fix(security): update module github.com/docker/compose/v2 to v2.40.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/docker/compose/v2	v2.35.0 -> v2.40.2

GitHub Vulnerability Alerts

CVE-2025-62725

Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer includes the annotations com.docker.compose.extends or com.docker.compose.envfile, Compose joins the attacker‑supplied value from com.docker.compose.file/com.docker.compose.envfile with its local cache directory and writes the file there.

Impact

This affects any platform or workflow that resolves remote OCI compose artifacts, Docker Desktop, standalone Compose binaries on Linux, CI/CD runners, cloud dev environments is affected.
An attacker can escape the cache directory and overwrite arbitrary files on the machine running docker compose, even if the user only runs read‑only commands such as docker compose config or docker compose ps.

Patches

v2.40.2

Workarounds

NA

---

Release Notes

docker/compose (github.com/docker/compose/v2)

v2.40.2

Compare Source

What's Changed

🐛 Fixes

• Compose can't create a tar with adequate uid:gid ownership by @​ndeloof in #​13299
• Test digest or canonical reference, not only tag, when checking if an image is already present by @​glours in #​13302

🔧 Internal

• Fail build if minimal required version of buildx isn't installed by @​ndeloof in #​13295
• remove unused code to only rely on api.Service by @​ndeloof in #​13300
• Introduce WithPrompt to configure compose backend to use a plugable UI component for user interaction by @​ndeloof in #​13308

Full Changelog: docker/compose@v2.40.1...v2.40.2

v2.40.1

Compare Source

What's Changed

🐛 Fixes

• Write error to watcher error channel if Start() fails by @​Trolldemorted in #​13263
• Fix: set PWD only if not set by @​kianelbo in #​13268
• bake only interpolates ${*} by @​ndeloof in #​13270
• Fix: make "publish" push all compose files addressed in "extends" statements when using "profiles". by @​ogoulpeau-ledger in #​13277
• Support Ctrl+Z to run compose in background by @​ndeloof in #​13289
• Fix race-condition bug in publish command by @​paul-kinexon in #​13291
• Set secret/config uid:gid to match container's USER by @​ndeloof in #​13288
• Fix failure to delegate build with bake by @​ndeloof in #​13275
• Make CTRL+Z a no-op operation on Windows by @​glours in #​13293

🔧 Internal

• pkg/compose: align classic builder implementation with docker/cli by @​thaJeztah in #​13278
• pkg/compose: build with bake: drop support for buildx v0.16 and lower by @​thaJeztah in #​13280
• Use fixed version of compose bridge transformer images by @​glours in #​13284

⚙️ Dependencies

• Build(deps): bump github.com/docker/docker from 28.5.0+incompatible to 28.5.1+incompatible by @​dependabot[bot] in #​13274
• Build(deps): bump github.com/docker/cli from 28.5.0+incompatible to 28.5.1+incompatible by @​dependabot[bot] in #​13273
• Build(deps): bump golang.org/x/sys from 0.36.0 to 0.37.0 by @​dependabot[bot] in #​13272
• Build(deps): bump docker/buildx v0.29.1, moby/buildkit v0.25.1 by @​thaJeztah in #​13279
• Bump golang to version 1.24.9 by @​glours in #​13285

New Contributors

• @​Trolldemorted made their first contribution in #​13263
• @​ogoulpeau-ledger made their first contribution in #​13277
• @​paul-kinexon made their first contribution in #​13291

Full Changelog: docker/compose@v2.40.0...v2.40.1

v2.40.0

Compare Source

What's Changed

✨ Improvements

• publish Compose application as compose.yaml + images by @​ndeloof in #​13257

🐛 Fixes

• resolve secrets based on env var before executing bake by @​ndeloof in #​13237
• pass bake secrets by env by @​ndeloof in #​13249
• escape $ in bake.json as interpolation already has been managed by cpmpose by @​ndeloof in #​13259

🔧 Internal

• pkg/compose: remove uses of deprecated mitchellh/mapstructure module by @​thaJeztah in #​13239
• pkg/watch: remove unused IsWindowsShortReadError by @​thaJeztah in #​13052
• pkg/compose: build: remove permissions warning on Windows by @​thaJeztah in #​13236
• pluginMain: remove uses of DockerCLI.Apply by @​thaJeztah in #​13240
• use containerd registry client by @​ndeloof in #​13245
• provider services: use '--project-name=' notation by @​glours in #​13250
• gha: update test-matrix: remove docker 26.x by @​thaJeztah in #​13254
• pkg/compose: explicitly map AuthConfig fields instead of a direct cast by @​thaJeztah in #​13253
• cmd/compose: fix minor linting issues by @​thaJeztah in #​13252
• use containerd client for OCI operations by @​ndeloof in #​13251

