diff --git a/content/manuals/engine/release-notes/27.md b/content/manuals/engine/release-notes/27.md
index 9761f4edcf8b..75cac5c3e448 100644
--- a/content/manuals/engine/release-notes/27.md
+++ b/content/manuals/engine/release-notes/27.md
@@ -8,10 +8,6 @@ toc_max: 2
 tags:
   - Release notes
 aliases:
-- /engine/release-notes/
-- /engine/release-notes/latest/
-- /release-notes/docker-ce/
-- /release-notes/docker-engine/
 - /engine/release-notes/27.1/
 - /engine/release-notes/27.0/
 ---
diff --git a/content/manuals/engine/release-notes/28.md b/content/manuals/engine/release-notes/28.md
new file mode 100644
index 000000000000..d98428bf1322
--- /dev/null
+++ b/content/manuals/engine/release-notes/28.md
@@ -0,0 +1,944 @@
+---
+title: Docker Engine version 28 release notes
+linkTitle: Engine v28
+description: Learn about the new features, bug fixes, and breaking changes for Docker Engine
+keywords: docker, docker engine, ce, whats new, release notes
+toc_min: 1
+toc_max: 2
+tags:
+  - Release notes
+aliases:
+- /engine/release-notes/
+- /engine/release-notes/latest/
+- /release-notes/docker-ce/
+- /release-notes/docker-engine/
+- /engine/release-notes/28.0/
+---
+
+This page describes the latest changes, additions, known issues, and fixes for Docker Engine version 28.
+
+For more information about:
+
+- Deprecated and removed features, see [Deprecated Engine Features](../deprecated.md).
+- Changes to the Engine API, see [Engine API version history](/reference/api/engine/version-history.md).
+
+## 28.0.0
+
+{{< release-date date="202X-xx-xx" >}}
+
+For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:
+
+- [docker/cli, 28.0.0 milestone](https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A28.0.0)
+- [moby/moby, 28.0.0 milestone](https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A28.0.0)
+- Deprecated and removed features, see [Deprecated Features](https://github.com/docker/cli/blob/v28.0.0/docs/deprecated.md).
+- Changes to the Engine API, see [API version history](https://github.com/moby/moby/blob/v28.0.0/docs/api/version-history.md).
+
+### New
+
+- Windows: add support for running containerd as a child process of the daemon, instead of using a system-installed containerd. [moby/moby#47955](https://github.com/moby/moby/pull/47955)
+- `docker load`, `docker save`, and `docker history` now support a `--platform` flag allowing to choose a specific platform for single-platform operations on multi-platform images. [docker/cli#5331](https://github.com/docker/cli/pull/5331)
+- Add `OOMScoreAdj` to `docker service create` and `docker stack`. [docker/cli#5145](https://github.com/docker/cli/pull/5145)
+- `docker buildx prune` now supports `reserved-space`, `max-used-space` and `min-free-space`, `keep-bytes` filters. [moby/moby#48720](https://github.com/moby/moby/pull/48720)
+- `docker images --tree` now shows metadata badges [docker/cli#5744](https://github.com/docker/cli/pull/5744)
+
+
+### Bug fixes and enhancements
+
+- `docker image save` now produces stable timestamps. [moby/moby#48611](https://github.com/moby/moby/pull/48611)
+- Improve validation of `exec-opts` in daemon configuration. [moby/moby#48979](https://github.com/moby/moby/pull/48979)
+- Add IPv6 loopback address as insecure registry by default. [moby/moby#48540](https://github.com/moby/moby/pull/48540)
+- Updated the handling of the `--gpus=0` flag to be consistent with the NVIDIA Container Runtime. [moby/moby#48482](https://github.com/moby/moby/pull/48482)
+- `client.ContainerCreate` now normalizes `CapAdd` and `CapDrop` fields in `HostConfig` to their canonical form. [moby/moby#48551](https://github.com/moby/moby/pull/48551)
+- containerd image store: Add support for `Extracting` layer status in `docker pull`. [moby/moby#49064](https://github.com/moby/moby/pull/49064)
+- Add support for Cobra-generated completion scripts for `dockerd`. [moby/moby#49339](https://github.com/moby/moby/pull/49339)
+- Improve output and consistency for unknown (sub)commands and invalid arguments [docker/cli#5234](https://github.com/docker/cli/pull/5234)
+- Improve error-output for invalid flags on the command-line. [docker/cli#5233](https://github.com/docker/cli/pull/5233)
+- IPv6 addresses shown by `docker ps` in port bindings are now bracketed [docker/cli#5363](https://github.com/docker/cli/pull/5363)
+- Fix an issue preventing some IPv6 addresses shown by `docker ps` to be properly bracketed [docker/cli#5468](https://github.com/docker/cli/pull/5468)
+- Implement the ports validation method for compose [docker/cli#5524](https://github.com/docker/cli/pull/5524)
+- `docker inspect` now also allows inspecting swarm configs [docker/cli#5573](https://github.com/docker/cli/pull/5573)
+- Fix bug preventing image pulls from being cancelled during `docker run`. [docker/cli#5645](https://github.com/docker/cli/pull/5645)
+- Fix `docker images --tree` unnecessary truncating long image names when multiple names are available [docker/cli#5757](https://github.com/docker/cli/pull/5757)
+- Fix issue causing output of `docker run` to be inconsistent when using `--attach stdout` or `--attach stderr` versus `stdin`.  `docker run --attach stdin` now exits if the container exits. [docker/cli#5662](https://github.com/docker/cli/pull/5662)
+- Fix `docker export` not releasing the container's writable layer after a failure. [moby/moby#48517](https://github.com/moby/moby/pull/48517)
+- Fix `docker export` continuing the export after the operation was canceled. [moby/moby#49265](https://github.com/moby/moby/pull/49265)
+- Fix a bug where a container with a name matching another container's ID would not be restored on daemon startup. [moby/moby#48669](https://github.com/moby/moby/pull/48669)
+- Fix DNS queries failing when containers are launched via `systemd` auto-start on boot [moby/moby#48812](https://github.com/moby/moby/pull/48812)
+- Fix error-handling when running the daemon as a Windows service to prevent unclean exits. [moby/moby#48518](https://github.com/moby/moby/pull/48518)
+- Generated completion scripts from the CLI will now show descriptions next to each command/flag suggestion. [docker/cli#5756](https://github.com/docker/cli/pull/5756)
+- Improve errors when failing to start a container using anther container's network namespace. [moby/moby#49367](https://github.com/moby/moby/pull/49367)
+- Improve handling of invalid API errors that could result in an empty error message being presented to the user. [moby/moby#49373](https://github.com/moby/moby/pull/49373)
+- containerd image store: Make `docker load --platform` return an error when the requested platform wasn't loaded. [moby/moby#48718](https://github.com/moby/moby/pull/48718)
+- containerd image store: Fix `commit`, `import` and `build` not preserving replaced image as a dangling. [moby/moby#48316](https://github.com/moby/moby/pull/48316)
+
+### Packaging updates
+
+- Update Go runtime to [1.23.5](https://go.dev/doc/devel/release#go1.23.5).  [moby/moby#49311](https://github.com/moby/moby/pull/49311), [docker/cli#5761](https://github.com/docker/cli/pull/5761) [docker/docker-ce-packaging#1146](https://github.com/docker/docker-ce-packaging/pull/1146)
+- Update `runc` to [v1.2.4](https://github.com/opencontainers/runc/releases/tag/v1.2.4) [moby/moby#49238](https://github.com/moby/moby/pull/49238)
+- Update containerd to [v1.7.25](https://github.com/containerd/containerd/releases/tag/v1.7.25). [moby/moby#49252](https://github.com/moby/moby/pull/49252)
+- Update BuildKit to [v0.19.0](https://github.com/moby/buildkit/releases/tag/v0.19.0). [moby/moby#49315](https://github.com/moby/moby/pull/49315)
+- Update Compose to [v2.32.4](https://github.com/docker/compose/releases/tag/v2.32.3). [docker/docker-ce-packaging#1143](https://github.com/docker/docker-ce-packaging/pull/1143)
+- The canonical source for the `dockerd(8)` man page has been moved back to the `moby/moby` repository itself. [moby/moby#48298](https://github.com/moby/moby/pull/48298)
+
+### Go SDK
+
+- `Client.ImageBuild()` now omits default values from the API request's query string. [moby/moby#48651](https://github.com/moby/moby/pull/48651)
+- `pkg/containerfs`: move to internal [moby/moby#48097](https://github.com/moby/moby/pull/48097)
+- `pkg/reexec`: can now be used on platforms other than Linux, Windows, macOS and FreeBSD [moby/moby#49118](https://github.com/moby/moby/pull/49118)
+- `api/types/container`: merge `Stats` and `StatsResponse` [moby/moby#49287](https://github.com/moby/moby/pull/49287)
+- `client.WithVersion`: strip v-prefix when setting API version [moby/moby#49352](https://github.com/moby/moby/pull/49352)
+
+### API
+
+- Update API version to [v1.48](https://docs.docker.com/engine/api/v1.48/) [moby/moby#48476](https://github.com/moby/moby/pull/48476)
+- `GET /images/{name}/history` now supports a `platform` parameter (JSON encoded OCI Platform type) that allows to specify a platform to show the history of. [moby/moby#48295](https://github.com/moby/moby/pull/48295)
+- `POST /images/{name}/load` and `GET /images/{name}/get` now support a `platform` parameter (JSON encoded OCI Platform type) that allows to specify a platform to load/save. Not passing this parameter will result in loading/saving the full multi-platform image. [moby/moby#48295](https://github.com/moby/moby/pull/48295)
+- Improve errors for invalid width/height on container resize and exec resize [moby/moby#48679](https://github.com/moby/moby/pull/48679)
+- The `POST /containers/create` endpoint now includes a warning in the response when setting the container-wide `VolumeDriver` option in combination with volumes defined through `Mounts` because the `VolumeDriver` option has no effect on those volumes. This warning was previously generated by the CLI. [moby/moby#48789](https://github.com/moby/moby/pull/48789)
+- containerd image store: `GET /images/json` and `GET /images/{name}/json` response now includes `Descriptor` field, which contains an OCI descriptor of the image target. The new field will only be populated if the daemon provides a multi-platform image store. [moby/moby#48894](https://github.com/moby/moby/pull/48894)
+- containerd image store: `GET /containers/{name}/json` now returns an `ImageManifestDescriptor` field containing the OCI descriptor of the platform-specific image manifest of the image that was used to create the container. [moby/moby#48855](https://github.com/moby/moby/pull/48855)
+- Add debug endpoints (`GET /debug/vars`, `GET /debug/pprof/`, `GET /debug/pprof/cmdline`, `GET /debug/pprof/profile`, `GET /debug/pprof/symbol`, `GET /debug/pprof/trace`, `GET /debug/pprof/{name}`) are now also accessible through the versioned-API paths (`/v<API-version>/<endpoint>`). [moby/moby#49051](https://github.com/moby/moby/pull/49051)
+- Fix API returning a `500` status code instead of `400` for validation errors. [moby/moby#49217](https://github.com/moby/moby/pull/49217)
+- Fix status-codes for archive endpoints `HEAD /containers/{name:.*}/archive`, `GET /containers/{name:.*}/archive`, `PUT /containers/{name:.*}/archive` returning a `500` status instead of a `400` status. [moby/moby#49219](https://github.com/moby/moby/pull/49219)
+- `POST /containers/create` now accepts a `writable-cgroups=true` option in `HostConfig.SecurityOpt` to mount the container's cgroups writable. This provides a more granular approach than `HostConfig.Privileged`. [moby/moby#48828](https://github.com/moby/moby/pull/48828)
+- `POST /build/prune` renames `keep-bytes` to `reserved-space` and now supports additional prune parameters `max-used-space` and `min-free-space`. [moby/moby#48720](https://github.com/moby/moby/pull/48720)
+
+
+### Removed
+
+- The Fluent logger option `fluentd-async-connect` has been deprecated in v20.10 and is now removed. [moby/moby#46114](https://github.com/moby/moby/pull/46114)
+- `runconfig`: remove deprecated `ContainerConfigWrapper`, `SetDefaultNetModeIfBlank`, `DefaultDaemonNetworkMode`, `IsPreDefinedNetwork` [moby/moby#48102](https://github.com/moby/moby/pull/48102)
+- `runconfig/opts`: remove deprecated `ConvertKVStringsToMap` [moby/moby#48102](https://github.com/moby/moby/pull/48102)
+- remove deprecated `pkg/dmsg.Dmesg()` [moby/moby#48109](https://github.com/moby/moby/pull/48109)
+- api/types: Remove deprecated aliases: `ImagesPruneReport`, `VolumesPruneReport`, `NetworkCreateRequest`, `NetworkCreate`, `NetworkListOptions`, `NetworkCreateResponse`, `NetworkInspectOptions`, `NetworkConnect`, `NetworkDisconnect`, `EndpointResource`, `NetworkResource`, `NetworksPruneReport`, `ExecConfig`, `ExecStartCheck`, `ContainerExecInspect`, `ContainersPruneReport`, `ContainerPathStat`, `CopyToContainerOptions`, `ContainerStats`, `ImageSearchOptions`, `ImageImportSource`, `ImageLoadResponse`, `ContainerNode`. [moby/moby#48107](https://github.com/moby/moby/pull/48107)
+- api/types: Remove deprecated `container.ContainerNode` and `ContainerJSONBase.Node` field. [moby/moby#48107](https://github.com/moby/moby/pull/48107)
+- Remove support for deprecated external graph-driver plugins. [moby/moby#48072](https://github.com/moby/moby/pull/48072)
+- Remove deprecated "api-cors-header" config parameter and the `dockerd` "--api-cors-header" option [moby/moby#48209](https://github.com/moby/moby/pull/48209)
+- container: remove deprecated `ErrNameReserved`, `ErrNameNotReserved`. [moby/moby#48728](https://github.com/moby/moby/pull/48728)
+- remove deprecated image/spec package, which was moved to a separate module (`github.com/moby/docker-image-spec`) [moby/moby#48460](https://github.com/moby/moby/pull/48460)
+- `pkg/stringid`: remove deprecated `IsShortID` and  `ValidateID` functions [moby/moby#48705](https://github.com/moby/moby/pull/48705)
+- `pkg/archive`: remove deprecated `CanonicalTarNameForPath`, `NewTempArchive`, `TempArchive` [moby/moby#48708](https://github.com/moby/moby/pull/48708)
+- `pkg/longpath`: remove deprecated `Prefix` constant. [moby/moby#48779](https://github.com/moby/moby/pull/48779)
+- Remove deprecated `pkg/directory` package [moby/moby#48779](https://github.com/moby/moby/pull/48779)
+- Remove migration code and errors for the deprecated `logentries` logging driver. [moby/moby#48891](https://github.com/moby/moby/pull/48891)
+- Remove deprecated `APIEndpoint.Version` field, `APIVersion` type, and `APIVersion1` and `APIVersion2` consts. [moby/moby#49004](https://github.com/moby/moby/pull/49004)
+- Go-SDK: remove deprecated `cli.Errors` type [docker/cli#5549](https://github.com/docker/cli/pull/5549)
+- Go-SDK: `pkg/sysinfo`: Remove deprecated NumCPU. [moby/moby#49242](https://github.com/moby/moby/pull/49242)
+- Go-SDK: remove `pkg/broadcaster`, as it was only used internally [moby/moby#49172](https://github.com/moby/moby/pull/49172)
+- Go-SDK: `pkg/ioutils`: remove deprecated `BytesPipe`, `NewBytesPipe`, `ErrClosed`, `WriteCounter`, `NewWriteCounter`, `NewReaderErrWrapper`, `NopFlusher`. [moby/moby#49245](https://github.com/moby/moby/pull/49245)
+- Go-SDK: `pkg/ioutils`: remove deprecated `NopWriter` and `NopWriteCloser`. [moby/moby#49256](https://github.com/moby/moby/pull/49256)
+- Go-SDK: `pkg/ioutils`: remove `NewReaderErrWrapper` as it was never used. [moby/moby#49258](https://github.com/moby/moby/pull/49258)
+- Remove deprecated `api-cors-header` config parameter and the dockerd `--api-cors-header` option. [docker/cli#5437](https://github.com/docker/cli/pull/5437)
+- `pkg/ioutils`: remove `OnEOFReader`, which was only used internally [moby/moby#49170](https://github.com/moby/moby/pull/49170)
+- daemon: remove `Daemon.ContainerInspectCurrent()` method and change `Daemon.ContainerInspect()` signature to accept a `backend.ContainerInspectOptions` struct [moby/moby#48672](https://github.com/moby/moby/pull/48672)
+- daemon: remove deprecated `Daemon.Exists()` and `Daemon.IsPaused()` methods. [moby/moby#48723](https://github.com/moby/moby/pull/48723)
+- `pkg/fileutils`: remove deprecated `GetTotalUsedFds` [moby/moby#49210](https://github.com/moby/moby/pull/49210)
+- remove `pkg/ioutils.ReadCloserWrapper`, as it was only used in tests. [moby/moby#49237](https://github.com/moby/moby/pull/49237)
