fix(config): make Swagger UI opt-in (off by default) (#41300 )

Co-authored-by: Amin Ghadersohi <amin.ghadersohi@gmail.com> Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
chore(codeowners): add translation maintainers (#41429 )
2026-06-25 17:39:18 +00:00 · 2026-06-25 10:34:28 -07:00 · 2026-06-25 10:09:16 -07:00 · 2026-06-25 09:54:33 -07:00 · 2026-06-25 18:30:33 +03:00 · 2026-06-25 08:57:30 -03:00
453 changed files with 67389 additions and 6746 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -38,7 +38,7 @@

 # Notify translation maintainers of changes to translations

-/superset/translations/ @sfirke @rusackas
+/superset/translations/ @sfirke @rusackas @villebro @sadpandajoe @hainenber

 # Notify PMC members of changes to extension-related files

--- a/.github/workflows/bashlib.sh
+++ b/.github/workflows/bashlib.sh
@@ -114,7 +114,7 @@ testdata() {
  say "::group::Load test data"
  # must specify PYTHONPATH to make `tests.superset_test_config` importable
  export PYTHONPATH="$GITHUB_WORKSPACE"
-  pip install -e .
+  uv pip install --system -e .
  superset db upgrade
  superset load_test_users
  superset load_examples --load-test-data
@@ -127,7 +127,7 @@ playwright_testdata() {
  say "::group::Load all examples for Playwright tests"
  # must specify PYTHONPATH to make `tests.superset_test_config` importable
  export PYTHONPATH="$GITHUB_WORKSPACE"
-  pip install -e .
+  uv pip install --system -e .
  superset db upgrade
  superset load_test_users
  superset load_examples
--- a/.github/workflows/bump-python-package.yml
+++ b/.github/workflows/bump-python-package.yml
@@ -31,7 +31,7 @@ jobs:
      checks: write
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: true
          ref: master
--- a/.github/workflows/check-python-deps.yml
+++ b/.github/workflows/check-python-deps.yml
@@ -22,7 +22,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/check_db_migration_confict.yml
+++ b/.github/workflows/check_db_migration_confict.yml
@@ -25,7 +25,7 @@ jobs:
      pull-requests: write
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Check and notify
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -26,7 +26,7 @@ jobs:
      frontend: ${{ steps.check.outputs.frontend }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Check for file changes
@@ -47,6 +47,7 @@ jobs:
    permissions:
      actions: read
      contents: read
+      pull-requests: read
      security-events: write

    strategy:
@@ -57,7 +58,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false

--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -27,7 +27,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout Repository"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: "Dependency Review"
@@ -43,7 +43,7 @@ jobs:
          #   the latest version. It's MIT: https://github.com/nbubna/store/blob/master/LICENSE-MIT
          # pkg:npm/node-forge@1.3.1
          #   selecting BSD-3-Clause licensing terms for node-forge to ensure compatibility with Apache
-          allow-dependencies-licenses: pkg:npm/store2@2.14.2, pkg:npm/node-forge@1.3.1, pkg:npm/rgbcolor, pkg:npm/jszip@3.10.1
+          allow-dependencies-licenses: pkg:npm/rgbcolor, pkg:npm/jszip@3.10.1

  python-dependency-liccheck:
    # NOTE: Configuration for liccheck lives in our pyproject.yml.
@@ -51,7 +51,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: "Checkout Repository"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false

--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -30,7 +30,7 @@ jobs:
      docker: ${{ steps.check.outputs.docker }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Check for file changes
@@ -71,7 +71,7 @@ jobs:

    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false

@@ -177,7 +177,7 @@ jobs:
    timeout-minutes: 30
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Free up disk space
--- a/.github/workflows/embedded-sdk-release.yml
+++ b/.github/workflows/embedded-sdk-release.yml
@@ -10,37 +10,29 @@ permissions:
  contents: read

 jobs:
-  config:
-    runs-on: ubuntu-24.04
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${NPM_TOKEN}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
-        env:
-          NPM_TOKEN: ${{ (secrets.NPM_TOKEN != '') || '' }}
  build:
-    needs: config
-    if: needs.config.outputs.has-secrets
+    # Publishing uses npm trusted publishing (OIDC), so there is no NPM_TOKEN to
+    # gate on. Restrict to the canonical repo: forks cannot mint a valid OIDC
+    # token for this package and must not publish.
+    if: github.repository == 'apache/superset'
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      id-token: write # required for npm trusted publishing (OIDC)
    defaults:
      run:
        working-directory: superset-embedded-sdk
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
+      # Note: registry-url is intentionally omitted. When set, actions/setup-node
+      # writes an .npmrc with `_authToken=${NODE_AUTH_TOKEN}` and a placeholder
+      # token, which makes npm attempt token auth and skip the OIDC
+      # trusted-publishing exchange. With no .npmrc auth line, npm authenticates
+      # via OIDC against the default registry (registry.npmjs.org).
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: "./superset-embedded-sdk/.nvmrc"
-          registry-url: "https://registry.npmjs.org"
      - run: npm ci
      - run: npm run ci:release
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
--- a/.github/workflows/embedded-sdk-test.yml
+++ b/.github/workflows/embedded-sdk-test.yml
@@ -21,7 +21,7 @@ jobs:
      run:
        working-directory: superset-embedded-sdk
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
--- a/.github/workflows/generate-FOSSA-report.yml
+++ b/.github/workflows/generate-FOSSA-report.yml
@@ -32,12 +32,12 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
      - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+        uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287 # v5.3.0
        with:
          distribution: "temurin"
          java-version: "11"
--- a/.github/workflows/github-action-validator.yml
+++ b/.github/workflows/github-action-validator.yml
@@ -27,7 +27,7 @@ jobs:
      security-events: write
    steps:
      - name: Checkout Repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false

--- a/.github/workflows/issue_creation.yml
+++ b/.github/workflows/issue_creation.yml
@@ -16,7 +16,7 @@ jobs:
      issues: write
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false

--- a/.github/workflows/latest-release-tag.yml
+++ b/.github/workflows/latest-release-tag.yml
@@ -12,7 +12,7 @@ jobs:

    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/license-check.yml
+++ b/.github/workflows/license-check.yml
@@ -18,12 +18,12 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
      - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+        uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287 # v5.3.0
        with:
          distribution: "temurin"
          java-version: "11"
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -21,7 +21,7 @@ jobs:
      pull-requests: write
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -28,7 +28,7 @@ jobs:
        python-version: ${{ github.event_name == 'pull_request' && fromJSON('["current"]') || fromJSON('["current", "previous", "next"]') }}
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -33,7 +33,7 @@ jobs:
    permissions:
      contents: write
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          # pulls all commits (needed for lerna / semantic release to correctly version)
--- a/.github/workflows/showtime-trigger.yml
+++ b/.github/workflows/showtime-trigger.yml
@@ -152,7 +152,7 @@ jobs:

      - name: Checkout PR code (only if build needed)
        if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.build_needed == 'true'
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          ref: ${{ steps.check.outputs.target_sha }}
          persist-credentials: false
--- a/.github/workflows/superset-app-cli.yml
+++ b/.github/workflows/superset-app-cli.yml
@@ -41,7 +41,7 @@ jobs:
          - 16379:6379
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
@@ -61,7 +61,7 @@ jobs:
      - name: superset init
        if: steps.check.outputs.python
        run: |
-          pip install -e .
+          uv pip install --system -e .
          superset db upgrade
          superset load_test_users
      - name: superset load_examples
--- a/.github/workflows/superset-docs-deploy.yml
+++ b/.github/workflows/superset-docs-deploy.yml
@@ -60,7 +60,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.event.workflow_run.head_sha || github.sha }}"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          ref: ${{ github.event.workflow_run.head_sha || github.sha }}
          persist-credentials: false
@@ -71,7 +71,7 @@ jobs:
          node-version-file: "./docs/.nvmrc"
      - name: Setup Python
        uses: ./.github/actions/setup-backend/
-      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+      - uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287 # v5.3.0
        with:
          distribution: "zulu"
          java-version: "21"
--- a/.github/workflows/superset-docs-verify.yml
+++ b/.github/workflows/superset-docs-verify.yml
@@ -28,7 +28,7 @@ jobs:
    name: Link Checking
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      # Do not bump this linkinator-action version without opening
@@ -73,7 +73,7 @@ jobs:
        working-directory: docs
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
@@ -112,7 +112,7 @@ jobs:
        working-directory: docs
    steps:
      - name: "Checkout PR head: ${{ github.event.workflow_run.head_sha }}"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          ref: ${{ github.event.workflow_run.head_sha }}
          persist-credentials: false
--- a/.github/workflows/superset-e2e.yml
+++ b/.github/workflows/superset-e2e.yml
@@ -38,7 +38,7 @@ jobs:
      frontend: ${{ steps.check.outputs.frontend }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Check for file changes
@@ -49,7 +49,7 @@ jobs:

  cypress-matrix:
    needs: changes
-    if: needs.changes.outputs.python == 'true' || needs.changes.outputs.frontend == 'true'
+    if: (needs.changes.outputs.python == 'true' || needs.changes.outputs.frontend == 'true') && github.event.pull_request.draft == false
    # Somehow one test flakes on 24.04 for unknown reasons, this is the only GHA left on 22.04
    runs-on: ubuntu-22.04
    timeout-minutes: 30
@@ -97,21 +97,21 @@ jobs:
      # Conditional checkout based on context
      - name: Checkout for push or pull_request event
        if: github.event_name == 'push' || github.event_name == 'pull_request'
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
      - name: Checkout using ref (workflow_dispatch)
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.ref != ''
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          ref: ${{ github.event.inputs.ref }}
          submodules: recursive
      - name: Checkout using PR ID (workflow_dispatch)
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.pr_id != ''
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          ref: refs/pull/${{ github.event.inputs.pr_id }}/merge
@@ -207,21 +207,21 @@ jobs:
      # Conditional checkout based on context (same as Cypress workflow)
      - name: Checkout for push or pull_request event
        if: github.event_name == 'push' || github.event_name == 'pull_request'
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
      - name: Checkout using ref (workflow_dispatch)
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.ref != ''
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          ref: ${{ github.event.inputs.ref }}
          submodules: recursive
      - name: Checkout using PR ID (workflow_dispatch)
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.pr_id != ''
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          ref: refs/pull/${{ github.event.inputs.pr_id }}/merge
--- a/.github/workflows/superset-extensions-cli.yml
+++ b/.github/workflows/superset-extensions-cli.yml
@@ -31,7 +31,7 @@ jobs:
        working-directory: superset-extensions-cli
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/superset-frontend.yml
+++ b/.github/workflows/superset-frontend.yml
@@ -27,7 +27,7 @@ jobs:
      should-run: ${{ steps.check.outputs.frontend }}
    steps:
      - name: Checkout Code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -110,7 +110,7 @@ jobs:
      id-token: write
    steps:
      - name: Checkout Code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          fetch-depth: 0
--- a/.github/workflows/superset-helm-lint.yml
+++ b/.github/workflows/superset-helm-lint.yml
@@ -19,7 +19,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/superset-helm-release.yml
+++ b/.github/workflows/superset-helm-release.yml
@@ -29,7 +29,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          ref: ${{ inputs.ref || github.ref_name }}
          persist-credentials: true
--- a/.github/workflows/superset-playwright.yml
+++ b/.github/workflows/superset-playwright.yml
@@ -34,7 +34,7 @@ jobs:
      frontend: ${{ steps.check.outputs.frontend }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Check for file changes
@@ -83,21 +83,21 @@ jobs:
      # Conditional checkout based on context (same as Cypress workflow)
      - name: Checkout for push or pull_request event
        if: github.event_name == 'push' || github.event_name == 'pull_request'
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
      - name: Checkout using ref (workflow_dispatch)
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.ref != ''
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          ref: ${{ github.event.inputs.ref }}
          submodules: recursive
      - name: Checkout using PR ID (workflow_dispatch)
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.pr_id != ''
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          ref: refs/pull/${{ github.event.inputs.pr_id }}/merge
--- a/.github/workflows/superset-python-integrationtest.yml
+++ b/.github/workflows/superset-python-integrationtest.yml
@@ -1,6 +1,11 @@
 # Python integration tests
 name: Python-Integration

+# Least-privilege default for GITHUB_TOKEN. Jobs that need more (e.g. OIDC for
+# codecov uploads) opt in via their own job-level `permissions:` block.
+permissions:
+  contents: read
+
 on:
  push:
    branches:
@@ -24,7 +29,7 @@ jobs:
      python: ${{ steps.check.outputs.python }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Check for file changes
@@ -67,7 +72,7 @@ jobs:
          - 16379:6379
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
@@ -152,7 +157,7 @@ jobs:
          - 16379:6379
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
@@ -202,7 +207,7 @@ jobs:
          - 16379:6379
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/superset-python-presto-hive.yml
+++ b/.github/workflows/superset-python-presto-hive.yml
@@ -25,7 +25,7 @@ jobs:
      python: ${{ steps.check.outputs.python }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Check for file changes
@@ -72,7 +72,7 @@ jobs:
          - 16379:6379
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
@@ -127,7 +127,7 @@ jobs:
          - 16379:6379
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
@@ -149,7 +149,7 @@ jobs:
          run: celery-worker
      - name: Python unit tests (PostgreSQL)
        run: |
-          pip install -e .[hive]
+          uv pip install --system -e .[hive]
          ./scripts/python_tests.sh -m 'chart_data_flow or sql_json_flow'
      - name: Upload code coverage
        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
--- a/.github/workflows/superset-python-unittest.yml
+++ b/.github/workflows/superset-python-unittest.yml
@@ -1,6 +1,11 @@
 # Python unit tests
 name: Python-Unit

+# Least-privilege default for GITHUB_TOKEN. Jobs that need more (e.g. OIDC for
+# codecov uploads) opt in via their own job-level `permissions:` block.
+permissions:
+  contents: read
+
 on:
  push:
    branches:
@@ -25,7 +30,7 @@ jobs:
      python: ${{ steps.check.outputs.python }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Check for file changes
@@ -50,7 +55,7 @@ jobs:
      PYTHONPATH: ${{ github.workspace }}
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/superset-translations.yml
+++ b/.github/workflows/superset-translations.yml
@@ -25,7 +25,7 @@ jobs:
      pull-requests: read
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
@@ -61,7 +61,7 @@ jobs:
      pull-requests: read
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/superset-websocket.yml
+++ b/.github/workflows/superset-websocket.yml
@@ -25,7 +25,7 @@ jobs:
    timeout-minutes: 20
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Install dependencies
--- a/.github/workflows/supersetbot.yml
+++ b/.github/workflows/supersetbot.yml
@@ -38,7 +38,7 @@ jobs:
            });

      - name: "Checkout ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false

--- a/.github/workflows/sync-requirements-for-python-dep-upgrade-pr.yml
+++ b/.github/workflows/sync-requirements-for-python-dep-upgrade-pr.yml
@@ -0,0 +1,60 @@
+name: Sync requirements for Python dependency PRs
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: write
+  pull-requests: read
+
+jobs:
+  sync-python-dep-requirements:
+    # This action is limited for (1) PRs authored by Dependabot and (2) upstream repo due to write back to remote
+    if: github.repository == 'apache/superset' && github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.head.repo.fork == false
+    runs-on: ubuntu-26.04
+    steps:
+      - name: Fetch Dependabot metadata
+        id: dependabot-metadata
+        shell: bash
+        env:
+          BRANCH_NAME: ${{ github.head_ref }}
+        run: |
+          # Get current branch name, extract the package ecosystem and return as GHA step output
+          packageEcosystem=$(echo "$BRANCH_NAME" | cut -d'/' -f2)
+          echo "package-ecosystem=$packageEcosystem" >> $GITHUB_OUTPUT
+
+      # zizmor: ignore[artipacked] - required persisted credentials to push synced requirement changes back to remote
+      - name: Checkout source code
+        if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: true
+
+      # Authenticate the Docker daemon so the python:slim pull in
+      # uv-pip-compile.sh uses our (much higher) authenticated rate limit
+      # instead of the shared-runner anonymous one.
+      - name: Login to Docker Hub
+        if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}
+        continue-on-error: true
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Sync requirements in containerized environment
+        if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}
+        run: ./scripts/uv-pip-compile.sh
+
+      - name: Push changes to remote PRs
+        if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'pip' }}
+        run: |
+          git config user.name 'github-actions[bot]'
+          git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
+          git add requirements
+          git diff --cached --quiet && exit 0
+          git commit --signoff --message "build(deps): sync pinned requirements for Dependabot pip PRs"
+          git push origin "HEAD:refs/heads/${GITHUB_EVENT_PULL_REQUEST_HEAD_REF}"
+        env:
+          GITHUB_EVENT_PULL_REQUEST_HEAD_REF: ${{ github.event.pull_request.head.ref }}
--- a/.github/workflows/tag-release.yml
+++ b/.github/workflows/tag-release.yml
@@ -54,7 +54,7 @@ jobs:
      fail-fast: false
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -120,7 +120,7 @@ jobs:
      pull-requests: write
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          fetch-depth: 0
--- a/.github/workflows/tech-debt.yml
+++ b/.github/workflows/tech-debt.yml
@@ -32,7 +32,7 @@ jobs:
    name: Generate Reports
    steps:
      - name: Checkout Repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -50,3 +50,4 @@ under the License.
 - [4.1.4](./CHANGELOG/4.1.4.md)
 - [5.0.0](./CHANGELOG/5.0.0.md)
 - [6.0.0](./CHANGELOG/6.0.0.md)
+- [6.1.0](./CHANGELOG/6.1.0.md)
--- a/CHANGELOG/6.1.0.md
+++ b/CHANGELOG/6.1.0.md
--- a/17
+++ b/17
@@ -23,11 +23,14 @@ PYTHON=`command -v python3.11 || command -v python3.10`
 install: superset pre-commit

 superset:
+	# Bootstrap uv (the project's installer) into the active environment
+	pip install uv
+
 	# Install external dependencies
-	pip install -r requirements/development.txt
+	uv pip install -r requirements/development.txt

 	# Install Superset in editable (development) mode
-	pip install -e .
+	uv pip install -e .

 	# Create an admin user in your metadata database
 	superset fab create-admin \
@@ -52,11 +55,14 @@ superset:
 update: update-py update-js

 update-py:
+	# Bootstrap uv (the project's installer) into the active environment
+	pip install uv
+
 	# Install external dependencies
-	pip install -r requirements/development.txt
+	uv pip install -r requirements/development.txt

 	# Install Superset in editable (development) mode
-	pip install -e .
+	uv pip install -e .

 	# Initialize the database
 	superset db upgrade
@@ -79,7 +85,8 @@ activate:

 pre-commit:
 	# setup pre commit dependencies
-	pip3 install -r requirements/development.txt
+	pip install uv
+	uv pip install -r requirements/development.txt
 	pre-commit install

 format: py-format js-format
--- a/RESOURCES/INTHEWILD.yaml
+++ b/RESOURCES/INTHEWILD.yaml
@@ -83,6 +83,9 @@ categories:
    - name: Clark.de
      url: https://clark.de/

+    - name: Cover Genius
+      url: https://covergenius.com/
+
    - name: EnquiryLabs
      url: https://www.enquirylabs.co.uk

@@ -92,6 +95,10 @@ categories:
    - name: KarrotPay
      url: https://www.daangnpay.com/

+    - name: NICE Actimize
+      url: https://www.niceactimize.com/
+      contributors: ["@stevensuting"]
+
    - name: Remita
      url: https://remita.net
      contributors: ["@mujibishola"]
@@ -112,9 +119,6 @@ categories:
      url: https://xendit.co/
      contributors: ["@LieAlbertTriAdrian"]

-    - name: Cover Genius
-      url: https://covergenius.com/
-
  Gaming:
    - name: Popoko VM Games Studio
      url: https://popoko.live
@@ -296,7 +300,6 @@ categories:
      logo: hifadih.png
      contributors: ["@saintLaurent00"]

-    # Logo approved by @anmol-hpe on behalf of HPE
    - name: HPE
      url: https://www.hpe.com/in/en/home.html
      logo: hpe.png
@@ -396,6 +399,10 @@ categories:
      url: https://www.techaudit.info
      contributors: ["@ETselikov"]

+    - name: Tech Solution
+      url: https://www.tech-solution.com.ar/
+      contributors: ["@danteGiuliano", "@LeandroVallejos", "@McJaben", "@xJeree", "@zeo-return-null"]
+
    - name: Tenable
      url: https://www.tenable.com
      contributors: ["@dflionis"]
@@ -425,6 +432,10 @@ categories:
      logo: userguiding.svg
      contributors: ["@tzercin"]

+    - name: Value Ad
+      url: https://bestpair.info/
+      contributors: ["@stevensuting"]
+
    - name: Virtuoso QA
      url: https://www.virtuosoqa.com

@@ -509,10 +520,6 @@ categories:
      url: https://www.sunbird.org/
      contributors: ["@eksteporg"]

-    - name: The GRAPH Network
-      url: https://thegraphnetwork.org/
-      contributors: ["@fccoelho"]
-
    - name: Udemy
      url: https://www.udemy.com/
      contributors: ["@sungjuly"]
@@ -521,7 +528,24 @@ categories:
      url: https://www.vipkid.com.cn/
      contributors: ["@illpanda"]

-    - name: WikiMedia Foundation
+  Social Organization:
+    - name: Living Goods
+      url: https://www.livinggoods.org
+      contributors: ["@chelule"]
+
+    - name: One Acre Fund
+      url: https://oneacrefund.org/
+      contributors: ["@stevensuting"]
+
+    - name: Quest Alliance
+      url: https://www.questalliance.net/
+      contributors: ["@stevensuting"]
+
+    - name: The GRAPH Network
+      url: https://thegraphnetwork.org/
+      contributors: ["@fccoelho"]
+
+    - name: Wikimedia Foundation
      url: https://wikimediafoundation.org
      contributors: ["@vg"]

@@ -534,6 +558,10 @@ categories:
      url: https://www.douroeci.com/
      contributors: ["@nunohelibeires"]

+    - name: Rogow
+      url: https://rogow.com.br/
+      contributors: ["@nilmonto"]
+
    - name: Safaricom
      url: https://www.safaricom.co.ke/
      contributors: ["@mmutiso"]
@@ -546,11 +574,10 @@ categories:
      url: https://wattbewerb.de/
      contributors: ["@wattbewerb"]

-    - name: Rogow
-      url: https://rogow.com.br/
-      contributors: ["@nilmonto"]
-
  Healthcare:
+    - name: 2070Health
+      url: https://2070health.com/
+
    - name: Amino
      url: https://amino.com
      contributors: ["@shkr"]
@@ -563,10 +590,6 @@ categories:
      url: https://www.getcare.io/
      contributors: ["@alandao2021"]

-    - name: Living Goods
-      url: https://www.livinggoods.org
-      contributors: ["@chelule"]
-
    - name: Maieutical Labs
      url: https://maieuticallabs.it
      contributors: ["@xrmx"]
@@ -585,10 +608,10 @@ categories:
    - name: WeSure
      url: https://www.wesure.cn/

-    - name: 2070Health
-      url: https://2070health.com/
-
  HR / Staffing:
+    - name: bluquist
+      url: https://bluquist.com/
+
    - name: Swile
      url: https://www.swile.co/
      contributors: ["@PaoloTerzi"]
@@ -596,21 +619,18 @@ categories:
    - name: Symmetrics
      url: https://www.symmetrics.fyi

-    - name: bluquist
-      url: https://bluquist.com/
-
  Government:
    - name: City of Ann Arbor, MI
      url: https://www.a2gov.org/
      contributors: ["@sfirke"]

+    - name: NRLM - Sarathi, India
+      url: https://pib.gov.in/PressReleasePage.aspx?PRID=1999586
+
    - name: RIS3 Strategy of CZ, MIT CR
      url: https://www.ris3.cz/
      contributors: ["@RIS3CZ"]

-    - name: NRLM - Sarathi, India
-      url: https://pib.gov.in/PressReleasePage.aspx?PRID=1999586
-
  Mobile Software:
    - name: VLMedia
      url: https://www.vlmedia.com.tr
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -24,6 +24,22 @@ assists people when migrating to a new version.