⚙️ Dependencies

• build(deps): bump github.com/docker/docker, docker/cli v28.5.0-rc.1 by @​thaJeztah in #​13241
• build(deps): bump github.com/docker/docker from 28.5.0-rc.1+incompatible to 28.5.0+incompatible by @​dependabot[bot] in #​13260
• build(deps): bump github.com/docker/cli from 28.5.0-rc.1+incompatible to 28.5.0+incompatible by @​dependabot[bot] in #​13261

Full Changelog: docker/compose@v2.39.4...v2.40.0

v2.39.4

Compare Source

What's Changed

✨ Improvements

• Add support of develop.watch.initial_sync attribute by @​glours in #​13232

🐛 Fixes

• Volume ls command can run without a project by @​ndeloof in #​13221
• Fix support for build with bake when target docker endpoint requires TLS by @​ndeloof in #​13231
• Disable Tty if run command started from a piped command by @​glours in #​13233

🔧 Internal

• Test: Set stop_signal to SIGTERM by @​ricardobranco777 in #​13214

⚙️ Dependencies

• Bump compose-go to version v2.9.0 by @​glours in #​13234

New Contributors

• @​ricardobranco777 made their first contribution in #​13214

Full Changelog: docker/compose@v2.39.3...v2.39.4

v2.39.3

Compare Source

What's Changed

✨ Improvements

• Add completions for the --progress flag by @​m4rch3n1ng in #​13158

🐛 Fixes

• Add --provenance and --sbom flag to generated bake command line, by @​glours in #​13147
• Fix runtime operations failing when env file is missing by @​maxproske in #​13156
• Check the assume yes publish flag command before the presence of bind mounts by @​glours in #​13151
• Fix: incorrect time when last tag time is not set by @​kianelbo in #​13171
• Fix sigint/sigterm support in logs --follow by @​ndeloof in #​13193
• Prefer application container vs one-off running exec without index by @​ndeloof in #​13178
• Only force plain mode build if progress is set to auto by @​ndeloof in #​13181
• Only propagate os.Env to bake, not the whole project.Environment by @​ndeloof in #​13180
• Detect container is restarted by @​ndeloof in #​13210
• Fix run --build support for service:* reference in additional_context by @​ndeloof in #​13183
• Detect compose run wit --host and set DOCKER_HOST accordingly running bake by @​ndeloof in #​13182

🔧 Internal

• Refactor to use maps.Copy by @​cuiweixie in #​13174
• Replace most uses of hashicorp/go-multierror for stdlib by @​thaJeztah in #​13176
• pkg/compose: composeService.Up: rewrite without go-multierror by @​thaJeztah in #​13177
• Use enum-consts for State and Health by @​thaJeztah in #​13186
• Unquote volume names in creation events by @​rrjjvv in #​13188
• pkg/compose: use state consts from moby API by @​thaJeztah in #​13216
• Document (hidden) --tty --interactive flags by @​ndeloof in #​13201

⚙️ Dependencies

• go.mod: github.com/docker/buildx v0.27.0 by @​thaJeztah in #​13170
• Build(deps): bump go.uber.org/mock from 0.5.2 to 0.6.0 by @​dependabot[bot] in #​13162
• go.mod: bump buildkit v0.24.0-rc1, buildx v0.28.0-rc1 by @​thaJeztah in #​13185
• Build(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.1 by @​dependabot[bot] in #​13184
• go.mod: bump buildx v0.28.0-rc2, buildkit v0.24.0-rc2 by @​thaJeztah in #​13197
• Build(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.9 by @​dependabot[bot] in #​13195
• Build(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1 by @​dependabot[bot] in #​13198
• go.mod: bump github.com/docker/docker, docker/cli v28.4.0 by @​thaJeztah in #​13168
• Build(deps): bump github.com/docker/buildx from 0.28.0-rc2 to 0.28.0 by @​dependabot[bot] in #​13207
• Build(deps): bump github.com/spf13/pflag from 1.0.9 to 1.0.10 by @​dependabot[bot] in #​13200
• Bump golang to version 1.24.7 by @​glours in #​13219
• Build(deps): bump golang.org/x/sync from 0.16.0 to 0.17.0 by @​dependabot[bot] in #​13218
• Build(deps): bump golang.org/x/sys from 0.35.0 to 0.36.0 by @​dependabot[bot] in #​13217
• Bump compose-go to version v2.8.2 by @​glours in #​13220

