fix(chart): reject query-context datasource missing a type

A datasource object with a matching id but no type was treated as valid, but query-context loading reads datasource["type"] directly and would raise KeyError when the saved context is later replayed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
fix(chart): keep query-context updates bound to the chart's datasource
2026-06-29 03:15:34 +00:00 · 2026-06-13 07:49:04 -07:00 · 2026-06-13 06:40:07 -07:00
499 changed files with 15198 additions and 75764 deletions
--- a/.github/actions/setup-backend/action.yml
+++ b/.github/actions/setup-backend/action.yml
@@ -42,7 +42,7 @@ runs:
        fi
        echo "python-version=$RESOLVED_VERSION" >> "$GITHUB_OUTPUT"
    - name: Set up Python ${{ steps.set-python-version.outputs.python-version }}
-      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
      with:
        python-version: ${{ steps.set-python-version.outputs.python-version }}
        cache: ${{ inputs.cache }}
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,6 +3,10 @@ enable-beta-ecosystems: true
 updates:
  - package-ecosystem: "github-actions"
    directory: "/"
+    ignore:
+      # Ignore temporarily as release schedule is too mentally taxing for dep-handling maintainers
+      # Additionally, very few PRs are reviewed by this action.
+      - dependency-name: anthropics/claude-code-action
    schedule:
      interval: "daily"
    cooldown:
--- a/.github/workflows/bashlib.sh
+++ b/.github/workflows/bashlib.sh
@@ -114,7 +114,7 @@ testdata() {
  say "::group::Load test data"
  # must specify PYTHONPATH to make `tests.superset_test_config` importable
  export PYTHONPATH="$GITHUB_WORKSPACE"
-  uv pip install --system -e .
+  pip install -e .
  superset db upgrade
  superset load_test_users
  superset load_examples --load-test-data
@@ -127,7 +127,7 @@ playwright_testdata() {
  say "::group::Load all examples for Playwright tests"
  # must specify PYTHONPATH to make `tests.superset_test_config` importable
  export PYTHONPATH="$GITHUB_WORKSPACE"
-  uv pip install --system -e .
+  pip install -e .
  superset db upgrade
  superset load_test_users
  superset load_examples
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -0,0 +1,88 @@
+name: Claude PR Assistant
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+
+permissions:
+  contents: read
+
+jobs:
+  check-permissions:
+    if: |
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude'))
+    runs-on: ubuntu-latest
+    outputs:
+      allowed: ${{ steps.check.outputs.allowed }}
+    steps:
+      - name: Check if user is allowed
+        id: check
+        env:
+          COMMENTER: ${{ github.event.comment.user.login }}
+        run: |
+          # List of allowed users
+          ALLOWED_USERS="mistercrunch,rusackas"
+
+          echo "Checking permissions for user: $COMMENTER"
+
+          # Check if user is in allowed list
+          if [[ ",$ALLOWED_USERS," == *",$COMMENTER,"* ]]; then
+            echo "allowed=true" >> $GITHUB_OUTPUT
+            echo "✅ User $COMMENTER is allowed to use Claude"
+          else
+            echo "allowed=false" >> $GITHUB_OUTPUT
+            echo "❌ User $COMMENTER is not allowed to use Claude"
+          fi
+
+  deny-access:
+    needs: check-permissions
+    if: needs.check-permissions.outputs.allowed == 'false'
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - name: Comment access denied
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        env:
+          COMMENTER_LOGIN: ${{ github.event.comment.user.login || github.event.review.user.login || github.event.issue.user.login }}
+        with:
+          script: |
+            const commenter = process.env.COMMENTER_LOGIN;
+            const message = `👋 Hi @${commenter}!
+
+            Thanks for trying to use Claude Code, but currently only certain team members have access to this feature.
+
+            If you believe you should have access, please contact a project maintainer.`;
+
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body: message
+            });
+
+  claude-code-action:
+    needs: check-permissions
+    if: needs.check-permissions.outputs.allowed == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+      id-token: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+          fetch-depth: 1
+
+      - name: Run Claude PR Action
+        uses: anthropics/claude-code-action@5fb899572b81d2bb648d4d187173a2f423a9677c # beta
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          timeout_minutes: "60"
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -47,7 +47,6 @@ jobs:
    permissions:
      actions: read
      contents: read
-      pull-requests: read
      security-events: write

    strategy:
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -43,7 +43,7 @@ jobs:
          #   the latest version. It's MIT: https://github.com/nbubna/store/blob/master/LICENSE-MIT
          # pkg:npm/node-forge@1.3.1
          #   selecting BSD-3-Clause licensing terms for node-forge to ensure compatibility with Apache
-          allow-dependencies-licenses: pkg:npm/rgbcolor, pkg:npm/jszip@3.10.1
+          allow-dependencies-licenses: pkg:npm/store2@2.14.2, pkg:npm/node-forge@1.3.1, pkg:npm/rgbcolor, pkg:npm/jszip@3.10.1

  python-dependency-liccheck:
    # NOTE: Configuration for liccheck lives in our pyproject.yml.
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -75,24 +75,6 @@ jobs:
        with:
          persist-credentials: false

-      - name: Free up disk space
-        shell: bash
-        run: |
-          # Reclaim large preinstalled toolchains we don't use. The image
-          # build, and especially the docker-compose sanity check (which
-          # rebuilds from scratch whenever the registry cache image
-          # apache/superset-cache is unavailable), can otherwise exhaust the
-          # runner's root disk and fail with "no space left on device".
-          echo "Disk before cleanup:"; df -h /
-          sudo rm -rf \
-            /usr/share/dotnet \
-            /usr/local/lib/android \
-            /opt/ghc \
-            /usr/local/.ghcup \
-            /opt/hostedtoolcache/CodeQL \
-            /usr/local/share/boost || true
-          echo "Disk after cleanup:"; df -h /
-
      - name: Setup Docker Environment
        uses: ./.github/actions/setup-docker
        with:
@@ -119,27 +101,13 @@ jobs:
            PUSH_OR_LOAD="--load"
          fi

-          # Retry to absorb transient Docker Hub registry errors (base-image
-          # pull timeouts, 504/401 on push, ECONNRESET) that otherwise fail
-          # the whole job. buildx reuses the buildkit layer cache from the
-          # failed attempt, so a retry mostly re-does just the failed push.
-          for attempt in 1 2 3; do
-            if supersetbot docker \
-              $PUSH_OR_LOAD \
-              --preset "$BUILD_PRESET" \
-              --context "$EVENT" \
-              --context-ref "$RELEASE" $FORCE_LATEST \
-              --extra-flags "--build-arg INCLUDE_CHROMIUM=false --tag $IMAGE_TAG" \
-              $PLATFORM_ARG; then
-              break
-            fi
-            if [ "$attempt" -eq 3 ]; then
-              echo "::error::supersetbot docker build failed after 3 attempts"
-              exit 1
-            fi
-            echo "::warning::Build attempt ${attempt} failed; retrying in 30s..."
-            sleep 30
-          done
+          supersetbot docker \
+            $PUSH_OR_LOAD \
+            --preset "$BUILD_PRESET" \
+            --context "$EVENT" \
+            --context-ref "$RELEASE" $FORCE_LATEST \
+            --extra-flags "--build-arg INCLUDE_CHROMIUM=false --tag $IMAGE_TAG" \
+            $PLATFORM_ARG

      # in the context of push (using multi-platform build), we need to pull the image locally
      - name: Docker pull
@@ -180,21 +148,6 @@ jobs:
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
-      - name: Free up disk space
-        shell: bash
-        run: |
-          # The sanity check rebuilds the image from scratch whenever the
-          # registry cache image apache/superset-cache is unavailable, which
-          # can exhaust the runner's root disk ("no space left on device").
-          echo "Disk before cleanup:"; df -h /
-          sudo rm -rf \
-            /usr/share/dotnet \
-            /usr/local/lib/android \
-            /opt/ghc \
-            /usr/local/.ghcup \
-            /opt/hostedtoolcache/CodeQL \
-            /usr/local/share/boost || true
-          echo "Disk after cleanup:"; df -h /
      - name: Setup Docker Environment
        uses: ./.github/actions/setup-docker
        with:
--- a/.github/workflows/embedded-sdk-release.yml
+++ b/.github/workflows/embedded-sdk-release.yml
@@ -10,15 +10,25 @@ permissions:
  contents: read

 jobs:
-  build:
-    # Publishing uses npm trusted publishing (OIDC), so there is no NPM_TOKEN to
-    # gate on. Restrict to the canonical repo: forks cannot mint a valid OIDC
-    # token for this package and must not publish.
-    if: github.repository == 'apache/superset'
+  config:
+    runs-on: ubuntu-24.04
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${NPM_TOKEN}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
+        env:
+          NPM_TOKEN: ${{ (secrets.NPM_TOKEN != '') || '' }}
+  build:
+    needs: config
+    if: needs.config.outputs.has-secrets
    runs-on: ubuntu-24.04
-    permissions:
-      contents: read
-      id-token: write # required for npm trusted publishing (OIDC)
    defaults:
      run:
        working-directory: superset-embedded-sdk
@@ -26,13 +36,11 @@ jobs:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
-      # Note: registry-url is intentionally omitted. When set, actions/setup-node
-      # writes an .npmrc with `_authToken=${NODE_AUTH_TOKEN}` and a placeholder
-      # token, which makes npm attempt token auth and skip the OIDC
-      # trusted-publishing exchange. With no .npmrc auth line, npm authenticates
-      # via OIDC against the default registry (registry.npmjs.org).
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: "./superset-embedded-sdk/.nvmrc"
+          registry-url: "https://registry.npmjs.org"
      - run: npm ci
      - run: npm run ci:release
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
--- a/.github/workflows/generate-FOSSA-report.yml
+++ b/.github/workflows/generate-FOSSA-report.yml
@@ -37,7 +37,7 @@ jobs:
          persist-credentials: false
          submodules: recursive
      - name: Setup Java
-        uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287 # v5.3.0
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
        with:
          distribution: "temurin"
          java-version: "11"
--- a/.github/workflows/license-check.yml
+++ b/.github/workflows/license-check.yml
@@ -23,7 +23,7 @@ jobs:
          persist-credentials: false
          submodules: recursive
      - name: Setup Java
-        uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287 # v5.3.0
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
        with:
          distribution: "temurin"
          java-version: "11"
--- a/.github/workflows/superset-app-cli.yml
+++ b/.github/workflows/superset-app-cli.yml
@@ -61,7 +61,7 @@ jobs:
      - name: superset init
        if: steps.check.outputs.python
        run: |
-          uv pip install --system -e .
+          pip install -e .
          superset db upgrade
          superset load_test_users
      - name: superset load_examples
--- a/.github/workflows/superset-docs-deploy.yml
+++ b/.github/workflows/superset-docs-deploy.yml
@@ -71,7 +71,7 @@ jobs:
          node-version-file: "./docs/.nvmrc"
      - name: Setup Python
        uses: ./.github/actions/setup-backend/
-      - uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287 # v5.3.0
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
        with:
          distribution: "zulu"
          java-version: "21"
--- a/.github/workflows/superset-e2e.yml
+++ b/.github/workflows/superset-e2e.yml
@@ -49,7 +49,7 @@ jobs:

  cypress-matrix:
    needs: changes
-    if: (needs.changes.outputs.python == 'true' || needs.changes.outputs.frontend == 'true') && github.event.pull_request.draft == false
+    if: needs.changes.outputs.python == 'true' || needs.changes.outputs.frontend == 'true'
    # Somehow one test flakes on 24.04 for unknown reasons, this is the only GHA left on 22.04
    runs-on: ubuntu-22.04
    timeout-minutes: 30
--- a/.github/workflows/superset-extensions-cli.yml
+++ b/.github/workflows/superset-extensions-cli.yml
@@ -56,7 +56,7 @@ jobs:

      - name: Upload coverage reports to Codecov
        if: steps.check.outputs.superset-extensions-cli
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          file: ./coverage.xml
          flags: superset-extensions-cli
--- a/.github/workflows/superset-frontend.yml
+++ b/.github/workflows/superset-frontend.yml
@@ -134,7 +134,7 @@ jobs:
        run: npx nyc merge coverage/ merged-output/coverage-summary.json

      - name: Upload Code Coverage
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          flags: javascript
          use_oidc: true
--- a/.github/workflows/superset-python-integrationtest.yml
+++ b/.github/workflows/superset-python-integrationtest.yml
@@ -1,11 +1,6 @@
 # Python integration tests
 name: Python-Integration

-# Least-privilege default for GITHUB_TOKEN. Jobs that need more (e.g. OIDC for
-# codecov uploads) opt in via their own job-level `permissions:` block.
-permissions:
-  contents: read
-
 on:
  push:
    branches:
@@ -90,7 +85,7 @@ jobs:
        run: |
          ./scripts/python_tests.sh
      - name: Upload code coverage
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          flags: python,mysql
          verbose: true
@@ -178,7 +173,7 @@ jobs:
        run: |
          ./scripts/python_tests.sh
      - name: Upload code coverage
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          flags: python,postgres
          verbose: true
@@ -227,7 +222,7 @@ jobs:
        run: |
          ./scripts/python_tests.sh
      - name: Upload code coverage
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          flags: python,sqlite
          verbose: true
--- a/.github/workflows/superset-python-presto-hive.yml
+++ b/.github/workflows/superset-python-presto-hive.yml
@@ -90,7 +90,7 @@ jobs:
        run: |
          ./scripts/python_tests.sh -m 'chart_data_flow or sql_json_flow'
      - name: Upload code coverage
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          flags: python,presto
          verbose: true
@@ -149,10 +149,10 @@ jobs:
          run: celery-worker
      - name: Python unit tests (PostgreSQL)
        run: |
-          uv pip install --system -e .[hive]
+          pip install -e .[hive]
          ./scripts/python_tests.sh -m 'chart_data_flow or sql_json_flow'
      - name: Upload code coverage
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          flags: python,hive
          verbose: true
--- a/.github/workflows/superset-python-unittest.yml
+++ b/.github/workflows/superset-python-unittest.yml
@@ -1,11 +1,6 @@
 # Python unit tests
 name: Python-Unit

-# Least-privilege default for GITHUB_TOKEN. Jobs that need more (e.g. OIDC for
-# codecov uploads) opt in via their own job-level `permissions:` block.
-permissions:
-  contents: read
-
 on:
  push:
    branches:
@@ -77,7 +72,7 @@ jobs:
          pytest --durations-min=0.5 --cov=superset/sql/ ./tests/unit_tests/sql/ --cache-clear --cov-fail-under=100
          pytest --durations-min=0.5 --cov=superset/semantic_layers/ ./tests/unit_tests/semantic_layers/ --cache-clear --cov-fail-under=100
      - name: Upload code coverage
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          flags: python,unit
          verbose: true
--- a/.github/workflows/sync-requirements-for-python-dep-upgrade-pr.yml
+++ b/.github/workflows/sync-requirements-for-python-dep-upgrade-pr.yml
@@ -1,60 +0,0 @@
-name: Sync requirements for Python dependency PRs
-
-on:
-  pull_request:
-    types: [opened, synchronize]
-
-permissions:
-  contents: write
-  pull-requests: read
-
-jobs:
-  sync-python-dep-requirements:
-    # This action is limited for (1) PRs authored by Dependabot and (2) upstream repo due to write back to remote
-    if: github.repository == 'apache/superset' && github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.head.repo.fork == false
-    runs-on: ubuntu-26.04
-    steps:
-      - name: Fetch Dependabot metadata
-        id: dependabot-metadata
-        shell: bash
-        env:
-          BRANCH_NAME: ${{ github.head_ref }}
-        run: |
-          # Get current branch name, extract the package ecosystem and return as GHA step output
-          packageEcosystem=$(echo "$BRANCH_NAME" | cut -d'/' -f2)
-          echo "package-ecosystem=$packageEcosystem" >> $GITHUB_OUTPUT
-
-      # zizmor: ignore[artipacked] - required persisted credentials to push synced requirement changes back to remote
-      - name: Checkout source code
-        if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-          persist-credentials: true
-
-      # Authenticate the Docker daemon so the python:slim pull in
-      # uv-pip-compile.sh uses our (much higher) authenticated rate limit
-      # instead of the shared-runner anonymous one.
-      - name: Login to Docker Hub
-        if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}
-        continue-on-error: true
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USER }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Sync requirements in containerized environment
-        if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}
-        run: ./scripts/uv-pip-compile.sh
-
-      - name: Push changes to remote PRs
-        if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}
-        run: |
-          git config user.name 'github-actions[bot]'
-          git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
-          git add requirements
-          git diff --cached --quiet && exit 0
-          git commit --signoff --message "build(deps): sync pinned requirements for Dependabot pip PRs"
-          git push origin "HEAD:refs/heads/${GITHUB_EVENT_PULL_REQUEST_HEAD_REF}"
-        env:
-          GITHUB_EVENT_PULL_REQUEST_HEAD_REF: ${{ github.event.pull_request.head.ref }}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -50,4 +50,3 @@ under the License.
 - [4.1.4](./CHANGELOG/4.1.4.md)
 - [5.0.0](./CHANGELOG/5.0.0.md)
 - [6.0.0](./CHANGELOG/6.0.0.md)
- [6.1.0](./CHANGELOG/6.1.0.md)
--- a/CHANGELOG/6.1.0.md
+++ b/CHANGELOG/6.1.0.md
--- a/17
+++ b/17
@@ -23,14 +23,11 @@ PYTHON=`command -v python3.11 || command -v python3.10`
 install: superset pre-commit

 superset:
-	# Bootstrap uv (the project's installer) into the active environment
-	pip install uv
-
 	# Install external dependencies
-	uv pip install -r requirements/development.txt
+	pip install -r requirements/development.txt

 	# Install Superset in editable (development) mode
-	uv pip install -e .
+	pip install -e .

 	# Create an admin user in your metadata database
 	superset fab create-admin \
@@ -55,14 +52,11 @@ superset:
 update: update-py update-js

 update-py:
-	# Bootstrap uv (the project's installer) into the active environment
-	pip install uv
-
 	# Install external dependencies
-	uv pip install -r requirements/development.txt
+	pip install -r requirements/development.txt

 	# Install Superset in editable (development) mode
-	uv pip install -e .
+	pip install -e .

 	# Initialize the database
 	superset db upgrade
@@ -85,8 +79,7 @@ activate:

 pre-commit:
 	# setup pre commit dependencies
-	pip install uv
-	uv pip install -r requirements/development.txt
+	pip3 install -r requirements/development.txt
 	pre-commit install

 format: py-format js-format
--- a/RESOURCES/INTHEWILD.yaml
+++ b/RESOURCES/INTHEWILD.yaml
@@ -83,9 +83,6 @@ categories:
    - name: Clark.de
      url: https://clark.de/

-    - name: Cover Genius
-      url: https://covergenius.com/
-
    - name: EnquiryLabs
      url: https://www.enquirylabs.co.uk

@@ -95,10 +92,6 @@ categories:
    - name: KarrotPay
      url: https://www.daangnpay.com/

-    - name: NICE Actimize
-      url: https://www.niceactimize.com/
-      contributors: ["@stevensuting"]
-
    - name: Remita
      url: https://remita.net
      contributors: ["@mujibishola"]
@@ -119,6 +112,9 @@ categories:
      url: https://xendit.co/
      contributors: ["@LieAlbertTriAdrian"]

+    - name: Cover Genius
+      url: https://covergenius.com/
+
  Gaming:
    - name: Popoko VM Games Studio
      url: https://popoko.live
@@ -300,6 +296,7 @@ categories:
      logo: hifadih.png
      contributors: ["@saintLaurent00"]

+    # Logo approved by @anmol-hpe on behalf of HPE
    - name: HPE
      url: https://www.hpe.com/in/en/home.html
      logo: hpe.png
@@ -399,10 +396,6 @@ categories:
      url: https://www.techaudit.info
      contributors: ["@ETselikov"]

-    - name: Tech Solution
-      url: https://www.tech-solution.com.ar/
-      contributors: ["@danteGiuliano", "@LeandroVallejos", "@McJaben", "@xJeree", "@zeo-return-null"]
-
    - name: Tenable
      url: https://www.tenable.com
      contributors: ["@dflionis"]
@@ -432,10 +425,6 @@ categories:
      logo: userguiding.svg
      contributors: ["@tzercin"]

-    - name: Value Ad
-      url: https://bestpair.info/
-      contributors: ["@stevensuting"]
-
    - name: Virtuoso QA
      url: https://www.virtuosoqa.com

@@ -520,6 +509,10 @@ categories:
      url: https://www.sunbird.org/
      contributors: ["@eksteporg"]

+    - name: The GRAPH Network
+      url: https://thegraphnetwork.org/
+      contributors: ["@fccoelho"]
+
    - name: Udemy
      url: https://www.udemy.com/
      contributors: ["@sungjuly"]
@@ -528,24 +521,7 @@ categories:
      url: https://www.vipkid.com.cn/
      contributors: ["@illpanda"]

-  Social Organization:
-    - name: Living Goods
-      url: https://www.livinggoods.org
-      contributors: ["@chelule"]
-
-    - name: One Acre Fund
-      url: https://oneacrefund.org/
-      contributors: ["@stevensuting"]
-
-    - name: Quest Alliance
-      url: https://www.questalliance.net/
-      contributors: ["@stevensuting"]
-
-    - name: The GRAPH Network
-      url: https://thegraphnetwork.org/
-      contributors: ["@fccoelho"]
-
-    - name: Wikimedia Foundation
+    - name: WikiMedia Foundation
      url: https://wikimediafoundation.org
      contributors: ["@vg"]

@@ -558,10 +534,6 @@ categories:
      url: https://www.douroeci.com/
      contributors: ["@nunohelibeires"]

-    - name: Rogow
-      url: https://rogow.com.br/
-      contributors: ["@nilmonto"]
-
    - name: Safaricom
      url: https://www.safaricom.co.ke/
      contributors: ["@mmutiso"]
@@ -574,10 +546,11 @@ categories:
      url: https://wattbewerb.de/
      contributors: ["@wattbewerb"]

-  Healthcare:
-    - name: 2070Health
-      url: https://2070health.com/
+    - name: Rogow
+      url: https://rogow.com.br/
+      contributors: ["@nilmonto"]

+  Healthcare:
    - name: Amino
      url: https://amino.com
      contributors: ["@shkr"]
@@ -590,6 +563,10 @@ categories:
      url: https://www.getcare.io/
      contributors: ["@alandao2021"]

+    - name: Living Goods
+      url: https://www.livinggoods.org
+      contributors: ["@chelule"]
+
    - name: Maieutical Labs
      url: https://maieuticallabs.it
      contributors: ["@xrmx"]
@@ -608,10 +585,10 @@ categories:
    - name: WeSure
      url: https://www.wesure.cn/

-  HR / Staffing:
-    - name: bluquist
-      url: https://bluquist.com/
+    - name: 2070Health
+      url: https://2070health.com/

+  HR / Staffing:
    - name: Swile
      url: https://www.swile.co/
      contributors: ["@PaoloTerzi"]
@@ -619,18 +596,21 @@ categories:
    - name: Symmetrics
      url: https://www.symmetrics.fyi

+    - name: bluquist
+      url: https://bluquist.com/
+
  Government:
    - name: City of Ann Arbor, MI
      url: https://www.a2gov.org/
      contributors: ["@sfirke"]

-    - name: NRLM - Sarathi, India
-      url: https://pib.gov.in/PressReleasePage.aspx?PRID=1999586
-
    - name: RIS3 Strategy of CZ, MIT CR
      url: https://www.ris3.cz/
      contributors: ["@RIS3CZ"]

+    - name: NRLM - Sarathi, India
+      url: https://pib.gov.in/PressReleasePage.aspx?PRID=1999586
+
  Mobile Software:
    - name: VLMedia
      url: https://www.vlmedia.com.tr
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -24,29 +24,6 @@ assists people when migrating to a new version.

 ## Next

-### Pivot table First/Last aggregations follow data order
-
-The pivot table chart's `First` and `Last` aggregations now return the first and last value in data (query result) order, instead of effectively returning the minimum and maximum. Existing pivot tables that use these aggregations for totals/subtotals may show different values after upgrading. For deterministic results, ensure the underlying query has a stable sort order.
-
-### `thumbnail_url` removed from dashboard list API response
-
-The `thumbnail_url` field has been removed from `GET /api/v1/dashboard/` list responses. External consumers relying on this field must now construct the thumbnail URL client-side using `id` and `changed_on_utc`:
-
-```
-/api/v1/dashboard/{id}/thumbnail/{changed_on_utc}/
-```
-
-The thumbnail endpoint redirects to the current digest URL regardless of whether the supplied digest is exact. If the image is not yet cached, that digest URL may return `202` and trigger async generation. Using `changed_on_utc` as the digest is sufficient for cache-busting purposes.
-
-### Webhook alerts/reports block private/internal hosts by default
-
-Webhook alert/report dispatch (`WebhookNotification.send`) now validates the target URL's host against the same private/internal-IP block applied to dataset import URLs. If the resolved host is in a loopback, link-local, private (RFC-1918), shared-CGNAT, or multicast range, the webhook is rejected with `NotificationParamException`.
-
-Deployments that intentionally point webhooks at internal targets (chatops bridges, internal automation servers, on-premises Mattermost/Rocket.Chat, etc.) can opt out by setting `ALERT_REPORTS_WEBHOOK_ALLOW_INTERNAL_HOSTS = True` in `superset_config.py`. This mirrors the existing `DATASET_IMPORT_ALLOW_INTERNAL_DATA_URLS` opt-out for dataset imports.
-
-### Impala cancel_query blocks private/internal hosts by default
-
-The Impala engine spec's `cancel_query` issues an HTTP request from the Superset backend to the host configured on the Impala database connection. That host is now validated before the request: if it resolves to a private/internal IP range, the cancel call is refused and a warning is logged. Operators whose Impala cluster runs on an internal network can opt out by setting `IMPALA_CANCEL_QUERY_ALLOW_INTERNAL_HOSTS = True` in `superset_config.py`. This mirrors the dataset-import and webhook opt-out flags.
 ### Map chart renderer and OpenStreetMap migration behavior

 The MapLibre migration for deck.gl charts preserves saved non-Mapbox styles on
@@ -68,23 +45,6 @@ service requires visible `© OpenStreetMap contributors` attribution and should
 be used through normal browser map tile requests and caching; it is not intended
 for bulk prefetch or offline tile downloads.

-### Password complexity policy enabled by default
-
-Superset now ships a default password-complexity policy, enforced (via Flask-AppBuilder) across self-registration, the user create/edit/reset forms, and the User REST API. The policy requires a minimum password length of 8 characters and rejects a built-in blocklist of common/guessable passwords.
-
-This is enabled by default (`FAB_PASSWORD_COMPLEXITY_ENABLED = True`), so new or reset passwords that are too short or appear in the blocklist will be rejected where they were previously accepted. Existing stored passwords are unaffected until they are next changed.
-
-Operators can tune or disable the policy via config:
-
- `AUTH_PASSWORD_MIN_LENGTH` — minimum length (default `8`).
- `AUTH_PASSWORD_COMMON_BLOCKLIST` — extra passwords to reject, in addition to the built-in list.
- `FAB_PASSWORD_COMPLEXITY_VALIDATOR` — replace with your own callable for custom rules.
- `FAB_PASSWORD_COMPLEXITY_ENABLED = False` — disable enforcement entirely.
-
-### Data uploads bounded by UPLOAD_MAX_FILE_SIZE_BYTES
-
-Single data-file uploads (CSV, Excel, columnar) are now bounded by the `UPLOAD_MAX_FILE_SIZE_BYTES` config option, which defaults to `100 * 1024 * 1024` (100 MB). Files larger than this are rejected with a `413` before their contents are buffered into memory. Set `UPLOAD_MAX_FILE_SIZE_BYTES = None` to disable the check and restore unbounded uploads.
-
 ### Duration formatter precision

 The `DURATION` number formatter now uses `Intl.DurationFormat` for locale-aware output. By default, sub-second fields are omitted, so values that previously displayed fractional seconds with `pretty-ms`, such as `10500` milliseconds rendering as `10.5s`, now render as `10s`.
@@ -135,20 +95,6 @@ This change is backward compatible. The feature is off by default, and even when

 Disabling a user account (setting `active` to `False`, via the admin UI, REST API, or CLI) now terminates that user's outstanding sessions on their next request, instead of relying on a passive check. This works for both client-side cookie sessions and server-side session stores via a per-user invalidation epoch (`user_attribute.sessions_invalidated_at`, added by a migration). The mechanism is inert for users that were never disabled (NULL epoch), so there is no behavior change for active users. Re-enabling an account and logging in again starts a fresh, valid session. The migration backfills the epoch for accounts that are already disabled at upgrade time, so re-enabling such an account does not revive a session that predates this feature.

