chore(deps): bump selenium 4.14.0+ (#25933 )

Co-authored-by: Evan Rusackas <evan@rusackas.com>
fix(Embedded): Skip CSRF validation for dashboard download endpoints (#31798 )
2026-05-04 23:44:23 +00:00 · 2025-01-13 14:52:29 -07:00 · 2025-01-13 16:50:24 -03:00 · 2025-01-13 11:11:23 -08:00 · 2025-01-13 18:30:32 +01:00 · 2025-01-13 17:30:29 +01:00
1275 changed files with 46541 additions and 30610 deletions
--- a/.asf.yaml
+++ b/.asf.yaml
@@ -53,6 +53,9 @@ github:
    merge: false
    rebase: false

+  ghp_branch:  gh-pages
+  ghp_path: /
+
  protected_branches:
    master:
      required_status_checks:
@@ -69,18 +72,16 @@ github:
          - cypress-matrix (3, chrome)
          - cypress-matrix (4, chrome)
          - cypress-matrix (5, chrome)
+          - dependency-review
          - frontend-build
          - pre-commit (current)
-          - pre-commit (next)
          - pre-commit (previous)
          - test-mysql
          - test-postgres (current)
-          - test-postgres (next)
          - test-postgres-hive
          - test-postgres-presto
          - test-sqlite
          - unit-tests (current)
-          - unit-tests (next)

      required_pull_request_reviews:
        dismiss_stale_reviews: false
@@ -88,3 +89,10 @@ github:
        required_approving_review_count: 1

      required_signatures: false
+    gh-pages:
+      required_pull_request_reviews:
+        dismiss_stale_reviews: false
+        require_code_owner_reviews: true
+        required_approving_review_count: 1
+
+      required_signatures: false
--- a/.dockerignore
+++ b/.dockerignore
@@ -34,7 +34,6 @@
 **/*.sqllite
 **/*.swp
 **/.terser-plugin-cache/
-**/.storybook/
 **/node_modules/

 tests/
@@ -42,6 +41,8 @@ docs/
 install/
 superset-frontend/cypress-base/
 superset-frontend/coverage/
+superset-frontend/.temp_cache/
 superset/static/assets/
 superset-websocket/dist/
 venv
+.venv
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,3 @@
 docker/**/*.sh text eol=lf
 *.svg binary
+*.ipynb binary
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -12,21 +12,21 @@

 # Notify Helm Chart maintainers about changes in it

-/helm/superset/ @craig-rueda @dpgaspar @villebro @nytai @michael-s-molina
+/helm/superset/ @craig-rueda @dpgaspar @villebro @nytai @michael-s-molina @mistercrunch @rusackas @Antonio-RiveroMartnez

 # Notify E2E test maintainers of changes

-/superset-frontend/cypress-base/ @jinghua-qa @geido @eschutho @rusackas @betodealmeida
+/superset-frontend/cypress-base/ @sadpandajoe @geido @eschutho @rusackas @betodealmeida

 # Notify PMC members of changes to GitHub Actions

-/.github/ @villebro @geido @eschutho @rusackas @betodealmeida @nytai @mistercrunch @craig-rueda @john-bodley @kgabryje @dpgaspar
+/.github/ @villebro @geido @eschutho @rusackas @betodealmeida @nytai @mistercrunch @craig-rueda @kgabryje @dpgaspar

 # Notify PMC members of changes to required GitHub Actions

-/.asf.yaml @villebro @geido @eschutho @rusackas @betodealmeida @nytai @mistercrunch @craig-rueda @john-bodley @kgabryje @dpgaspar
+/.asf.yaml @villebro @geido @eschutho @rusackas @betodealmeida @nytai @mistercrunch @craig-rueda @kgabryje @dpgaspar @Antonio-RiveroMartnez

-# Maps are a finnicky contribution process we care about
+# Maps are a finicky contribution process we care about

 **/*.geojson @villebro @rusackas
 /superset-frontend/plugins/legacy-plugin-chart-country-map/ @villebro @rusackas
--- a/.github/ISSUE_TEMPLATE/bug-report.yml
+++ b/.github/ISSUE_TEMPLATE/bug-report.yml
@@ -41,8 +41,8 @@ body:
      label: Superset version
      options:
        - master / latest-dev
-        - "4.1.0"
-        - "3.1.3"
+        - "4.1.1"
+        - "4.0.2"
    validations:
      required: true
  - type: dropdown
--- a/.github/actions/change-detector/label-draft-pr.yml
+++ b/.github/actions/change-detector/label-draft-pr.yml
@@ -0,0 +1,23 @@
+name: Label Draft PRs
+on:
+  pull_request:
+    types:
+      - opened
+      - converted_to_draft
+jobs:
+  label-draft:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check if the PR is a draft
+        id: check-draft
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const isDraft = context.payload.pull_request.draft;
+            core.setOutput('isDraft', isDraft);
+      - name: Add `review:draft` Label
+        if: steps.check-draft.outputs.isDraft == 'true'
+        uses: actions-ecosystem/action-add-labels@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          labels: "review:draft"
--- a/.github/actions/setup-backend/action.yml
+++ b/.github/actions/setup-backend/action.yml
@@ -43,11 +43,14 @@ runs:
      run: |
        if [ "${{ inputs.install-superset }}" = "true" ]; then
          sudo apt-get update && sudo apt-get -y install libldap2-dev libsasl2-dev
-          pip install --upgrade pip setuptools wheel
+          pip install --upgrade pip setuptools wheel uv
+
          if [ "${{ inputs.requirements-type }}" = "dev" ]; then
-            pip install -r requirements/development.txt
+            uv pip install --system -r requirements/development.txt
          elif [ "${{ inputs.requirements-type }}" = "base" ]; then
-            pip install -r requirements/base.txt
+            uv pip install --system -r requirements/base.txt
          fi
+
+          uv pip install --system -e .
        fi
      shell: bash
--- a/.github/actions/setup-docker/action.yml
+++ b/.github/actions/setup-docker/action.yml
@@ -0,0 +1,69 @@
+name: "Setup Docker Environment"
+description: "Reusable steps for setting up QEMU, Docker Buildx, DockerHub login, Supersetbot, and optionally Docker Compose"
+inputs:
+  build:
+    description: "Used for building?"
+    required: false
+    default: "false"
+  dockerhub-user:
+    description: "DockerHub username"
+    required: false
+  dockerhub-token:
+    description: "DockerHub token"
+    required: false
+  install-docker-compose:
+    description: "Flag to install Docker Compose"
+    required: false
+    default: "true"
+  login-to-dockerhub:
+    description: "Whether you want to log into dockerhub"
+    required: false
+    default: "true"
+outputs: {}
+runs:
+  using: "composite"
+  steps:
+
+    - name: Set up QEMU
+      if: ${{ inputs.build == 'true' }}
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      if: ${{ inputs.build == 'true' }}
+      uses: docker/setup-buildx-action@v3
+
+    - name: Try to login to DockerHub
+      if: ${{ inputs.login-to-dockerhub == 'true' }}
+      continue-on-error: true
+      uses: docker/login-action@v3
+      with:
+        username: ${{ inputs.dockerhub-user }}
+        password: ${{ inputs.dockerhub-token }}
+
+    - name: Install Docker Compose
+      if: ${{ inputs.install-docker-compose == 'true' }}
+      shell: bash
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y ca-certificates curl
+        sudo install -m 0755 -d /etc/apt/keyrings
+
+        # Download and save the Docker GPG key in the correct format
+        curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+
+        # Ensure the key file is readable
+        sudo chmod a+r /etc/apt/keyrings/docker.gpg
+
+        # Add the Docker repository using the correct key
+        echo \
+          "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
+          $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+          sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+
+        # Update package lists and install Docker Compose plugin
+        sudo apt update
+        sudo apt install -y docker-compose-plugin
+
+    - name: Docker Version Info
+      shell: bash
+      run: docker info
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -22,8 +22,7 @@ updates:


  # - package-ecosystem: "pip"
-  # NOTE: as dependabot isn't compatible with our python
-  # dependency setup (pip-compile-multi), we'll be using
+  # NOTE: as dependabot isn't compatible with our usage of `uv pip compile` we're using
  # `supersetbot` instead

  - package-ecosystem: "npm"
--- a/.github/workflows/bump-python-package.yml
+++ b/.github/workflows/bump-python-package.yml
@@ -14,10 +14,16 @@ on:
        required: true
        description: Max number of PRs to open (0 for no limit)
        default: 5
+      extra-flags:
+        required: false
+        default: --only-base
+        description: Additional flags to pass to the bump-python command
+  #schedule:
+  #  - cron: '0 0 * * *'  # Runs daily at midnight UTC

 jobs:
  bump-python-package:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    permissions:
      actions: write
      contents: write
@@ -39,8 +45,8 @@ jobs:
        with:
          python-version: "3.10"

-      - name: Install pip-compile-multi
-        run: pip install pip-compile-multi
+      - name: Install uv
+        run: pip install uv

      - name: supersetbot bump-python -p "${{ github.event.inputs.package }}"
        env:
@@ -59,10 +65,13 @@ jobs:
            GROUP_OPT="-g ${{ github.event.inputs.group }}"
          fi

+          EXTRA_FLAGS="${{ github.event.inputs.extra-flags }}"
+
          supersetbot bump-python \
            --verbose \
            --use-current-repo \
            --include-subpackages \
            --limit ${{ github.event.inputs.limit }} \
            $PACKAGE_OPT \
-            $GROUP_OPT
+            $GROUP_OPT \
+            $EXTRA_FLAGS
--- a/.github/workflows/cancel_duplicates.yml
+++ b/.github/workflows/cancel_duplicates.yml
@@ -9,7 +9,7 @@ on:
 jobs:
  cancel-duplicate-runs:
    name: Cancel duplicate workflow runs
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    permissions:
      actions: write
      contents: read
--- a/.github/workflows/check-python-deps.yml
+++ b/.github/workflows/check-python-deps.yml
@@ -0,0 +1,44 @@
+name: Check python dependencies
+
+on:
+  push:
+    branches:
+      - "master"
+      - "[0-9].[0-9]*"
+  pull_request:
+    types: [synchronize, opened, reopened, ready_for_review]
+
+# cancel previous workflow jobs for PRs
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  check-python-deps:
+    runs-on: ubuntu-22.04
+    steps:
+
+      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          submodules: recursive
+          depth: 1
+
+      - name: Setup Python
+        if: steps.check.outputs.python
+        uses: ./.github/actions/setup-backend/
+
+      - name: Run uv
+        if: steps.check.outputs.python
+        run: ./scripts/uv-pip-compile.sh
+
+      - name: Check for uncommitted changes
+        run: |
+          if [[ -n "$(git diff)" ]]; then
+            echo "ERROR: The pinned dependencies are not up-to-date."
+            echo "Please run './scripts/uv-pip-compile.sh' and commit the changes."
+            exit 1
+          else
+            echo "Pinned dependencies are up-to-date."
+          fi
--- a/.github/workflows/check_db_migration_confict.yml
+++ b/.github/workflows/check_db_migration_confict.yml
@@ -19,7 +19,7 @@ concurrency:
 jobs:
  check_db_migration_conflict:
    name: Check DB migration conflict
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    permissions:
      contents: read
      pull-requests: write
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -17,7 +17,7 @@ concurrency:
 jobs:
  analyze:
    name: Analyze
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    permissions:
      actions: read
      contents: read
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -5,14 +5,26 @@
 # Source repository: https://github.com/actions/dependency-review-action
 # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
 name: "Dependency Review"
-on: [pull_request]
+on:
+  push:
+    branches:
+      - "master"
+      - "[0-9].[0-9]*"
+  pull_request:
+    types: [synchronize, opened, reopened, ready_for_review]
+
+# cancel previous workflow jobs for PRs
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true