New Contributors

• @​cuiweixie made their first contribution in #​13174
• @​m4rch3n1ng made their first contribution in #​13158
• @​kianelbo made their first contribution in #​13171
• @​rrjjvv made their first contribution in #​13188

Full Changelog: docker/compose@v2.39.2...v2.39.3

v2.39.2

Compare Source

What's Changed

🐛 Fixes

• Fix (regression): compose build render build output with tty support by @​ndeloof in #​13107
• Add missing _MODEL suffix to model variable pass to dependent services of a model by @​glours in #​13109
• Apply BUILDKIT_PROGRESS value when building with bake by @​glours in #​13110
• Define pull and no_cache from either service or flags values when building with bake by @​glours in #​13133
• Only monitor attached services on up command by @​glours in #​13114

🔧 Internal

• Add Streams Comment by @​suwakei in #​13103
• Add test of json.go by @​suwakei in #​13106
• Refactoring of redundant condition checks by @​suwakei in #​13104
• Eliminated magic string by @​suwakei in #​13105
• Use log API for containers we didn't attached to by @​ndeloof in #​13111
• Use cli-plugins/metadata package by @​thaJeztah in #​13130
• pkg/compose: simplify getting auth-config key by @​thaJeztah in #​13120
• Add go as a prerequisite in build instructions by @​mattrunyon in #​13131

⚙️ Dependencies

• Build(deps): bump github.com/docker/cli from 28.3.2+incompatible to 28.3.3+incompatible by @​dependabot[bot] in #​13116
• Build(deps): bump github.com/docker/docker from 28.3.2+incompatible to 28.3.3+incompatible by @​dependabot[bot] in #​13115
• Build(deps): bump github.com/containerd/containerd/v2 from 2.1.3 to 2.1.4 by @​dependabot[bot] in #​13119
• Build(deps): bump github.com/docker/go-connections from 0.5.0 to 0.6.0 by @​dependabot[bot] in #​13137
• Build(deps): bump golang.org/x/sys from 0.34.0 to 0.35.0 by @​dependabot[bot] in #​13138
• Bump golang to 1.23.12 by @​austinvazquez in #​13142

New Contributors

• @​mattrunyon made their first contribution in #​13131
• @​austinvazquez made their first contribution in #​13142

Full Changelog: docker/compose@v2.39.1...v2.39.2

v2.39.1

Compare Source

What's Changed

🔧 Internal

• Add info about models usage to OpenTelemetry spans by @​glours in #​13094

⚙️ Dependencies

• Bump compose-go to v2.8.1 by @​glours in #​13096

Full Changelog: docker/compose@v2.39.0...v2.39.1

v2.39.0

Compare Source

What's Changed

✨ Improvements

• Add --since & --until flags to events command by @​jarqvi in #​13030
• Feat(os): add FreeBSD support by @​atagtm in #​13036
• Add --models flag to config command by @​jarqvi in #​13022
• Warn user COMPOSE_BAKE=false is deprecated by @​ndeloof in #​13065
• Simpler stop UI by @​ndeloof in #​13064
• Introduce build provenance and sbom attributes support by @​ndeloof in #​13067
• Show build progress during watch rebuild by @​ndeloof in #​13059

🐛 Fixes

• Add dry-run support to bake build by @​glours in #​13042
• Keep containers attached on stop to capture termination logs by @​ndeloof in #​13010
• Add default compose labels to images built from bake by @​glours in #​13049
• Fix report image name in bake result by @​principis in #​13047
• Don't run navigation menu if stdin isn't a terminal by @​ndeloof in #​13054
• Monitor must watch events even when context is cancelled by @​ndeloof in #​13062
• Force plain display mode if stdout isn't a terminal by @​ndeloof in #​13074
• Do not pass user id on Windows system as engine is not able to handel it by @​glours in #​13080
• Forward git command error to user by @​ndeloof in #​13084
• Use output registry when push true and load to docker store if not by @​glours in #​13085