-### Opt-in SSH tunnel server host key verification
-
-SSH tunnels can now optionally pin the expected SSH server host key as a defense-in-depth measure against man-in-the-middle attacks. paramiko's transport performs no known-hosts checking by default, so previously the SSH server's identity was not verified. This feature is opt-in and off by default; existing tunnels are unaffected.
-
- A new nullable `server_host_key` column on the `ssh_tunnels` table stores the expected host key in authorized-key form (e.g. `ssh-ed25519 AAAA...`). It is a public key and is stored in plaintext. It can be set via the SSH tunnel POST/PUT payloads (`ssh_tunnel.server_host_key`).
- When a tunnel has `server_host_key` set, Superset connects to the SSH server, reads the host key it presents, and rejects the tunnel if it does not match.
- A new config flag `SSH_TUNNEL_STRICT_HOST_KEY_CHECKING` (default `False`) controls fail-closed behavior. When `True`, every tunnel must declare a `server_host_key`; a tunnel without one is rejected.
-
-Runbook to adopt:
-
-1. Capture the SSH server's host key, e.g. `ssh-keyscan -t ed25519 ssh.example.com` (verify it out-of-band).
-2. Set that value on the tunnel's `server_host_key` (via the database/SSH tunnel API or UI payload).
-3. Optionally set `SSH_TUNNEL_STRICT_HOST_KEY_CHECKING = True` in `superset_config.py` to require host-key verification on all tunnels.
-
 ### Dataset import validates catalog against the target connection

 Importing a dataset now validates the `catalog` field against the target database connection. When the connection has multi-catalog disabled (`allow_multi_catalog` off) and the dataset's catalog is not the connection's default catalog, the import fails instead of silently persisting the non-default catalog. This matches the validation already enforced on the dataset update path and prevents imported datasets from querying an unintended database.
@@ -168,36 +114,6 @@ Both default to empty (no behavior change). They apply to both the `LOCAL_EXTENS

 The Dynamic Group By chart customization now orders its display values according to the "Sort display control values" toggle: ascending (A–Z), descending (Z–A), or the dataset's source order when the toggle is unset. Previously the dropdown always sorted alphabetically. Existing dashboards where the toggle was never set will show options in source order instead of A–Z; open the customization and enable the toggle to restore alphabetical ordering.

-### Selectable encryption engine for app-encrypted fields (AES-GCM)
-
-App-encrypted fields (database passwords, SSH tunnel credentials, OAuth tokens, etc.) can now use authenticated **AES-GCM** encryption instead of the historical unauthenticated **AES-CBC**. A new config selects the engine for the default adapter:
-
-```python
-# "aes" (AES-CBC, historical default) | "aes-gcm" (authenticated, recommended for new installs)
-SQLALCHEMY_ENCRYPTED_FIELD_ENGINE = "aes"
-```
-
-**No action required / no behavior change:** the default remains `"aes"`, so existing installs are unaffected.
-
-**Opting in on an existing install:** flipping the engine on a populated database without re-encrypting first will make stored secrets undecryptable, because the two ciphertext formats are not compatible. A migrator is provided. Recommended runbook:
-
-1. Take a metadata-DB backup.
-2. Re-encrypt existing secrets into the new engine (the `SECRET_KEY` is unchanged):
-   ```bash
-   superset re-encrypt-secrets --engine aes-gcm
-   ```
-3. Set `SQLALCHEMY_ENCRYPTED_FIELD_ENGINE = "aes-gcm"` in your config.
-4. Restart Superset.
-5. Re-run the migrator once more after the restart:
-   ```bash
-   superset re-encrypt-secrets --engine aes-gcm
-   ```
-   A live instance keeps writing *new* secrets as AES-CBC during the window between step 2 and the restart in step 4; this second pass sweeps those up (it is idempotent, so already-migrated values are skipped).
-
-Schedule the cutover in a quiet window. Runtime reads use only the single configured engine, so in a multi-worker deployment there is an unavoidable brief decrypt-outage between the migration commit and the last worker restarting with the new config — each migrator run is transactional, but the fleet-wide cutover is not zero-downtime.
-
-The migration is transactional (all-or-nothing) and idempotent — it can be safely re-run or resumed. Note that AES-GCM, unlike AES-CBC, does not support querying directly over encrypted columns; audit any code that filters on an encrypted column before switching. See the SIP at `docs/sip/authenticated-encryption-at-rest.md` for details.
-
 ### Granular Export Controls

 A new feature flag `GRANULAR_EXPORT_CONTROLS` introduces three fine-grained permissions that replace the legacy `can_csv` permission:
@@ -227,9 +143,6 @@ Added a new combined datasource list endpoint at `GET /api/v1/datasource/` to se
 - The endpoint is available to users with at least one of `can_read` on `Dataset` or `SemanticView`.
 - Semantic views are included only when the `SEMANTIC_LAYERS` feature flag is enabled.
 - The endpoint enforces strict `order_column` validation and returns `400` for invalid sort columns.
-
-## 6.1.0
-
 ### ClickHouse minimum driver version bump

 The minimum required version of `clickhouse-connect` has been raised to `>=0.13.0`. If you are using the ClickHouse connector, please upgrade your `clickhouse-connect` package. The `_mutate_label` workaround that appended hash suffixes to column aliases has also been removed, as it is no longer needed with modern versions of the driver.
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -72,23 +72,20 @@ services:
      - -c
      - |
        url="http://host.docker.internal:9000/static/assets/manifest.json"
-        max_attempts=300  # ~10 minutes at 2s intervals; first build can be slow
-        echo "Waiting for webpack dev server at $$url..."
+        max_attempts=150  # ~5 minutes at 2s intervals
+        echo "Waiting for webpack dev server at $url..."
        attempt=0
-        until curl -sf --max-time 5 -H "Host: localhost" -o /dev/null "$$url"; do
-          attempt=$$((attempt + 1))
-          if [ "$$attempt" -ge "$$max_attempts" ]; then
-            echo "ERROR: webpack dev server did not serve $$url after $$max_attempts attempts." >&2
+        until curl -sf --max-time 5 -o /dev/null "$url"; do
+          attempt=$((attempt + 1))
+          if [ "$attempt" -ge "$max_attempts" ]; then
+            echo "ERROR: webpack dev server did not serve $url after $max_attempts attempts (~5 minutes)." >&2
            echo "Is the dev server running? With BUILD_SUPERSET_FRONTEND_IN_DOCKER=false you must start it on the host (e.g. 'npm run dev' in superset-frontend)." >&2
            exit 1
          fi
-          if [ $$((attempt % 15)) -eq 0 ]; then
-            echo "Still waiting for webpack dev server... ($$attempt/$$max_attempts)"
-          fi
          sleep 2
        done
        echo "Webpack dev server is ready; starting nginx."
-        exec /docker-entrypoint.sh nginx -g 'daemon off;'
+        exec nginx -g 'daemon off;'

  redis:
    image: redis:7
--- a/docker/docker-bootstrap.sh
+++ b/docker/docker-bootstrap.sh
@@ -71,29 +71,27 @@ case "${1}" in
  worker)
    echo "Starting Celery worker..."
    # setting up only 2 workers by default to contain memory usage in dev environments
-    celery --app=superset.tasks.celery_app:app worker -O fair -l INFO --concurrency=${CELERYD_CONCURRENCY:-2} ${WORKER_LOG_FILE:+--logfile=$WORKER_LOG_FILE}
+    celery --app=superset.tasks.celery_app:app worker -O fair -l INFO --concurrency=${CELERYD_CONCURRENCY:-2}
    ;;
  beat)
    echo "Starting Celery beat..."
    rm -f /tmp/celerybeat.pid
-    celery --app=superset.tasks.celery_app:app beat --pidfile /tmp/celerybeat.pid -l INFO -s "${SUPERSET_HOME}"/celerybeat-schedule ${BEAT_LOG_FILE:+--logfile=$BEAT_LOG_FILE}
+    celery --app=superset.tasks.celery_app:app beat --pidfile /tmp/celerybeat.pid -l INFO -s "${SUPERSET_HOME}"/celerybeat-schedule
    ;;
  app)
    echo "Starting web app (using development server)..."

-    # Default to Flask debug mode in this dev compose entrypoint so the Talisman
-    # dev CSP (which permits 'unsafe-eval' required by React Refresh / HMR) is
-    # served. Operators can still set FLASK_DEBUG=false in docker/.env-local
-    # to exercise the production-like CSP and error handling.
-    : "${FLASK_DEBUG:=1}"
-    export FLASK_DEBUG
-
-    # Werkzeug's interactive debugger (/console) is a separate, security-sensitive
-    # feature and must be opted into explicitly via SUPERSET_DEBUG_ENABLED=true.
+    # Environment-based debugger control for security
+    # Only enable Werkzeug interactive debugger when explicitly requested
+    # Modern Werkzeug (3.0+) includes PIN protection, but defense-in-depth approach
+    # Override FLASK_DEBUG so the effective state matches SUPERSET_DEBUG_ENABLED even
+    # when FLASK_DEBUG=true is inherited from docker/.env or .flaskenv
    if [[ "${SUPERSET_DEBUG_ENABLED:-}" == "true" ]]; then
+        export FLASK_DEBUG=1
        DEBUGGER_FLAG="--debugger"
        echo "  ⚠️  Werkzeug debugger enabled (requires PIN for /console access)"
    else
+        export FLASK_DEBUG=0
        DEBUGGER_FLAG="--no-debugger"
        echo "  🔒 Werkzeug debugger disabled (set SUPERSET_DEBUG_ENABLED=true to enable)"
    fi
--- a/docs/admin_docs/configuration/configuring-superset.mdx
+++ b/docs/admin_docs/configuration/configuring-superset.mdx
@@ -455,51 +455,6 @@ def FLASK_APP_MUTATOR(app: Flask) -> None:
    app.before_request_funcs.setdefault(None, []).append(make_session_permanent)
 ```

-## Customizing the landing page (index view)
-
-The page served at `/` is rendered by an index view. By default Superset registers
-`SupersetIndexView`, which redirects to `/superset/welcome/` and also adds the
-`/lang/<locale>` locale handler. You can replace it with your own view, for example
-to send users straight to a specific dashboard or to a chart list.
-
-Set `FAB_INDEX_VIEW` to the **importable dotted path** of your view class. Flask-AppBuilder
-resolves this during app initialization and uses it in place of the default:
-
-```python
-# my_overrides.py — must be importable on the PYTHONPATH
-from flask import redirect
-from superset.initialization import SupersetIndexView
-from superset.superset_typing import FlaskResponse
-from flask_appbuilder import expose
-
-
-class MyIndexView(SupersetIndexView):
-    @expose("/")
-    def index(self) -> FlaskResponse:
-        return redirect("/chart/list/")
-```
-
-```python
-# superset_config.py
-FAB_INDEX_VIEW = "my_overrides.MyIndexView"
-```
-
-A few things that commonly trip people up:
-
- **Subclass `SupersetIndexView`, not Flask-AppBuilder's bare `IndexView`.** Subclassing
-  keeps Superset's `/lang/<locale>` locale handling; replacing it with a bare `IndexView`
-  silently drops that behavior.
- **The class must be importable as a real module.** `FAB_INDEX_VIEW` is resolved by
-  importing the dotted path, which is independent of how `superset_config.py` itself is
-  loaded. Superset only copies **uppercase** names out of `superset_config.py` into its
-  runtime config, so a `FAB_INDEX_VIEW = "superset_config.MyIndexView"` reference only works
-  if `superset_config` is itself importable by that name on the `PYTHONPATH`. If you load
-  config via `SUPERSET_CONFIG_PATH` (an arbitrary file path), put the view in a separate
-  importable module instead and reference that module.
- **Don't set `appbuilder.indexview` from `FLASK_APP_MUTATOR`.** The mutator runs after
-  routes are already registered, so the assignment has no effect on the `/` route. Use
-  `FAB_INDEX_VIEW` instead.
-
 ## Feature Flags

 To support a diverse set of users, Superset has some features that are not enabled by default. For
--- a/docs/admin_docs/installation/pypi.mdx
+++ b/docs/admin_docs/installation/pypi.mdx
@@ -22,24 +22,31 @@ level dependencies.

 **Debian and Ubuntu**

-The following command will ensure that the required dependencies are installed (tested on Ubuntu 20.04, 22.04, and 24.04):
-
+Ubuntu **24.04** uses python 3.12 per default, which currently is not supported by Superset. You need to add a second python installation of 3.11 and install the required additional dependencies.
 ```bash
-sudo apt-get install build-essential libssl-dev libffi-dev python3-dev python3-pip python3-venv libsasl2-dev libldap2-dev libpq-dev default-libmysqlclient-dev pkg-config
+sudo add-apt-repository ppa:deadsnakes/ppa
+sudo apt update
+sudo apt install python3.11 python3.11-dev python3.11-venv build-essential libssl-dev libffi-dev libsasl2-dev libldap2-dev default-libmysqlclient-dev
 ```

-Refer to the
-[pyproject.toml](https://github.com/apache/superset/blob/master/pyproject.toml) file for the list of
-Python versions officially supported by Superset, and install a matching `python3` interpreter for
-your distribution. The `libpq-dev` package is only needed if you intend to connect to (or use) a
-PostgreSQL database; you can omit it otherwise.
+In Ubuntu **20.04 and 22.04** the following command will ensure that the required dependencies are installed:
+
+```bash
+sudo apt-get install build-essential libssl-dev libffi-dev python3-dev python3-pip libsasl2-dev libldap2-dev default-libmysqlclient-dev
+```
+
+In Ubuntu **before 20.04** the following command will ensure that the required dependencies are installed:
+
+```bash
+sudo apt-get install build-essential libssl-dev libffi-dev python-dev python-pip libsasl2-dev libldap2-dev default-libmysqlclient-dev
+```

 **Fedora and RHEL-derivative Linux distributions**

 Install the following packages using the `yum` package manager:

 ```bash
-sudo yum install gcc gcc-c++ libffi-devel python3-devel python3-pip python3-wheel openssl-devel cyrus-sasl-devel openldap-devel
+sudo yum install gcc gcc-c++ libffi-devel python-devel python-pip python-wheel openssl-devel cyrus-sasl-devel openldap-devel
 ```

 In more recent versions of CentOS and Fedora, you may need to install a slightly different set of packages using `dnf`:
--- a/docs/netlify.toml
+++ b/docs/netlify.toml
@@ -28,19 +28,14 @@
  # Skip builds when no docs changes (exit 0 = skip, non-zero = build).
  # Checks for changes in docs/ and README.md (which gets pulled into docs).
  #
-  # $CACHED_COMMIT_REF is the last *deployed* commit; it is set on incremental
-  # builds (notably the master production deploy) and empty on a context's
-  # first build (every deploy preview). The production path diffs against it
-  # and skips correctly.
-  #
-  # Deploy previews need different handling: Netlify checks out a *merge*
-  # commit, so $COMMIT_REF (the PR head SHA) is frequently not resolvable in
-  # the clone, and on a shallow clone `git merge-base` can fail too -- so the
-  # previous logic fell through to a build on every PR, even non-docs ones.
-  # Instead, always diff the checked-out HEAD against its merge-base with
-  # master, deepening the shallow clone until that merge-base resolves. If it
-  # genuinely can't be determined, exit non-zero to build (fail safe).
-  ignore = 'if [ -n "$CACHED_COMMIT_REF" ]; then git diff --quiet "$CACHED_COMMIT_REF" HEAD -- . ../README.md; else git fetch --no-tags origin master >/dev/null 2>&1 || true; i=0; while [ "$i" -lt 10 ] && ! git merge-base origin/master HEAD >/dev/null 2>&1; do git fetch --deepen=200 origin master >/dev/null 2>&1 || break; i=$((i+1)); done; BASE="$(git merge-base origin/master HEAD 2>/dev/null || true)"; if [ -z "$BASE" ]; then exit 1; fi; git diff --quiet "$BASE" HEAD -- . ../README.md; fi'
+  # $CACHED_COMMIT_REF is the last *deployed* commit. On a PR's first build it
+  # is empty, so the original `git diff` errored and Netlify fell back to
+  # building -- which is why every PR built a docs preview once even with no
+  # docs changes. When it is empty we instead diff the whole branch against its
+  # merge-base with master, so non-docs PRs are skipped from the very first
+  # build. Subsequent builds (and the master production build) keep the cheaper
+  # incremental $CACHED_COMMIT_REF diff. Any failure exits non-zero -> build.
+  ignore = 'if [ -n "$CACHED_COMMIT_REF" ]; then git diff --quiet "$CACHED_COMMIT_REF" "$COMMIT_REF" -- . ../README.md; else git fetch origin master --depth=100 >/dev/null 2>&1; git diff --quiet "$(git merge-base origin/master "$COMMIT_REF" 2>/dev/null || echo origin/master)" "$COMMIT_REF" -- . ../README.md; fi'

 [build.environment]
  # Node version matching docs/.nvmrc
--- a/docs/package.json
+++ b/docs/package.json
@@ -70,10 +70,10 @@
    "@storybook/preview-api": "^8.6.18",
    "@storybook/theming": "^8.6.15",
    "@superset-ui/core": "^0.20.4",
-    "@swc/core": "^1.15.41",
-    "antd": "^6.4.4",
-    "baseline-browser-mapping": "^2.10.37",
-    "caniuse-lite": "^1.0.30001799",
+    "@swc/core": "^1.15.40",
+    "antd": "^6.4.3",
+    "baseline-browser-mapping": "^2.10.33",
+    "caniuse-lite": "^1.0.30001793",
    "docusaurus-plugin-openapi-docs": "^5.0.2",
    "docusaurus-theme-openapi-docs": "^5.0.2",
    "js-yaml": "^4.2.0",
@@ -101,15 +101,15 @@
    "@types/js-yaml": "^4.0.9",
    "@types/react": "^19.1.8",
    "@typescript-eslint/eslint-plugin": "^8.59.3",
-    "@typescript-eslint/parser": "^8.61.0",
+    "@typescript-eslint/parser": "^8.60.1",
    "eslint": "^9.39.2",
    "eslint-config-prettier": "^10.1.8",
    "eslint-plugin-prettier": "^5.5.6",
    "eslint-plugin-react": "^7.37.5",
    "globals": "^17.6.0",
-    "prettier": "^3.8.4",
+    "prettier": "^3.8.3",
    "typescript": "~6.0.3",
-    "typescript-eslint": "^8.61.1",
+    "typescript-eslint": "^8.60.1",
    "webpack": "^5.107.2"
  },
  "browserslist": {
--- a/docs/sip/authenticated-encryption-at-rest.md
+++ b/docs/sip/authenticated-encryption-at-rest.md
@@ -1,136 +0,0 @@
-<!--
-Licensed to the Apache Software Foundation (ASF) under one
-or more contributor license agreements.  See the NOTICE file
-distributed with this work for additional information
-regarding copyright ownership.  The ASF licenses this file
-to you under the Apache License, Version 2.0 (the
-"License"); you may not use this file except in compliance
-with the License.  You may obtain a copy of the License at
-
-  http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing,
-software distributed under the License is distributed on an
-"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-KIND, either express or implied.  See the License for the
-specific language governing permissions and limitations
-under the License.
-->
-
-# SIP: Authenticated encryption (AES-GCM) for app-encrypted fields
-
-## [DRAFT — proposal for discussion]
-
-This document is a draft proposal accompanying the code in this PR. It is
-intended to seed the formal SIP discussion. The code here ships the
-backward-compatible engine selection **and** the re-encryption migrator
-(Phases 1–2 below); both are opt-in and change nothing for existing installs by
-default. Flipping the default for fresh installs (Phase 3) remains future work.
-
-## Motivation
-
-Superset app-encrypts a number of sensitive fields before persisting them to
-the metadata database, including:
-
- database connection passwords and `encrypted_extra` (`superset/models/core.py`),
- SSH tunnel credentials — password, private key, private-key password
-  (`superset/databases/ssh_tunnel/models.py`),
- OAuth2 tokens and other secrets stored via `EncryptedType`.
-
-These fields are encrypted with `sqlalchemy_utils.EncryptedType`, which
-**defaults to `AesEngine` (AES-CBC)**. AES-CBC provides confidentiality but is
-**unauthenticated**: it has no integrity tag. An attacker with write access to
-the ciphertext (e.g. direct metadata-DB access, a backup, or a compromised
-replica) can perform **bit-flipping / chosen-ciphertext manipulation** to
-silently alter the decrypted plaintext of a secret without detection.
-
-`AesGcmEngine` (AES-GCM) is authenticated encryption: tampering causes
-decryption to fail loudly rather than yielding attacker-influenced plaintext.
-Using authenticated encryption for secrets at rest is an ASVS L1 expectation
-(11.3.2 / cryptography best practice).
-
-`config.py` already documents that operators *can* switch to GCM by writing a
-custom `AbstractEncryptedFieldAdapter`, but:
-
-1. it is opt-in, undocumented as a security recommendation, and easy to miss;
-2. there is **no migration path** — flipping the engine on a populated database
-   makes every existing secret undecryptable, because GCM ciphertext is not
-   format-compatible with CBC.
-
-## Proposed change
-
-A three-part change, delivered incrementally so existing deployments are never
-broken:
-
-### Phase 1 — engine selection (this PR)
-
- Add a `SQLALCHEMY_ENCRYPTED_FIELD_ENGINE` config (`"aes"` | `"aes-gcm"`),
-  **defaulting to `"aes"`** (no behavior change for existing installs).
- Teach the default `SQLAlchemyUtilsAdapter` to honor it (an explicit `engine`
-  kwarg still wins, so the migrator can pin an engine).
- This lets **new** deployments choose AES-GCM from day one with a one-line
-  config, instead of writing a custom adapter.
-
-### Phase 2 — CBC→GCM re-encryption migrator (this PR)
-
-The existing `SecretsMigrator` (previously only used for `SECRET_KEY` rotation)
-gains an **engine migration** mode that:
-
-1. discovers every `EncryptedType` column (via `discover_encrypted_fields()`),
-2. decrypts each value with the **source** engine (AES-CBC) under the current
-   `SECRET_KEY`,
-3. re-encrypts with the **target** engine (AES-GCM),
-4. runs transactionally per the existing all-or-nothing semantics, and is
-   idempotent per column (already-migrated values are skipped), so a run can be
-   safely repeated or resumed.
-
-Exposed via a new `--engine` option on the existing CLI command:
-`superset re-encrypt-secrets --engine aes-gcm`, runnable by operators with a DB
-backup in hand. The `SECRET_KEY` is unchanged; an engine change and a key
-rotation can also be combined (pass `--previous_secret_key` as well).
-
-### Phase 3 — flip the default for new installs
-
-Once the migrator and docs are in place, change the default to `"aes-gcm"` for
-**fresh** installs only (e.g. keyed off an empty metadata DB / documented in
-`UPDATING.md`), keeping existing installs on `"aes"` until they run Phase 2.
-
-## New or changed public interfaces
-
- New config: `SQLALCHEMY_ENCRYPTED_FIELD_ENGINE: Literal["aes", "aes-gcm"]`.
- New (Phase 2) CLI: `superset re-encrypt-secrets --engine <name>`.
- No schema changes; ciphertext format changes per migrated column.
-
-## Migration plan and compatibility
-
- **Backward compatible by default.** Phase 1 changes nothing unless the
-  operator opts in.
- Switching an existing deployment to `"aes-gcm"` **without** running the Phase
-  2 migrator will make existing secrets undecryptable — this is called out in
-  the config comment and must be in `UPDATING.md`.
- Recommended operator runbook: take a metadata-DB backup → run
-  `re-encrypt-secrets --engine aes-gcm` → set
-  `SQLALCHEMY_ENCRYPTED_FIELD_ENGINE = "aes-gcm"` → restart → re-run
-  `re-encrypt-secrets --engine aes-gcm` once more to sweep up any secrets a live
-  instance wrote as AES-CBC during the cutover window. The canonical, more
-  detailed version of this runbook lives in `UPDATING.md`; this is a summary.
- `AesEngine` allows queryability over encrypted fields; AES-GCM does not.
-  Any code that filters/queries on an encrypted column directly must be audited
-  before Phase 3 (none is expected, but it must be verified).
-
-## Rejected alternatives
-
- **Flip the default immediately.** Rejected: bricks every existing
-  deployment's secrets with no migration path.
- **Document-only (custom adapter).** Status quo; high friction and no
-  migration tooling — most operators will never do it.
-
-## Open questions
-
- GCM→CBC rollback (for operators who need queryability) already works via the
-  same command (`re-encrypt-secrets --engine aes`), since the migrator is
-  engine-symmetric. Should rollback be documented as a supported path or
-  discouraged?
- The migrator already supports a concurrent `SECRET_KEY` rotation + engine
-  change in a single pass (pass `--previous_secret_key` alongside `--engine`).
-  Is that combination worth calling out in the operator docs, or kept advanced?
--- a/docs/src/data/databases.json
+++ b/docs/src/data/databases.json
@@ -7235,10 +7235,10 @@
        "pypi_packages": [
          "oracledb"
        ],
-        "connection_string": "oracle+oracledb://{username}:{password}@{hostname}:{port}",
+        "connection_string": "oracle://{username}:{password}@{hostname}:{port}",
        "default_port": 1521,
        "notes": "Previously used cx_Oracle, now uses oracledb.",
-        "docs_url": "https://python-oracledb.readthedocs.io/en/latest/user_guide/installation.html",
+        "docs_url": "https://cx-oracle.readthedocs.io/en/latest/user_guide/installation.html",
        "category": "Other Databases"
      },
      "engine": "oracle",
--- a/docs/yarn.lock
+++ b/docs/yarn.lock
--- a/helm/superset/Chart.yaml
+++ b/helm/superset/Chart.yaml
@@ -29,7 +29,7 @@ maintainers:
  - name: craig-rueda
    email: craig@craigrueda.com
    url: https://github.com/craig-rueda
-version: 0.17.0 # See [README](https://github.com/apache/superset/blob/master/helm/superset/README.md#versioning) for version details.
+version: 0.16.0 # See [README](https://github.com/apache/superset/blob/master/helm/superset/README.md#versioning) for version details.
 dependencies:
  - name: postgresql
    version: 16.7.27
--- a/helm/superset/README.md
+++ b/helm/superset/README.md
@@ -23,7 +23,7 @@ NOTE: This file is generated by helm-docs: https://github.com/norwoodj/helm-docs

 # superset

-![Version: 0.17.0](https://img.shields.io/badge/Version-0.17.0-informational?style=flat-square)
+![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square)

 Apache Superset is a modern, enterprise-ready business intelligence web application

@@ -111,6 +111,9 @@ On helm this can be set on `extraSecretEnv.SUPERSET_SECRET_KEY` or `configOverri
 | init.resources | object | `{}` |  |
 | init.tolerations | list | `[]` |  |
 | init.topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to init job |
+| initImage.pullPolicy | string | `"IfNotPresent"` |  |
+| initImage.repository | string | `"apache/superset"` |  |
+| initImage.tag | string | `"dockerize"` |  |
 | nameOverride | string | `nil` | Provide a name to override the name of the chart |
 | nodeSelector | object | `{}` |  |
 | postgresql | object | see `values.yaml` | Configuration values for the postgresql dependency. ref: https://github.com/bitnami/charts/tree/main/bitnami/postgresql |
--- a/helm/superset/templates/deployment-beat.yaml
+++ b/helm/superset/templates/deployment-beat.yaml
@@ -126,7 +126,7 @@ spec:
              {{- toYaml .Values.resources | nindent 12 }}
            {{- end }}
        {{- if .Values.supersetCeleryBeat.extraContainers }}
-            {{- tpl (toYaml .Values.supersetCeleryBeat.extraContainers) . | nindent 8 }}
+            {{- toYaml .Values.supersetCeleryBeat.extraContainers | nindent 8 }}
        {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector: {{- toYaml . | nindent 8 }}
--- a/helm/superset/templates/deployment-flower.yaml
+++ b/helm/superset/templates/deployment-flower.yaml
@@ -121,7 +121,7 @@ spec:
              {{- toYaml .Values.resources | nindent 12 }}
            {{- end }}
        {{- if .Values.supersetCeleryFlower.extraContainers }}
-            {{- tpl (toYaml .Values.supersetCeleryFlower.extraContainers) . | nindent 8 }}
+            {{- toYaml .Values.supersetCeleryFlower.extraContainers | nindent 8 }}
        {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector: {{- toYaml . | nindent 8 }}
--- a/helm/superset/templates/deployment-worker.yaml
+++ b/helm/superset/templates/deployment-worker.yaml
@@ -141,7 +141,7 @@ spec:
              {{- toYaml .Values.resources | nindent 12 }}
            {{- end }}
        {{- if .Values.supersetWorker.extraContainers }}
-          {{- tpl (toYaml .Values.supersetWorker.extraContainers) . | nindent 8 }}
+          {{- toYaml .Values.supersetWorker.extraContainers | nindent 8 }}
        {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector: {{- toYaml . | nindent 8 }}
--- a/helm/superset/templates/deployment-ws.yaml
+++ b/helm/superset/templates/deployment-ws.yaml
@@ -120,7 +120,7 @@ spec:
          livenessProbe: {{- .Values.supersetWebsockets.livenessProbe | toYaml | nindent 12 }}
          {{- end }}
        {{- if .Values.supersetWebsockets.extraContainers }}
-            {{- tpl (toYaml .Values.supersetWebsockets.extraContainers) . | nindent 8 }}
+            {{- toYaml .Values.supersetWebsockets.extraContainers | nindent 8 }}
        {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector: {{- toYaml . | nindent 8 }}
--- a/helm/superset/templates/deployment.yaml
+++ b/helm/superset/templates/deployment.yaml
@@ -151,7 +151,7 @@ spec:
              {{- toYaml .Values.resources | nindent 12 }}
            {{- end }}
        {{- if .Values.supersetNode.extraContainers }}
-          {{- tpl (toYaml .Values.supersetNode.extraContainers) . | nindent 8 }}
+          {{- toYaml .Values.supersetNode.extraContainers | nindent 8 }}
        {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector: {{- toYaml . | nindent 8 }}
--- a/helm/superset/templates/init-job.yaml
+++ b/helm/superset/templates/init-job.yaml
@@ -62,9 +62,6 @@ spec:
      {{- if .Values.init.initContainers }}
      initContainers: {{-  tpl (toYaml .Values.init.initContainers) . | nindent 6 }}
      {{- end }}
-      {{- with .Values.hostAliases }}
-      hostAliases: {{- toYaml . | nindent 6 }}
-      {{- end }}
      containers:
      - name: {{ template "superset.name" . }}-init-db
        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -104,7 +101,7 @@ spec:
        command: {{  tpl (toJson .Values.init.command) . }}
        resources: {{- toYaml .Values.init.resources | nindent 10 }}
      {{- if .Values.init.extraContainers }}
-          {{- tpl (toYaml .Values.init.extraContainers) . | nindent 6 }}
+          {{- toYaml .Values.init.extraContainers | nindent 6 }}
      {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector: {{- toYaml . | nindent 8 }}
--- a/helm/superset/values.yaml
+++ b/helm/superset/values.yaml
@@ -194,6 +194,11 @@ image:

 imagePullSecrets: []

+initImage:
+  repository: apache/superset
+  tag: dockerize
+  pullPolicy: IfNotPresent
+
 service:
  type: ClusterIP
  port: 8088
@@ -298,29 +303,15 @@ supersetNode:
  # @default -- a container waiting for postgres
  initContainers:
    - name: wait-for-postgres
-      image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-      imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+      image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
+      imagePullPolicy: "{{ .Values.initImage.pullPolicy }}"
      envFrom:
        - secretRef:
            name: "{{ tpl .Values.envFromSecret . }}"
      command:
-        - /bin/bash
+        - /bin/sh
        - -c
-        - |
-          # opening a /dev/tcp fd performs a TCP connect without sending any
-          # payload (avoids postgres "incomplete startup packet" log noise);
-          # no external `dockerize`, `nc`, or busybox needed. SECONDS-based
-          # deadline mirrors the prior `dockerize -timeout 120s` behaviour.
-          SECONDS=0
-          until (exec 3<>/dev/tcp/"$DB_HOST"/"$DB_PORT") 2>/dev/null; do
-            if [ "$SECONDS" -ge 120 ]; then
-              echo "timeout waiting for postgres at $DB_HOST:$DB_PORT after 120s" >&2
-              exit 1
-            fi
-            echo "waiting for postgres at $DB_HOST:$DB_PORT (elapsed ${SECONDS}s)"
-            sleep 2
-          done
-          echo "postgres at $DB_HOST:$DB_PORT is up"
+        - dockerize -wait "tcp://$DB_HOST:$DB_PORT" -timeout 120s
      resources:
        limits:
          memory: "256Mi"
@@ -416,31 +407,15 @@ supersetWorker:
  # @default -- a container waiting for postgres and redis
  initContainers:
    - name: wait-for-postgres-redis
-      image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-      imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+      image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
+      imagePullPolicy: "{{ .Values.initImage.pullPolicy }}"
      envFrom:
        - secretRef:
            name: "{{ tpl .Values.envFromSecret . }}"
      command:
-        - /bin/bash
+        - /bin/sh
        - -c
-        - |
-          # See supersetNode.initContainers for the rationale.
-          SECONDS=0
-          wait_for() {
-            local host=$1 port=$2 name=$3
-            until (exec 3<>/dev/tcp/"$host"/"$port") 2>/dev/null; do
-              if [ "$SECONDS" -ge 120 ]; then
-                echo "timeout waiting for $name at $host:$port after 120s" >&2
-                exit 1
-              fi
-              echo "waiting for $name at $host:$port (elapsed ${SECONDS}s)"
-              sleep 2
-            done
-            echo "$name at $host:$port is up"
-          }
-          wait_for "$DB_HOST" "$DB_PORT" postgres
-          wait_for "$REDIS_HOST" "$REDIS_PORT" redis
+        - dockerize -wait "tcp://$DB_HOST:$DB_PORT" -wait "tcp://$REDIS_HOST:$REDIS_PORT" -timeout 120s
      resources:
        limits:
          memory: "256Mi"
@@ -520,31 +495,15 @@ supersetCeleryBeat:
  # @default -- a container waiting for postgres
  initContainers:
    - name: wait-for-postgres-redis
-      image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-      imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+      image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
+      imagePullPolicy: "{{ .Values.initImage.pullPolicy }}"
      envFrom:
        - secretRef:
            name: "{{ tpl .Values.envFromSecret . }}"
      command:
-        - /bin/bash
+        - /bin/sh
        - -c
-        - |
-          # See supersetNode.initContainers for the rationale.
-          SECONDS=0
-          wait_for() {
-            local host=$1 port=$2 name=$3
-            until (exec 3<>/dev/tcp/"$host"/"$port") 2>/dev/null; do
-              if [ "$SECONDS" -ge 120 ]; then
-                echo "timeout waiting for $name at $host:$port after 120s" >&2
-                exit 1
-              fi
-              echo "waiting for $name at $host:$port (elapsed ${SECONDS}s)"
-              sleep 2
-            done
-            echo "$name at $host:$port is up"
-          }
-          wait_for "$DB_HOST" "$DB_PORT" postgres
-          wait_for "$REDIS_HOST" "$REDIS_PORT" redis
+        - dockerize -wait "tcp://$DB_HOST:$DB_PORT" -wait "tcp://$REDIS_HOST:$REDIS_PORT" -timeout 120s
      resources:
        limits:
          memory: "256Mi"
@@ -635,31 +594,15 @@ supersetCeleryFlower:
  # @default -- a container waiting for postgres and redis
  initContainers:
    - name: wait-for-postgres-redis
-      image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-      imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+      image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
+      imagePullPolicy: "{{ .Values.initImage.pullPolicy }}"
      envFrom:
        - secretRef:
            name: "{{ tpl .Values.envFromSecret . }}"
      command:
-        - /bin/bash
+        - /bin/sh
        - -c
-        - |
-          # See supersetNode.initContainers for the rationale.
-          SECONDS=0
-          wait_for() {
-            local host=$1 port=$2 name=$3
-            until (exec 3<>/dev/tcp/"$host"/"$port") 2>/dev/null; do
-              if [ "$SECONDS" -ge 120 ]; then
-                echo "timeout waiting for $name at $host:$port after 120s" >&2
-                exit 1
-              fi
-              echo "waiting for $name at $host:$port (elapsed ${SECONDS}s)"
-              sleep 2
-            done
-            echo "$name at $host:$port is up"
-          }
-          wait_for "$DB_HOST" "$DB_PORT" postgres
-          wait_for "$REDIS_HOST" "$REDIS_PORT" redis
+        - dockerize -wait "tcp://$DB_HOST:$DB_PORT" -wait "tcp://$REDIS_HOST:$REDIS_PORT" -timeout 120s
      resources:
        limits:
          memory: "256Mi"
@@ -821,26 +764,15 @@ init:
  # @default -- a container waiting for postgres
  initContainers:
    - name: wait-for-postgres
-      image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-      imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+      image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
+      imagePullPolicy: "{{ .Values.initImage.pullPolicy }}"
      envFrom:
        - secretRef:
            name: "{{ tpl .Values.envFromSecret . }}"
      command:
-        - /bin/bash
+        - /bin/sh
        - -c
-        - |
-          # See supersetNode.initContainers for the rationale.
-          SECONDS=0
-          until (exec 3<>/dev/tcp/"$DB_HOST"/"$DB_PORT") 2>/dev/null; do
-            if [ "$SECONDS" -ge 120 ]; then
-              echo "timeout waiting for postgres at $DB_HOST:$DB_PORT after 120s" >&2
-              exit 1
-            fi
-            echo "waiting for postgres at $DB_HOST:$DB_PORT (elapsed ${SECONDS}s)"
-            sleep 2
-          done
-          echo "postgres at $DB_HOST:$DB_PORT is up"
+        - dockerize -wait "tcp://$DB_HOST:$DB_PORT" -timeout 120s
      resources:
        limits:
          memory: "256Mi"
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -38,20 +38,14 @@ dependencies = [
    # no bounds for apache-superset-core until we have a stable version
    "apache-superset-core",
    "backoff>=1.8.0",
-    # cachetools is used directly by ``superset.db_engine_specs.aws_iam`` (TTLCache).
-    # It used to be installed transitively via ``google-auth`` (<2.53), but
-    # ``google-auth`` 2.53+ dropped it, so Superset must declare it
-    # explicitly to keep fresh ``pip install apache-superset`` working
-    # without the ``base.txt`` lock file (#40962).
-    "cachetools>=6.2.1, <7",
    "celery>=5.3.6, <6.0.0",
    "click>=8.4.0",
    "click-option-group",
    "colorama",
-    "flask-cors>=6.0.5, <7.0",
-    "croniter>=6.2.2",
+    "flask-cors>=6.0.0, <7.0",
+    "croniter>=0.3.28",
    "cron-descriptor",
-    "cryptography>=48.0.0, <49.0.0",
+    "cryptography>=42.0.4, <47.0.0",
    "deprecation>=2.1.0, <2.2.0",
    "flask>=2.2.5, <4.0.0",
    "flask-appbuilder>=5.2.1, <6.0.0",
@@ -59,11 +53,11 @@ dependencies = [
    "flask-compress>=1.13, <2.0",
    "flask-talisman>=1.0.0, <2.0",
    "flask-login>=0.6.0, < 1.0",
-    "flask-migrate>=4.1.0, <5.0",
+    "flask-migrate>=3.1.0, <5.0",
    "flask-session>=0.4.0, <1.0",
-    "flask-wtf>=1.3.0, <2.0",
+    "flask-wtf>=1.1.0, <2.0",
    "geopy",
-    "greenlet<=3.5.1, >=3.5.1",
+    "greenlet>=3.0.3, <=3.5.0",
    "gunicorn>=25.3.0, <26; sys_platform != 'win32'",
    "hashids>=1.3.1, <2",
    # holidays>=0.45 required for security fix
@@ -73,12 +67,10 @@ dependencies = [
    "jsonpath-ng>=1.8.0, <2",
    "Mako>=1.2.2",
    "markdown>=3.10.2",
-    # marshmallow 4 compatibility: see superset/marshmallow_compatibility.py for a
-    # Flask-AppBuilder workaround. Tracking issue:
-    # https://github.com/apache/superset/issues/33162
-    "marshmallow>=3.0, <5",
+    # marshmallow>=4 has issues: https://github.com/apache/superset/issues/33162
+    "marshmallow>=3.0, <4",
    "marshmallow-union>=0.1",
-    "msgpack>=1.2.0, <1.3",
+    "msgpack>=1.0.0, <1.2",
    "nh3>=0.3.5, <0.4",
    "numpy>1.23.5, <2.3",
    "packaging",
@@ -98,14 +90,14 @@ dependencies = [
    "python-dotenv", # optional dependencies for Flask but required for Superset, see https://flask.palletsprojects.com/en/stable/installation/#optional-dependencies
    "pygeohash",
    "pyarrow>=24.0.0, <25", # before upgrading pyarrow, check that all db dependencies support this, see e.g. https://github.com/apache/superset/pull/34693
-    "pyyaml>=6.0.3, <7.0.0",
+    "pyyaml>=6.0.0, <7.0.0",
    "PyJWT>=2.4.0, <3.0",
    "redis>=5.0.0, <6.0",
    "rison>=2.0.0, <3.0",
    "selenium>=4.44.0, <5.0",
    "shillelagh[gsheetsapi]>=1.4.4, <2.0",
    "sshtunnel>=0.4.0, <0.5",
-    "simplejson>=4.1.1",
+    "simplejson>=3.15.0",
    "slack_sdk>=3.19.0, <4",
    "sqlalchemy>=1.4, <2",
    "sqlalchemy-utils>=0.38.0, <0.43", # expanding lowerbound to work with pydoris
@@ -149,10 +141,10 @@ drill = ["sqlalchemy-drill>=1.1.10, <2"]
 druid = ["pydruid>=0.6.5,<0.7"]
 duckdb = ["duckdb>=1.5.2,<2", "duckdb-engine>=0.17.0"]
 dynamodb = ["pydynamodb>=0.4.2"]
-solr = ["sqlalchemy-solr >= 0.2.4.3"]
+solr = ["sqlalchemy-solr >= 0.2.0"]
 elasticsearch = ["elasticsearch-dbapi>=0.2.13, <0.3.0"]
 exasol = ["sqlalchemy-exasol>=2.4.0, <8.0"]
-excel = ["xlrd>=2.0.2, <2.1"]
+excel = ["xlrd>=1.2.0, <1.3"]
 fastmcp = [
    "fastmcp>=3.2.4,<4.0",
    # tiktoken backs the response-size-guard token estimator. Without
@@ -164,7 +156,7 @@ firebird = ["sqlalchemy-firebird>=0.7.0, <2.2"]
 firebolt = ["firebolt-sqlalchemy>=1.0.0, <2"]
 gevent = ["gevent>=26.4.0"]
 gsheets = ["shillelagh[gsheetsapi]>=1.4.4, <2"]
-hana = ["hdbcli==2.28.21", "sqlalchemy_hana==0.4.0"]
+hana = ["hdbcli==2.28.20", "sqlalchemy_hana==0.4.0"]
 hive = [
    "pyhive[hive]>=0.6.5;python_version<'3.11'",