 ## Next

+### Guest-token RLS rules reject unknown fields
+
+The `rls` rules passed to `POST /api/v1/security/guest_token/` are now validated strictly: a rule may only contain `dataset` and `clause`. Previously unknown fields were silently dropped, so a mistyped or legacy scope key (most commonly `datasource` instead of `dataset`) produced a rule with no `dataset`, which is treated as a *global* rule applied to every dataset the embedded resource can reach. Such a request now returns HTTP 400 identifying the offending field instead of issuing a token with an unintended global rule. Integrators that were sending extra fields in RLS rules must remove them; valid dataset-scoped (`{"dataset": 41, "clause": "..."}`) and global (`{"clause": "..."}`) rules are unaffected.
+
+### MCP service requires `MCP_JWT_AUDIENCE` when JWT auth is enabled
+
+When the MCP service has JWT auth enabled (`MCP_AUTH_ENABLED = True`), an audience must be configured via `MCP_JWT_AUDIENCE` so issued tokens are bound to this service. The service now fails to start with a clear configuration error when the audience is unset, instead of starting with audience validation skipped. Deployments that enable MCP JWT auth must set `MCP_JWT_AUDIENCE` to the audience value their identity provider issues for the MCP service. API-key-only MCP deployments (JWT auth disabled) are unaffected.
+
+### Swagger UI is opt-in (off by default)
+
+`FAB_API_SWAGGER_UI` now defaults to `False` and is driven by the `SUPERSET_ENABLE_SWAGGER_UI` environment variable. The interactive Swagger UI / OpenAPI documentation endpoints (e.g. `/swagger/v1`) are therefore no longer exposed by default. To enable them, set `SUPERSET_ENABLE_SWAGGER_UI=true` (the bundled Docker development environment sets this) or override `FAB_API_SWAGGER_UI = True` in `superset_config.py`.
+
+### Pivot table First/Last aggregations follow data order
+
+The pivot table chart's `First` and `Last` aggregations now return the first and last value in data (query result) order, instead of effectively returning the minimum and maximum. Existing pivot tables that use these aggregations for totals/subtotals may show different values after upgrading. For deterministic results, ensure the underlying query has a stable sort order.
+
 ### `thumbnail_url` removed from dashboard list API response

 The `thumbnail_url` field has been removed from `GET /api/v1/dashboard/` list responses. External consumers relying on this field must now construct the thumbnail URL client-side using `id` and `changed_on_utc`:
@@ -223,6 +239,9 @@ Added a new combined datasource list endpoint at `GET /api/v1/datasource/` to se
 - The endpoint is available to users with at least one of `can_read` on `Dataset` or `SemanticView`.
 - Semantic views are included only when the `SEMANTIC_LAYERS` feature flag is enabled.
 - The endpoint enforces strict `order_column` validation and returns `400` for invalid sort columns.
+
+## 6.1.0
+
 ### ClickHouse minimum driver version bump

 The minimum required version of `clickhouse-connect` has been raised to `>=0.13.0`. If you are using the ClickHouse connector, please upgrade your `clickhouse-connect` package. The `_mutate_label` workaround that appended hash suffixes to column aliases has also been removed, as it is no longer needed with modern versions of the driver.
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -72,20 +72,23 @@ services:
      - -c
      - |
        url="http://host.docker.internal:9000/static/assets/manifest.json"
-        max_attempts=150  # ~5 minutes at 2s intervals
-        echo "Waiting for webpack dev server at $url..."
+        max_attempts=300  # ~10 minutes at 2s intervals; first build can be slow
+        echo "Waiting for webpack dev server at $$url..."
        attempt=0
-        until curl -sf --max-time 5 -o /dev/null "$url"; do
-          attempt=$((attempt + 1))
-          if [ "$attempt" -ge "$max_attempts" ]; then
-            echo "ERROR: webpack dev server did not serve $url after $max_attempts attempts (~5 minutes)." >&2
+        until curl -sf --max-time 5 -H "Host: localhost" -o /dev/null "$$url"; do
+          attempt=$$((attempt + 1))
+          if [ "$$attempt" -ge "$$max_attempts" ]; then
+            echo "ERROR: webpack dev server did not serve $$url after $$max_attempts attempts." >&2
            echo "Is the dev server running? With BUILD_SUPERSET_FRONTEND_IN_DOCKER=false you must start it on the host (e.g. 'npm run dev' in superset-frontend)." >&2
            exit 1
          fi
+          if [ $$((attempt % 15)) -eq 0 ]; then
+            echo "Still waiting for webpack dev server... ($$attempt/$$max_attempts)"
+          fi
          sleep 2
        done
        echo "Webpack dev server is ready; starting nginx."
-        exec nginx -g 'daemon off;'
+        exec /docker-entrypoint.sh nginx -g 'daemon off;'

  redis:
    image: redis:7
--- a/docker/.env
+++ b/docker/.env
@@ -70,6 +70,8 @@ SUPERSET_LOG_LEVEL=info

 SUPERSET_APP_ROOT="/"
 SUPERSET_ENV=development
+# Swagger UI is opt-in (off by default); enable it for local development.
+SUPERSET_ENABLE_SWAGGER_UI=true
 SUPERSET_LOAD_EXAMPLES=yes
 CYPRESS_CONFIG=false
 SUPERSET_PORT=8088
--- a/docker/docker-bootstrap.sh
+++ b/docker/docker-bootstrap.sh
@@ -81,17 +81,19 @@ case "${1}" in
  app)
    echo "Starting web app (using development server)..."

-    # Environment-based debugger control for security
-    # Only enable Werkzeug interactive debugger when explicitly requested
-    # Modern Werkzeug (3.0+) includes PIN protection, but defense-in-depth approach
-    # Override FLASK_DEBUG so the effective state matches SUPERSET_DEBUG_ENABLED even
-    # when FLASK_DEBUG=true is inherited from docker/.env or .flaskenv
+    # Default to Flask debug mode in this dev compose entrypoint so the Talisman
+    # dev CSP (which permits 'unsafe-eval' required by React Refresh / HMR) is
+    # served. Operators can still set FLASK_DEBUG=false in docker/.env-local
+    # to exercise the production-like CSP and error handling.
+    : "${FLASK_DEBUG:=1}"
+    export FLASK_DEBUG
+
+    # Werkzeug's interactive debugger (/console) is a separate, security-sensitive
+    # feature and must be opted into explicitly via SUPERSET_DEBUG_ENABLED=true.
    if [[ "${SUPERSET_DEBUG_ENABLED:-}" == "true" ]]; then
-        export FLASK_DEBUG=1
        DEBUGGER_FLAG="--debugger"
        echo "  ⚠️  Werkzeug debugger enabled (requires PIN for /console access)"
    else
-        export FLASK_DEBUG=0
        DEBUGGER_FLAG="--no-debugger"
        echo "  🔒 Werkzeug debugger disabled (set SUPERSET_DEBUG_ENABLED=true to enable)"
    fi
--- a/docker/entrypoints/run-server.sh
+++ b/docker/entrypoints/run-server.sh
@@ -19,7 +19,7 @@
 #
 HYPHEN_SYMBOL='-'

-gunicorn \
+exec gunicorn \
    --bind "${SUPERSET_BIND_ADDRESS:-0.0.0.0}:${SUPERSET_PORT:-8088}" \
    --access-logfile "${ACCESS_LOG_FILE:-$HYPHEN_SYMBOL}" \
    --error-logfile "${ERROR_LOG_FILE:-$HYPHEN_SYMBOL}" \
--- a/docs/admin_docs/configuration/configuring-superset.mdx
+++ b/docs/admin_docs/configuration/configuring-superset.mdx
@@ -455,6 +455,51 @@ def FLASK_APP_MUTATOR(app: Flask) -> None:
    app.before_request_funcs.setdefault(None, []).append(make_session_permanent)
 ```

+## Customizing the landing page (index view)
+
+The page served at `/` is rendered by an index view. By default Superset registers
+`SupersetIndexView`, which redirects to `/superset/welcome/` and also adds the
+`/lang/<locale>` locale handler. You can replace it with your own view, for example
+to send users straight to a specific dashboard or to a chart list.
+
+Set `FAB_INDEX_VIEW` to the **importable dotted path** of your view class. Flask-AppBuilder
+resolves this during app initialization and uses it in place of the default:
+
+```python
+# my_overrides.py — must be importable on the PYTHONPATH
+from flask import redirect
+from superset.initialization import SupersetIndexView
+from superset.superset_typing import FlaskResponse
+from flask_appbuilder import expose
+
+
+class MyIndexView(SupersetIndexView):
+    @expose("/")
+    def index(self) -> FlaskResponse:
+        return redirect("/chart/list/")
+```
+
+```python
+# superset_config.py
+FAB_INDEX_VIEW = "my_overrides.MyIndexView"
+```
+
+A few things that commonly trip people up:
+
+- **Subclass `SupersetIndexView`, not Flask-AppBuilder's bare `IndexView`.** Subclassing
+  keeps Superset's `/lang/<locale>` locale handling; replacing it with a bare `IndexView`
+  silently drops that behavior.
+- **The class must be importable as a real module.** `FAB_INDEX_VIEW` is resolved by
+  importing the dotted path, which is independent of how `superset_config.py` itself is
+  loaded. Superset only copies **uppercase** names out of `superset_config.py` into its
+  runtime config, so a `FAB_INDEX_VIEW = "superset_config.MyIndexView"` reference only works
+  if `superset_config` is itself importable by that name on the `PYTHONPATH`. If you load
+  config via `SUPERSET_CONFIG_PATH` (an arbitrary file path), put the view in a separate
+  importable module instead and reference that module.
+- **Don't set `appbuilder.indexview` from `FLASK_APP_MUTATOR`.** The mutator runs after
+  routes are already registered, so the assignment has no effect on the `/` route. Use
+  `FAB_INDEX_VIEW` instead.
+
 ## Feature Flags

 To support a diverse set of users, Superset has some features that are not enabled by default. For
--- a/docs/admin_docs/installation/pypi.mdx
+++ b/docs/admin_docs/installation/pypi.mdx
@@ -22,31 +22,24 @@ level dependencies.

 **Debian and Ubuntu**

-Ubuntu **24.04** uses python 3.12 per default, which currently is not supported by Superset. You need to add a second python installation of 3.11 and install the required additional dependencies.
-```bash
-sudo add-apt-repository ppa:deadsnakes/ppa
-sudo apt update
-sudo apt install python3.11 python3.11-dev python3.11-venv build-essential libssl-dev libffi-dev libsasl2-dev libldap2-dev default-libmysqlclient-dev
-```
-
-In Ubuntu **20.04 and 22.04** the following command will ensure that the required dependencies are installed:
+The following command will ensure that the required dependencies are installed (tested on Ubuntu 20.04, 22.04, and 24.04):

 ```bash
-sudo apt-get install build-essential libssl-dev libffi-dev python3-dev python3-pip libsasl2-dev libldap2-dev default-libmysqlclient-dev
+sudo apt-get install build-essential libssl-dev libffi-dev python3-dev python3-pip python3-venv libsasl2-dev libldap2-dev libpq-dev default-libmysqlclient-dev pkg-config
 ```

-In Ubuntu **before 20.04** the following command will ensure that the required dependencies are installed:
-
-```bash
-sudo apt-get install build-essential libssl-dev libffi-dev python-dev python-pip libsasl2-dev libldap2-dev default-libmysqlclient-dev
-```
+Refer to the
+[pyproject.toml](https://github.com/apache/superset/blob/master/pyproject.toml) file for the list of
+Python versions officially supported by Superset, and install a matching `python3` interpreter for
+your distribution. The `libpq-dev` package is only needed if you intend to connect to (or use) a
+PostgreSQL database; you can omit it otherwise.

 **Fedora and RHEL-derivative Linux distributions**

 Install the following packages using the `yum` package manager:

 ```bash
-sudo yum install gcc gcc-c++ libffi-devel python-devel python-pip python-wheel openssl-devel cyrus-sasl-devel openldap-devel
+sudo yum install gcc gcc-c++ libffi-devel python3-devel python3-pip python3-wheel openssl-devel cyrus-sasl-devel openldap-devel
 ```

 In more recent versions of CentOS and Fedora, you may need to install a slightly different set of packages using `dnf`:
--- a/docs/admin_docs/security/securing_superset.mdx
+++ b/docs/admin_docs/security/securing_superset.mdx
@@ -161,6 +161,7 @@ Here's the documentation section how how to set up Talisman: https://superset.ap

  - [ ] Regularly update to the latest major or minor versions of Superset. Those versions receive up-to-date security patches.
  - [ ] Rotate the `SUPERSET_SECRET_KEY` periodically (e.g., quarterly) and after any potential security incident.
+  - [ ] Rotate the other security-critical secrets (guest-token and async-query JWT secrets, SMTP and database credentials) on the cadence in Appendix C, and after any potential security incident.
  - [ ] Conduct quarterly access reviews for all users.
  - [ ] Assuming logging and monitoring is in place, review security monitoring alerts weekly.

@@ -173,6 +174,24 @@ Rotating the `SUPERSET_SECRET_KEY` is a critical security procedure. It is manda
 The procedure for safely rotating the SECRET_KEY must be followed precisely to avoid locking yourself out of your instance. The official Apache Superset documentation maintains the correct, up-to-date procedure. Please follow the official guide here:
 https://superset.apache.org/admin-docs/configuration/configuring-superset/#rotating-to-a-newer-secret_key

+### **Appendix C: Secrets Register and Rotation Schedule**
+
+`SUPERSET_SECRET_KEY` is not the only security-critical secret in a Superset deployment. Maintain an inventory of all such secrets, store each in a secrets manager (not in `superset_config.py` or version control), assign an owner, and rotate them on a defined cadence as well as after any suspected compromise.
+
+| Secret | Purpose | Risk if leaked | Suggested rotation |
+|---|---|---|---|
+| `SUPERSET_SECRET_KEY` | Signs session cookies; key material for encrypting stored DB credentials (Fernet/AES) | Forged sessions (auth bypass / privilege escalation); decryption of exfiltrated metadata-DB secrets | Quarterly + post-incident |
+| `GUEST_TOKEN_JWT_SECRET` | Signs embedded-dashboard guest tokens | Forged guest tokens → unauthorized dashboard/data access | Quarterly + post-incident |
+| `GLOBAL_ASYNC_QUERIES_JWT_SECRET` | Signs the async-query channel JWT | Forged async-query tokens | Quarterly + post-incident |
+| SMTP password | Outbound email for alerts & reports | Email relay abuse / spoofing | Per organizational policy + post-incident |
+| Database connection passwords | Access to analytical databases and the metadata DB | Direct database access | Per organizational policy + post-incident |
+
+Notes:
+
+- Rotating `GUEST_TOKEN_JWT_SECRET` or `GLOBAL_ASYNC_QUERIES_JWT_SECRET` invalidates outstanding tokens of that type; schedule rotations accordingly.
+- After a suspected compromise, rotate **all** of the above, not only `SUPERSET_SECRET_KEY`.
+- Keep the register under change control so new secrets introduced by future features are added to the rotation schedule.
+
 :::resources
 - [Blog: Running Apache Superset on the Open Internet](https://preset.io/blog/running-apache-superset-on-the-open-internet-a-report-from-the-fireline/)
 - [Blog: How Security Vulnerabilities are Reported & Handled in Apache Superset](https://preset.io/blog/how-security-vulnerabilities-are-reported-and-handled-in-apache-superset/)
--- a/docs/developer_docs/extensions/contribution-types.md
+++ b/docs/developer_docs/extensions/contribution-types.md
@@ -34,15 +34,14 @@ Frontend contribution types allow extensions to extend Superset's user interface

 Extensions can add new views or panels to the host application, such as custom SQL Lab panels, dashboards, or other UI components. Contribution areas are uniquely identified (e.g., `sqllab.panels` for SQL Lab panels), enabling seamless integration into specific parts of the application.

-```tsx
-import React from 'react';
+```typescript
 import { views } from '@apache-superset/core';
 import MyPanel from './MyPanel';

 views.registerView(
  { id: 'my-extension.main', name: 'My Panel Name' },
  'sqllab.panels',
-  () => <MyPanel />,
+  MyPanel,
 );
 ```

@@ -112,6 +111,24 @@ editors.registerEditor(

 See [Editors Extension Point](./extension-points/editors.md) for implementation details.

+### Chat
+
+Extensions can add a chat interface to Superset by registering a trigger component and a panel component. The host owns the layout, open/close state, and display mode — the extension only provides the UI. The panel can be displayed as a floating overlay or docked as a resizable sidebar beside the page content, and the user's preference is persisted across reloads.
+
+```tsx
+import { chat } from '@apache-superset/core';
+import ChatTrigger from './ChatTrigger';
+import ChatPanel from './ChatPanel';
+
+chat.registerChat(
+  { id: 'my-org.my-chat', name: 'My Chat' },
+  ChatTrigger,
+  ChatPanel,
+);
+```
+
+See [Chat](./extension-points/chat.md) for implementation details.
+
 ## Backend

 Backend contribution types allow extensions to extend Superset's server-side capabilities. Backend contributions are registered at startup via classes and functions imported from the auto-discovered `entrypoint.py` file.
--- a/docs/developer_docs/extensions/extension-points/chat.md
+++ b/docs/developer_docs/extensions/extension-points/chat.md
@@ -0,0 +1,141 @@
+---
+title: Chat
+sidebar_position: 3
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+# Chat Contributions
+
+Extensions can add a chat interface to Superset by registering a trigger and a panel. The host owns the layout, open/close state, and display mode — the extension only needs to provide the UI components.
+
+## Overview
+
+A chat registration consists of two React components:
+
+| Component | Role |
+|-----------|------|
+| **Trigger** | Always-visible entry point (e.g., a floating button). Rendered in the bottom-right corner in floating mode, or as a fixed overlay in panel mode. |
+| **Panel** | The chat UI itself (message list, input, etc.). Mounted by the host in the active display mode. |
+
+## Display Modes
+
+The host supports two display modes, switchable by the user or the extension at runtime:
+
+| Mode | Behavior |
+|------|----------|
+| `floating` | Panel floats above page content, anchored to the bottom-right corner. |
+| `panel` | Panel is docked to the right side of the application as a resizable sidebar, sitting beside the page content. |
+
+The user's last selected mode and open/closed state are persisted across page reloads.
+
+## Registering a Chat
+
+Call `chat.registerChat` from your extension's entry point with a descriptor, a trigger factory, and a panel factory:
+
+```tsx
+import { chat } from '@apache-superset/core';
+import ChatTrigger from './ChatTrigger';
+import ChatPanel from './ChatPanel';
+
+chat.registerChat(
+  { id: 'my-org.my-chat', name: 'My Chat' },
+  ChatTrigger,
+  ChatPanel,
+);
+```
+
+Only one chat registration is active at a time. If a second extension calls `registerChat`, it replaces the first and a warning is logged.
+
+## Opening and Closing the Chat
+
+The trigger component is responsible for toggling the panel. Use `chat.isOpen()`, `chat.open()`, and `chat.close()` to control visibility:
+
+```tsx
+import { chat } from '@apache-superset/core';
+
+export default function ChatTrigger() {
+  return (
+    <button onClick={() => (chat.isOpen() ? chat.close() : chat.open())}>
+      💬
+    </button>
+  );
+}
+```
+
+You can also subscribe to open/close events from any component:
+
+```tsx
+useEffect(() => {
+  const { dispose } = chat.onDidOpen(() => console.log('chat opened'));
+  return dispose;
+}, []);
+```
+
+## Changing the Display Mode
+
+Call `chat.setDisplayMode` to switch between `'floating'` and `'panel'` modes. In your panel component, subscribe to `onDidChangeDisplayMode` to react to changes (including those triggered by the user):
+
+```tsx
+import { useState, useEffect } from 'react';
+import { chat } from '@apache-superset/core';
+
+export default function ChatPanel() {
+  const [mode, setMode] = useState(chat.getDisplayMode());
+
+  useEffect(() => {
+    const { dispose } = chat.onDidChangeDisplayMode(m => setMode(m));
+    return dispose;
+  }, []);
+
+  return (
+    <div style={{ height: mode === 'panel' ? '100%' : '80vh' }}>
+      <button onClick={() => chat.setDisplayMode(mode === 'panel' ? 'floating' : 'panel')}>
+        {mode === 'panel' ? 'Float' : 'Dock'}
+      </button>
+      {/* message list and input */}
+    </div>
+  );
+}
+```
+
+## Chat API Reference
+
+All methods are available on the `chat` namespace from `@apache-superset/core`:
+
+| Method / Event | Description |
+|----------------|-------------|
+| `registerChat(descriptor, trigger, panel)` | Register a chat extension. Returns a `Disposable` to unregister. |
+| `open()` | Open the chat panel. No-op if already open or no registration. |
+| `close()` | Close the chat panel. |
+| `isOpen()` | Returns `true` if the panel is currently open. |
+| `getDisplayMode()` | Returns the current display mode (`'floating'` or `'panel'`). |
+| `setDisplayMode(mode)` | Switch between `'floating'` and `'panel'` mode. |
+| `onDidOpen(listener)` | Subscribe to panel open events. Returns a `Disposable`. |
+| `onDidClose(listener)` | Subscribe to panel close events. Returns a `Disposable`. |
+| `onDidChangeDisplayMode(listener)` | Subscribe to display mode changes. Returns a `Disposable`. |
+| `onDidRegisterChat(listener)` | Subscribe to registration events. |
+| `onDidUnregisterChat(listener)` | Subscribe to unregistration events. |
+| `onDidResizePanel(listener)` | Subscribe to panel resize events (panel mode only). Not all hosts provide a resizer — do not rely on this firing. Returns a `Disposable`. |
+
+## Next Steps
+
+- **[Contribution Types](../contribution-types.md)** — Explore other contribution types
+- **[Development](../development.md)** — Set up your development environment
--- a/docs/developer_docs/sidebars.js
+++ b/docs/developer_docs/sidebars.js
@@ -47,6 +47,8 @@ module.exports = {
          collapsed: true,
          items: [
            'extensions/extension-points/sqllab',
+            'extensions/extension-points/editors',
+            'extensions/extension-points/chat',
          ],
        },
        'extensions/development',
--- a/docs/netlify.toml
+++ b/docs/netlify.toml
@@ -28,14 +28,19 @@
  # Skip builds when no docs changes (exit 0 = skip, non-zero = build).
  # Checks for changes in docs/ and README.md (which gets pulled into docs).
  #
-  # $CACHED_COMMIT_REF is the last *deployed* commit. On a PR's first build it
-  # is empty, so the original `git diff` errored and Netlify fell back to
-  # building -- which is why every PR built a docs preview once even with no
-  # docs changes. When it is empty we instead diff the whole branch against its
-  # merge-base with master, so non-docs PRs are skipped from the very first
-  # build. Subsequent builds (and the master production build) keep the cheaper
-  # incremental $CACHED_COMMIT_REF diff. Any failure exits non-zero -> build.
-  ignore = 'if [ -n "$CACHED_COMMIT_REF" ]; then git diff --quiet "$CACHED_COMMIT_REF" "$COMMIT_REF" -- . ../README.md; else git fetch origin master --depth=100 >/dev/null 2>&1; git diff --quiet "$(git merge-base origin/master "$COMMIT_REF" 2>/dev/null || echo origin/master)" "$COMMIT_REF" -- . ../README.md; fi'
+  # $CACHED_COMMIT_REF is the last *deployed* commit; it is set on incremental
+  # builds (notably the master production deploy) and empty on a context's
+  # first build (every deploy preview). The production path diffs against it
+  # and skips correctly.
+  #
+  # Deploy previews need different handling: Netlify checks out a *merge*
+  # commit, so $COMMIT_REF (the PR head SHA) is frequently not resolvable in
+  # the clone, and on a shallow clone `git merge-base` can fail too -- so the
+  # previous logic fell through to a build on every PR, even non-docs ones.
+  # Instead, always diff the checked-out HEAD against its merge-base with
+  # master, deepening the shallow clone until that merge-base resolves. If it
+  # genuinely can't be determined, exit non-zero to build (fail safe).
+  ignore = 'if [ -n "$CACHED_COMMIT_REF" ]; then git diff --quiet "$CACHED_COMMIT_REF" HEAD -- . ../README.md; else git fetch --no-tags origin master >/dev/null 2>&1 || true; i=0; while [ "$i" -lt 10 ] && ! git merge-base origin/master HEAD >/dev/null 2>&1; do git fetch --deepen=200 origin master >/dev/null 2>&1 || break; i=$((i+1)); done; BASE="$(git merge-base origin/master HEAD 2>/dev/null || true)"; if [ -z "$BASE" ]; then exit 1; fi; git diff --quiet "$BASE" HEAD -- . ../README.md; fi'