 permissions:
  contents: read

 jobs:
  dependency-review:
-    runs-on: ubuntu-22.04
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout Repository"
        uses: actions/checkout@v4
@@ -32,4 +44,25 @@ jobs:
          #   license: https://applitools.com/legal/open-source-terms-of-use/
          # pkg:npm/node-forge@1.3.1
          #   selecting BSD-3-Clause licensing terms for node-forge to ensure compatibility with Apache
-          allow-dependencies-licenses: pkg:npm/store2@2.14.2, pkg:npm/applitools/core, pkg:npm/applitools/core-base, pkg:npm/applitools/css-tree, pkg:npm/applitools/ec-client, pkg:npm/applitools/eg-socks5-proxy-server, pkg:npm/applitools/eyes, pkg:npm/applitools/eyes-cypress, pkg:npm/applitools/nml-client, pkg:npm/applitools/tunnel-client, pkg:npm/applitools/utils, pkg:npm/node-forge@1.3.1, pkg:npm/rgbcolor
+          allow-dependencies-licenses: pkg:npm/store2@2.14.2, pkg:npm/applitools/core, pkg:npm/applitools/core-base, pkg:npm/applitools/css-tree, pkg:npm/applitools/ec-client, pkg:npm/applitools/eg-socks5-proxy-server, pkg:npm/applitools/eyes, pkg:npm/applitools/eyes-cypress, pkg:npm/applitools/nml-client, pkg:npm/applitools/tunnel-client, pkg:npm/applitools/utils, pkg:npm/node-forge@1.3.1, pkg:npm/rgbcolor, pkg:npm/jszip@3.10.1
+
+  python-dependency-liccheck:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: "Checkout Repository"
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: ./.github/actions/setup-backend/
+        with:
+          requirements-type: base
+
+      - name: "Set up liccheck"
+        run: |
+          uv pip install --system liccheck
+      - name: "Run liccheck"
+        run: |
+          # run the checks
+          liccheck -R output.txt
+          # Print the report
+          cat output.txt
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -14,21 +14,22 @@ concurrency:
  cancel-in-progress: true

 jobs:
+
  setup_matrix:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    outputs:
      matrix_config: ${{ steps.set_matrix.outputs.matrix_config }}
    steps:
      - id: set_matrix
        run: |
-          MATRIX_CONFIG=$(if [ "${{ github.event_name }}" == "pull_request" ]; then echo '["dev"]'; else echo '["dev", "lean", "py310", "websocket", "dockerize", "py311"]'; fi)
+          MATRIX_CONFIG=$(if [ "${{ github.event_name }}" == "pull_request" ]; then echo '["dev", "lean"]'; else echo '["dev", "lean", "py310", "websocket", "dockerize", "py311"]'; fi)
          echo "matrix_config=${MATRIX_CONFIG}" >> $GITHUB_OUTPUT
          echo $GITHUB_OUTPUT

  docker-build:
    name: docker-build
    needs: setup_matrix
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    strategy:
      matrix:
        build_preset: ${{fromJson(needs.setup_matrix.outputs.matrix_config)}}
@@ -36,6 +37,7 @@ jobs:
    env:
      DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+      IMAGE_TAG: apache/superset:GHA-${{ matrix.build_preset }}-${{ github.run_id }}

    steps:

@@ -50,21 +52,13 @@ jobs:
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

-      - name: Set up QEMU
+      - name: Setup Docker Environment
        if: steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        if: steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker
-        uses: docker/setup-buildx-action@v3
-
-      - name: Try to login to DockerHub
-        if: steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker
-        continue-on-error: true
-        uses: docker/login-action@v3
+        uses: ./.github/actions/setup-docker
        with:
-          username: ${{ secrets.DOCKERHUB_USER }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          dockerhub-user: ${{ secrets.DOCKERHUB_USER }}
+          dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
+          build: "true"

      - name: Setup supersetbot
        if: steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker
@@ -79,12 +73,65 @@ jobs:
          # Single platform builds in pull_request context to speed things up
          if [ "${{ github.event_name }}" = "push" ]; then
            PLATFORM_ARG="--platform linux/arm64 --platform linux/amd64"
+            # can only --load images in single-platform builds
+            PUSH_OR_LOAD="--push"
          elif [ "${{ github.event_name }}" = "pull_request" ]; then
            PLATFORM_ARG="--platform linux/amd64"
+            PUSH_OR_LOAD="--load"
          fi

          supersetbot docker \
+            $PUSH_OR_LOAD \
            --preset ${{ matrix.build_preset }} \
            --context "$EVENT" \
            --context-ref "$RELEASE" $FORCE_LATEST \
+            --extra-flags "--build-arg INCLUDE_CHROMIUM=false --tag $IMAGE_TAG" \
            $PLATFORM_ARG
+
+      # in the context of push (using multi-platform build), we need to pull the image locally
+      - name: Docker pull
+        if: github.event_name == 'push' && (steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker)
+        run:  docker pull $IMAGE_TAG
+
+      - name: Print docker stats
+        if: steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker
+        run: |
+          echo "SHA: ${{ github.sha }}"
+          echo "IMAGE: $IMAGE_TAG"
+          docker images $IMAGE_TAG
+          docker history $IMAGE_TAG
+
+      - name: docker-compose sanity check
+        if: (steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker) && (matrix.build_preset == 'dev' || matrix.build_preset == 'lean')
+        shell: bash
+        run: |
+          export SUPERSET_BUILD_TARGET=${{ matrix.build_preset }}
+          # This should reuse the CACHED image built in the previous steps
+          docker compose build superset-init --build-arg DEV_MODE=false --build-arg INCLUDE_CHROMIUM=false
+          docker compose up superset-init --exit-code-from superset-init
+
+  docker-compose-image-tag:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Check for file changes
+        id: check
+        uses: ./.github/actions/change-detector/
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Setup Docker Environment
+        if: steps.check.outputs.docker
+        uses: ./.github/actions/setup-docker
+        with:
+          dockerhub-user: ${{ secrets.DOCKERHUB_USER }}
+          dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
+          build: "false"
+          install-docker-compose: "true"
+      - name: docker-compose sanity check
+        if: steps.check.outputs.docker
+        shell: bash
+        run: |
+          docker compose -f docker-compose-image-tag.yml up superset-init --exit-code-from superset-init
--- a/.github/workflows/embedded-sdk-release.yml
+++ b/.github/workflows/embedded-sdk-release.yml
@@ -8,7 +8,7 @@ on:

 jobs:
  config:
-    runs-on: "ubuntu-22.04"
+    runs-on: ubuntu-24.04
    outputs:
      has-secrets: ${{ steps.check.outputs.has-secrets }}
    steps:
@@ -23,7 +23,7 @@ jobs:
  build:
    needs: config
    if: needs.config.outputs.has-secrets
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    defaults:
      run:
        working-directory: superset-embedded-sdk
--- a/.github/workflows/embedded-sdk-test.yml
+++ b/.github/workflows/embedded-sdk-test.yml
@@ -13,7 +13,7 @@ concurrency:

 jobs:
  embedded-sdk-test:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    defaults:
      run:
        working-directory: superset-embedded-sdk
--- a/.github/workflows/ephemeral-env-pr-close.yml
+++ b/.github/workflows/ephemeral-env-pr-close.yml
@@ -6,7 +6,7 @@ on:

 jobs:
  config:
-    runs-on: "ubuntu-22.04"
+    runs-on: ubuntu-24.04
    outputs:
      has-secrets: ${{ steps.check.outputs.has-secrets }}
    steps:
@@ -22,7 +22,7 @@ jobs:
    needs: config
    if: needs.config.outputs.has-secrets
    name: Cleanup ephemeral envs
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    permissions:
      pull-requests: write
    steps:
--- a/.github/workflows/ephemeral-env.yml
+++ b/.github/workflows/ephemeral-env.yml
@@ -1,37 +1,35 @@
 name: Ephemeral env workflow

+# Example manual trigger:  gh workflow run ephemeral-env.yml --ref fix_ephemerals  --field comment_body="/testenv up" --field issue_number=666
+
 on:
  issue_comment:
    types: [created]
+  workflow_dispatch:
+    inputs:
+      comment_body:
+        description: 'Comment body to simulate /testenv command'
+        required: true
+        default: '/testenv up'
+      issue_number:
+        description: 'Issue or PR number'
+        required: true

 jobs:
-  config:
-    runs-on: "ubuntu-22.04"
-    if: github.event.issue.pull_request
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.AWS_ACCESS_KEY_ID != '' && secrets.AWS_SECRET_ACCESS_KEY != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
  ephemeral-env-comment:
    concurrency:
-      group: ${{ github.workflow }}-${{ github.event.issue.number || github.run_id }}-comment
+      group: ${{ github.workflow }}-${{ github.event.inputs.issue_number || github.event.issue.number || github.run_id }}-comment
      cancel-in-progress: true
-    needs: config
-    if: needs.config.outputs.has-secrets
    name: Evaluate ephemeral env comment trigger (/testenv)
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    permissions:
      pull-requests: write
    outputs:
      slash-command: ${{ steps.eval-body.outputs.result }}
      feature-flags: ${{ steps.eval-feature-flags.outputs.result }}
+    env:
+      DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}

    steps:
    - name: Debug
@@ -40,22 +38,26 @@ jobs:

    - name: Eval comment body for /testenv slash command
      uses: actions/github-script@v7
+      env:
+        COMMENT_BODY: ${{ github.event.inputs.comment_body || github.event.comment.body }}
      id: eval-body
      with:
        result-encoding: string
        script: |
-          const pattern = /^\/testenv (up|down)/
-          const result = pattern.exec(context.payload.comment.body)
-          return result === null ? 'noop' : result[1]
+          const pattern = /^\/testenv (up|down)/;
+          const result = pattern.exec(process.env.COMMENT_BODY || '');
+          return result === null ? 'noop' : result[1];

-    - name: Eval comment body for feature flags
+    - name: Looking for feature flags
      uses: actions/github-script@v7
+      env:
+        COMMENT_BODY: ${{ github.event.inputs.comment_body || github.event.comment.body }}
      id: eval-feature-flags
      with:
        script: |
          const pattern = /FEATURE_(\w+)=(\w+)/g;
          let results = [];
-          [...context.payload.comment.body.matchAll(pattern)].forEach(match => {
+          [...process.env.COMMENT_BODY.matchAll(pattern)].forEach(match => {
            const config = {
              name: `SUPERSET_FEATURE_${match[1]}`,
              value: match[2],
@@ -67,28 +69,53 @@ jobs:
    - name: Limit to committers
      if: >
        steps.eval-body.outputs.result != 'noop' &&
+        github.event_name == 'issue_comment' &&
        github.event.comment.author_association != 'MEMBER' &&
        github.event.comment.author_association != 'OWNER'
      uses: actions/github-script@v7
      with:
-        github-token: ${{github.token}}
+        github-token: ${{ github.token }}
        script: |
-          const errMsg = '@${{ github.event.comment.user.login }} Ephemeral environment creation is currently limited to committers.'
+          const errMsg = '@${{ github.event.comment.user.login }} Ephemeral environment creation is currently limited to committers.';
          github.rest.issues.createComment({
            issue_number: ${{ github.event.issue.number }},
            owner: context.repo.owner,
            repo: context.repo.repo,
            body: errMsg
-          })
-          core.setFailed(errMsg)
+          });
+          core.setFailed(errMsg);
+
+    - name: Reply with confirmation comment
+      uses: actions/github-script@v7
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        script: |
+          const issueNumber = ${{ github.event.inputs.issue_number || github.event.issue.number }};
+          const user = '${{ github.event.comment.user.login || github.actor }}';
+          const action = '${{ steps.eval-body.outputs.result }}';
+          const runId = context.runId;
+          const workflowUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${runId}`;
+          const body = `@${user} Processing your ephemeral environment request [here](${workflowUrl}).`;
+          if (action !== 'noop') {
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: issueNumber,
+              body,
+            });
+          }
+          else {
+            core.setFailed('No ephemeral environment action detected.');
+          }

  ephemeral-docker-build:
    concurrency:
-      group: ${{ github.workflow }}-${{ github.event.issue.number || github.run_id }}-build
+      group: ${{ github.workflow }}-${{ github.event.inputs.issue_number || github.event.issue.number || github.run_id }}-build
      cancel-in-progress: true
    needs: ephemeral-env-comment
+    if: needs.ephemeral-env-comment.outputs.slash-command == 'up'
    name: ephemeral-docker-build
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
      - name: Get Info from comment
        uses: actions/github-script@v7
@@ -98,9 +125,9 @@ jobs:
            const request = {
                owner: context.repo.owner,
                repo: context.repo.repo,
-                pull_number: ${{ github.event.issue.number }},
-            }
-            core.info(`Getting PR #${request.pull_number} from ${request.owner}/${request.repo}`)
+                pull_number: ${{ github.event.inputs.issue_number || github.event.issue.number }},
+            };
+            core.info(`Getting PR #${request.pull_number} from ${request.owner}/${request.repo}`);
            const pr = await github.rest.pulls.get(request);
            return pr.data;