    "pyhive[hive_pure_sasl]>=0.7.0",
@@ -181,17 +173,17 @@ motherduck = ["apache-superset[duckdb]"]
 mysql = ["mysqlclient>=2.1.0, <3"]
 ocient = [
    "sqlalchemy-ocient>=1.0.0",
-    "pyocient>=1.0.15, <4",
+    "pyocient>=1.0.15, <2",
    "shapely",
    "geojson",
 ]
-oracle = ["oracledb>=2.0.0, <5"]
+oracle = ["cx-Oracle>8.0.0, <8.4"]
 parseable = ["sqlalchemy-parseable>=0.1.3,<0.2.0"]
 pinot = ["pinotdb>=5.0.0, <10.0.0"]
 playwright = ["playwright>=1.60.0, <2"]
 postgres = ["psycopg2-binary==2.9.12"]
 presto = ["pyhive[presto]>=0.6.5"]
-trino = ["trino>=0.337.0"]
+trino = ["trino>=0.328.0"]
 prophet = ["prophet>=1.1.6, <2"]
 redshift = ["sqlalchemy-redshift>=0.8.1, <0.9"]
 risingwave = ["sqlalchemy-risingwave"]
@@ -216,7 +208,7 @@ netezza = ["nzalchemy>=11.0.2"]
 starrocks = ["starrocks>=1.3.3, <2"]
 doris = ["pydoris>=1.0.0, <2.0.0"]
 oceanbase = ["oceanbase_py>=0.0.1.2"]
-ydb = ["ydb-sqlalchemy>=0.1.22", "ydb-sqlglot-plugin>=0.2.5"]
+ydb = ["ydb-sqlalchemy>=0.1.2", "ydb-sqlglot-plugin>=0.2.5"]
 development = [
    # no bounds for apache-superset-extensions-cli until a stable version
    "apache-superset-extensions-cli",
@@ -224,13 +216,13 @@ development = [
    "docker",
    "flask-testing",
    "freezegun",
-    "grpcio>=1.81.1",
+    "grpcio>=1.55.3",
    "openapi-spec-validator",
    "parameterized",
    "pip",
    "polib",  # used by scripts/translations/ and their unit tests
    "pre-commit",
-    "progress>=1.6.1,<2",
+    "progress>=1.5,<2",
    "psutil",
    "pyfakefs",
    "pyinstrument>=5.1.2,<6",
--- a/pytest.ini
+++ b/pytest.ini
@@ -18,30 +18,5 @@
 testpaths =
    tests
 python_files = *_test.py test_*.py *_tests.py *viz/utils.py
-# `-p no:warnings` temporarily disabled in favor of more finely tuned `filterwarnings`.
-#addopts = -p no:warnings
+addopts = -p no:warnings
 asyncio_mode = auto
-
-# `ignore` is effectively equivalent to `-p no:warnings`.
-# Always print RemovedIn20Warning when SQLALCHEMY_WARN_20=1.
-# Additionally, raise errors for refactored RemovedIn20Warning cases to prevent regression.
-filterwarnings =
-    ignore
-    always::sqlalchemy.exc.RemovedIn20Warning
-    error:Passing a string to Connection.execute\(\) is deprecated:sqlalchemy.exc.RemovedIn20Warning
-#    error:"Query" object is being merged into a Session:sqlalchemy.exc.RemovedIn20Warning
-#    error:"SavedQuery" object is being merged into a Session:sqlalchemy.exc.RemovedIn20Warning
-#    error:"SqlaTable" object is being merged into a Session:sqlalchemy.exc.RemovedIn20Warning
-#    error:"SqlMetric" object is being merged into a Session:sqlalchemy.exc.RemovedIn20Warning
-#    error:"TableColumn" object is being merged into a Session:sqlalchemy.exc.RemovedIn20Warning
-#    error:"TaggedObject" object is being merged into a Session:sqlalchemy.exc.RemovedIn20Warning
-#    error:The ``as_declarative\(\)`` function is now available:sqlalchemy.exc.RemovedIn20Warning
-#    error:The autoload parameter is deprecated:sqlalchemy.exc.RemovedIn20Warning
-#    error:The connection.execute\(\) method:sqlalchemy.exc.RemovedIn20Warning
-#    error:The current statement is being autocommitted using implicit autocommit:sqlalchemy.exc.RemovedIn20Warning
-#    error:The `database` package is deprecated:sqlalchemy.exc.RemovedIn20Warning
-#    error:The ``declarative_base\(\)`` function is now available:sqlalchemy.exc.RemovedIn20Warning
-#    error:The Engine.execute\(\) method is considered legacy:sqlalchemy.exc.RemovedIn20Warning
-    error:The legacy calling style of select\(\) is deprecated:sqlalchemy.exc.RemovedIn20Warning
-#    error:The "whens" argument to case:sqlalchemy.exc.RemovedIn20Warning
-#    error:"User" object is being merged into a Session:sqlalchemy.exc.RemovedIn20Warning
--- a/requirements/base.in
+++ b/requirements/base.in
@@ -26,7 +26,7 @@ filelock>=3.20.3,<4.0.0
 brotli>=1.2.0,<2.0.0
 numexpr>=2.9.0
 # Security: CVE-2026-34073 (MEDIUM) - Improper Certificate Validation
-cryptography>=48.0.0,<49.0.0
+cryptography>=46.0.7,<47.0.0
 # Security: Snyk - XSS vulnerability in Mako templates
 mako>=1.3.11,<2.0.0
 # Security: CVE-2024-52338 (CRITICAL) - Deserialization of untrusted data in IPC/Parquet readers
@@ -44,10 +44,11 @@ async_timeout>=4.0.0,<5.0.0
 # a bit of attention to bump.
 apispec>=6.0.0,<6.7.0

-# 1.4.1 introduced a memory regression that exhausts memory in the test suite
-# (https://github.com/marshmallow-code/marshmallow-sqlalchemy/issues/665). 1.4.2
-# claimed a fix but did not address the root cause; only 1.5.0 actually fixes it.
-marshmallow-sqlalchemy>=1.5.0
+# 1.4.1 appears to use much more memory, where the python test suite runs out of memory
+# causing CI to fail. 1.4.0 is the last version that works.
+# https://marshmallow-sqlalchemy.readthedocs.io/en/latest/changelog.html#id3
+# Opened this issue https://github.com/marshmallow-code/marshmallow-sqlalchemy/issues/665
+marshmallow-sqlalchemy>=1.3.0,<1.4.1

 # needed for python 3.12 support
 openapi-schema-validator>=0.6.3
@@ -57,9 +58,3 @@ openapi-schema-validator>=0.6.3
 # Known affected packages: Preset's 'clients' package
 # See docs/docs/contributing/pkg-resources-migration.md for details
 setuptools<81
-
-# google-auth 2.53+ dropped its transitive dependency on cachetools, which is
-# imported directly by superset.db_engine_specs.aws_iam. We declare cachetools
-# explicitly in pyproject.toml and pin google-auth to the post-drop range so
-# the install path is internally consistent (#40962).
-google-auth>=2.53.0,<3.0.0
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -45,7 +45,7 @@ cachelib==0.13.0
    #   flask-caching
    #   flask-session
 cachetools==6.2.1
-    # via apache-superset (pyproject.toml)
+    # via google-auth
 cattrs==25.1.1
    # via requests-cache
 celery==5.5.2
@@ -84,13 +84,12 @@ colorama==0.4.6
    #   flask-appbuilder
 cron-descriptor==1.4.5
    # via apache-superset (pyproject.toml)
-croniter==6.2.2
+croniter==6.0.0
    # via apache-superset (pyproject.toml)
-cryptography==48.0.1
+cryptography==46.0.7
    # via
    #   -r requirements/base.in
    #   apache-superset (pyproject.toml)
-    #   google-auth
    #   paramiko
    #   pyopenssl
 defusedxml==0.7.1
@@ -132,7 +131,7 @@ flask-caching==2.3.1
    # via apache-superset (pyproject.toml)
 flask-compress==1.17
    # via apache-superset (pyproject.toml)
-flask-cors==6.0.5
+flask-cors==6.0.2
    # via apache-superset (pyproject.toml)
 flask-jwt-extended==4.7.1
    # via flask-appbuilder
@@ -142,7 +141,7 @@ flask-login==0.6.3
    # via
    #   apache-superset (pyproject.toml)
    #   flask-appbuilder
-flask-migrate==4.1.0
+flask-migrate==3.1.0
    # via apache-superset (pyproject.toml)
 flask-session==0.8.0
    # via apache-superset (pyproject.toml)
@@ -152,7 +151,7 @@ flask-sqlalchemy==2.5.1
    #   flask-migrate
 flask-talisman==1.1.0
    # via apache-superset (pyproject.toml)
-flask-wtf==1.3.0
+flask-wtf==1.2.2
    # via
    #   apache-superset (pyproject.toml)
    #   flask-appbuilder
@@ -160,11 +159,9 @@ geographiclib==2.0
    # via geopy
 geopy==2.4.1
    # via apache-superset (pyproject.toml)
-google-auth==2.53.0
-    # via
-    #   -r requirements/base.in
-    #   shillelagh
-greenlet==3.5.1
+google-auth==2.43.0
+    # via shillelagh
+greenlet==3.5.0
    # via
    #   apache-superset (pyproject.toml)
    #   shillelagh
@@ -226,13 +223,13 @@ markupsafe==3.0.2
    #   mako
    #   werkzeug
    #   wtforms
-marshmallow==4.3.0
+marshmallow==3.26.2
    # via
    #   apache-superset (pyproject.toml)
    #   flask-appbuilder
    #   marshmallow-sqlalchemy
    #   marshmallow-union
-marshmallow-sqlalchemy==1.5.0
+marshmallow-sqlalchemy==1.4.0
    # via
    #   -r requirements/base.in
    #   flask-appbuilder
@@ -240,7 +237,7 @@ marshmallow-union==0.1.15
    # via apache-superset (pyproject.toml)
 mdurl==0.1.2
    # via markdown-it-py
-msgpack==1.2.1
+msgpack==1.0.8
    # via apache-superset (pyproject.toml)
 msgspec==0.19.0
    # via flask-session
@@ -273,6 +270,7 @@ packaging==25.0
    #   deprecation
    #   gunicorn
    #   limits
+    #   marshmallow
    #   shillelagh
 pandas==2.1.4
    # via apache-superset (pyproject.toml)
@@ -300,7 +298,9 @@ pyarrow==24.0.0
    #   apache-superset (pyproject.toml)
    #   apache-superset-core
 pyasn1==0.6.3
-    # via pyasn1-modules
+    # via
+    #   pyasn1-modules
+    #   rsa
 pyasn1-modules==0.4.2
    # via google-auth
 pycparser==2.22
@@ -323,7 +323,7 @@ pyjwt==2.12.0
    #   redis
 pynacl==1.6.2
    # via paramiko
-pyopenssl==26.2.0
+pyopenssl==26.0.0
    # via
    #   -r requirements/base.in
    #   shillelagh
@@ -344,11 +344,12 @@ python-dotenv==1.2.2
    # via apache-superset (pyproject.toml)
 pytz==2025.2
    # via
+    #   croniter
    #   flask-babel
    #   pandas
 pyxlsb==1.0.10
    # via pandas
-pyyaml==6.0.3
+pyyaml==6.0.2
    # via
    #   apache-superset (pyproject.toml)
    #   apispec
@@ -375,13 +376,15 @@ rpds-py==0.25.0
    # via
    #   jsonschema
    #   referencing
+rsa==4.9.1
+    # via google-auth
 selenium==4.44.0
    # via apache-superset (pyproject.toml)
 setuptools==80.9.0
    # via -r requirements/base.in
 shillelagh==1.4.4
    # via apache-superset (pyproject.toml)
-simplejson==4.1.1
+simplejson==3.20.1
    # via apache-superset (pyproject.toml)
 six==1.17.0
    # via
--- a/requirements/development.txt
+++ b/requirements/development.txt
@@ -100,7 +100,7 @@ cachelib==0.13.0
 cachetools==6.2.1
    # via
    #   -c requirements/base-constraint.txt
-    #   apache-superset
+    #   google-auth
    #   py-key-value-aio
 caio==0.9.25
    # via aiofile
@@ -174,16 +174,15 @@ cron-descriptor==1.4.5
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
-croniter==6.2.2
+croniter==6.0.0
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
-cryptography==48.0.1
+cryptography==46.0.7
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
    #   authlib
-    #   google-auth
    #   paramiko
    #   pyjwt
    #   pyopenssl
@@ -277,7 +276,7 @@ flask-compress==1.17
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
-flask-cors==6.0.5
+flask-cors==6.0.2
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
@@ -294,7 +293,7 @@ flask-login==0.6.3
    #   -c requirements/base-constraint.txt
    #   apache-superset
    #   flask-appbuilder
-flask-migrate==4.1.0
+flask-migrate==3.1.0
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
@@ -313,7 +312,7 @@ flask-talisman==1.1.0
    #   apache-superset
 flask-testing==0.8.1
    # via apache-superset
-flask-wtf==1.3.0
+flask-wtf==1.2.2
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
@@ -341,7 +340,7 @@ google-api-core==2.23.0
    #   google-cloud-core
    #   pandas-gbq
    #   sqlalchemy-bigquery
-google-auth==2.53.0
+google-auth==2.43.0
    # via
    #   -c requirements/base-constraint.txt
    #   google-api-core
@@ -374,7 +373,7 @@ googleapis-common-protos==1.66.0
    # via
    #   google-api-core
    #   grpcio-status
-greenlet==3.5.1
+greenlet==3.5.0
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
@@ -383,7 +382,7 @@ greenlet==3.5.1
    #   sqlalchemy
 griffelib==2.0.2
    # via fastmcp
-grpcio==1.81.1
+grpcio==1.71.0
    # via
    #   apache-superset
    #   google-api-core
@@ -508,8 +507,6 @@ limits==5.1.0
    # via
    #   -c requirements/base-constraint.txt
    #   flask-limiter
-lz4==4.4.5
-    # via trino
 mako==1.3.12
    # via
    #   -c requirements/base-constraint.txt
@@ -530,14 +527,14 @@ markupsafe==3.0.2
    #   mako
    #   werkzeug
    #   wtforms
-marshmallow==4.3.0
+marshmallow==3.26.2
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
    #   flask-appbuilder
    #   marshmallow-sqlalchemy
    #   marshmallow-union
-marshmallow-sqlalchemy==1.5.0
+marshmallow-sqlalchemy==1.4.0
    # via
    #   -c requirements/base-constraint.txt
    #   flask-appbuilder
@@ -559,7 +556,7 @@ more-itertools==10.8.0
    # via
    #   jaraco-classes
    #   jaraco-functools
-msgpack==1.2.1
+msgpack==1.0.8
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
@@ -611,8 +608,6 @@ ordered-set==4.1.0
    # via
    #   -c requirements/base-constraint.txt
    #   flask-limiter
-orjson==3.11.9
-    # via trino
 outcome==1.3.0.post0
    # via
    #   -c requirements/base-constraint.txt
@@ -631,6 +626,7 @@ packaging==25.0
    #   google-cloud-bigquery
    #   gunicorn
    #   limits
+    #   marshmallow
    #   matplotlib
    #   pytest
    #   shillelagh
@@ -690,7 +686,7 @@ prison==0.2.1
    # via
    #   -c requirements/base-constraint.txt
    #   flask-appbuilder
-progress==1.6.1
+progress==1.6
    # via apache-superset
 prompt-toolkit==3.0.51
    # via
@@ -727,6 +723,7 @@ pyasn1==0.6.3
    #   -c requirements/base-constraint.txt
    #   pyasn1-modules
    #   python-ldap
+    #   rsa
 pyasn1-modules==0.4.2
    # via
    #   -c requirements/base-constraint.txt
@@ -783,7 +780,7 @@ pynacl==1.6.2
    # via
    #   -c requirements/base-constraint.txt
    #   paramiko
-pyopenssl==26.2.0
+pyopenssl==26.0.0
    # via
    #   -c requirements/base-constraint.txt
    #   shillelagh
@@ -844,6 +841,7 @@ python-multipart==0.0.29
 pytz==2025.2
    # via
    #   -c requirements/base-constraint.txt
+    #   croniter
    #   flask-babel
    #   pandas
    #   trino
@@ -851,7 +849,7 @@ pyxlsb==1.0.10
    # via
    #   -c requirements/base-constraint.txt
    #   pandas
-pyyaml==6.0.3
+pyyaml==6.0.2
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
@@ -913,6 +911,10 @@ rpds-py==0.25.0
    #   -c requirements/base-constraint.txt
    #   jsonschema
    #   referencing
+rsa==4.9.1
+    # via
+    #   -c requirements/base-constraint.txt
+    #   google-auth
 ruff==0.9.7
    # via apache-superset
 s3transfer==0.16.0
@@ -937,7 +939,7 @@ shillelagh==1.4.4
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
-simplejson==4.1.1
+simplejson==3.20.1
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
@@ -1015,7 +1017,7 @@ tqdm==4.67.1
    # via
    #   cmdstanpy
    #   prophet
-trino==0.337.0
+trino==0.330.0
    # via apache-superset
 trio==0.33.0
    # via
@@ -1035,7 +1037,6 @@ typing-extensions==4.15.0
    #   apache-superset-core
    #   cattrs
    #   exceptiongroup
-    #   grpcio
    #   limits
    #   mcp
    #   opentelemetry-api
@@ -1150,4 +1151,3 @@ zstandard==0.23.0
    # via
    #   -c requirements/base-constraint.txt
    #   flask-compress
-    #   trino
--- a/scripts/benchmark_migration.py
+++ b/scripts/benchmark_migration.py
@@ -30,7 +30,7 @@ from flask import current_app
 from flask_appbuilder import Model
 from flask_migrate import downgrade, upgrade
 from progress.bar import ChargingBar
-from sqlalchemy import create_engine, inspect, text
+from sqlalchemy import create_engine, inspect
 from sqlalchemy.ext.automap import automap_base

 from superset import db
@@ -154,7 +154,7 @@ def main(  # noqa: C901

    print(f"Migration goes from {down_revision} to {revision}")
    current_revision = db.engine.execute(
-        text("SELECT version_num FROM alembic_version")
+        "SELECT version_num FROM alembic_version"
    ).scalar()
    print(f"Current version of the DB is {current_revision}")

--- a/scripts/translations/backfill_po.py
+++ b/scripts/translations/backfill_po.py
@@ -106,7 +106,6 @@ LANGUAGE_NAMES: dict[str, str] = {
    "ru": "Russian",
    "sk": "Slovak",
    "sl": "Slovenian",
-    "sr": "Serbian",
    "tr": "Turkish",
    "uk": "Ukrainian",
    "zh": "Chinese (Simplified)",
--- a/superset-embedded-sdk/package-lock.json
+++ b/superset-embedded-sdk/package-lock.json
@@ -27,6 +27,19 @@
        "webpack-cli": "^5.1.4"
      }
    },
+    "node_modules/@ampproject/remapping": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.3.0.tgz",
+      "integrity": "sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw==",
+      "dev": true,
+      "dependencies": {
+        "@jridgewell/gen-mapping": "^0.3.5",
+        "@jridgewell/trace-mapping": "^0.3.24"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
    "node_modules/@babel/cli": {
      "version": "7.25.6",
      "resolved": "https://registry.npmjs.org/@babel/cli/-/cli-7.25.6.tgz",
@@ -58,12 +71,12 @@
      }
    },
    "node_modules/@babel/code-frame": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.7.tgz",
-      "integrity": "sha512-Aup7aUOfpbAUg2ROOJN6Iw5f9DMBlzu0mIkm/malLQFN/YQgO48wCj0Kxa3sEHJvPVFg7siR+qRInwXd2qhQKw==",
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.0.tgz",
+      "integrity": "sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw==",
      "dev": true,
      "dependencies": {
-        "@babel/helper-validator-identifier": "^7.29.7",
+        "@babel/helper-validator-identifier": "^7.28.5",
        "js-tokens": "^4.0.0",
        "picocolors": "^1.1.1"
      },
@@ -72,30 +85,32 @@
      }
    },
    "node_modules/@babel/compat-data": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.29.7.tgz",
-      "integrity": "sha512-locTkQyKvwIEgBzVrn8693ebc97F2U8ZHjbXwDXJ5Fn2TCpNwTlKcaKLkdHop5c/icOFE7qt7Q9JC5hnKNa6Gg==",
+      "version": "7.25.4",
+      "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.25.4.tgz",
+      "integrity": "sha512-+LGRog6RAsCJrrrg/IO6LGmpphNe5DiK30dGjCoxxeGv49B10/3XYGxPsAwrDlMFcFEvdAUavDT8r9k/hSyQqQ==",
      "dev": true,
+      "license": "MIT",
      "engines": {
        "node": ">=6.9.0"
      }
    },
    "node_modules/@babel/core": {
-      "version": "7.29.6",
-      "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.29.6.tgz",
-      "integrity": "sha512-QdxmAo/ikZqqRGA8s43ww8lcql6naWRvEz0FFrl6MIlc7Gi6TroXnSdWa5U/kq6fzcpqpHesicQxFZIieZbyIA==",
+      "version": "7.25.2",
+      "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.25.2.tgz",
+      "integrity": "sha512-BBt3opiCOxUr9euZ5/ro/Xv8/V7yJ5bjYMqG/C1YAo8MIKAnumZalCN+msbci3Pigy4lIQfPUpfMM27HMGaYEA==",
      "dev": true,
+      "license": "MIT",
      "dependencies": {
-        "@babel/code-frame": "^7.29.0",
-        "@babel/generator": "^7.29.6",
-        "@babel/helper-compilation-targets": "^7.28.6",
-        "@babel/helper-module-transforms": "^7.28.6",
-        "@babel/helpers": "^7.29.2",
-        "@babel/parser": "^7.29.3",
-        "@babel/template": "^7.28.6",
-        "@babel/traverse": "^7.29.0",
-        "@babel/types": "^7.29.0",
-        "@jridgewell/remapping": "^2.3.5",
+        "@ampproject/remapping": "^2.2.0",
+        "@babel/code-frame": "^7.24.7",
+        "@babel/generator": "^7.25.0",
+        "@babel/helper-compilation-targets": "^7.25.2",
+        "@babel/helper-module-transforms": "^7.25.2",
+        "@babel/helpers": "^7.25.0",
+        "@babel/parser": "^7.25.0",
+        "@babel/template": "^7.25.0",
+        "@babel/traverse": "^7.25.2",
+        "@babel/types": "^7.25.2",
        "convert-source-map": "^2.0.0",
        "debug": "^4.1.0",
        "gensync": "^1.0.0-beta.2",
@@ -111,13 +126,13 @@
      }
    },
    "node_modules/@babel/generator": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.29.7.tgz",
-      "integrity": "sha512-DkXD5OJQaAQIdZ1bt3UZdEnHAn9Imd3IVBdX03UFe+ony9Ojw5pzr9YVKGDY1jt+Gcn/FnGkNf8r+Vj5NOJWtQ==",
+      "version": "7.29.1",
+      "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.29.1.tgz",
+      "integrity": "sha512-qsaF+9Qcm2Qv8SRIMMscAvG4O3lJ0F1GuMo5HR/Bp02LopNgnZBC/EkbevHFeGs4ls/oPz9v+Bsmzbkbe+0dUw==",
      "dev": true,
      "dependencies": {
-        "@babel/parser": "^7.29.7",
-        "@babel/types": "^7.29.7",
+        "@babel/parser": "^7.29.0",
+        "@babel/types": "^7.29.0",
        "@jridgewell/gen-mapping": "^0.3.12",
        "@jridgewell/trace-mapping": "^0.3.28",
        "jsesc": "^3.0.2"
@@ -154,14 +169,15 @@
      }
    },
    "node_modules/@babel/helper-compilation-targets": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.29.7.tgz",
-      "integrity": "sha512-wem6WaBj4NaVYVdNhLPPVacES6ZJ+KBBfSkTMD3YZxbP3rm3Di85tJU5ljaUNhaOynt+Aj0xruhYuzQBt8n71g==",
+      "version": "7.25.2",
+      "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.25.2.tgz",
+      "integrity": "sha512-U2U5LsSaZ7TAt3cfaymQ8WHh0pxvdHoEk6HVpaexxixjyEquMh0L0YNJNM6CTGKMXV1iksi0iZkGw4AcFkPaaw==",
      "dev": true,
+      "license": "MIT",
      "dependencies": {
-        "@babel/compat-data": "^7.29.7",
-        "@babel/helper-validator-option": "^7.29.7",
-        "browserslist": "^4.24.0",
+        "@babel/compat-data": "^7.25.2",
+        "@babel/helper-validator-option": "^7.24.8",
+        "browserslist": "^4.23.1",
        "lru-cache": "^5.1.1",
        "semver": "^6.3.1"
      },
@@ -366,28 +382,29 @@
      }
    },
    "node_modules/@babel/helper-string-parser": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.29.7.tgz",
-      "integrity": "sha512-Pb5ijPrZ89GDH8223L4UP8i6QApWxs04RbPQJTeWDV0/keR2E36MeKnyr6LYmUUvqRRI+Iv87SuF1W6ErINzYw==",
+      "version": "7.27.1",
+      "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz",
+      "integrity": "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==",
      "dev": true,
      "engines": {
        "node": ">=6.9.0"
      }
    },
    "node_modules/@babel/helper-validator-identifier": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.29.7.tgz",
-      "integrity": "sha512-qehxGkRj55h/ff8EMaJ+cYhyaKlHIxqYDn682wQD7RNp9UujOQsHog2uS0r2vzr4pW+sXf90NeeayjcNaX3fFg==",
+      "version": "7.28.5",
+      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.28.5.tgz",
+      "integrity": "sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==",
      "dev": true,
      "engines": {
        "node": ">=6.9.0"
      }
    },
    "node_modules/@babel/helper-validator-option": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.29.7.tgz",
-      "integrity": "sha512-N9ZErrD+yW5geCDtBqnOoxmR8+tNKiGuxKlDpuJxfsqpa2dFcexaziGAE/qoHLiDDreVNMupxGmSoNlyvsA3gw==",
+      "version": "7.24.8",
+      "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.24.8.tgz",
+      "integrity": "sha512-xb8t9tD1MHLungh/AIoWYN+gVHaB9kwlu8gffXGSt3FFEIT7RjS+xWbc2vUD1UTZdIpKj/ab3rdqJ7ufngyi2Q==",
      "dev": true,
+      "license": "MIT",
      "engines": {
        "node": ">=6.9.0"
      }
@@ -408,25 +425,26 @@
      }
    },
    "node_modules/@babel/helpers": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.29.7.tgz",
-      "integrity": "sha512-1k2lAGRMfHTcwuNYcCNUmaUffmQv8KWMfh2iJUUeRlwlwH4FdNG7mfPI10NPfLHJFThE4Tyr4mv7kTNZOiPuBg==",
+      "version": "7.25.6",
+      "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.25.6.tgz",
+      "integrity": "sha512-Xg0tn4HcfTijTwfDwYlvVCl43V6h4KyVVX2aEm4qdO/PC6L2YvzLHFdmxhoeSA3eslcE6+ZVXHgWwopXYLNq4Q==",
      "dev": true,
+      "license": "MIT",
      "dependencies": {
-        "@babel/template": "^7.29.7",
-        "@babel/types": "^7.29.7"
+        "@babel/template": "^7.25.0",
+        "@babel/types": "^7.25.6"
      },
      "engines": {
        "node": ">=6.9.0"
      }
    },
    "node_modules/@babel/parser": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.7.tgz",
-      "integrity": "sha512-hnORnjP/1P/zFEndoeX+n+t1RwWRJiJpM/jO7FW32Kn9r5+sJB2JWOdYo4L6k78j15eCwY3Gm/7364B1EMwtNg==",
+      "version": "7.29.3",
+      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.3.tgz",
+      "integrity": "sha512-b3ctpQwp+PROvU/cttc4OYl4MzfJUWy6FZg+PMXfzmt/+39iHVF0sDfqay8TQM3JA2EUOyKcFZt75jWriQijsA==",
      "dev": true,
      "dependencies": {
-        "@babel/types": "^7.29.7"
+        "@babel/types": "^7.29.0"
      },
      "bin": {
        "parser": "bin/babel-parser.js"
@@ -1825,14 +1843,14 @@
      }
    },
    "node_modules/@babel/template": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.29.7.tgz",
-      "integrity": "sha512-puq+Gf35oI24FeN11LkoUQFqv9uwNeWpxXZi/Ji3rRIoKAzKnxRaZ+Gkj0vKS9ZCiTESfng1N9LyOyXvo+m+Gg==",
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.28.6.tgz",
+      "integrity": "sha512-YA6Ma2KsCdGb+WC6UpBVFJGXL58MDA6oyONbjyF/+5sBgxY/dwkhLogbMT2GXXyU84/IhRw/2D1Os1B/giz+BQ==",
      "dev": true,
      "dependencies": {
-        "@babel/code-frame": "^7.29.7",
-        "@babel/parser": "^7.29.7",
-        "@babel/types": "^7.29.7"
+        "@babel/code-frame": "^7.28.6",
+        "@babel/parser": "^7.28.6",
+        "@babel/types": "^7.28.6"
      },
      "engines": {
        "node": ">=6.9.0"
@@ -1857,13 +1875,13 @@
      }
    },
    "node_modules/@babel/types": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.7.tgz",
-      "integrity": "sha512-4zBIxpPzowiZpusoFkyGVwakdRJUyuH5PxQ/PrqghfdFWWasvnCdPfQXHrenDai+gyLARulZjZowCOj6fjT4pA==",
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.0.tgz",
+      "integrity": "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==",
      "dev": true,
      "dependencies": {
-        "@babel/helper-string-parser": "^7.29.7",
-        "@babel/helper-validator-identifier": "^7.29.7"
+        "@babel/helper-string-parser": "^7.27.1",
+        "@babel/helper-validator-identifier": "^7.28.5"
      },
      "engines": {
        "node": ">=6.9.0"
@@ -2631,16 +2649,6 @@
        "@jridgewell/trace-mapping": "^0.3.24"
      }
    },
-    "node_modules/@jridgewell/remapping": {
-      "version": "2.3.5",
-      "resolved": "https://registry.npmjs.org/@jridgewell/remapping/-/remapping-2.3.5.tgz",
-      "integrity": "sha512-LI9u/+laYG4Ds1TDKSJW2YPrIlcVYOwi2fUC6xB43lueCjgxV4lffOCZCtYFiH6TNOX+tQKXx97T4IKHbhyHEQ==",
-      "dev": true,
-      "dependencies": {
-        "@jridgewell/gen-mapping": "^0.3.5",
-        "@jridgewell/trace-mapping": "^0.3.24"
-      }
-    },
    "node_modules/@jridgewell/resolve-uri": {
      "version": "3.1.0",
      "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.0.tgz",
@@ -7975,6 +7983,16 @@
    }
  },
  "dependencies": {
+    "@ampproject/remapping": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.3.0.tgz",
+      "integrity": "sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw==",
+      "dev": true,
+      "requires": {
+        "@jridgewell/gen-mapping": "^0.3.5",
+        "@jridgewell/trace-mapping": "^0.3.24"
+      }
+    },
    "@babel/cli": {
      "version": "7.25.6",
      "resolved": "https://registry.npmjs.org/@babel/cli/-/cli-7.25.6.tgz",
@@ -7993,38 +8011,38 @@
      }
    },
    "@babel/code-frame": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.7.tgz",
-      "integrity": "sha512-Aup7aUOfpbAUg2ROOJN6Iw5f9DMBlzu0mIkm/malLQFN/YQgO48wCj0Kxa3sEHJvPVFg7siR+qRInwXd2qhQKw==",
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.0.tgz",
+      "integrity": "sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw==",
      "dev": true,
      "requires": {
-        "@babel/helper-validator-identifier": "^7.29.7",
+        "@babel/helper-validator-identifier": "^7.28.5",
        "js-tokens": "^4.0.0",
        "picocolors": "^1.1.1"
      }
    },
    "@babel/compat-data": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.29.7.tgz",
-      "integrity": "sha512-locTkQyKvwIEgBzVrn8693ebc97F2U8ZHjbXwDXJ5Fn2TCpNwTlKcaKLkdHop5c/icOFE7qt7Q9JC5hnKNa6Gg==",
+      "version": "7.25.4",
+      "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.25.4.tgz",
+      "integrity": "sha512-+LGRog6RAsCJrrrg/IO6LGmpphNe5DiK30dGjCoxxeGv49B10/3XYGxPsAwrDlMFcFEvdAUavDT8r9k/hSyQqQ==",
      "dev": true
    },
    "@babel/core": {
-      "version": "7.29.6",
-      "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.29.6.tgz",
-      "integrity": "sha512-QdxmAo/ikZqqRGA8s43ww8lcql6naWRvEz0FFrl6MIlc7Gi6TroXnSdWa5U/kq6fzcpqpHesicQxFZIieZbyIA==",
+      "version": "7.25.2",
+      "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.25.2.tgz",
+      "integrity": "sha512-BBt3opiCOxUr9euZ5/ro/Xv8/V7yJ5bjYMqG/C1YAo8MIKAnumZalCN+msbci3Pigy4lIQfPUpfMM27HMGaYEA==",
      "dev": true,
      "requires": {
-        "@babel/code-frame": "^7.29.0",
-        "@babel/generator": "^7.29.6",