 [build.environment]
  # Node version matching docs/.nvmrc
--- a/docs/package.json
+++ b/docs/package.json
@@ -71,9 +71,9 @@
    "@storybook/theming": "^8.6.15",
    "@superset-ui/core": "^0.20.4",
    "@swc/core": "^1.15.41",
-    "antd": "^6.4.3",
-    "baseline-browser-mapping": "^2.10.35",
-    "caniuse-lite": "^1.0.30001797",
+    "antd": "^6.4.4",
+    "baseline-browser-mapping": "^2.10.38",
+    "caniuse-lite": "^1.0.30001799",
    "docusaurus-plugin-openapi-docs": "^5.0.2",
    "docusaurus-theme-openapi-docs": "^5.0.2",
    "js-yaml": "^4.2.0",
@@ -109,7 +109,7 @@
    "globals": "^17.6.0",
    "prettier": "^3.8.4",
    "typescript": "~6.0.3",
-    "typescript-eslint": "^8.61.0",
+    "typescript-eslint": "^8.61.1",
    "webpack": "^5.107.2"
  },
  "browserslist": {
--- a/docs/user_docs_versioned_docs/version-6.0.0/configuration/databases.mdx
+++ b/docs/user_docs_versioned_docs/version-6.0.0/configuration/databases.mdx
@@ -1808,6 +1808,10 @@ If you enable DML in the meta database users will be able to run DML queries on

 Second, you might want to change the value of `SUPERSET_META_DB_LIMIT`. The default value is 1000, and defines how many are read from each database before any aggregations and joins are executed. You can also set this value `None` if you only have small tables.