@@ -115,18 +142,28 @@ jobs:
          ref: ${{ steps.get-sha.outputs.sha }}
          persist-credentials: false

-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+      - name: Setup Docker Environment
+        uses: ./.github/actions/setup-docker
+        with:
+          dockerhub-user: ${{ secrets.DOCKERHUB_USER }}
+          dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
+          build: "true"
+          install-docker-compose: "false"

-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+      - name: Setup supersetbot
+        uses: ./.github/actions/setup-supersetbot/

      - name: Build ephemeral env image
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
-          ./scripts/build_docker.py \
-            "ci" \
-            "pull_request" \
-            --build_context_ref ${{ github.event.issue.number }}
+          supersetbot docker \
+            --push \
+            --load \
+            --preset ci \
+            --platform  linux/amd64 \
+            --context-ref "$RELEASE" \
+            --extra-flags "--build-arg INCLUDE_CHROMIUM=false"

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
@@ -146,14 +183,14 @@ jobs:
          ECR_REPOSITORY: superset-ci
          IMAGE_TAG: apache/superset:${{ steps.get-sha.outputs.sha }}-ci
        run: |
-          docker tag $IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:pr-${{ github.event.issue.number }}-ci
+          docker tag $IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:pr-${{ github.event.inputs.issue_number || github.event.issue.number }}-ci
          docker push -a $ECR_REGISTRY/$ECR_REPOSITORY

  ephemeral-env-up:
    needs: [ephemeral-env-comment, ephemeral-docker-build]
    if: needs.ephemeral-env-comment.outputs.slash-command == 'up'
    name: Spin up an ephemeral environment
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    permissions:
      contents: read
      pull-requests: write
@@ -181,22 +218,22 @@ jobs:
        aws ecr describe-images \
        --registry-id $(echo "${{ steps.login-ecr.outputs.registry }}" | grep -Eo "^[0-9]+") \
        --repository-name superset-ci \
-        --image-ids imageTag=pr-${{ github.event.issue.number }}-ci
+        --image-ids imageTag=pr-${{ github.event.inputs.issue_number || github.event.issue.number }}-ci

    - name: Fail on missing container image
      if: steps.check-image.outcome == 'failure'
      uses: actions/github-script@v7
      with:
-        github-token: ${{github.token}}
+        github-token: ${{ github.token }}
        script: |
-          const errMsg = '@${{ github.event.comment.user.login }} Container image not yet published for this PR. Please try again when build is complete.'
+          const errMsg = '@${{ github.event.comment.user.login }} Container image not yet published for this PR. Please try again when build is complete.';
          github.rest.issues.createComment({
-            issue_number: ${{ github.event.issue.number }},
+            issue_number: ${{ github.event.inputs.issue_number || github.event.issue.number }},
            owner: context.repo.owner,
            repo: context.repo.repo,
            body: errMsg
-          })
-          core.setFailed(errMsg)
+          });
+          core.setFailed(errMsg);

    - name: Fill in the new image ID in the Amazon ECS task definition
      id: task-def
@@ -204,7 +241,7 @@ jobs:
      with:
        task-definition: .github/workflows/ecs-task-definition.json
        container-name: superset-ci
-        image: ${{ steps.login-ecr.outputs.registry }}/superset-ci:pr-${{ github.event.issue.number }}-ci
+        image: ${{ steps.login-ecr.outputs.registry }}/superset-ci:pr-${{ github.event.inputs.issue_number || github.event.issue.number }}-ci

    - name: Update env vars in the Amazon ECS task definition
      run: |
@@ -213,30 +250,29 @@ jobs:
    - name: Describe ECS service
      id: describe-services
      run: |
-        echo "active=$(aws ecs describe-services --cluster superset-ci --services pr-${{ github.event.issue.number }}-service | jq '.services[] | select(.status == "ACTIVE") | any')" >> $GITHUB_OUTPUT
+        echo "active=$(aws ecs describe-services --cluster superset-ci --services pr-${{ github.event.inputs.issue_number || github.event.issue.number }}-service | jq '.services[] | select(.status == "ACTIVE") | any')" >> $GITHUB_OUTPUT
    - name: Create ECS service
-      if: steps.describe-services.outputs.active != 'true'
      id: create-service
+      if: steps.describe-services.outputs.active != 'true'
      env:
        ECR_SUBNETS: subnet-0e15a5034b4121710,subnet-0e8efef4a72224974
        ECR_SECURITY_GROUP: sg-092ff3a6ae0574d91
      run: |
        aws ecs create-service \
        --cluster superset-ci \
-        --service-name pr-${{ github.event.issue.number }}-service \
+        --service-name pr-${{ github.event.inputs.issue_number || github.event.issue.number }}-service \
        --task-definition superset-ci \
        --launch-type FARGATE \
        --desired-count 1 \
        --platform-version LATEST \
        --network-configuration "awsvpcConfiguration={subnets=[$ECR_SUBNETS],securityGroups=[$ECR_SECURITY_GROUP],assignPublicIp=ENABLED}" \
-        --tags key=pr,value=${{ github.event.issue.number }} key=github_user,value=${{ github.actor }}
-
+        --tags key=pr,value=${{ github.event.inputs.issue_number || github.event.issue.number }} key=github_user,value=${{ github.actor }}
    - name: Deploy Amazon ECS task definition
      id: deploy-task
      uses: aws-actions/amazon-ecs-deploy-task-definition@v2
      with:
        task-definition: ${{ steps.task-def.outputs.task-definition }}
-        service: pr-${{ github.event.issue.number }}-service
+        service: pr-${{ github.event.inputs.issue_number || github.event.issue.number }}-service
        cluster: superset-ci
        wait-for-service-stability: true
        wait-for-minutes: 10
@@ -244,18 +280,15 @@ jobs:
    - name: List tasks
      id: list-tasks
      run: |
-        echo "task=$(aws ecs list-tasks --cluster superset-ci --service-name pr-${{ github.event.issue.number }}-service | jq '.taskArns | first')" >> $GITHUB_OUTPUT
-
+        echo "task=$(aws ecs list-tasks --cluster superset-ci --service-name pr-${{ github.event.inputs.issue_number || github.event.issue.number }}-service | jq '.taskArns | first')" >> $GITHUB_OUTPUT
    - name: Get network interface
      id: get-eni
      run: |
-        echo "eni=$(aws ecs describe-tasks --cluster superset-ci --tasks ${{ steps.list-tasks.outputs.task }} | jq '.tasks | .[0] | .attachments | .[0] | .details | map(select(.name=="networkInterfaceId")) | .[0] | .value')" >> $GITHUB_OUTPUT
-
+        echo "eni=$(aws ecs describe-tasks --cluster superset-ci --tasks ${{ steps.list-tasks.outputs.task }} | jq '.tasks | .[0] | .attachments | .[0] | .details | map(select(.name==\"networkInterfaceId\")) | .[0] | .value')" >> $GITHUB_OUTPUT
    - name: Get public IP
      id: get-ip
      run: |
        echo "ip=$(aws ec2 describe-network-interfaces --network-interface-ids ${{ steps.get-eni.outputs.eni }} | jq -r '.NetworkInterfaces | first | .Association.PublicIp')" >> $GITHUB_OUTPUT
-
    - name: Comment (success)
      if: ${{ success() }}
      uses: actions/github-script@v7
@@ -263,12 +296,11 @@ jobs:
        github-token: ${{github.token}}
        script: |
          github.rest.issues.createComment({
-            issue_number: ${{ github.event.issue.number }},
+            issue_number: ${{ github.event.inputs.issue_number || github.event.issue.number }},
            owner: context.repo.owner,
            repo: context.repo.repo,
-            body: '@${{ github.event.comment.user.login }} Ephemeral environment spinning up at http://${{ steps.get-ip.outputs.ip }}:8080. Credentials are `admin`/`admin`. Please allow several minutes for bootstrapping and startup.'
+            body: '@${{ github.event.inputs.user_login || github.event.comment.user.login }} Ephemeral environment spinning up at http://${{ steps.get-ip.outputs.ip }}:8080. Credentials are `admin`/`admin`. Please allow several minutes for bootstrapping and startup.'
          })
-
    - name: Comment (failure)
      if: ${{ failure() }}
      uses: actions/github-script@v7
@@ -276,8 +308,8 @@ jobs:
        github-token: ${{github.token}}
        script: |
          github.rest.issues.createComment({
-            issue_number: ${{ github.event.issue.number }},
+            issue_number: ${{ github.event.inputs.issue_number || github.event.issue.number }},
            owner: context.repo.owner,
            repo: context.repo.repo,
-            body: '@${{ github.event.comment.user.login }} Ephemeral environment creation failed. Please check the Actions logs for details.'
+            body: '@${{ github.event.inputs.user_login || github.event.comment.user.login }} Ephemeral environment creation failed. Please check the Actions logs for details.'
          })
--- a/.github/workflows/generate-FOSSA-report.yml
+++ b/.github/workflows/generate-FOSSA-report.yml
@@ -8,7 +8,7 @@ on:

 jobs:
  config:
-    runs-on: "ubuntu-22.04"
+    runs-on: ubuntu-24.04
    outputs:
      has-secrets: ${{ steps.check.outputs.has-secrets }}
    steps:
@@ -24,7 +24,7 @@ jobs:
    needs: config
    if: needs.config.outputs.has-secrets
    name: Generate Report
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
        uses: actions/checkout@v4
--- a/.github/workflows/github-action-validator.yml
+++ b/.github/workflows/github-action-validator.yml
@@ -11,7 +11,7 @@ on:
 jobs:

  validate-all-ghas:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
--- a/.github/workflows/issue_creation.yml
+++ b/.github/workflows/issue_creation.yml
@@ -9,7 +9,7 @@ on:

 jobs:
  superbot-orglabel:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    permissions:
      contents: read
      pull-requests: write
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -7,7 +7,7 @@ jobs:
    permissions:
      contents: read
      pull-requests: write
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
    - uses: actions/labeler@v5
      with:
--- a/.github/workflows/latest-release-tag.yml
+++ b/.github/workflows/latest-release-tag.yml
@@ -6,7 +6,7 @@ on:
 jobs:
  latest-release:
    name: Add/update tag to new release
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    permissions:
      contents: write

--- a/.github/workflows/license-check.yml
+++ b/.github/workflows/license-check.yml
@@ -12,7 +12,7 @@ concurrency:
 jobs:
  license_check:
    name: License Check
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
        uses: actions/checkout@v4
--- a/.github/workflows/no-hold-label.yml
+++ b/.github/workflows/no-hold-label.yml
@@ -11,7 +11,7 @@ concurrency:

 jobs:
  check-hold-label:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
    - name: Check for 'hold' label
      uses: actions/github-script@v7
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -10,7 +10,7 @@ on:

 jobs:
  lint-check:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    permissions:
      contents: read
      pull-requests: write
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -15,7 +15,7 @@ concurrency:

 jobs:
  pre-commit:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    strategy:
      matrix:
        python-version: ["current", "next", "previous"]
--- a/.github/workflows/prefer-typescript.yml
+++ b/.github/workflows/prefer-typescript.yml
@@ -21,7 +21,7 @@ jobs:
  prefer_typescript:
    if: github.ref == 'ref/heads/master' && github.event_name == 'pull_request'
    name: Prefer TypeScript
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    permissions:
      contents: read
      pull-requests: write
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,7 +8,7 @@ on:

 jobs:
  config:
-    runs-on: "ubuntu-22.04"
+    runs-on: ubuntu-24.04
    outputs:
      has-secrets: ${{ steps.check.outputs.has-secrets }}
    steps:
@@ -25,7 +25,7 @@ jobs:
    if: needs.config.outputs.has-secrets
    name: Bump version and publish package(s)