+- `libnetwork/iptables`: remove deprecated `IPV`, `Iptables`, `IP6Tables` and `Passthrough()`. [moby/moby#49121](https://github.com/moby/moby/pull/49121)
+
+### Deprecations
+
+- `daemon/graphdriver`: deprecate `GetDriver()` [moby/moby#48079](https://github.com/moby/moby/pull/48079)
+- `pkg/directory.Size()` function is deprecated, an will be removed in the next release. [moby/moby#48057](https://github.com/moby/moby/pull/48057)
+- Move from `api/types` to `api/types/container` - `NetworkSettings`, `NetworkSettingsBase`, `DefaultNetworkSettings`, `SummaryNetworkSettings`, `Health`, `HealthcheckResult`, `NoHealthcheck`, `Starting`, `Healthy`, and `Unhealthy` constants, `MountPoint`, `Port`, `ContainerState`, `Container`, `ContainerJSONBase`, `ContainerJSON`, `ContainerNode`. The old types are deprecated and will be removed in the next release. [moby/moby#48108](https://github.com/moby/moby/pull/48108)
+- Move from `api/types` to `api/types/image` - `ImageInspect`, `RootFS`. The old types are deprecated and will be removed in the next release. [moby/moby#48108](https://github.com/moby/moby/pull/48108)
+- Move `GraphDriverData` from `api/types` to `api/types/storage`. The old type is deprecated and will be removed in the next release. [moby/moby#48108](https://github.com/moby/moby/pull/48108)
+- Move `RequestPrivilegeFunc` from `api/types` to `api/types/registry`. The old type is deprecated and will be removed in the next release. [moby/moby#48119](https://github.com/moby/moby/pull/48119)
+- Deprecate `Daemon.Register()`. This function is unused and will be removed in the next release. [moby/moby#48702](https://github.com/moby/moby/pull/48702)
+- `ContainerdCommit.Expected`, `RuncCommit.Expected`, and  `InitCommit.Expected` fields in the `GET /info` endpoint are deprecated  and will be omitted in API v1.49. [moby/moby#48478](https://github.com/moby/moby/pull/48478)
+- `api/types/system/Commit.Expected` field is deprecated and should no longer be used. [moby/moby#48478](https://github.com/moby/moby/pull/48478)
+- Deprecate `daemon/config.Config.ValidatePlatformConfig()`. This method was used as helper for `config.Validate`, which should be used instead. [moby/moby#48985](https://github.com/moby/moby/pull/48985)
+- Deprecate the `--allow-nondistributable-artifacts` daemon flag and corresponding `allow-nondistributable-artifacts` field in `daemon.json`. Setting either option will no longer take an effect, but a deprecation warning log is added. [moby/moby#49065](https://github.com/moby/moby/pull/49065)
+`allow-nondistributable-artifacts` field in `daemon.json`. Setting either option will no longer take an effect, but a deprecation warning log is added to raise awareness about the deprecation. This warning is planned to become an error in the next release. [moby/moby#49065](https://github.com/moby/moby/pull/49065)
+- Deprecate the `RegistryConfig.AllowNondistributableArtifactsCIDRs` and `RegistryConfig.AllowNondistributableArtifactsHostnames` fields in the `GET /info` API response. For API version v1.48 and older, the fields are still included in the response, but always `null`. In API version v1.49 and later, the field will be omitted entirely. [moby/moby#49065](https://github.com/moby/moby/pull/49065)
+- `api/types/registry`: Deprecate `ServiceConfig.AllowNondistributableArtifactsCIDRs` and `ServiceConfig.AllowNondistributableArtifactsHostnames` fields. These fields will be removed in the next release. [moby/moby#49065](https://github.com/moby/moby/pull/49065)
+- Go SDK: deprecate `registry.ServiceOptions.AllowNondistributableArtifacts` field. [moby/moby#49065](https://github.com/moby/moby/pull/49065)
+- `registry`: deprecate `APIEndpoint.TrimHostName`; hostname is now trimmed unconditionally for remote names. This field will be removed in the next release. [moby/moby#49005](https://github.com/moby/moby/pull/49005)
+- `libnetwork/iptables`: deprecate `Passthrough`. This function was only used internally, and will be removed in the next release. [moby/moby#49115](https://github.com/moby/moby/pull/49115)
+- Go SDK: the `BridgeNfIptables`, `BridgeNfIp6tables` fields in `api/types/system.Info` and `BridgeNFCallIPTablesDisabled`, `BridgeNFCallIP6TablesDisabled` fields in `pkg/sysinfo.SysInfo` are deprecated and will be removed in the next release. [moby/moby#49114](https://github.com/moby/moby/pull/49114)
+- API: Deprecated: The `BridgeNfIptables` and `BridgeNfIp6tables` fields in the `GET /info` response are now always be `false` and will be omitted in API v1.49. The netfilter module is now loaded on-demand, and no longer during daemon startup, making these fields obsolete. [moby/moby#49114](https://github.com/moby/moby/pull/49114)
+- Deprecate `pkg/reexec`. This package is deprecated and moved to a separate module. Use `github.com/moby/sys/reexec` instead. [moby/moby#49129](https://github.com/moby/moby/pull/49129)
+- Go SDK: `pkg/system`: deprecate `MkdirAll`. This function provided custom handling for Windows GUID volume paths. Handling for such paths is now supported by go stdlib in go1.22 and newer, and this function is now an alias for os.MkdirAll, which should be used instead. This alias will be removed in the next release. [moby/moby#49162](https://github.com/moby/moby/pull/49162)
+- Go SDK: pkg/sysinfo: deprecate NumCPU. This utility has the same behavior as runtime.NumCPU. [moby/moby#49241](https://github.com/moby/moby/pull/49241)
+- Go SDK: deprecate `pkg/parsers.ParseKeyValueOpt`. [moby/moby#49177](https://github.com/moby/moby/pull/49177)
+- Go SDK: deprecate `pkg/parsers.ParseUintListMaximum`, `pkg/parsers.ParseUintList`. These utilities were only used internally and will be removed in the next release. [moby/moby#49222](https://github.com/moby/moby/pull/49222)
+- Go-SDK: pkg/ioutils: deprecate `NewAtomicFileWriter`, `AtomicWriteFile`, `AtomicWriteSet`, `NewAtomicWriteSet` in favor of `pkg/atomicwriter` equivalents. [moby/moby#49171](https://github.com/moby/moby/pull/49171)
+- The `--time` option on `docker stop` and `docker restart` is deprecated and renamed to `--timeout`. [docker/cli#5485](https://github.com/docker/cli/pull/5485)
+- Deprecate configuration for pushing non-distributable artifacts [docker/cli#5724](https://github.com/docker/cli/pull/5724)
+
+
+
+
+
+### Networking
+
+- The `docker-proxy` binary has been updated, older versions will not work with the updated `dockerd`. [https://github.com/moby/moby/pull/48132](https://github.com/moby/moby/pull/48132)
+    - Close a window in which the userland proxy (`docker-proxy`) could accept TCP connections, that would then fail after `iptables` NAT rules were set up.
+    - The executable `rootlesskit-docker-proxy` is no longer used, it has been removed from the build and distribution.
+- DNS nameservers read from the host's `/etc/resolv.conf` are now always accessed from the host's network namespace. [https://github.com/moby/moby/pull/48290](https://github.com/moby/moby/pull/48290)
+    - When the host's `/etc/resolv.conf` contains no nameservers and there are no `--dns` overrides, Google's DNS servers are no longer used, apart from by the default bridge network and in build containers.
+- Container interfaces in bridge and macvlan networks now use randomly generated MAC addresses. [https://github.com/moby/moby/pull/48808](https://github.com/moby/moby/pull/48808)
+    - Gratuitous ARP / Neighbour Advertisement messages will be sent when the interfaces are started so that, when IP addresses are reused, they're associated with the newly generated MAC address.
+    - IPv6 addresses in the default bridge network are now IPAM-assigned, rather than being derived from the MAC address.
+- The deprecated OCI `prestart` hook is now only used by build containers. For other containers, network interfaces are added to the network namespace after task creation is complete, before the container task is started. [https://github.com/moby/moby/pull/47406](https://github.com/moby/moby/pull/47406)
+
+
+### TODO
+- Fix a bug that was preventing containers exposing a TCP port on the host to be restarted if it was accessed by another container (or from the host) shortly before. [moby/moby#48567](https://github.com/moby/moby/pull/48567)
+- DNS nameservers read from the host's `/etc/resolv.conf` are now always accessed from the host's network namespace.
+- Close a window in which `docker-proxy` could accept TCP connections, which would fail after NAT rules were set up. The `docker-proxy` binary has been updated, the old version will not work with the updated `dockerd`.
+- Fix an issue that meant published ports from one container on a bridge network were not accessible from another container on the same network with `userland-proxy` disabled, if the kernel's `br_netfilter` module was not loaded and enabled. The daemon will now attempt to load the module and enable `bridge-nf-call-iptables` or `bridge-nf-call-ip6tables` when creating a network with the userland proxy disabled. [moby/moby#48676](https://github.com/moby/moby/pull/48676)
+- dockerd requires `ipset` support in the Linux kernel
+- Modifications to `host-gateway`, for compatibility with IPv6-only networks.
+- bridge driver options `com.docker.network.bridge.gateway_mode_ipv4` and `com.docker.network.bridge.gateway_mode_ipv6` now accept mode `nat-unprotected`.
+- `nat-unprotected` is similar to the default `nat` mode, but no per port/protocol iptables rules are set up.
+- Preserve network labels during daemon startup. [moby/moby#49196](https://github.com/moby/moby/pull/49196)
+- Add a couple of iptables rules to filter on the input interface for NAT port mappings. This will prevent rogue neighboring hosts from accessing port mappings that aren't published in the same subnet / L2 segment.
+- The env var `DOCKER_DISABLE_INPUT_IFACE_FILTERING` can be set to any `true`-ish value to globally disable this filtering. This is a temporary escape hatch and will be removed in a future release. Report an issue if you need to use it. [moby/moby#48721](https://github.com/moby/moby/pull/48721)
+- Faster connection to bridge networks, in most cases. [moby/moby#49302](https://github.com/moby/moby/pull/49302)
+- Fix a security issue that was allowing remote hosts to connect directly to a container, on one of its published port. [moby/moby#49325](https://github.com/moby/moby/pull/49325)
+- Fix a security issue that was allowing neighbor hosts to connect to ports mapped on a loopback address. [moby/moby#49325](https://github.com/moby/moby/pull/49325)
+- Add `docker network create` option `--ipv4`.
+To disable IPv4 address assignment for a network, use `docker network create --ipv4=false [...]`. [docker/cli#5599](https://github.com/docker/cli/pull/5599)
+- Add a new `gw-priority` option to `docker run`, `docker container create`, and `docker network connect`. This option will be used by the Engine to determine which network provides the default gateway for a container. On `docker run`, this option is only available through the extended `--network` syntax. [docker/cli#5664](https://github.com/docker/cli/pull/5664)
+- Fix validation of `--link` option. [docker/cli#5739](https://github.com/docker/cli/pull/5739)
+
+
+#### API
+
+- `POST /networks/create` now has an `EnableIPv4` field. Setting it to `false` disables IPv4 IPAM for the network. [https://github.com/moby/moby/pull/48271](https://github.com/moby/moby/pull/48271)
+- `GET /networks/{id}` now returns an `EnableIPv4` field showing whether the network has IPv4 IPAM enabled. [https://github.com/moby/moby/pull/48271](https://github.com/moby/moby/pull/48271)
+- User-defined bridge networks require either IPv4 or IPv6 address assignment to be enabled. IPv4 cannot be disabled for the default bridge network (`docker0`). [https://github.com/moby/moby/pull/48323](https://github.com/moby/moby/pull/48323)
+- `macvlan` and `ipvlan` networks can be created with address assignment disabled for IPv4, IPv6, or both address families. [https://github.com/moby/moby/pull/48299](https://github.com/moby/moby/pull/48299)
+- IPv4 cannot be disabled for Windows or Swarm networks. [https://github.com/moby/moby/pull/48278](https://github.com/moby/moby/pull/48278)
+- Add a way to specify which network should provide the default gateway for a container. [https://github.com/moby/moby/pull/48936](https://github.com/moby/moby/pull/48936)
+
+- `POST /networks/{id}/connect` and `POST /containers/create` now accept a `GwPriority` field in `EndpointsConfig`. This value is used to determine which network endpoint provides the default gateway for the container. The endpoint with the highest priority is selected. If multiple endpoints have the same priority, endpoints are sorted lexicographically by their network name, and the one that sorts first is picked. [https://github.com/moby/moby/pull/48746](https://github.com/moby/moby/pull/48746)
+- `GET /containers/json` now returns a `GwPriority` field in `NetworkSettings` for each network endpoint. The `GwPriority` field is used by the CLI’s new `gw-priority` option for `docker run` and `docker network connect`. [https://github.com/moby/moby/pull/48746](https://github.com/moby/moby/pull/48746)
+- In API version 1.48 and later, settings for `eth0` in `--sysctl` options are no longer automatically migrated to the network endpoint. [https://github.com/moby/moby/pull/48746](https://github.com/moby/moby/pull/48746)
+    * For example, on the command line in a docker run command, `--network mynet --sysctl net.ipv4.conf.eth0.log_martians=1` will be rejected. Instead, you must use `--network name=mynet,driver-opt=com.docker.network.endpoint.sysctls=net.ipv4.conf.IFNAME.log_martians=1`
+
+#### Port Publishing in Bridge Networks
+
+- `dockerd` now requires `ipset` support in the Linux kernel. [https://github.com/moby/moby/pull/48596](https://github.com/moby/moby/pull/48596)
+    - The `iptables` and `ip6tables` rules used to implement port publishing and network isolation have been extensively modified. This enables some of the functional changes described below, and is a first step in refactoring to enable native `nftables` support in a future release. [https://github.com/moby/moby/issues/48815](https://github.com/moby/moby/issues/48815)
+    - If it becomes necessary to downgrade to an earlier version of the daemon, some manual cleanup of the new rules will be necessary. The simplest and surest approach is to reboot the host, or use `iptables -F` and `ip6tables -F` to flush all existing `iptables` rules from the `filter` table before starting the older version of the daemon. When that is not possible, run these commands as root:
+        - `iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`
+        - `iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -j DOCKER`
+        - If you were previously running with the iptables filter-FORWARD policy set to `ACCEPT` and need to restore access to unpublished ports, also delete per-bridge-network rules from the `DOCKER` chains. For example, `iptables -D DOCKER ! -i docker0 -o docker0 -j DROP`.
+- Fix an issue that prevented port publishing to link-local addresses. [https://github.com/moby/moby/pull/48570](https://github.com/moby/moby/pull/48570)
+- UDP ports published by a container are now reliably accessible by containers on other networks, via the host's public IP address. [https://github.com/moby/moby/pull/48571](https://github.com/moby/moby/pull/48571)
+- docker will now only set the `ip6tables` policy for the `FORWARD` chain in the `filter` table to `DROP` if it enables IP forwarding on the host itself (sysctls `net.ipv6.conf.all.forwarding` and `net.ipv6.conf.default.forwarding`). This is now aligned with existing IPv4 behaviour. [https://github.com/moby/moby/pull/48594](https://github.com/moby/moby/pull/48594)
+    - If IPv6 forwarding is enabled on your host, but you were depending on docker to set the ip6tables filter-FORWARD policy to `DROP`, you may need to update your host's configuration to make sure it is secure.