+:::warning
+`SUPERSET_META_DB_LIMIT` is applied to **each** underlying table *before* the in-memory join runs, not to the final result. If any table involved in a join has more rows than the limit, the meta database will read only the first `SUPERSET_META_DB_LIMIT` rows of that table, which means matching rows can be silently dropped and the join can return **incomplete or even empty** results with no error. If you join tables larger than the limit, raise `SUPERSET_META_DB_LIMIT` to comfortably exceed your largest joined table, or set it to `None` when working only with small tables, to get correct results.
+:::
+
 Additionally, you might want to restrict the databases to with the meta database has access to. This can be done in the database configuration, under "Advanced" -> "Other" -> "ENGINE PARAMETERS" and adding:

 ```json
--- a/docs/yarn.lock
+++ b/docs/yarn.lock
@@ -212,7 +212,7 @@
  resolved "https://registry.npmjs.org/@ant-design/icons-svg/-/icons-svg-4.4.2.tgz"
  integrity sha512-vHbT+zJEVzllwP+CM+ul7reTEfBR0vgxFe7+lREAsAA7YGsYpboiq2sQNeQeRvh09GfQgs/GyFEvZpJ9cLXpXA==

-"@ant-design/icons@^6.2.3", "@ant-design/icons@^6.2.5":
+"@ant-design/icons@^6.2.5":
  version "6.2.5"
  resolved "https://registry.yarnpkg.com/@ant-design/icons/-/icons-6.2.5.tgz#31c142aa6ce5eaf99598aaead222f4c459693512"
  integrity sha512-0hKtoKqTjGFOndUyJLJmC9Cg6k4rEO7rLo6xmgbNJH+/ZX1C57RVals2v1j1knHl9n7Q+sBOveTvn931wLOCKw==
@@ -3162,21 +3162,21 @@
  resolved "https://registry.npmjs.org/@polka/url/-/url-1.0.0-next.29.tgz"
  integrity sha512-wwQAWhWSuHaag8c4q/KN/vCoeOJYshAIvMQwD4GpSb3OiZklFfvAgmj0VCBBImRpuF/aFgIRzllXlVX93Jevww==

-"@rc-component/async-validator@^5.1.0":
-  version "5.1.0"
-  resolved "https://registry.npmjs.org/@rc-component/async-validator/-/async-validator-5.1.0.tgz"
-  integrity sha512-n4HcR5siNUXRX23nDizbZBQPO0ZM/5oTtmKZ6/eqL0L2bo747cklFdZGRN2f+c9qWGICwDzrhW0H7tE9PptdcA==
+"@rc-component/async-validator@^6.0.0":
+  version "6.0.0"
+  resolved "https://registry.yarnpkg.com/@rc-component/async-validator/-/async-validator-6.0.0.tgz#1c20b8864f69bac63b7876b1321697c2ea71c68d"
+  integrity sha512-D3AGQwdyE58gmvx6waVSXJ80JGO+IY5L2O8HDnSOex7JNlzB3GuN/4hyHNTdhy2qtOhkpbIjmeAN3tL993wKbA==
  dependencies:
    "@babel/runtime" "^7.24.4"

-"@rc-component/cascader@~1.15.0":
-  version "1.15.0"
-  resolved "https://registry.yarnpkg.com/@rc-component/cascader/-/cascader-1.15.0.tgz#554cba8e01e94a1288547cec96422b2cfc73ff40"
-  integrity sha512-ZzpMtwFCRo3fbXHuDnncARJMZQjdqA2w7aDuPofNQt+aDx39st1hgfIpEwTBLhe2Hqsvs/zOr8RTtgxTkCPySw==
+"@rc-component/cascader@~1.16.1":
+  version "1.16.1"
+  resolved "https://registry.yarnpkg.com/@rc-component/cascader/-/cascader-1.16.1.tgz#94193ee55009219999a46e005a0f8589c8c021a2"
+  integrity sha512-wxLopwM+EBed0zNNGdnGE4coYoqcO+XD42fHgn+pDvO+XzhNFbdgSlSNXdKocIYqccvqgWvoxDPNb0OVRdi59A==
  dependencies:
-    "@rc-component/select" "~1.6.0"
-    "@rc-component/tree" "~1.3.0"
-    "@rc-component/util" "^1.4.0"
+    "@rc-component/select" "~1.7.1"
+    "@rc-component/tree" "~1.3.2"
+    "@rc-component/util" "^1.11.1"
    clsx "^2.1.1"

 "@rc-component/checkbox@~2.0.0":
@@ -3242,13 +3242,13 @@
    "@rc-component/util" "^1.2.1"
    clsx "^2.1.1"

-"@rc-component/form@~1.8.1":
-  version "1.8.1"
-  resolved "https://registry.yarnpkg.com/@rc-component/form/-/form-1.8.1.tgz#d811fb52df41bf72297938ebfe5cf4a4774588d4"
-  integrity sha512-8O7TB55Fi2mWIGvSnwZjk8jFqVNYyKDAswglwGShcbndxqzKz4cHwNtNaLjZlAeRge9wcB0LL8IWsC/Bl18raQ==
+"@rc-component/form@~1.8.3":
+  version "1.8.5"
+  resolved "https://registry.yarnpkg.com/@rc-component/form/-/form-1.8.5.tgz#20571cfd401dc38c74c38cdf4722ddc6c23a9806"
+  integrity sha512-d24EYtvUOBhxEtSd/EqIu9DaMuqrWF2IRIvAFCTM6NQ/GJIYNr8DvEpUSUlv2uPxEJ0ZPwYQ+wwlGIAaiHvdrw==
  dependencies:
-    "@rc-component/async-validator" "^5.1.0"
-    "@rc-component/util" "^1.6.2"
+    "@rc-component/async-validator" "^6.0.0"
+    "@rc-component/util" "^1.11.1"
    clsx "^2.1.1"

 "@rc-component/image@~1.9.0":
@@ -3270,13 +3270,13 @@
    "@rc-component/util" "^1.4.0"
    clsx "^2.1.1"

-"@rc-component/input@~1.3.0":
-  version "1.3.0"
-  resolved "https://registry.yarnpkg.com/@rc-component/input/-/input-1.3.0.tgz#a8c113000bbc39089cf75337bec68120115b9e05"
-  integrity sha512-IUUNOdAuWuEvDEFFgfmwQl818tiDbvXwLgon4HL1q2hJeYkqrRrYwYhJN0zfPHGTDxs3gvyVC/C02D4hWFoIcA==
+"@rc-component/input@~1.3.0", "@rc-component/input@~1.3.1":
+  version "1.3.1"
+  resolved "https://registry.yarnpkg.com/@rc-component/input/-/input-1.3.1.tgz#230b8b59cdde8521d50f0eede63ddacb61cc0cd3"
+  integrity sha512-iFvTUT9W+JC/MSin2aGAk8NqsVlTzcExNC9DZariON1IWirju9NoNeEk47an4Q8iHazkoVI/y1LnDi88+CPcig==
  dependencies:
    "@rc-component/resize-observer" "^1.1.1"
-    "@rc-component/util" "^1.4.0"
+    "@rc-component/util" "^1.11.1"
    clsx "^2.1.1"

 "@rc-component/mentions@~1.9.0":
@@ -3290,15 +3290,15 @@
    "@rc-component/util" "^1.3.0"
    clsx "^2.1.1"

-"@rc-component/menu@~1.3.0":
-  version "1.3.0"
-  resolved "https://registry.yarnpkg.com/@rc-component/menu/-/menu-1.3.0.tgz#fc70d81ca76ae6013b0d7955f20a2393adef04b3"
-  integrity sha512-u3NfiwpiEgT177qa5Yxm5QsI8i/93EBGpWj8HYZQDnh2pCZ2xtQCe/+w3pSR2NlwKOZDTCKzEhEyD09mGphssA==
+"@rc-component/menu@~1.3.0", "@rc-component/menu@~1.3.1":
+  version "1.3.1"
+  resolved "https://registry.yarnpkg.com/@rc-component/menu/-/menu-1.3.1.tgz#16cae71a01080914e8bac08359fccdda7bfce540"
+  integrity sha512-pSZl9nBPgKgxN0aaW7NilIBEwWsc+43S+ulGdWAg9afak96dNOGWsGx0DLLBB1VQsAJvo6bQMTDzXoPlEHsBEw==
  dependencies:
    "@rc-component/motion" "^1.1.4"
    "@rc-component/overflow" "^1.0.0"
    "@rc-component/trigger" "^3.0.0"
-    "@rc-component/util" "^1.3.0"
+    "@rc-component/util" "^1.11.1"
    clsx "^2.1.1"

 "@rc-component/mini-decimal@^1.0.1":
@@ -3308,12 +3308,12 @@
  dependencies:
    "@babel/runtime" "^7.18.0"

-"@rc-component/motion@^1.0.0", "@rc-component/motion@^1.1.3", "@rc-component/motion@^1.1.4", "@rc-component/motion@^1.3.2":
-  version "1.3.2"
-  resolved "https://registry.yarnpkg.com/@rc-component/motion/-/motion-1.3.2.tgz#bd96e0fd16ee9d98c1d9be14198f003e367d8feb"
-  integrity sha512-itfd+GztzJYAb04Z4RkEub1TbJAfZc2Iuy8p44U44xD1F5+fNYFKI3897ijlbIyfvXkTmMm+KGcjkQQGMHywEQ==
+"@rc-component/motion@^1.0.0", "@rc-component/motion@^1.1.3", "@rc-component/motion@^1.1.4", "@rc-component/motion@^1.3.3":
+  version "1.3.3"
+  resolved "https://registry.yarnpkg.com/@rc-component/motion/-/motion-1.3.3.tgz#6a7bbe0a9f070bd11642168f741d40e78bb28565"
+  integrity sha512-Xh3IszxvlSv3/PLYFyC2UZi9LNB83yOnkB/LNmRzaypZLvkhqUIPS7MQpGZcCMWrNsXV2p6YTSWbSGvFpEle9A==
  dependencies:
-    "@rc-component/util" "^1.2.0"
+    "@rc-component/util" "^1.11.0"
    clsx "^2.1.1"

 "@rc-component/mutate-observer@^2.0.1":
@@ -3342,12 +3342,12 @@
    "@rc-component/util" "^1.4.0"
    clsx "^2.1.1"

-"@rc-component/pagination@~1.2.0":
-  version "1.2.0"
-  resolved "https://registry.npmjs.org/@rc-component/pagination/-/pagination-1.2.0.tgz"
-  integrity sha512-YcpUFE8dMLfSo6OARJlK6DbHHvrxz7pMGPGmC/caZSJJz6HRKHC1RPP001PRHCvG9Z/veD039uOQmazVuLJzlw==
+"@rc-component/pagination@~1.3.0":
+  version "1.3.0"
+  resolved "https://registry.yarnpkg.com/@rc-component/pagination/-/pagination-1.3.0.tgz#ee66301e37a03974826fb3028a91a1aeacdcd0ac"
+  integrity sha512-12ahTY+HPITg1L2bjWKXUqBJe/oOnpA2QsChdCjthqLVf/e19StiCsv8OLKpWoHbc+8PFEkNjRqRqrLoRBHjFw==
  dependencies:
-    "@rc-component/util" "^1.3.0"
+    "@rc-component/util" "^1.11.1"
    clsx "^2.1.1"

 "@rc-component/picker@~1.10.0":
@@ -3377,10 +3377,10 @@
    "@rc-component/util" "^1.2.1"
    clsx "^2.1.1"

-"@rc-component/qrcode@~1.1.1":
-  version "1.1.1"
-  resolved "https://registry.npmjs.org/@rc-component/qrcode/-/qrcode-1.1.1.tgz"
-  integrity sha512-LfLGNymzKdUPjXUbRP+xOhIWY4jQ+YMj5MmWAcgcAq1Ij8XP7tRmAXqyuv96XvLUBE/5cA8hLFl9eO1JQMujrA==
+"@rc-component/qrcode@~2.0.0":
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/@rc-component/qrcode/-/qrcode-2.0.0.tgz#ef4134c213002e7a43edbe609b24248914de4974"
+  integrity sha512-aAv3QhPP1xyafuTZOxub6a54pCeBnN3IwQkpETrBtthq4BL5IgxnCbuoBWPDpdLw1y1j6BgBUCAKV92+yX06Dw==
  dependencies:
    "@babel/runtime" "^7.24.7"

@@ -3409,15 +3409,15 @@
    "@rc-component/util" "^1.3.0"
    clsx "^2.1.1"

-"@rc-component/select@~1.6.0", "@rc-component/select@~1.6.15":
-  version "1.6.15"
-  resolved "https://registry.yarnpkg.com/@rc-component/select/-/select-1.6.15.tgz#de2a3c8b020834cabd600b52de573a328c061eef"
-  integrity sha512-SyVCWnqxCQZZcQvQJ/CxSjx2bGma6ds/HtnpkIfZVnt6RoEgbqUmHgD6vrzNarNXwbLXerwVzWwq8F3d1sst7g==
+"@rc-component/select@~1.7.0", "@rc-component/select@~1.7.1":
+  version "1.7.1"
+  resolved "https://registry.yarnpkg.com/@rc-component/select/-/select-1.7.1.tgz#cdda0ac185f00ebed1c85e7809ae1f7855a9f7ab"
+  integrity sha512-GZ1cMJk2xQh0VHyOQjjG8drYL4iu24NcbkXioUcReQOCUr+ub/3fmRonZe6cRPEZhWMbJdeHsqnEltogDaZ5Tg==
  dependencies:
    "@rc-component/overflow" "^1.0.0"
    "@rc-component/trigger" "^3.0.0"
-    "@rc-component/util" "^1.3.0"
-    "@rc-component/virtual-list" "^1.0.1"
+    "@rc-component/util" "^1.11.1"
+    "@rc-component/virtual-list" "^1.2.0"
    clsx "^2.1.1"

 "@rc-component/slider@~1.0.1":
@@ -3444,27 +3444,27 @@
    "@rc-component/util" "^1.3.0"
    clsx "^2.1.1"

-"@rc-component/table@~1.10.0":
-  version "1.10.0"
-  resolved "https://registry.yarnpkg.com/@rc-component/table/-/table-1.10.0.tgz#7a98d68176f23f50a762df464f4c9142e7db3942"
-  integrity sha512-SjtpcCf+rL7dDc62GKT3rXTdERjVuJvRiqjpU7g0Jc/ewCifXynHc7Nm3Em1XsD+WhGrgQtxNDScI/0+Lpfr0w==
+"@rc-component/table@~1.10.2":
+  version "1.10.2"
+  resolved "https://registry.yarnpkg.com/@rc-component/table/-/table-1.10.2.tgz#7b052fd5eb2ccf6996a93eebeb7af7036a262c8b"
+  integrity sha512-b3PjqB9Gp25p5t/zq+9QrbXbodkptT8/zvLmwgd2FNPUUtaYyDnQqfxeD5a7ao8E8lpinLHsi2u2vdfPhyNvAw==
  dependencies:
    "@rc-component/context" "^2.0.1"
    "@rc-component/resize-observer" "^1.0.0"
-    "@rc-component/util" "^1.1.0"
+    "@rc-component/util" "^1.11.1"
    "@rc-component/virtual-list" "^1.0.1"
    clsx "^2.1.1"

-"@rc-component/tabs@~1.9.0":
-  version "1.9.0"
-  resolved "https://registry.yarnpkg.com/@rc-component/tabs/-/tabs-1.9.0.tgz#8f3e3755450e5a90d240d1ed3dc140d520b1fbef"
-  integrity sha512-tn1slmbbaTyt8mgwyWJcT8jo/qNiYUs6u1H7OgGQt9faYO06BJIkU5cTmMqORzIrNmSEeeUY6pD5i+JlqSHYhg==
+"@rc-component/tabs@~1.9.1":
+  version "1.9.1"
+  resolved "https://registry.yarnpkg.com/@rc-component/tabs/-/tabs-1.9.1.tgz#52b9cb0392c718fba43e7d558f46f6c910d19acb"
+  integrity sha512-6mY08Fce6aNOHuGsxbzT+f2ekgL9mg1cGGHkittMlVGymjGg+kGupu5v90sRxcUd/paRU9jclLLXtF/PkK1FUA==
  dependencies:
    "@rc-component/dropdown" "~1.0.0"
    "@rc-component/menu" "~1.3.0"
    "@rc-component/motion" "^1.1.3"
    "@rc-component/resize-observer" "^1.0.0"
-    "@rc-component/util" "^1.3.0"
+    "@rc-component/util" "^1.11.1"
    clsx "^2.1.1"

 "@rc-component/tooltip@~1.4.0":
@@ -3486,30 +3486,30 @@
    "@rc-component/util" "^1.7.0"
    clsx "^2.1.1"

-"@rc-component/tree-select@~1.9.0":
-  version "1.9.0"
-  resolved "https://registry.yarnpkg.com/@rc-component/tree-select/-/tree-select-1.9.0.tgz#13ea516478b6cb558e04181abb0a01ae6fbdd31f"
-  integrity sha512-GXcFe15a+trUl1/J3OHWQhsVWFpwFpGFK2cqYWZ1sK22Zs3KZTvMwDpzr75PIo1s6QVioVxpE/pRwRopkeDQ6w==
+"@rc-component/tree-select@~1.10.0":
+  version "1.10.0"
+  resolved "https://registry.yarnpkg.com/@rc-component/tree-select/-/tree-select-1.10.0.tgz#72e337fd58591f677404189cb3e9d3f718cd3332"
+  integrity sha512-E1U4pn2LAbXEhLJdzIzid7WYbIuFbkTIctuFoeC6weppf8UbPR3+YYB6/ay0c0ksand4gXMRQpa1Z60Auo7VJA==
  dependencies:
-    "@rc-component/select" "~1.6.0"
+    "@rc-component/select" "~1.7.0"
    "@rc-component/tree" "~1.3.0"
    "@rc-component/util" "^1.4.0"
    clsx "^2.1.1"

-"@rc-component/tree@~1.3.0", "@rc-component/tree@~1.3.1":
-  version "1.3.1"
-  resolved "https://registry.yarnpkg.com/@rc-component/tree/-/tree-1.3.1.tgz#6983ca6bd9d5f6d04dd7258d00cb0fe71cdfe661"
-  integrity sha512-zlL0PW0bTFlveTtLcA01VD/yMWKK73EywItFMgIZUY5sb6tMOAw7zV6qGzqldufqrV93ZWQB4H3NBNoTMCueJA==
+"@rc-component/tree@~1.3.0", "@rc-component/tree@~1.3.2":
+  version "1.3.2"
+  resolved "https://registry.yarnpkg.com/@rc-component/tree/-/tree-1.3.2.tgz#4b0c13564314eff61ca948c18ef923b87c9d7e44"
+  integrity sha512-bJFj46wEkpBPnWyTm18XmgAgNQ/4YvprxMOPPY2a6rmhGJYxLuNKEFiL5Qej4Qctu9wHJm8WW+v2SYskafE0kA==
  dependencies:
    "@rc-component/motion" "^1.0.0"
-    "@rc-component/util" "^1.8.1"
-    "@rc-component/virtual-list" "^1.0.1"
+    "@rc-component/util" "^1.11.1"
+    "@rc-component/virtual-list" "^1.2.0"
    clsx "^2.1.1"

-"@rc-component/trigger@^3.0.0", "@rc-component/trigger@^3.6.15", "@rc-component/trigger@^3.7.1", "@rc-component/trigger@^3.9.0":
-  version "3.9.0"
-  resolved "https://registry.npmjs.org/@rc-component/trigger/-/trigger-3.9.0.tgz"
-  integrity sha512-X8btpwfrT27AgrZVOz4swclhEHTZcqaHeQMXXBgveagOiakTa36uObXbdwerXffgV8G9dH1fAAE0DHtVQs8EHg==
+"@rc-component/trigger@^3.0.0", "@rc-component/trigger@^3.6.15", "@rc-component/trigger@^3.7.1", "@rc-component/trigger@^3.9.1":
+  version "3.9.1"
+  resolved "https://registry.yarnpkg.com/@rc-component/trigger/-/trigger-3.9.1.tgz#3f730315c558bc392921a563ac9109a1d094ef23"
+  integrity sha512-LNsYvz60mrLJ/kRvKcHE7boUvcQfVMCfRqZ71x3Fo9AOiZ1KKIEqkzMA8DNvz2V3Bcvir/vwQNn7JF1NPODQ7Q==
  dependencies:
    "@rc-component/motion" "^1.1.4"
    "@rc-component/portal" "^2.2.0"
@@ -3517,18 +3517,18 @@
    "@rc-component/util" "^1.2.1"
    clsx "^2.1.1"

-"@rc-component/upload@~1.1.0":
-  version "1.1.0"
-  resolved "https://registry.npmjs.org/@rc-component/upload/-/upload-1.1.0.tgz"
-  integrity sha512-LIBV90mAnUE6VK5N4QvForoxZc4XqEYZimcp7fk+lkE4XwHHyJWxpIXQQwMU8hJM+YwBbsoZkGksL1sISWHQxw==
+"@rc-component/upload@~1.1.1":
+  version "1.1.1"
+  resolved "https://registry.yarnpkg.com/@rc-component/upload/-/upload-1.1.1.tgz#90d16edcdaeb104ffa9111fd0b428061de7c21ac"
+  integrity sha512-GvYWSKeaJTOxxC5p6+nOSadzfvXA1h8C/iHFPFZX+szH3JUXrvs+DLiW8YUTBgvMh8m63mJeHrlYlJzAlg+pDA==
  dependencies:
-    "@rc-component/util" "^1.3.0"
+    "@rc-component/util" "^1.11.1"
    clsx "^2.1.1"

-"@rc-component/util@^1.1.0", "@rc-component/util@^1.10.1", "@rc-component/util@^1.11.0", "@rc-component/util@^1.2.0", "@rc-component/util@^1.2.1", "@rc-component/util@^1.3.0", "@rc-component/util@^1.4.0", "@rc-component/util@^1.6.2", "@rc-component/util@^1.7.0", "@rc-component/util@^1.8.1", "@rc-component/util@^1.9.0":
-  version "1.11.0"
-  resolved "https://registry.yarnpkg.com/@rc-component/util/-/util-1.11.0.tgz#965c8b44a3f57fc96dc14e5072afbe32e422fd4d"
-  integrity sha512-jHG3/BYgUWiP5c7RZHiaUNToyw1L3nlPSKG2RPu+YoiD9b3ajiJwBWhsjO+ZELmCsKFAjNR5DelbKdlF0e2BDA==
+"@rc-component/util@^1.10.1", "@rc-component/util@^1.11.0", "@rc-component/util@^1.11.1", "@rc-component/util@^1.2.0", "@rc-component/util@^1.2.1", "@rc-component/util@^1.3.0", "@rc-component/util@^1.4.0", "@rc-component/util@^1.7.0", "@rc-component/util@^1.9.0":
+  version "1.11.1"
+  resolved "https://registry.yarnpkg.com/@rc-component/util/-/util-1.11.1.tgz#07d698908339c55648e4f974afa739345e65b483"
+  integrity sha512-awVlI3ub2vqfqkYxOBc/uQ0efm3jw0wcrhtO/YWLyZfxiKXczKwNbVuhlnyxytDt7H9pbbVQiqr+O6MLATtRYg==
  dependencies:
    is-mobile "^5.0.0"
    react-is "^18.2.0"
@@ -3543,6 +3543,16 @@
    "@rc-component/util" "^1.4.0"
    clsx "^2.1.1"

+"@rc-component/virtual-list@^1.2.0":
+  version "1.2.0"
+  resolved "https://registry.yarnpkg.com/@rc-component/virtual-list/-/virtual-list-1.2.0.tgz#3c9ee8cd7d10da334a2a06ad86ca234e2792a381"
+  integrity sha512-iavRm1Jo4GDbASQwdGa7jFyk93RvSOo9xHyBT4QL1pgFJj/Fdf1G+3RErH7/7BmAMvx2AkF62mjGYxDbXsK9TQ==
+  dependencies:
+    "@babel/runtime" "^7.20.0"
+    "@rc-component/resize-observer" "^1.0.1"
+    "@rc-component/util" "^1.4.0"
+    clsx "^2.1.1"
+
 "@redocly/ajv@^8.18.0":
  version "8.18.3"
  resolved "https://registry.yarnpkg.com/@redocly/ajv/-/ajv-8.18.3.tgz#a925753d9a33375219f1b2ba91aef320f9929577"
@@ -4922,110 +4932,110 @@
  dependencies:
    "@types/yargs-parser" "*"

-"@typescript-eslint/eslint-plugin@8.61.0", "@typescript-eslint/eslint-plugin@^8.59.3":
-  version "8.61.0"
-  resolved "https://registry.yarnpkg.com/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.61.0.tgz#db20271974b94a3a54d3b9544e5f5b3481448400"
-  integrity sha512-bFNvl9ZczlVb+wR2Akszf3gHfKVj/8WanXaGJ3UstTA7brNKg0cNdk6X1Psu5V7MZ2oQtzZKOEzIUehaoxbDGw==
+"@typescript-eslint/eslint-plugin@8.61.1", "@typescript-eslint/eslint-plugin@^8.59.3":
+  version "8.61.1"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.61.1.tgz#6e4b7fee21f1983308e9e9b634ecbaf702c86006"
+  integrity sha512-ZPlVl3PB3et/59Ne0fv/sci6ZXz4T4Hp4nTJ56i/Y0gR89ARb+KphojTq6j+56E5PIezmOIOOWyY+aWQFd+IkQ==
  dependencies:
    "@eslint-community/regexpp" "^4.12.2"
-    "@typescript-eslint/scope-manager" "8.61.0"
-    "@typescript-eslint/type-utils" "8.61.0"
-    "@typescript-eslint/utils" "8.61.0"
-    "@typescript-eslint/visitor-keys" "8.61.0"
+    "@typescript-eslint/scope-manager" "8.61.1"
+    "@typescript-eslint/type-utils" "8.61.1"
+    "@typescript-eslint/utils" "8.61.1"
+    "@typescript-eslint/visitor-keys" "8.61.1"
    ignore "^7.0.5"
    natural-compare "^1.4.0"
    ts-api-utils "^2.5.0"

-"@typescript-eslint/parser@8.61.0", "@typescript-eslint/parser@^8.61.0":
-  version "8.61.0"
-  resolved "https://registry.yarnpkg.com/@typescript-eslint/parser/-/parser-8.61.0.tgz#1afe73c9ccce16b7a26d6b95f9400b0ccc34af87"
-  integrity sha512-5B7PfA2e1NQGCnDHd/0lW7W3gvp3d59Ryw54FYO8Uswxo9f6ikw3AZV+Xj/TvpImmpsiYyUqAfhC6kJID1jF6w==
+"@typescript-eslint/parser@8.61.1", "@typescript-eslint/parser@^8.61.0":
+  version "8.61.1"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/parser/-/parser-8.61.1.tgz#881fba60b50636249cdeea2e547bf75715254c72"
+  integrity sha512-PJ5vePq5/ognBbrIcoC5+SHO5dfpeLPzP9FpLkzWrguoYQEeeSjlJpVwOpo1JRSTEi7dRcwNy4h4dzV70PqHcg==
  dependencies:
-    "@typescript-eslint/scope-manager" "8.61.0"
-    "@typescript-eslint/types" "8.61.0"
-    "@typescript-eslint/typescript-estree" "8.61.0"
-    "@typescript-eslint/visitor-keys" "8.61.0"
+    "@typescript-eslint/scope-manager" "8.61.1"
+    "@typescript-eslint/types" "8.61.1"
+    "@typescript-eslint/typescript-estree" "8.61.1"
+    "@typescript-eslint/visitor-keys" "8.61.1"
    debug "^4.4.3"

-"@typescript-eslint/project-service@8.61.0":
-  version "8.61.0"
-  resolved "https://registry.yarnpkg.com/@typescript-eslint/project-service/-/project-service-8.61.0.tgz#417a2feac32e8ebd336d63f068c3b42b736ea1ac"
-  integrity sha512-DV42F7MLJO6Rax7SK1yg43tcnEfGUrurSpSxKuVX+a3RCTzBlH3fuxprrOJXKCJGAaw82xXocikJ0uQaqwXgGA==
+"@typescript-eslint/project-service@8.61.1":
+  version "8.61.1"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/project-service/-/project-service-8.61.1.tgz#fcd9739964a40867eed55f1ac318d3909f24b4af"
+  integrity sha512-PrC4JYGmR241lYnfhmKGTXkFqv8+ymbTFgSAY0fVXpY82/QkMw5TZPl+vGzuDDU2QYJk9fIDOBTntF+yDv9LEA==
  dependencies:
-    "@typescript-eslint/tsconfig-utils" "^8.61.0"
-    "@typescript-eslint/types" "^8.61.0"
+    "@typescript-eslint/tsconfig-utils" "^8.61.1"
+    "@typescript-eslint/types" "^8.61.1"
    debug "^4.4.3"

-"@typescript-eslint/scope-manager@8.61.0":
-  version "8.61.0"
-  resolved "https://registry.yarnpkg.com/@typescript-eslint/scope-manager/-/scope-manager-8.61.0.tgz#93c2520d05653fe65eb9ee98efc74fd0134a7852"
-  integrity sha512-IWdXFHFSb6mlC3HPc7QsLDm5zYEbUla6trDEHf32D3/dnuUyXd87plScSNXSbm0/RxMvObpI17sv/EDTGrGZkA==
+"@typescript-eslint/scope-manager@8.61.1":
+  version "8.61.1"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/scope-manager/-/scope-manager-8.61.1.tgz#2479921a40fdb0afa18f5838fae6167264b417b2"
+  integrity sha512-L2bdIeoQS8FlKAvONAr20w6OcLXeB+qiDKbAooS9A0Ben+iSIkBef0FxqwKWYqt5sa0i4KJtxVyVmhMylKzF5w==
  dependencies:
-    "@typescript-eslint/types" "8.61.0"
-    "@typescript-eslint/visitor-keys" "8.61.0"
+    "@typescript-eslint/types" "8.61.1"
+    "@typescript-eslint/visitor-keys" "8.61.1"

-"@typescript-eslint/tsconfig-utils@8.61.0":
-  version "8.61.0"
-  resolved "https://registry.yarnpkg.com/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.61.0.tgz#05d6e3ff20001674ebcd22d03dac29ee448043ba"
-  integrity sha512-O5Amvdv9ztMpxpf+vmFULGG78IE6Qwdr3bCGvqwG4nwc9H2qXkOYJJnRbRHyMkQTjv1d03olqwwwzHLMqpFePQ==
-
-"@typescript-eslint/tsconfig-utils@^8.61.0":
+"@typescript-eslint/tsconfig-utils@8.61.1":
  version "8.61.1"
  resolved "https://registry.yarnpkg.com/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.61.1.tgz#ca88080e0cf191d49516d7f300b67aa090d2254f"
  integrity sha512-UN/H4di+OO7EWx2ovME+8t31YO+KVnK0RRKEHR3kOt21/Ay8BOq3M1OMvWs5vNiqcFCYGYoxK3MXPZzmMUE+yg==

-"@typescript-eslint/type-utils@8.61.0":
-  version "8.61.0"
-  resolved "https://registry.yarnpkg.com/@typescript-eslint/type-utils/-/type-utils-8.61.0.tgz#50219b57e6b89cecfb1a15f093b15ec9ee019974"
-  integrity sha512-TuBiQYIkd97yBfInHCTKVYMbX4kvEmpOEuixIuzCU9p8BGT1SfyyO0d0IfDMbPIHcjn/hWnusUX5e8v5Xg+X8A==
+"@typescript-eslint/tsconfig-utils@^8.61.1":
+  version "8.62.0"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.62.0.tgz#9440a673581c6d9de308c4d5803dd52ed5d71729"
+  integrity sha512-y2GAdB6ykaXUvuspbYnizQc4oDDz0Tz/Yc7iWrXf9mx8vm/L/0vLHCe0tS2boG96Zy+DivnVDQ9ZUEWoHqqx1g==
+
+"@typescript-eslint/type-utils@8.61.1":
+  version "8.61.1"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/type-utils/-/type-utils-8.61.1.tgz#8fa18f453ee140893b47d339d1a6b64cac9b08a1"
+  integrity sha512-GYRicKmVK0C4fsKgaACaknOUAq9Oa2kwsjnpFhFcS/5p4Ht5IP9OVLbgIgcK4SRk92nVHFluurg1lumD9dBcLw==
  dependencies:
-    "@typescript-eslint/types" "8.61.0"
-    "@typescript-eslint/typescript-estree" "8.61.0"
-    "@typescript-eslint/utils" "8.61.0"
+    "@typescript-eslint/types" "8.61.1"
+    "@typescript-eslint/typescript-estree" "8.61.1"
+    "@typescript-eslint/utils" "8.61.1"
    debug "^4.4.3"
    ts-api-utils "^2.5.0"

-"@typescript-eslint/types@8.61.0":
-  version "8.61.0"
-  resolved "https://registry.yarnpkg.com/@typescript-eslint/types/-/types-8.61.0.tgz#0ddb46e012a4288292950bdd253db42f278ce64d"
-  integrity sha512-9QTQpZ5Iin4CdIodfbDQFSeiSJKidgYJYug1P9CC2xWgUTvlmixViqDZNciMjwLBZyJnG4tGmPl97rVAFb1AJg==
-
-"@typescript-eslint/types@^8.61.0":
+"@typescript-eslint/types@8.61.1":
  version "8.61.1"
  resolved "https://registry.yarnpkg.com/@typescript-eslint/types/-/types-8.61.1.tgz#0c51f518e4e6848371a1c988e859d59eb7522d5a"
  integrity sha512-G+CRlPqLv7Bz1IZVs03x5K59F1veqL0EJUROAdGhKsEq8qOiRiZbI+HUojPq5l0fEGOKModD9br6lObhB8zkoA==

-"@typescript-eslint/typescript-estree@8.61.0":
-  version "8.61.0"
-  resolved "https://registry.yarnpkg.com/@typescript-eslint/typescript-estree/-/typescript-estree-8.61.0.tgz#98ca47260bbf627fc28f018b3a0abf00e3090690"
-  integrity sha512-42zatd5qSvvcV1JdDBCLxYRznvP4eIHpPoZXdkPFnAmanA4FuZ5dibSnCBggY8hQnqajPpoGjXFdZ7fIJKQnlA==
+"@typescript-eslint/types@^8.61.1":
+  version "8.62.0"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/types/-/types-8.62.0.tgz#601427c10203d9f0f34f0b3e474df735eb12b593"
+  integrity sha512-KvAclkktORPvM54TgLgA4z9HIV1M8zOgw9ZVNXl9f/8dLYfXYX1wkMXP7qmabpijQRV5bHJLOmoyGQbLMaUYeg==
+
+"@typescript-eslint/typescript-estree@8.61.1":
+  version "8.61.1"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/typescript-estree/-/typescript-estree-8.61.1.tgz#febbe70365ac0bf7611262b61b338fc8797965c7"
+  integrity sha512-u+oQD3BqYWPc8YV9Zab4vaJElJuwOLPRc10Jm1o/qS+6Qwen14HCWwx0Seo4LnSn2wxea2Ik8DxPt2/FHmuhrg==
  dependencies:
-    "@typescript-eslint/project-service" "8.61.0"
-    "@typescript-eslint/tsconfig-utils" "8.61.0"
-    "@typescript-eslint/types" "8.61.0"
-    "@typescript-eslint/visitor-keys" "8.61.0"
+    "@typescript-eslint/project-service" "8.61.1"
+    "@typescript-eslint/tsconfig-utils" "8.61.1"
+    "@typescript-eslint/types" "8.61.1"
+    "@typescript-eslint/visitor-keys" "8.61.1"
    debug "^4.4.3"
    minimatch "^10.2.2"
    semver "^7.7.3"
    tinyglobby "^0.2.15"
    ts-api-utils "^2.5.0"

-"@typescript-eslint/utils@8.61.0":
-  version "8.61.0"
-  resolved "https://registry.yarnpkg.com/@typescript-eslint/utils/-/utils-8.61.0.tgz#ed3546a052787e84ea6c5064d0919fc5eea8522f"
-  integrity sha512-3bzFt7ImFMW/jVYwJamDoe/dMOdFLSC6pom6rRjdh4SZJEYupyMzem8e7vKZLclLfpHjlwSAXOUxtKxGXUiLqA==
+"@typescript-eslint/utils@8.61.1":
+  version "8.61.1"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/utils/-/utils-8.61.1.tgz#ffd1054de7dd33b7873cd6c6713ec6b0366316d3"
+  integrity sha512-1+P/3Dj6jvtybE1q0HQ6yBt/gq+oKJyLdEv4HdnqasaEXRSYCAsD59mXEVQnM/ULNdQxbX77tdG4jPRjIS6knA==
  dependencies:
    "@eslint-community/eslint-utils" "^4.9.1"
-    "@typescript-eslint/scope-manager" "8.61.0"
-    "@typescript-eslint/types" "8.61.0"
-    "@typescript-eslint/typescript-estree" "8.61.0"
+    "@typescript-eslint/scope-manager" "8.61.1"
+    "@typescript-eslint/types" "8.61.1"
+    "@typescript-eslint/typescript-estree" "8.61.1"

-"@typescript-eslint/visitor-keys@8.61.0":
-  version "8.61.0"
-  resolved "https://registry.yarnpkg.com/@typescript-eslint/visitor-keys/-/visitor-keys-8.61.0.tgz#39b4e1ab8936d23bea973d39fd092f9aa21f275e"
-  integrity sha512-QVLZu3ZPQEE+HICQyAMZ2yLQhxf0meY/wx6Hx14YcTNj13JB3qHlX3lJ02L3fLGHgERRH71kvYDwiXIguT3AjQ==
+"@typescript-eslint/visitor-keys@8.61.1":
+  version "8.61.1"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/visitor-keys/-/visitor-keys-8.61.1.tgz#546cf102b4efdb72a9a08e63a1b0d7d745eb66eb"
+  integrity sha512-6fJ9MHWtK14C1DSkiMlHUSOmrVebL7150xZJBlJiL62jjhIA4JmOq6flwBgDxIdBKKdoiZRel+dfPD5MLfny3w==
  dependencies:
-    "@typescript-eslint/types" "8.61.0"
+    "@typescript-eslint/types" "8.61.1"
    eslint-visitor-keys "^5.0.0"

 "@ungap/structured-clone@^1.0.0":
@@ -5382,54 +5392,54 @@ ansis@^3.2.0:
  resolved "https://registry.yarnpkg.com/ansis/-/ansis-3.17.0.tgz#fa8d9c2a93fe7d1177e0c17f9eeb562a58a832d7"
  integrity sha512-0qWUglt9JEqLFr3w1I1pbrChn1grhaiAR2ocX1PP/flRmxgtwTzPFFFnfIlD6aMOLQZgSuCRlidD70lvx8yhzg==

-antd@^6.4.3:
-  version "6.4.3"
-  resolved "https://registry.yarnpkg.com/antd/-/antd-6.4.3.tgz#80a7aab9c13c35daa0e0e7eea80585ba57cb7203"
-  integrity sha512-6H2avkxCGfxcF67r3J2mwm9Ck50el1pks/73vfM1wDsPL/tPtj5vHuauMgJFnrqmq7CH3g8aoZ0VBQbt+jpAsw==
+antd@^6.4.4:
+  version "6.4.4"
+  resolved "https://registry.yarnpkg.com/antd/-/antd-6.4.4.tgz#a422610959b37ac4d4b766dbaac67ea2d8fd0785"
+  integrity sha512-lgPz4KhfhiYddV/qPYo0ieqWimCVgV2OQF72mbeGNixE753JWNnmEc7UNGy08wBS/zZ7hxrmX0pc5aX7EUaIIg==
  dependencies:
    "@ant-design/colors" "^8.0.1"
    "@ant-design/cssinjs" "^2.1.2"
    "@ant-design/cssinjs-utils" "^2.1.2"
    "@ant-design/fast-color" "^3.0.1"
-    "@ant-design/icons" "^6.2.3"
+    "@ant-design/icons" "^6.2.5"
    "@ant-design/react-slick" "~2.0.0"
    "@babel/runtime" "^7.29.2"
-    "@rc-component/cascader" "~1.15.0"
+    "@rc-component/cascader" "~1.16.1"
    "@rc-component/checkbox" "~2.0.0"
    "@rc-component/collapse" "~1.2.0"
    "@rc-component/color-picker" "~3.1.1"
    "@rc-component/dialog" "~1.9.0"
    "@rc-component/drawer" "~1.4.2"
    "@rc-component/dropdown" "~1.0.2"
-    "@rc-component/form" "~1.8.1"
+    "@rc-component/form" "~1.8.3"
    "@rc-component/image" "~1.9.0"
-    "@rc-component/input" "~1.3.0"
+    "@rc-component/input" "~1.3.1"
    "@rc-component/input-number" "~1.6.2"
    "@rc-component/mentions" "~1.9.0"
-    "@rc-component/menu" "~1.3.0"
-    "@rc-component/motion" "^1.3.2"
+    "@rc-component/menu" "~1.3.1"
+    "@rc-component/motion" "^1.3.3"
    "@rc-component/mutate-observer" "^2.0.1"
    "@rc-component/notification" "~2.0.7"
-    "@rc-component/pagination" "~1.2.0"
+    "@rc-component/pagination" "~1.3.0"
    "@rc-component/picker" "~1.10.0"
    "@rc-component/progress" "~1.0.2"
-    "@rc-component/qrcode" "~1.1.1"
+    "@rc-component/qrcode" "~2.0.0"
    "@rc-component/rate" "~1.0.1"
    "@rc-component/resize-observer" "^1.1.2"
    "@rc-component/segmented" "~1.3.0"
-    "@rc-component/select" "~1.6.15"
+    "@rc-component/select" "~1.7.1"
    "@rc-component/slider" "~1.0.1"
    "@rc-component/steps" "~1.2.2"
    "@rc-component/switch" "~1.0.3"
-    "@rc-component/table" "~1.10.0"
-    "@rc-component/tabs" "~1.9.0"
+    "@rc-component/table" "~1.10.2"
+    "@rc-component/tabs" "~1.9.1"
    "@rc-component/tooltip" "~1.4.0"
    "@rc-component/tour" "~2.4.0"
-    "@rc-component/tree" "~1.3.1"
-    "@rc-component/tree-select" "~1.9.0"
-    "@rc-component/trigger" "^3.9.0"
-    "@rc-component/upload" "~1.1.0"
-    "@rc-component/util" "^1.11.0"
+    "@rc-component/tree" "~1.3.2"
+    "@rc-component/tree-select" "~1.10.0"