-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04

    strategy:
      matrix:
--- a/.github/workflows/superset-applitool-cypress.yml
+++ b/.github/workflows/superset-applitool-cypress.yml
@@ -6,7 +6,7 @@ on:

 jobs:
  config:
-    runs-on: "ubuntu-22.04"
+    runs-on: ubuntu-24.04
    outputs:
      has-secrets: ${{ steps.check.outputs.has-secrets }}
    steps:
@@ -21,7 +21,7 @@ jobs:
  cypress-applitools:
    needs: config
    if: needs.config.outputs.has-secrets
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    strategy:
      fail-fast: false
      matrix:
--- a/.github/workflows/superset-applitools-storybook.yml
+++ b/.github/workflows/superset-applitools-storybook.yml
@@ -12,7 +12,7 @@ env:

 jobs:
  config:
-    runs-on: "ubuntu-22.04"
+    runs-on: ubuntu-24.04
    outputs:
      has-secrets: ${{ steps.check.outputs.has-secrets }}
    steps:
@@ -27,7 +27,7 @@ jobs:
  cron:
    needs: config
    if: needs.config.outputs.has-secrets
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    strategy:
      matrix:
        node: [20]
--- a/.github/workflows/superset-cli.yml
+++ b/.github/workflows/superset-cli.yml
@@ -15,7 +15,7 @@ concurrency:

 jobs:
  test-load-examples:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    env:
      PYTHONPATH: ${{ github.workspace }}
      SUPERSET_CONFIG: tests.integration_tests.superset_test_config
--- a/.github/workflows/superset-docs-deploy.yml
+++ b/.github/workflows/superset-docs-deploy.yml
@@ -12,7 +12,7 @@ on:

 jobs:
  config:
-    runs-on: "ubuntu-22.04"
+    runs-on: ubuntu-24.04
    outputs:
      has-secrets: ${{ steps.check.outputs.has-secrets }}
    steps:
@@ -28,7 +28,7 @@ jobs:
    needs: config
    if: needs.config.outputs.has-secrets
    name: Build & Deploy
-    runs-on: "ubuntu-22.04"
+    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
        uses: actions/checkout@v4
--- a/.github/workflows/superset-docs-verify.yml
+++ b/.github/workflows/superset-docs-verify.yml
@@ -24,7 +24,7 @@ jobs:
      - uses: JustinBeckwith/linkinator-action@v1.11.0
        continue-on-error: true # This will make the job advisory (non-blocking, no red X)
        with:
-          paths: "**/*.md, **/*.mdx"
+          paths: "**/*.md, **/*.mdx, !superset-frontend/CHANGELOG.md"
          linksToSkip: >-
            ^https://github.com/apache/(superset|incubator-superset)/(pull|issue)/\d+,
            http://localhost:8088/,
@@ -51,7 +51,7 @@ jobs:
            https://www.plaidcloud.com/
  build-deploy:
    name: Build & Deploy
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    defaults:
      run:
        working-directory: docs
--- a/.github/workflows/superset-e2e.yml
+++ b/.github/workflows/superset-e2e.yml
@@ -28,6 +28,7 @@ concurrency:

 jobs:
  cypress-matrix:
+    # Somehow one test flakes on 24.04 for unknown reasons, this is the only GHA left on 22.04
    runs-on: ubuntu-22.04
    permissions:
      contents: read
--- a/.github/workflows/superset-frontend.yml
+++ b/.github/workflows/superset-frontend.yml
@@ -1,4 +1,4 @@
-name: Frontend
+name: "Frontend Build CI (unit tests, linting & sanity checks)"

 on:
  push:
@@ -13,68 +13,168 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

+env:
+  TAG: apache/superset:GHA-${{ github.run_id }}
+
 jobs:
  frontend-build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
+    outputs:
+      should-run: ${{ steps.check.outputs.frontend }}
    steps:
-      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
+      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          persist-credentials: false
-          submodules: recursive
-      - name: Check npm lock file version
-        run: ./scripts/ci_check_npm_lock_version.sh ./superset-frontend/package-lock.json
-      - name: Check for file changes
+
+      - name: Check for File Changes
        id: check
        uses: ./.github/actions/change-detector/
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
-      - name: Setup Node.js
+
+      - name: Build Docker Image
        if: steps.check.outputs.frontend
-        uses: actions/setup-node@v4
+        shell: bash
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          docker buildx build \
+            -t $TAG \
+            --cache-from=type=registry,ref=apache/superset-cache:3.10-slim-bookworm \
+            --target superset-node-ci \
+            .
+
+      - name: Save Docker Image as Artifact
+        if: steps.check.outputs.frontend
+        run: |
+          docker save $TAG | gzip > docker-image.tar.gz
+
+      - name: Upload Docker Image Artifact
+        if: steps.check.outputs.frontend
+        uses: actions/upload-artifact@v4
        with:
-          node-version: "20"
-      - name: Install dependencies
-        if: steps.check.outputs.frontend
-        uses: ./.github/actions/cached-dependencies
+          name: docker-image
+          path: docker-image.tar.gz
+
+  sharded-jest-tests:
+    needs: frontend-build
+    if: needs.frontend-build.outputs.should-run == 'true'
+    strategy:
+      matrix:
+        shard: [1, 2, 3, 4, 5, 6, 7, 8]
+      fail-fast: false
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Download Docker Image Artifact
+        uses: actions/download-artifact@v4
        with:
-          run: npm-install
-      - name: eslint
-        if: steps.check.outputs.frontend
-        working-directory: ./superset-frontend
+          name: docker-image
+
+      - name: Load Docker Image
+        run: docker load < docker-image.tar.gz
+
+      - name: npm run test with coverage
        run: |
-          npm run eslint -- . --quiet
-      - name: tsc
-        if: steps.check.outputs.frontend
-        working-directory: ./superset-frontend
-        run: |
-          npm run type
-      - name: Build plugins packages
-        if: steps.check.outputs.frontend
-        working-directory: ./superset-frontend
-        run: npm run plugins:build
-      - name: Build plugins Storybook
-        if: steps.check.outputs.frontend
-        working-directory: ./superset-frontend
-        run: npm run plugins:build-storybook
-      - name: superset-ui/core coverage
-        if: steps.check.outputs.frontend
-        working-directory: ./superset-frontend
-        run: |
-          npm run core:cover
-      - name: unit tests
-        if: steps.check.outputs.frontend
-        working-directory: ./superset-frontend
-        run: |
-          npm run test -- --coverage --silent
-      # todo: remove this step when fix generator as a project in root jest.config.js
-      - name: generator-superset unit tests
-        if: steps.check.outputs.frontend
-        working-directory: ./superset-frontend/packages/generator-superset
-        run: npm run test
-      - name: Upload code coverage
-        uses: codecov/codecov-action@v4
+          mkdir -p ${{ github.workspace }}/superset-frontend/coverage
+          docker run \
+          -v ${{ github.workspace }}/superset-frontend/coverage:/app/superset-frontend/coverage \
+          --rm $TAG \
+          bash -c \
+          "npm run test -- --coverage --shard=${{ matrix.shard }}/8 --coverageReporters=json-summary"
+
+      - name: Upload Coverage Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-artifacts-${{ matrix.shard }}
+          path: superset-frontend/coverage
+
+  report-coverage:
+    needs: [sharded-jest-tests]
+    if: needs.frontend-build.outputs.should-run == 'true'
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Download Coverage Artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: coverage-artifacts-*
+          path: coverage/
+
+      - name: Show Files
+        run: find coverage/
+
+      - name: Merge Code Coverage
+        run: npx nyc merge coverage/ merged-output/coverage-summary.json
+
+      - name: Upload Code Coverage
+        uses: codecov/codecov-action@v5
        with:
          flags: javascript
          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true
+          files: merged-output/coverage-summary.json
+          slug: apache/superset
+
+  core-cover:
+    needs: frontend-build
+    if: needs.frontend-build.outputs.should-run == 'true'
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Download Docker Image Artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: docker-image
+
+      - name: Load Docker Image
+        run: docker load < docker-image.tar.gz
+
+      - name: superset-ui/core coverage
+        run: |
+          docker run --rm $TAG bash -c \
+          "npm run core:cover"
+
+  lint-frontend:
+    needs: frontend-build
+    if: needs.frontend-build.outputs.should-run == 'true'
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Download Docker Image Artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: docker-image
+
+      - name: Load Docker Image
+        run: docker load < docker-image.tar.gz
+
+      - name: eslint
+        run: |
+          docker run --rm $TAG bash -c \
+          "npm i && npm run eslint -- . --quiet"
+
+      - name: tsc
+        run: |
+          docker run --rm $TAG bash -c \
+          "npm run type"
+
+  validate-frontend:
+    needs: frontend-build
+    if: needs.frontend-build.outputs.should-run == 'true'
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Download Docker Image Artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: docker-image
+
+      - name: Load Docker Image
+        run: docker load < docker-image.tar.gz
+
+      - name: Build Plugins Packages
+        run: |
+          docker run --rm $TAG bash -c \
+          "npm run plugins:build"
+
+      - name: Build Plugins Storybook
+        run: |
+          docker run --rm $TAG bash -c \
+          "npm run plugins:build-storybook"
--- a/.github/workflows/superset-helm-lint.yml
+++ b/.github/workflows/superset-helm-lint.yml
@@ -1,4 +1,4 @@
-name: Lint and Test Charts
+name: "Helm: lint and test charts"

 on:
  pull_request:
@@ -13,7 +13,7 @@ concurrency:

 jobs:
  lint-test:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
        uses: actions/checkout@v4
@@ -25,7 +25,7 @@ jobs:
      - name: Set up Helm
        uses: azure/setup-helm@v4
        with:
-          version: v3.5.4
+          version: v3.16.4

      - name: Setup Python
        uses: ./.github/actions/setup-backend/
--- a/.github/workflows/superset-helm-release.yml
+++ b/.github/workflows/superset-helm-release.yml
@@ -1,4 +1,8 @@
-name: Release Charts
+# This workflow automates the release process for Helm charts.
+# The workflow creates a new branch for the release and opens a pull request against the 'gh-pages' branch,
+# allowing the changes to be reviewed and merged manually.
+
+name: "Helm: release charts"

 on:
  push:
@@ -7,18 +11,28 @@ on:
      - "[0-9].[0-9]*"
    paths:
      - "helm/**"
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: "The branch, tag, or commit SHA to check out"
+        required: false
+        default: "master"

 jobs:
  release:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    permissions:
      contents: write
+      pull-requests: write
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

    steps:
-      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
+      - name: Checkout code
        uses: actions/checkout@v4
        with:
-          persist-credentials: false
+          ref: ${{ inputs.ref || github.ref_name }}
+          persist-credentials: true
          submodules: recursive
          fetch-depth: 0

@@ -35,11 +49,77 @@ jobs:
      - name: Add bitnami repo dependency
        run: helm repo add bitnami https://charts.bitnami.com/bitnami