+- Direct routed access to container ports that are not exposed using `p`/`-publish` is now blocked in the `DOCKER` iptables chain. [https://github.com/moby/moby/pull/48724](https://github.com/moby/moby/pull/48724)
+    - If the default iptables filter-FORWARD policy was previously left at `ACCEPT` on your host, and direct routed access to a container's unpublished ports from a remote host is still required, options are:
+        - Publish the ports you need.
+        - Use the new `gateway_mode_ipv[46]=nat-unprotected`, described below.
+    - Container ports published to host addresses will continue to be accessible via those host addresses, using NAT or the userland proxy.
+    - Unpublished container ports continue to be directly accessible from the docker host via the container's IP address.
+- Networks created with `gateway_mode_ipv[46]=routed` are now accessible from other bridge networks running on the same docker host, as well as from outside the host. [https://github.com/moby/moby/pull/48596](https://github.com/moby/moby/pull/48596)
+- Bridge driver options `com.docker.network.bridge.gateway_mode_ipv4` and `com.docker.network.bridge.gateway_mode_ipv6` now accept mode `nat-unprotected`. [https://github.com/moby/moby/pull/48597](https://github.com/moby/moby/pull/48597)
+    - `nat-unprotected` is similar to the default `nat` mode, but no per port/protocol rules are set up. This means any port on a container can be accessed by direct-routing from a remote host.
+- When a port mapping includes a host IP address or port number that cannot be used because NAT from the host is disabled using `--gateway_mode_ipv[46]`, container creation will no longer fail. The unused fields may be needed if the gateway endpoint changes when networks are connected or disconnected. A message about the unused fields will be logged. [https://github.com/moby/moby/pull/48575](https://github.com/moby/moby/pull/48575)
+- Do not create iptables nat-POSTROUTING masquerade rules for a container's own published ports, when the userland proxy is enabled. [https://github.com/moby/moby/pull/48854](https://github.com/moby/moby/pull/48854)
+
+#### IPv6
+
+- Daemon option `--ipv6` (`"ipv6": true` in `daemon.json`) can now be used without `fixed-cidr-v6`. [https://github.com/moby/moby/pull/48319](https://github.com/moby/moby/pull/48319)
+- IPAM now handles subnets bigger than "/64". [https://github.com/moby/moby/pull/49223](https://github.com/moby/moby/pull/49223)
+- Duplicate address detection (DAD) is now disabled for addresses assigned to the bridges belonging to bridge networks. [https://github.com/moby/moby/pull/48609](https://github.com/moby/moby/pull/48609)
+- Modifications to `host-gateway`, for compatibility with IPv6-only networks. [https://github.com/moby/moby/pull/48807](https://github.com/moby/moby/pull/48807)
+    * When special value `host-gateway` is used in an `--add-host` option in place of an address, it's replaced by an address on the docker host to make it possible to refer to the host by name. The address used belongs to the default bridge (normally `docker0`). Until now it's always been an IPv4 address, because all containers on bridge networks had IPv4 addresses.
+    * Now, if IPv6 is enabled on the default bridge network, `/etc/hosts` entries will be created for IPv4 and IPv6 addresses. So, a container that's only connected to IPv6-only networks can access the host by name.
+    * The `--host-gateway-ip` option overrides the address used to replace `host-gateway`. Two of these options are now allowed on the command line, for one IPv4 gateway and one IPv6.
+        - In the `daemon.json` file, to provide two addresses, use `"host-gateway-ips"`. For example, `"host-gateway-ips": ["192.0.2.1", "2001:db8::1111"]`.
+
+#### Other changes
+
+- Add validation of network-diagnostic-port daemon configuration option. [https://github.com/moby/moby/pull/49305](https://github.com/moby/moby/pull/49305)
+- Unless explicitly configured, an IP address is no longer reserved for a gateway in cases where it is not required. Namely, “internal” bridge networks with option `com.docker.network.bridge.inhibit_ipv4`, ipvlan or macvlan networks with no parent interface, and L3 ipvlan modes. [https://github.com/moby/moby/pull/49261](https://github.com/moby/moby/pull/49261)
+- Fixed an issue that meant a container could not be attached to an L3 ipvlan at the same time as other network types. [https://github.com/moby/moby/pull/49130](https://github.com/moby/moby/pull/49130)
+- Remove the correct `/etc/hosts` entries when disconnecting a container from a network. [https://github.com/moby/moby/pull/48857](https://github.com/moby/moby/pull/48857)
+- Fix duplicate network disconnect events. [https://github.com/moby/moby/pull/48800](https://github.com/moby/moby/pull/48800)
+- Resolved issues related to changing `fixed-cidr` for `docker0`, and inferring configuration from a user-managed default bridge (`--bridge`). [https://github.com/moby/moby/pull/48319](https://github.com/moby/moby/pull/48319)
+- Removed feature flag `windows-dns-proxy`, introduced in release 26.1.0 to control forwarding to external DNS resolvers from Windows containers, to make `nslookup` work. It was enabled by default in release 27.0.0. [https://github.com/moby/moby/pull/48738](https://github.com/moby/moby/pull/48738)
+- Removed an `iptables` mangle rule for checksumming SCTP. The rule can be re-enabled by setting `DOCKER_IPTABLES_SCTP_CHECKSUM=1` in the daemon's environment. This override will be removed in a future release. [https://github.com/moby/moby/pull/48149](https://github.com/moby/moby/pull/48149)
+
+
+
+
+
+
+
+
+
+
+
+
+### Rejected (backported or no impact label)
+
+- !TODO: fix some gofmt issues reported by goreportcard [moby/moby#48080](https://github.com/moby/moby/pull/48080)
+- Fix "fail to register layer: failed to Lchown" errors when trying to pull an image with rootless enabled on a system that supports native overlay with user-namespaces. [moby/moby#48083](https://github.com/moby/moby/pull/48083)
+- Fix a regression that incorrectly reported a port mapping from a host IPv6 address to an IPv4-only container as an error. [moby/moby#48088](https://github.com/moby/moby/pull/48088)
+- !TODO: cleanup: Remove unnecessary return value [moby/moby#48095](https://github.com/moby/moby/pull/48095)
+- !TODO: daemon/logger, volume/drivers: remove redundant import-aliases [moby/moby#48098](https://github.com/moby/moby/pull/48098)
+- !TODO: errdefs: FromStatusCode(): use early returns [moby/moby#48100](https://github.com/moby/moby/pull/48100)
+- !TODO: vendor: github.com/microsoft/hcsshim v0.11.7 [moby/moby#48091](https://github.com/moby/moby/pull/48091)
+- !TODO: do another run of gofumpt [moby/moby#48081](https://github.com/moby/moby/pull/48081)
+- !TODO: builder/builder-next: applySourcePolicies: remove redundant check and vars [moby/moby#48070](https://github.com/moby/moby/pull/48070)
+- !TODO: pkg/rootless/specconv: move to internal [moby/moby#48110](https://github.com/moby/moby/pull/48110)
+- api/types/system: remove deprecated Info.ExecutionDriver [moby/moby#48111](https://github.com/moby/moby/pull/48111)
+- Upgrade containerd to v1.7.19 (static binaries only). [moby/moby#48117](https://github.com/moby/moby/pull/48117)
+- !TODO: daemon/logger/journald: add //nolint:unused for readSyncTimeout [moby/moby#48115](https://github.com/moby/moby/pull/48115)
+- This release updates the Go runtime to 1.21.11 which contains security fixes for [CVE-2024-24791](https://github.com/advisories/GHSA-hw49-2p59-3mhj)
+Update Go runtime to 1.21.12 [moby/moby#48120](https://github.com/moby/moby/pull/48120)
+- !TODO: update to go1.21.12 [part 2] [moby/moby#48121](https://github.com/moby/moby/pull/48121)
+- !TODO: api/types/container: InspectResponse: keep old name for embedded type [moby/moby#48124](https://github.com/moby/moby/pull/48124)
+- !TODO: vendor: update dependencies in preparation of BuildKit v0.15 [moby/moby#48127](https://github.com/moby/moby/pull/48127)
+- !TODO: vendor: github.com/containerd/containerd v1.7.19, migrate to github.com/containerd/platforms module [moby/moby#47142](https://github.com/moby/moby/pull/47142)
+- rootless: add `Requires=dbus.socket` [moby/moby#48134](https://github.com/moby/moby/pull/48134)
+- !TODO: daemon/graphdriver: split, internalize packages to separate snapshotters and graphdrivers [moby/moby#48092](https://github.com/moby/moby/pull/48092)
+- !TODO: vendor: update buildkit to v0.15.0-rc1 [moby/moby#48126](https://github.com/moby/moby/pull/48126)
+- !TODO: Fix API version in TestSetInterfaceSysctl [moby/moby#48156](https://github.com/moby/moby/pull/48156)
+- !TODO: docs/api: Add missing ` [moby/moby#48154](https://github.com/moby/moby/pull/48154)
+- Update Buildkit to v0.15.0-rc2 [moby/moby#48150](https://github.com/moby/moby/pull/48150)
+- Update Buildkit to v0.15.0 [moby/moby#48159](https://github.com/moby/moby/pull/48159)
+- !TODO: all: switch to Go 1.19 atomics [moby/moby#48139](https://github.com/moby/moby/pull/48139)
+- !TODO: Dockerfile: update compose to v2.28.1, update cli to v27.0.2 [moby/moby#48073](https://github.com/moby/moby/pull/48073)
+- !TODO: update golangci-lint to v1.59.1 [moby/moby#48058](https://github.com/moby/moby/pull/48058)
+- api/types: deprecate `ContainerJSONBase.Node` field and `ContainerNode` type. These definitions were used by the standalone ("classic") Swarm API, but never implemented in the Docker Engine itself. [moby/moby#48055](https://github.com/moby/moby/pull/48055)
+- !TODO: daemon/graphdriver, layer: rename vars that shadowed imports [moby/moby#48071](https://github.com/moby/moby/pull/48071)
+- Fix a regression that caused duplicate subnet allocations when creating networks. [moby/moby#48084](https://github.com/moby/moby/pull/48084)
+- containerd integration: `image tag` event is now properly emitted when building images with Buildkit [moby/moby#48078](https://github.com/moby/moby/pull/48078)
+- !TODO: daemon/graphdriver: remove Capabilities, CapabilityDriver [moby/moby#48143](https://github.com/moby/moby/pull/48143)
+- !TODO: vendor: cloud.google.com/go/logging v1.9.0 [moby/moby#48165](https://github.com/moby/moby/pull/48165)
+- !TODO: rm regexp use [moby/moby#48169](https://github.com/moby/moby/pull/48169)
+- !TODO: README: replace obsolete Docker EE mention [moby/moby#48176](https://github.com/moby/moby/pull/48176)
+- !TODO: Dockerfile: update buildx to v0.16.1, compose to v2.29.0 [moby/moby#48186](https://github.com/moby/moby/pull/48186)
+- !TODO: gha: check-pr-branch: verify major version only [moby/moby#48177](https://github.com/moby/moby/pull/48177)
+- !TODO: gha: check-pr-branch: fix branch check regression [moby/moby#48194](https://github.com/moby/moby/pull/48194)
+- Upgrade containerd to v1.7.20 (static binaries only). [moby/moby#48190](https://github.com/moby/moby/pull/48190)
+- !TODO: vendor: update moby/sys modules [moby/moby#48189](https://github.com/moby/moby/pull/48189)
+- !TODO: vendor: github.com/containerd/containerd v1.7.20 [moby/moby#48188](https://github.com/moby/moby/pull/48188)
+- !TODO: contrib/check-config.sh: remove special case for userns on CentOS/RHEL 7 [moby/moby#48212](https://github.com/moby/moby/pull/48212)
+- Update BuildKit to v0.15.1 [moby/moby#48239](https://github.com/moby/moby/pull/48239)
+- Fix a regression that could result in a `ResourceExhausted desc = grpc: received message larger than max` error when building from a large Dockerfile [moby/moby#48242](https://github.com/moby/moby/pull/48242)
+- !TODO: images: Extract ImageInspect from GetImage [moby/moby#48240](https://github.com/moby/moby/pull/48240)
+- !TODO: daemon: remove setMayDetachMounts (set may_detach_mounts=1 on startup) [moby/moby#48210](https://github.com/moby/moby/pull/48210)
+- !TODO: daemon: isPermissibleC8dRuntimeName: use local utility to reduce c8d deps [moby/moby#48251](https://github.com/moby/moby/pull/48251)
+- !TODO: daemon: remove unused import [moby/moby#48263](https://github.com/moby/moby/pull/48263)
+- dockerd-rootless-setuptool.sh: move RootlessKit smoke test [moby/moby#48216](https://github.com/moby/moby/pull/48216)
+- !TODO: vendor: github.com/gofrs/flock v0.12.1 [moby/moby#48234](https://github.com/moby/moby/pull/48234)
+- !TODO: migrate to github.com/moby/sys/user/userns [moby/moby#48170](https://github.com/moby/moby/pull/48170)
+- !TODO: vendor: github.com/moby/sys/sequential v0.6.0 [moby/moby#48198](https://github.com/moby/moby/pull/48198)
+- Adjust GitHub actions permissions. [moby/moby#48262](https://github.com/moby/moby/pull/48262)
+- !TODO: libnetwork/networkdb: switch to go-immutable-radix v2 [moby/moby#48157](https://github.com/moby/moby/pull/48157)
+- !TODO: hack: explicitly control enabling the journald logging driver [moby/moby#47789](https://github.com/moby/moby/pull/47789)
+- !TODO: plugin, api/types: fix typos and GoDoc [moby/moby#48279](https://github.com/moby/moby/pull/48279)
+- !TODO: Improve documentation around maintenance, building, and packaging [moby/moby#46772](https://github.com/moby/moby/pull/46772)
+- !TODO: daemon: assorted cleanups and minor improvements [moby/moby#48244](https://github.com/moby/moby/pull/48244)
+- !TODO: libcontainerd/supervisor: remove remnants of adjusting oom-score [moby/moby#48252](https://github.com/moby/moby/pull/48252)
+- !TODO: hack/make: suppress "not mounted" message [moby/moby#48272](https://github.com/moby/moby/pull/48272)
+- n/a [moby/moby#48281](https://github.com/moby/moby/pull/48281)
+- Update Go runtime to 1.21.13 [moby/moby#48300](https://github.com/moby/moby/pull/48300)
+- !TODO: Makefile: Add BIND_GIT variable [moby/moby#48303](https://github.com/moby/moby/pull/48303)
+- !TODO: touch-up security policy [moby/moby#48280](https://github.com/moby/moby/pull/48280)
+- > `GET /images/json` response now includes `Manifests` field, which contains information about the sub-manifests included in the image index. This includes things like platform-specific manifests and build attestations.
+> The new field will only be populated if the request also sets the `manifests` query parameter to `true`.
