29.4.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 29.4.1 milestone
• moby/moby, 29.4.1 milestone

Bug fixes and enhancements

• containerd image store: Fix docker image prune --filter label!=key=value incorrectly skipping images that don't have the specified label. moby/moby#52338
• Fix --log-opt "tag={{.ImageID}}" not stripping the digest's algorithm. moby/moby#52343
• Fix intermittent container start failures (EBUSY on secrets/configs remount) on busy Swarm nodes by retrying the read-only remount. moby/moby#52235

Packaging updates

• Update containerd (static binaries only) to v2.2.3. moby/moby#52360
• Update Go runtime to 1.26.2. docker/cli#6920, moby/moby#52329

Networking

• if a container has an IPv4-only or an IPv6-only endpoint with higher "gateway priority" than a dual stack endpoint, the single stack endpoint will now be used as the default gateway for its address family. moby/moby#52328

Bug fixes

• client: fix ImagePullResponse.Wait, ImagePushResponse.Wait not returning an error if pull/push errors happend during the pull operation. moby/moby#52305

Other

• daemon, client: diskUsage: explicitly exclude "-1" for containers. moby/moby#52309
• go.mod: add back replace rules. moby/moby#52325
• vendor: github.com/docker/go-connections v0.7.0. moby/moby#51311
• vendor: github.com/moby/moby/api v1.54.2. moby/moby#52416

Changelog

• api/docs: cleanup changelog. moby/moby#52379
• api/docs: lower deprecation heading to a h4. moby/moby#52315
• api/docs: restore API docs and change-logs for API v1.0 - v1.23. moby/moby#52312
• api: align Topology swagger with Segments JSON shape. moby/moby#52358

Full Changelog: api/v1.54.1...api/v1.54.2

29.4.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 29.4.0 milestone
• moby/moby, 29.4.0 milestone

Bug fixes and enhancements

• docker cp: report both content size and transferred size. docker/cli#6800
• Fix docker stats --all still showing containers that were removed. docker/cli#6863
• Fix a rare bug that could cause containers to become unremovable. moby/moby#51724
• Fixed privileged containers losing their explicit AppArmor profile (--security-opt apparmor=<profile>) after a container restart. moby/moby#52215
• Improved duplicate container-exit handling by using live containerd task state (not timestamps). moby/moby#52156
• Improved image pull and push performance by enabling HTTP keep-alive for registry connections, avoiding redundant TCP and TLS handshakes. moby/moby#52198
• shell completions: add shell completion for docker rm --link and exclude legacy links for container names. docker/cli#6872
• shell completions: don't provide completions that were already used. docker/cli#6871
• Update runc (in static binaries) to v1.3.5. moby/moby#52244
• Windows: Fix DOCKER_TMPDIR not being respected. moby/moby#52181

Packaging updates

• Update BuildKit to v0.29.0. moby/moby#52272

Networking

• Prevent a daemon crash during startup after upgrading if a container config containers a malformed IP-address. moby/moby#52275

Go SDK

• cli/streams: Out, In: preserve original os.File when available. docker/cli#6906
• Update minimum go version to go1.25. docker/cli#6897

Deprecations

• Go SDK: cli-plugins/hooks: deprecate HookMessage and rename to cli-plugins/hooks.Response. docker/cli#6859
• Go SDK: cli-plugins/hooks: deprecate HookType and rename to cli-plugins/hooks.ResponseType. docker/cli#6859
• Go SDK: cli-plugins/manager: deprecate HookPluginData and move to cli-plugins/hooks.Request. docker/cli#6859

v0.4.0

Bug fixes and enhancements

• api, client: add //go:fix inline directives to deprecated functions to help automatically migrating using go fix. moby/moby#52178
• client/pkg/jsonmessage: add DisplayStream and DisplayMessages utils. moby/moby#52273
• client/pkg/jsonmessage: use functional options for display funcs. moby/moby#52285
• client: prevent panic when passing nil Opts to client.New. moby/moby#52184
• client: the client now sets a default User-Agent if none was set, to prevent Go's default (Go-http-client/1.1) from being used. moby/moby#52167
• Fix /system/df reporting in-use images as reclaimable. moby/moby#51778
• Go SDK: client.WithHTTPHeaders now detects if duplicate headers are set, and produces an error. Previously, duplicate errors would be randomized, resulting in undefined behavior. moby/moby#52204

Full Changelog: client/v0.3.0...client/v0.4.0

Changelog

• api/types/network: add Port.Port() method to return the port-number as a string. moby/moby#52165
• api, client: add //go:fix inline directives to deprecated functions. moby/moby#52178
• api, client: go.mod: remove patch version. moby/moby#52174
• api/types/network: fix handling of unmapped ports (ephemeral ports). moby/moby#52288

Full Changelog: api/v1.54.0...api/v1.54.1

29.4.0-rc.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 29.4.0 milestone
• moby/moby, 29.4.0 milestone