+      - name: Fetch/list all tags
+        run: |
+          # Debugging tags
+          git fetch --tags --force
+          git tag -d superset-helm-chart-0.13.4 || true
+          echo "DEBUG TAGS"
+          git show-ref --tags
+
+      - name: Create unique pages branch name
+        id: vars
+        run: echo "branch_name=helm-publish-${GITHUB_SHA:0:7}" >> $GITHUB_ENV
+
+      - name: Force recreate branch from gh-pages
+        run: |
+          # Ensure a clean working directory
+          git reset --hard
+          git clean -fdx
+          git checkout -b local_gha_temp
+          git submodule update
+
+          # Fetch the latest gh-pages branch
+          git fetch origin gh-pages
+
+          # Check out and reset the target branch based on gh-pages
+          git checkout -B ${{ env.branch_name }} origin/gh-pages
+
+          # Remove submodules from the branch
+          git submodule deinit -f --all
+
+          # Force push to the remote branch
+          git push origin ${{ env.branch_name }} --force
+
+          # Return to the original branch
+          git checkout local_gha_temp
+
+      - name: Fetch/list all tags
+        run: |
+          git submodule update
+          cat .github/actions/chart-releaser-action/action.yml
+
      - name: Run chart-releaser
        uses: ./.github/actions/chart-releaser-action
        with:
+          version: v1.6.0
          charts_dir: helm
          mark_as_latest: false
+          pages_branch: ${{ env.branch_name }}
        env:
          CR_TOKEN: "${{ github.token }}"
          CR_RELEASE_NAME_TEMPLATE: "superset-helm-chart-{{ .Version }}"
+
+      - name: Open Pull Request
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const branchName = '${{ env.branch_name }}';
+            const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');
+
+            if (!branchName) {
+              throw new Error("Branch name is not defined.");
+            }
+
+            const pr = await github.rest.pulls.create({
+              owner,
+              repo,
+              title: `Helm chart release for ${branchName}`,
+              head: branchName,
+              base: "gh-pages", // Adjust if the target branch is different
+              body: `This PR releases Helm charts to the gh-pages branch.`,
+            });
+
+            core.info(`Pull request created: ${pr.data.html_url}`);
+        env:
+          BRANCH_NAME: ${{ env.branch_name }}
--- a/.github/workflows/superset-python-integrationtest.yml
+++ b/.github/workflows/superset-python-integrationtest.yml
@@ -15,7 +15,7 @@ concurrency:

 jobs:
  test-mysql:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    env:
      PYTHONPATH: ${{ github.workspace }}
      SUPERSET_CONFIG: tests.integration_tests.superset_test_config
@@ -68,13 +68,13 @@ jobs:
        run: |
          ./scripts/python_tests.sh
      - name: Upload code coverage
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
        with:
          flags: python,mysql
          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true
  test-postgres:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    strategy:
      matrix:
        python-version: ["current", "next", "previous"]
@@ -129,14 +129,14 @@ jobs:
        run: |
          ./scripts/python_tests.sh
      - name: Upload code coverage
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
        with:
          flags: python,postgres
          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true

  test-sqlite:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    env:
      PYTHONPATH: ${{ github.workspace }}
      SUPERSET_CONFIG: tests.integration_tests.superset_test_config
@@ -181,7 +181,7 @@ jobs:
        run: |
          ./scripts/python_tests.sh
      - name: Upload code coverage
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
        with:
          flags: python,sqlite
          token: ${{ secrets.CODECOV_TOKEN }}
--- a/.github/workflows/superset-python-presto-hive.yml
+++ b/.github/workflows/superset-python-presto-hive.yml
@@ -16,7 +16,7 @@ concurrency:

 jobs:
  test-postgres-presto:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    env:
      PYTHONPATH: ${{ github.workspace }}
      SUPERSET_CONFIG: tests.integration_tests.superset_test_config
@@ -77,14 +77,14 @@ jobs:
        run: |
          ./scripts/python_tests.sh -m 'chart_data_flow or sql_json_flow'
      - name: Upload code coverage
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
        with:
          flags: python,presto
          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true

  test-postgres-hive:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    env:
      PYTHONPATH: ${{ github.workspace }}
      SUPERSET_CONFIG: tests.integration_tests.superset_test_config
@@ -142,9 +142,10 @@ jobs:
      - name: Python unit tests (PostgreSQL)
        if: steps.check.outputs.python
        run: |
+          pip install -e .[hive]
          ./scripts/python_tests.sh -m 'chart_data_flow or sql_json_flow'
      - name: Upload code coverage
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
        with:
          flags: python,hive
          token: ${{ secrets.CODECOV_TOKEN }}
--- a/.github/workflows/superset-python-unittest.yml
+++ b/.github/workflows/superset-python-unittest.yml
@@ -16,7 +16,7 @@ concurrency:

 jobs:
  unit-tests:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    strategy:
      matrix:
        python-version: ["current", "next"]
@@ -46,7 +46,7 @@ jobs:
        run: |
          pytest --durations-min=0.5 --cov-report= --cov=superset ./tests/common ./tests/unit_tests --cache-clear
      - name: Upload code coverage
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
        with:
          flags: python,unit
          token: ${{ secrets.CODECOV_TOKEN }}
--- a/.github/workflows/superset-translations.yml
+++ b/.github/workflows/superset-translations.yml
@@ -15,7 +15,7 @@ concurrency:

 jobs:
  frontend-check-translations:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
        uses: actions/checkout@v4
@@ -46,7 +46,7 @@ jobs:
          npm run build-translation

  babel-extract:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
        uses: actions/checkout@v4
--- a/.github/workflows/superset-websocket.yml
+++ b/.github/workflows/superset-websocket.yml
@@ -18,7 +18,7 @@ concurrency:

 jobs:
  app-checks:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
        uses: actions/checkout@v4
--- a/.github/workflows/supersetbot.yml
+++ b/.github/workflows/supersetbot.yml
@@ -15,7 +15,7 @@ on:

 jobs:
  supersetbot:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    if: >
      github.event_name == 'workflow_dispatch' ||
      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@supersetbot'))
--- a/.github/workflows/tag-release.yml
+++ b/.github/workflows/tag-release.yml
@@ -23,7 +23,7 @@ on:
          - 'false'
 jobs:
  config:
-    runs-on: "ubuntu-22.04"
+    runs-on: ubuntu-24.04
    outputs:
      has-secrets: ${{ steps.check.outputs.has-secrets }}
    steps:
@@ -39,23 +39,26 @@ jobs:
    needs: config
    if: needs.config.outputs.has-secrets
    name: docker-release
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    strategy:
      matrix:
        build_preset: ["dev", "lean", "py310", "websocket", "dockerize", "py311"]
      fail-fast: false
    steps:
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3

      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

+      - name: Setup Docker Environment
+        uses: ./.github/actions/setup-docker
+        with:
+          dockerhub-user: ${{ secrets.DOCKERHUB_USER }}
+          dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
+          install-docker-compose: "false"
+          build: "true"
+
      - name: Use Node.js 20
        uses: actions/setup-node@v4
        with:
@@ -64,13 +67,6 @@ jobs:
      - name: Setup supersetbot
        uses: ./.github/actions/setup-supersetbot/

-      - name: Try to login to DockerHub
-        continue-on-error: true
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USER }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
      - name: Execute custom Node.js script
        env:
          DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
@@ -91,6 +87,7 @@ jobs:
          fi

          supersetbot docker \
+            --push \
            --preset ${{ matrix.build_preset }} \
            --context "$EVENT" \
            --context-ref "$RELEASE" $FORCE_LATEST \
@@ -103,7 +100,7 @@ jobs:
  update-prs-with-release-info:
    needs: config
    if: needs.config.outputs.has-secrets
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    permissions:
      contents: read
      pull-requests: write
--- a/.github/workflows/tech-debt.yml
+++ b/.github/workflows/tech-debt.yml
@@ -8,7 +8,7 @@ on:

 jobs:
  config:
-    runs-on: "ubuntu-22.04"
+    runs-on: ubuntu-24.04
    outputs:
      has-secrets: ${{ steps.check.outputs.has-secrets }}
    steps:
@@ -23,7 +23,7 @@ jobs:
  process-and-upload:
    needs: config
    if: needs.config.outputs.has-secrets
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    name: Generate Reports
    steps:
      - name: Checkout Repository
--- a/.github/workflows/welcome-new-users.yml
+++ b/.github/workflows/welcome-new-users.yml
@@ -6,7 +6,7 @@ on:

 jobs:
  welcome:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    permissions:
      pull-requests: write