-        "@babel/helper-compilation-targets": "^7.28.6",
-        "@babel/helper-module-transforms": "^7.28.6",
-        "@babel/helpers": "^7.29.2",
-        "@babel/parser": "^7.29.3",
-        "@babel/template": "^7.28.6",
-        "@babel/traverse": "^7.29.0",
-        "@babel/types": "^7.29.0",
-        "@jridgewell/remapping": "^2.3.5",
+        "@ampproject/remapping": "^2.2.0",
+        "@babel/code-frame": "^7.24.7",
+        "@babel/generator": "^7.25.0",
+        "@babel/helper-compilation-targets": "^7.25.2",
+        "@babel/helper-module-transforms": "^7.25.2",
+        "@babel/helpers": "^7.25.0",
+        "@babel/parser": "^7.25.0",
+        "@babel/template": "^7.25.0",
+        "@babel/traverse": "^7.25.2",
+        "@babel/types": "^7.25.2",
        "convert-source-map": "^2.0.0",
        "debug": "^4.1.0",
        "gensync": "^1.0.0-beta.2",
@@ -8033,13 +8051,13 @@
      }
    },
    "@babel/generator": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.29.7.tgz",
-      "integrity": "sha512-DkXD5OJQaAQIdZ1bt3UZdEnHAn9Imd3IVBdX03UFe+ony9Ojw5pzr9YVKGDY1jt+Gcn/FnGkNf8r+Vj5NOJWtQ==",
+      "version": "7.29.1",
+      "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.29.1.tgz",
+      "integrity": "sha512-qsaF+9Qcm2Qv8SRIMMscAvG4O3lJ0F1GuMo5HR/Bp02LopNgnZBC/EkbevHFeGs4ls/oPz9v+Bsmzbkbe+0dUw==",
      "dev": true,
      "requires": {
-        "@babel/parser": "^7.29.7",
-        "@babel/types": "^7.29.7",
+        "@babel/parser": "^7.29.0",
+        "@babel/types": "^7.29.0",
        "@jridgewell/gen-mapping": "^0.3.12",
        "@jridgewell/trace-mapping": "^0.3.28",
        "jsesc": "^3.0.2"
@@ -8065,14 +8083,14 @@
      }
    },
    "@babel/helper-compilation-targets": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.29.7.tgz",
-      "integrity": "sha512-wem6WaBj4NaVYVdNhLPPVacES6ZJ+KBBfSkTMD3YZxbP3rm3Di85tJU5ljaUNhaOynt+Aj0xruhYuzQBt8n71g==",
+      "version": "7.25.2",
+      "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.25.2.tgz",
+      "integrity": "sha512-U2U5LsSaZ7TAt3cfaymQ8WHh0pxvdHoEk6HVpaexxixjyEquMh0L0YNJNM6CTGKMXV1iksi0iZkGw4AcFkPaaw==",
      "dev": true,
      "requires": {
-        "@babel/compat-data": "^7.29.7",
-        "@babel/helper-validator-option": "^7.29.7",
-        "browserslist": "^4.24.0",
+        "@babel/compat-data": "^7.25.2",
+        "@babel/helper-validator-option": "^7.24.8",
+        "browserslist": "^4.23.1",
        "lru-cache": "^5.1.1",
        "semver": "^6.3.1"
      }
@@ -8211,21 +8229,21 @@
      }
    },
    "@babel/helper-string-parser": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.29.7.tgz",
-      "integrity": "sha512-Pb5ijPrZ89GDH8223L4UP8i6QApWxs04RbPQJTeWDV0/keR2E36MeKnyr6LYmUUvqRRI+Iv87SuF1W6ErINzYw==",
+      "version": "7.27.1",
+      "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz",
+      "integrity": "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==",
      "dev": true
    },
    "@babel/helper-validator-identifier": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.29.7.tgz",
-      "integrity": "sha512-qehxGkRj55h/ff8EMaJ+cYhyaKlHIxqYDn682wQD7RNp9UujOQsHog2uS0r2vzr4pW+sXf90NeeayjcNaX3fFg==",
+      "version": "7.28.5",
+      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.28.5.tgz",
+      "integrity": "sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==",
      "dev": true
    },
    "@babel/helper-validator-option": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.29.7.tgz",
-      "integrity": "sha512-N9ZErrD+yW5geCDtBqnOoxmR8+tNKiGuxKlDpuJxfsqpa2dFcexaziGAE/qoHLiDDreVNMupxGmSoNlyvsA3gw==",
+      "version": "7.24.8",
+      "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.24.8.tgz",
+      "integrity": "sha512-xb8t9tD1MHLungh/AIoWYN+gVHaB9kwlu8gffXGSt3FFEIT7RjS+xWbc2vUD1UTZdIpKj/ab3rdqJ7ufngyi2Q==",
      "dev": true
    },
    "@babel/helper-wrap-function": {
@@ -8240,22 +8258,22 @@
      }
    },
    "@babel/helpers": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.29.7.tgz",
-      "integrity": "sha512-1k2lAGRMfHTcwuNYcCNUmaUffmQv8KWMfh2iJUUeRlwlwH4FdNG7mfPI10NPfLHJFThE4Tyr4mv7kTNZOiPuBg==",
+      "version": "7.25.6",
+      "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.25.6.tgz",
+      "integrity": "sha512-Xg0tn4HcfTijTwfDwYlvVCl43V6h4KyVVX2aEm4qdO/PC6L2YvzLHFdmxhoeSA3eslcE6+ZVXHgWwopXYLNq4Q==",
      "dev": true,
      "requires": {
-        "@babel/template": "^7.29.7",
-        "@babel/types": "^7.29.7"
+        "@babel/template": "^7.25.0",
+        "@babel/types": "^7.25.6"
      }
    },
    "@babel/parser": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.7.tgz",
-      "integrity": "sha512-hnORnjP/1P/zFEndoeX+n+t1RwWRJiJpM/jO7FW32Kn9r5+sJB2JWOdYo4L6k78j15eCwY3Gm/7364B1EMwtNg==",
+      "version": "7.29.3",
+      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.3.tgz",
+      "integrity": "sha512-b3ctpQwp+PROvU/cttc4OYl4MzfJUWy6FZg+PMXfzmt/+39iHVF0sDfqay8TQM3JA2EUOyKcFZt75jWriQijsA==",
      "dev": true,
      "requires": {
-        "@babel/types": "^7.29.7"
+        "@babel/types": "^7.29.0"
      }
    },
    "@babel/plugin-bugfix-firefox-class-in-computed-class-key": {
@@ -9139,14 +9157,14 @@
      }
    },
    "@babel/template": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.29.7.tgz",
-      "integrity": "sha512-puq+Gf35oI24FeN11LkoUQFqv9uwNeWpxXZi/Ji3rRIoKAzKnxRaZ+Gkj0vKS9ZCiTESfng1N9LyOyXvo+m+Gg==",
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.28.6.tgz",
+      "integrity": "sha512-YA6Ma2KsCdGb+WC6UpBVFJGXL58MDA6oyONbjyF/+5sBgxY/dwkhLogbMT2GXXyU84/IhRw/2D1Os1B/giz+BQ==",
      "dev": true,
      "requires": {
-        "@babel/code-frame": "^7.29.7",
-        "@babel/parser": "^7.29.7",
-        "@babel/types": "^7.29.7"
+        "@babel/code-frame": "^7.28.6",
+        "@babel/parser": "^7.28.6",
+        "@babel/types": "^7.28.6"
      }
    },
    "@babel/traverse": {
@@ -9165,13 +9183,13 @@
      }
    },
    "@babel/types": {
-      "version": "7.29.7",
-      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.7.tgz",
-      "integrity": "sha512-4zBIxpPzowiZpusoFkyGVwakdRJUyuH5PxQ/PrqghfdFWWasvnCdPfQXHrenDai+gyLARulZjZowCOj6fjT4pA==",
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.0.tgz",
+      "integrity": "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==",
      "dev": true,
      "requires": {
-        "@babel/helper-string-parser": "^7.29.7",
-        "@babel/helper-validator-identifier": "^7.29.7"
+        "@babel/helper-string-parser": "^7.27.1",
+        "@babel/helper-validator-identifier": "^7.28.5"
      }
    },
    "@bcoe/v8-coverage": {
@@ -9753,16 +9771,6 @@
        "@jridgewell/trace-mapping": "^0.3.24"
      }
    },
-    "@jridgewell/remapping": {
-      "version": "2.3.5",
-      "resolved": "https://registry.npmjs.org/@jridgewell/remapping/-/remapping-2.3.5.tgz",
-      "integrity": "sha512-LI9u/+laYG4Ds1TDKSJW2YPrIlcVYOwi2fUC6xB43lueCjgxV4lffOCZCtYFiH6TNOX+tQKXx97T4IKHbhyHEQ==",
-      "dev": true,
-      "requires": {
-        "@jridgewell/gen-mapping": "^0.3.5",
-        "@jridgewell/trace-mapping": "^0.3.24"
-      }
-    },
    "@jridgewell/resolve-uri": {
      "version": "3.1.0",
      "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.0.tgz",
--- a/superset-embedded-sdk/package.json
+++ b/superset-embedded-sdk/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@superset-ui/embedded-sdk",
-  "version": "0.4.0",
+  "version": "0.3.0",
  "description": "SDK for embedding resources from Superset into your own application",
  "access": "public",
  "keywords": [
--- a/superset-embedded-sdk/release-if-necessary.js
+++ b/superset-embedded-sdk/release-if-necessary.js
@@ -47,11 +47,7 @@ function logError(...args) {
      execSync('npm publish --access public', { stdio: 'pipe' });
      log(`published ${version} to npm`);
    } catch (err) {
-      // npm writes failure details to stderr (auth/permission/registry
-      // errors in particular), so surface both streams to avoid masking
-      // the real cause in CI logs.
-      if (err.stdout) console.error(String(err.stdout));
-      if (err.stderr) console.error(String(err.stderr));
+      console.error(String(err.stdout));
      logError('Encountered an error, details should be above');
      process.exitCode = 1;
    }
--- a/superset-frontend/.eslintignore
+++ b/superset-frontend/.eslintignore
@@ -0,0 +1,34 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+**/*{.,-}min.js
+**/*.sh
+coverage/**
+dist/*
+src/assets/images/*
+node_modules/*
+node_modules*/*
+vendor/*
+docs/*
+src/dashboard/deprecated/*
+src/temp/*
+**/node_modules
+*.d.ts
+coverage/
+esm/
+lib/
+tmp/
+storybook-static/
--- a/superset-frontend/.eslintrc.js
+++ b/superset-frontend/.eslintrc.js
@@ -0,0 +1,537 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+// Register TypeScript require hook so ESLint can load .ts plugin files
+require('tsx/cjs');
+
+const packageConfig = require('./package.json');
+
+const importCoreModules = [];
+Object.entries(packageConfig.dependencies).forEach(([pkg]) => {
+  if (/@superset-ui/.test(pkg)) {
+    importCoreModules.push(pkg);
+  }
+});
+
+// ignore files in production mode
+let ignorePatterns = [];
+if (process.env.NODE_ENV === 'production') {
+  ignorePatterns = [
+    '*.test.{js,ts,jsx,tsx}',
+    'plugins/**/test/**/*',
+    'packages/**/test/**/*',
+    'packages/generator-superset/**/*',
+  ];
+}
+
+const restrictedImportsRules = {
+  'no-design-icons': {
+    name: '@ant-design/icons',
+    message:
+      'Avoid importing icons directly from @ant-design/icons. Use the src/components/Icons component instead.',
+  },
+  'no-moment': {
+    name: 'moment',
+    message:
+      'Please use the dayjs library instead of moment.js. See https://day.js.org',
+  },
+  'no-lodash-memoize': {
+    name: 'lodash/memoize',
+    message: 'Lodash Memoize is unsafe! Please use memoize-one instead',
+  },
+  'no-testing-library-react': {
+    name: '@superset-ui/core/spec',
+    message: 'Please use spec/helpers/testing-library instead',
+  },
+  'no-testing-library-react-dom-utils': {
+    name: '@testing-library/react-dom-utils',
+    message: 'Please use spec/helpers/testing-library instead',
+  },
+  'no-antd': {
+    name: 'antd',
+    message: 'Please import Ant components from the index of src/components',
+  },
+  'no-superset-theme': {
+    name: '@superset-ui/core',
+    importNames: ['supersetTheme'],
+    message:
+      'Please use the theme directly from the ThemeProvider rather than importing supersetTheme.',
+  },
+  'no-query-string': {
+    name: 'query-string',
+    message: 'Please use the URLSearchParams API instead of query-string.',
+  },
+  'no-jest-mock-console': {
+    name: 'jest-mock-console',
+    message: 'Please use native Jest spies, i.e. jest.spyOn(console, "warn")',
+  },
+};
+
+module.exports = {
+  extends: [
+    'eslint:recommended',
+    'plugin:import/recommended',
+    'plugin:react-prefer-function-component/recommended',
+    'plugin:storybook/recommended',
+    'prettier',
+  ],
+  parser: '@babel/eslint-parser',
+  parserOptions: {
+    ecmaVersion: 2020,
+    sourceType: 'module',
+    ecmaFeatures: {
+      jsx: true,
+    },
+    requireConfigFile: false,
+    babelOptions: {
+      presets: ['@babel/preset-react', '@babel/preset-env'],
+    },
+  },
+  env: {
+    browser: true,
+    node: true,
+    es2020: true,
+  },
+  settings: {
+    'import/resolver': {
+      node: {
+        extensions: ['.js', '.jsx', '.ts', '.tsx', '.json'],
+        moduleDirectory: ['node_modules', '.'],
+      },
+      typescript: {
+        alwaysTryTypes: true,
+        project: [
+          './tsconfig.json',
+          './packages/superset-ui-core/tsconfig.json',
+          './packages/superset-ui-chart-controls/',
+          './plugins/*/tsconfig.json',
+        ],
+      },
+    },
+    'import/core-modules': importCoreModules,
+    react: {
+      version: 'detect',
+    },
+  },
+  plugins: [
+    'import',
+    'lodash',
+    'theme-colors',
+    'icons',
+    'i18n-strings',
+    'react-prefer-function-component',
+    'react-you-might-not-need-an-effect',
+    'prettier',
+  ],
+  rules: {
+    // === Essential Superset customizations ===
+
+    // Prettier integration
+    'prettier/prettier': 'error',
+
+    // Custom Superset rules
+    'theme-colors/no-literal-colors': 'error',
+    'icons/no-fa-icons-usage': 'error',
+    'i18n-strings/no-template-vars': 'error',
+    'i18n-strings/no-eager-t-in-config': 'off', // enabled only for controlPanel files via overrides below
+
+    // Core ESLint overrides for Superset
+    'no-console': 'warn',
+    'no-unused-vars': 'off', // TypeScript handles this
+    camelcase: [
+      'error',
+      {
+        allow: ['^UNSAFE_', '__REDUX_DEVTOOLS_EXTENSION_COMPOSE__'],
+        properties: 'never',
+      },
+    ],
+    'prefer-destructuring': ['error', { object: true, array: false }],
+    'no-prototype-builtins': 0,
+    curly: 'off',
+
+    // Import plugin overrides
+    'import/extensions': [
+      'error',
+      'ignorePackages',
+      {
+        js: 'never',
+        jsx: 'never',
+        ts: 'never',
+        tsx: 'never',
+      },
+    ],
+    'import/no-cycle': 0,
+    'import/prefer-default-export': 0,
+    'import/no-named-as-default-member': 0,
+    'import/no-extraneous-dependencies': [
+      'error',
+      {
+        devDependencies: [
+          'test/**',
+          'tests/**',
+          'spec/**',
+          '**/__tests__/**',
+          '**/__mocks__/**',
+          '*.test.{js,jsx,ts,tsx}',
+          '*.spec.{js,jsx,ts,tsx}',
+          '**/*.test.{js,jsx,ts,tsx}',
+          '**/*.spec.{js,jsx,ts,tsx}',
+          '**/jest.config.js',
+          '**/jest.setup.js',
+          '**/webpack.config.js',
+          '**/webpack.config.*.js',
+          '**/.eslintrc*.js',
+        ],
+        optionalDependencies: false,
+      },
+    ],
+
+    // React plugin overrides
+    'react-prefer-function-component/react-prefer-function-component': 1,
+
+    // React effect best practices
+    'react-you-might-not-need-an-effect/no-empty-effect': 'error',
+    'react-you-might-not-need-an-effect/no-pass-live-state-to-parent': 'error',
+    'react-you-might-not-need-an-effect/no-initialize-state': 'error',
+
+    // Lodash
+    'lodash/import-scope': [2, 'member'],
+
+    // React effect best practices
+    'react-you-might-not-need-an-effect/no-reset-all-state-on-prop-change':
+      'error',
+    'react-you-might-not-need-an-effect/no-chain-state-updates': 'error',
+    'react-you-might-not-need-an-effect/no-event-handler': 'error',
+    'react-you-might-not-need-an-effect/no-derived-state': 'error',
+
+    // Storybook
+    'storybook/prefer-pascal-case': 'error',
+
+    // File progress
+    'file-progress/activate': 1,
+
+    // React effect rules
+    'react-you-might-not-need-an-effect/no-adjust-state-on-prop-change':
+      'error',
+    'react-you-might-not-need-an-effect/no-pass-data-to-parent': 'error',
+
+    // Restricted imports
+    'no-restricted-imports': [
+      'error',
+      {
+        paths: Object.values(restrictedImportsRules).filter(Boolean),
+        patterns: ['antd/*'],
+      },
+    ],
+
+    // Temporarily disabled for migration
+    'no-unsafe-optional-chaining': 0,
+    'no-import-assign': 0,
+    'import/no-relative-packages': 0,
+    'no-promise-executor-return': 0,
+    'import/no-import-module-exports': 0,
+
+    // Restrict certain syntax patterns
+    'no-restricted-syntax': [
+      'error',
+      {
+        selector:
+          "ImportDeclaration[source.value='react'] :matches(ImportDefaultSpecifier, ImportNamespaceSpecifier)",
+        message:
+          'Default React import is not required due to automatic JSX runtime in React 16.4',
+      },
+      {
+        selector: 'ImportNamespaceSpecifier[parent.source.value!=/^(\\.|src)/]',
+        message: 'Wildcard imports are not allowed',
+      },
+    ],
+  },
+  overrides: [
+    // Eager t()/tn() in `label`/`description` config props is captured at
+    // module-load time, before i18n initializes — labels stay in the fallback
+    // language even after the user switches. Surfaced as a warning (with
+    // autofix to `() => t(...)`) wherever this is a real foot-gun:
+    // controlPanel files. Many pre-existing call sites need conversion;
+    // run `eslint --fix` on a controlPanel file to sweep it. Promote to
+    // `'error'` once the codebase is clean.
+    {
+      files: ['**/controlPanel.{ts,tsx,js,jsx}'],
+      rules: {
+        'i18n-strings/no-eager-t-in-config': 'warn',
+      },
+    },
+    // Ban JavaScript files in src/ - all new code must be TypeScript
+    {
+      files: ['src/**/*.js', 'src/**/*.jsx'],
+      rules: {
+        'no-restricted-syntax': [
+          'error',
+          {
+            selector: 'Program',
+            message:
+              'JavaScript files are not allowed in src/. Please use TypeScript (.ts/.tsx) instead.',
+          },
+        ],
+      },
+    },
+    // Ban JavaScript files in plugins/ - all plugin source code must be TypeScript
+    {
+      files: ['plugins/**/src/**/*.js', 'plugins/**/src/**/*.jsx'],
+      rules: {
+        'no-restricted-syntax': [
+          'error',
+          {
+            selector: 'Program',
+            message:
+              'JavaScript files are not allowed in plugins/. Please use TypeScript (.ts/.tsx) instead.',
+          },
+        ],
+      },
+    },
+    // Ban JavaScript files in packages/ - with exceptions for config files and generators
+    {
+      files: ['packages/**/src/**/*.js', 'packages/**/src/**/*.jsx'],
+      excludedFiles: [
+        'packages/generator-superset/**/*', // Yeoman generator templates run via Node
+        'packages/**/__mocks__/**/*', // Test mocks
+      ],
+      rules: {
+        'no-restricted-syntax': [
+          'error',
+          {
+            selector: 'Program',
+            message:
+              'JavaScript files are not allowed in packages/. Please use TypeScript (.ts/.tsx) instead.',
+          },
+        ],
+      },
+    },
+    {
+      files: ['*.ts', '*.tsx'],
+      parser: '@typescript-eslint/parser',
+      parserOptions: {
+        ecmaFeatures: {
+          jsx: true,
+        },
+        tsconfigRootDir: __dirname,
+        project: ['./tsconfig.json'],
+      },
+      extends: ['plugin:@typescript-eslint/recommended', 'prettier'],
+      plugins: ['@typescript-eslint/eslint-plugin'],
+      rules: {
+        // TypeScript-specific rule overrides
+        '@typescript-eslint/ban-ts-ignore': 0,
+        '@typescript-eslint/ban-ts-comment': 0,
+        '@typescript-eslint/ban-types': 0,
+        '@typescript-eslint/naming-convention': [
+          'error',
+          {
+            selector: 'enum',
+            format: ['PascalCase'],
+          },
+          {
+            selector: 'enumMember',
+            format: ['PascalCase'],
+          },
+        ],
+        '@typescript-eslint/no-empty-function': 0,
+        '@typescript-eslint/no-explicit-any': 0,
+        '@typescript-eslint/no-use-before-define': 'error',
+        '@typescript-eslint/no-non-null-assertion': 0,
+        '@typescript-eslint/explicit-function-return-type': 0,
+        '@typescript-eslint/explicit-module-boundary-types': 0,
+        '@typescript-eslint/no-unused-vars': 'warn',
+        '@typescript-eslint/prefer-optional-chain': 'error',
+
+        // Disable base rules that conflict with TS versions
+        'no-unused-vars': 'off',
+        'no-use-before-define': 'off',
+        'no-shadow': 'off',
+
+        // Import overrides for TypeScript
+        'import/extensions': [
+          'error',
+          'ignorePackages',
+          {
+            js: 'never',
+            jsx: 'never',
+            ts: 'never',
+            tsx: 'never',
+          },
+        ],
+      },
+      settings: {
+        'import/resolver': {
+          typescript: {},
+        },
+      },
+    },
+    {
+      files: ['packages/**'],
+      rules: {
+        'import/no-extraneous-dependencies': [
+          'error',
+          { devDependencies: true },
+        ],
+        'no-restricted-imports': [
+          'error',
+          {
+            paths: [
+              restrictedImportsRules['no-moment'],
+              restrictedImportsRules['no-lodash-memoize'],
+              restrictedImportsRules['no-superset-theme'],
+            ],
+            patterns: [],
+          },
+        ],
+      },
+    },
+    {
+      files: ['plugins/**'],
+      rules: {
+        'no-restricted-imports': [
+          'error',
+          {
+            paths: [
+              restrictedImportsRules['no-moment'],
+              restrictedImportsRules['no-lodash-memoize'],
+            ],
+            patterns: [],
+          },
+        ],
+      },
+    },
+    {
+      files: ['src/components/**', 'src/theme/**'],
+      rules: {
+        'no-restricted-imports': [
+          'error',
+          {
+            paths: Object.values(restrictedImportsRules).filter(
+              r => r.name !== 'antd',
+            ),
+            patterns: [],
+          },
+        ],
+      },
+    },
+    {
+      files: [
+        '*.test.ts',
+        '*.test.tsx',
+        '*.test.js',
+        '*.test.jsx',
+        '*.stories.tsx',
+        '*.stories.jsx',
+        'fixtures.*',
+        '**/test/**/*',
+        '**/tests/**/*',
+        'spec/**/*',
+        '**/fixtures/**/*',
+        '**/__mocks__/**/*',
+        '**/spec/**/*',
+      ],
+      excludedFiles: 'cypress-base/cypress/**/*',
+      plugins: ['jest-dom', 'no-only-tests', 'testing-library'],
+      extends: ['plugin:jest-dom/recommended', 'plugin:testing-library/react'],
+      rules: {
+        'import/no-extraneous-dependencies': [
+          'error',
+          { devDependencies: true },
+        ],
+        'prefer-promise-reject-errors': 0,
+        'max-classes-per-file': 0,
+
+        // Temporary for migration
+        'testing-library/await-async-queries': 0,
+        'testing-library/await-async-utils': 0,
+        'testing-library/no-await-sync-events': 0,
+        'testing-library/no-render-in-lifecycle': 0,
+        'testing-library/no-unnecessary-act': 0,
+        'testing-library/no-wait-for-multiple-assertions': 0,
+        'testing-library/prefer-screen-queries': 0,
+        'testing-library/await-async-events': 0,
+        'testing-library/no-node-access': 0,
+        'testing-library/no-wait-for-side-effects': 0,
+        'testing-library/prefer-presence-queries': 0,
+        'testing-library/render-result-naming-convention': 0,
+        'testing-library/no-container': 0,
+        'testing-library/prefer-find-by': 0,
+        'testing-library/no-manual-cleanup': 0,
+
+        'no-restricted-syntax': [
+          'error',
+          {
+            selector:
+              "ImportDeclaration[source.value='react'] :matches(ImportDefaultSpecifier, ImportNamespaceSpecifier)",
+            message:
+              'Default React import is not required due to automatic JSX runtime in React 16.4',
+          },
+        ],
+        'no-restricted-imports': 0,
+      },
+    },
+    {
+      files: [
+        '*.test.ts',
+        '*.test.tsx',
+        '*.test.js',
+        '*.test.jsx',
+        '*.stories.tsx',
+        '*.stories.jsx',
+        'fixtures.*',
+        '**/test/**/*',
+        '**/tests/**/*',
+        'spec/**/*',
+        '**/fixtures/**/*',
+        '**/__mocks__/**/*',
+        '**/spec/**/*',
+        'cypress-base/cypress/**/*',
+        'Stories.tsx',
+        'packages/superset-ui-core/src/theme/index.tsx',
+      ],
+      rules: {
+        'theme-colors/no-literal-colors': 0,
+        'icons/no-fa-icons-usage': 0,
+        'i18n-strings/no-template-vars': 0,
+        'no-restricted-imports': 0,
+      },
+    },
+    {
+      files: [
+        'packages/**/*.stories.*',
+        'packages/**/*.overview.*',
+        'packages/**/fixtures.*',
+      ],
+      rules: {
+        'import/no-extraneous-dependencies': 'off',
+      },
+    },
+    {
+      files: ['playwright/**/*.ts', 'playwright/**/*.js'],
+      rules: {
+        'import/no-extraneous-dependencies': [
+          'error',
+          { devDependencies: true },
+        ],
+      },
+    },
+  ],
+  ignorePatterns,
+};
--- a/superset-frontend/.eslintrc.minimal.js
+++ b/superset-frontend/.eslintrc.minimal.js
@@ -0,0 +1,124 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+// Register TypeScript require hook so ESLint can load .ts plugin files
+require('tsx/cjs');
+
+/**
+ * MINIMAL ESLint config - ONLY for rules OXC doesn't support
+ * This config is designed to be run alongside OXC linter
+ *
+ * Only covers:
+ * - Custom Superset plugins (theme-colors, icons, i18n)
+ * - Prettier formatting
+ * - File progress indicator
+ */
+
+module.exports = {
+  root: true,
+  // Don't report on eslint-disable comments for rules we don't have
+  reportUnusedDisableDirectives: false,
+  // Simple parser - no TypeScript needed since OXC handles that
+  parser: '@babel/eslint-parser',
+  parserOptions: {
+    ecmaVersion: 2020,
+    sourceType: 'module',
+    ecmaFeatures: {
+      jsx: true,
+    },
+    requireConfigFile: false,
+    babelOptions: {
+      presets: ['@babel/preset-react', '@babel/preset-env'],
+    },
+  },
+  env: {
+    browser: true,
+    node: true,
+    es2020: true,
+  },
+  plugins: [
+    // ONLY custom Superset plugins that OXC doesn't support
+    'theme-colors',
+    'icons',
+    'i18n-strings',
+    'file-progress',
+    'prettier',
+  ],
+  rules: {
+    // === ONLY rules that OXC cannot handle ===
+
+    // Prettier integration (formatting)
+    'prettier/prettier': 'error',
+
+    // Custom Superset plugins
+    'theme-colors/no-literal-colors': 'error',
+    'icons/no-fa-icons-usage': 'error',
+    'i18n-strings/no-template-vars': 'error',
+    'file-progress/activate': 1,
+
+    // Explicitly turn off all other rules to avoid conflicts
+    // when the config gets merged with other configs
+    'import/no-unresolved': 'off',
+    'import/extensions': 'off',
+    '@typescript-eslint/naming-convention': 'off',
+  },
+  overrides: [
+    {
+      // Disable custom rules in test/story files
+      files: [
+        '**/*.test.*',
+        '**/*.spec.*',
+        '**/*.stories.*',
+        '**/test/**',
+        '**/tests/**',
+        '**/spec/**',
+        '**/__tests__/**',
+        '**/__mocks__/**',
+        'cypress-base/**',
+        'packages/superset-ui-core/src/theme/index.tsx',
+      ],
+      rules: {
+        'theme-colors/no-literal-colors': 0,
+        'icons/no-fa-icons-usage': 0,
+        'i18n-strings/no-template-vars': 0,
+        'file-progress/activate': 0,
+      },
+    },
+  ],
+  // Only check src/ files where theme/icon rules matter
+  ignorePatterns: [
+    'node_modules',
+    'dist',
+    'build',
+    '.next',
+    'coverage',
+    '*.min.js',
+    'vendor',
+    // Skip packages/plugins since they have different theming rules
+    'packages/**',
+    'plugins/**',
+    // Skip generated/external files
+    '*.generated.*',
+    '*.config.js',
+    'webpack.*',
+    // Temporary analysis files
+    '*.js', // Skip all standalone JS files in root
+    '*.json',
+  ],
+};
--- a/superset-frontend/babel.config.js
+++ b/superset-frontend/babel.config.js
@@ -107,13 +107,7 @@ module.exports = {
        [
          'babel-plugin-jsx-remove-data-test-id',
          {
-            // The plugin matches attribute names exactly (no prefix match),