+    "@rc-component/trigger" "^3.9.1"
+    "@rc-component/upload" "~1.1.1"
+    "@rc-component/util" "^1.11.1"
    clsx "^2.1.1"
    dayjs "^1.11.11"
    scroll-into-view-if-needed "^3.1.0"
@@ -5688,10 +5698,10 @@ base64-js@^1.3.1, base64-js@^1.5.1:
  resolved "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz"
  integrity sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==

-baseline-browser-mapping@^2.10.35, baseline-browser-mapping@^2.9.0, baseline-browser-mapping@^2.9.19:
-  version "2.10.35"
-  resolved "https://registry.yarnpkg.com/baseline-browser-mapping/-/baseline-browser-mapping-2.10.35.tgz#f0f2232e0de2d2f82cc491bcf830b05ed05937c6"
-  integrity sha512-honAfLBde0HAFLdNyBEfuuENkF6zR+ozxqxa/2zJKHBe1qzLqyTSeRKpdPEHAP03rlDGyQOPnCSxnVpVqQo9Mg==
+baseline-browser-mapping@^2.10.38, baseline-browser-mapping@^2.9.0, baseline-browser-mapping@^2.9.19:
+  version "2.10.38"
+  resolved "https://registry.yarnpkg.com/baseline-browser-mapping/-/baseline-browser-mapping-2.10.38.tgz#c84d093c4bf7325c5053c279d90f153c66526042"
+  integrity sha512-31/02mVB4yuQU6adKk5SlY6m+mxDwUq5KZkyYgnLrrKl7TEm1+3PyDtDBz2kOv/wxZz41GHsvV1A/u6RmiyBvw==

 batch@0.6.1:
  version "0.6.1"
@@ -5934,10 +5944,10 @@ caniuse-api@^3.0.0:
    lodash.memoize "^4.1.2"
    lodash.uniq "^4.5.0"

-caniuse-lite@^1.0.0, caniuse-lite@^1.0.30001702, caniuse-lite@^1.0.30001759, caniuse-lite@^1.0.30001797:
-  version "1.0.30001797"
-  resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001797.tgz#1332709e1439f01ff92085dd17001e0a45897ec0"
-  integrity sha512-l8xKG+gwAIExZGl9FrF7KUwuOmk6wbEPC9Xoy/RtnWv1XG0Q4LFlagaLpUv3Kiza3W/wm27zy0yWJEieYKAP6w==
+caniuse-lite@^1.0.0, caniuse-lite@^1.0.30001702, caniuse-lite@^1.0.30001759, caniuse-lite@^1.0.30001799:
+  version "1.0.30001799"
+  resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001799.tgz#5c909138c27f1a61219d3e092071c1cc7d32dc55"
+  integrity sha512-hG1bReV+OUU+MOqK4t/ZWI0tZOyz3rqS9XuhOUz1cIcbwBKjOyJEJuw9ER5JuNyqxNk8u/JUVbGibBOL1yrjFw==

 ccount@^2.0.0:
  version "2.0.1"
@@ -7252,17 +7262,10 @@ domhandler@^5.0.2, domhandler@^5.0.3:
  dependencies:
    domelementtype "^2.3.0"

-dompurify@^3.3.1:
-  version "3.4.2"
-  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.4.2.tgz#f0ff81be682c485505097ba8195a058d8f575218"
-  integrity sha512-lHeS9SA/IKeIFFyYciHBr2n0v1VMPlSj843HdLOwjb2OxNwdq9Xykxqhk+FE42MzAdHvInbAolSE4mhahPpjXA==
-  optionalDependencies:
-    "@types/trusted-types" "^2.0.7"
-
-dompurify@^3.4.0:
-  version "3.4.1"
-  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.4.1.tgz#521d04483ac12631b2aedf434a5f5390933b8789"
-  integrity sha512-JahakDAIg1gyOm7dlgWSDjV4n7Ip2PKR55NIT6jrMfIgLFgWo81vdr1/QGqWtFNRqXP9UV71oVePtjqS2ebnPw==
+dompurify@^3.3.1, dompurify@^3.4.0:
+  version "3.4.11"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.4.11.tgz#29c8ba496475f279ef4015784068452fb14a0680"
+  integrity sha512-zhlUV12GsaRzMsf9q5M254YhA4+VuF0fG+QFqu6aYpoGlKtz+w8//jBcGVYBgQkR5GHjUomejY84AV+/uPbWdw==
  optionalDependencies:
    "@types/trusted-types" "^2.0.7"

@@ -8765,9 +8768,9 @@ http-parser-js@>=0.5.1:
  integrity sha512-Pysuw9XpUq5dVc/2SMHpuTY01RFl8fttgcyunjL7eEMhGM3cI4eOmiCycJDVCo/7O7ClfQD3SaI6ftDzqOXYMA==

 http-proxy-middleware@^2.0.9:
-  version "2.0.9"
-  resolved "https://registry.npmjs.org/http-proxy-middleware/-/http-proxy-middleware-2.0.9.tgz"
-  integrity sha512-c1IyJYLYppU574+YI7R4QyX2ystMtVXZwIdzazUIPIJsHuWNd+mho2j+bKoHftndicGj9yh+xjd+l0yj7VeT1Q==
+  version "2.0.10"
+  resolved "https://registry.yarnpkg.com/http-proxy-middleware/-/http-proxy-middleware-2.0.10.tgz#b2df7b705203d7a8c269ac8450cf96b00c532f94"
+  integrity sha512-RKzRWNPxUZqbuk3BC5mGVJbBnWgr+diEnjJexIOytFbBzDy88Fbh/YvBr3DsNrl1jYAfjWfpATEv0NO35FDuPQ==
  dependencies:
    "@types/http-proxy" "^1.17.8"
    http-proxy "^1.18.1"
@@ -14499,15 +14502,15 @@ types-ramda@^0.30.1:
  dependencies:
    ts-toolbelt "^9.6.0"

-typescript-eslint@^8.61.0:
-  version "8.61.0"
-  resolved "https://registry.yarnpkg.com/typescript-eslint/-/typescript-eslint-8.61.0.tgz#6927fb94f5f29623e370d33fd9fa61f15d6d996b"
-  integrity sha512-8y31Rd0eGTrDKqhy6vT0HtzhN+YLjQizwX3aA3hPXP/ynSfnrBXcQY5IzsP9/DM7+klX4IUncZZjkchP0z+rUw==
+typescript-eslint@^8.61.1:
+  version "8.61.1"
+  resolved "https://registry.yarnpkg.com/typescript-eslint/-/typescript-eslint-8.61.1.tgz#7c224a9a643b7f42d295c67a75c1e30fee8c3eaa"
+  integrity sha512-V7PayAfJokV3pEHgN7/v03D1SpujhRfQtYLbLIiBfDDncdg4PAiRBfoS4cnCANK4jmAPncczi59QO3afiXUlNw==
  dependencies:
-    "@typescript-eslint/eslint-plugin" "8.61.0"
-    "@typescript-eslint/parser" "8.61.0"
-    "@typescript-eslint/typescript-estree" "8.61.0"
-    "@typescript-eslint/utils" "8.61.0"
+    "@typescript-eslint/eslint-plugin" "8.61.1"
+    "@typescript-eslint/parser" "8.61.1"
+    "@typescript-eslint/typescript-estree" "8.61.1"
+    "@typescript-eslint/utils" "8.61.1"

 typescript@~6.0.3:
  version "6.0.3"
--- a/helm/superset/Chart.yaml
+++ b/helm/superset/Chart.yaml
@@ -29,7 +29,7 @@ maintainers:
  - name: craig-rueda
    email: craig@craigrueda.com
    url: https://github.com/craig-rueda
-version: 0.16.2 # See [README](https://github.com/apache/superset/blob/master/helm/superset/README.md#versioning) for version details.
+version: 0.17.3 # See [README](https://github.com/apache/superset/blob/master/helm/superset/README.md#versioning) for version details.
 dependencies:
  - name: postgresql
    version: 16.7.27
--- a/helm/superset/README.md
+++ b/helm/superset/README.md
@@ -23,7 +23,7 @@ NOTE: This file is generated by helm-docs: https://github.com/norwoodj/helm-docs

 # superset

-![Version: 0.16.2](https://img.shields.io/badge/Version-0.16.2-informational?style=flat-square)
+![Version: 0.17.3](https://img.shields.io/badge/Version-0.17.3-informational?style=flat-square)

 Apache Superset is a modern, enterprise-ready business intelligence web application

@@ -111,9 +111,6 @@ On helm this can be set on `extraSecretEnv.SUPERSET_SECRET_KEY` or `configOverri
 | init.resources | object | `{}` |  |
 | init.tolerations | list | `[]` |  |
 | init.topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to init job |
-| initImage.pullPolicy | string | `"IfNotPresent"` |  |
-| initImage.repository | string | `"apache/superset"` |  |
-| initImage.tag | string | `"dockerize"` |  |
 | nameOverride | string | `nil` | Provide a name to override the name of the chart |
 | nodeSelector | object | `{}` |  |
 | postgresql | object | see `values.yaml` | Configuration values for the postgresql dependency. ref: https://github.com/bitnami/charts/tree/main/bitnami/postgresql |
@@ -219,6 +216,7 @@ On helm this can be set on `extraSecretEnv.SUPERSET_SECRET_KEY` or `configOverri
 | supersetNode.extraContainers | list | `[]` | Launch additional containers into supersetNode pod |
 | supersetNode.forceReload | bool | `false` | If true, forces deployment to reload on each upgrade |
 | supersetNode.initContainers | list | a container waiting for postgres | Init containers |
+| supersetNode.lifecycle | object | `{}` | Container lifecycle hooks, e.g. a preStop sleep so the Service/Ingress stops routing to the pod before gunicorn receives SIGTERM |
 | supersetNode.livenessProbe.failureThreshold | int | `3` |  |
 | supersetNode.livenessProbe.httpGet.path | string | `"/health"` |  |
 | supersetNode.livenessProbe.httpGet.port | string | `"http"` |  |
@@ -251,6 +249,7 @@ On helm this can be set on `extraSecretEnv.SUPERSET_SECRET_KEY` or `configOverri
 | supersetNode.startupProbe.successThreshold | int | `1` |  |
 | supersetNode.startupProbe.timeoutSeconds | int | `1` |  |
 | supersetNode.strategy | object | `{}` |  |
+| supersetNode.terminationGracePeriodSeconds | string | `nil` | Pod termination grace period (seconds). Set greater than GUNICORN_TIMEOUT so in-flight requests can drain before SIGKILL |
 | supersetNode.topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to supersetNode deployments |
 | supersetWebsockets.affinity | object | `{}` | Affinity to be added to supersetWebsockets deployment |
 | supersetWebsockets.command | list | `[]` |  |
@@ -314,6 +313,7 @@ On helm this can be set on `extraSecretEnv.SUPERSET_SECRET_KEY` or `configOverri
 | supersetWorker.extraContainers | list | `[]` | Launch additional containers into supersetWorker pod |
 | supersetWorker.forceReload | bool | `false` | If true, forces deployment to reload on each upgrade |
 | supersetWorker.initContainers | list | a container waiting for postgres and redis | Init container |
+| supersetWorker.lifecycle | object | `{}` | Container lifecycle hooks for the worker pod |
 | supersetWorker.livenessProbe.exec.command | list | a `celery inspect ping` command | Liveness probe command |
 | supersetWorker.livenessProbe.failureThreshold | int | `3` |  |
 | supersetWorker.livenessProbe.initialDelaySeconds | int | `120` |  |
@@ -334,6 +334,7 @@ On helm this can be set on `extraSecretEnv.SUPERSET_SECRET_KEY` or `configOverri
 | supersetWorker.resources | object | `{}` | Resource settings for the supersetWorker pods - these settings overwrite might existing values from the global resources object defined above. |
 | supersetWorker.startupProbe | object | `{}` | No startup/readiness probes by default since we don't really care about its startup time (it doesn't serve traffic) |
 | supersetWorker.strategy | object | `{}` |  |
+| supersetWorker.terminationGracePeriodSeconds | string | `nil` | Pod termination grace period (seconds) for the worker pod so in-flight tasks can drain before SIGKILL |
 | supersetWorker.topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to supersetWorker deployments |
 | tolerations | list | `[]` |  |
 | topologySpreadConstraints | list | `[]` | TopologySpreadConstrains to be added to all deployments |
--- a/helm/superset/templates/_helpers.tpl
+++ b/helm/superset/templates/_helpers.tpl
@@ -108,8 +108,6 @@ else:
    {{ fail (printf "Unsupported database type: %s. Please use 'postgresql' or 'mysql'." .Values.supersetNode.connections.db_type) }}
    {{- end }}

-SQLALCHEMY_TRACK_MODIFICATIONS = True
-
 class CeleryConfig:
  imports  = ("superset.sql_lab", )
  broker_url = CELERY_REDIS_URL
--- a/helm/superset/templates/deployment-worker.yaml
+++ b/helm/superset/templates/deployment-worker.yaml
@@ -134,6 +134,9 @@ spec:
          {{- if .Values.supersetWorker.livenessProbe }}
          livenessProbe: {{- .Values.supersetWorker.livenessProbe | toYaml | nindent 12 }}
          {{- end }}
+          {{- if .Values.supersetWorker.lifecycle }}
+          lifecycle: {{- .Values.supersetWorker.lifecycle | toYaml | nindent 12 }}
+          {{- end }}
          resources:
            {{- if .Values.supersetWorker.resources }}
              {{- toYaml .Values.supersetWorker.resources | nindent 12 }}
@@ -170,6 +173,9 @@ spec:
      {{- with .Values.tolerations }}
      tolerations: {{- toYaml . | nindent 8 }}
      {{- end }}
+      {{- if .Values.supersetWorker.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ .Values.supersetWorker.terminationGracePeriodSeconds }}
+      {{- end }}
      {{- if .Values.imagePullSecrets }}
      imagePullSecrets: {{- toYaml .Values.imagePullSecrets | nindent 8 }}
      {{- end }}
--- a/helm/superset/templates/deployment.yaml
+++ b/helm/superset/templates/deployment.yaml
@@ -144,6 +144,9 @@ spec:
          {{- if .Values.supersetNode.livenessProbe }}
          livenessProbe: {{- .Values.supersetNode.livenessProbe | toYaml | nindent 12 }}
          {{- end }}
+          {{- if .Values.supersetNode.lifecycle }}
+          lifecycle: {{- .Values.supersetNode.lifecycle | toYaml | nindent 12 }}
+          {{- end }}
          resources:
            {{- if .Values.supersetNode.resources }}
              {{- toYaml .Values.supersetNode.resources | nindent 12 }}
@@ -180,6 +183,9 @@ spec:
      {{- with .Values.tolerations }}
      tolerations: {{- toYaml . | nindent 8 }}
      {{- end }}
+      {{- if .Values.supersetNode.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ .Values.supersetNode.terminationGracePeriodSeconds }}
+      {{- end }}
      {{- if .Values.imagePullSecrets }}
      imagePullSecrets: {{- toYaml .Values.imagePullSecrets | nindent 8 }}
      {{- end }}
--- a/helm/superset/values.yaml
+++ b/helm/superset/values.yaml
@@ -194,11 +194,6 @@ image:

 imagePullSecrets: []

-initImage:
-  repository: apache/superset
-  tag: dockerize
-  pullPolicy: IfNotPresent
-
 service:
  type: ClusterIP
  port: 8088
@@ -274,7 +269,7 @@ supersetNode:
  command:
    - "/bin/sh"
    - "-c"
-    - ". {{ .Values.configMountPath }}/superset_bootstrap.sh; /usr/bin/run-server.sh"
+    - ". {{ .Values.configMountPath }}/superset_bootstrap.sh; exec /usr/bin/run-server.sh"
  connections:
    # -- Change in case of bringing your own redis and then also set redis.enabled:false
    redis_host: "{{ .Release.Name }}-redis-headless"
@@ -303,15 +298,29 @@ supersetNode:
  # @default -- a container waiting for postgres
  initContainers:
    - name: wait-for-postgres
-      image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
-      imagePullPolicy: "{{ .Values.initImage.pullPolicy }}"
+      image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+      imagePullPolicy: "{{ .Values.image.pullPolicy }}"
      envFrom:
        - secretRef:
            name: "{{ tpl .Values.envFromSecret . }}"
      command:
-        - /bin/sh
+        - /bin/bash
        - -c
-        - dockerize -wait "tcp://$DB_HOST:$DB_PORT" -timeout 120s
+        - |
+          # opening a /dev/tcp fd performs a TCP connect without sending any
+          # payload (avoids postgres "incomplete startup packet" log noise);
+          # no external `dockerize`, `nc`, or busybox needed. SECONDS-based
+          # deadline mirrors the prior `dockerize -timeout 120s` behaviour.
+          SECONDS=0
+          until (exec 3<>/dev/tcp/"$DB_HOST"/"$DB_PORT") 2>/dev/null; do
+            if [ "$SECONDS" -ge 120 ]; then
+              echo "timeout waiting for postgres at $DB_HOST:$DB_PORT after 120s" >&2
+              exit 1
+            fi
+            echo "waiting for postgres at $DB_HOST:$DB_PORT (elapsed ${SECONDS}s)"
+            sleep 2
+          done
+          echo "postgres at $DB_HOST:$DB_PORT is up"
      resources:
        limits:
          memory: "256Mi"
@@ -360,6 +369,12 @@ supersetNode:
    failureThreshold: 3
    periodSeconds: 15
    successThreshold: 1
+  # -- Container lifecycle hooks, e.g. a preStop sleep so the Service/Ingress
+  # stops routing to the pod before gunicorn receives SIGTERM
+  lifecycle: {}
+  # -- Pod termination grace period (seconds). Set greater than GUNICORN_TIMEOUT so
+  # in-flight requests can drain before SIGKILL
+  terminationGracePeriodSeconds: ~
  # -- Resource settings for the supersetNode pods - these settings overwrite might existing values from the global resources object defined above.
  resources: {}
    # limits:
@@ -400,22 +415,38 @@ supersetWorker:
  command:
    - "/bin/sh"
    - "-c"
-    - ". {{ .Values.configMountPath }}/superset_bootstrap.sh; celery --app=superset.tasks.celery_app:app worker"
+    - ". {{ .Values.configMountPath }}/superset_bootstrap.sh; exec celery --app=superset.tasks.celery_app:app worker"
  # -- If true, forces deployment to reload on each upgrade
  forceReload: false
  # -- Init container
  # @default -- a container waiting for postgres and redis
  initContainers:
    - name: wait-for-postgres-redis
-      image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
-      imagePullPolicy: "{{ .Values.initImage.pullPolicy }}"
+      image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+      imagePullPolicy: "{{ .Values.image.pullPolicy }}"
      envFrom:
        - secretRef:
            name: "{{ tpl .Values.envFromSecret . }}"
      command:
-        - /bin/sh
+        - /bin/bash
        - -c
-        - dockerize -wait "tcp://$DB_HOST:$DB_PORT" -wait "tcp://$REDIS_HOST:$REDIS_PORT" -timeout 120s
+        - |
+          # See supersetNode.initContainers for the rationale.
+          SECONDS=0
+          wait_for() {
+            local host=$1 port=$2 name=$3
+            until (exec 3<>/dev/tcp/"$host"/"$port") 2>/dev/null; do
+              if [ "$SECONDS" -ge 120 ]; then
+                echo "timeout waiting for $name at $host:$port after 120s" >&2
+                exit 1
+              fi
+              echo "waiting for $name at $host:$port (elapsed ${SECONDS}s)"
+              sleep 2
+            done
+            echo "$name at $host:$port is up"
+          }
+          wait_for "$DB_HOST" "$DB_PORT" postgres
+          wait_for "$REDIS_HOST" "$REDIS_PORT" redis
      resources:
        limits:
          memory: "256Mi"
@@ -464,6 +495,10 @@ supersetWorker:
    failureThreshold: 3
    periodSeconds: 60
    successThreshold: 1
+  # -- Container lifecycle hooks for the worker pod
+  lifecycle: {}
+  # -- Pod termination grace period (seconds) for the worker pod so in-flight tasks can drain before SIGKILL
+  terminationGracePeriodSeconds: ~
  # -- No startup/readiness probes by default since we don't really care about its startup time (it doesn't serve traffic)
  startupProbe: {}
  # -- No startup/readiness probes by default since we don't really care about its startup time (it doesn't serve traffic)
@@ -488,22 +523,38 @@ supersetCeleryBeat:
  command:
    - "/bin/sh"
    - "-c"
-    - ". {{ .Values.configMountPath }}/superset_bootstrap.sh; celery --app=superset.tasks.celery_app:app beat --pidfile /tmp/celerybeat.pid --schedule /tmp/celerybeat-schedule"
+    - ". {{ .Values.configMountPath }}/superset_bootstrap.sh; exec celery --app=superset.tasks.celery_app:app beat --pidfile /tmp/celerybeat.pid --schedule /tmp/celerybeat-schedule"
  # -- If true, forces deployment to reload on each upgrade
  forceReload: false
  # -- List of init containers
  # @default -- a container waiting for postgres
  initContainers:
    - name: wait-for-postgres-redis
-      image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
-      imagePullPolicy: "{{ .Values.initImage.pullPolicy }}"
+      image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+      imagePullPolicy: "{{ .Values.image.pullPolicy }}"
      envFrom:
        - secretRef:
            name: "{{ tpl .Values.envFromSecret . }}"
      command:
-        - /bin/sh
+        - /bin/bash
        - -c
-        - dockerize -wait "tcp://$DB_HOST:$DB_PORT" -wait "tcp://$REDIS_HOST:$REDIS_PORT" -timeout 120s
+        - |
+          # See supersetNode.initContainers for the rationale.
+          SECONDS=0
+          wait_for() {
+            local host=$1 port=$2 name=$3
+            until (exec 3<>/dev/tcp/"$host"/"$port") 2>/dev/null; do
+              if [ "$SECONDS" -ge 120 ]; then
+                echo "timeout waiting for $name at $host:$port after 120s" >&2
+                exit 1
+              fi
+              echo "waiting for $name at $host:$port (elapsed ${SECONDS}s)"
+              sleep 2
+            done
+            echo "$name at $host:$port is up"
+          }
+          wait_for "$DB_HOST" "$DB_PORT" postgres
+          wait_for "$REDIS_HOST" "$REDIS_PORT" redis
      resources:
        limits:
          memory: "256Mi"
@@ -594,15 +645,31 @@ supersetCeleryFlower:
  # @default -- a container waiting for postgres and redis
  initContainers:
    - name: wait-for-postgres-redis
-      image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
-      imagePullPolicy: "{{ .Values.initImage.pullPolicy }}"
+      image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+      imagePullPolicy: "{{ .Values.image.pullPolicy }}"
      envFrom:
        - secretRef:
            name: "{{ tpl .Values.envFromSecret . }}"
      command:
-        - /bin/sh
+        - /bin/bash
        - -c
-        - dockerize -wait "tcp://$DB_HOST:$DB_PORT" -wait "tcp://$REDIS_HOST:$REDIS_PORT" -timeout 120s
+        - |
+          # See supersetNode.initContainers for the rationale.
+          SECONDS=0
+          wait_for() {
+            local host=$1 port=$2 name=$3
+            until (exec 3<>/dev/tcp/"$host"/"$port") 2>/dev/null; do
+              if [ "$SECONDS" -ge 120 ]; then
+                echo "timeout waiting for $name at $host:$port after 120s" >&2
+                exit 1
+              fi
+              echo "waiting for $name at $host:$port (elapsed ${SECONDS}s)"
+              sleep 2
+            done
+            echo "$name at $host:$port is up"
+          }
+          wait_for "$DB_HOST" "$DB_PORT" postgres
+          wait_for "$REDIS_HOST" "$REDIS_PORT" redis
      resources:
        limits:
          memory: "256Mi"
@@ -764,15 +831,26 @@ init:
  # @default -- a container waiting for postgres
  initContainers:
    - name: wait-for-postgres
-      image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
-      imagePullPolicy: "{{ .Values.initImage.pullPolicy }}"
+      image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+      imagePullPolicy: "{{ .Values.image.pullPolicy }}"
      envFrom:
        - secretRef:
            name: "{{ tpl .Values.envFromSecret . }}"
      command:
-        - /bin/sh
+        - /bin/bash
        - -c
-        - dockerize -wait "tcp://$DB_HOST:$DB_PORT" -timeout 120s
+        - |
+          # See supersetNode.initContainers for the rationale.
+          SECONDS=0
+          until (exec 3<>/dev/tcp/"$DB_HOST"/"$DB_PORT") 2>/dev/null; do
+            if [ "$SECONDS" -ge 120 ]; then
+              echo "timeout waiting for postgres at $DB_HOST:$DB_PORT after 120s" >&2
+              exit 1
+            fi
+            echo "waiting for postgres at $DB_HOST:$DB_PORT (elapsed ${SECONDS}s)"
+            sleep 2
+          done
+          echo "postgres at $DB_HOST:$DB_PORT is up"
      resources:
        limits:
          memory: "256Mi"
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -38,14 +38,20 @@ dependencies = [
    # no bounds for apache-superset-core until we have a stable version
    "apache-superset-core",
    "backoff>=1.8.0",
+    # cachetools is used directly by ``superset.db_engine_specs.aws_iam`` (TTLCache).
+    # It used to be installed transitively via ``google-auth`` (<2.53), but
+    # ``google-auth`` 2.53+ dropped it, so Superset must declare it
+    # explicitly to keep fresh ``pip install apache-superset`` working
+    # without the ``base.txt`` lock file (#40962).
+    "cachetools>=6.2.1, <7",
    "celery>=5.3.6, <6.0.0",
    "click>=8.4.0",
    "click-option-group",
    "colorama",
-    "flask-cors>=6.0.0, <7.0",
+    "flask-cors>=6.0.5, <7.0",
    "croniter>=6.2.2",
    "cron-descriptor",
-    "cryptography>=42.0.4, <47.0.0",
+    "cryptography>=48.0.0, <49.0.0",
    "deprecation>=2.1.0, <2.2.0",
    "flask>=2.2.5, <4.0.0",
    "flask-appbuilder>=5.2.1, <6.0.0",
@@ -57,7 +63,7 @@ dependencies = [
    "flask-session>=0.4.0, <1.0",
    "flask-wtf>=1.3.0, <2.0",
    "geopy",
-    "greenlet>=3.0.3, <=3.5.0",
+    "greenlet<=3.5.1, >=3.5.1",
    "gunicorn>=25.3.0, <26; sys_platform != 'win32'",
    "hashids>=1.3.1, <2",
    # holidays>=0.45 required for security fix
@@ -67,10 +73,12 @@ dependencies = [
    "jsonpath-ng>=1.8.0, <2",
    "Mako>=1.2.2",
    "markdown>=3.10.2",
-    # marshmallow>=4 has issues: https://github.com/apache/superset/issues/33162
-    "marshmallow>=3.0, <4",
+    # marshmallow 4 compatibility: see superset/marshmallow_compatibility.py for a
+    # Flask-AppBuilder workaround. Tracking issue:
+    # https://github.com/apache/superset/issues/33162
+    "marshmallow>=3.0, <5",
    "marshmallow-union>=0.1",
-    "msgpack>=1.0.0, <1.2",
+    "msgpack>=1.2.0, <1.3",
    "nh3>=0.3.5, <0.4",
    "numpy>1.23.5, <2.3",
    "packaging",
@@ -90,7 +98,7 @@ dependencies = [
    "python-dotenv", # optional dependencies for Flask but required for Superset, see https://flask.palletsprojects.com/en/stable/installation/#optional-dependencies
    "pygeohash",
    "pyarrow>=24.0.0, <25", # before upgrading pyarrow, check that all db dependencies support this, see e.g. https://github.com/apache/superset/pull/34693
-    "pyyaml>=6.0.0, <7.0.0",
+    "pyyaml>=6.0.3, <7.0.0",
    "PyJWT>=2.4.0, <3.0",
    "redis>=5.0.0, <6.0",
    "rison>=2.0.0, <3.0",
@@ -141,7 +149,7 @@ drill = ["sqlalchemy-drill>=1.1.10, <2"]
 druid = ["pydruid>=0.6.5,<0.7"]
 duckdb = ["duckdb>=1.5.2,<2", "duckdb-engine>=0.17.0"]
 dynamodb = ["pydynamodb>=0.4.2"]
-solr = ["sqlalchemy-solr >= 0.2.0"]
+solr = ["sqlalchemy-solr >= 0.2.4.3"]
 elasticsearch = ["elasticsearch-dbapi>=0.2.13, <0.3.0"]
 exasol = ["sqlalchemy-exasol>=2.4.0, <8.0"]
 excel = ["xlrd>=2.0.2, <2.1"]
@@ -183,7 +191,7 @@ pinot = ["pinotdb>=5.0.0, <10.0.0"]
 playwright = ["playwright>=1.60.0, <2"]
 postgres = ["psycopg2-binary==2.9.12"]
 presto = ["pyhive[presto]>=0.6.5"]
-trino = ["trino>=0.328.0"]
+trino = ["trino>=0.337.0"]
 prophet = ["prophet>=1.1.6, <2"]
 redshift = ["sqlalchemy-redshift>=0.8.1, <0.9"]
 risingwave = ["sqlalchemy-risingwave"]
@@ -208,7 +216,7 @@ netezza = ["nzalchemy>=11.0.2"]
 starrocks = ["starrocks>=1.3.3, <2"]
 doris = ["pydoris>=1.0.0, <2.0.0"]
 oceanbase = ["oceanbase_py>=0.0.1.2"]
-ydb = ["ydb-sqlalchemy>=0.1.2", "ydb-sqlglot-plugin>=0.2.5"]
+ydb = ["ydb-sqlalchemy>=0.1.22", "ydb-sqlglot-plugin>=0.2.5"]
 development = [
    # no bounds for apache-superset-extensions-cli until a stable version
    "apache-superset-extensions-cli",
@@ -216,7 +224,7 @@ development = [
    "docker",
    "flask-testing",
    "freezegun",
-    "grpcio>=1.55.3",
+    "grpcio>=1.81.1",
    "openapi-spec-validator",
    "parameterized",
    "pip",
@@ -367,7 +375,6 @@ select = [

 ignore = [
    "S101",
-    "PT004",  # Fixtures that don't return values - underscore prefix conflicts with pytest usage
    "PT006",
    "T201",
    "N999",
--- a/pytest.ini
+++ b/pytest.ini
@@ -18,5 +18,30 @@
 testpaths =
    tests
 python_files = *_test.py test_*.py *_tests.py *viz/utils.py
-addopts = -p no:warnings
+# `-p no:warnings` temporarily disabled in favor of more finely tuned `filterwarnings`.
+#addopts = -p no:warnings
 asyncio_mode = auto
+
+# `ignore` is effectively equivalent to `-p no:warnings`.
+# Always print RemovedIn20Warning when SQLALCHEMY_WARN_20=1.
+# Additionally, raise errors for refactored RemovedIn20Warning cases to prevent regression.
+filterwarnings =
+    ignore
+    always::sqlalchemy.exc.RemovedIn20Warning
+    error:Passing a string to Connection.execute\(\) is deprecated:sqlalchemy.exc.RemovedIn20Warning
+#    error:"Query" object is being merged into a Session:sqlalchemy.exc.RemovedIn20Warning
+#    error:"SavedQuery" object is being merged into a Session:sqlalchemy.exc.RemovedIn20Warning
+#    error:"SqlaTable" object is being merged into a Session:sqlalchemy.exc.RemovedIn20Warning
+#    error:"SqlMetric" object is being merged into a Session:sqlalchemy.exc.RemovedIn20Warning
+#    error:"TableColumn" object is being merged into a Session:sqlalchemy.exc.RemovedIn20Warning
+#    error:"TaggedObject" object is being merged into a Session:sqlalchemy.exc.RemovedIn20Warning
+#    error:The ``as_declarative\(\)`` function is now available:sqlalchemy.exc.RemovedIn20Warning
+#    error:The autoload parameter is deprecated:sqlalchemy.exc.RemovedIn20Warning
+#    error:The connection.execute\(\) method:sqlalchemy.exc.RemovedIn20Warning
+#    error:The current statement is being autocommitted using implicit autocommit:sqlalchemy.exc.RemovedIn20Warning
+#    error:The `database` package is deprecated:sqlalchemy.exc.RemovedIn20Warning
+#    error:The ``declarative_base\(\)`` function is now available:sqlalchemy.exc.RemovedIn20Warning
+#    error:The Engine.execute\(\) method is considered legacy:sqlalchemy.exc.RemovedIn20Warning
+    error:The legacy calling style of select\(\) is deprecated:sqlalchemy.exc.RemovedIn20Warning
+#    error:The "whens" argument to case:sqlalchemy.exc.RemovedIn20Warning
+#    error:"User" object is being merged into a Session:sqlalchemy.exc.RemovedIn20Warning
--- a/requirements/base.in
+++ b/requirements/base.in
@@ -26,7 +26,7 @@ filelock>=3.20.3,<4.0.0
 brotli>=1.2.0,<2.0.0
 numexpr>=2.9.0
 # Security: CVE-2026-34073 (MEDIUM) - Improper Certificate Validation
-cryptography>=46.0.7,<47.0.0
+cryptography>=48.0.0,<49.0.0
 # Security: Snyk - XSS vulnerability in Mako templates
 mako>=1.3.11,<2.0.0
 # Security: CVE-2024-52338 (CRITICAL) - Deserialization of untrusted data in IPC/Parquet readers
@@ -44,11 +44,10 @@ async_timeout>=4.0.0,<5.0.0
 # a bit of attention to bump.
 apispec>=6.0.0,<6.7.0

-# 1.4.1 appears to use much more memory, where the python test suite runs out of memory