--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -16,11 +16,11 @@
 #
 repos:
  - repo: https://github.com/MarcoGorelli/auto-walrus
-    rev: v0.2.2
+    rev: 0.3.4
    hooks:
      - id: auto-walrus
  - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.3.0
+    rev: v1.13.0
    hooks:
      - id: mypy
        args: [--check-untyped-defs]
@@ -38,25 +38,22 @@ repos:
            types-paramiko,
            types-Markdown,
          ]
-  - repo: https://github.com/peterdemin/pip-compile-multi
-    rev: v2.6.2
-    hooks:
-      - id: pip-compile-multi-verify
  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v5.0.0
    hooks:
      - id: check-docstring-first
      - id: check-added-large-files
-        exclude: ^.*\.(geojson)$|^docs/static/img/screenshots/.*
+        exclude: ^.*\.(geojson)$|^docs/static/img/screenshots/.*|^superset-frontend/CHANGELOG\.md$
      - id: check-yaml
        exclude: ^helm/superset/templates/
      - id: debug-statements
      - id: end-of-file-fixer
+        exclude: .*/lerna\.json$
      - id: trailing-whitespace
        exclude: ^.*\.(snap)
        args: ["--markdown-linebreak-ext=md"]
  - repo: https://github.com/pre-commit/mirrors-prettier
-    rev: v3.1.0 # Use the sha or tag you want to point at
+    rev: v4.0.0-alpha.8 # Use the sha or tag you want to point at
    hooks:
      - id: prettier
        additional_dependencies:
@@ -70,27 +67,13 @@ repos:
      - id: blacklist
        args: ["--blacklisted-names=make_url", "--ignore=tests/"]
  - repo: https://github.com/norwoodj/helm-docs
-    rev: v1.11.0
+    rev: v1.14.2
    hooks:
      - id: helm-docs
        files: helm
  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.4.0
+    rev: v0.8.0
    hooks:
      - id: ruff
        args: [ --fix ]
      - id: ruff-format
-  - repo: local
-    hooks:
-      - id: pylint
-        name: pylint
-        entry: pylint
-        language: system
-        types: [python]
-        exclude: ^(tests/|superset/migrations/|scripts/|RELEASING/|docker/)
-        args:
-          [
-            "-rn", # Only display messages
-            "-sn", # Don't display the score
-            "--rcfile=.pylintrc",
-          ]
--- a/.pylintrc
+++ b/.pylintrc
@@ -1,380 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-[MASTER]
-
-# Specify a configuration file.
-#rcfile=
-
-# Python code to execute, usually for sys.path manipulation such as
-# pygtk.require().
-#init-hook=
-
-# Add files or directories to the blacklist. They should be base names, not
-# paths.
-ignore=CVS,migrations
-
-# Add files or directories matching the regex patterns to the blacklist. The
-# regex matches against base names, not paths.
-ignore-patterns=
-
-# Pickle collected data for later comparisons.
-persistent=yes
-
-# List of plugins (as comma separated values of python modules names) to load,
-# usually to register additional checkers.
-load-plugins=superset.extensions.pylint
-
-# Use multiple processes to speed up Pylint.
-jobs=2
-
-# Allow loading of arbitrary C extensions. Extensions are imported into the
-# active Python interpreter and may run arbitrary code.
-unsafe-load-any-extension=no
-
-# A comma-separated list of package or module names from where C extensions may
-# be loaded. Extensions are loading into the active Python interpreter and may
-# run arbitrary code
-extension-pkg-whitelist=pyarrow
-
-
-[MESSAGES CONTROL]
-
-# Only show warnings with the listed confidence levels. Leave empty to show
-# all. Valid levels: HIGH, INFERENCE, INFERENCE_FAILURE, UNDEFINED
-confidence=
-
-# Enable the message, report, category or checker with the given id(s). You can
-# either give multiple identifier separated by comma (,) or put this option
-# multiple time (only on the command line, not in the configuration file where
-# it should appear only once). See also the "--disable" option for examples.
-enable=
-    useless-suppression,
-
-# Disable the message, report, category or checker with the given id(s). You
-# can either give multiple identifiers separated by comma (,) or put this
-# option multiple times (only on the command line, not in the configuration
-# file where it should appear only once).You can also use "--disable=all" to
-# disable everything first and then reenable specific checks. For example, if
-# you want to run only the similarities checker, you can use "--disable=all
-# --enable=similarities". If you want to run only the classes checker, but have
-# no Warning level messages displayed, use"--disable=all --enable=classes
-# --disable=W"
-disable=
-    cyclic-import,  # re-enable once this no longer raises false positives
-    missing-docstring,
-    duplicate-code,
-    line-too-long,
-    unspecified-encoding,
-    too-many-instance-attributes  # re-enable once this no longer raises false positives
-
-[REPORTS]
-
-# Set the output format. Available formats are text, parseable, colorized, msvs
-# (visual studio) and html. You can also give a reporter class, eg
-# mypackage.mymodule.MyReporterClass.
-output-format=text
-
-# Tells whether to display a full report or only the messages
-reports=yes
-
-# Python expression which should return a note less than 10 (10 is the highest
-# note). You have access to the variables errors warning, statement which
-# respectively contain the number of errors / warnings messages and the total
-# number of statements analyzed. This is used by the global evaluation report
-# (RP0004).
-evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10)
-
-# Template used to display messages. This is a python new-style format string
-# used to format the message information. See doc for all details
-#msg-template=
-
-
-[BASIC]
-
-# Good variable names which should always be accepted, separated by a comma
-good-names=_,df,ex,f,i,id,j,k,l,o,pk,Run,ts,v,x,y
-
-# Bad variable names which should always be refused, separated by a comma
-bad-names=bar,baz,db,fd,foo,sesh,session,tata,toto,tutu
-
-# Colon-delimited sets of names that determine each other's naming style when
-# the name regexes allow several styles.
-name-group=
-
-# Include a hint for the correct naming format with invalid-name
-include-naming-hint=no
-
-# List of decorators that produce properties, such as abc.abstractproperty. Add
-# to this list to register other decorators that produce valid properties.
-property-classes=
-    abc.abstractproperty,
-    sqlalchemy.ext.hybrid.hybrid_property
-
-# Regular expression matching correct argument names
-argument-rgx=[a-z_][a-z0-9_]{2,30}$
-
-# Regular expression matching correct method names
-method-rgx=[a-z_][a-z0-9_]{2,30}$
-
-# Regular expression matching correct variable names
-variable-rgx=[a-z_][a-z0-9_]{1,30}$
-
-# Regular expression matching correct inline iteration names
-inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$
-
-# Regular expression matching correct constant names
-const-rgx=(([A-Za-z_][A-Za-z0-9_]*)|(__.*__))$
-
-# Regular expression matching correct class names
-class-rgx=[A-Z_][a-zA-Z0-9]+$
-
-# Regular expression matching correct class attribute names
-class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$
-
-# Regular expression matching correct module names
-module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
-
-# Regular expression matching correct attribute names
-attr-rgx=[a-z_][a-z0-9_]{2,30}$
-
-# Regular expression matching correct function names
-function-rgx=[a-z_][a-z0-9_]{2,30}$
-
-# Regular expression which should only match function or class names that do
-# not require a docstring.
-no-docstring-rgx=^_
-
-# Minimum line length for functions/classes that require docstrings, shorter
-# ones are exempt.
-docstring-min-length=10
-
-
-[ELIF]
-
-# Maximum number of nested blocks for function / method body
-max-nested-blocks=5
-
-
-[FORMAT]
-
-# Maximum number of characters on a single line.
-max-line-length=100
-
-# Regexp for a line that is allowed to be longer than the limit.
-ignore-long-lines=^\s*(# )?<?https?://\S+>?$
-
-# Allow the body of an if to be on the same line as the test if there is no
-# else.
-single-line-if-stmt=no
-
-# Maximum number of lines in a module
-max-module-lines=1000
-
-# String used as indentation unit. This is usually "    " (4 spaces) or "\t" (1
-# tab).
-indent-string='    '
-
-# Number of spaces of indent required inside a hanging  or continued line.
-indent-after-paren=4
-
-# Expected format of line ending, e.g. empty (any line ending), LF or CRLF.
-expected-line-ending-format=
-
-
-[LOGGING]
-
-# Logging modules to check that the string format arguments are in logging
-# function parameter format
-logging-modules=logging
-
-
-[MISCELLANEOUS]
-
-# List of note tags to take in consideration, separated by a comma.
-notes=FIXME,XXX
-
-
-[SIMILARITIES]
-
-# Minimum lines number of a similarity.
-min-similarity-lines=5
-
-# Ignore comments when computing similarities.
-ignore-comments=yes
-
-# Ignore docstrings when computing similarities.
-ignore-docstrings=yes
-
-# Ignore imports when computing similarities.
-ignore-imports=no
-
-
-[SPELLING]
-
-# Spelling dictionary name. Available dictionaries: none. To make it working
-# install python-enchant package.
-spelling-dict=
-
-# List of comma separated words that should not be checked.
-spelling-ignore-words=
-
-# A path to a file that contains private dictionary; one word per line.
-spelling-private-dict-file=
-
-# Tells whether to store unknown words to indicated private dictionary in
-# --spelling-private-dict-file option instead of raising a message.
-spelling-store-unknown-words=no
-
-
-[TYPECHECK]
-
-# Tells whether missing members accessed in mixin class should be ignored. A
-# mixin class is detected if its name ends with "mixin" (case insensitive).
-ignore-mixin-members=yes
-
-# List of module names for which member attributes should not be checked
-# (useful for modules/projects where namespaces are manipulated during runtime
-# and thus existing member attributes cannot be deduced by static analysis. It
-# supports qualified module names, as well as Unix pattern matching.
-ignored-modules=numpy,pandas,alembic.op,sqlalchemy,alembic.context,flask_appbuilder.security.sqla.PermissionView.role,flask_appbuilder.Model.metadata,flask_appbuilder.Base.metadata
-
-# List of class names for which member attributes should not be checked (useful
-# for classes with dynamically set attributes). This supports the use of
-# qualified names.
-ignored-classes=contextlib.closing,optparse.Values,thread._local,_thread._local
-
-# List of members which are set dynamically and missed by pylint inference
-# system, and so shouldn't trigger E1101 when accessed. Python regular
-# expressions are accepted.
-generated-members=
-
-# List of decorators that produce context managers, such as
-# contextlib.contextmanager. Add to this list to register other decorators that
-# produce valid context managers.
-contextmanager-decorators=contextlib.contextmanager
-
-
-[VARIABLES]
-
-# Tells whether we should check for unused import in __init__ files.
-init-import=no
-
-# A regular expression matching the name of dummy variables (i.e. expectedly
-# not used).
-dummy-variables-rgx=(_+[a-zA-Z0-9]*?$)|dummy
-
-# List of additional names supposed to be defined in builtins. Remember that
-# you should avoid to define new builtins when possible.
-additional-builtins=
-
-# List of strings which can identify a callback function by name. A callback
-# name must start or end with one of those strings.
-callbacks=cb_,_cb
-
-# List of qualified module names which can have objects that can redefine
-# builtins.
-redefining-builtins-modules=six.moves,future.builtins
-
-
-[CLASSES]
-
-# List of method names used to declare (i.e. assign) instance attributes.
-defining-attr-methods=__init__,__new__,setUp
-
-# List of valid names for the first argument in a class method.
-valid-classmethod-first-arg=cls
-
-# List of valid names for the first argument in a metaclass class method.
-valid-metaclass-classmethod-first-arg=mcs
-
-# List of member names, which should be excluded from the protected access
-# warning.
-exclude-protected=_asdict,_fields,_replace,_source,_make
-
-
-[DESIGN]
-
-# Maximum number of arguments for function / method
-max-args=5
-
-# Argument names that match this expression will be ignored. Default to name
-# with leading underscore
-ignored-argument-names=_.*
-
-# Maximum number of locals for function / method body
-max-locals=15
-
-# Maximum number of return / yield for function / method body
-max-returns=10
-
-# Maximum number of branch for function / method body
-max-branches=15
-
-# Maximum number of statements in function / method body
-max-statements=50
-
-# Maximum number of parents for a class (see R0901).
-max-parents=7
-
-# Maximum number of attributes for a class (see R0902).
-max-attributes=8
-
-# Minimum number of public methods for a class (see R0903).
-min-public-methods=2
-
-# Maximum number of public methods for a class (see R0904).
-max-public-methods=20
-
-# Maximum number of boolean expressions in a if statement
-max-bool-expr=5
-
-
-[IMPORTS]
-
-# Deprecated modules which should not be used, separated by a comma
-deprecated-modules=optparse
-
-# Create a graph of every (i.e. internal and external) dependencies in the
-# given file (report RP0402 must not be disabled)
-import-graph=
-
-# Create a graph of external dependencies in the given file (report RP0402 must
-# not be disabled)
-ext-import-graph=
-
-# Create a graph of internal dependencies in the given file (report RP0402 must
-# not be disabled)
-int-import-graph=
-
-# Force import order to recognize a module as part of the standard
-# compatibility libraries.
-known-standard-library=
-
-# Force import order to recognize a module as part of a third party library.
-known-third-party=enchant
-
-# Analyse import fallback blocks. This can be used to support both Python 2 and
-# 3 compatible code, which means that the block might have code that exists
-# only in one or another interpreter, leading to false positives when analysed.
-analyse-fallback-blocks=no
-
-
-[EXCEPTIONS]
-
-# Exceptions that will emit a warning when being caught. Defaults to
-# "Exception"
-overgeneral-exceptions=builtins.Exception
--- a/.rat-excludes
+++ b/.rat-excludes
@@ -70,6 +70,7 @@ google-sheets.svg
 ibm-db2.svg
 postgresql.svg
 snowflake.svg
+ydb.svg

 # docs-related
 erd.puml
--- a/316
+++ b/316
@@ -20,44 +20,47 @@
 ######################################################################
 ARG PY_VER=3.10-slim-bookworm

-# if BUILDPLATFORM is null, set it to 'amd64' (or leave as is otherwise).
+# If BUILDPLATFORM is null, set it to 'amd64' (or leave as is otherwise).
 ARG BUILDPLATFORM=${BUILDPLATFORM:-amd64}
-FROM --platform=${BUILDPLATFORM} node:20-bullseye-slim AS superset-node

+######################################################################
+# superset-node-ci used as a base for building frontend assets and CI
+######################################################################
+FROM --platform=${BUILDPLATFORM} node:20-bullseye-slim AS superset-node-ci
+ARG BUILD_TRANSLATIONS="false" # Include translations in the final build
+ENV BUILD_TRANSLATIONS=${BUILD_TRANSLATIONS}
+ARG DEV_MODE="false"           # Skip frontend build in dev mode
+ENV DEV_MODE=${DEV_MODE}
+
+COPY docker/ /app/docker/
+# Arguments for build configuration
 ARG NPM_BUILD_CMD="build"

-# Include translations in the final build. The default supports en only to
-# reduce complexity and weight for those only using en
-ARG BUILD_TRANSLATIONS="false"
-
-# Used by docker-compose to skip the frontend build,
-# in dev we mount the repo and build the frontend inside docker
-ARG DEV_MODE="false"
-
-# Include headless browsers? Allows for alerts, reports & thumbnails, but bloats the images
-ARG INCLUDE_CHROMIUM="true"
-ARG INCLUDE_FIREFOX="false"
-
-# Somehow we need python3 + build-essential on this side of the house to install node-gyp
-RUN apt-get update -qq \
-    && apt-get install \
-        -yqq --no-install-recommends \
-        build-essential \
-        python3 \
-        zstd
+# Install system dependencies required for node-gyp
+RUN /app/docker/apt-install.sh build-essential python3 zstd

+# Define environment variables for frontend build
 ENV BUILD_CMD=${NPM_BUILD_CMD} \
    PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true
-# NPM ci first, as to NOT invalidate previous steps except for when package.json changes

-RUN --mount=type=bind,target=/frontend-mem-nag.sh,src=./docker/frontend-mem-nag.sh \
-    /frontend-mem-nag.sh
+# Run the frontend memory monitoring script
+RUN /app/docker/frontend-mem-nag.sh

 WORKDIR /app/superset-frontend
-# Creating empty folders to avoid errors when running COPY later on
-RUN mkdir -p /app/superset/static/assets
-RUN --mount=type=bind,target=./package.json,src=./superset-frontend/package.json \
-    --mount=type=bind,target=./package-lock.json,src=./superset-frontend/package-lock.json \
+
+# Create necessary folders to avoid errors in subsequent steps
+RUN mkdir -p /app/superset/static/assets \
+             /app/superset/translations
+
+# Mount package files and install dependencies if not in dev mode
+# NOTE: we mount packages and plugins as they are referenced in package.json as workspaces
+# ideally we'd COPY only their package.json. Here npm ci will be cached as long
+# as the full content of these folders don't change, yielding a decent cache reuse rate.
+# Note that's it's not possible selectively COPY of mount using blobs.
+RUN --mount=type=bind,source=./superset-frontend/package.json,target=./package.json \
+    --mount=type=bind,source=./superset-frontend/package-lock.json,target=./package-lock.json \
+    --mount=type=cache,target=/root/.cache \
+    --mount=type=cache,target=/root/.npm \
    if [ "$DEV_MODE" = "false" ]; then \
        npm ci; \
    else \
@@ -66,36 +69,42 @@ RUN --mount=type=bind,target=./package.json,src=./superset-frontend/package.json