+> [!WARNING]
+>
+> This is experimental and may change at any time without any backward compatibility. [moby/moby#47526](https://github.com/moby/moby/pull/47526)
+- !TODO: Clean up networks in 'integration/network' tests [moby/moby#48217](https://github.com/moby/moby/pull/48217)
+- !TODO: vendor: golang.org/x/time v0.5.0, google.golang.org/grpc v1.62.0 [moby/moby#48283](https://github.com/moby/moby/pull/48283)
+- !TODO: vendor: github.com/containerd/nydus-snapshotter v0.14.0 [moby/moby#48288](https://github.com/moby/moby/pull/48288)
+- !TODO: c8d/image: Simplify `presentImages` and better "platform not found" error [moby/moby#48276](https://github.com/moby/moby/pull/48276)
+- !TODO: c8d/list: Fix `Total` size calculation  [moby/moby#48330](https://github.com/moby/moby/pull/48330)
+- Update BuildKit to v0.15.2 [moby/moby#48340](https://github.com/moby/moby/pull/48340)
+- !TODO: fix deprecation comments, and update some godoc [moby/moby#48324](https://github.com/moby/moby/pull/48324)
+- !TODO: c8d/list: Don't require `opts.ContainerCount` for manifest containers [moby/moby#48345](https://github.com/moby/moby/pull/48345)
+- !TODO: feat(stream): log the event when stream copy failed [moby/moby#48334](https://github.com/moby/moby/pull/48334)
+- !TODO: vendor.mod: github.com/microsoft/hcsshim v0.12.5 [moby/moby#48174](https://github.com/moby/moby/pull/48174)
+- !TODO: integration/container: rename var that collided with import [moby/moby#48351](https://github.com/moby/moby/pull/48351)
+- !TODO: libcontainerd/supervisor: consolidate platform-specific defaults [moby/moby#48353](https://github.com/moby/moby/pull/48353)
+- !TODO: Dockerfile: update xx to v1.5.0 [moby/moby#48261](https://github.com/moby/moby/pull/48261)
+- !TODO: libcontainerd/supervisor: set log-level through the config-file [moby/moby#48355](https://github.com/moby/moby/pull/48355)
+- !TODO: vendor: tags.cncf.io/container-device-interface v0.8.0 [moby/moby#48371](https://github.com/moby/moby/pull/48371)
+- !TODO: libnetwork: resolvconf: remove dependency on errdefs [moby/moby#48370](https://github.com/moby/moby/pull/48370)
+- !TODO: c8d/list: Fix race condition when traversing containers [moby/moby#48367](https://github.com/moby/moby/pull/48367)
+- !TODO: vendor: dario.cat/mergo v1.0.1 [moby/moby#48372](https://github.com/moby/moby/pull/48372)
+- containerd image store: Fix early error exit from `docker load` in cases where unpacking the image would fail [moby/moby#48293](https://github.com/moby/moby/pull/48293)
+- containerd image store: Fix the previous image not being persisted as dangling after `docker pull`. [moby/moby#48374](https://github.com/moby/moby/pull/48374)
+- Update containerd (static binaries only) to [v1.7.21](https://github.com/containerd/containerd/releases/tag/v1.7.21) [moby/moby#48382](https://github.com/moby/moby/pull/48382)
+- !TODO: vendor: github.com/vishvananda/netlink v1.3.0 [moby/moby#48368](https://github.com/moby/moby/pull/48368)
+- !TODO: Fix linting issues in preparation of Go and GolangCI-lint update [moby/moby#48359](https://github.com/moby/moby/pull/48359)
+- !TODO: libnetwork/portallocator: assorted cleanups [moby/moby#48373](https://github.com/moby/moby/pull/48373)
+- !TODO: vendor.mod: golang.org/x/* latest [moby/moby#48398](https://github.com/moby/moby/pull/48398)
+- containerd image store: Fix non-container images being hidden in the `docker images` output [moby/moby#48399](https://github.com/moby/moby/pull/48399)
+- !TODO: govulncheck to report known vulnerabilities [moby/moby#48311](https://github.com/moby/moby/pull/48311)
+- !TODO: Dockerfile: update registry to v3.0.0-beta.1 [moby/moby#48403](https://github.com/moby/moby/pull/48403)
+- !TODO: add Austin Vazquez (austinvazquez) to curators [moby/moby#48310](https://github.com/moby/moby/pull/48310)
+- !TODO: remove leftovers for building docker-proxy on Windows [moby/moby#48318](https://github.com/moby/moby/pull/48318)
+- !TODO: migrate to github.com/moby/sys/userns [moby/moby#48307](https://github.com/moby/moby/pull/48307)
+- !TODO: api/swagger: fix x-nullable for SystemInfo.Containerd (api v1.46) [moby/moby#48275](https://github.com/moby/moby/pull/48275)
+- !TODO: man: create parent directories in install recipe [moby/moby#48388](https://github.com/moby/moby/pull/48388)
+- !TODO: hack/make/.binary: enable pie mode on windows/arm64 [moby/moby#48421](https://github.com/moby/moby/pull/48421)
+- containerd image store: Improve `docker pull` error message when the image platform doesn't match [moby/moby#48414](https://github.com/moby/moby/pull/48414)
+- update to go1.22.6 [moby/moby#46982](https://github.com/moby/moby/pull/46982)
+- !TODO: add more //go:build directives to prevent downgrading to go1.16 [moby/moby#48434](https://github.com/moby/moby/pull/48434)
+- !TODO: gha/bin-image: Also run on branches like `27.x` [moby/moby#48450](https://github.com/moby/moby/pull/48450)
+- !TODO: container/stream: Config.CloseStreams(): use errors.Join [moby/moby#48435](https://github.com/moby/moby/pull/48435)
+- !TODO: vendor: update buildkit to v0.16.0-rc1 [moby/moby#48309](https://github.com/moby/moby/pull/48309)
+- !TODO: vendor: github.com/opencontainers/runc v1.1.14 [moby/moby#48425](https://github.com/moby/moby/pull/48425)
+- Update Go to 1.22.7 [moby/moby#48432](https://github.com/moby/moby/pull/48432)
+- Add support for RISC-V (riscv64) architecture in Docker's seccomp profile handling. [moby/moby#48455](https://github.com/moby/moby/pull/48455)
+- !TODO: vendor: update buildkit to v0.16.0 [moby/moby#48472](https://github.com/moby/moby/pull/48472)
+- When reading logs with the `jsonfile` or `local` log drivers, any errors while trying to read or parse underlying log files will cause the rest of the file to be skipped and move to the next log file (if one exists) rather than returning an error to the client and closing the stream.
+The errors are viewable in the dockerd logs and exported to traces when tracing is configured.
+
+When reading log files, compressed log files are now only decompressed when needed rather than decompressing all files before starting the log stream. [moby/moby#47983](https://github.com/moby/moby/pull/47983)
+- !TODO: internal/unix_noeintr: fix godoc for package [moby/moby#48453](https://github.com/moby/moby/pull/48453)
+- !TODO: api/swagger: update deprecation version for erroneous fields [moby/moby#48446](https://github.com/moby/moby/pull/48446)
+- Upgrade `runc` to [v1.1.14](https://github.com/opencontainers/runc/releases/tag/v1.1.14), which contains a fix for [CVE-2024-45310](https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv). [moby/moby#48424](https://github.com/moby/moby/pull/48424)
+- !TODO: Fix typos [moby/moby#48393](https://github.com/moby/moby/pull/48393)
+- Update containerd (static binaries only) to [v1.7.22](https://github.com/containerd/containerd/releases/tag/v1.7.22) [moby/moby#48458](https://github.com/moby/moby/pull/48458)
+- !TODO: docs/api: add documentation for API v1.47 [moby/moby#48422](https://github.com/moby/moby/pull/48422)
+- !TODO: integration/system: rename vars to prevent shadowing imports [moby/moby#48473](https://github.com/moby/moby/pull/48473)
+- !TODO: api: swagger: fix documentation for image push endpoint [moby/moby#48443](https://github.com/moby/moby/pull/48443)
+- Update Buildkit to v0.16.0-rc2 [moby/moby#48456](https://github.com/moby/moby/pull/48456)
+- !TODO: project: update 23.0 EOL and add 25.0 LTM branch [moby/moby#48474](https://github.com/moby/moby/pull/48474)
+- !TODO: update RootlessKit to v2.3.1 [moby/moby#48172](https://github.com/moby/moby/pull/48172)
+- Add a `--feature` flag to the daemon options. [moby/moby#48167](https://github.com/moby/moby/pull/48167)
+- !TODO: TestIPRangeAt64BitLimit: remove colon after XFAIL to help grepping [moby/moby#48480](https://github.com/moby/moby/pull/48480)
+- containerd integration: Fix `docker image prune -a` untagging images used by containers started from images referenced by a digested reference. [moby/moby#48076](https://github.com/moby/moby/pull/48076)
+- !TODO: image/tarexport: fix some minor linting issues  [moby/moby#48467](https://github.com/moby/moby/pull/48467)
+- !TODO: layer: layerStore.deleteLayer(): remove redundant error-check [moby/moby#48461](https://github.com/moby/moby/pull/48461)
+- !TODO: man: update dockerd man-page to include --feature flag [moby/moby#48486](https://github.com/moby/moby/pull/48486)
+- !TODO: Dockerfile: Update CLI, buildx and compose [moby/moby#48475](https://github.com/moby/moby/pull/48475)
+- n/a [moby/moby#48497](https://github.com/moby/moby/pull/48497)
+- !TODO: man: remove docs for deprecated --api-cors-header [moby/moby#48504](https://github.com/moby/moby/pull/48504)
+- !TODO: dockerd: fix docs, improve validation and improve coverage of "--feature" flag [moby/moby#48502](https://github.com/moby/moby/pull/48502)
+- Fix an issue that prevented communication between containers on an IPv4 bridge network
+when running with `--iptables=false`, `--ip6tables=true` (the default), a firewall with a
+DROP rule for forwarded packets on hosts where the `br_netfilter` kernel module was not
+normally loaded. [moby/moby#48492](https://github.com/moby/moby/pull/48492)
+- !TODO: man: dockerd: add description for --log-format option [moby/moby#48505](https://github.com/moby/moby/pull/48505)
+- !TODO: cmd/dockerd: runDaemon: extract platform-agnostic code [moby/moby#48519](https://github.com/moby/moby/pull/48519)
+- !TODO: gha: govulncheck: make sure read permissions are set [moby/moby#48524](https://github.com/moby/moby/pull/48524)
+- !TODO: gha: add CodeQL Analysis workflow [moby/moby#47034](https://github.com/moby/moby/pull/47034)
+- !TODO: libnet/ds, libnet/config: various cleanups [moby/moby#47992](https://github.com/moby/moby/pull/47992)
+- !TODO: cmd/dockerd: assorted changes to improve context-passing, config loading [moby/moby#47412](https://github.com/moby/moby/pull/47412)
+- !TODO: cmd/dockerd: use golang.org/x/sys/windows/service param-change consts [moby/moby#48513](https://github.com/moby/moby/pull/48513)
+- n/a [moby/moby#48407](https://github.com/moby/moby/pull/48407)
+- !TODO: Dockerfile: update buildx to v0.17.1, compose to v2.29.4 [moby/moby#48509](https://github.com/moby/moby/pull/48509)
+- !TODO: daemon/exec: don't overwrite exit code if set [moby/moby#48552](https://github.com/moby/moby/pull/48552)
+- Update Go runtime to 1.22.8 [moby/moby#48573](https://github.com/moby/moby/pull/48573)
+- !TODO: integration: Add tests for port mappings [moby/moby#48545](https://github.com/moby/moby/pull/48545)
+- !TODO: api: postImagesLoad: fix API version for platform [moby/moby#48588](https://github.com/moby/moby/pull/48588)
+- !TODO: gha: buildkit: make sure expected Go version is installed [moby/moby#48615](https://github.com/moby/moby/pull/48615)
+- !TODO: vendor assorted dependencies in preparation of BuildKit v0.17 [moby/moby#48613](https://github.com/moby/moby/pull/48613)
+- !TODO: integration/build: remove TestBuildWithSession, and fsutil direct dependency [moby/moby#48628](https://github.com/moby/moby/pull/48628)
+- !TODO: gha: add guardrails timeouts on all jobs [moby/moby#48629](https://github.com/moby/moby/pull/48629)
+- !TODO: gha: remove stray double empty line [moby/moby#48636](https://github.com/moby/moby/pull/48636)
+- Update BuildKit to [v0.17.0-rc1](https://github.com/moby/buildkit/releases/tag/v0.17.0-rc1) [moby/moby#48634](https://github.com/moby/moby/pull/48634)
+- !TODO: gha: restrict cross and bin-image to 20 minutes [moby/moby#48645](https://github.com/moby/moby/pull/48645)
+- !TODO: Touch-up some errors for missing platforms [moby/moby#48631](https://github.com/moby/moby/pull/48631)
+- !TODO: gha:  more limits, update alpine version, and some minor improvements [moby/moby#48654](https://github.com/moby/moby/pull/48654)
+- !TODO: builder/builder-next: Builder.Build: use network-mode consts [moby/moby#48652](https://github.com/moby/moby/pull/48652)
+- !TODO: docs: api: document w (width) and h (height) query params as required [moby/moby#48663](https://github.com/moby/moby/pull/48663)
+- !TODO: update links to API documentation [moby/moby#48653](https://github.com/moby/moby/pull/48653)
+- n/a [moby/moby#48598](https://github.com/moby/moby/pull/48598)
+- !TODO: container/integration: TestResize: add more test-cases, and add TestExecResize [moby/moby#48665](https://github.com/moby/moby/pull/48665)
+- !TODO: daemon: killWithSignal: use more structured logs [moby/moby#48673](https://github.com/moby/moby/pull/48673)
+- container: deprecate ErrNameReserved, ErrNameNotReserved [moby/moby#48668](https://github.com/moby/moby/pull/48668)
+- !TODO: README: add some badges [moby/moby#48655](https://github.com/moby/moby/pull/48655)
+- !TODO: api/server/httputils: DecodePlatform: improve test-coverage [moby/moby#48680](https://github.com/moby/moby/pull/48680)
+- !TODO: distribution: remove formatPlatform utility [moby/moby#48682](https://github.com/moby/moby/pull/48682)
+- !TODO: build: create distinct history db for each store [moby/moby#48565](https://github.com/moby/moby/pull/48565)
+- !TODO: vendor: github.com/moby/swarmkit/v2 v2.0.0-20241017191044-e8ecf83ee08e [moby/moby#48686](https://github.com/moby/moby/pull/48686)
+- !TODO: ci: run integration tests with firewalld enabled [moby/moby#48603](https://github.com/moby/moby/pull/48603)
+- Fix a possible memory leak caused by OTEL meters [moby/moby#48690](https://github.com/moby/moby/pull/48690)
+- dockerd-rootless-setuptool.sh: let --force ignore smoke test errors [moby/moby#48683](https://github.com/moby/moby/pull/48683)
+- !TODO: volume/service: change some logs to use structured logs [moby/moby#48675](https://github.com/moby/moby/pull/48675)
+- api: `GET /images/json` with the `manifests` option enabled now preserves the original order in which manifests appeared in the manifest-index. [moby/moby#48701](https://github.com/moby/moby/pull/48701)
+- After a daemon restart with live-restore, ensure an iptables jump to the DOCKER-USER chain is placed before other rules. [moby/moby#48577](https://github.com/moby/moby/pull/48577)
+- !TODO: pkg/stringid: replace TestShortenIdXXX with TestTruncateID table test [moby/moby#48707](https://github.com/moby/moby/pull/48707)
+- !TODO: daemon: Daemon.newContainer: inline Daemon.generateHostname [moby/moby#48704](https://github.com/moby/moby/pull/48704)
+- !TODO: pkg/stringid: optimize GenerateRandomID [moby/moby#48706](https://github.com/moby/moby/pull/48706)