-# causing CI to fail. 1.4.0 is the last version that works.
-# https://marshmallow-sqlalchemy.readthedocs.io/en/latest/changelog.html#id3
-# Opened this issue https://github.com/marshmallow-code/marshmallow-sqlalchemy/issues/665
-marshmallow-sqlalchemy>=1.3.0,<1.4.1
+# 1.4.1 introduced a memory regression that exhausts memory in the test suite
+# (https://github.com/marshmallow-code/marshmallow-sqlalchemy/issues/665). 1.4.2
+# claimed a fix but did not address the root cause; only 1.5.0 actually fixes it.
+marshmallow-sqlalchemy>=1.5.0

 # needed for python 3.12 support
 openapi-schema-validator>=0.6.3
@@ -58,3 +57,9 @@ openapi-schema-validator>=0.6.3
 # Known affected packages: Preset's 'clients' package
 # See docs/docs/contributing/pkg-resources-migration.md for details
 setuptools<81
+
+# google-auth 2.53+ dropped its transitive dependency on cachetools, which is
+# imported directly by superset.db_engine_specs.aws_iam. We declare cachetools
+# explicitly in pyproject.toml and pin google-auth to the post-drop range so
+# the install path is internally consistent (#40962).
+google-auth>=2.53.0,<3.0.0
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -45,7 +45,7 @@ cachelib==0.13.0
    #   flask-caching
    #   flask-session
 cachetools==6.2.1
-    # via google-auth
+    # via apache-superset (pyproject.toml)
 cattrs==25.1.1
    # via requests-cache
 celery==5.5.2
@@ -86,10 +86,11 @@ cron-descriptor==1.4.5
    # via apache-superset (pyproject.toml)
 croniter==6.2.2
    # via apache-superset (pyproject.toml)
-cryptography==46.0.7
+cryptography==48.0.1
    # via
    #   -r requirements/base.in
    #   apache-superset (pyproject.toml)
+    #   google-auth
    #   paramiko
    #   pyopenssl
 defusedxml==0.7.1
@@ -131,7 +132,7 @@ flask-caching==2.3.1
    # via apache-superset (pyproject.toml)
 flask-compress==1.17
    # via apache-superset (pyproject.toml)
-flask-cors==6.0.2
+flask-cors==6.0.5
    # via apache-superset (pyproject.toml)
 flask-jwt-extended==4.7.1
    # via flask-appbuilder
@@ -159,9 +160,11 @@ geographiclib==2.0
    # via geopy
 geopy==2.4.1
    # via apache-superset (pyproject.toml)
-google-auth==2.43.0
-    # via shillelagh
-greenlet==3.5.0
+google-auth==2.53.0
+    # via
+    #   -r requirements/base.in
+    #   shillelagh
+greenlet==3.5.1
    # via
    #   apache-superset (pyproject.toml)
    #   shillelagh
@@ -223,13 +226,13 @@ markupsafe==3.0.2
    #   mako
    #   werkzeug
    #   wtforms
-marshmallow==3.26.2
+marshmallow==4.3.0
    # via
    #   apache-superset (pyproject.toml)
    #   flask-appbuilder
    #   marshmallow-sqlalchemy
    #   marshmallow-union
-marshmallow-sqlalchemy==1.4.0
+marshmallow-sqlalchemy==1.5.0
    # via
    #   -r requirements/base.in
    #   flask-appbuilder
@@ -237,7 +240,7 @@ marshmallow-union==0.1.15
    # via apache-superset (pyproject.toml)
 mdurl==0.1.2
    # via markdown-it-py
-msgpack==1.0.8
+msgpack==1.2.1
    # via apache-superset (pyproject.toml)
 msgspec==0.19.0
    # via flask-session
@@ -270,7 +273,6 @@ packaging==25.0
    #   deprecation
    #   gunicorn
    #   limits
-    #   marshmallow
    #   shillelagh
 pandas==2.1.4
    # via apache-superset (pyproject.toml)
@@ -298,9 +300,7 @@ pyarrow==24.0.0
    #   apache-superset (pyproject.toml)
    #   apache-superset-core
 pyasn1==0.6.3
-    # via
-    #   pyasn1-modules
-    #   rsa
+    # via pyasn1-modules
 pyasn1-modules==0.4.2
    # via google-auth
 pycparser==2.22
@@ -315,7 +315,7 @@ pygeohash==3.2.2
    # via apache-superset (pyproject.toml)
 pygments==2.20.0
    # via rich
-pyjwt==2.12.0
+pyjwt==2.13.0
    # via
    #   apache-superset (pyproject.toml)
    #   flask-appbuilder
@@ -323,7 +323,7 @@ pyjwt==2.12.0
    #   redis
 pynacl==1.6.2
    # via paramiko
-pyopenssl==26.0.0
+pyopenssl==26.2.0
    # via
    #   -r requirements/base.in
    #   shillelagh
@@ -344,12 +344,11 @@ python-dotenv==1.2.2
    # via apache-superset (pyproject.toml)
 pytz==2025.2
    # via
-    #   croniter
    #   flask-babel
    #   pandas
 pyxlsb==1.0.10
    # via pandas
-pyyaml==6.0.2
+pyyaml==6.0.3
    # via
    #   apache-superset (pyproject.toml)
    #   apispec
@@ -376,8 +375,6 @@ rpds-py==0.25.0
    # via
    #   jsonschema
    #   referencing
-rsa==4.9.1
-    # via google-auth
 selenium==4.44.0
    # via apache-superset (pyproject.toml)
 setuptools==80.9.0
--- a/requirements/development.txt
+++ b/requirements/development.txt
@@ -100,7 +100,7 @@ cachelib==0.13.0
 cachetools==6.2.1
    # via
    #   -c requirements/base-constraint.txt
-    #   google-auth
+    #   apache-superset
    #   py-key-value-aio
 caio==0.9.25
    # via aiofile
@@ -178,11 +178,12 @@ croniter==6.2.2
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
-cryptography==46.0.7
+cryptography==48.0.1
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
    #   authlib
+    #   google-auth
    #   paramiko
    #   pyjwt
    #   pyopenssl
@@ -276,7 +277,7 @@ flask-compress==1.17
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
-flask-cors==6.0.2
+flask-cors==6.0.5
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
@@ -340,7 +341,7 @@ google-api-core==2.23.0
    #   google-cloud-core
    #   pandas-gbq
    #   sqlalchemy-bigquery
-google-auth==2.43.0
+google-auth==2.53.0
    # via
    #   -c requirements/base-constraint.txt
    #   google-api-core
@@ -373,7 +374,7 @@ googleapis-common-protos==1.66.0
    # via
    #   google-api-core
    #   grpcio-status
-greenlet==3.5.0
+greenlet==3.5.1
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
@@ -382,7 +383,7 @@ greenlet==3.5.0
    #   sqlalchemy
 griffelib==2.0.2
    # via fastmcp
-grpcio==1.71.0
+grpcio==1.81.1
    # via
    #   apache-superset
    #   google-api-core
@@ -507,6 +508,8 @@ limits==5.1.0
    # via
    #   -c requirements/base-constraint.txt
    #   flask-limiter
+lz4==4.4.5
+    # via trino
 mako==1.3.12
    # via
    #   -c requirements/base-constraint.txt
@@ -527,14 +530,14 @@ markupsafe==3.0.2
    #   mako
    #   werkzeug
    #   wtforms
-marshmallow==3.26.2
+marshmallow==4.3.0
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
    #   flask-appbuilder
    #   marshmallow-sqlalchemy
    #   marshmallow-union
-marshmallow-sqlalchemy==1.4.0
+marshmallow-sqlalchemy==1.5.0
    # via
    #   -c requirements/base-constraint.txt
    #   flask-appbuilder
@@ -556,7 +559,7 @@ more-itertools==10.8.0
    # via
    #   jaraco-classes
    #   jaraco-functools
-msgpack==1.0.8
+msgpack==1.2.1
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
@@ -608,6 +611,8 @@ ordered-set==4.1.0
    # via
    #   -c requirements/base-constraint.txt
    #   flask-limiter
+orjson==3.11.9
+    # via trino
 outcome==1.3.0.post0
    # via
    #   -c requirements/base-constraint.txt
@@ -626,7 +631,6 @@ packaging==25.0
    #   google-cloud-bigquery
    #   gunicorn
    #   limits
-    #   marshmallow
    #   matplotlib
    #   pytest
    #   shillelagh
@@ -723,7 +727,6 @@ pyasn1==0.6.3
    #   -c requirements/base-constraint.txt
    #   pyasn1-modules
    #   python-ldap
-    #   rsa
 pyasn1-modules==0.4.2
    # via
    #   -c requirements/base-constraint.txt
@@ -766,7 +769,7 @@ pyhive==0.7.0
    # via apache-superset
 pyinstrument==5.1.2
    # via apache-superset
-pyjwt==2.12.0
+pyjwt==2.13.0
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
@@ -780,7 +783,7 @@ pynacl==1.6.2
    # via
    #   -c requirements/base-constraint.txt
    #   paramiko
-pyopenssl==26.0.0
+pyopenssl==26.2.0
    # via
    #   -c requirements/base-constraint.txt
    #   shillelagh
@@ -841,7 +844,6 @@ python-multipart==0.0.29
 pytz==2025.2
    # via
    #   -c requirements/base-constraint.txt
-    #   croniter
    #   flask-babel
    #   pandas
    #   trino
@@ -849,7 +851,7 @@ pyxlsb==1.0.10
    # via
    #   -c requirements/base-constraint.txt
    #   pandas
-pyyaml==6.0.2
+pyyaml==6.0.3
    # via
    #   -c requirements/base-constraint.txt
    #   apache-superset
@@ -911,10 +913,6 @@ rpds-py==0.25.0
    #   -c requirements/base-constraint.txt
    #   jsonschema
    #   referencing
-rsa==4.9.1
-    # via
-    #   -c requirements/base-constraint.txt
-    #   google-auth
 ruff==0.9.7
    # via apache-superset
 s3transfer==0.16.0
@@ -1017,7 +1015,7 @@ tqdm==4.67.1
    # via
    #   cmdstanpy
    #   prophet
-trino==0.330.0
+trino==0.337.0
    # via apache-superset
 trio==0.33.0
    # via
@@ -1037,6 +1035,7 @@ typing-extensions==4.15.0
    #   apache-superset-core
    #   cattrs
    #   exceptiongroup
+    #   grpcio
    #   limits
    #   mcp
    #   opentelemetry-api
@@ -1151,3 +1150,4 @@ zstandard==0.23.0
    # via
    #   -c requirements/base-constraint.txt
    #   flask-compress
+    #   trino
--- a/scripts/benchmark_migration.py
+++ b/scripts/benchmark_migration.py
@@ -30,7 +30,7 @@ from flask import current_app
 from flask_appbuilder import Model
 from flask_migrate import downgrade, upgrade
 from progress.bar import ChargingBar
-from sqlalchemy import create_engine, inspect
+from sqlalchemy import create_engine, inspect, text
 from sqlalchemy.ext.automap import automap_base

 from superset import db
@@ -154,7 +154,7 @@ def main(  # noqa: C901

    print(f"Migration goes from {down_revision} to {revision}")
    current_revision = db.engine.execute(
-        "SELECT version_num FROM alembic_version"
+        text("SELECT version_num FROM alembic_version")
    ).scalar()
    print(f"Current version of the DB is {current_revision}")

--- a/scripts/translations/backfill_po.py
+++ b/scripts/translations/backfill_po.py
@@ -106,6 +106,7 @@ LANGUAGE_NAMES: dict[str, str] = {
    "ru": "Russian",
    "sk": "Slovak",
    "sl": "Slovenian",
+    "sr": "Serbian",
    "tr": "Turkish",
    "uk": "Ukrainian",
    "zh": "Chinese (Simplified)",
--- a/superset-embedded-sdk/release-if-necessary.js
+++ b/superset-embedded-sdk/release-if-necessary.js
@@ -47,7 +47,11 @@ function logError(...args) {
      execSync('npm publish --access public', { stdio: 'pipe' });
      log(`published ${version} to npm`);
    } catch (err) {
-      console.error(String(err.stdout));
+      // npm writes failure details to stderr (auth/permission/registry
+      // errors in particular), so surface both streams to avoid masking
+      // the real cause in CI logs.
+      if (err.stdout) console.error(String(err.stdout));
+      if (err.stderr) console.error(String(err.stderr));
      logError('Encountered an error, details should be above');
      process.exitCode = 1;
    }
--- a/superset-frontend/jest.config.js
+++ b/superset-frontend/jest.config.js
@@ -69,7 +69,7 @@ module.exports = {
  ],
  coverageReporters: ['lcov', 'json-summary', 'html', 'text'],
  transformIgnorePatterns: [
-    'node_modules/(?!@formatjs/.*|d3-(array|interpolate|color|time|scale|time-format|format)|internmap|@mapbox/tiny-sdf|remark-gfm|(?!@ngrx|(?!deck.gl)|d3-scale)|markdown-table|micromark-*.|decode-named-character-reference|character-entities|mdast-util-*.|unist-util-*.|ccount|escape-string-regexp|nanoid|uuid|@rjsf/*.|echarts|zrender|fetch-mock|pretty-ms|parse-ms|ol|@babel/runtime|@emotion|cheerio|cheerio/lib|parse5|dom-serializer|entities|htmlparser2|rehype-sanitize|hast-util-sanitize|unified|unist-.*|hast-.*|rehype-.*|remark-.*|mdast-.*|micromark-.*|parse-entities|property-information|space-separated-tokens|comma-separated-tokens|bail|devlop|zwitch|longest-streak|geostyler|geostyler-.*|(?!geostyler)lodash|react-error-boundary|react-json-tree|react-base16-styling|lodash-es|rbush|quickselect|react-diff-viewer-continued|storybook/*.)',
+    'node_modules/(?!@formatjs/.*|d3-(array|interpolate|color|time|scale|time-format|format)|internmap|@mapbox/tiny-sdf|remark-gfm|(?!@ngrx|(?!deck.gl)|d3-scale)|markdown-table|micromark-*.|decode-named-character-reference|character-entities|mdast-util-*.|unist-util-*.|ccount|escape-string-regexp|nanoid|uuid|@rjsf/*.|echarts|zrender|fetch-mock|pretty-ms|parse-ms|ol|@babel/runtime|@emotion|cheerio|cheerio/lib|parse5|dom-serializer|entities|htmlparser2|rehype-sanitize|hast-util-sanitize|unified|unist-.*|hast-.*|rehype-.*|remark-.*|mdast-.*|micromark-.*|parse-entities|property-information|space-separated-tokens|comma-separated-tokens|bail|devlop|zwitch|longest-streak|geostyler|geostyler-.*|(?!geostyler)lodash|react-error-boundary|react-json-tree|react-base16-styling|lodash-es|rbush|quickselect|react-diff-viewer-continued|storybook/*.|json-stringify-pretty-compact)',
  ],
  preset: 'ts-jest',
  transform: {
--- a/superset-frontend/package-lock.json
+++ b/superset-frontend/package-lock.json
--- a/superset-frontend/package.json
+++ b/superset-frontend/package.json
@@ -119,7 +119,7 @@
    "@great-expectations/jsonforms-antd-renderers": "^2.2.10",
    "@jsonforms/core": "^3.7.0",
    "@jsonforms/react": "^3.7.0",
-    "@jsonforms/vanilla-renderers": "^3.7.0",
+    "@jsonforms/vanilla-renderers": "^3.8.0",
    "@luma.gl/constants": "~9.2.5",
    "@luma.gl/core": "~9.2.5",
    "@luma.gl/engine": "~9.2.5",
@@ -158,22 +158,21 @@
    "@types/d3-selection": "^3.0.11",
    "@types/d3-time-format": "^4.0.3",
    "@types/react-google-recaptcha": "^2.1.9",
-    "@visx/axis": "^3.8.0",
-    "@visx/grid": "^3.5.0",
-    "@visx/responsive": "^3.0.0",
-    "@visx/scale": "^3.5.0",
-    "@visx/tooltip": "^3.0.0",
-    "@visx/xychart": "^3.5.1",
+    "@visx/axis": "^4.0.0",
+    "@visx/grid": "^4.0.0",
+    "@visx/responsive": "^4.0.0",
+    "@visx/scale": "^4.0.0",
+    "@visx/tooltip": "^4.0.0",
+    "@visx/xychart": "^4.0.0",
    "ag-grid-community": "35.3.1",
    "ag-grid-react": "35.3.1",
    "antd": "^5.26.0",
    "chrono-node": "^2.9.1",
    "classnames": "^2.2.5",
    "content-disposition": "^2.0.1",
-    "d3-color": "^3.1.0",
    "d3-scale": "^4.0.2",
    "dayjs": "^1.11.21",
-    "dom-to-image-more": "^3.7.2",
+    "dom-to-image-more": "^3.10.0",
    "dom-to-pdf": "^0.3.2",
    "echarts": "^5.6.0",
    "fast-glob": "^3.3.2",
@@ -191,12 +190,12 @@
    "jquery": "^4.0.0",
    "js-levenshtein": "^1.1.6",
    "json-bigint": "^1.0.0",
-    "json-stringify-pretty-compact": "^2.0.0",
+    "json-stringify-pretty-compact": "^4.0.0",
    "lodash": "^4.18.1",
-    "mapbox-gl": "^3.24.0",
-    "markdown-to-jsx": "^9.8.1",
+    "mapbox-gl": "^3.25.0",
+    "markdown-to-jsx": "^9.8.2",
    "match-sorter": "^8.3.0",
-    "memoize-one": "^5.2.1",
+    "memoize-one": "^6.0.0",
    "mousetrap": "^1.6.5",
    "mustache": "^4.2.0",
    "nanoid": "^5.1.11",
@@ -204,7 +203,7 @@
    "query-string": "9.4.0",
    "re-resizable": "^6.11.2",
    "react": "^18.3.0",
-    "react-arborist": "^3.10.1",
+    "react-arborist": "^3.10.5",
    "react-checkbox-tree": "^1.8.0",
    "react-diff-viewer-continued": "^4.2.2",
    "react-dnd": "^11.1.3",
@@ -231,9 +230,9 @@
    "redux-undo": "^1.0.0-beta9-9-7",
    "rison": "^0.1.1",
    "scroll-into-view-if-needed": "^3.1.0",
-    "simple-zstd": "^1.4.2",
+    "simple-zstd": "^2.1.0",
    "stream-browserify": "^3.0.0",
-    "tinycolor2": "^1.4.2",
+    "tinycolor2": "^1.6.0",
    "urijs": "^1.19.8",
    "use-event-callback": "^0.1.0",
    "use-immer": "^0.11.0",
@@ -261,17 +260,17 @@
    "@babel/types": "^7.29.7",
    "@emotion/babel-plugin": "^11.13.5",
    "@emotion/jest": "^11.14.2",
-    "@formatjs/intl-durationformat": "^0.10.14",
+    "@formatjs/intl-durationformat": "^0.10.15",
    "@istanbuljs/nyc-config-typescript": "^1.0.1",
-    "@playwright/test": "^1.60.0",
+    "@playwright/test": "^1.61.0",
    "@pmmmwh/react-refresh-webpack-plugin": "^0.6.2",
-    "@storybook/addon-docs": "10.4.3",
-    "@storybook/addon-links": "10.4.3",
-    "@storybook/react-webpack5": "10.4.3",
+    "@storybook/addon-docs": "10.4.5",
+    "@storybook/addon-links": "10.4.4",
+    "@storybook/react-webpack5": "10.4.4",
    "@storybook/test-runner": "0.24.4",
    "@svgr/webpack": "^8.1.0",
    "@swc/core": "^1.15.41",
-    "@swc/plugin-emotion": "^14.12.0",
+    "@swc/plugin-emotion": "^14.13.0",
    "@swc/plugin-transform-imports": "^12.5.0",
    "@testing-library/dom": "^9.3.4",
    "@testing-library/jest-dom": "^6.9.1",
@@ -284,7 +283,7 @@
    "@types/js-levenshtein": "^1.1.3",
    "@types/json-bigint": "^1.0.4",
    "@types/mousetrap": "^1.6.15",
-    "@types/node": "^25.9.2",
+    "@types/node": "^25.9.3",
    "@types/react": "^18.3.0",
    "@types/react-dom": "^18.3.0",
    "@types/react-loadable": "^5.5.11",
@@ -297,21 +296,21 @@
    "@types/rison": "0.1.0",
    "@types/tinycolor2": "^1.4.3",
    "@types/unzipper": "^0.10.11",
-    "@typescript-eslint/eslint-plugin": "^8.61.0",
+    "@typescript-eslint/eslint-plugin": "^8.61.1",
    "@typescript-eslint/parser": "^8.61.0",
    "babel-jest": "^30.4.1",
    "babel-loader": "^10.1.1",
    "babel-plugin-dynamic-import-node": "^2.3.3",
    "babel-plugin-jsx-remove-data-test-id": "^3.0.0",
    "babel-plugin-lodash": "^3.3.4",
-    "baseline-browser-mapping": "^2.10.34",
+    "baseline-browser-mapping": "^2.10.38",
    "cheerio": "1.2.0",
    "concurrently": "^10.0.3",
    "copy-webpack-plugin": "^14.0.0",
    "cross-env": "^10.1.0",
    "css-loader": "^7.1.4",
    "css-minimizer-webpack-plugin": "^8.0.0",
-    "eslint": "^10.4.1",
+    "eslint": "^10.5.0",
    "eslint-config-prettier": "^10.1.8",
    "eslint-import-resolver-alias": "^1.1.2",
    "eslint-import-resolver-typescript": "^4.4.5",
@@ -324,8 +323,8 @@
    "eslint-plugin-no-only-tests": "^3.4.0",
    "eslint-plugin-prettier": "^5.5.6",
    "eslint-plugin-react-prefer-function-component": "^5.0.0",
-    "eslint-plugin-react-you-might-not-need-an-effect": "^1.0.0",
-    "eslint-plugin-storybook": "10.4.2",
+    "eslint-plugin-react-you-might-not-need-an-effect": "^1.0.1",
+    "eslint-plugin-storybook": "10.4.5",
    "eslint-plugin-testing-library": "^7.16.2",
    "eslint-plugin-theme-colors": "file:eslint-rules/eslint-plugin-theme-colors",
    "fetch-mock": "^12.6.0",
@@ -344,19 +343,19 @@
    "lightningcss": "^1.32.0",
    "mini-css-extract-plugin": "^2.10.2",
    "open-cli": "^9.0.0",
-    "oxlint": "^1.69.0",
+    "oxlint": "^1.70.0",
    "po2json": "^0.4.5",
    "prettier": "3.8.4",
    "prettier-plugin-packagejson": "^3.0.2",
    "process": "^0.11.10",
-    "react-dnd-test-backend": "^11.1.3",
+    "react-dnd-test-backend": "^16.0.1",
    "react-refresh": "^0.18.0",
    "react-resizable": "^4.0.1",
    "redux-mock-store": "^1.5.4",
    "source-map": "^0.7.6",
    "source-map-support": "^0.5.21",
    "speed-measure-webpack-plugin": "^1.6.0",
-    "storybook": "10.4.3",
+    "storybook": "10.4.6",
    "style-loader": "^4.0.0",
    "swc-loader": "^0.2.7",
    "terser-webpack-plugin": "^5.6.1",
--- a/superset-frontend/packages/generator-superset/package.json
+++ b/superset-frontend/packages/generator-superset/package.json
@@ -37,7 +37,7 @@
    "cross-env": "^10.1.0",
    "fs-extra": "^11.3.5",
    "jest": "^30.4.2",
-    "yeoman-test": "^11.5.3"
+    "yeoman-test": "^11.6.0"
  },
  "engines": {
    "npm": ">= 4.0.0",
--- a/superset-frontend/packages/superset-core/package.json
+++ b/superset-frontend/packages/superset-core/package.json
@@ -18,6 +18,14 @@
      "types": "./lib/authentication/index.d.ts",
      "default": "./lib/authentication/index.js"
    },
+    "./chat": {
+      "types": "./lib/chat/index.d.ts",
+      "default": "./lib/chat/index.js"
+    },
+    "./navigation": {
+      "types": "./lib/navigation/index.d.ts",
+      "default": "./lib/navigation/index.js"
+    },
    "./commands": {
      "types": "./lib/commands/index.d.ts",
      "default": "./lib/commands/index.js"
--- a/superset-frontend/packages/superset-core/src/chat/index.ts
+++ b/superset-frontend/packages/superset-core/src/chat/index.ts
@@ -0,0 +1,156 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/**
+ * @fileoverview Chat contribution API for Superset extensions.
+ *
+ * Chat is a dedicated contribution type: an extension registers
+ * a chat via {@link registerChat} and the host owns where and how it is
+ * mounted. The host applies singleton resolution — multiple chat extensions
+ * may register, but exactly one is active at a time.
+ *
+ * @example
+ * ```typescript
+ * import { chat } from '@apache-superset/core';
+ *
+ * chat.registerChat(
+ *   { id: 'acme.chat', name: 'Acme Chat' },
+ *   AcmeTrigger,
+ *   AcmePanel,
+ * );
+ * ```
+ */
+
+import { ComponentType } from 'react';
+import type { Disposable, Event } from '../common';
+
+export interface Chat {
+  /** The unique identifier for the chat. */
+  id: string;
+  /** The display name of the chat. */
+  name: string;
+  /** Optional description of the chat. */
+  description?: string;
+}
+
+export type DisplayMode = 'floating' | 'panel';
+
+/**
+ * Registers a chat provider. Only one chat is active at a time; the most
+ * recently registered chat wins. Disposing the returned Disposable unregisters
+ * the chat.
+ *
+ * @param chat The chat descriptor (id, name).
+ * @param trigger The trigger component — the collapsed bubble entry point.
+ *   Owns dynamic state such as unread counts.
+ * @param panel The panel component, rendered in either display mode. In
+ *   'floating' mode it appears as an overlay; in 'panel' mode it is docked
+ *   alongside the main content.
+ * @returns A Disposable that unregisters the chat when disposed.
+ *
+ * @example
+ * ```typescript
+ * chat.registerChat(
+ *   { id: 'acme.chat', name: 'Acme Chat' },
+ *   AcmeTrigger,
+ *   AcmePanel,
+ * );
+ * ```
+ */
+export declare function registerChat(
+  chat: Chat,
+  trigger: ComponentType,
+  panel: ComponentType,
+): Disposable;
+
+/**
+ * Returns the active chat descriptor, or undefined if none is registered.
+ */
+export declare function getChat(): Chat | undefined;
+
+/**
+ * Event fired when a chat is registered.
+ */
+export declare const onDidRegisterChat: Event<Chat>;
+
+/**
+ * Event fired when a chat is unregistered.
+ */
+export declare const onDidUnregisterChat: Event<Chat>;
+
+/**
+ * Opens the active chat's panel.
+ *
+ * Acts on whichever chat is active, regardless of which extension calls it.
+ * No-op when no chat is registered or the panel is already open.
+ */
+export declare function open(): void;
+
+/**
+ * Closes the active chat's panel.
+ *
+ * Acts on whichever chat is active, regardless of which extension calls it.
+ * No-op when the panel is not open.
+ */
+export declare function close(): void;
+
+/**
+ * Returns whether the active chat's panel is currently open.
+ */
+export declare function isOpen(): boolean;
+
+/**
+ * Event fired when the chat panel opens. Also fired by the host's own
+ * controls, not only by an extension's open() call.
+ */
+export declare const onDidOpen: Event<void>;
+
+/**
+ * Event fired when the chat panel closes, whether triggered by an extension
+ * or by the host.
+ */
+export declare const onDidClose: Event<void>;
+
+/**
+ * Returns the current display mode.
+ */
+export declare function getDisplayMode(): DisplayMode;
+
+/**
+ * Sets the display mode. The mode is host-global and applies to whichever
+ * chat is active. Use {@link onDidChangeDisplayMode} to observe all changes,
+ * including those triggered by the host.
+ */
+export declare function setDisplayMode(displayMode: DisplayMode): void;
+
+/**
+ * Event fired when the display mode changes, whether triggered by an
+ * extension via setDisplayMode() or by host-provided controls.
+ */
+export declare const onDidChangeDisplayMode: Event<DisplayMode>;
+
+/**
+ * Event fired when the panel is resized in panel mode. Not all hosts provide
+ * a resizer — do not rely on this event firing.
+ */
+export declare const onDidResizePanel: Event<{ width: number }>;
+
+// TODO: client actions API — tool availability functions will be added here
+// once the client_actions SIP is finalized. The chat namespace is the
+// intended integration point between the two SIPs.
--- a/superset-frontend/packages/superset-core/src/common/index.ts
+++ b/superset-frontend/packages/superset-core/src/common/index.ts
@@ -223,8 +223,6 @@ export interface Extension {
  dependencies: string[];
  /** Human-readable description of the extension */
  description: string;
-  /** List of other extensions that this extension depends on */
-  extensionDependencies: string[];
  /** Unique identifier for the extension */
  id: string;
  /** Human-readable name of the extension */
--- a/superset-frontend/packages/superset-core/src/contributions/index.ts
+++ b/superset-frontend/packages/superset-core/src/contributions/index.ts
@@ -23,9 +23,10 @@
 * This module defines the aggregate interfaces used by the extension.json
 * manifest and the `superset-extensions` build command. Individual metadata
 * types are defined in their respective namespace modules (commands, views,
- * menus, editors) and re-exported here for the manifest schema.
+ * menus, editors, chat) and re-exported here for the manifest schema.
 */

+import { Chat } from '../chat';
 import { Command } from '../commands';
 import { View } from '../views';
 import { Menu } from '../menus';
@@ -71,7 +72,8 @@ export interface MenuContributions {
 }

 /**
- * Aggregates all contributions (commands, menus, views, and editors) provided by an extension or module.
+ * Aggregates all contributions (commands, menus, views, editors, and chat)
+ * provided by an extension or module.
 */
 export interface Contributions {
  /** List of commands. */
@@ -82,4 +84,10 @@ export interface Contributions {
  views: ViewContributions;
  /** List of editors. */
  editors?: Editor[];
+  /**
+   * The chat contributed by the extension — at most one per extension, since
+   * the host applies singleton resolution and renders exactly one active
+   * chat at a time.
+   */
+  chat?: Chat;
 }
--- a/superset-frontend/packages/superset-core/src/index.ts
+++ b/superset-frontend/packages/superset-core/src/index.ts
@@ -18,10 +18,12 @@
 */
 export * as common from './common';
 export * as authentication from './authentication';
+export * as chat from './chat';
 export * as commands from './commands';
 export * as editors from './editors';
 export * as extensions from './extensions';
 export * as menus from './menus';
+export * as navigation from './navigation';
 export * as sqlLab from './sqlLab';
 export * as views from './views';
 export * as contributions from './contributions';
--- a/superset-frontend/packages/superset-core/src/navigation/index.ts
+++ b/superset-frontend/packages/superset-core/src/navigation/index.ts
@@ -0,0 +1,81 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/**
+ * @fileoverview Navigation namespace for Superset extensions.
+ *
+ * Exposes the current application surface so extensions can react to route
+ * changes without polling. Entity-level context (chart, dashboard, dataset)
+ * is intentionally not included here — surface-specific namespaces that
+ * resolve entity payloads are introduced in later phases.
+ */
+
+import { Event } from '../common';
+
+/**
+ * The set of top-level application surfaces.
+ *
+ * `'explore'`, `'dashboard'` and `'dataset'` are the single-entity
+ * editing/viewing surfaces. `'chart_list'`, `'dashboard_list'` and
+ * `'dataset_list'` are the browse/list surfaces, distinct from those because no
+ * single entity is active. `'sqllab'` is the SQL editor where
+ * `sqlLab.getCurrentTab()` resolves; `'query_history'` and `'saved_queries'`
+ * are the related SQL Lab browse pages, which are not the editor. `'home'` is
+ * the welcome surface and the fallback for any route not explicitly enumerated.
+ */
+export type Page =
+  | 'dashboard'
+  | 'dashboard_list'
+  | 'explore'
+  | 'chart_list'
+  | 'sqllab'
+  | 'query_history'
+  | 'saved_queries'
+  | 'dataset'
+  | 'dataset_list'
+  | 'home';
+
+/**
+ * Returns the current page surface.
+ *
+ * @example
+ * ```typescript
+ * const page = navigation.getPage();
+ * if (page === 'dashboard') {
+ *   // react to being on a dashboard surface
+ * }
+ * ```
+ */
+export declare function getPage(): Page;
+
+/**
+ * Event fired whenever the user navigates to a different surface.
+ *
+ * @example
+ * ```typescript
+ * const sub = navigation.onDidChangePage(page => {
+ *   if (page === 'dashboard') {
+ *     // react to navigating onto a dashboard surface
+ *   }
+ * });
+ * // later:
+ * sub.dispose();
+ * ```
+ */
+export declare const onDidChangePage: Event<Page>;
--- a/superset-frontend/packages/superset-core/src/views/index.ts
+++ b/superset-frontend/packages/superset-core/src/views/index.ts
@@ -30,12 +30,12 @@
 *
 * views.registerView(
 *   { id: 'my_ext.result_stats', name: 'Result Stats', location: 'sqllab.panels' },
- *   () => <ResultStatsPanel />,
+ *   ResultStatsPanel,
 * );
 * ```
 */