 # Runs the webpack build process
 COPY superset-frontend /app/superset-frontend
-# This copies the .po files needed for translation
-RUN mkdir -p /app/superset/translations
-COPY superset/translations /app/superset/translations
-RUN if [ "$DEV_MODE" = "false" ]; then \
-        BUILD_TRANSLATIONS=$BUILD_TRANSLATIONS npm run ${BUILD_CMD}; \
+
+######################################################################
+# superset-node used for compile frontend assets
+######################################################################
+FROM superset-node-ci AS superset-node
+
+# Build the frontend if not in dev mode
+RUN --mount=type=cache,target=/app/superset-frontend/.temp_cache \
+    --mount=type=cache,target=/root/.npm \
+    if [ "$DEV_MODE" = "false" ]; then \
+        echo "Running 'npm run ${BUILD_CMD}'"; \
+        npm run ${BUILD_CMD}; \
    else \
        echo "Skipping 'npm run ${BUILD_CMD}' in dev mode"; \
-    fi
+    fi;

+# Copy translation files
+COPY superset/translations /app/superset/translations

-# Compiles .json files from the .po files, then deletes the .po files
+# Build the frontend if not in dev mode
 RUN if [ "$BUILD_TRANSLATIONS" = "true" ]; then \
        npm run build-translation; \
-    else \
-        echo "Skipping translations as requested by build flag"; \
-    fi
-RUN rm /app/superset/translations/*/LC_MESSAGES/*.po
-RUN rm /app/superset/translations/messages.pot
+    fi; \
+    rm -rf /app/superset/translations/*/*/*.po; \
+    rm -rf /app/superset/translations/*/*/*.mo;

+
+######################################################################
+# Base python layer
+######################################################################
 FROM python:${PY_VER} AS python-base
-######################################################################
-# Final lean image...
-######################################################################
-FROM python-base AS lean
+ARG BUILD_TRANSLATIONS="false" # Include translations in the final build
+ENV BUILD_TRANSLATIONS=${BUILD_TRANSLATIONS}
+ARG DEV_MODE="false"           # Skip frontend build in dev mode
+ENV DEV_MODE=${DEV_MODE}

-# Include translations in the final build. The default supports en only to
-# reduce complexity and weight for those only using en
-ARG BUILD_TRANSLATIONS="false"
-
-WORKDIR /app
 ENV LANG=C.UTF-8 \
    LC_ALL=C.UTF-8 \
    SUPERSET_ENV=production \
@@ -104,123 +113,144 @@ ENV LANG=C.UTF-8 \
    SUPERSET_HOME="/app/superset_home" \
    SUPERSET_PORT=8088

-RUN mkdir -p ${PYTHONPATH} superset/static requirements superset-frontend apache_superset.egg-info requirements \
-    && useradd --user-group -d ${SUPERSET_HOME} -m --no-log-init --shell /bin/bash superset \
-    && apt-get update -qq && apt-get install -yqq --no-install-recommends \
-        curl \
-        libsasl2-dev \
-        libsasl2-modules-gssapi-mit \
-        libpq-dev \
-        libecpg-dev \
-        libldap2-dev \
-    && touch superset/static/version_info.json \
-    && chown -R superset:superset ./* \
-    && rm -rf /var/lib/apt/lists/*

-COPY --chown=superset:superset pyproject.toml setup.py MANIFEST.in README.md ./
-# setup.py uses the version information in package.json
-COPY --chown=superset:superset superset-frontend/package.json superset-frontend/
-COPY --chown=superset:superset requirements/base.txt requirements/
-COPY --chown=superset:superset scripts/check-env.py scripts/
-RUN --mount=type=cache,target=/root/.cache/pip \
-    apt-get update -qq && apt-get install -yqq --no-install-recommends \
-      build-essential \
-    && pip install --no-cache-dir --upgrade setuptools pip \
-    && pip install --no-cache-dir -r requirements/base.txt \
-    && apt-get autoremove -yqq --purge build-essential \
-    && rm -rf /var/lib/apt/lists/*
+RUN useradd --user-group -d ${SUPERSET_HOME} -m --no-log-init --shell /bin/bash superset

-# Copy the compiled frontend assets
-COPY --chown=superset:superset --from=superset-node /app/superset/static/assets superset/static/assets
+# Some bash scripts needed throughout the layers
+COPY --chmod=755 docker/*.sh /app/docker/

-## Lastly, let's install superset itself
-COPY --chown=superset:superset superset superset
-RUN --mount=type=cache,target=/root/.cache/pip \
-    pip install --no-cache-dir -e .
+RUN pip install --no-cache-dir --upgrade uv

-# Copy the .json translations from the frontend layer
-COPY --chown=superset:superset --from=superset-node /app/superset/translations superset/translations
+# Using uv as it's faster/simpler than pip
+RUN uv venv /app/.venv
+ENV PATH="/app/.venv/bin:${PATH}"

-# Compile translations for the backend - this generates .mo files, then deletes the .po files
-COPY ./scripts/translations/generate_mo_files.sh ./scripts/translations/
-RUN if [ "$BUILD_TRANSLATIONS" = "true" ]; then \
-        ./scripts/translations/generate_mo_files.sh \
-        && chown -R superset:superset superset/translations \
-        && rm superset/translations/messages.pot \
-        && rm superset/translations/*/LC_MESSAGES/*.po; \
+# Install Playwright and optionally setup headless browsers
+ARG INCLUDE_CHROMIUM="true"
+ARG INCLUDE_FIREFOX="false"
+RUN --mount=type=cache,target=/root/.cache/uv\
+    if [ "$INCLUDE_CHROMIUM" = "true" ] || [ "$INCLUDE_FIREFOX" = "true" ]; then \
+        uv pip install playwright && \
+        playwright install-deps && \
+        if [ "$INCLUDE_CHROMIUM" = "true" ]; then playwright install chromium; fi && \
+        if [ "$INCLUDE_FIREFOX" = "true" ]; then playwright install firefox; fi; \
    else \
-        echo "Skipping translations as requested by build flag"; \
+        echo "Skipping browser installation"; \
    fi

-COPY --chmod=755 ./docker/run-server.sh /usr/bin/
-USER superset
+######################################################################
+# Python translation compiler layer
+######################################################################
+FROM python-base AS python-translation-compiler
+
+# Install Python dependencies using docker/pip-install.sh
+COPY requirements/translations.txt requirements/
+RUN --mount=type=cache,target=/root/.cache/uv \
+    /app/docker/pip-install.sh --requires-build-essential -r requirements/translations.txt
+
+COPY superset/translations/ /app/translations_mo/
+RUN if [ "$BUILD_TRANSLATIONS" = "true" ]; then \
+        pybabel compile -d /app/translations_mo | true; \
+    fi; \
+    rm -f /app/translations_mo/*/*/*.po; \
+    rm -f /app/translations_mo/*/*/*.json;
+
+######################################################################
+# Python APP common layer
+######################################################################
+FROM python-base AS python-common
+# Copy the entrypoints, make them executable in userspace
+COPY --chmod=755 docker/entrypoints /app/docker/entrypoints
+
+WORKDIR /app
+# Set up necessary directories and user
+RUN mkdir -p \
+      ${SUPERSET_HOME} \
+      ${PYTHONPATH} \
+      superset/static \
+      requirements \
+      superset-frontend \
+      apache_superset.egg-info \
+      requirements \
+    && touch superset/static/version_info.json
+
+# Copy required files for Python build
+COPY pyproject.toml setup.py MANIFEST.in README.md ./
+COPY superset-frontend/package.json superset-frontend/
+COPY scripts/check-env.py scripts/
+
+# keeping for backward compatibility
+COPY --chmod=755 ./docker/entrypoints/run-server.sh /usr/bin/
+
+# Some debian libs
+RUN /app/docker/apt-install.sh \
+      curl \
+      libsasl2-dev \
+      libsasl2-modules-gssapi-mit \
+      libpq-dev \
+      libecpg-dev \
+      libldap2-dev
+
+# Copy compiled things from previous stages
+COPY --from=superset-node /app/superset/static/assets superset/static/assets
+
+# TODO, when the next version comes out, use --exclude superset/translations
+COPY superset superset
+# TODO in the meantime, remove the .po files
+RUN rm superset/translations/*/*/*.po
+
+# Merging translations from backend and frontend stages
+COPY --from=superset-node /app/superset/translations superset/translations
+COPY --from=python-translation-compiler /app/translations_mo superset/translations

 HEALTHCHECK CMD curl -f "http://localhost:${SUPERSET_PORT}/health"
-
+CMD ["/app/docker/entrypoints/run-server.sh"]
 EXPOSE ${SUPERSET_PORT}

-CMD ["/usr/bin/run-server.sh"]
+######################################################################
+# Final lean image...
+######################################################################
+FROM python-common AS lean
+
+# Install Python dependencies using docker/pip-install.sh
+COPY requirements/base.txt requirements/
+RUN --mount=type=cache,target=/root/.cache/uv \
+    /app/docker/pip-install.sh --requires-build-essential -r requirements/base.txt
+# Install the superset package
+RUN --mount=type=cache,target=/root/.cache/uv \
+    uv pip install .
+
+RUN python -m compileall /app/superset
+
+USER superset

 ######################################################################
 # Dev image...
 ######################################################################
-FROM lean AS dev
+FROM python-common AS dev

-USER root
-RUN apt-get update -qq \
-    && apt-get install -yqq --no-install-recommends \
-        libnss3 \
-        libdbus-glib-1-2 \
-        libgtk-3-0 \
-        libx11-xcb1 \
-        libasound2 \
-        libxtst6 \
-        git \
-        pkg-config \
-        && rm -rf /var/lib/apt/lists/*
+# Debian libs needed for dev
+RUN /app/docker/apt-install.sh \
+    git \
+    pkg-config \
+    default-libmysqlclient-dev

-RUN --mount=type=cache,target=/root/.cache/pip \
-    pip install --no-cache-dir playwright
-RUN playwright install-deps
+# Copy development requirements and install them
+COPY requirements/*.txt requirements/
+# Install Python dependencies using docker/pip-install.sh
+RUN --mount=type=cache,target=/root/.cache/uv \
+    /app/docker/pip-install.sh --requires-build-essential -r requirements/development.txt
+# Install the superset package
+RUN --mount=type=cache,target=/root/.cache/uv \
+    uv pip install .