-            // so each data-test* attribute must be listed explicitly.
-            attributes: [
-              'data-test',
-              'data-test-drag-source-id',
-              'data-test-drop-target-id',
-            ],
+            attributes: 'data-test',
          },
        ],
      ],
--- a/superset-frontend/cypress-base/package-lock.json
+++ b/superset-frontend/cypress-base/package-lock.json
@@ -4708,15 +4708,16 @@
      }
    },
    "node_modules/form-data": {
-      "version": "4.0.6",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.6.tgz",
-      "integrity": "sha512-vKatAh4SlVfgbv+YtmhiRjhEMJsYpsG1Y2rMQtR+SVSbytsSD1YGzDIcrAJmdFec88u/+VoGmxnl+80gL1tRCQ==",
+      "version": "4.0.5",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz",
+      "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==",
+      "license": "MIT",
      "dependencies": {
        "asynckit": "^0.4.0",
        "combined-stream": "^1.0.8",
        "es-set-tostringtag": "^2.1.0",
-        "hasown": "^2.0.4",
-        "mime-types": "^2.1.35"
+        "hasown": "^2.0.2",
+        "mime-types": "^2.1.12"
      },
      "engines": {
        "node": ">= 6"
@@ -5028,9 +5029,10 @@
      }
    },
    "node_modules/hasown": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.4.tgz",
-      "integrity": "sha512-T2UbfbBEF32wiepXIsMlTW9+dDYC6wMh/t/vYA4tuOMKqWz/n3vr1NFSxQiyP+zk2mXsoMA/i/7qV6LKut1t1A==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
+      "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
+      "license": "MIT",
      "dependencies": {
        "function-bind": "^1.1.2"
      },
@@ -10226,7 +10228,7 @@
        "camelcase": "^5.3.1",
        "find-up": "^4.1.0",
        "get-package-type": "^0.1.0",
-        "js-yaml": "^3.13.1",
+        "js-yaml": "4.1.1",
        "resolve-from": "^5.0.0"
      },
      "dependencies": {
@@ -10236,7 +10238,8 @@
          "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q=="
        },
        "js-yaml": {
-          "version": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
+          "version": "4.1.1",
+          "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
          "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
          "requires": {
            "argparse": "^2.0.1"
@@ -12342,15 +12345,15 @@
      "integrity": "sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw=="
    },
    "form-data": {
-      "version": "4.0.6",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.6.tgz",
-      "integrity": "sha512-vKatAh4SlVfgbv+YtmhiRjhEMJsYpsG1Y2rMQtR+SVSbytsSD1YGzDIcrAJmdFec88u/+VoGmxnl+80gL1tRCQ==",
+      "version": "4.0.5",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz",
+      "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==",
      "requires": {
        "asynckit": "^0.4.0",
        "combined-stream": "^1.0.8",
        "es-set-tostringtag": "^2.1.0",
-        "hasown": "^2.0.4",
-        "mime-types": "^2.1.35"
+        "hasown": "^2.0.2",
+        "mime-types": "^2.1.12"
      }
    },
    "fromentries": {
@@ -12571,9 +12574,9 @@
      }
    },
    "hasown": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.4.tgz",
-      "integrity": "sha512-T2UbfbBEF32wiepXIsMlTW9+dDYC6wMh/t/vYA4tuOMKqWz/n3vr1NFSxQiyP+zk2mXsoMA/i/7qV6LKut1t1A==",
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
+      "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
      "requires": {
        "function-bind": "^1.1.2"
      }
--- a/superset-frontend/eslint-rules/eslint-plugin-i18n-strings/no-template-vars.test.ts
+++ b/superset-frontend/eslint-rules/eslint-plugin-i18n-strings/no-template-vars.test.ts
@@ -31,13 +31,12 @@ const plugin: { rules: Record<string, Rule.RuleModule> } = require('.');
 // Tests
 //------------------------------------------------------------------------------

-const ruleTester = new RuleTester({ languageOptions: { ecmaVersion: 6 } });
+const ruleTester = new RuleTester({ parserOptions: { ecmaVersion: 6 } });
 const rule: Rule.RuleModule = plugin.rules['no-template-vars'];

-const errors: Array<{ message: string }> = [
+const errors: Array<{ type: string }> = [
  {
-    message:
-      "Don't use variables in translation string templates. Flask-babel is a static translation service, so it can't handle strings that include variables",
+    type: 'CallExpression',
  },
 ];

--- a/superset-frontend/eslint-rules/eslint-plugin-icons/no-fontawesome.test.ts
+++ b/superset-frontend/eslint-rules/eslint-plugin-icons/no-fontawesome.test.ts
@@ -31,10 +31,7 @@ const plugin: { rules: Record<string, Rule.RuleModule> } = require('.');
 // Tests
 //------------------------------------------------------------------------------
 const ruleTester = new RuleTester({
-  languageOptions: {
-    ecmaVersion: 6,
-    parserOptions: { ecmaFeatures: { jsx: true } },
-  },
+  parserOptions: { ecmaVersion: 6, ecmaFeatures: { jsx: true } },
 });
 const rule: Rule.RuleModule = plugin.rules['no-fa-icons-usage'];

--- a/superset-frontend/eslint.config.minimal.js
+++ b/superset-frontend/eslint.config.minimal.js
@@ -1,137 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-/**
- * MINIMAL ESLint flat config - ONLY for rules OXC doesn't support.
- *
- * This config is run alongside the OXC (oxlint) linter, which handles the
- * bulk of linting. ESLint here only covers the custom Superset plugins and
- * Prettier formatting that oxlint cannot express. It is consumed by
- * `scripts/oxlint-metrics-uploader.js` (`npm run lint-stats`).
- *
- * Migrated from the legacy `.eslintrc.minimal.js` (eslintrc) format to flat
- * config for ESLint v9+/v10, where eslintrc is no longer supported.
- *
- * Only covers:
- * - Custom Superset plugins (theme-colors, icons, i18n-strings)
- * - Prettier formatting
- */
-
-// Register the TypeScript require hook so ESLint can load the .ts plugin files
-// from eslint-rules/*.
-require('tsx/cjs');
-
-const tsParser = require('@typescript-eslint/parser');
-const prettierPlugin = require('eslint-plugin-prettier');
-const themeColorsPlugin = require('eslint-plugin-theme-colors');
-const iconsPlugin = require('eslint-plugin-icons');
-const i18nStringsPlugin = require('eslint-plugin-i18n-strings');
-
-module.exports = [
-  // Files this config applies to. Flat config has no `--ext`; globs live here.
-  // Only check src/ files where the theme/icon/i18n rules matter.
-  {
-    ignores: [
-      'node_modules/**',
-      'dist/**',
-      'build/**',
-      '.next/**',
-      'coverage/**',
-      '**/*.min.js',
-      'vendor/**',
-      // Skip packages/plugins since they have different theming rules
-      'packages/**',
-      'plugins/**',
-      // Skip generated/external/config files
-      '**/*.generated.*',
-      '**/*.config.js',
-      '**/webpack.*',
-      '*.json',
-    ],
-  },
-  {
-    files: ['**/*.{js,jsx,ts,tsx}'],
-    languageOptions: {
-      ecmaVersion: 2020,
-      sourceType: 'module',
-      // The @typescript-eslint parser handles both TS/TSX and plain JS/JSX and
-      // is compatible with ESLint v10's scope manager. (The legacy
-      // @babel/eslint-parser does not support ESLint v10.) The custom rules
-      // here are pure AST visitors and do not require type information, so no
-      // `project` is configured — this keeps parsing fast.
-      parser: tsParser,
-      parserOptions: {
-        ecmaFeatures: {
-          jsx: true,
-        },
-      },
-    },
-    // Don't report on eslint-disable comments for rules we don't have.
-    linterOptions: {
-      reportUnusedDisableDirectives: false,
-    },
-    plugins: {
-      prettier: prettierPlugin,
-      'theme-colors': themeColorsPlugin,
-      icons: iconsPlugin,
-      'i18n-strings': i18nStringsPlugin,
-    },
-    rules: {
-      // Prettier integration (formatting)
-      'prettier/prettier': 'error',
-
-      // Custom Superset plugins
-      'theme-colors/no-literal-colors': 'error',
-      'icons/no-fa-icons-usage': 'error',
-      'i18n-strings/no-template-vars': 'error',
-      // Enabled only for controlPanel files via the override below.
-      'i18n-strings/no-eager-t-in-config': 'off',
-    },
-  },
-  {
-    // Eager t()/tn() in `label`/`description` config props is captured at
-    // module-load time, before i18n initializes — labels stay in the fallback
-    // language even after the user switches. Surfaced as a warning (with
-    // autofix to `() => t(...)`) wherever this is a real foot-gun:
-    // controlPanel files. Promote to `'error'` once the codebase is clean.
-    files: ['**/controlPanel.{ts,tsx,js,jsx}'],
-    rules: {
-      'i18n-strings/no-eager-t-in-config': 'warn',
-    },
-  },
-  {
-    // Disable custom rules in test/story files
-    files: [
-      '**/*.test.*',
-      '**/*.spec.*',
-      '**/*.stories.*',
-      '**/test/**',
-      '**/tests/**',
-      '**/spec/**',
-      '**/__tests__/**',
-      '**/__mocks__/**',
-      'cypress-base/**',
-    ],
-    rules: {
-      'theme-colors/no-literal-colors': 'off',
-      'icons/no-fa-icons-usage': 'off',
-      'i18n-strings/no-template-vars': 'off',
-    },
-  },
-];
--- a/superset-frontend/jest.config.js
+++ b/superset-frontend/jest.config.js
@@ -69,7 +69,7 @@ module.exports = {
  ],
  coverageReporters: ['lcov', 'json-summary', 'html', 'text'],
  transformIgnorePatterns: [
-    'node_modules/(?!@formatjs/.*|d3-(array|interpolate|color|time|scale|time-format|format)|internmap|@mapbox/tiny-sdf|remark-gfm|(?!@ngrx|(?!deck.gl)|d3-scale)|markdown-table|micromark-*.|decode-named-character-reference|character-entities|mdast-util-*.|unist-util-*.|ccount|escape-string-regexp|nanoid|uuid|@rjsf/*.|echarts|zrender|fetch-mock|pretty-ms|parse-ms|ol|@babel/runtime|@emotion|cheerio|cheerio/lib|parse5|dom-serializer|entities|htmlparser2|rehype-sanitize|hast-util-sanitize|unified|unist-.*|hast-.*|rehype-.*|remark-.*|mdast-.*|micromark-.*|parse-entities|property-information|space-separated-tokens|comma-separated-tokens|bail|devlop|zwitch|longest-streak|geostyler|geostyler-.*|(?!geostyler)lodash|react-error-boundary|react-json-tree|react-base16-styling|lodash-es|rbush|quickselect|react-diff-viewer-continued|storybook/*.|json-stringify-pretty-compact)',
+    'node_modules/(?!@formatjs/.*|d3-(array|interpolate|color|time|scale|time-format|format)|internmap|@mapbox/tiny-sdf|remark-gfm|(?!@ngrx|(?!deck.gl)|d3-scale)|markdown-table|micromark-*.|decode-named-character-reference|character-entities|mdast-util-*.|unist-util-*.|ccount|escape-string-regexp|nanoid|uuid|@rjsf/*.|echarts|zrender|fetch-mock|pretty-ms|parse-ms|ol|@babel/runtime|@emotion|cheerio|cheerio/lib|parse5|dom-serializer|entities|htmlparser2|rehype-sanitize|hast-util-sanitize|unified|unist-.*|hast-.*|rehype-.*|remark-.*|mdast-.*|micromark-.*|parse-entities|property-information|space-separated-tokens|comma-separated-tokens|bail|devlop|zwitch|longest-streak|geostyler|geostyler-.*|(?!geostyler)lodash|react-error-boundary|react-json-tree|react-base16-styling|lodash-es|rbush|quickselect|react-diff-viewer-continued|storybook/*.)',
  ],
  preset: 'ts-jest',
  transform: {
--- a/superset-frontend/oxlint.json
+++ b/superset-frontend/oxlint.json
@@ -287,15 +287,13 @@
  "ignorePatterns": [
    "packages/generator-superset/**/*",
    "cypress-base/**",
-    "**/node_modules/**",
+    "node_modules/**",
    "build/**",
-    "**/dist/**",
-    "**/lib/**",
-    "**/esm/**",
-    "**/*.min.js",
-    "**/*.d.ts",
+    "dist/**",
+    "lib/**",
+    "esm/**",
+    "*.min.js",
    "coverage/**",
-    "storybook-static/**",
    ".git/**",
    "**/*.config.js",
    "**/*.config.ts"
--- a/superset-frontend/package-lock.json
+++ b/superset-frontend/package-lock.json
--- a/superset-frontend/package.json
+++ b/superset-frontend/package.json
@@ -158,57 +158,58 @@
    "@types/d3-selection": "^3.0.11",
    "@types/d3-time-format": "^4.0.3",
    "@types/react-google-recaptcha": "^2.1.9",
-    "@visx/axis": "^4.0.0",
-    "@visx/grid": "^4.0.0",
-    "@visx/responsive": "^4.0.0",
-    "@visx/scale": "^4.0.0",
-    "@visx/tooltip": "^4.0.0",
-    "@visx/xychart": "^4.0.0",
+    "@visx/axis": "^3.8.0",
+    "@visx/grid": "^3.5.0",
+    "@visx/responsive": "^3.0.0",
+    "@visx/scale": "^3.5.0",
+    "@visx/tooltip": "^3.0.0",
+    "@visx/xychart": "^3.5.1",
    "ag-grid-community": "35.3.1",
    "ag-grid-react": "35.3.1",
    "antd": "^5.26.0",
    "chrono-node": "^2.9.1",
    "classnames": "^2.2.5",
    "content-disposition": "^2.0.1",
+    "d3-color": "^3.1.0",
    "d3-scale": "^4.0.2",
    "dayjs": "^1.11.21",
-    "dom-to-image-more": "^3.10.0",
+    "dom-to-image-more": "^3.7.2",
    "dom-to-pdf": "^0.3.2",
    "echarts": "^5.6.0",
    "fast-glob": "^3.3.2",
    "fs-extra": "^11.3.5",
-    "fuse.js": "^7.4.2",
+    "fuse.js": "^7.4.1",
    "geolib": "^3.3.14",
    "geostyler": "^18.6.0",
    "geostyler-data": "^1.1.0",
    "geostyler-openlayers-parser": "^5.7.0",
    "geostyler-style": "11.0.2",
    "geostyler-wfs-parser": "^3.0.1",
-    "google-auth-library": "^10.7.0",
+    "google-auth-library": "^10.6.2",
    "immer": "^11.1.8",
    "interweave": "^13.1.1",
    "jquery": "^4.0.0",
    "js-levenshtein": "^1.1.6",
    "json-bigint": "^1.0.0",
-    "json-stringify-pretty-compact": "^4.0.0",
+    "json-stringify-pretty-compact": "^2.0.0",
    "lodash": "^4.18.1",
-    "mapbox-gl": "^3.24.1",
-    "markdown-to-jsx": "^9.8.2",
+    "mapbox-gl": "^3.24.0",
+    "markdown-to-jsx": "^9.8.1",
    "match-sorter": "^8.3.0",
-    "memoize-one": "^6.0.0",
+    "memoize-one": "^5.2.1",
    "mousetrap": "^1.6.5",
    "mustache": "^4.2.0",
    "nanoid": "^5.1.11",
    "ol": "^10.9.0",
    "query-string": "9.4.0",
    "re-resizable": "^6.11.2",
-    "react": "^18.3.0",
-    "react-arborist": "^3.10.5",
+    "react": "^18.2.0",
+    "react-arborist": "^3.8.0",
    "react-checkbox-tree": "^1.8.0",
    "react-diff-viewer-continued": "^4.2.2",
    "react-dnd": "^11.1.3",
    "react-dnd-html5-backend": "^11.1.3",
-    "react-dom": "^18.3.0",
+    "react-dom": "^18.2.0",
    "react-google-recaptcha": "^3.1.0",
    "react-intersection-observer": "^10.0.3",
    "react-json-tree": "^0.20.0",
@@ -230,9 +231,9 @@
    "redux-undo": "^1.0.0-beta9-9-7",
    "rison": "^0.1.1",
    "scroll-into-view-if-needed": "^3.1.0",
-    "simple-zstd": "^2.1.0",
+    "simple-zstd": "^1.4.2",
    "stream-browserify": "^3.0.0",
-    "tinycolor2": "^1.6.0",
+    "tinycolor2": "^1.4.2",
    "urijs": "^1.19.8",
    "use-event-callback": "^0.1.0",
    "use-immer": "^0.11.0",
@@ -260,16 +261,16 @@
    "@babel/types": "^7.29.7",
    "@emotion/babel-plugin": "^11.13.5",
    "@emotion/jest": "^11.14.2",
-    "@formatjs/intl-durationformat": "^0.10.15",
+    "@formatjs/intl-durationformat": "^0.10.13",
    "@istanbuljs/nyc-config-typescript": "^1.0.1",
-    "@playwright/test": "^1.61.0",
+    "@playwright/test": "^1.60.0",
    "@pmmmwh/react-refresh-webpack-plugin": "^0.6.2",
-    "@storybook/addon-docs": "10.4.5",
-    "@storybook/addon-links": "10.4.4",
-    "@storybook/react-webpack5": "10.4.4",
+    "@storybook/addon-docs": "10.4.2",
+    "@storybook/addon-links": "10.4.2",
+    "@storybook/react-webpack5": "10.4.2",
    "@storybook/test-runner": "0.24.4",
    "@svgr/webpack": "^8.1.0",
-    "@swc/core": "^1.15.41",
+    "@swc/core": "^1.15.40",
    "@swc/plugin-emotion": "^14.12.0",
    "@swc/plugin-transform-imports": "^12.5.0",
    "@testing-library/dom": "^9.3.4",
@@ -279,13 +280,13 @@
    "@types/content-disposition": "^0.5.9",
    "@types/dom-to-image": "^2.6.7",
    "@types/jest": "^30.0.0",
-    "@types/jquery": "^4.0.1",
+    "@types/jquery": "^4.0.0",
    "@types/js-levenshtein": "^1.1.3",
    "@types/json-bigint": "^1.0.4",
    "@types/mousetrap": "^1.6.15",
-    "@types/node": "^25.9.3",
-    "@types/react": "^18.3.0",
-    "@types/react-dom": "^18.3.0",
+    "@types/node": "^25.9.1",
+    "@types/react": "^18.2.0",
+    "@types/react-dom": "^18.2.0",
    "@types/react-loadable": "^5.5.11",
    "@types/react-redux": "^7.1.10",
    "@types/react-router-dom": "^5.3.3",
@@ -296,22 +297,22 @@
    "@types/rison": "0.1.0",
    "@types/tinycolor2": "^1.4.3",
    "@types/unzipper": "^0.10.11",
-    "@typescript-eslint/eslint-plugin": "^8.61.1",
-    "@typescript-eslint/parser": "^8.61.0",
+    "@typescript-eslint/eslint-plugin": "^8.60.1",
+    "@typescript-eslint/parser": "^8.59.4",
    "babel-jest": "^30.4.1",
    "babel-loader": "^10.1.1",
    "babel-plugin-dynamic-import-node": "^2.3.3",
    "babel-plugin-jsx-remove-data-test-id": "^3.0.0",
    "babel-plugin-lodash": "^3.3.4",
-    "baseline-browser-mapping": "^2.10.37",
+    "baseline-browser-mapping": "^2.10.33",
    "cheerio": "1.2.0",
    "concurrently": "^10.0.3",
    "copy-webpack-plugin": "^14.0.0",
    "cross-env": "^10.1.0",
    "css-loader": "^7.1.4",
    "css-minimizer-webpack-plugin": "^8.0.0",
-    "eslint": "^10.5.0",
-    "eslint-config-prettier": "^10.1.8",
+    "eslint": "^8.56.0",
+    "eslint-config-prettier": "^7.2.0",
    "eslint-import-resolver-alias": "^1.1.2",
    "eslint-import-resolver-typescript": "^4.4.5",
    "eslint-plugin-cypress": "^3.6.0",
@@ -319,12 +320,12 @@
    "eslint-plugin-icons": "file:eslint-rules/eslint-plugin-icons",
    "eslint-plugin-import": "^2.32.0",
    "eslint-plugin-jest-dom": "^5.5.0",
-    "eslint-plugin-lodash": "^8.0.0",
+    "eslint-plugin-lodash": "^7.4.0",
    "eslint-plugin-no-only-tests": "^3.4.0",
    "eslint-plugin-prettier": "^5.5.6",
    "eslint-plugin-react-prefer-function-component": "^5.0.0",
-    "eslint-plugin-react-you-might-not-need-an-effect": "^1.0.1",
-    "eslint-plugin-storybook": "10.4.5",
+    "eslint-plugin-react-you-might-not-need-an-effect": "^0.10.4",
+    "eslint-plugin-storybook": "10.4.2",
    "eslint-plugin-testing-library": "^7.16.2",
    "eslint-plugin-theme-colors": "file:eslint-rules/eslint-plugin-theme-colors",
    "fetch-mock": "^12.6.0",
@@ -343,19 +344,18 @@
    "lightningcss": "^1.32.0",
    "mini-css-extract-plugin": "^2.10.2",
    "open-cli": "^9.0.0",
-    "oxlint": "^1.70.0",
+    "oxlint": "^1.68.0",
    "po2json": "^0.4.5",
-    "prettier": "3.8.4",
+    "prettier": "3.8.3",
    "prettier-plugin-packagejson": "^3.0.2",
    "process": "^0.11.10",
-    "react-dnd-test-backend": "^16.0.1",
    "react-refresh": "^0.18.0",
    "react-resizable": "^4.0.1",
    "redux-mock-store": "^1.5.4",
    "source-map": "^0.7.6",
    "source-map-support": "^0.5.21",
    "speed-measure-webpack-plugin": "^1.6.0",
-    "storybook": "10.4.5",
+    "storybook": "10.4.2",
    "style-loader": "^4.0.0",
    "swc-loader": "^0.2.7",
    "terser-webpack-plugin": "^5.6.1",
@@ -368,9 +368,9 @@
    "wait-on": "^9.0.10",
    "webpack": "^5.107.2",
    "webpack-bundle-analyzer": "^5.3.0",
-    "webpack-cli": "^7.0.3",
-    "webpack-dev-server": "^5.2.5",
-    "webpack-manifest-plugin": "^6.0.1",
+    "webpack-cli": "^6.0.1",
+    "webpack-dev-server": "^5.2.4",
+    "webpack-manifest-plugin": "^5.0.1",
    "webpack-sources": "^3.5.0",
    "webpack-visualizer-plugin2": "^2.0.0"
  },
@@ -414,16 +414,7 @@
    "@jest/types": "^30.4.0",
    "jest-util": "^30.4.0",
    "jest-circus": "^30.4.0",
-    "jest-environment-node": "^30.4.0",
-    "@babel/eslint-parser": {
-      "eslint": "$eslint"
-    },
-    "eslint-plugin-import": {
-      "eslint": "$eslint"
-    },
-    "eslint-plugin-jest-dom": {
-      "eslint": "$eslint"
-    }
+    "jest-environment-node": "^30.4.0"
  },
  "readme": "ERROR: No README data found!",
  "scarfSettings": {
--- a/superset-frontend/packages/generator-superset/package.json
+++ b/superset-frontend/packages/generator-superset/package.json
@@ -37,7 +37,7 @@
    "cross-env": "^10.1.0",
    "fs-extra": "^11.3.5",
    "jest": "^30.4.2",
-    "yeoman-test": "^11.6.0"
+    "yeoman-test": "^11.5.2"
  },
  "engines": {
    "npm": ">= 4.0.0",
--- a/superset-frontend/packages/superset-core/package.json
+++ b/superset-frontend/packages/superset-core/package.json
@@ -97,8 +97,8 @@
    "@fontsource/ibm-plex-mono": "^5.2.7",
    "@fontsource/inter": "^5.2.6",
    "nanoid": "^5.0.9",
-    "react": "^18.3.0",
-    "react-dom": "^18.3.0",
+    "react": "^18.2.0",
+    "react-dom": "^18.2.0",
    "react-loadable": "^5.5.0",
    "tinycolor2": "*",
    "lodash": "^4.18.1",
--- a/superset-frontend/packages/superset-core/src/utils/logging.test.ts
+++ b/superset-frontend/packages/superset-core/src/utils/logging.test.ts
@@ -16,26 +16,13 @@
 * specific language governing permissions and limitations
 * under the License.
 */
-export {}; // ensure this file is treated as a module so top-level declarations don't leak into global scope
-
-type LoggingModule = typeof import('./index');
-
-const loadLogging = (): LoggingModule['logging'] => {
-  let logging: LoggingModule['logging'] | undefined;
-  jest.isolateModules(() => {
-    ({ logging } = jest.requireActual<LoggingModule>(
-      '@apache-superset/core/utils',
-    ));
-  });
-  return logging!;
-};
-
 beforeEach(() => {
+  jest.resetModules();
  jest.resetAllMocks();
 });

 test('should pipe to `console` methods', () => {
-  const logging = loadLogging();
+  const { logging } = require('@apache-superset/core/utils');

  jest.spyOn(logging, 'debug').mockImplementation();
  jest.spyOn(logging, 'log').mockImplementation();
@@ -63,24 +50,20 @@ test('should pipe to `console` methods', () => {
 });

 test('should use noop functions when console unavailable', () => {
-  const originalConsole = window.console;
  Object.assign(window, { console: undefined });
-  try {
-    const logging = loadLogging();
+  const { logging } = require('@apache-superset/core/utils');

-    expect(() => {
-      logging.debug();
-      logging.log();
-      logging.info();
-      logging.warn('warn');
-      logging.error('error');
-      logging.trace();
-      logging.table([
-        [1, 2],
-        [3, 4],
-      ]);
-    }).not.toThrow();
-  } finally {
-    Object.assign(window, { console: originalConsole });
-  }
+  expect(() => {
+    logging.debug();
+    logging.log();
+    logging.info();
+    logging.warn('warn');
+    logging.error('error');
+    logging.trace();
+    logging.table([
+      [1, 2],
+      [3, 4],
+    ]);
+  }).not.toThrow();
+  Object.assign(window, { console });
 });
--- a/superset-frontend/packages/superset-ui-chart-controls/package.json
+++ b/superset-frontend/packages/superset-ui-chart-controls/package.json
@@ -39,10 +39,10 @@
    "@testing-library/user-event": "*",
    "ace-builds": "^1.4.14",
    "brace": "^0.11.1",
-    "memoize-one": "^6.0.0",
-    "react": "^18.3.0",
+    "memoize-one": "^5.1.1",
+    "react": "^18.2.0",
    "react-ace": "^10.1.0",
-    "react-dom": "^18.3.0"
+    "react-dom": "^18.2.0"
  },
  "publishConfig": {
    "access": "public"
--- a/superset-frontend/packages/superset-ui-chart-controls/src/types.ts
+++ b/superset-frontend/packages/superset-ui-chart-controls/src/types.ts
@@ -677,9 +677,7 @@ export interface ServerPaginationData {

 export type TableColumnConfig = {
  d3NumberFormat?: string;
-  // Allow null to match JSON round-trips, where an unset value deserializes
-  // from the metadata DB as `null` rather than `undefined`.
-  d3SmallNumberFormat?: string | null;
+  d3SmallNumberFormat?: string;
  d3TimeFormat?: string;
  columnWidth?: number;
  horizontalAlign?: 'left' | 'right' | 'center';
--- a/superset-frontend/packages/superset-ui-core/package.json
+++ b/superset-frontend/packages/superset-ui-core/package.json
@@ -29,7 +29,7 @@
    "@babel/runtime": "^7.29.7",
    "@braintree/sanitize-url": "^7.1.2",
    "@types/json-bigint": "^1.0.4",
-    "@visx/responsive": "^4.0.0",
+    "@visx/responsive": "^3.12.0",
    "ace-builds": "^1.44.0",
    "ag-grid-community": "35.3.1",
    "ag-grid-react": "35.3.1",
@@ -43,7 +43,7 @@
    "d3-time": "^3.1.0",
    "d3-time-format": "^4.1.0",
    "dayjs": "^1.11.21",
-    "dompurify": "^3.4.11",
+    "dompurify": "^3.4.8",
    "fetch-retry": "^6.0.0",
    "handlebars": "^4.7.9",
    "jed": "^1.1.1",
@@ -75,9 +75,9 @@
    "@types/d3-scale": "^2.1.1",
    "@types/d3-time": "^3.0.4",
    "@types/d3-time-format": "^4.0.3",
-    "@types/jquery": "^4.0.1",
+    "@types/jquery": "^4.0.0",
    "@types/lodash": "^4.17.24",
-    "@types/node": "^25.9.3",
+    "@types/node": "^25.9.1",
    "@types/prop-types": "^15.7.15",
    "@types/react-syntax-highlighter": "^15.5.13",
    "@types/react-table": "^7.7.20",
@@ -101,8 +101,8 @@
    "@types/tinycolor2": "*",
    "antd": "^5.26.0",
    "nanoid": "^5.0.9",
-    "react": "^18.3.0",
-    "react-dom": "^18.3.0",
+    "react": "^18.2.0",
+    "react-dom": "^18.2.0",
    "react-loadable": "^5.5.0",
    "tinycolor2": "*"
  },
--- a/superset-frontend/packages/superset-ui-core/src/components/AsyncAceEditor/AsyncAceEditor.test.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/AsyncAceEditor/AsyncAceEditor.test.tsx
@@ -18,7 +18,6 @@
 */
 import { createRef } from 'react';
 import { render, screen, waitFor } from '@superset-ui/core/spec';
-import { supersetTheme } from '@apache-superset/core/theme';
 import type AceEditor from 'react-ace';
 import {
  AsyncAceEditor,
@@ -29,7 +28,6 @@ import {
  CssEditor,
  JsonEditor,
  ConfigEditor,
-  aceCompletionHighlightStyles,
 } from '.';

 import type { AceModule, AsyncAceEditorOptions } from './types';
@@ -44,17 +42,6 @@ test('renders SQLEditor', async () => {
  });
 });

-test('themes the autocomplete completion highlight from the theme', () => {
-  // Ace ships a hardcoded `color: #000` for the matched-prefix highlight, which
-  // is invisible on the dark autocomplete popup. The shared editor overrides it
-  // from the theme so every Ace editor (SQL Lab, Explore Custom SQL, ...) stays
-  // consistent.
-  const { styles } = aceCompletionHighlightStyles(supersetTheme);
-
-  expect(styles).toContain('.ace_completion-highlight');
-  expect(styles).toContain(supersetTheme.colorPrimaryText);
-});
-
 test('SQLEditor uses fontFamilyCode from theme', async () => {
  const ref = createRef<AceEditor>();
  const { container } = render(<SQLEditor ref={ref as React.Ref<never>} />);
--- a/superset-frontend/packages/superset-ui-core/src/components/AsyncAceEditor/index.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/AsyncAceEditor/index.tsx
@@ -32,7 +32,7 @@ import {
  AsyncEsmComponent,
  PlaceholderProps,
 } from '@superset-ui/core/components/AsyncEsmComponent';
-import { useTheme, css, type SupersetTheme } from '@apache-superset/core/theme';
+import { useTheme, css } from '@apache-superset/core/theme';
 import { Global } from '@emotion/react';

 export { getTooltipHTML } from './Tooltip';
@@ -105,19 +105,6 @@ export type AsyncAceEditorOptions = {
  > | null;
 };

-/**
- * Theme-aware styling for the matched-prefix highlight in the autocomplete
- * popup. Ace ships a hardcoded `color: #000` that is invisible on the dark
- * popup, so the override needs `!important` to win. Lives in the shared editor
- * so every Ace editor (SQL Lab, Explore Custom SQL, ...) stays consistent.
- */
-export const aceCompletionHighlightStyles = (token: SupersetTheme) => css`
-  .ace_completion-highlight {
-    color: ${token.colorPrimaryText} !important;
-    background-color: ${token.colorPrimaryBgHover};
-  }
-`;
-
 /**
 * Get an async AceEditor with automatical loading of specified ace modules.
 */
@@ -383,8 +370,6 @@ export function AsyncAceEditor(
                  display: flex !important;
                }

-                ${aceCompletionHighlightStyles(token)}
-
                &&& .tooltip-detail {
                  display: flex;
                  justify-content: center;