-import { ReactElement } from 'react';
+import { ComponentType } from 'react';
 import { Disposable, Event } from '../common';

 /**
@@ -58,7 +58,7 @@ export interface View {
 *
 * @param view The view descriptor (id and name).
 * @param location The location where this view should appear (e.g. "sqllab.panels").
- * @param provider A function that returns the React element to render.
+ * @param component The React component to render at that location.
 * @returns A Disposable that unregisters the view when disposed.
 *
 * @example
@@ -66,14 +66,14 @@ export interface View {
 * views.registerView(
 *   { id: 'my_ext.result_stats', name: 'Result Stats' },
 *   'sqllab.panels',
- *   () => <ResultStatsPanel />,
+ *   ResultStatsPanel,
 * );
 * ```
 */
 export declare function registerView(
  view: View,
  location: string,
-  provider: () => ReactElement,
+  component: ComponentType,
 ): Disposable;

 /**
--- a/superset-frontend/packages/superset-ui-chart-controls/package.json
+++ b/superset-frontend/packages/superset-ui-chart-controls/package.json
@@ -39,7 +39,7 @@
    "@testing-library/user-event": "*",
    "ace-builds": "^1.4.14",
    "brace": "^0.11.1",
-    "memoize-one": "^5.1.1",
+    "memoize-one": "^6.0.0",
    "react": "^18.3.0",
    "react-ace": "^10.1.0",
    "react-dom": "^18.3.0"
--- a/superset-frontend/packages/superset-ui-chart-controls/src/sections/advancedAnalytics.tsx
+++ b/superset-frontend/packages/superset-ui-chart-controls/src/sections/advancedAnalytics.tsx
@@ -132,6 +132,26 @@ export const advancedAnalyticsControls: ControlPanelSectionConfig = {
        },
      },
    ],
+    [
+      {
+        name: 'time_compare_full_range',
+        config: {
+          type: 'CheckboxControl',
+          label: t('Show full range for time shift'),
+          default: false,
+          description: t(
+            'Plot each time-shifted series across its full time range instead ' +
+              'of truncating it to the main series. Useful for comparing a ' +
+              'partial current period (e.g. today so far) against complete ' +
+              'prior periods (e.g. all of yesterday).',
+          ),
+          visibility: ({ controls }) =>
+            Boolean(controls?.time_compare?.value) &&
+            (!Array.isArray(controls?.time_compare?.value) ||
+              controls.time_compare.value.length > 0),
+        },
+      },
+    ],
    [
      {
        name: 'comparison_type',
--- a/superset-frontend/packages/superset-ui-chart-controls/src/types.ts
+++ b/superset-frontend/packages/superset-ui-chart-controls/src/types.ts
@@ -677,7 +677,9 @@ export interface ServerPaginationData {

 export type TableColumnConfig = {
  d3NumberFormat?: string;
-  d3SmallNumberFormat?: string;
+  // Allow null to match JSON round-trips, where an unset value deserializes
+  // from the metadata DB as `null` rather than `undefined`.
+  d3SmallNumberFormat?: string | null;
  d3TimeFormat?: string;
  columnWidth?: number;
  horizontalAlign?: 'left' | 'right' | 'center';
--- a/superset-frontend/packages/superset-ui-core/README.md
+++ b/superset-frontend/packages/superset-ui-core/README.md
@@ -22,21 +22,50 @@ under the License.
 [![Version](https://img.shields.io/npm/v/@superset-ui/core.svg?style=flat)](https://www.npmjs.com/package/@superset-ui/core)
 [![Libraries.io](https://img.shields.io/librariesio/release/npm/%40superset-ui%2Fcore?style=flat)](https://libraries.io/npm/@superset-ui%2Fcore)

-Description
+The core package for Apache Superset's frontend. It provides shared utilities,
+types, and abstractions used across all Superset chart plugins and UI components.
+
+Key modules include:
+
+- **query** — Utilities for building queries and calling the Superset API
+  (including `makeApi`)
+- **number-format** — Number formatting helpers powered by d3-format
+- **time-format** — Time/date formatting helpers powered by d3-time-format
+- **connection** — `SupersetClient`, the HTTP client for the Superset REST API
+- **chart** — Base classes and types for building chart plugins
+
+> **Note:** i18n utilities (`t`, `tn`, etc.) are no longer part of this package.
+> They now live in `@apache-superset/core`, imported from
+> `@apache-superset/core/translation`.

 #### Example usage