+- daemon: deprecate `Daemon.Exists()` and `Daemon.IsPaused()`. These functions are no longer used and will be removed  in the next release. [moby/moby#48670](https://github.com/moby/moby/pull/48670)
+- !TODO: Increase flaky test sleep, replace deprecated assert [moby/moby#48417](https://github.com/moby/moby/pull/48417)
+- !TODO: vendor: go.etcd.io/etcd v3.5.16, go.etcd.io/etcd/server/v3 v3.5.16 [moby/moby#48650](https://github.com/moby/moby/pull/48650)
+- !TODO: daemon: use OwnCgroupPath in withCgroups [moby/moby#48730](https://github.com/moby/moby/pull/48730)
+- !TODO: client.ContainerCreate: use container.CreateRequest instead of local type [moby/moby#48553](https://github.com/moby/moby/pull/48553)
+- !TODO: client: explicitly return zero-type on failures in prune functions [moby/moby#48713](https://github.com/moby/moby/pull/48713)
+- !TODO: Dockerfile: update docker CLI to v27.3.1, compose to v2.29.7 [moby/moby#48537](https://github.com/moby/moby/pull/48537)
+- Support WSL2 mirrored-mode networking's use of interface `loopback0` for packets from the Windows host. [moby/moby#48075](https://github.com/moby/moby/pull/48075)
+- !TODO: runconfig: validateNetContainerMode: simplify validation [moby/moby#48554](https://github.com/moby/moby/pull/48554)
+- !TODO: daemon: remove Daemon.containerRoot, Daemon.newBaseContainer [moby/moby#48725](https://github.com/moby/moby/pull/48725)
+- !TODO: Update download-frozen-image-v2.sh added OCI v1 support (carry 48533) [moby/moby#48546](https://github.com/moby/moby/pull/48546)
+- !TODO: vendor: github.com/cyphar/filepath-securejoin v0.3.4 [moby/moby#48732](https://github.com/moby/moby/pull/48732)
+- !TODO: daemon: remove configsSupported, secretsSupported utilities [moby/moby#48703](https://github.com/moby/moby/pull/48703)
+- !TODO: vendor: github.com/cilium/ebpf v0.16.0 [moby/moby#48735](https://github.com/moby/moby/pull/48735)
+- !TODO: vendor: github.com/opencontainers/selinux v1.11.1 [moby/moby#48741](https://github.com/moby/moby/pull/48741)
+- !TODO: vendor: google.golang.org/protobuf v1.34.2 [moby/moby#48751](https://github.com/moby/moby/pull/48751)
+- !TODO: container: update confusing GoDoc for Container and State [moby/moby#48726](https://github.com/moby/moby/pull/48726)
+- !TODO: client: prevent idle connections leaking FDs [moby/moby#48736](https://github.com/moby/moby/pull/48736)
+- !TODO: vendor: github.com/prometheus/client_golang v1.20.5 [moby/moby#48753](https://github.com/moby/moby/pull/48753)
+- !TODO: vendor: github.com/go-logr/logr v1.4.2, github.com/cenkalti/backoff/v4 v4.3.0 [moby/moby#48752](https://github.com/moby/moby/pull/48752)
+- Fix anonymous volumes being created through the `--mount` option not being marked as anonymous. [moby/moby#48754](https://github.com/moby/moby/pull/48754)
+- !TODO: demon: ImageService.Mount: use structured logs [moby/moby#48770](https://github.com/moby/moby/pull/48770)
+- !TODO: vendor: github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 [moby/moby#48750](https://github.com/moby/moby/pull/48750)
+- !TODO: inte/t/networking: delete veth ifaces before netns [moby/moby#48749](https://github.com/moby/moby/pull/48749)
+- !TODO: api/types/filters: GetBoolOrDefault: remove unreachableCode [moby/moby#48745](https://github.com/moby/moby/pull/48745)
+- !TODO: volume: VolumesService.Create: fix log-level for debug logs [moby/moby#48767](https://github.com/moby/moby/pull/48767)
+- !TODO: internal/safepath: log some unhandled errors, and remove workaround for ECI / Sysbox [moby/moby#48774](https://github.com/moby/moby/pull/48774)
+- !TODO: Update tmLanguage file to cover first escape character [moby/moby#36766](https://github.com/moby/moby/pull/36766)
+- !TODO: daemon: cdiHandler.getErrors: remove var that shadowed import [moby/moby#48771](https://github.com/moby/moby/pull/48771)
+- !TODO: remove redundant alias for runtime-spec [moby/moby#48769](https://github.com/moby/moby/pull/48769)
+- !TODO: volume/mounts: minor linting issues, touch-ups, and improve test-coverage [moby/moby#48776](https://github.com/moby/moby/pull/48776)
+- TODO add change-log for buildkit changes [moby/moby#48792](https://github.com/moby/moby/pull/48792)
+- !TODO: builder-next: exporter: emptyImageConfig: use platform directly [moby/moby#48794](https://github.com/moby/moby/pull/48794)
+- !TODO: hack/unit: Rerun failed flaky libnetwork tests [moby/moby#47553](https://github.com/moby/moby/pull/47553)
+- !TODO: vendor: github.com/Microsoft/hcsshim v0.12.7 [moby/moby#48790](https://github.com/moby/moby/pull/48790)
+- !TODO: vendor: go.opentelemetry.io/otel v1.28.0, go.opentelemetry.io/contrib v0.53.0 [moby/moby#48757](https://github.com/moby/moby/pull/48757)
+- !TODO: volume/service: use local driver as default for anonymous volumes [moby/moby#48775](https://github.com/moby/moby/pull/48775)
+- containerd image store: Fix `docker image inspect` outputting duplicate references in `RepoDigests`. [moby/moby#48777](https://github.com/moby/moby/pull/48777)
+- !TODO: Revert "ci: run integration tests with firewalld enabled" [moby/moby#48788](https://github.com/moby/moby/pull/48788)
+- !TODO: client: Client.ImageHistory: don't decorate error twice, and improve tests [moby/moby#48819](https://github.com/moby/moby/pull/48819)
+- !TODO: libnetwork: endpointJoinInfo.UnmarshalJSON: fix shadowed variable (go… [moby/moby#48822](https://github.com/moby/moby/pull/48822)
+- !TODO: vendor: github.com/containerd/containerd v1.7.23, hcsshim v0.12.8 [moby/moby#48544](https://github.com/moby/moby/pull/48544)
+- !TODO: fix, and update golangci-lint config, and fix some linting issues [moby/moby#48824](https://github.com/moby/moby/pull/48824)
+- !TODO: api/swagger: Improve description for platform in images/push [moby/moby#48357](https://github.com/moby/moby/pull/48357)
+- !TODO: vendor: github.com/containerd/typeurl v2.2.3 [moby/moby#48827](https://github.com/moby/moby/pull/48827)
+- !TODO: golangci: enable all govet linters, run gosec on tests as well [moby/moby#48825](https://github.com/moby/moby/pull/48825)
+- !TODO: all: Remove redundant `units` alias for `go-units` [moby/moby#48834](https://github.com/moby/moby/pull/48834)
+- Update BuildKit to v0.17.1 [moby/moby#48836](https://github.com/moby/moby/pull/48836)
+- !TODO: Registry host configuration cleanup [moby/moby#47380](https://github.com/moby/moby/pull/47380)
+- Update BuildKit to v0.17.0 [moby/moby#48801](https://github.com/moby/moby/pull/48801)
+- !TODO: client: add utilities to encode platforms [moby/moby#48806](https://github.com/moby/moby/pull/48806)
+- !TODO: c8d/save: Add tests [moby/moby#48722](https://github.com/moby/moby/pull/48722)
+- deprecate pkg/platform: this package is only used internally, and will be removed in the next release. [moby/moby#48862](https://github.com/moby/moby/pull/48862)
+- !TODO: Dockerfile: update registry to v3.0.0-rc.1 [moby/moby#48848](https://github.com/moby/moby/pull/48848)
+- !TODO: ci: re-add firewalld jobs [moby/moby#48756](https://github.com/moby/moby/pull/48756)
+- !TODO: update go:build tags to use go1.22, and enable copyloopvar linter [moby/moby#48856](https://github.com/moby/moby/pull/48856)
+- !TODO: fix missing go:build tags [moby/moby#48884](https://github.com/moby/moby/pull/48884)
+- !TODO: EnableIPv4 will be in API 1.48, not 1.47 [moby/moby#48888](https://github.com/moby/moby/pull/48888)
+- !TODO: daemon/logger: logDriverError: use WithFields for logs [moby/moby#48887](https://github.com/moby/moby/pull/48887)
+- !TODO: client: improve/refactor some unit-tests and add "platform" test-cases to them [moby/moby#48896](https://github.com/moby/moby/pull/48896)
+- !TODO: Move Austin Vazquez (austinvazquez) to maintainers [moby/moby#48873](https://github.com/moby/moby/pull/48873)
+- !TODO: Makefile: don't automatically inherit graph-driver from host [moby/moby#48895](https://github.com/moby/moby/pull/48895)
+- !TODO: vendor: google.golang.org/grpc v1.66.3 [moby/moby#48898](https://github.com/moby/moby/pull/48898)
+- !TODO: client: support multiple platforms on save and load [moby/moby#48902](https://github.com/moby/moby/pull/48902)
+- !TODO: hack: Add explicit containerd feature to `daemon.json` [moby/moby#48860](https://github.com/moby/moby/pull/48860)
+- !TODO: Dockerfile: update buildx to v0.18.0, compose to v2.30.3 [moby/moby#48866](https://github.com/moby/moby/pull/48866)
+- Upgrade `runc` to [v1.2.2](https://github.com/opencontainers/runc/releases/tag/v1.2.2) [moby/moby#47666](https://github.com/moby/moby/pull/47666)
+- Upgrade `containerd` (static binaries only) to [v1.7.24](https://github.com/containerd/containerd/releases/tag/v1.7.24) [moby/moby#48918](https://github.com/moby/moby/pull/48918)
+- !TODO: runc-1.2.0 merge followups [moby/moby#48766](https://github.com/moby/moby/pull/48766)
+- !TODO: volume/testutils: simplify fakePluginGetter [moby/moby#48916](https://github.com/moby/moby/pull/48916)
+- !TODO: vendor: github.com/tonistiigi/go-actions-cache 394979b8119e [moby/moby#48932](https://github.com/moby/moby/pull/48932)
+- !TODO: update golangci-lint to v1.62.0 [moby/moby#48901](https://github.com/moby/moby/pull/48901)
+- !TODO: vendor: resenje.org/singleflight v0.4.3 [moby/moby#48930](https://github.com/moby/moby/pull/48930)
+- !TODO: Update containerd to v1.7.24 [moby/moby#48917](https://github.com/moby/moby/pull/48917)
+- TODO: add description for changelog [moby/moby#48923](https://github.com/moby/moby/pull/48923)
+- !TODO: api/types/filters: rewrite / improve some tests [moby/moby#48945](https://github.com/moby/moby/pull/48945)
+- !TODO: client: ImageImport: omit empty query-parameters [moby/moby#48897](https://github.com/moby/moby/pull/48897)
+- containerd image-store: fix partially pulled images not being garbage-collected [moby#48910](https://github.com/moby/moby/pull/48910) [moby/moby#48910](https://github.com/moby/moby/pull/48910)
+- !TODO: Remove buildkit init timeout [moby/moby#48953](https://github.com/moby/moby/pull/48953)
+- Vendor github.com/golang-jwt/jwt/v4@v4.5.1 [moby/moby#48911](https://github.com/moby/moby/pull/48911)
+- Fix loading of `bridge` and `br_netfilter` kernel modules. [moby/moby#48960](https://github.com/moby/moby/pull/48960)
+- !TODO: vendor: update buildkit to v0.18.0-rc2 [moby/moby#48952](https://github.com/moby/moby/pull/48952)
+- !TODO: integration: add wait [moby/moby#48940](https://github.com/moby/moby/pull/48940)
+- Ignores "dataset does not exist" error when removing dataset on ZFS (#43080) [moby/moby#48520](https://github.com/moby/moby/pull/48520)
+- Update BuildKit to v0.18.0 [moby/moby#48961](https://github.com/moby/moby/pull/48961)
+- !TODO: ci: use edge releases of buildx [moby/moby#48982](https://github.com/moby/moby/pull/48982)
+- !TODO: integration/container: TestCDISpecDirsAreInSystemInfo: use fixtures [moby/moby#48929](https://github.com/moby/moby/pull/48929)
+- !TODO: tests: migrate assertions to be more modern [moby/moby#48915](https://github.com/moby/moby/pull/48915)
+- !TODO: vendor: github.com/vishvananda/netns v0.0.5 [moby/moby#48937](https://github.com/moby/moby/pull/48937)
+- !TODO: daemon: Daemon.RegistryHosts: use internal method to get daemon config [moby/moby#48984](https://github.com/moby/moby/pull/48984)
+- !TODO: cmd/dockerd: newRouterOptions: rename arg that shadowed import [moby/moby#48980](https://github.com/moby/moby/pull/48980)
+- !TODO: integration: remove default poll delay and timeouts [moby/moby#48956](https://github.com/moby/moby/pull/48956)
+- !TODO: gofumpt code [moby/moby#48978](https://github.com/moby/moby/pull/48978)
+- !TODO: cmd/dockerd: change routerOptions.Build to a regular func [moby/moby#48986](https://github.com/moby/moby/pull/48986)
+- !TODO: daemon: getCD: remove use of parsers.ParseKeyValueOpt [moby/moby#48981](https://github.com/moby/moby/pull/48981)
+- !TODO: Jenkinsfile: modprobe br_netfilter [moby/moby#48993](https://github.com/moby/moby/pull/48993)
+- registry: deprecate `RepositoryInfo.Class`. This field is no longer used, and will be removed in the next release. [moby/moby#49006](https://github.com/moby/moby/pull/49006)
+- Dockerd rootless mode loads /etc/cdi and /var/run/cdi as expected by the Container Device Interface (CDI) integration. [moby/moby#48541](https://github.com/moby/moby/pull/48541)
+- !TODO: Add --host-gateway-ip to the dockerd manpage [moby/moby#48988](https://github.com/moby/moby/pull/48988)
+- !TODO: distribution: verifySchema1Manifest: pass through context [moby/moby#49021](https://github.com/moby/moby/pull/49021)
+- containerd image store: Remove a confusing warning log when tagging a non-dangling image. [moby/moby#49009](https://github.com/moby/moby/pull/49009)
+- !TODO: vendor: google.golang.org/protobuf v1.35.2 [moby/moby#49031](https://github.com/moby/moby/pull/49031)
+- !TODO: registry: remove assignment of default values in some tests [moby/moby#49015](https://github.com/moby/moby/pull/49015)
+- !TODO: registry: isCIDRMatch: avoid performing DNS lookups if not needed [moby/moby#48999](https://github.com/moby/moby/pull/48999)
+- !TODO: daemon/daemon_linux.go: Fix a typo in comment [moby/moby#49019](https://github.com/moby/moby/pull/49019)
+- Update BuildKit to v0.18.1 [moby/moby#49023](https://github.com/moby/moby/pull/49023)
+- !TODO: api/types/network: add godoc for EndpointSettings.GwPriority [moby/moby#49045](https://github.com/moby/moby/pull/49045)
+- Attempt to load kernel modules, including `ip6_tables` and `br_netfilter` when required, using a
+method that is likely to succeed inside a docker-in-docker container. [moby/moby#49038](https://github.com/moby/moby/pull/49038)
+- !TODO: cmd/dockerd: ignore some unhandled errors [moby/moby#49053](https://github.com/moby/moby/pull/49053)
+- !TODO: daemon: remove Daemon.NetworkControllerEnabled [moby/moby#49052](https://github.com/moby/moby/pull/49052)
+- !TODO: Dockerfile: remove libapparmor-dev dependency [moby/moby#49066](https://github.com/moby/moby/pull/49066)
+- !TODO: man: vendor: github.com/cpuguy83/go-md2man v2.0.5 [moby/moby#49059](https://github.com/moby/moby/pull/49059)
+- !TODO: vendor: update golang.org/x/ dependencies [moby/moby#49070](https://github.com/moby/moby/pull/49070)
+- Upgrade `runc` to [v1.2.3](https://github.com/opencontainers/runc/releases/tag/v1.2.3) [moby/moby#49071](https://github.com/moby/moby/pull/49071)
+- !TODO: Dockerfile: remove dpkg-dev, libudev-dev, libsecret-1-dev, libbtrfs-dev dependencies [moby/moby#49067](https://github.com/moby/moby/pull/49067)