--- a/superset-frontend/packages/superset-ui-core/src/components/Avatar/index.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/Avatar/index.tsx
@@ -17,23 +17,15 @@
 * under the License.
 */

-import { forwardRef } from 'react';
 import { Avatar as AntdAvatar } from 'antd';
 import type { AvatarProps, GroupProps as AvatarGroupProps } from './types';

-export const Avatar = forwardRef<HTMLSpanElement, AvatarProps>((props, ref) => (
-  <AntdAvatar ref={ref} {...props} />
-));
+export function Avatar(props: AvatarProps) {
+  return <AntdAvatar {...props} />;
+}

-// antd Avatar.Group is a plain function component without forwardRef; wrap in
-// a span so this component can be a Tooltip / Popover trigger and skip the
-// findDOMNode fallback.
-export const AvatarGroup = forwardRef<HTMLSpanElement, AvatarGroupProps>(
-  (props, ref) => (
-    <span ref={ref}>
-      <AntdAvatar.Group {...props} />
-    </span>
-  ),
-);
+export function AvatarGroup(props: AvatarGroupProps) {
+  return <AntdAvatar.Group {...props} />;
+}

 export type { AvatarProps, AvatarGroupProps };
--- a/superset-frontend/packages/superset-ui-core/src/components/Button/index.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/Button/index.tsx
@@ -16,7 +16,7 @@
 * specific language governing permissions and limitations
 * under the License.
 */
-import { Children, ReactElement, Fragment, forwardRef, Ref } from 'react';
+import { Children, ReactElement, Fragment } from 'react';
 import cx from 'classnames';
 import { Button as AntdButton } from 'antd';
 import { useTheme } from '@apache-superset/core/theme';
@@ -100,7 +100,7 @@ const BUTTON_STYLE_MAP: Record<
  link: { type: 'link' },
 };

-function ButtonInner(props: ButtonProps, ref: Ref<HTMLElement>) {
+export function Button(props: ButtonProps) {
  const {
    tooltip,
    placement,
@@ -160,7 +160,6 @@ function ButtonInner(props: ButtonProps, ref: Ref<HTMLElement>) {

  const button = (
    <AntdButton
-      ref={ref as Ref<HTMLButtonElement & HTMLAnchorElement>}
      href={disabled ? undefined : href}
      disabled={disabled}
      type={antdType}
@@ -236,6 +235,4 @@ function ButtonInner(props: ButtonProps, ref: Ref<HTMLElement>) {
  return button;
 }

-export const Button = forwardRef<HTMLElement, ButtonProps>(ButtonInner);
-
 export type { ButtonProps, OnClickHandler };
--- a/superset-frontend/packages/superset-ui-core/src/components/DropdownButton/index.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/DropdownButton/index.tsx
@@ -75,10 +75,7 @@ export const DropdownButton = ({
        id={`${kebabCase(tooltip)}-tooltip`}
        title={tooltip}
      >
-        {/* antd Dropdown.Button is a plain function component without
-            forwardRef; wrap in a span so the Tooltip can attach a ref to a
-            real DOM node and skip the findDOMNode fallback. */}
-        <span>{button}</span>
+        {button}
      </Tooltip>
    );
  }
--- a/superset-frontend/packages/superset-ui-core/src/components/DynamicEditableTitle/DynamicEditableTitle.regression.test.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/DynamicEditableTitle/DynamicEditableTitle.regression.test.tsx
@@ -70,46 +70,11 @@ test('a change event that arrives before isEditing flips is not dropped', () =>
 });

 test('prop changes mid-edit do not clobber unsaved typing', async () => {
-  // Rerender DynamicEditableTitle directly with a changed title prop so the
-  // sync effect actually runs. Going through Harness would not exercise the
-  // bug because Harness owns its own state and only reads initialTitle once.
-  const onSave = jest.fn();
-  const props = {
-    placeholder: 'placeholder',
-    canEdit: true,
-    label: 'Title',
-    onSave,
-  };
-  const { rerender } = render(<DynamicEditableTitle {...props} title="Foo" />);
+  const { rerender } = render(<Harness initialTitle="Foo" />);
  const input = screen.getByRole('textbox') as HTMLInputElement;
  userEvent.click(input);
  await userEvent.type(input, 'X', { delay: 1 });
  expect(input.value).toBe('FooX');
-  rerender(<DynamicEditableTitle {...props} title="Bar" />);
+  rerender(<Harness initialTitle="Foo" />);
  expect(input.value).toBe('FooX');
-  // Locks in commit semantics: blur after a real edit must persist the
-  // user's typed value, even when a competing parent-driven title arrived
-  // mid-edit.
-  fireEvent.blur(input);
-  expect(onSave).toHaveBeenCalledWith('FooX');
-});
-
-test('passive focus then parent-driven title change then blur does not revert', () => {
-  // Phantom-revert scenario: user clicks the input but does not type, the
-  // parent autosaves a new title from elsewhere, then the user blurs. The
-  // component must NOT call onSave with the stale local value, otherwise it
-  // would silently overwrite the parent's update.
-  const onSave = jest.fn();
-  const props = {
-    placeholder: 'placeholder',
-    canEdit: true,
-    label: 'Title',
-    onSave,
-  };
-  const { rerender } = render(<DynamicEditableTitle {...props} title="Foo" />);
-  const input = screen.getByRole('textbox') as HTMLInputElement;
-  userEvent.click(input);
-  rerender(<DynamicEditableTitle {...props} title="Bar" />);
-  fireEvent.blur(input);
-  expect(onSave).not.toHaveBeenCalled();
 });
--- a/superset-frontend/packages/superset-ui-core/src/components/DynamicEditableTitle/index.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/DynamicEditableTitle/index.tsx
@@ -81,25 +81,12 @@ export const DynamicEditableTitle = memo(

    const sizerRef = useRef<HTMLSpanElement>(null);
    const inputRef = useRef<InputRef>(null);
-    // Tracks whether the user has actually typed since entering edit mode.
-    // Gates onSave so that passive focus (click without typing) followed by a
-    // parent-driven title change and blur does not silently revert the
-    // parent's update with our stale currentTitle.
-    const dirtyRef = useRef(false);
    const { width: containerWidth, ref: containerRef } = useResizeDetector({
      refreshMode: 'debounce',
    });

    useEffect(() => {
-      // Don't overwrite in-flight user input when the parent re-renders with a
-      // new title prop mid-edit. handleBlur already syncs currentTitle on commit;
-      // re-running this effect when isEditing flips would resync to a stale
-      // title prop, so isEditing is intentionally read via closure rather than
-      // listed as a dep.
-      if (!isEditing) {
-        setCurrentTitle(title);
-      }
-      // eslint-disable-next-line react-hooks/exhaustive-deps
+      setCurrentTitle(title);
    }, [title]);
    useEffect(() => {
      if (isEditing) {
@@ -151,19 +138,10 @@ export const DynamicEditableTitle = memo(
        return;
      }
      const formattedTitle = currentTitle.trim();
-      // Only commit when the user actually typed. Passive focus must not
-      // overwrite a parent-driven title change that landed mid-edit.
-      if (dirtyRef.current && title !== formattedTitle) {
-        setCurrentTitle(formattedTitle);
+      setCurrentTitle(formattedTitle);
+      if (title !== formattedTitle) {
        onSave(formattedTitle);
-      } else if (!dirtyRef.current) {
-        // Drop any stale local state and resync to the latest title prop so a
-        // subsequent edit starts from the current parent value.
-        setCurrentTitle(title);
-      } else {
-        setCurrentTitle(formattedTitle);
      }
-      dirtyRef.current = false;
      setIsEditing(false);
    }, [canEdit, currentTitle, onSave, title]);

@@ -180,7 +158,6 @@ export const DynamicEditableTitle = memo(
        if (!isEditing) {
          setIsEditing(true);
        }
-        dirtyRef.current = true;
        setCurrentTitle(ev.target.value);
      },
      [canEdit, isEditing],
--- a/superset-frontend/packages/superset-ui-core/src/components/EditableTitle/index.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/EditableTitle/index.tsx
@@ -240,10 +240,7 @@ export function EditableTitle({
              t("You don't have the rights to alter this title.")
        }
      >
-        {/* Wrap in span so the Tooltip can attach a ref to a DOM element.
-            antd's Input.TextArea forwards a non-DOM imperative handle, which
-            triggers a React 18 findDOMNode deprecation warning. */}
-        <span>{titleComponent}</span>
+        {titleComponent}
      </Tooltip>
    );
  }
--- a/superset-frontend/packages/superset-ui-core/src/components/IconTooltip/index.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/IconTooltip/index.tsx
@@ -16,54 +16,47 @@
 * specific language governing permissions and limitations
 * under the License.
 */
-import { forwardRef } from 'react';
 import { Tooltip } from '../Tooltip';
 import { Button } from '../Button';
 import type { IconTooltipProps } from './types';

-export const IconTooltip = forwardRef<HTMLElement, IconTooltipProps>(
-  (
-    {
-      children = null,
-      className = '',
-      onClick = () => undefined,
-      placement = 'top',
-      style = {},
-      tooltip = null,
-      mouseEnterDelay = 0.3,
-      mouseLeaveDelay = 0.15,
-    },
-    ref,
-  ) => {
-    const iconTooltip = (
-      <Button
-        ref={ref}
-        onClick={onClick}
-        style={{
-          padding: 0,
-          ...style,
-        }}
-        buttonStyle="link"
-        className={`IconTooltip ${className}`}
+export const IconTooltip = ({
+  children = null,
+  className = '',
+  onClick = () => undefined,
+  placement = 'top',
+  style = {},
+  tooltip = null,
+  mouseEnterDelay = 0.3,
+  mouseLeaveDelay = 0.15,
+}: IconTooltipProps) => {
+  const iconTooltip = (
+    <Button
+      onClick={onClick}
+      style={{
+        padding: 0,
+        ...style,
+      }}
+      buttonStyle="link"
+      className={`IconTooltip ${className}`}
+    >
+      {children}
+    </Button>
+  );
+  if (tooltip) {
+    return (
+      <Tooltip
+        id="tooltip"
+        title={tooltip}
+        placement={placement}
+        mouseEnterDelay={mouseEnterDelay}
+        mouseLeaveDelay={mouseLeaveDelay}
      >
-        {children}
-      </Button>
+        {iconTooltip}
+      </Tooltip>
    );
-    if (tooltip) {
-      return (
-        <Tooltip
-          id="tooltip"
-          title={tooltip}
-          placement={placement}
-          mouseEnterDelay={mouseEnterDelay}
-          mouseLeaveDelay={mouseLeaveDelay}
-        >
-          {iconTooltip}
-        </Tooltip>
-      );
-    }
-    return iconTooltip;
-  },
-);
+  }
+  return iconTooltip;
+};

 export type { IconTooltipProps };
--- a/superset-frontend/packages/superset-ui-core/src/components/Icons/AntdEnhanced.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/Icons/AntdEnhanced.tsx
@@ -86,7 +86,6 @@ import {
  FundProjectionScreenOutlined,
  FunctionOutlined,
  HighlightOutlined,
-  HomeOutlined,
  InfoCircleOutlined,
  InfoCircleFilled,
  InsertRowAboveOutlined,
@@ -166,7 +165,7 @@ import {
  SlackOutlined,
  ApiOutlined,
 } from '@ant-design/icons';
-import { ForwardRefExoticComponent, RefAttributes, forwardRef } from 'react';
+import { FC } from 'react';
 import { IconType } from './types';
 import { BaseIconComponent } from './BaseIcon';

@@ -244,7 +243,6 @@ const AntdIcons = {
  GoogleOutlined,
  GroupOutlined,
  HighlightOutlined,
-  HomeOutlined,
  InfoCircleOutlined,
  InfoCircleFilled,
  InsertRowAboveOutlined,
@@ -325,25 +323,19 @@ type AntdIconNames = keyof typeof AntdIcons;

 export const antdEnhancedIcons: Record<
  AntdIconNames,
-  ForwardRefExoticComponent<IconType & RefAttributes<HTMLSpanElement>>
+  FC<IconType>
 > = Object.keys(AntdIcons)
  .filter(key => !EXCLUDED_ICONS.some(excluded => key.includes(excluded)))
  .reduce(
    (acc, key) => {
-      acc[key as AntdIconNames] = forwardRef<HTMLSpanElement, IconType>(
-        (props, ref) => (
-          <BaseIconComponent
-            ref={ref}
-            component={AntdIcons[key as AntdIconNames]}
-            fileName={key}
-            {...props}
-          />
-        ),
+      acc[key as AntdIconNames] = (props: IconType) => (
+        <BaseIconComponent
+          component={AntdIcons[key as AntdIconNames]}
+          fileName={key}
+          {...props}
+        />
      );
      return acc;
    },
-    {} as Record<
-      AntdIconNames,
-      ForwardRefExoticComponent<IconType & RefAttributes<HTMLSpanElement>>
-    >,
+    {} as Record<AntdIconNames, FC<IconType>>,
  );
--- a/superset-frontend/packages/superset-ui-core/src/components/Icons/AsyncIcon.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/Icons/AsyncIcon.tsx
@@ -17,12 +17,12 @@
 * under the License.
 */

-import { FC, SVGProps, forwardRef, useEffect, useRef, useState } from 'react';
+import { FC, SVGProps, useEffect, useRef, useState } from 'react';
 import TransparentIcon from './svgs/transparent.svg';
 import { IconType } from './types';
 import { BaseIconComponent } from './BaseIcon';

-const AsyncIcon = forwardRef<HTMLSpanElement, IconType>((props, ref) => {
+const AsyncIcon = (props: IconType) => {
  const [, setLoaded] = useState(false);
  const ImportedSVG = useRef<FC<SVGProps<SVGSVGElement>>>();
  const { fileName, customIcons, iconSize, iconColor, viewBox, ...restProps } =
@@ -46,7 +46,6 @@ const AsyncIcon = forwardRef<HTMLSpanElement, IconType>((props, ref) => {

  return (
    <BaseIconComponent
-      ref={ref}
      component={ImportedSVG.current || TransparentIcon}
      fileName={fileName}
      customIcons={customIcons}
@@ -56,6 +55,6 @@ const AsyncIcon = forwardRef<HTMLSpanElement, IconType>((props, ref) => {
      {...restProps}
    />
  );
-});
+};

 export default AsyncIcon;
--- a/superset-frontend/packages/superset-ui-core/src/components/Icons/BaseIcon.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/Icons/BaseIcon.tsx
@@ -17,7 +17,6 @@
 * under the License.
 */

-import { forwardRef, type ComponentType } from 'react';
 import { css, useTheme, getFontSize } from '@apache-superset/core/theme';
 import { AntdIconType, BaseIconProps, CustomIconType, IconType } from './types';

@@ -36,78 +35,65 @@ const genAriaLabel = (fileName: string) => {
  return name.toLowerCase();
 };

-export const BaseIconComponent = forwardRef<
-  HTMLSpanElement | SVGSVGElement,
+export const BaseIconComponent: React.FC<
  BaseIconProps & Omit<IconType, 'component'>
->(
-  (
-    {
-      component: Component,
-      iconColor,
-      iconSize,
-      viewBox,
-      customIcons,
-      fileName,
-      ...rest
-    },
-    ref,
-  ) => {
-    const theme = useTheme();
-    const whatRole = rest?.onClick ? 'button' : 'img';
-    const ariaLabel = genAriaLabel(fileName || '');
-    const style = {
-      color: iconColor,
-      fontSize: iconSize
-        ? `${getFontSize(theme, iconSize)}px`
-        : `${theme.fontSize}px`,
-      cursor: rest?.onClick ? 'pointer' : undefined,
-    };
+> = ({
+  component: Component,
+  iconColor,
+  iconSize,
+  viewBox,
+  customIcons,
+  fileName,
+  ...rest
+}) => {
+  const theme = useTheme();
+  const whatRole = rest?.onClick ? 'button' : 'img';
+  const ariaLabel = genAriaLabel(fileName || '');
+  const style = {
+    color: iconColor,
+    fontSize: iconSize
+      ? `${getFontSize(theme, iconSize)}px`
+      : `${theme.fontSize}px`,
+    cursor: rest?.onClick ? 'pointer' : undefined,
+  };

-    const AntdComponent = Component as ComponentType<
-      Record<string, unknown> & {
-        ref?: React.Ref<HTMLSpanElement | SVGSVGElement>;
-      }
-    >;
-    return customIcons ? (
-      <span
-        ref={ref as React.Ref<HTMLSpanElement>}
-        role={whatRole}
-        aria-label={ariaLabel}
-        data-test={ariaLabel}
-        css={[
-          css`
-            display: inline-flex;
-            align-items: center;
-            line-height: 0;
-            vertical-align: middle;
-          `,
-        ]}
-      >
-        <Component
-          viewBox={viewBox || '0 0 24 24'}
-          style={style}
-          width={
-            iconSize
-              ? `${getFontSize(theme, iconSize) || theme.fontSize}px`
-              : `${theme.fontSize}px`
-          }
-          height={
-            iconSize
-              ? `${getFontSize(theme, iconSize) || theme.fontSize}px`
-              : `${theme.fontSize}px`
-          }
-          {...(rest as CustomIconType)}
-        />
-      </span>
-    ) : (
-      <AntdComponent
-        ref={ref}
-        role={whatRole}
+  return customIcons ? (
+    <span
+      role={whatRole}
+      aria-label={ariaLabel}
+      data-test={ariaLabel}
+      css={[
+        css`
+          display: inline-flex;
+          align-items: center;
+          line-height: 0;
+          vertical-align: middle;
+        `,
+      ]}
+    >
+      <Component
+        viewBox={viewBox || '0 0 24 24'}
        style={style}
-        aria-label={ariaLabel}
-        data-test={ariaLabel}
-        {...(rest as AntdIconType)}
+        width={
+          iconSize
+            ? `${getFontSize(theme, iconSize) || theme.fontSize}px`
+            : `${theme.fontSize}px`
+        }
+        height={
+          iconSize
+            ? `${getFontSize(theme, iconSize) || theme.fontSize}px`
+            : `${theme.fontSize}px`
+        }
+        {...(rest as CustomIconType)}
      />
-    );
-  },
-);
+    </span>
+  ) : (
+    <Component
+      role={whatRole}
+      style={style}
+      aria-label={ariaLabel}
+      data-test={ariaLabel}
+      {...(rest as AntdIconType)}
+    />
+  );
+};
--- a/superset-frontend/packages/superset-ui-core/src/components/Icons/index.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/Icons/index.tsx
@@ -17,16 +17,12 @@
 * under the License.
 */

-import { ForwardRefExoticComponent, RefAttributes, forwardRef } from 'react';
+import { FC } from 'react';
 import { antdEnhancedIcons } from './AntdEnhanced';
 import AsyncIcon from './AsyncIcon';

 import type { IconType } from './types';

-type IconComponent = ForwardRefExoticComponent<
-  IconType & RefAttributes<HTMLSpanElement>
->;
-
 /**
 * Filename is going to be inferred from the icon name.
 * i.e. BigNumberChartTile => assets/images/icons/big_number_chart_tile
@@ -62,17 +58,15 @@ const customIcons = [
  'Undo',
 ] as const;

-type CustomIconType = Record<(typeof customIcons)[number], IconComponent>;
+type CustomIconType = Record<(typeof customIcons)[number], FC<IconType>>;

 const iconOverrides: CustomIconType = {} as CustomIconType;
 customIcons.forEach(customIcon => {
  const fileName = customIcon
    .replace(/([a-z0-9])([A-Z])/g, '$1_$2')
    .toLowerCase();
-  iconOverrides[customIcon] = forwardRef<HTMLSpanElement, IconType>(
-    (props, ref) => (
-      <AsyncIcon ref={ref} customIcons fileName={fileName} {...props} />
-    ),
+  iconOverrides[customIcon] = (props: IconType) => (
+    <AsyncIcon customIcons fileName={fileName} {...props} />
  );
 });

@@ -80,7 +74,7 @@ export type IconNameType =
  | keyof typeof antdEnhancedIcons
  | keyof typeof iconOverrides;

-type IconComponentType = Record<IconNameType, IconComponent>;
+type IconComponentType = Record<IconNameType, FC<IconType>>;

 export const Icons: IconComponentType = {
  ...antdEnhancedIcons,
--- a/superset-frontend/packages/superset-ui-core/src/components/Label/index.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/Label/index.tsx
@@ -16,7 +16,6 @@
 * specific language governing permissions and limitations
 * under the License.
 */
-import { forwardRef } from 'react';
 import { Tag } from '@superset-ui/core/components/Tag';
 import { css } from '@emotion/react';
 import { useTheme, getColorVariants } from '@apache-superset/core/theme';
@@ -24,7 +23,7 @@ import { DatasetTypeLabel } from './reusable/DatasetTypeLabel';
 import { PublishedLabel } from './reusable/PublishedLabel';
 import type { LabelProps } from './types';

-export const Label = forwardRef<HTMLSpanElement, LabelProps>((props, ref) => {
+export function Label(props: LabelProps) {
  const theme = useTheme();
  // Use Ant Design's motion duration instead of deprecated transitionTiming
  const {
@@ -72,7 +71,6 @@ export const Label = forwardRef<HTMLSpanElement, LabelProps>((props, ref) => {

  return (
    <Tag
-      ref={ref}
      onClick={onClick}
      role={onClick ? 'button' : undefined}
      style={style}
@@ -83,6 +81,6 @@ export const Label = forwardRef<HTMLSpanElement, LabelProps>((props, ref) => {
      {children}
    </Tag>
  );
-});
+}
 export { DatasetTypeLabel, PublishedLabel };
 export type { LabelType } from './types';
--- a/superset-frontend/packages/superset-ui-core/src/components/Modal/Modal.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/Modal/Modal.tsx
@@ -371,9 +371,6 @@ const CustomModal = ({
            disabled={!draggable || dragDisabled}
            bounds={bounds ?? false}
            onStart={(event, uiData) => onDragStart(event, uiData)}
-            // Pass nodeRef so react-draggable does not fall back to
-            // ReactDOM.findDOMNode (deprecated in React 18+ Strict Mode).
-            nodeRef={draggableRef}
            {...draggableConfig}
          >
            {resizable ? (
--- a/superset-frontend/packages/superset-ui-core/src/components/Popover/index.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/Popover/index.tsx
@@ -16,15 +16,11 @@
 * specific language governing permissions and limitations
 * under the License.
 */
-import { forwardRef } from 'react';
 import { Popover as AntdPopover } from 'antd';
 import { PopoverProps as AntdPopoverProps } from 'antd/es/popover';
-import type { TooltipRef } from 'antd/es/tooltip';

 export interface PopoverProps extends AntdPopoverProps {
  forceRender?: boolean;
 }

-export const Popover = forwardRef<TooltipRef, PopoverProps>((props, ref) => (
-  <AntdPopover ref={ref} {...props} />
-));
+export const Popover = (props: PopoverProps) => <AntdPopover {...props} />;
--- a/superset-frontend/packages/superset-ui-core/src/components/RefreshLabel/index.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/RefreshLabel/index.tsx
@@ -16,9 +16,10 @@
 * specific language governing permissions and limitations
 * under the License.
 */
-import { MouseEventHandler } from 'react';
+import { MouseEventHandler, forwardRef } from 'react';
 import { SupersetTheme } from '@apache-superset/core/theme';
 import { Icons } from '@superset-ui/core/components/Icons';
+import type { IconType } from '@superset-ui/core/components/Icons/types';
 import { Tooltip } from '../Tooltip';

 export interface RefreshLabelProps {
@@ -31,19 +32,25 @@ const RefreshLabel = ({
  onClick,
  tooltipContent,
  disabled,
-}: RefreshLabelProps) => (
-  <Tooltip title={tooltipContent}>
-    <Icons.SyncOutlined
-      iconSize="l"
-      role="button"
-      onClick={disabled ? undefined : onClick}
-      css={(theme: SupersetTheme) => ({
-        cursor: 'pointer',
-        color: theme.colorIcon,
-        '&:hover': { color: theme.colorPrimary },
-      })}
-    />
-  </Tooltip>
-);
+}: RefreshLabelProps) => {
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  const IconWithoutRef = forwardRef((props: IconType, ref: any) => (
+    <Icons.SyncOutlined iconSize="l" {...props} />
+  ));
+
+  return (
+    <Tooltip title={tooltipContent}>
+      <IconWithoutRef
+        role="button"
+        onClick={disabled ? undefined : onClick}
+        css={(theme: SupersetTheme) => ({
+          cursor: 'pointer',
+          color: theme.colorIcon,
+          '&:hover': { color: theme.colorPrimary },
+        })}
+      />
+    </Tooltip>
+  );
+};

 export default RefreshLabel;
--- a/superset-frontend/packages/superset-ui-core/src/components/Tooltip/index.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/Tooltip/index.tsx
@@ -16,22 +16,17 @@
 * specific language governing permissions and limitations
 * under the License.
 */
-import { forwardRef } from 'react';
 import { Tooltip as AntdTooltip } from 'antd';
-import type { TooltipRef } from 'antd/es/tooltip';

 import type { TooltipProps, TooltipPlacement } from './types';

-export const Tooltip = forwardRef<TooltipRef, TooltipProps>(
-  ({ overlayStyle, ...props }, ref) => (
-    <AntdTooltip
-      ref={ref}
-      styles={{
-        body: { overflow: 'hidden', textOverflow: 'ellipsis' },
-        root: overlayStyle ?? {},
-      }}
-      {...props}
-    />
-  ),
+export const Tooltip = ({ overlayStyle, ...props }: TooltipProps) => (
+  <AntdTooltip
+    styles={{
+      body: { overflow: 'hidden', textOverflow: 'ellipsis' },
+      root: overlayStyle ?? {},
+    }}
+    {...props}
+  />
 );
 export type { TooltipProps, TooltipPlacement };
--- a/superset-frontend/packages/superset-ui-core/src/connection/SupersetClient.ts
+++ b/superset-frontend/packages/superset-ui-core/src/connection/SupersetClient.ts
@@ -52,13 +52,6 @@ const SupersetClient: SupersetClientInterface = {
  request: request => getInstance().request(request),
  getCSRFToken: () => getInstance().getCSRFToken(),
  getUrl: (...args) => getInstance().getUrl(...args),
-  get guestTokenHeaderName() {
-    try {
-      return getInstance().guestTokenHeaderName;
-    } catch {
-      return 'X-GuestToken';
-    }
-  },
 };

 export default SupersetClient;
--- a/superset-frontend/packages/superset-ui-core/src/connection/types.ts
+++ b/superset-frontend/packages/superset-ui-core/src/connection/types.ts
@@ -163,7 +163,6 @@ export interface SupersetClientInterface extends Pick<
  configure: (config?: ClientConfig) => SupersetClientInterface;
  reset: () => void;
  getCSRFToken: () => CsrfPromise;
-  guestTokenHeaderName?: string;
 }

 export type SupersetClientResponse = Response | JsonResponse | TextResponse;
--- a/superset-frontend/packages/superset-ui-core/src/currency-format/CurrencyFormatter.ts
+++ b/superset-frontend/packages/superset-ui-core/src/currency-format/CurrencyFormatter.ts
@@ -18,11 +18,7 @@
 */

 import { ExtensibleFunction } from '../models';
-// Import from the concrete modules rather than the `number-format` barrel to
-// avoid a circular dependency (the barrel pulls in getSmallNumberFormatter,
-// which imports CurrencyFormatter).
-import { getNumberFormatter } from '../number-format/NumberFormatterRegistrySingleton';
-import NumberFormats from '../number-format/NumberFormats';
+import { getNumberFormatter, NumberFormats } from '../number-format';
 import { Currency } from '../query';
 import { RowData, RowDataValue } from './types';
 import { AUTO_CURRENCY_SYMBOL, ISO_4217_REGEX } from './CurrencyFormats';
--- a/superset-frontend/packages/superset-ui-core/src/number-format/getSmallNumberFormatter.ts
+++ b/superset-frontend/packages/superset-ui-core/src/number-format/getSmallNumberFormatter.ts
@@ -1,54 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-import { CurrencyFormatter } from '../currency-format';
-import { Currency } from '../query';
-import NumberFormatter from './NumberFormatter';
-import { getNumberFormatter } from './NumberFormatterRegistrySingleton';
-
-/**
- * Returns the appropriate formatter for small numbers (|value| < 1).
- *
- * When `d3SmallNumberFormat` is nullish or blank the caller's default
- * formatter is returned unchanged, which preserves percentage formats
- * that would otherwise be lost.
- *
- * Handles the cases where `d3SmallNumberFormat` is `null` (from JSON
- * serialization of `undefined`) or `""` (from a cleared Select control).
- *
- * The generic parameter `F` allows callers to pass any formatter type
- * (e.g. TimeFormatter, CustomFormatter) without a circular dependency
- * on @superset-ui/chart-controls.
- */
-export default function getSmallNumberFormatter<F>(
-  defaultFormatter: F,
-  d3SmallNumberFormat: string | null | undefined,