 ```js
-import { xxx } from '@superset-ui/core';
+import { getNumberFormatter, makeApi } from '@superset-ui/core';
+import { t } from '@apache-superset/core/translation';
+
+// Format a number
+const formatter = getNumberFormatter('.2f');
+console.log(formatter(1234.5)); // "1234.50"
+
+// Translate a string
+console.log(t('Hello %s', 'world'));
+
+// Call a Superset API endpoint
+const fetchDashboards = makeApi({
+  method: 'GET',
+  endpoint: '/api/v1/dashboard',
+});
 ```

-#### API
-
-`fn(args)`
-
- TBD
-
 ### Development

-`@data-ui/build-config` is used to manage the build configuration for this package including babel
-builds, jest testing, eslint, and prettier.
+`@data-ui/build-config` is used to manage the build configuration for this package
+including babel builds, jest testing, eslint, and prettier.
+
+Run tests:
+
+```bash
+cd superset-frontend
+npx jest packages/superset-ui-core
+```
--- a/superset-frontend/packages/superset-ui-core/package.json
+++ b/superset-frontend/packages/superset-ui-core/package.json
@@ -29,7 +29,7 @@
    "@babel/runtime": "^7.29.7",
    "@braintree/sanitize-url": "^7.1.2",
    "@types/json-bigint": "^1.0.4",
-    "@visx/responsive": "^3.12.0",
+    "@visx/responsive": "^4.0.0",
    "ace-builds": "^1.44.0",
    "ag-grid-community": "35.3.1",
    "ag-grid-react": "35.3.1",
@@ -43,7 +43,7 @@
    "d3-time": "^3.1.0",
    "d3-time-format": "^4.1.0",
    "dayjs": "^1.11.21",
-    "dompurify": "^3.4.9",
+    "dompurify": "^3.4.11",
    "fetch-retry": "^6.0.0",
    "handlebars": "^4.7.9",
    "jed": "^1.1.1",
@@ -77,7 +77,7 @@
    "@types/d3-time-format": "^4.0.3",
    "@types/jquery": "^4.0.1",
    "@types/lodash": "^4.17.24",
-    "@types/node": "^25.9.2",
+    "@types/node": "^25.9.3",
    "@types/prop-types": "^15.7.15",
    "@types/react-syntax-highlighter": "^15.5.13",
    "@types/react-table": "^7.7.20",
--- a/superset-frontend/packages/superset-ui-core/src/components/Icons/AntdEnhanced.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/Icons/AntdEnhanced.tsx
@@ -86,6 +86,7 @@ import {
  FundProjectionScreenOutlined,
  FunctionOutlined,
  HighlightOutlined,
+  HomeOutlined,
  InfoCircleOutlined,
  InfoCircleFilled,
  InsertRowAboveOutlined,
@@ -243,6 +244,7 @@ const AntdIcons = {
  GoogleOutlined,
  GroupOutlined,
  HighlightOutlined,
+  HomeOutlined,
  InfoCircleOutlined,
  InfoCircleFilled,
  InsertRowAboveOutlined,
--- a/superset-frontend/packages/superset-ui-core/src/components/SafeMarkdown/SafeMarkdown.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/SafeMarkdown/SafeMarkdown.tsx
@@ -22,7 +22,7 @@ import rehypeSanitize, { defaultSchema } from 'rehype-sanitize';
 // remark-gfm v4+ requires react-markdown v9+, which requires React 18.
 // Currently pinned to v3.0.1 for compatibility with react-markdown v8 and React 17.
 import remarkGfm from 'remark-gfm';
-import { mergeWith } from 'lodash';
+import { cloneDeep, mergeWith } from 'lodash';
 import { FeatureFlag, isFeatureEnabled } from '../../utils';

 interface SafeMarkdownProps {
@@ -74,7 +74,10 @@ export function transformLinkUri(uri: string): string {
  // "java\tscript:" or "java\x01script:") are ignored by browsers, so strip
  // them before comparing against the blocklist.
  // eslint-disable-next-line no-control-regex
-  const scheme = url.slice(0, colon).replace(/[\u0000-\u0020]/g, '').toLowerCase();
+  const scheme = url
+    .slice(0, colon)
+    .replace(/[\u0000-\u0020]/g, '')
+    .toLowerCase();
  return DANGEROUS_LINK_PROTOCOLS.includes(scheme) ? '' : url;
 }

@@ -82,8 +85,15 @@ export function getOverrideHtmlSchema(
  originalSchema: typeof defaultSchema,
  htmlSchemaOverrides: SafeMarkdownProps['htmlSchemaOverrides'],
 ) {
-  return mergeWith(originalSchema, htmlSchemaOverrides, (objValue, srcValue) =>
-    Array.isArray(objValue) ? objValue.concat(srcValue) : undefined,
+  // Merge into a fresh clone: mergeWith mutates its first argument, and the
+  // array customizer concatenates, so merging into the shared defaultSchema
+  // import would progressively widen the sanitization allowlist for every
+  // SafeMarkdown instance app-wide.
+  return mergeWith(
+    cloneDeep(originalSchema),
+    htmlSchemaOverrides,
+    (objValue, srcValue) =>
+      Array.isArray(objValue) ? objValue.concat(srcValue) : undefined,
  );
 }

--- a/superset-frontend/packages/superset-ui-core/src/components/Select/Select.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/Select/Select.tsx
@@ -519,7 +519,8 @@ const Select = forwardRef(
              handleSelectAll();
            }}
          >
-            {t('Select all')} {`(${formatNumber('SMART_NUMBER', bulkSelectCounts.selectable)})`}
+            {t('Select all')}{' '}
+            {`(${formatNumber('SMART_NUMBER', bulkSelectCounts.selectable)})`}
          </Button>
          <Button
            type="link"
@@ -536,7 +537,8 @@ const Select = forwardRef(
              handleDeselectAll();
            }}
          >
-            {t('Clear')} {`(${formatNumber('SMART_NUMBER', bulkSelectCounts.deselectable)})`}
+            {t('Clear')}{' '}
+            {`(${formatNumber('SMART_NUMBER', bulkSelectCounts.deselectable)})`}
          </Button>
        </StyledBulkActionsContainer>
      ),
--- a/superset-frontend/packages/superset-ui-core/src/connection/SupersetClient.ts
+++ b/superset-frontend/packages/superset-ui-core/src/connection/SupersetClient.ts
@@ -52,6 +52,14 @@ const SupersetClient: SupersetClientInterface = {
  request: request => getInstance().request(request),
  getCSRFToken: () => getInstance().getCSRFToken(),
  getUrl: (...args) => getInstance().getUrl(...args),
+  postBlob: (endpoint, payload) => getInstance().postBlob(endpoint, payload),
+  get guestTokenHeaderName() {
+    try {
+      return getInstance().guestTokenHeaderName;
+    } catch {
+      return 'X-GuestToken';
+    }
+  },
 };

 export default SupersetClient;
--- a/superset-frontend/packages/superset-ui-core/src/connection/SupersetClientClass.ts
+++ b/superset-frontend/packages/superset-ui-core/src/connection/SupersetClientClass.ts
@@ -150,6 +150,26 @@ export default class SupersetClientClass {
    }
  }

+  /**
+   * POST request that returns a blob for file downloads.
+   * Unlike postForm, this uses AJAX so errors can be caught and handled.
+   * @param endpoint - API endpoint
+   * @param payload - Request payload
+   * @returns Promise resolving to Response with blob
+   */
+  async postBlob(
+    endpoint: string,
+    payload: Record<string, any>,
+  ): Promise<Response> {
+    await this.ensureAuth();
+    return this.post({
+      endpoint,
+      postPayload: payload,
+      parseMethod: 'raw',
+      stringify: false,
+    });
+  }
+
  async reAuthenticate() {
    return this.init(true);
  }
--- a/superset-frontend/packages/superset-ui-core/src/connection/types.ts
+++ b/superset-frontend/packages/superset-ui-core/src/connection/types.ts
@@ -152,6 +152,7 @@ export interface SupersetClientInterface extends Pick<
  | 'get'
  | 'post'
  | 'postForm'
+  | 'postBlob'
  | 'put'
  | 'request'
  | 'init'
@@ -163,6 +164,7 @@ export interface SupersetClientInterface extends Pick<
  configure: (config?: ClientConfig) => SupersetClientInterface;
  reset: () => void;
  getCSRFToken: () => CsrfPromise;
+  guestTokenHeaderName?: string;
 }

 export type SupersetClientResponse = Response | JsonResponse | TextResponse;
--- a/superset-frontend/packages/superset-ui-core/src/currency-format/CurrencyFormatter.ts
+++ b/superset-frontend/packages/superset-ui-core/src/currency-format/CurrencyFormatter.ts
@@ -18,7 +18,11 @@
 */

 import { ExtensibleFunction } from '../models';
-import { getNumberFormatter, NumberFormats } from '../number-format';
+// Import from the concrete modules rather than the `number-format` barrel to
+// avoid a circular dependency (the barrel pulls in getSmallNumberFormatter,
+// which imports CurrencyFormatter).
+import { getNumberFormatter } from '../number-format/NumberFormatterRegistrySingleton';
+import NumberFormats from '../number-format/NumberFormats';
 import { Currency } from '../query';
 import { RowData, RowDataValue } from './types';
 import { AUTO_CURRENCY_SYMBOL, ISO_4217_REGEX } from './CurrencyFormats';
--- a/superset-frontend/packages/superset-ui-core/src/number-format/getSmallNumberFormatter.ts
+++ b/superset-frontend/packages/superset-ui-core/src/number-format/getSmallNumberFormatter.ts
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { CurrencyFormatter } from '../currency-format';
+import { Currency } from '../query';
+import NumberFormatter from './NumberFormatter';
+import { getNumberFormatter } from './NumberFormatterRegistrySingleton';
+
+/**
+ * Returns the appropriate formatter for small numbers (|value| < 1).
+ *
+ * When `d3SmallNumberFormat` is nullish or blank the caller's default
+ * formatter is returned unchanged, which preserves percentage formats
+ * that would otherwise be lost.
+ *
+ * Handles the cases where `d3SmallNumberFormat` is `null` (from JSON
+ * serialization of `undefined`) or `""` (from a cleared Select control).
+ *
+ * The generic parameter `F` allows callers to pass any formatter type
+ * (e.g. TimeFormatter, CustomFormatter) without a circular dependency
+ * on @superset-ui/chart-controls.
+ */
+export default function getSmallNumberFormatter<F>(
+  defaultFormatter: F,
+  d3SmallNumberFormat: string | null | undefined,
+  currencyFormat?: Currency,
+): F | NumberFormatter | CurrencyFormatter {
+  if (d3SmallNumberFormat == null || d3SmallNumberFormat.trim() === '') {
+    return defaultFormatter;
+  }
+  if (currencyFormat) {
+    return new CurrencyFormatter({
+      d3Format: d3SmallNumberFormat,
+      currency: currencyFormat,
+    });
+  }
+  return getNumberFormatter(d3SmallNumberFormat);
+}
--- a/superset-frontend/packages/superset-ui-core/src/number-format/index.ts
+++ b/superset-frontend/packages/superset-ui-core/src/number-format/index.ts
@@ -34,3 +34,4 @@ export { default as createDurationFormatter } from './factories/createDurationFo
 export { default as createMemoryFormatter } from './factories/createMemoryFormatter';
 export { default as createSiAtMostNDigitFormatter } from './factories/createSiAtMostNDigitFormatter';
 export { default as createSmartNumberFormatter } from './factories/createSmartNumberFormatter';
+export { default as getSmallNumberFormatter } from './getSmallNumberFormatter';
--- a/superset-frontend/packages/superset-ui-core/test/components/SafeMarkdown.test.tsx
+++ b/superset-frontend/packages/superset-ui-core/test/components/SafeMarkdown.test.tsx
@@ -17,6 +17,8 @@
 * under the License.
 */
 import { render } from '@testing-library/react';
+import { cloneDeep } from 'lodash';
+import { defaultSchema } from 'rehype-sanitize';
 import {
  getOverrideHtmlSchema,
  SafeMarkdown,
@@ -51,6 +53,36 @@ describe('getOverrideHtmlSchema', () => {
    expect(result.attributes).toEqual({ '*': ['size', 'src'], h1: ['style'] });
    expect(result.tagNames).toEqual(['h1', 'h2', 'h3', 'iframe']);
  });
+
+  test('should not mutate the original schema', () => {
+    const original = {
+      attributes: { '*': ['size'] },
+      tagNames: ['h1'],
+    };
+    getOverrideHtmlSchema(original, {
+      attributes: { '*': ['src'] },
+      tagNames: ['iframe'],
+    });
+    // The original passed in is left untouched.
+    expect(original.attributes).toEqual({ '*': ['size'] });
+    expect(original.tagNames).toEqual(['h1']);
+  });
+
+  test('should not mutate the shared defaultSchema import or accumulate across calls', () => {
+    const snapshot = cloneDeep(defaultSchema);
+    const overrides = { tagNames: ['iframe'] };
+
+    const first = getOverrideHtmlSchema(defaultSchema, overrides);
+    const second = getOverrideHtmlSchema(defaultSchema, overrides);
+
+    // The shared singleton is never modified...
+    expect(defaultSchema).toEqual(snapshot);
+    // ...and repeated calls do not accumulate the override (no growing arrays).
+    expect(first.tagNames).toEqual(second.tagNames);
+    expect(
+      (second.tagNames ?? []).filter(name => name === 'iframe'),
+    ).toHaveLength(1);
+  });
 });

 describe('transformLinkUri', () => {
--- a/superset-frontend/packages/superset-ui-core/test/connection/SupersetClient.test.ts
+++ b/superset-frontend/packages/superset-ui-core/test/connection/SupersetClient.test.ts
@@ -36,12 +36,13 @@ describe('SupersetClient', () => {
    getUrl: (...args: unknown[]) => string;
  };

-  test('exposes configure, init, get, post, postForm, delete, put, request, reset, getGuestToken, getCSRFToken, getUrl, isAuthenticated, and reAuthenticate methods', () => {
+  test('exposes configure, init, get, post, postForm, postBlob, delete, put, request, reset, getGuestToken, getCSRFToken, getUrl, isAuthenticated, and reAuthenticate methods', () => {
    expect(typeof SupersetClient.configure).toBe('function');
    expect(typeof SupersetClient.init).toBe('function');
    expect(typeof SupersetClient.get).toBe('function');
    expect(typeof SupersetClient.post).toBe('function');
    expect(typeof SupersetClient.postForm).toBe('function');
+    expect(typeof SupersetClient.postBlob).toBe('function');
    expect(typeof SupersetClient.delete).toBe('function');
    expect(typeof SupersetClient.put).toBe('function');
    expect(typeof SupersetClient.request).toBe('function');
@@ -53,11 +54,12 @@ describe('SupersetClient', () => {
    expect(typeof SupersetClient.reAuthenticate).toBe('function');
  });

-  test('throws if you call init, get, post, postForm, delete, put, request, getGuestToken, getCSRFToken, getUrl, isAuthenticated, or reAuthenticate before configure', () => {
+  test('throws if you call init, get, post, postForm, postBlob, delete, put, request, getGuestToken, getCSRFToken, getUrl, isAuthenticated, or reAuthenticate before configure', () => {
    expect(SupersetClient.init).toThrow();
    expect(SupersetClient.get).toThrow();
    expect(SupersetClient.post).toThrow();
    expect(SupersetClient.postForm).toThrow();
+    expect(SupersetClient.postBlob).toThrow();
    expect(SupersetClient.delete).toThrow();
    expect(SupersetClient.put).toThrow();
    expect(SupersetClient.request).toThrow();
@@ -172,4 +174,15 @@ describe('SupersetClient', () => {
    const token = await SupersetClient.getCSRFToken();
    expect(token).toBe('my_token');
  });
+
+  test('guestTokenHeaderName returns the configured header name when instance exists', () => {
+    SupersetClient.configure({ guestTokenHeaderName: 'X-Custom-Guest' });
+    expect(SupersetClient.guestTokenHeaderName).toBe('X-Custom-Guest');
+  });
+
+  test('guestTokenHeaderName returns default X-GuestToken when instance is not configured', () => {
+    // Ensure instance is reset (afterEach calls SupersetClient.reset())
+    // Access the property without calling configure() first
+    expect(SupersetClient.guestTokenHeaderName).toBe('X-GuestToken');
+  });
 });
--- a/superset-frontend/packages/superset-ui-core/test/connection/SupersetClientClass.test.ts
+++ b/superset-frontend/packages/superset-ui-core/test/connection/SupersetClientClass.test.ts
@@ -780,4 +780,75 @@ describe('SupersetClientClass', () => {
      expect(authSpy).toHaveBeenCalledTimes(0);
    });
  });
+
+  describe('.postBlob()', () => {
+    const protocol = 'https:';
+    const host = 'host';
+    const mockPostBlobEndpoint = '/api/v1/chart/data';
+    const mockPostBlobUrl = `${protocol}//${host}${mockPostBlobEndpoint}`;
+    const postBlobPayload = { form_data: '{"viz_type":"table"}' };
+
+    let authSpy: jest.SpyInstance;
+    let client: SupersetClientClass;
+
+    beforeEach(async () => {
+      fetchMock.removeRoute(LOGIN_GLOB);
+      fetchMock.get(LOGIN_GLOB, { result: 1234 }, { name: LOGIN_GLOB });
+
+      client = new SupersetClientClass({ protocol, host });
+      await client.init();
+      authSpy = jest.spyOn(SupersetClientClass.prototype, 'ensureAuth');
+    });
+
+    afterEach(() => {
+      jest.restoreAllMocks();
+    });
+
+    test('calls ensureAuth and delegates to post with raw parseMethod', async () => {
+      const mockResponse = new Response('csv data', { status: 200 });
+      const postSpy = jest
+        .spyOn(client, 'post')
+        .mockResolvedValue(mockResponse);
+
+      const response = await client.postBlob(
+        mockPostBlobEndpoint,
+        postBlobPayload,
+      );
+
+      expect(authSpy).toHaveBeenCalledTimes(1);
+      expect(postSpy).toHaveBeenCalledWith({
+        endpoint: mockPostBlobEndpoint,
+        postPayload: postBlobPayload,
+        parseMethod: 'raw',
+        stringify: false,
+      });
+      expect(response).toBe(mockResponse);
+    });
+
+    test('passes payload in request body', async () => {
+      fetchMock.post(mockPostBlobUrl, {
+        status: 200,
+        body: 'csv data',
+      });
+
+      await client.postBlob(mockPostBlobEndpoint, postBlobPayload);
+
+      const fetchRequest = fetchMock.callHistory.calls(mockPostBlobUrl)[0]
+        .options as CallApi;
+      const formData = fetchRequest.body as FormData;
+
+      expect(formData.get('form_data')).toBe(postBlobPayload.form_data);
+    });
+
+    test('rejects when response is not ok', async () => {
+      fetchMock.post(mockPostBlobUrl, {
+        status: 413,
+        body: 'Payload Too Large',
+      });
+
+      await expect(
+        client.postBlob(mockPostBlobEndpoint, postBlobPayload),
+      ).rejects.toMatchObject({ status: 413 });
+    });
+  });
 });
--- a/superset-frontend/packages/superset-ui-core/test/number-format/getSmallNumberFormatter.test.ts
+++ b/superset-frontend/packages/superset-ui-core/test/number-format/getSmallNumberFormatter.test.ts
@@ -0,0 +1,82 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import {
+  CurrencyFormatter,
+  getNumberFormatter,
+  getSmallNumberFormatter,
+  NumberFormatter,
+} from '@superset-ui/core';
+
+const defaultFormatter = getNumberFormatter('.8%');
+
+describe('getSmallNumberFormatter', () => {
+  test('returns defaultFormatter when d3SmallNumberFormat is undefined', () => {
+    expect(getSmallNumberFormatter(defaultFormatter, undefined)).toBe(
+      defaultFormatter,
+    );
+  });
+
+  test('returns defaultFormatter when d3SmallNumberFormat is null (JSON round-trip)', () => {
+    expect(getSmallNumberFormatter(defaultFormatter, null)).toBe(
+      defaultFormatter,
+    );
+  });
+
+  test('returns defaultFormatter when d3SmallNumberFormat is empty string (cleared Select)', () => {
+    expect(getSmallNumberFormatter(defaultFormatter, '')).toBe(
+      defaultFormatter,
+    );
+  });
+
+  test('returns defaultFormatter when d3SmallNumberFormat is whitespace', () => {
+    expect(getSmallNumberFormatter(defaultFormatter, '  ')).toBe(
+      defaultFormatter,
+    );
+  });
+
+  test('returns a NumberFormatter when d3SmallNumberFormat is a valid format', () => {
+    const result = getSmallNumberFormatter(defaultFormatter, ',.4f');
+    expect(result).toBeInstanceOf(NumberFormatter);
+    expect(result).not.toBe(defaultFormatter);
+    expect(result!(0.12345)).toBe('0.1235');
+  });
+
+  test('returns a CurrencyFormatter when currencyFormat is provided', () => {
+    const result = getSmallNumberFormatter(defaultFormatter, ',.4f', {
+      symbol: 'USD',
+      symbolPosition: 'prefix',
+    });
+    expect(result).toBeInstanceOf(CurrencyFormatter);
+    expect(result!(0.12345)).toContain('0.1235');
+    expect(result!(0.12345)).toContain('$');
+  });
+
+  test('preserves percentage formatter output for small numbers when d3SmallNumberFormat is null', () => {
+    const pctFormatter = getNumberFormatter('.8%');
+    const result = getSmallNumberFormatter(pctFormatter, null);
+    expect(result!(-0.00001229)).toBe('-0.00122900%');
+  });
+
+  test('returns undefined when defaultFormatter is undefined and d3SmallNumberFormat is nullish', () => {
+    expect(getSmallNumberFormatter(undefined, null)).toBeUndefined();
+    expect(getSmallNumberFormatter(undefined, undefined)).toBeUndefined();
+    expect(getSmallNumberFormatter(undefined, '')).toBeUndefined();
+  });
+});
--- a/superset-frontend/playwright/tests/chart/handlebars-format-date.spec.ts
+++ b/superset-frontend/playwright/tests/chart/handlebars-format-date.spec.ts
@@ -97,8 +97,11 @@ testWithAssets(
    });

    // At least one list item should contain a DD.MM.YYYY formatted date.
-    await expect(panel.locator('li').first()).toHaveText(/\d{2}\.\d{2}\.\d{4}/, {
-      timeout: TIMEOUT.API_RESPONSE,
-    });
+    await expect(panel.locator('li').first()).toHaveText(
+      /\d{2}\.\d{2}\.\d{4}/,
+      {
+        timeout: TIMEOUT.API_RESPONSE,
+      },
+    );
  },
 );
--- a/Show More
+++ b/Show More