+- Fix excessive memory allocations when OTEL is not configured. [moby/moby#49078](https://github.com/moby/moby/pull/49078)
+- !TODO: daemon/containerd: hostsWrapper: remove  unused regService argument [moby/moby#49049](https://github.com/moby/moby/pull/49049)
+- !TODO: registry: some optimizations to reduce network connections  and DNS lookups if not needed [moby/moby#49050](https://github.com/moby/moby/pull/49050)
+- !TODO: update xx to v1.6.1 for compatibility with alpine 3.21 [moby/moby#49058](https://github.com/moby/moby/pull/49058)
+- `docker info` and the corresponding `GET /info` API endpoint no longer include
+warnings when `bridge-nf-call-iptables` or `bridge-nf-call-ip6tables` are
+disabled at the daemon is started. The `br_netfilter` kernel module is now
+attempted to be loaded when needed, which made those warnings inaccurate. [moby/moby#49089](https://github.com/moby/moby/pull/49089)
+- !TODO: vendor: golang.org/x/net v0.32.0 [moby/moby#49094](https://github.com/moby/moby/pull/49094)
+- !TODO: libnet/d/bridge: unconditionally error out if LinkSetMTU fails [moby/moby#49092](https://github.com/moby/moby/pull/49092)
+- !TODO: integration-cli: don't skip AppArmor tests on SLES [moby/moby#49061](https://github.com/moby/moby/pull/49061)
+- !TODO: libnet/iptables: remove mutex-based serialization [moby/moby#49096](https://github.com/moby/moby/pull/49096)
+- Update docs and code to reflect Go’s automatic canonicalisation of Api-Version and Ostype headers. [moby/moby#49054](https://github.com/moby/moby/pull/49054)
+- Update BuildKit to v0.18.2 [moby/moby#49116](https://github.com/moby/moby/pull/49116)
+- !TODO: docs/api: version-history.md: fix markdown [moby/moby#49113](https://github.com/moby/moby/pull/49113)
+- !TODO: libnet/iptables: split ProgramChain and move to bridge driver [moby/moby#49107](https://github.com/moby/moby/pull/49107)
+- pkg/system: deprecate `Lstat()`, `Mkdev()`, `Mknod()`, `FromStatT()` and `Stat()` functions, and related `StatT` types. These were only used internally, and will be removed in the next release. [moby/moby#49098](https://github.com/moby/moby/pull/49098)
+- !TODO: docs/api: document correct case for Api-Version header [moby/moby#49103](https://github.com/moby/moby/pull/49103)
+- !TODO: Decouple pkg/archive from pkg/ioutils [moby/moby#49073](https://github.com/moby/moby/pull/49073)
+- !TODO: integration/build: make TestBuildEmitsImageCreateEvent less noisy [moby/moby#49102](https://github.com/moby/moby/pull/49102)
+- networking: fixed a bug that could result in a iptables DOCKER FILTER chain not being cleaned up on failure  [moby/moby#49109](https://github.com/moby/moby/pull/49109)
+- !TODO: libnet/osl: drop netns path GC [moby/moby#49099](https://github.com/moby/moby/pull/49099)
+- !TODO: pkg/archive: replace uses of pkg/errors for stdlib errors [moby/moby#49101](https://github.com/moby/moby/pull/49101)
+- !TODO: Enable external DNS if a network has an IPv6 gateway [moby/moby#49128](https://github.com/moby/moby/pull/49128)
+- Fix an issue that caused excessive memory usage when DNS resolution was made in a tight loop [moby/moby#49123](https://github.com/moby/moby/pull/49123)
+- !TODO: libcontainer: ReplaceContainer: fix var shadowing import [moby/moby#49106](https://github.com/moby/moby/pull/49106)
+- Updated documentation by adding the DataPathAddr parameter to example usages of the SwarmJoin operation. [moby/moby#49122](https://github.com/moby/moby/pull/49122)
+- !TODO: libnet/d/bridge: move iptRule to iptables pkg [moby/moby#49125](https://github.com/moby/moby/pull/49125)
+- !TODO: docs/api: allow for an empty string for Isolation (api v1.25-v1.47) [moby/moby#49144](https://github.com/moby/moby/pull/49144)
+- !TODO: Decouple pkg/archive from pkg/system [moby/moby#49072](https://github.com/moby/moby/pull/49072)
+- !TODO: add Shaun Thompson as curator [moby/moby#49127](https://github.com/moby/moby/pull/49127)
+- api: Allow empty string for Isolation field in container inspection [moby/moby#48616](https://github.com/moby/moby/pull/48616)
+- !TODO: api: Remove unused imageStore and layerStore [moby/moby#49138](https://github.com/moby/moby/pull/49138)
+- !TODO: daemon/c8d: Fix duplicate containerd/images import [moby/moby#49140](https://github.com/moby/moby/pull/49140)
+- Builder GC policies without a `keepStorage` value now inherit the `defaultKeepStorage` limit as intended. [moby/moby#49062](https://github.com/moby/moby/pull/49062)
+- !TODO: image: Remove `GetImageManifest` [moby/moby#49133](https://github.com/moby/moby/pull/49133)
+- !TODO: vendor: golang.org/x/net v0.33.0 [moby/moby#49146](https://github.com/moby/moby/pull/49146)
+- !TODO: builder: don't fall back to defaultKeepStorage when set to zero [moby/moby#49147](https://github.com/moby/moby/pull/49147)
+- !TODO: pkg/chrootarchive: use stdlib errors, remove "// import" comments [moby/moby#49151](https://github.com/moby/moby/pull/49151)
+- !TODO: libnet: pass store as an arg to netdrivers [moby/moby#49158](https://github.com/moby/moby/pull/49158)
+- !TODO: pkg/parsers: rename var that collided with builtin [moby/moby#49182](https://github.com/moby/moby/pull/49182)
+- !TODO: daemon: add missing "//go:build" directive [moby/moby#49186](https://github.com/moby/moby/pull/49186)
+- !TODO: daemon: parseSecurityOpt: rename var that shadowed function [moby/moby#49176](https://github.com/moby/moby/pull/49176)
+- !TODO: daemon: adjust tests for changes in go1.24 JSON errors [moby/moby#49188](https://github.com/moby/moby/pull/49188)
+- !TODO: daemon: minor cleanups for getting system info [moby/moby#49185](https://github.com/moby/moby/pull/49185)
+- !TODO: daemon: don't repeatedly call NumCPU if not needed [moby/moby#49192](https://github.com/moby/moby/pull/49192)
+- !TODO: Remove use of `pkg/pools` in archive [moby/moby#49117](https://github.com/moby/moby/pull/49117)
+- !TODO: builder/dockerfile: unconvert [moby/moby#49168](https://github.com/moby/moby/pull/49168)
+- !TODO: vendor: github.com/Azure/go-ansiterm faa5f7b0171c, remove workaround for OSC string terminator parsing [moby/moby#49195](https://github.com/moby/moby/pull/49195)
+- !TODO: daemon: ignore some errors when setting env-vars [moby/moby#49163](https://github.com/moby/moby/pull/49163)
+- !TODO: fix non-constant format string (caught by go1.24) [moby/moby#49201](https://github.com/moby/moby/pull/49201)
+- !TODO: use lazyregexp to compile regexes on first use [moby/moby#48166](https://github.com/moby/moby/pull/48166)
+- !TODO: pkg/sysinfo: cleanup tests [moby/moby#49189](https://github.com/moby/moby/pull/49189)
+- !TODO: Down with the sickness (AUTO_GOPATH) [moby/moby#48958](https://github.com/moby/moby/pull/48958)
+- !TODO: distribution: Pass `Traceparent` OTEL header [moby/moby#49156](https://github.com/moby/moby/pull/49156)
+- !TODO: libnetwork/drivers/windows: fix error-matching for hcsshim "not found" [moby/moby#49202](https://github.com/moby/moby/pull/49202)
+- !TODO: Add testutil daemon.WithResolvConf [moby/moby#49132](https://github.com/moby/moby/pull/49132)
+- !TODO: integration: minor cleanups  and linting fixes [moby/moby#49199](https://github.com/moby/moby/pull/49199)
+- containerd image store: Fix passing a build context via tarball to the `/build` endpoint. [moby/moby#49178](https://github.com/moby/moby/pull/49178)
+- !TODO: integration-cli: TestRunInvalidCpuset.. create instead of run [moby/moby#49181](https://github.com/moby/moby/pull/49181)
+- Go SDK: pkg/fileutils: deprecate GetTotalUsedFds: this function is only used internally and will be removed in the next release. [moby/moby#49208](https://github.com/moby/moby/pull/49208)
+- !TODO: Update swarm to latest for server alpn config [moby/moby#49214](https://github.com/moby/moby/pull/49214)
+- !TODO: pkg/sysinfo: internalize parsing cpusets [moby/moby#49193](https://github.com/moby/moby/pull/49193)
+- !TODO: man: remove --allow-nondistributable-artifacts [moby/moby#49215](https://github.com/moby/moby/pull/49215)
+- !TODO: vendor: github.com/moby/term v0.5.2 [moby/moby#49216](https://github.com/moby/moby/pull/49216)
+- !TODO: golangci-lint: remove temporary exception for deprecated code [moby/moby#49211](https://github.com/moby/moby/pull/49211)
+- !TODO: integration/internal/container: IsInState: touch up error-logs [moby/moby#49220](https://github.com/moby/moby/pull/49220)
+- !TODO: pkg/sysinfo: parse cpuset.cpus/mems once and memoize [moby/moby#49221](https://github.com/moby/moby/pull/49221)
+- !TODO: Fix live restore for IPv6-only and multiple gateway endpoints [moby/moby#49150](https://github.com/moby/moby/pull/49150)
+- !TODO: integration-cli: migrate TestCreateByImageID to integration suite [moby/moby#49198](https://github.com/moby/moby/pull/49198)
+- !TODO: libnetwork/osl: Namespace.setSysctls: use stdlib errors [moby/moby#49224](https://github.com/moby/moby/pull/49224)
+- !TODO: daemon: isOnlineFSOperationPermitted: cleanup confusing syntax [moby/moby#49218](https://github.com/moby/moby/pull/49218)
+- !TODO: ci: update bake-action to v6 [moby/moby#49233](https://github.com/moby/moby/pull/49233)
+- !TODO: daemon: remove workaround for  go1.21 compiler bug [moby/moby#49187](https://github.com/moby/moby/pull/49187)
+- !TODO: Use bridge consts for "DefaultGatewayIPv[46]" aux-addr keys [moby/moby#49229](https://github.com/moby/moby/pull/49229)
+- !TODO: daemon: ImageService.LogImageEvent: pass through context [moby/moby#49014](https://github.com/moby/moby/pull/49014)
+- Fix a potential race condition error when deleting a container. [moby/moby#49228](https://github.com/moby/moby/pull/49228)
+- !TODO: libnetwork/drivers/bridge: processIPAM: remove unused arg [moby/moby#49235](https://github.com/moby/moby/pull/49235)
+- !TODO: daemon/links: use gotest.tools, remove unneeded utility and duplicated test [moby/moby#49232](https://github.com/moby/moby/pull/49232)
+- !TODO: pkg/idtools: rewrite to use moby/sys/user [moby/moby#49226](https://github.com/moby/moby/pull/49226)
+- !TODO: Centralize daemon metrics [moby/moby#49165](https://github.com/moby/moby/pull/49165)
+- !TODO: Split idtools to an internal package and package to be moved [moby/moby#49087](https://github.com/moby/moby/pull/49087)
+- !TODO: Fix unit tests for an nftables host [moby/moby#49248](https://github.com/moby/moby/pull/49248)
+- Go SDK: pkg/ioutils: deprecate `BytesPipe`, `NewBytesPipe`, `ErrClosed`. These types are only used internally and will be removed in the next release
+Go SDK: pkg/ioutils: deprecate `WriteCounter`, `NewWriteCounter`. This type and utility were not used and will be removed in the next release
+Go SDK: pkg/ioutils: deprecate `NewReaderErrWrapper`. This function was not used and will be removed in the next release.
+Go SDK: pkg/ioutils: deprecate `NopFlusher`. This type was only used internally and will be removed in the next release. [moby/moby#49244](https://github.com/moby/moby/pull/49244)
+- Upgrade `runc` to [v1.2.4](https://github.com/opencontainers/runc/releases/tag/v1.2.4) [moby/moby#49238](https://github.com/moby/moby/pull/49238)
+- !TODO: improve validation of cpu-shares, and migrate TestRunInvalidCPUShares [moby/moby#49180](https://github.com/moby/moby/pull/49180)
+- Update containerd (static binaries only) to [v1.7.25](https://github.com/containerd/containerd/releases/tag/v1.7.25) [moby/moby#49252](https://github.com/moby/moby/pull/49252)
+- Go SDK: pkg/ioutils: deprecate `NopWriter` in favour of `io.Discard`. It will be removed in the next release.
+Go SDK: pkg/ioutils: deprecate `NopWriteCloser`. It was only used internally, and will be removed in the next release. [moby/moby#49254](https://github.com/moby/moby/pull/49254)
+- !TODO: pkg/archive: nosysFileInfo: implement tar.FileInfoNames to prevent lookups [moby/moby#49152](https://github.com/moby/moby/pull/49152)
+- !TODO: c8d: Implement `RWLayer` [moby/moby#49120](https://github.com/moby/moby/pull/49120)
+- !TODO: Update MAINTAINERS file [moby/moby#49259](https://github.com/moby/moby/pull/49259)
+- !TODO: imageService: Remove PerformWithBaseFS [moby/moby#49263](https://github.com/moby/moby/pull/49263)
+- !TODO: vendor: github.com/creack/pty v1.1.24 [moby/moby#49278](https://github.com/moby/moby/pull/49278)
+- !TODO: vendor: otel v0.56.0 / v1.31.0 [moby/moby#49276](https://github.com/moby/moby/pull/49276)
+- !TODO: vendor: cloud.google.com/go/compute/metadata v0.5.0 [moby/moby#49273](https://github.com/moby/moby/pull/49273)
+- !TODO: testutil: update to semconv v1.26.0 [moby/moby#49280](https://github.com/moby/moby/pull/49280)
+- !TODO: vendor: google.golang.org/grpc v1.68.1, google.golang.org/genproto 324edc3d5d38 [moby/moby#49275](https://github.com/moby/moby/pull/49275)
+- !TODO: vendor: github.com/aws/aws-sdk-go-v2 v1.30.3 [moby/moby#49277](https://github.com/moby/moby/pull/49277)
+- !TODO: libnet/d/bridge: init driver.nlh in newDriver [moby/moby#49267](https://github.com/moby/moby/pull/49267)
+- !TODO: pkg/ioutils: remove crypto/sha256, crypto/sha512 imports [moby/moby#49281](https://github.com/moby/moby/pull/49281)
+- !TODO: use StatsResponse instead of Stats in tests [moby/moby#49284](https://github.com/moby/moby/pull/49284)
+- !TODO: Increase integration test timeout from 5m to 10m [moby/moby#49283](https://github.com/moby/moby/pull/49283)
+- !TODO: daemon: remove kernel-version check for kernel < 4.0.0 [moby/moby#49184](https://github.com/moby/moby/pull/49184)
+- !TODO: api/server/middleware: log before, not after the request [moby/moby#48740](https://github.com/moby/moby/pull/48740)
+- !TODO: ci: switch from jenkins to gha for arm64 build and tests [moby/moby#49290](https://github.com/moby/moby/pull/49290)
+- !TODO: ci(bin-image): fix bake build [moby/moby#49289](https://github.com/moby/moby/pull/49289)
+- Fixed an issue that could persistently prevent daemon startup after failure to initialize the default bridge. [moby/moby#49292](https://github.com/moby/moby/pull/49292)
+- !TODO: awslogs: Prevent close from being blocked on log [moby/moby#47748](https://github.com/moby/moby/pull/47748)
+- !TODO: spelling fix in comments (daemon/logger/loggerutils/queue.go) [moby/moby#49296](https://github.com/moby/moby/pull/49296)
+- !TODO: api: swagger: document StatsResponse [moby/moby#49286](https://github.com/moby/moby/pull/49286)
+- !TODO: Ignore error when adding a bridge already in the ipset [moby/moby#49295](https://github.com/moby/moby/pull/49295)
+- On a host that cannot load the `br_netfilter` module when it's needed, set environment variable
+`DOCKER_IGNORE_BR_NETFILTER_ERROR=1` to ignore the problem.
