -> v2.7.23
  • github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.24 new
  • github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 -> v1.13.9
  • github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 -> v1.13.23
  • github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 -> v1.0.11
  • github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 -> v1.30.17
  • github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 -> v1.35.21
  • github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 -> v1.42.1
  • github.com/aws/smithy-go v1.24.2 -> v1.25.1
  • github.com/clipperhouse/uax29/v2 v2.2.0 new
  • github.com/compose-spec/compose-go/v2 v2.9.1 -> v2.10.2
  • github.com/containerd/containerd/v2 v2.2.2 -> v2.2.3
  • github.com/docker/cli v29.3.1 -> v29.4.3
  • github.com/docker/go-connections v0.6.0 -> v0.7.0
  • github.com/go-openapi/runtime v0.29.2 -> v0.29.3
  • github.com/go-openapi/swag v0.25.4 -> v0.25.5
  • github.com/go-openapi/swag/cmdutils v0.25.4 -> v0.25.5
  • github.com/go-openapi/swag/netutils v0.25.4 -> v0.25.5
  • github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7 -> v2.28.0
  • github.com/in-toto/in-toto-golang v0.10.0 -> v0.11.0
  • github.com/klauspost/compress v1.18.5 -> v1.18.6
  • github.com/mattn/go-runewidth v0.0.16 -> v0.0.23
  • github.com/moby/buildkit v0.29.0 -> v0.30.0
  • github.com/moby/moby/api v1.54.0 -> v1.54.2
  • github.com/moby/moby/client v0.3.0 -> v0.4.1
  • github.com/moby/policy-helpers b7c0b994300b -> a39d60132186
  • github.com/moby/spdystream v0.5.0 -> v0.5.1
  • github.com/sigstore/sigstore v1.10.4 -> v1.10.5
  • github.com/sigstore/timestamp-authority/v2 v2.0.3 -> v2.0.6
  • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 -> v0.68.0
  • go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.63.0 -> v0.68.0
  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 -> v0.68.0
  • go.opentelemetry.io/otel v1.40.0 -> v1.43.0
  • go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.40.0 -> v1.43.0
  • go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.40.0 -> v1.43.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0 -> v1.43.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.40.0 -> v1.43.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0 -> v1.43.0
  • go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0 -> v1.42.0
  • go.opentelemetry.io/otel/metric v1.40.0 -> v1.43.0
  • go.opentelemetry.io/otel/sdk v1.40.0 -> v1.43.0
  • go.opentelemetry.io/otel/sdk/metric v1.40.0 -> v1.43.0
  • go.opentelemetry.io/otel/trace v1.40.0 -> v1.43.0
  • go.opentelemetry.io/proto/otlp v1.9.0 -> v1.10.0
  • go.yaml.in/yaml/v4 v4.0.0-rc.4 new
  • golang.org/x/crypto v0.48.0 -> v0.50.0
  • golang.org/x/mod v0.33.0 -> v0.34.0
  • golang.org/x/net v0.51.0 -> v0.53.0
  • golang.org/x/oauth2 v0.34.0 -> v0.36.0
  • golang.org/x/sync v0.19.0 -> v0.20.0
  • golang.org/x/sys v0.42.0 -> v0.43.0
  • golang.org/x/term v0.41.0 -> v0.42.0
  • golang.org/x/text v0.34.0 -> v0.36.0
  • golang.org/x/time v0.14.0 -> v0.15.0
  • golang.org/x/tools v0.41.0 -> v0.43.0
  • google.golang.org/genproto/googleapis/api 8636f8732409 -> 6f92a3bedf2d
  • google.golang.org/genproto/googleapis/rpc 8636f8732409 -> 6f92a3bedf2d
  • google.golang.org/grpc v1.79.3 -> v1.80.0
  • k8s.io/api v0.35.2 -> v0.35.4
  • k8s.io/apimachinery v0.35.2 -> v0.35.4
  • k8s.io/client-go v0.35.2 -> v0.35.4

Previous release can be found at v0.33.0

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track buildx

Get notified when new releases ship.

Sign up free

About buildx

Docker CLI plugin for extended build capabilities with BuildKit

All releases →

Related context

Beta — feedback welcome: [email protected]