🔧 Internal

• Add a space character to separate the timestamp from the log message by @​xduugu in #​13038
• Fix the Helm bridge e2e tests after the latest update of the templates by @​glours in #​13053
• Introduce monitor to manage containers events and application termination by @​ndeloof in #​12906
• Abstract model-cli commands execution with a model (pseudo) API by @​ndeloof in #​13051
• Swarm by @​ndeloof in #​13071
• Remove uses of moby/errdefs by @​thaJeztah in #​13076
• Use local copy of pkg/system.IsAbs by @​thaJeztah in #​13075
• Optimize ansiColorCode by replacing fmt.Sprintf with strings.Builder by @​suwakei in #​13091
• Eliminate magic number in init functions by @​suwakei in #​13090
• Integration of SetAttributes calls by @​suwakei in #​13089

⚙️ Dependencies

• Bump engine and cli to v28.3.2 by @​ndeloof in #​13035
• Build(deps): bump github.com/spf13/pflag from 1.0.6 to 1.0.7 by @​dependabot[bot] in #​13060
• Bump compose-go to version v2.8.0 by @​glours in #​13082
• Build(deps): bump google.golang.org/grpc from 1.73.0 to 1.74.2 by @​dependabot[bot] in #​13081
• bump buildx to v0.26.1 by @​glours in #​13086

New Contributors

• @​atagtm made their first contribution in #​13036
• @​xduugu made their first contribution in #​13038
• @​principis made their first contribution in #​13047
• @​suwakei made their first contribution in #​13091

Full Changelog: docker/compose@v2.38.2...v2.39.0

v2.38.2

Compare Source

What's Changed

✨ Improvements

• Add --networks flag to config command by @​jarqvi in #​13021

🐛 Fixes

• Add a Done event to model progress display by @​glours in #​13008
• Fix the way we're checking if the provider metadata are empty or not by @​glours in #​13017
• Build: fix service with profile missing secrets by @​ndeloof in #​13023
• Fix select dockerignore based on Dockerfile name set from symlink by @​ndeloof in #​13024

🔧 Internal

• pkg/compose: remove redundant uses of strslice.StrSlice by @​thaJeztah in #​13002
• (reactoring) avoid a global variable by introducing logConsumer decorator by @​ndeloof in #​12945
• Chore: fix some minor issues in the comments by @​mountdisk in #​12991
• A single place for shell-out command setup by @​ndeloof in #​13007
• Add USER_AGENT variable to cmd when shellouting by @​glours in #​13025

⚙️ Dependencies

• Bump golang to v1.23.10 by @​glours in #​13004
• Bump go-viper/mapstructure to version v2.3.0 by @​glours in #​13005
• Build(deps): bump github.com/moby/buildkit from 0.23.1 to 0.23.2 by @​dependabot in #​13009
• Build(deps): bump github.com/docker/cli from 28.3.0+incompatible to 28.3.1+incompatible by @​dependabot in #​13012
• Build(deps): bump github.com/docker/docker from 28.3.0+incompatible to 28.3.1+incompatible by @​dependabot in #​13011

New Contributors

• @​mountdisk made their first contribution in #​12991

Full Changelog: docker/compose@v2.38.1...v2.38.2

v2.38.1

Compare Source

What's Changed

✨ Improvements

• implement model_variable by @​ndeloof in #​13001

⚙️ Dependencies

• bump compose-go to version v2.7.1 by @​glours in #​13000

Full Changelog: docker/compose@v2.38.0...v2.38.1

v2.38.0

Compare Source

What's Changed

✨ Improvements

• introduce support for models by @​ndeloof in #​12976
• Add volumes command by @​leoperegrino in #​12954
• remove publish limitation on bind mount by @​glours in #​12997
• mount /var/run/docker.sock for --use-api-socket by @​ndeloof in #​12995

🐛 Fixes

• only expose API socket to service asking for it by @​ndeloof in #​12972
• check progress default value instead of empty string to use BUILDKIT_PROGRESS env variable value by @​glours in #​12982
• exclude provider services from the list of dependencies that Compose should wait for by @​glours in #​12983
• don't fail down cmd if services with pre_stop hook already stopped/removed by @​glours in #​12986
• Swap to Reader in bake to avoid hangs on output by @​nscott in #​12984
• make sure the post_start hooks fails by @​glours in #​12996
• remove error message from exec outpout by default by @​glours in #​12992
• fix: typos by @​hezhizhen in #​12963
• pass project.environment to bake by @​ndeloof in #​12994
• fix provider concurrent environment map accesses by @​glours in #​12999
• e2e compose run --env by @​ndeloof in #​12967