Bug fixes and enhancements

• docker cp: report both content size and transferred size. docker/cli#6800
• Fix docker stats --all still showing containers that were removed. docker/cli#6863
• Fix a rare bug that could cause containers to become unremovable. moby/moby#51724
• Fixed privileged containers losing their explicit AppArmor profile (--security-opt apparmor=<profile>) after a container restart. moby/moby#52215
• Improved duplicate container-exit handling by using live containerd task state (not timestamps). moby/moby#52156
• Improved image pull and push performance by enabling HTTP keep-alive for registry connections, avoiding redundant TCP and TLS handshakes. moby/moby#52198
• shell completions: add shell completion for docker rm --link and exclude legacy links for container names. docker/cli#6872
• shell completions: don't provide completions that were already used. docker/cli#6871
• Update runc (in static binaries) to v1.3.5. moby/moby#52244
• Windows: Fix DOCKER_TMPDIR not being respected. moby/moby#52181

Packaging updates

• Update BuildKit to v0.29.0. moby/moby#52272

Networking

• Prevent a daemon crash during startup after upgrading if a container config containers a malformed IP-address. moby/moby#52275

29.3.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 29.3.1 milestone
• moby/moby, 29.3.1 milestone

Security

This release includes fixes for multiple security vulnerabilities affecting Docker Engine and related components.

• CVE-2026-34040 Fix an authorization bypass in AuthZ plugins that could allow authorization plugins to be bypassed under specific conditions.
  GHSA-x744-4wpc-v9h2

• CVE-2026-33997 Fix a flaw in docker plugin install where privilege validation could be partially bypassed, potentially leading to unauthorized privilege escalation.
  GHSA-pxq6-2prw-chj9

• CVE-2026-33748 Fix insufficient validation of Git URL #ref:subdir fragments in BuildKit, which could allow access to files outside the intended repository scope.
  GHSA-4vrq-3vrq-g6gg

• CVE-2026-33747 Fix a vulnerability in BuildKit where an untrusted frontend could cause files to be written outside the BuildKit state directory.
  GHSA-3c29-8rgm-jvjj

Bug fixes and enhancements

• Fix a daemon crash during docker build if .dockerignore contained an invalid pattern. moby/moby#52214
• Fix a panic when the containerd client uses a closed stream. moby/moby#52211

Packaging updates

• Update containerd (static binaries) to v2.2.2. moby/moby#52213
• Update Go runtime to 1.25.8. moby/moby#52210, docker/cli#6883

Go SDK

• Add missing build-tag, which could cause cannot range over 10 (untyped int constant) when importing the cli/command package. docker/cli#6884

29.3.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 29.3.0 milestone
• moby/moby, 29.3.0 milestone

New

• Add bind-create-src option to --mount flag for bind mounts. docker/cli#6792
• CLI plugin hooks now fire on command failure (not just success), and plugins can use "error-hooks" to show hints only when commands fail. docker/cli#6794
• Lower minimum API version from v1.44 to v1.40 (Docker 19.03). moby/moby#52067

Packaging updates

• Update BuildKit to v0.28.0. moby/moby#52135

Networking

• Fix DNS config corruption on daemon reload. moby/moby#52060

API

• POST /networks/{id}/connect now correctly applies the MacAddress field in EndpointSettings. This field was added in API v1.44, but was previously ignored. moby/moby#52040
• GET /images/json now supports an identity query parameter. When set, the response includes manifest summaries and may include an Identity field for each manifest with trusted identity and origin information. moby/moby#52030

Bug fixes and enhancements

• The --gpus option now uses CDI-based injection for AMD GPUs. moby/moby#52048
• Add sd_notify "RELOADING" notifications when signalling the daemon to reload its configuration. moby/moby#52041
• Send sd_notify "READY" and "STOPPING" synchronously to make sure they are sent before we proceed. moby/moby#52041
• Add support for the systemd 253 Type=notify-reload service reload protocol. moby/moby#52041
• Don't log "failed to determine if container is already mounted" warnings for stopped containers during startup. moby/moby#52076
• Fix docker system prune failing with "rw layer snapshot not found" when a container is concurrently removed. moby/moby#52090
• Fix a panic when running docker top on a non-running Windows container. moby/moby#52025
• Fix a regression in v29.2.0 that prevented registering the dockerd service on Windows if system requirements were not yet installed. moby/moby#52006
• Fix shared mount detection for paths mounted multiple times, which caused "not a shared mount" errors when using bind propagation. moby/moby#51787
• Fix spurious "ShouldRestart failed" warning on shutdown. moby/moby#52079
• Preserve leading and trailing whitespace when storing registry passwords. docker/cli#6784
• Prevent logging "not found" warnings when calculating volume sizes. moby/moby#52018
• Update Go runtime to 1.25.7. moby/moby#52003, docker/cli#6780

0.3.0

New

• client: ImageListOptions now supports Identity field. When set, the response includes manifest summaries and may include an Identity field for each manifest with trusted identity and origin information. moby/moby#52030

Bug fixes and enhancements

• Lower minimum API version from v1.44. to v1.40 (Docker 19.03). moby/moby#52067
• client/pkg/jsonmessage.DisplayJSONMessages now accepts an iter.Seq2[jsonstream.Message, error] instead of only a JSONMessagesStream,. moby/moby#52062