+- Some things won't work! Including disabling inter-container communication in a bridge network
+and, with the userland proxy disabled, it won't be possible to access one container's published
+ports from another container on the same network. [moby/moby#49293](https://github.com/moby/moby/pull/49293)
+- !TODO: build: log when build is cancelled [moby/moby#48696](https://github.com/moby/moby/pull/48696)
+- !TODO: daemon/links: assorted bug fixes and cleanup [moby/moby#49300](https://github.com/moby/moby/pull/49300)
+- !TODO: Update RootlessKit to v2.3.2 [moby/moby#49303](https://github.com/moby/moby/pull/49303)
+- !TODO: Revert "libnet/d/bridge: port mappings: filter by input iface" [moby/moby#49310](https://github.com/moby/moby/pull/49310)
+- !TODO: Dockerfile: dev-container: update CLI v27.5.0, buildx v0.20.0, compose v2.32.4 [moby/moby#49316](https://github.com/moby/moby/pull/49316)
+- !TODO: build: don't print warning when connection was terminated [moby/moby#49299](https://github.com/moby/moby/pull/49299)
+- !TODO: gha: Adjust release branches [moby/moby#49313](https://github.com/moby/moby/pull/49313)
+- !TODO: Fix parsing of user/group during copy operation [moby/moby#34143](https://github.com/moby/moby/pull/34143)
+- !TODO: docs: clarify that tag or digest in fromImage is ignored [moby/moby#49266](https://github.com/moby/moby/pull/49266)
+- !TODO: libnetwork/types: align error-types with errdefs [moby/moby#49318](https://github.com/moby/moby/pull/49318)
+- !TODO: libnetwork: use errdefs and gotest.tools for asserting error-types (step 1) [moby/moby#49326](https://github.com/moby/moby/pull/49326)
+- !TODO: daemon: NewDaemon: align grpc options with containerd's defaults [moby/moby#48617](https://github.com/moby/moby/pull/48617)
+- !TODO: distribution: fix / improve handling of "closed pipe" and context cancellation / timeouts [moby/moby#49297](https://github.com/moby/moby/pull/49297)
+- !TODO: libnetwork/drivers/bridge: driver.configure: move vars close to where used [moby/moby#49328](https://github.com/moby/moby/pull/49328)
+- !TODO: layerStore.registerWithDescriptor: improve logs for cleaning up cache [moby/moby#49298](https://github.com/moby/moby/pull/49298)
+- !TODO: gha: update DCO check to alpine 3.21 [moby/moby#49323](https://github.com/moby/moby/pull/49323)
+- !TODO: libnetwork/driverapi: fix GoDoc for UpdateIpamConfig [moby/moby#49319](https://github.com/moby/moby/pull/49319)
+- !TODO: libnetwork: use gotest.tools for errdefs assertions in various tests [moby/moby#49332](https://github.com/moby/moby/pull/49332)
+- !TODO: libnetwork: remove some redundant type-conversions [moby/moby#49327](https://github.com/moby/moby/pull/49327)
+- !TODO: man: vendor github.com/cpuguy83/go-md2man/v2 v2.0.6 [moby/moby#49340](https://github.com/moby/moby/pull/49340)
+- !TODO: libnetwork: rewrite some tests to use gotest.tools [moby/moby#49329](https://github.com/moby/moby/pull/49329)
+- !TODO: IPv6 only: not experimental [moby/moby#48809](https://github.com/moby/moby/pull/48809)
+- !TODO: libnetwork: remove Network.EndpointByID as it must not be used [moby/moby#49341](https://github.com/moby/moby/pull/49341)
+- !TODO: daemon: make daemon.getEntrypointAndArgs a regular function [moby/moby#49335](https://github.com/moby/moby/pull/49335)
+- !TODO: daemon: health: getShell: simplify logic (LCOW remnants) [moby/moby#49337](https://github.com/moby/moby/pull/49337)
+- !TODO: integration: remove assertAttachedStream, check both STDERR and STDOUT [moby/moby#49338](https://github.com/moby/moby/pull/49338)
+- !TODO: daemon/cluster/executor: simplify handling of Network Attachments [moby/moby#49343](https://github.com/moby/moby/pull/49343)
+- !TODO: libnetwork: remove ErrNoSuchEndpoint, ErrInvalidID, ErrInvalidName [moby/moby#49344](https://github.com/moby/moby/pull/49344)
+- !TODO: remove redundant uses of api/types/strslice.StrSlice [moby/moby#49336](https://github.com/moby/moby/pull/49336)
+- !TODO: Debug flaky unsolicited Neighbour Advertisements [moby/moby#49342](https://github.com/moby/moby/pull/49342)
+- !TODO: libnetwork/options: rewrite tests with gotest.tools [moby/moby#49347](https://github.com/moby/moby/pull/49347)
+- !TODO: libnetwork/drivers/windows: remove ErrUnsupportedAddressType [moby/moby#49350](https://github.com/moby/moby/pull/49350)
+- !TODO: libnetwork/drivers/bridge: remove, or internalize errors [moby/moby#49349](https://github.com/moby/moby/pull/49349)
+- !TODO: gha/e2e: Update latest version to 27.0 [docker/cli#5191](https://github.com/docker/cli/pull/5191)
+- !TODO: Dockerfile: Use CLI generated completions in the dev shell [moby/moby#47649](https://github.com/moby/moby/pull/47649)
+- !TODO: vendor: github.com/docker/docker v27.0.3 [docker/cli#5207](https://github.com/docker/cli/pull/5207)
+- !TODO: update golangci-lint to v1.59.1 [docker/cli#5189](https://github.com/docker/cli/pull/5189)
+- Fix a regression that caused port numbers to be ignored when parsing a Docker registry URL. [docker/cli#5195](https://github.com/docker/cli/pull/5195)
+- Fix handling of IPv6 addresses with custom ports on docker login [docker/cli#5196](https://github.com/docker/cli/pull/5196)
+- !TODO: vendor: github.com/docker/docker v27.0.2 [docker/cli#5205](https://github.com/docker/cli/pull/5205)
+- !TODO: cli/command/stack: fix faulty sort for sorting stacks [docker/cli#5212](https://github.com/docker/cli/pull/5212)
+- !TODO: api/types: remove some redundant imports [moby/moby#49355](https://github.com/moby/moby/pull/49355)
+- !TODO: client: remove uses of pkg/errors in tests [moby/moby#49356](https://github.com/moby/moby/pull/49356)
+- !TODO: fix: ctx cancellation on login prompt [docker/cli#5168](https://github.com/docker/cli/pull/5168)
+- !TODO: cli/command/network: some cleanup and pass smaller interfaces [docker/cli#5225](https://github.com/docker/cli/pull/5225)
+- !TODO: assorted minor changes in preparation of updating docker/docker dependency [docker/cli#5222](https://github.com/docker/cli/pull/5222)
+- Enable shell completion for `docker image rm`, `docker image history`, and `docker image inspect`. [docker/cli#5223](https://github.com/docker/cli/pull/5223)
+- !TODO: vendor: github.com/fvbommel/sortorder v1.1.0 [docker/cli#5213](https://github.com/docker/cli/pull/5213)
+- !TODO: cli/command/container: TestSplitCpArg: cleaner skip [docker/cli#5230](https://github.com/docker/cli/pull/5230)
+- !TODO: feat: force lf line endings by default [docker/cli#5216](https://github.com/docker/cli/pull/5216)
+- !TODO: cmd/docker: split handling exit-code to a separate utility [docker/cli#5229](https://github.com/docker/cli/pull/5229)
+- Update Go runtime to 1.21.12 [docker/cli#5218](https://github.com/docker/cli/pull/5218)
+- !TODO: install bash-completion in dev container [docker/cli#5232](https://github.com/docker/cli/pull/5232)
+- !TODO: docs: make buildx build the canonical reference doc [docker/cli#5002](https://github.com/docker/cli/pull/5002)
+- !TODO: vendor: github.com/docker/docker aae044039ca4 (master, v-next) [docker/cli#5251](https://github.com/docker/cli/pull/5251)
+- !TODO: test spring-cleaning [docker/cli#5224](https://github.com/docker/cli/pull/5224)
+- !TODO: vendor: github.com/docker/cli-docs-tool v0.8.0 [docker/cli#5255](https://github.com/docker/cli/pull/5255)
+- !TODO: cli: make cli.StatusError slightly prettier [docker/cli#5231](https://github.com/docker/cli/pull/5231)
+- !TODO: vendor: github.com/docker/docker 508cc7c61226 (master) [docker/cli#5226](https://github.com/docker/cli/pull/5226)
+- !TODO: Dockerfile: update buildx to v0.16.1, compose to v2.29.0 [docker/cli#5264](https://github.com/docker/cli/pull/5264)
+- !TODO: cli reference overview base cmd [docker/cli#5010](https://github.com/docker/cli/pull/5010)
+- !TODO: gha: update to macOS 13, add macOS 14 arm64 (Apple Silicon M1) [docker/cli#5268](https://github.com/docker/cli/pull/5268)
+- Add support for `DOCKER_CUSTOM_HEADERS` environment variable
+
+This environment variable allows for setting additional headers to be sent by the client. Headers set through this environment variable are added to headers set through the config-file (through the HttpHeaders field).
+
+This environment variable can be used in situations where headers must be set for a specific invocation of the CLI, but should not be set by default, and therefore cannot be set in the config-file. [docker/cli#5098](https://github.com/docker/cli/pull/5098)
+- sending a termination request to the CLI while attached to a container, will wait for the container to exit before closing the stream. [docker/cli#5247](https://github.com/docker/cli/pull/5247)
+- !TODO: cli/command/container: remove reportError, and put StatusError to use [docker/cli#5236](https://github.com/docker/cli/pull/5236)
+- !TODO: vendor: update various dependencies [docker/cli#5228](https://github.com/docker/cli/pull/5228)
+- !TODO: gha: check-pr-branch: verify major version only [docker/cli#5262](https://github.com/docker/cli/pull/5262)
+- add and improve shell completions for various flags [docker/cli#5238](https://github.com/docker/cli/pull/5238)
+- containerd integration: Fix `docker push` defaulting the `--platform` flag to a value of `DOCKER_DEFAULT_PLATFORM` environment variable on unsupported API versions. [docker/cli#5246](https://github.com/docker/cli/pull/5246)
+- !TODO: cli/config/credentials: move warning to fileStore [docker/cli#5259](https://github.com/docker/cli/pull/5259)
+- !TODO: login: slightly cleanup warning about unencrypted store [docker/cli#5258](https://github.com/docker/cli/pull/5258)
+- !TODO: Fix flaky `TestCloseRunningCommand` test [docker/cli#5290](https://github.com/docker/cli/pull/5290)
+- !TODO: tests: fix other flaky `connhelper` tests [docker/cli#5291](https://github.com/docker/cli/pull/5291)
+- !TODO: lint: replace deprecated linter names  [docker/cli#5298](https://github.com/docker/cli/pull/5298)
+- Fix `docker attach` exiting on `SIGINT` instead of forwarding the signal to the container and waiting for it to exit. [docker/cli#5297](https://github.com/docker/cli/pull/5297)
+- !TODO: tests/run: fix flaky `RunAttachTermination` test [docker/cli#5303](https://github.com/docker/cli/pull/5303)
+- !TODO: vendor: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0 [docker/cli#5311](https://github.com/docker/cli/pull/5311)
+- Fix `docker attach` printing a spurious `context cancelled` error message. [docker/cli#5295](https://github.com/docker/cli/pull/5295)
+- !TODO: docs: refresh image versions in examples [docker/cli#5289](https://github.com/docker/cli/pull/5289)
+- Update Go runtime to 1.21.13 [docker/cli#5324](https://github.com/docker/cli/pull/5324)
+- !TODO: vendor: github.com/docker/docker master  (f3cf9359bdf6) [docker/cli#5330](https://github.com/docker/cli/pull/5330)
+- !TODO: vendor: github.com/docker/docker 2269acc7a31d (master, v-next) [docker/cli#5332](https://github.com/docker/cli/pull/5332)
+- !TODO: docs: fix link to http proxy document [docker/cli#5338](https://github.com/docker/cli/pull/5338)
+- !TODO: docs: update internal links after refactor [docker/cli#5342](https://github.com/docker/cli/pull/5342)
+- !TODO: cli/connhelper: getConnectionHelper: move ssh-option funcs out of closure [docker/cli#5345](https://github.com/docker/cli/pull/5345)
+- Fix issue with remote contexts over SSH where the CLI would allocate a pseudoterminal when connecting to the remote host, which causes issues in rare situations. [docker/cli#5320](https://github.com/docker/cli/pull/5320)
+- Added support for device-code flow login when authenticating to the official registry. [docker/cli#5344](https://github.com/docker/cli/pull/5344)
+- containerd image store:  `docker image ls` now supports `--tree` flag that shows a multiplatform-aware image list. This is experimental and may change at any time without any backwards compatibility. [docker/cli#4982](https://github.com/docker/cli/pull/4982)
+- !TODO:  list/tree: Print <untagged> as dangling image name [docker/cli#5352](https://github.com/docker/cli/pull/5352)
+- !TODO: list/tree: No extra spacing for graphdriver [docker/cli#5356](https://github.com/docker/cli/pull/5356)
+- !TODO: docs: update link to moved build context doc [docker/cli#5347](https://github.com/docker/cli/pull/5347)
+- !TODO: login: add oauth escape hatch [docker/cli#5361](https://github.com/docker/cli/pull/5361)
+- !TODO: docs: use gh alert syntax for callouts [docker/cli#5350](https://github.com/docker/cli/pull/5350)
+- !TODO: Fix linting issues in preparation of Go and GolangCI-lint update [docker/cli#5370](https://github.com/docker/cli/pull/5370)
+- !TODO: chore: update link to docker engine api reference [docker/cli#5360](https://github.com/docker/cli/pull/5360)
+- !TODO: docs: update docker login reference [docker/cli#5386](https://github.com/docker/cli/pull/5386)
+- Update Go runtime to 1.22.7 [docker/cli#5410](https://github.com/docker/cli/pull/5410)
+- !TODO: vendor.mod: put github.com/pkg/browser in the right group [docker/cli#5407](https://github.com/docker/cli/pull/5407)
+- !TODO: scripts/build/plugins: don't override CGO_ENABLED set by .variables [docker/cli#5393](https://github.com/docker/cli/pull/5393)
+- Fix issue that will sometimes cause the browser-login flow to fail if the CLI process is suspended and then resumed while waiting for the user to authenticate. [docker/cli#5376](https://github.com/docker/cli/pull/5376)
+- update to go1.22.6 [docker/cli#5387](https://github.com/docker/cli/pull/5387)
+- !TODO: Dockerfile: update xx to v1.5.0 [docker/cli#5389](https://github.com/docker/cli/pull/5389)
+- Fixed issue related to login, causing credentials to sometimes not be picked up when explicitly pulling/pushing images from `registry-1.docker.io`. [docker/cli#5379](https://github.com/docker/cli/pull/5379)
+- !TODO: chore: remove duplicated `govet` linter config [docker/cli#5425](https://github.com/docker/cli/pull/5425)
+- !TODO: fix: gitattributes enforcing line endings [docker/cli#5381](https://github.com/docker/cli/pull/5381)
+- !TODO: docs: rename plugins index file and add linkTitle [docker/cli#5403](https://github.com/docker/cli/pull/5403)
+- Fix issue where `docker volume update` command would cause the CLI to panic if no argument/volume was passed. [docker/cli#5420](https://github.com/docker/cli/pull/5420)
+- Fix issue causing login to not remove repository names from passed in registry addresses, resulting in credentials being stored under the wrong key. [docker/cli#5383](https://github.com/docker/cli/pull/5383)
+- !TODO: info: stop printing "Expected" commits [docker/cli#5422](https://github.com/docker/cli/pull/5422)
+- Properly report metrics when run in WSL environment on Windows [docker/cli#5424](https://github.com/docker/cli/pull/5424)
+- !TODO: vendor: update various dependencies [docker/cli#5427](https://github.com/docker/cli/pull/5427)
+- !TODO: docs, man: dockerd: add documentation for "--log-format" option [docker/cli#5438](https://github.com/docker/cli/pull/5438)
+- !TODO: docs: add documentation for dockerd --feature flag [docker/cli#5436](https://github.com/docker/cli/pull/5436)
+- !TODO: Dockerfile: update buildx to v0.17.1, compose to v2.29.4 [docker/cli#5441](https://github.com/docker/cli/pull/5441)