⚙️ Dependencies

• build(deps): bump github.com/docker/cli from 28.2.2+incompatible to 28.3.0+incompatible by @​dependabot in #​12974
• build(deps): bump github.com/docker/docker from 28.2.2+incompatible to 28.3.0+incompatible by @​dependabot in #​12975

New Contributors

• @​nscott made their first contribution in #​12984
• @​hezhizhen made their first contribution in #​12963
• @​leoperegrino made their first contribution in #​12954

Full Changelog: docker/compose@v2.37.3...v2.38.0

v2.37.3

Compare Source

What's Changed

✨ Improvements

• add support for cache_to with bake by @​ndeloof in #​12959

🐛 Fixes

• fix bake intergation by @​ndeloof in #​12960
• don't create services passed as parameters of run command during dependencies creation process by @​glours in #​12968
• inject secrets/config just before container is started by @​ndeloof in #​12970
• propagate target docker host set by --host to Bake by @​ndeloof in #​12961

🔧 Internal

• pkg/compose: remove uses of ExecOptions.Detach by @​thaJeztah in #​12950

⚙️ Dependencies

• build(deps): bump github.com/moby/buildkit from 0.23.0 to 0.23.1 by @​dependabot in #​12964

Full Changelog: docker/compose@v2.37.2...v2.37.3

v2.37.2

Compare Source

What's Changed

✨ Improvements

• introduce use_api_socket by @​ndeloof in #​12908

🐛 Fixes

• restore ContainerName in images --json by @​ndeloof in #​12943
• fix panic using w shortcut on project without watch support by @​ndeloof in #​12944

🔧 Internal

• move run logic inside backend by @​ndeloof in #​12908

⚙️ Dependencies

• bump compose-go to v2.6.5 by @​ndeloof in #​12958
• build(deps): bump github.com/containerd/containerd/v2 from 2.1.1 to 2.1.2 by @​dependabot in #​12939

Full Changelog: docker/compose@v2.37.1...v2.37.2

v2.37.1

Compare Source

What's Changed

✨ Improvements

• Add support for extra_hosts building with bake by @​ndeloof in #​12935

🐛 Fixes

• Fix SIGSEGV on Enable Watch by @​ndeloof in #​12909
• Revert docker compose images JSON output to array format by @​x0rw in #​12917
• Sanitize service name so they can be used as bake targets by @​ndeloof in #​12925
• Only look for required image in bake metadata by @​ndeloof in #​12930
• Don't create metadatafile, just generate a random name by @​ndeloof in #​12931
• Fix the generated manifest for compose artifacts by @​jcarter3 in #​12933
• Fix support for additional_contexts with service sub-dependencies by @​ndeloof in #​12936
• Fix panic on failure starting plugin server by @​ndeloof in #​12914

🔧 Internal

• Do not forget to remove the bake metadata file by @​glours in #​12912

⚙️ Dependencies

• Bump golang.org/x/sync v0.15.0 by @​ndeloof in #​12913
• Build(deps): bump google.golang.org/grpc from 1.72.2 to 1.73.0 by @​dependabot in #​12910

New Contributors

• @​x0rw made their first contribution in #​12917
• @​jcarter3 made their first contribution in #​12933

Full Changelog: docker/compose@v2.37.0...v2.37.1

v2.37.0

Compare Source

What's Changed

ℹ️ bake is now used as the default images builder, if you don't want to use it you could opt-out by setting the COMPOSE_BAKE env variable to false

✨ Improvements

• Add compose bridge by @​glours in #​12866
• Include platform and creation date listing image by @​ndeloof in #​12856
• Add support of metadata subcommand for provider services by @​glours in #​12903
• Use bake by default by @​ndeloof in #​12699

🐛 Fixes

• (Re)start dependent services after watch rebuilt image by @​ndeloof in #​12879
• Resolve symlinks while making dockerfile path absolute by @​ndeloof in #​12884
• Fix support for BUILDKIT_PROGRESS by @​ndeloof in #​12894
• Build dependent service images when required by @​ndeloof in #​12896
• Fix recreate network (and connected containers) on config updates by @​ndeloof in #​12899
• pull does not require env_file being resolved by @​ndeloof in #​12904