-  currencyFormat?: Currency,
-): F | NumberFormatter | CurrencyFormatter {
-  if (d3SmallNumberFormat == null || d3SmallNumberFormat.trim() === '') {
-    return defaultFormatter;
-  }
-  if (currencyFormat) {
-    return new CurrencyFormatter({
-      d3Format: d3SmallNumberFormat,
-      currency: currencyFormat,
-    });
-  }
-  return getNumberFormatter(d3SmallNumberFormat);
-}
--- a/superset-frontend/packages/superset-ui-core/src/number-format/index.ts
+++ b/superset-frontend/packages/superset-ui-core/src/number-format/index.ts
@@ -34,4 +34,3 @@ export { default as createDurationFormatter } from './factories/createDurationFo
 export { default as createMemoryFormatter } from './factories/createMemoryFormatter';
 export { default as createSiAtMostNDigitFormatter } from './factories/createSiAtMostNDigitFormatter';
 export { default as createSmartNumberFormatter } from './factories/createSmartNumberFormatter';
-export { default as getSmallNumberFormatter } from './getSmallNumberFormatter';
--- a/superset-frontend/packages/superset-ui-core/test/connection/SupersetClient.test.ts
+++ b/superset-frontend/packages/superset-ui-core/test/connection/SupersetClient.test.ts
@@ -172,15 +172,4 @@ describe('SupersetClient', () => {
    const token = await SupersetClient.getCSRFToken();
    expect(token).toBe('my_token');
  });
-
-  test('guestTokenHeaderName returns the configured header name when instance exists', () => {
-    SupersetClient.configure({ guestTokenHeaderName: 'X-Custom-Guest' });
-    expect(SupersetClient.guestTokenHeaderName).toBe('X-Custom-Guest');
-  });
-
-  test('guestTokenHeaderName returns default X-GuestToken when instance is not configured', () => {
-    // Ensure instance is reset (afterEach calls SupersetClient.reset())
-    // Access the property without calling configure() first
-    expect(SupersetClient.guestTokenHeaderName).toBe('X-GuestToken');
-  });
 });
--- a/superset-frontend/packages/superset-ui-core/test/number-format/getSmallNumberFormatter.test.ts
+++ b/superset-frontend/packages/superset-ui-core/test/number-format/getSmallNumberFormatter.test.ts
@@ -1,82 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-import {
-  CurrencyFormatter,
-  getNumberFormatter,
-  getSmallNumberFormatter,
-  NumberFormatter,
-} from '@superset-ui/core';
-
-const defaultFormatter = getNumberFormatter('.8%');
-
-describe('getSmallNumberFormatter', () => {
-  test('returns defaultFormatter when d3SmallNumberFormat is undefined', () => {
-    expect(getSmallNumberFormatter(defaultFormatter, undefined)).toBe(
-      defaultFormatter,
-    );
-  });
-
-  test('returns defaultFormatter when d3SmallNumberFormat is null (JSON round-trip)', () => {
-    expect(getSmallNumberFormatter(defaultFormatter, null)).toBe(
-      defaultFormatter,
-    );
-  });
-
-  test('returns defaultFormatter when d3SmallNumberFormat is empty string (cleared Select)', () => {
-    expect(getSmallNumberFormatter(defaultFormatter, '')).toBe(
-      defaultFormatter,
-    );
-  });
-
-  test('returns defaultFormatter when d3SmallNumberFormat is whitespace', () => {
-    expect(getSmallNumberFormatter(defaultFormatter, '  ')).toBe(
-      defaultFormatter,
-    );
-  });
-
-  test('returns a NumberFormatter when d3SmallNumberFormat is a valid format', () => {
-    const result = getSmallNumberFormatter(defaultFormatter, ',.4f');
-    expect(result).toBeInstanceOf(NumberFormatter);
-    expect(result).not.toBe(defaultFormatter);
-    expect(result!(0.12345)).toBe('0.1235');
-  });
-
-  test('returns a CurrencyFormatter when currencyFormat is provided', () => {
-    const result = getSmallNumberFormatter(defaultFormatter, ',.4f', {
-      symbol: 'USD',
-      symbolPosition: 'prefix',
-    });
-    expect(result).toBeInstanceOf(CurrencyFormatter);
-    expect(result!(0.12345)).toContain('0.1235');
-    expect(result!(0.12345)).toContain('$');
-  });
-
-  test('preserves percentage formatter output for small numbers when d3SmallNumberFormat is null', () => {
-    const pctFormatter = getNumberFormatter('.8%');
-    const result = getSmallNumberFormatter(pctFormatter, null);
-    expect(result!(-0.00001229)).toBe('-0.00122900%');
-  });
-
-  test('returns undefined when defaultFormatter is undefined and d3SmallNumberFormat is nullish', () => {
-    expect(getSmallNumberFormatter(undefined, null)).toBeUndefined();
-    expect(getSmallNumberFormatter(undefined, undefined)).toBeUndefined();
-    expect(getSmallNumberFormatter(undefined, '')).toBeUndefined();
-  });
-});
--- a/superset-frontend/playwright/pages/ExplorePage.ts
+++ b/superset-frontend/playwright/pages/ExplorePage.ts
@@ -29,33 +29,12 @@ export class ExplorePage {
  private static readonly SELECTORS = {
    DATASOURCE_CONTROL: '[data-test="datasource-control"]',
    VIZ_SWITCHER: '[data-test="fast-viz-switcher"]',
-    CHART_CONTAINER: '[data-test="chart-container"]',
  } as const;

  constructor(page: Page) {
    this.page = page;
  }

-  /**
-   * Navigates to the Explore page for a given chart and waits for it to load.
-   *
-   * @param chartId - ID of the chart (slice) to open
-   * @param options - Optional wait options
-   */
-  async goto(chartId: number, options?: { timeout?: number }): Promise<void> {
-    await this.page.goto(`explore/?slice_id=${chartId}`);
-    await this.waitForPageLoad(options);
-  }
-
-  /**
-   * Gets the chart container locator (where the rendered viz appears).
-   *
-   * @returns Locator for the chart container
-   */
-  getChartContainer(): Locator {
-    return this.page.locator(ExplorePage.SELECTORS.CHART_CONTAINER);
-  }
-
  /**
   * Waits for the Explore page to load.
   * Validates URL contains /explore/ and datasource control is visible.
--- a/superset-frontend/playwright/tests/chart/handlebars-format-date.spec.ts
+++ b/superset-frontend/playwright/tests/chart/handlebars-format-date.spec.ts
@@ -1,104 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-/**
- * Regression for #32960: the `formatDate` Handlebars helper (provided by
- * just-handlebars-helpers) stopped working after 4.1.2, rendering
- * "i is not a function" (minified) / "moment is not a function" (dev) instead
- * of the formatted date. The library helper resolves `moment` lazily via
- * `global.moment` / `require('moment/min/moment-with-locales')`, which the
- * bundled HandlebarsViewer no longer satisfies (it switched to dayjs).
- *
- * The fix registers a dayjs-backed `formatDate` override in HandlebarsViewer
- * (superset-frontend/plugins/plugin-chart-handlebars). This spec guards it: it
- * creates a Handlebars chart whose template uses `{{formatDate 'DD.MM.YYYY' ds}}`
- * and asserts the chart renders a real formatted date rather than the helper
- * error. Because the failure was a bundling/minification artifact (moment
- * resolves fine under Jest's Node `require`), an E2E test is required to cover it.
- */
-import { testWithAssets, expect } from '../../helpers/fixtures';
-import { apiPostChart } from '../../helpers/api/chart';
-import { getDatasetByName } from '../../helpers/api/dataset';
-import { ExplorePage } from '../../pages/ExplorePage';
-import { TIMEOUT } from '../../utils/constants';
-
-const DATASET_NAME = 'birth_names';
-
-testWithAssets(
-  'Handlebars formatDate helper renders a formatted date (#32960)',
-  async ({ page, testAssets }) => {
-    testWithAssets.setTimeout(TIMEOUT.SLOW_TEST);
-
-    const dataset = await getDatasetByName(page, DATASET_NAME);
-    if (!dataset) {
-      throw new Error(`Dataset ${DATASET_NAME} not found`);
-    }
-    const datasetId = dataset.id;
-
-    const params = {
-      datasource: `${datasetId}__table`,
-      viz_type: 'handlebars',
-      query_mode: 'aggregate',
-      groupby: ['ds'],
-      metrics: ['count'],
-      adhoc_filters: [],
-      row_limit: 5,
-      // Note: HTML_SANITIZATION (on by default) strips non-allowlisted
-      // attributes such as `class`, so the rendered markup is plain
-      // <ul>/<li> elements. The assertions below target `li` directly.
-      handlebarsTemplate:
-        '<ul>{{#each data}}' +
-        "<li>{{formatDate 'DD.MM.YYYY' ds}}</li>" +
-        '{{/each}}</ul>',
-      styleTemplate: '',
-    };
-
-    const chartResp = await apiPostChart(page, {
-      slice_name: `handlebars_format_date_${Date.now()}`,
-      viz_type: 'handlebars',
-      datasource_id: datasetId,
-      datasource_type: 'table',
-      params: JSON.stringify(params),
-    });
-    expect(chartResp.ok()).toBe(true);
-    // The chart API may return either a top-level `{ id }` or a wrapped
-    // `{ result: { id } }` shape; handle both and fail explicitly otherwise.
-    const chartBody = await chartResp.json();
-    const chartId: number = chartBody.result?.id ?? chartBody.id;
-    expect(chartId, 'chart creation should return an id').toBeTruthy();
-    testAssets.trackChart(chartId);
-
-    const explorePage = new ExplorePage(page);
-    await explorePage.goto(chartId);
-
-    const panel = explorePage.getChartContainer();
-    await panel.waitFor({ state: 'visible', timeout: TIMEOUT.PAGE_LOAD });
-
-    // The helper error surfaces as a "... is not a function" message rendered
-    // in place of the chart content.
-    await expect(panel).not.toContainText('is not a function', {
-      timeout: TIMEOUT.API_RESPONSE,
-    });
-
-    // At least one list item should contain a DD.MM.YYYY formatted date.
-    await expect(panel.locator('li').first()).toHaveText(/\d{2}\.\d{2}\.\d{4}/, {
-      timeout: TIMEOUT.API_RESPONSE,
-    });
-  },
-);
--- a/superset-frontend/playwright/tests/dashboard/gauge-interval-colors.spec.ts
+++ b/superset-frontend/playwright/tests/dashboard/gauge-interval-colors.spec.ts
@@ -1,202 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-/**
- * Regression for #28766: a Gauge chart configured with interval bounds and
- * interval colors (mapped to a categorical color scheme) sometimes renders the
- * wrong interval colors when first loaded on a dashboard — a refresh fixes it.
- *
- * The gauge renders to a <canvas>, so this test reads pixels back from the
- * rendered gauge and asserts the configured interval colors are present in the
- * correct mapping. With `color_scheme: supersetColors` and
- * `interval_color_indices: '1,2'`, the gauge axis must paint the scheme's 1st
- * and 2nd colors (#1FA8C9 and #454E7C) and must NOT paint the 3rd (#5AC189),
- * which would indicate a shifted / fallback palette.
- *
- * CI green => the gauge paints the configured interval colors on first load;
- *             merging closes #28766 and guards against regressions.
- * CI red   => the interval colors are wrong on first load; the bug is live in
- *             plugin-chart-echarts/src/Gauge (color-scheme resolution).
- */
-import { testWithAssets, expect } from '../../helpers/fixtures';
-import { apiPostChart, apiPutChart } from '../../helpers/api/chart';
-import { apiPostDashboard } from '../../helpers/api/dashboard';
-import { getDatasetByName } from '../../helpers/api/dataset';
-import { DashboardPage } from '../../pages/DashboardPage';
-
-const DATASET_NAME = 'birth_names';
-
-// supersetColors palette (1-based, matching interval_color_indices):
-// index 1 = #1FA8C9, index 2 = #454E7C, index 3 = #5AC189
-const COLOR_INTERVAL_1: [number, number, number] = [31, 168, 201];
-const COLOR_INTERVAL_2: [number, number, number] = [69, 78, 124];
-const COLOR_UNUSED_3: [number, number, number] = [90, 193, 137];
-
-testWithAssets(
-  'Gauge renders configured interval colors on a dashboard (#28766)',
-  async ({ page, testAssets }) => {
-    const dataset = await getDatasetByName(page, DATASET_NAME);
-    if (!dataset) {
-      throw new Error(`Dataset ${DATASET_NAME} not found`);
-    }
-    const datasetId = dataset.id;
-
-    const sliceName = `gauge_interval_colors_${Date.now()}`;
-    const chartParams = {
-      datasource: `${datasetId}__table`,
-      viz_type: 'gauge_chart',
-      metric: 'count',
-      adhoc_filters: [],
-      row_limit: 10,
-      color_scheme: 'supersetColors',
-      min_val: 0,
-      max_val: 100,
-      start_angle: 225,
-      end_angle: -45,
-      intervals: '50,100',
-      interval_color_indices: '1,2',
-      show_pointer: true,
-      number_format: 'SMART_NUMBER',
-      value_formatter: '{value}',
-    };
-    const chartResp = await apiPostChart(page, {
-      slice_name: sliceName,
-      viz_type: 'gauge_chart',
-      datasource_id: datasetId,
-      datasource_type: 'table',
-      params: JSON.stringify(chartParams),
-    });
-    expect(chartResp.ok()).toBe(true);
-    const chartBody = await chartResp.json();
-    // Normalize: API may return id at top level or inside result.
-    const chartId: number = chartBody.result?.id ?? chartBody.id;
-    if (!chartId) {
-      throw new Error(
-        `Chart creation returned no id. Response: ${JSON.stringify(chartBody)}`,
-      );
-    }
-    testAssets.trackChart(chartId);
-
-    const chartLayoutKey = `CHART-${chartId}`;
-    const positionJson = {
-      DASHBOARD_VERSION_KEY: 'v2',
-      ROOT_ID: { type: 'ROOT', id: 'ROOT_ID', children: ['GRID_ID'] },
-      GRID_ID: {
-        type: 'GRID',
-        id: 'GRID_ID',
-        children: ['ROW-1'],
-        parents: ['ROOT_ID'],
-      },
-      'ROW-1': {
-        type: 'ROW',
-        id: 'ROW-1',
-        children: [chartLayoutKey],
-        parents: ['ROOT_ID', 'GRID_ID'],
-        meta: { background: 'BACKGROUND_TRANSPARENT' },
-      },
-      [chartLayoutKey]: {
-        type: 'CHART',
-        id: chartLayoutKey,
-        children: [],
-        parents: ['ROOT_ID', 'GRID_ID', 'ROW-1'],
-        meta: {
-          chartId,
-          width: 6,
-          height: 60,
-          sliceName,
-        },
-      },
-    };
-    const dashResp = await apiPostDashboard(page, {
-      dashboard_title: `gauge_interval_colors_${Date.now()}`,
-      published: true,
-      position_json: JSON.stringify(positionJson),
-      json_metadata: JSON.stringify({ color_scheme: 'supersetColors' }),
-    });
-    expect(dashResp.ok()).toBe(true);
-    const dashBody = await dashResp.json();
-    const dashboardId: number = dashBody.result?.id ?? dashBody.id;
-    testAssets.trackDashboard(dashboardId);
-
-    await apiPutChart(page, chartId, { dashboards: [dashboardId] });
-
-    const dashboardPage = new DashboardPage(page);
-    await dashboardPage.gotoById(dashboardId);
-    await dashboardPage.waitForLoad();
-    await dashboardPage.waitForChartsToLoad();
-
-    const canvas = page.locator('[data-test="chart-container"] canvas').first();
-    await canvas.waitFor({ state: 'visible', timeout: 30_000 });
-
-    // Read the configured interval colors back from the rendered canvas.
-    // Poll because the gauge paints shortly after the chart container appears.
-    const countColors = () =>
-      canvas.evaluate(
-        (el: HTMLCanvasElement, targets: Array<[number, number, number]>) => {
-          const ctx = el.getContext('2d');
-          if (!ctx) return targets.map(() => 0);
-          const { data } = ctx.getImageData(0, 0, el.width, el.height);
-          const counts = targets.map(() => 0);
-          for (let i = 0; i < data.length; i += 4) {
-            if (data[i + 3] < 200) continue;
-            for (let t = 0; t < targets.length; t += 1) {
-              const [r, g, b] = targets[t];
-              if (
-                Math.abs(data[i] - r) < 12 &&
-                Math.abs(data[i + 1] - g) < 12 &&
-                Math.abs(data[i + 2] - b) < 12
-              ) {
-                counts[t] += 1;
-              }
-            }
-          }
-          return counts;
-        },
-        [COLOR_INTERVAL_1, COLOR_INTERVAL_2, COLOR_UNUSED_3],
-      );
-
-    // Capture the counts inside the poll so the assertions below run against the
-    // exact paint snapshot that satisfied the poll, not a second canvas read.
-    let counts: number[] = [0, 0, 0];
-    await expect
-      .poll(
-        async () => {
-          counts = await countColors();
-          return counts[0];
-        },
-        { timeout: 20_000 },
-      )
-      .toBeGreaterThan(50);
-
-    const [interval1, interval2, unused3] = counts;
-
-    expect(
-      interval1,
-      'Gauge should paint the 1st interval color (#1FA8C9)',
-    ).toBeGreaterThan(50);
-    expect(
-      interval2,
-      'Gauge should paint the 2nd interval color (#454E7C)',
-    ).toBeGreaterThan(50);
-    expect(
-      unused3,
-      'Gauge must not paint the 3rd palette color (#5AC189) — indicates a shifted/fallback palette (#28766)',
-    ).toBe(0);
-  },
-);
--- a/superset-frontend/playwright/tests/embedded/pivot-collapse-state.spec.ts
+++ b/superset-frontend/playwright/tests/embedded/pivot-collapse-state.spec.ts
@@ -1,309 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-/**
- * Regression for #33406: in a Pivot Table (v2) with nested rows, collapsing a
- * row group with the [-] toggle should stay collapsed after the collapsed rows
- * scroll out of the viewport and back. The bug reproduces specifically when the
- * dashboard is embedded via an iframe — the collapse/expand state lives in the
- * pivot renderer's local React state (`collapsedRows` initialised to `{}`), so
- * anything that remounts the chart resets it and the rows re-expand.
- *
- * This spec runs on the embedded harness (the only place the bug is reported to
- * reproduce). It collapses a top-level row, scrolls the embedded dashboard so
- * the pivot leaves and re-enters the viewport, and asserts the row is still
- * collapsed.
- *
- * CI green => collapse state survives the scroll round-trip; merging closes
- *             #33406 and guards against regressions.
- * CI red   => the rows re-expanded; the bug is live and the fix belongs in
- *             plugin-chart-pivot-table (lift collapse state out of transient
- *             component state, e.g. persist `collapsedRows`/`collapsedCols`).
- *
- * NOTE: the embedded suite only runs when the embedded SDK bundle is built and
- * INCLUDE_EMBEDDED=true (CI sets both). It is skipped otherwise.
- */
-import { test, expect, Browser, BrowserContext, Page } from '@playwright/test';
-import { createServer, IncomingMessage, ServerResponse, Server } from 'http';
-import { AddressInfo, Socket } from 'net';
-import { readFileSync, existsSync } from 'fs';
-import { join } from 'path';
-import {
-  apiEnableEmbedding,
-  getAccessToken,
-  getGuestToken,
-} from '../../helpers/api/embedded';
-import { apiPost, apiPut } from '../../helpers/api/requests';
-import { apiPostDashboard, apiDeleteDashboard } from '../../helpers/api/dashboard';
-import { apiDeleteChart } from '../../helpers/api/chart';
-import { EmbeddedPage } from '../../pages/EmbeddedPage';
-import { EMBEDDED } from '../../utils/constants';
-
-const SUPERSET_DOMAIN = (() => {
-  const url = process.env.PLAYWRIGHT_BASE_URL || 'http://localhost:8088';
-  return url.replace(/\/+$/, '');
-})();
-const SUPERSET_BASE_URL = SUPERSET_DOMAIN.endsWith('/')
-  ? SUPERSET_DOMAIN
-  : `${SUPERSET_DOMAIN}/`;
-
-const SDK_BUNDLE_PATH = join(
-  __dirname,
-  '../../../../superset-embedded-sdk/bundle/index.js',
-);
-const EMBED_APP_DIR = join(__dirname, '../../embedded-app');
-const INDEX_HTML_PATH = join(EMBED_APP_DIR, 'index.html');
-const DATASET_NAME = 'birth_names';
-
-interface EmbedAppServer {
-  server: Server;
-  url: string;
-  close: () => Promise<void>;
-}
-
-async function startEmbedAppServer(): Promise<EmbedAppServer> {
-  const sockets = new Set<Socket>();
-  const server = createServer((req: IncomingMessage, res: ServerResponse) => {
-    const urlPath = req.url?.split('?')[0] || '/';
-    if (urlPath === '/sdk/index.js') {
-      if (!existsSync(SDK_BUNDLE_PATH)) {
-        res.writeHead(404);
-        res.end(
-          'SDK bundle not found. Run: cd superset-embedded-sdk && npm ci && npm run build',
-        );
-        return;
-      }
-      res.writeHead(200, { 'Content-Type': 'text/javascript' });
-      res.end(readFileSync(SDK_BUNDLE_PATH));
-      return;
-    }
-    if (urlPath === '/' || urlPath === '/index.html') {
-      res.writeHead(200, { 'Content-Type': 'text/html' });
-      res.end(readFileSync(INDEX_HTML_PATH));
-      return;
-    }
-    res.writeHead(404);
-    res.end('Not found');
-  });
-  server.on('connection', socket => {
-    sockets.add(socket);
-    socket.once('close', () => sockets.delete(socket));
-  });
-  await new Promise<void>((resolve, reject) => {
-    server.once('error', reject);
-    server.listen(0, '127.0.0.1', () => {
-      server.removeListener('error', reject);
-      resolve();
-    });
-  });
-  const address = server.address() as AddressInfo;
-  return {
-    server,
-    url: `http://127.0.0.1:${address.port}`,
-    close: () =>
-      new Promise<void>(resolve => {
-        for (const socket of sockets) socket.destroy();
-        sockets.clear();
-        server.close(() => resolve());
-      }),
-  };
-}
-
-function createAdminContext(browser: Browser): Promise<BrowserContext> {
-  return browser.newContext({
-    storageState: 'playwright/.auth/user.json',
-    baseURL: SUPERSET_BASE_URL,
-  });
-}
-
-async function findDatasetIdByName(page: Page, name: string): Promise<number> {
-  const query = `(filters:!((col:table_name,opr:eq,value:'${name}')))`;
-  const resp = await page.request.get(`api/v1/dataset/?q=${query}`);
-  const body = await resp.json();
-  if (!body.result?.length) {
-    throw new Error(`Dataset ${name} not found`);
-  }
-  return body.result[0].id;
-}
-
-test.describe('Embedded Pivot Table collapse state (#33406)', () => {
-  test.describe.configure({ mode: 'serial' });
-  test.setTimeout(90000);
-
-  let appServer: EmbedAppServer;
-  let accessToken: string;
-  let embedUuid: string;
-  let dashboardId: number;
-  let chartId: number;
-
-  test.beforeAll(async ({ browser }) => {
-    test.skip(
-      !existsSync(SDK_BUNDLE_PATH),
-      'Embedded SDK bundle not found. Build it with: cd superset-embedded-sdk && npm ci && npm run build',
-    );
-
-    appServer = await startEmbedAppServer();
-    const context = await createAdminContext(browser);
-    const setupPage = await context.newPage();
-    try {
-      const datasetId = await findDatasetIdByName(setupPage, DATASET_NAME);
-
-      const params = {
-        datasource: `${datasetId}__table`,
-        viz_type: 'pivot_table_v2',
-        groupbyRows: ['state', 'name'],
-        groupbyColumns: [],
-        metrics: ['count'],
-        metricsLayout: 'COLUMNS',
-        aggregateFunction: 'Count',
-        rowSubTotals: true,
-        rowTotals: true,
-        valueFormat: 'SMART_NUMBER',
-        row_limit: 1000,
-        order_desc: true,
-      };
-      const chartResp = await apiPost(setupPage, 'api/v1/chart/', {
-        slice_name: `pivot_collapse_repro_${Date.now()}`,
-        viz_type: 'pivot_table_v2',
-        datasource_id: datasetId,
-        datasource_type: 'table',
-        params: JSON.stringify(params),
-      });
-      chartId = (await chartResp.json()).id;
-
-      const chartLayoutKey = `CHART-${chartId}`;
-      const positionJson = {
-        DASHBOARD_VERSION_KEY: 'v2',
-        ROOT_ID: { type: 'ROOT', id: 'ROOT_ID', children: ['GRID_ID'] },
-        GRID_ID: {
-          type: 'GRID',
-          id: 'GRID_ID',
-          children: ['ROW-1'],
-          parents: ['ROOT_ID'],
-        },
-        'ROW-1': {
-          type: 'ROW',
-          id: 'ROW-1',
-          children: [chartLayoutKey],
-          parents: ['ROOT_ID', 'GRID_ID'],
-          meta: { background: 'BACKGROUND_TRANSPARENT' },
-        },
-        [chartLayoutKey]: {
-          type: 'CHART',
-          id: chartLayoutKey,
-          children: [],
-          parents: ['ROOT_ID', 'GRID_ID', 'ROW-1'],
-          meta: {
-            chartId,
-            width: 6,
-            height: 80,
-            sliceName: 'pivot_collapse_repro',
-          },
-        },
-      };
-      const dashResp = await apiPostDashboard(setupPage, {
-        dashboard_title: `pivot_collapse_repro_${Date.now()}`,
-        published: true,
-        position_json: JSON.stringify(positionJson),
-      });
-      const dashBody = await dashResp.json();
-      dashboardId = dashBody.id;
-      await apiPut(setupPage, `api/v1/chart/${chartId}`, {
-        dashboards: [dashboardId],
-      });
-
-      const embedded = await apiEnableEmbedding(setupPage, dashboardId);
-      embedUuid = embedded.uuid;
-      accessToken = await getAccessToken(setupPage);
-    } finally {
-      await context.close();
-    }
-  });
-
-  test.afterAll(async ({ browser }) => {
-    const context = await createAdminContext(browser);
-    try {
-      const cleanupPage = await context.newPage();
-      if (dashboardId !== undefined) {
-        await apiDeleteDashboard(cleanupPage, dashboardId, {
-          failOnStatusCode: false,
-        });
-      }
-      if (chartId !== undefined) {
-        await apiDeleteChart(cleanupPage, chartId, { failOnStatusCode: false });
-      }
-    } catch (err) {
-      // eslint-disable-next-line no-console
-      console.error('[pivot-collapse teardown] cleanup failed:', err);
-    } finally {
-      await context.close();
-    }
-    if (appServer) await appServer.close();
-  });
-
-  test('collapsed rows stay collapsed after a scroll round-trip', async ({
-    page,
-  }) => {
-    const embeddedPage = new EmbeddedPage(page);
-    await embeddedPage.exposeTokenFetcher(async () =>
-      getGuestToken(page, dashboardId, { accessToken }),
-    );
-    await embeddedPage.goto({
-      appUrl: appServer.url,
-      uuid: embedUuid,
-      supersetDomain: SUPERSET_DOMAIN,
-    });
-    await embeddedPage.waitForIframe();
-    await embeddedPage.waitForDashboardContent();
-    await embeddedPage.waitForChartRendered();
-
-    const rowLabels = embeddedPage.iframe.locator('.pvtRowLabel');
-    await expect
-      .poll(() => rowLabels.count(), { timeout: EMBEDDED.CHART_RENDER })
-      .toBeGreaterThan(1);
-    const expandedCount = await rowLabels.count();
-
-    // Collapse the first top-level row group via its [-] toggle. Scope to
-    // `.pvtTable` so we never match a stray `toggle` class elsewhere in the DOM.
-    await embeddedPage.iframe.locator('.pvtTable .toggle').first().click();
-    await expect
-      .poll(() => embeddedPage.iframe.locator('.pvtRowLabel').count(), {
-        timeout: EMBEDDED.CHART_RENDER,
-      })
-      .toBeLessThan(expandedCount);
-    const collapsedCount = await embeddedPage.iframe
-      .locator('.pvtRowLabel')
-      .count();
-
-    // Scroll the embedded dashboard so the pivot leaves the viewport, then back.
-    await embeddedPage.iframe.locator('body').evaluate(() => {
-      window.scrollTo(0, document.body.scrollHeight);
-    });
-    await page.waitForTimeout(800);
-    await embeddedPage.iframe.locator('body').evaluate(() => {
-      window.scrollTo(0, 0);
-    });
-    await page.waitForTimeout(1200);
-
-    // The collapsed group must remain collapsed (row-label count unchanged).
-    await expect(embeddedPage.iframe.locator('.pvtRowLabel')).toHaveCount(
-      collapsedCount,
-    );
-  });
-});
--- a/superset-frontend/plugins/legacy-plugin-chart-calendar/package.json
+++ b/superset-frontend/plugins/legacy-plugin-chart-calendar/package.json
@@ -33,7 +33,7 @@
    "@superset-ui/chart-controls": "*",
    "@superset-ui/core": "*",
    "@apache-superset/core": "*",
-    "react": "^18.3.0"
+    "react": "^18.2.0"
  },
  "publishConfig": {
    "access": "public"
--- a/Show More
+++ b/Show More