+- docs/cli/container_run: Fix example usage of `--rm=false` flag to `--rm` in container_run.md [docker/cli#5435](https://github.com/docker/cli/pull/5435)
+- Print OTEL errors in the CLI on shutdown [docker/cli#5444](https://github.com/docker/cli/pull/5444)
+- !TODO: gha: update codeql workflow to go1.22.7 [docker/cli#5446](https://github.com/docker/cli/pull/5446)
+- Use lowercase windows drive letter for WSL metrics path [docker/cli#5445](https://github.com/docker/cli/pull/5445)
+- Fix issue causing CLI OTel metrics to not be collected. [docker/cli#5456](https://github.com/docker/cli/pull/5456)
+- !TODO: Dockerfile: update compose to v2.29.7 [docker/cli#5459](https://github.com/docker/cli/pull/5459)
+- containerd image store:  do not underline names in `docker image ls --tree`. [docker/cli#5473](https://github.com/docker/cli/pull/5473)
+- !TODO: docs: fix a typo in run.md [docker/cli#5481](https://github.com/docker/cli/pull/5481)
+- containerd image store:  change name of `USED` column in `docker image ls --tree` to `IN USE`. [docker/cli#5474](https://github.com/docker/cli/pull/5474)
+- !TODO: gha: codeql: minor touch-ups and fixes [docker/cli#5454](https://github.com/docker/cli/pull/5454)
+- !TODO: vendor: github.com/docker/docker 164cae56ed95 (master, v-next) [docker/cli#5428](https://github.com/docker/cli/pull/5428)
+- !TODO: cli/container: use github.com/moby/sys/capability for completions [docker/cli#5480](https://github.com/docker/cli/pull/5480)
+- !TODO: cli/command/container: add unit tests for completion helpers [docker/cli#5492](https://github.com/docker/cli/pull/5492)
+- !TODO: opts: cleanup ParseEnvFile tests [docker/cli#5494](https://github.com/docker/cli/pull/5494)
+- opts: remove ErrBadKey as it's not used as a sentinel error [docker/cli#5495](https://github.com/docker/cli/pull/5495)
+- !TODO: opts: parseKeyValueFile: cleanup and remove redundant trimming [docker/cli#5496](https://github.com/docker/cli/pull/5496)
+- !TODO: docs: use important callout for buildkit vs legacy builder [docker/cli#5469](https://github.com/docker/cli/pull/5469)
+- move parsing key-value files to a separate package (pkg/kvfile) [docker/cli#5502](https://github.com/docker/cli/pull/5502)
+- !TODO: cli/command/container: add unit tests for container restart and container stop [docker/cli#5482](https://github.com/docker/cli/pull/5482)
+- !TODO: Update `VERSION` file to `v27.3.1-dev` [docker/cli#5460](https://github.com/docker/cli/pull/5460)
+- !TODO: docs: fix anchor link to web-based login section [docker/cli#5471](https://github.com/docker/cli/pull/5471)
+- !TODO: docs/reference: stop, restart: add flag descriptions [docker/cli#5484](https://github.com/docker/cli/pull/5484)
+- !TODO: docs: fix inaccurate description of --restart=unless-stopped [docker/cli#5508](https://github.com/docker/cli/pull/5508)
+- Update Go runtime to 1.22.8 [docker/cli#5504](https://github.com/docker/cli/pull/5504)
+- add shell-completion for --platform flags [docker/cli#5516](https://github.com/docker/cli/pull/5516)
+- !TODO: vendor assorted dependencies in preparation of engine update [docker/cli#5529](https://github.com/docker/cli/pull/5529)
+- Improve completion of containers for `docker rm` [docker/cli#5527](https://github.com/docker/cli/pull/5527)
+- !TODO: cli/command/completion: add more unit-tests [docker/cli#5533](https://github.com/docker/cli/pull/5533)
+- !TODO: README: update pkg.go.dev badge, add OpenSSF scorecard [docker/cli#5532](https://github.com/docker/cli/pull/5532)
+- !TODO: cli/command/container: set empty args in tests and discard output [docker/cli#5534](https://github.com/docker/cli/pull/5534)
+- !TODO: cli/command/image: fix TestNewSaveCommandSuccess to actually test [docker/cli#5520](https://github.com/docker/cli/pull/5520)
+- !TODO: cli/command/images: set cmd.Args to prevent test-failures [docker/cli#5521](https://github.com/docker/cli/pull/5521)
+- !TODO: templates: add test for HeaderFunctions [docker/cli#5541](https://github.com/docker/cli/pull/5541)
+- !TODO: vendor: github.com/moby/swarmkit/v2 v2.0.0-20241017191044-e8ecf83ee08e [docker/cli#5539](https://github.com/docker/cli/pull/5539)
+- !TODO: docs: corrected the max events returned [docker/cli#5537](https://github.com/docker/cli/pull/5537)
+- !TODO: docs: update prose about image tag/name format [docker/cli#5535](https://github.com/docker/cli/pull/5535)
+- go-sdk: fix deprecation of `cli/command.ConfigureAuth()`, which was deprecated since v27.2.1 [docker/cli#5551](https://github.com/docker/cli/pull/5551)
+- !TODO: cli/hints: add tests [docker/cli#5546](https://github.com/docker/cli/pull/5546)
+- Documentation: Link supported Go duration strings [docker/cli#5507](https://github.com/docker/cli/pull/5507)
+- improve formatting of errors during `docker plugin remove`
+go-sdk: deprecate cli.Errors type in favour of Go's errors.Join [docker/cli#5547](https://github.com/docker/cli/pull/5547)
+- !TODO: cli/command: PromptUserForCredentials: assorted minor improvements and (linting) fixes [docker/cli#5550](https://github.com/docker/cli/pull/5550)
+- !TODO: cli/config: improve error when failing to parse config file [docker/cli#5567](https://github.com/docker/cli/pull/5567)
+- !TODO: cmd/docker: add tests for flag-completions, and refactor [docker/cli#5542](https://github.com/docker/cli/pull/5542)
+- !TODO: Completion for `events --filter` [docker/cli#5538](https://github.com/docker/cli/pull/5538)
+- !TODO: cli/config/credentials: add test for save being idempotent [docker/cli#5570](https://github.com/docker/cli/pull/5570)
+- !TODO: bump golangci-lint to v1.61.0 and cleanup config [docker/cli#5585](https://github.com/docker/cli/pull/5585)
+- Fixed bash completion for `events --filter daemon=` [docker/cli#5554](https://github.com/docker/cli/pull/5554)
+- !TODO: vendor: github.com/docker/docker 36a3bd090489 (master, v28.0-dev) [docker/cli#5544](https://github.com/docker/cli/pull/5544)
+- The `docker login` and `docker logout` command no longer update the configuration file if the credentials didn't change. [docker/cli#5553](https://github.com/docker/cli/pull/5553)
+- !TODO: golangci-lint: set go version to prevent fallback to go1.17, and fix copyloopvar linting issues [docker/cli#5594](https://github.com/docker/cli/pull/5594)
+- !TODO: vendor: github.com/docker/docker 6ac445c42bad (master, v28.0-dev) [docker/cli#5590](https://github.com/docker/cli/pull/5590)
+- !TODO: deps: update `go-jose/go-jose` to `v4` [docker/cli#5596](https://github.com/docker/cli/pull/5596)
+- !TODO: cli/command: fix some minor linting issues [docker/cli#5557](https://github.com/docker/cli/pull/5557)
+- !TODO: docs: change link to desktop docs [docker/cli#5600](https://github.com/docker/cli/pull/5600)
+- `docker stats` output is now buffered to reduce flickering issues [docker/cli#5586](https://github.com/docker/cli/pull/5586)
+- Ported some completions from the bash completion to the new cobra based completion. [docker/cli#5580](https://github.com/docker/cli/pull/5580)
+- !TODO: Dockerfile: update buildx to v0.18.0, compose to v2.30.3 [docker/cli#5615](https://github.com/docker/cli/pull/5615)
+- !TODO: cli/command/container: fix missing go:build tag [docker/cli#5621](https://github.com/docker/cli/pull/5621)
+- !TODO: docs: Correct `run` exit code 126 description [docker/cli#5591](https://github.com/docker/cli/pull/5591)
+- !TODO: vendor: github.com/docker/docker e5c2b5e10d68 (master, v28.0.0-dev) [docker/cli#5638](https://github.com/docker/cli/pull/5638)
+- !TODO: Dockerfile: bump github.com/josephspurrier/goversioninfo to v1.4.1 [docker/cli#5630](https://github.com/docker/cli/pull/5630)
+- !TODO: update golangci-lint to v1.62.0 [docker/cli#5632](https://github.com/docker/cli/pull/5632)
+- !TODO: cli/command/container: parse: remove client-side warning [docker/cli#5579](https://github.com/docker/cli/pull/5579)
+- !TODO: build(deps): bump codecov/codecov-action from 4 to 5 [docker/cli#5636](https://github.com/docker/cli/pull/5636)
+- !TODO: docs: update example redis tags from 3.0.x to 7.4.x [docker/cli#5595](https://github.com/docker/cli/pull/5595)
+- !TODO: vendor: github.com/moby/sys/capability v0.4.0 [docker/cli#5633](https://github.com/docker/cli/pull/5633)
+- !TODO:  tests: cleanup table test names [docker/cli#5650](https://github.com/docker/cli/pull/5650)
+- !TODO: vendor: github.com/go-viper/mapstructure/v2 v2.2.1 [docker/cli#5634](https://github.com/docker/cli/pull/5634)
+- !TODO: update go:build tags to use go1.22 [docker/cli#5608](https://github.com/docker/cli/pull/5608)
+- !TODO: docs: fix janky rendering of toc on docs.docker.com [docker/cli#5653](https://github.com/docker/cli/pull/5653)
+- !TODO: Optimise `docker stats` to not require clearing the whole screen [docker/cli#5625](https://github.com/docker/cli/pull/5625)
+- !TODO: vendor: github.com/tonistiigi/go-rosetta v0.0.0-20220804170347-3f4430f2d346 [docker/cli#5637](https://github.com/docker/cli/pull/5637)
+- !TODO: vendor: update various golang.org/x/ dependencies [docker/cli#5671](https://github.com/docker/cli/pull/5671)
+- Fix inaccessible plugins paths preventing plugins from being detected. [docker/cli#5651](https://github.com/docker/cli/pull/5651)
+- !TODO: vendor: google.golang.org/protobuf v1.35.2 [docker/cli#5672](https://github.com/docker/cli/pull/5672)
+- !TODO: vendor: github.com/docker/docker 5d72419486fe (master, v28.0.0-dev) [docker/cli#5673](https://github.com/docker/cli/pull/5673)
+- !TODO: registry/client: remove uses of APIEndpoint.TrimHostName [docker/cli#5674](https://github.com/docker/cli/pull/5674)
+- !TODO: update go-md2man to v2.0.5 [docker/cli#5689](https://github.com/docker/cli/pull/5689)
+- !TODO: cli/command/system: remove netfilter warnings from tests [docker/cli#5691](https://github.com/docker/cli/pull/5691)
+- !TODO: update xx to v1.6.1 for compatibility with alpine 3.21 [docker/cli#5683](https://github.com/docker/cli/pull/5683)
+- !TODO: cli/command/system: remove BridgeNfIptables, BridgeNfIp6tables in tests [docker/cli#5696](https://github.com/docker/cli/pull/5696)
+- !TODO: Add --bip6 to the dockerd manpage [docker/cli#5655](https://github.com/docker/cli/pull/5655)
+- !TODO: chore: update commit guidelines in CONTRIBUTING.md [docker/cli#5648](https://github.com/docker/cli/pull/5648)
+- !TODO: vendor: update golang.org/x/ dependencies for docker/docker [docker/cli#5702](https://github.com/docker/cli/pull/5702)
+- !TODO: cli/trust: GetNotaryRepository: remove uses of RepositoryInfo.Class [docker/cli#5660](https://github.com/docker/cli/pull/5660)
+- !TODO: Makefile: use go1.22 semantics for gofumpt [docker/cli#5684](https://github.com/docker/cli/pull/5684)
+- !TODO: cli/command/system: don't use "non-distributable-artifacts" fields in tests [docker/cli#5679](https://github.com/docker/cli/pull/5679)
+- !TODO: vendor: golang.org/x/net v0.33.0 [docker/cli#5705](https://github.com/docker/cli/pull/5705)
+- !TODO: cli/command/system: TestEventsFormat: set cmd.Args to prevent test-failures [docker/cli#5695](https://github.com/docker/cli/pull/5695)
+- !TODO: update golangci-lint to v1.62.2 [docker/cli#5682](https://github.com/docker/cli/pull/5682)
+- !TODO: cli/command/registry: assorted refactor and test changes [docker/cli#5667](https://github.com/docker/cli/pull/5667)
+- !TODO: cli/command/container: use local copy of pkg/system.IsAbs [docker/cli#5697](https://github.com/docker/cli/pull/5697)
+- !TODO: vendor: github.com/docker/docker 6f6c3b921180 (master, v28.0.0-dev) [docker/cli#5716](https://github.com/docker/cli/pull/5716)
+- !TODO: Use io.copy for build context compression [docker/cli#5719](https://github.com/docker/cli/pull/5719)
+- !TODO: docs, man: remove confusing example for "--isolation" [docker/cli#5718](https://github.com/docker/cli/pull/5718)
+- !TODO: remove remnants of --oom-score-adj daemon config (docs, completion) [docker/cli#5722](https://github.com/docker/cli/pull/5722)
+- !TODO: TestRunCopyFromContainerToFilesystem: use Tar without options [docker/cli#5710](https://github.com/docker/cli/pull/5710)
+- !TODO: contrib/completion: remove deprecated --api-cors-header [docker/cli#5725](https://github.com/docker/cli/pull/5725)
+- !TODO: vendor: github.com/docker/docker a72026acbbdf (master, v28.0.0-dev) [docker/cli#5711](https://github.com/docker/cli/pull/5711)
+- !TODO: vendor: github.com/moby/term v0.5.2 [docker/cli#5727](https://github.com/docker/cli/pull/5727)
+- !TODO: vendor: github.com/docker/docker ad6929339acd (master, v28.0.0-dev) [docker/cli#5703](https://github.com/docker/cli/pull/5703)
+- !TODO: Fix container cp test to separate source and destination [docker/cli#5715](https://github.com/docker/cli/pull/5715)
+- !TODO: golangci-lint: sync some depguard settings with moby/moby [docker/cli#5709](https://github.com/docker/cli/pull/5709)
+- !TODO: Drop support for fluentd-async-connect [docker/cli#5740](https://github.com/docker/cli/pull/5740)
+- !TODO: gha/build: Publish bin image for release branches [docker/cli#5734](https://github.com/docker/cli/pull/5734)
+- !TODO: vendor: google.golang.org/grpc v1.68.1, google.golang.org/genproto 324edc3d5d38 [docker/cli#5745](https://github.com/docker/cli/pull/5745)
+- !TODO: vendor: github.com/docker/docker 50212d215ba7 (master, v28.0-dev) [docker/cli#5728](https://github.com/docker/cli/pull/5728)
+- !TODO: vendor: github.com/docker/docker 69687190936d (master, v28.0-dev) [docker/cli#5708](https://github.com/docker/cli/pull/5708)
+- !TODO: vendor: otel v0.56.0 / v1.31.0 [docker/cli#5750](https://github.com/docker/cli/pull/5750)
+- !TODO: vendor: github.com/creack/pty v1.1.24 [docker/cli#5746](https://github.com/docker/cli/pull/5746)
+- !TODO: cli/command/plugin: runCreate: minor cleanup [docker/cli#5729](https://github.com/docker/cli/pull/5729)
+- !TODO: ci: update bake-action to v6 [docker/cli#5737](https://github.com/docker/cli/pull/5737)
+- !TODO: update cli-docs-tool to v0.9.0, go-md2man v2.0.6 [docker/cli#5741](https://github.com/docker/cli/pull/5741)
+- !TODO: vendor: github.com/mattn/go-runewidth v0.0.16 [docker/cli#5748](https://github.com/docker/cli/pull/5748)
+- !TODO: cli/command: update semconv to 1.26.0 [docker/cli#5751](https://github.com/docker/cli/pull/5751)
+- !TODO: switch to gopkg.in/yaml.v3 [docker/cli#5752](https://github.com/docker/cli/pull/5752)
+- !TODO: gha: Adjust release branches [docker/cli#5763](https://github.com/docker/cli/pull/5763)
+- !TODO: cli/tree: Use single character triple dot [docker/cli#5758](https://github.com/docker/cli/pull/5758)
+- !TODO: Dockerfile: dev-container: update buildx v0.20.0, compose v2.32.4 [docker/cli#5765](https://github.com/docker/cli/pull/5765)
+- !TODO: pkg/command: wrap `jsonmessage.DisplayJSONMessagesStream` with go context [docker/cli#5663](https://github.com/docker/cli/pull/5663)
+- !TODO: Dockerfile: update to alpine 3.21 [docker/cli#5767](https://github.com/docker/cli/pull/5767)
+- !TODO: Makefile: add "shell-completion" target [docker/cli#5770](https://github.com/docker/cli/pull/5770)
+- !TODO: remove dockerd man-page (moved back to moby repository) [docker/cli#5773](https://github.com/docker/cli/pull/5773)
\ No newline at end of file