🔧 Internal

• Refactor: use slices.Contains to simplify code by @​tongjicoder in #​12877
• Remove utils.Contains to prefer slice.ContainsFunc by @​ndeloof in #​12878
• Fix typo in suggestion log by @​Carlos-err406 in #​12893
• Replace uses of golang.org/x/exp/(maps|slices) for stdlib and fix linting by @​thaJeztah in #​12885
• Debug message to help diagnose platform mismatch by @​ndeloof in #​12905
• (refactoting) Move watch logic into a dedicated Watcher type by @​ndeloof in #​12865

⚙️ Dependencies

• Bump cli-doc-tools to v0.10.0 by @​glours in #​12855
• Bump github.com/docker/docker, docker/cli v28.2.2 by @​thaJeztah in #​12875
• Build(deps): bump google.golang.org/grpc from 1.72.1 to 1.72.2 by @​dependabot in #​12872

New Contributors

• @​tongjicoder made their first contribution in #​12877
• @​Carlos-err406 made their first contribution in #​12893

Full Changelog: docker/compose@v2.36.2...v2.37.0

v2.36.2

Compare Source

What's Changed

🐛 Fixes

• Run ContainerStart sequentially by @​ndeloof in #​12851
• Only use attestation when building image outside the development inner loop by @​glours in #​12853
• Report error (re)creating container by @​ndeloof in #​12859
• Fix up --build with additional_context dependency by @​ndeloof in #​12863

🔧 Internal

• Add example provider implementation by @​ndeloof in #​12848
• Add up --build e2e test by @​ndeloof in #​12864

⚙️ Dependencies

• Build(deps): bump github.com/containerd/containerd/v2 from 2.1.0 to 2.1.1 by @​dependabot in #​12857
• Bump compose-go to v2.6.4 by @​glours in #​12867
• Bump buildkit v0.22.0 and buildx v0.24.0 by @​glours in #​12868

Full Changelog: docker/compose@v2.36.1...v2.36.2

v2.36.1

Compare Source

What's Changed

✨ Improvements

• Provider.options can be an array by @​ndeloof in #​12819
• Set provider environment by @​ndeloof in #​12817
• Add support of debug messages in the communication between Compose … by @​glours in #​12826
• Introduce config --lock-image-digests by @​ndeloof in #​12843

🐛 Fixes

• Skip push step for provider services by @​glours in #​12818
• Provider info by @​ndeloof in #​12820
• Append .exe to provider name doing executable lookup on windows by @​ndeloof in #​12832
• Fix quiet option when using COMPOSE_BAKE=1 by @​AnvarU in #​12838
• Do not throw an error on build with provider services by @​glours in #​12842
• Report cancelled pull after another one failed by @​ndeloof in #​12840
• Ensure build dependencies are enabled by @​ndeloof in #​12824

🔧 Internal

• Simplification by @​ndeloof in #​12811
• Remove Docker EULA licensing which isn't relevant by @​ndeloof in #​12829
• Remove convert alias from config command by @​glours in #​12850

⚙️ Dependencies

• Build(deps): bump github.com/containerd/containerd/v2 from 2.0.5 to 2.1.0 by @​dependabot in #​12813
• Build(deps): bump google.golang.org/grpc from 1.72.0 to 1.72.1 by @​dependabot in #​12837
• Bump compose-go to v2.6.3 by @​glours in #​12849

Full Changelog: docker/compose@v2.36.0...v2.36.1

v2.36.0

Compare Source

What's Changed

🎉 You can now use external binaries as service provider to extend Compose behaviour. For more information about creating your own plugin check the documentation

✨ Improvements

• Introduce networks.interface_name by @​ndeloof in #​12771
• Add support for COMPOSE_PROGRESS env variable by @​AnvarU in #​12769
• Document extensibility using service.provider and open provider to external binaries by @​ndeloof in #​12777
• Introduce build --check by @​ndeloof in #​12765

🐛 Fixes

• Build: write --print output to stdout by @​emersion in #​12756
• Fix: concurrent map writes when pulling by @​skanehira in #​12752
• Fix support for remote absolute path by @​ndeloof in #​12786
• Fix collect image digests for service images built by

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: providers/flagd/go.sum

Command failed: go get -t ./...
go: module github.com/docker/compose/[email protected] requires go >= 1.24.9; switching to go1.24.9
go: downloading go1.24.9 (linux/amd64)
go: download go1.24.9: golang.org/[email protected]: verifying module: checksum database disabled by GOSUMDB=off