-RUN if [ "$INCLUDE_CHROMIUM" = "true" ]; then \
-        playwright install chromium; \
-    else \
-        echo "Skipping translations in dev mode"; \
-    fi
-
-# Install GeckoDriver WebDriver
-ARG GECKODRIVER_VERSION=v0.34.0 \
-    FIREFOX_VERSION=125.0.3
-
-RUN if [ "$INCLUDE_FIREFOX" = "true" ]; then \
-        apt-get update -qq \
-        && apt-get install -yqq --no-install-recommends wget bzip2 \
-        && wget -q https://github.com/mozilla/geckodriver/releases/download/${GECKODRIVER_VERSION}/geckodriver-${GECKODRIVER_VERSION}-linux64.tar.gz -O - | tar xfz - -C /usr/local/bin \
-        && wget -q https://download-installer.cdn.mozilla.net/pub/firefox/releases/${FIREFOX_VERSION}/linux-x86_64/en-US/firefox-${FIREFOX_VERSION}.tar.bz2 -O - | tar xfj - -C /opt \
-        && ln -s /opt/firefox/firefox /usr/local/bin/firefox \
-        && apt-get autoremove -yqq --purge wget bzip2 && rm -rf /var/[log,tmp]/* /tmp/* /var/lib/apt/lists/*; \
-    fi
-
-# Installing mysql client os-level dependencies in dev image only because GPL
-RUN apt-get install -yqq --no-install-recommends \
-        default-libmysqlclient-dev \
-    && rm -rf /var/lib/apt/lists/*
-
-COPY --chown=superset:superset requirements/development.txt requirements/
-RUN --mount=type=cache,target=/root/.cache/pip \
-    apt-get update -qq && apt-get install -yqq --no-install-recommends \
-      build-essential \
-    && pip install --no-cache-dir -r requirements/development.txt \
-    && apt-get autoremove -yqq --purge build-essential \
-    && rm -rf /var/lib/apt/lists/*
+RUN python -m compileall /app/superset

 USER superset
+
 ######################################################################
 # CI image...
 ######################################################################
 FROM lean AS ci

-COPY --chown=superset:superset --chmod=755 ./docker/*.sh /app/docker/
-
-CMD ["/app/docker/docker-ci.sh"]
+CMD ["/app/docker/entrypoints/docker-ci.sh"]
--- a/3
+++ b/3
@@ -87,9 +87,6 @@ format: py-format js-format
 py-format: pre-commit
 	pre-commit run black --all-files

-py-lint: pre-commit
-	pylint -j 0 superset
-
 js-format:
 	cd superset-frontend; npm run prettier

--- a/README.md
+++ b/README.md
@@ -136,6 +136,7 @@ Here are some of the major database solutions that are supported:
  <img src="https://superset.apache.org/img/databases/oceanbase.svg" alt="oceanbase" border="0" width="220" />
  <img src="https://superset.apache.org/img/databases/sap-hana.png" alt="oceanbase" border="0" width="220" />
  <img src="https://superset.apache.org/img/databases/denodo.png" alt="denodo" border="0" width="200" />
+  <img src="https://superset.apache.org/img/databases/ydb.svg" alt="ydb" border="0" width="200" />
 </p>

 **A more comprehensive list of supported databases** along with the configuration instructions can be found [here](https://superset.apache.org/docs/configuration/databases).
--- a/RELEASING/changelog.py
+++ b/RELEASING/changelog.py
@@ -272,14 +272,14 @@ class GitLogs:

    @staticmethod
    def _git_get_current_head() -> str:
-        output = os.popen("git status | head -1").read()
+        output = os.popen("git status | head -1").read()  # noqa: S605, S607
        match = re.match("(?:HEAD detached at|On branch) (.*)", output)
        if not match:
            return ""
        return match.group(1)

    def _git_checkout(self, git_ref: str) -> None:
-        os.popen(f"git checkout {git_ref}").read()
+        os.popen(f"git checkout {git_ref}").read()  # noqa: S605
        current_head = self._git_get_current_head()
        if current_head != git_ref:
            print(f"Could not checkout {git_ref}")
@@ -290,7 +290,7 @@ class GitLogs:
        current_git_ref = self._git_get_current_head()
        self._git_checkout(self._git_ref)
        output = (
-            os.popen('git --no-pager log --pretty=format:"%h|%an|%ae|%ad|%s|"')
+            os.popen('git --no-pager log --pretty=format:"%h|%an|%ae|%ad|%s|"')  # noqa: S605, S607
            .read()
            .split("\n")
        )
--- a/RELEASING/generate_email.py
+++ b/RELEASING/generate_email.py
@@ -31,7 +31,7 @@ except ModuleNotFoundError:
 RECEIVER_EMAIL = "dev@superset.apache.org"
 PROJECT_NAME = "Superset"
 PROJECT_MODULE = "superset"
-PROJECT_DESCRIPTION = "Apache Superset is a modern, enterprise-ready business intelligence web application."
+PROJECT_DESCRIPTION = "Apache Superset is a modern, enterprise-ready business intelligence web application."  # noqa: E501


 def string_comma_to_list(message: str) -> list[str]:
--- a/RELEASING/verify_release.py
+++ b/RELEASING/verify_release.py
@@ -23,12 +23,12 @@ from typing import Optional

 import requests

-# Part 1: Verify SHA512 hash - this is the same as running `shasum -a 512 {release}` and comparing it against `{release}.sha512`
+# Part 1: Verify SHA512 hash - this is the same as running `shasum -a 512 {release}` and comparing it against `{release}.sha512`  # noqa: E501


 def get_sha512_hash(filename: str) -> str:
    """Run the shasum command on the file and return the SHA512 hash."""
-    result = subprocess.run(["shasum", "-a", "512", filename], stdout=subprocess.PIPE)
+    result = subprocess.run(["shasum", "-a", "512", filename], stdout=subprocess.PIPE)  # noqa: S603, S607
    sha512_hash = result.stdout.decode().split()[0]
    return sha512_hash

@@ -43,7 +43,7 @@ def read_sha512_file(filename: str) -> str:


 def verify_sha512(filename: str) -> str:
-    """Verify if the SHA512 hash of the file matches with the hash in the .sha512 file."""
+    """Verify if the SHA512 hash of the file matches with the hash in the .sha512 file."""  # noqa: E501
    sha512_hash = get_sha512_hash(filename)
    sha512_file_content = read_sha512_file(filename)

@@ -53,14 +53,15 @@ def verify_sha512(filename: str) -> str:
        return "SHA failed"


-# Part 2: Verify RSA key - this is the same as running `gpg --verify {release}.asc {release}` and comparing the RSA key and email address against the KEYS file
+# Part 2: Verify RSA key - this is the same as running `gpg --verify {release}.asc {release}` and comparing the RSA key and email address against the KEYS file  # noqa: E501


 def get_gpg_info(filename: str) -> tuple[Optional[str], Optional[str]]:
    """Run the GPG verify command and extract RSA key and email address."""
    asc_filename = filename + ".asc"
-    result = subprocess.run(
-        ["gpg", "--verify", asc_filename, filename], capture_output=True
+    result = subprocess.run(  # noqa: S603
+        ["gpg", "--verify", asc_filename, filename],  # noqa: S607
+        capture_output=True,  # noqa: S607
    )
    output = result.stderr.decode()

@@ -90,7 +91,7 @@ def get_gpg_info(filename: str) -> tuple[Optional[str], Optional[str]]:
 def verify_key(key: str, email: Optional[str]) -> str:
    """Fetch the KEYS file and verify if the RSA/EDDSA key and email match."""
    url = "https://downloads.apache.org/superset/KEYS"
-    response = requests.get(url)
+    response = requests.get(url)  # noqa: S113
    if response.status_code == 200:
        if key not in response.text:
            return "RSA/EDDSA key not found on KEYS page"
--- a/RESOURCES/FEATURE_FLAGS.md
+++ b/RESOURCES/FEATURE_FLAGS.md
@@ -44,7 +44,6 @@ These features are **finished** but currently being tested. They are usable, but
 - ALLOW_FULL_CSV_EXPORT
 - CACHE_IMPERSONATION
 - CONFIRM_DASHBOARD_DIFF
- DRILL_TO_DETAIL
 - DYNAMIC_PLUGINS
 - ENABLE_SUPERSET_META_DB: [(docs)](https://superset.apache.org/docs/configuration/databases/#querying-across-databases)
 - ESTIMATE_QUERY_COST
@@ -99,5 +98,6 @@ These features flags currently default to True and **will be removed in a future

 - AVOID_COLORS_COLLISION
 - DASHBOARD_CROSS_FILTERS
+- DRILL_TO_DETAIL
 - ENABLE_JAVASCRIPT_CONTROLS
 - KV_STORE
--- a/RESOURCES/INTHEWILD.md
+++ b/RESOURCES/INTHEWILD.md
@@ -43,10 +43,12 @@ Join our growing community!
 - [Capital Service S.A.](https://capitalservice.pl) [@pkonarzewski]
 - [Clark.de](https://clark.de/)
 - [KarrotPay](https://www.daangnpay.com/)
+- [Remita](https://remita.net) [@mujibishola]
 - [Taveo](https://www.taveo.com) [@codek]
 - [Unit](https://www.unit.co/about-us) [@amitmiran137]
 - [Wise](https://wise.com) [@koszti]
 - [Xendit](https://xendit.co/) [@LieAlbertTriAdrian]
+- [Cover Genius](https://covergenius.com/)

 ### Gaming
 - [Popoko VM Games Studio](https://popoko.live)
@@ -59,18 +61,21 @@ Join our growing community!
 - [Fanatics](https://www.fanatics.com/) [@coderfender]
 - [Fordeal](https://www.fordeal.com) [@Renkai]
 - [GFG - Global Fashion Group](https://global-fashion-group.com) [@ksaagariconic]
+- [GoTo/Gojek](https://www.gojek.io/) [@gwthm-in]
 - [HuiShouBao](https://www.huishoubao.com/) [@Yukinoshita-Yukino]
 - [Now](https://www.now.vn/) [@davidkohcw]
 - [Qunar](https://www.qunar.com/) [@flametest]
 - [Rakuten Viki](https://www.viki.com)
 - [Shopee](https://shopee.sg) [@xiaohanyu]
 - [Shopkick](https://www.shopkick.com) [@LAlbertalli]
+- [ShopUp](https://www.shopup.org/) [@gwthm-in]
 - [Tails.com](https://tails.com/gb/) [@alanmcruickshank]
 - [THE ICONIC](https://theiconic.com.au/) [@ksaagariconic]
 - [Utair](https://www.utair.ru) [@utair-digital]
 - [VkusVill](https://vkusvill.ru/) [@ETselikov]
 - [Zalando](https://www.zalando.com) [@dmigo]
 - [Zalora](https://www.zalora.com) [@ksaagariconic]
+- [Zepto](https://www.zeptonow.com/) [@gwthm-in]

 ### Enterprise Technology
 - [A3Data](https://a3data.com.br) [@neylsoncrepalde]
@@ -79,7 +84,7 @@ Join our growing community!
 - [Astronomer](https://www.astronomer.io) [@ryw]
 - [Avesta Technologies](https://avestatechnologies.com/) [@TheRum]
 - [Caizin](https://caizin.com/) [@tejaskatariya]
- [Careem](https://www.careem.com/) [@SamraHanifCareem]
+- [Careem](https://www.careem.com/) [@samraHanif0340]
 - [Cloudsmith](https://cloudsmith.io) [@alancarson]
 - [Cyberhaven](https://www.cyberhaven.com/) [@toliver-ch]
 - [Deepomatic](https://deepomatic.com/) [@Zanoellia]
@@ -119,6 +124,7 @@ Join our growing community!
 - [Tobii](https://www.tobii.com/) [@dwa]
 - [Tooploox](https://www.tooploox.com/) [@jakubczaplicki]
 - [Unvired](https://unvired.com) [@srinisubramanian]
+- [Virtuoso QA](https://www.virtuosoqa.com)
 - [Whale](https://whale.im)
 - [Windsor.ai](https://www.windsor.ai/) [@octaviancorlade]
 - [Zeta](https://www.zeta.tech/) [@shaikidris]
@@ -138,6 +144,7 @@ Join our growing community!
 ### Education
 - [Aveti Learning](https://avetilearning.com/) [@TheShubhendra]
 - [Brilliant.org](https://brilliant.org/)
+- [Open edX](https://openedx.org/)
 - [Platzi.com](https://platzi.com/)
 - [Sunbird](https://www.sunbird.org/) [@eksteporg]
 - [The GRAPH Network](https://thegraphnetwork.org/) [@fccoelho]
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -23,10 +23,15 @@ This file documents any backwards-incompatible changes in Superset and
 assists people when migrating to a new version.

 ## Next
-
+- [31774](https://github.com/apache/superset/pull/31774): Fixes the spelling of the `USE-ANALAGOUS-COLORS` feature flag. Please update any scripts/configuration item to use the new/corrected `USE-ANALOGOUS-COLORS` flag spelling.
+- [31582](https://github.com/apache/superset/pull/31582) Removed the legacy Area, Bar, Event Flow, Heatmap, Histogram, Line, Sankey, and Sankey Loop charts. They were all automatically migrated to their ECharts counterparts with the exception of the Event Flow and Sankey Loop charts which were removed as they were not actively maintained and not widely used. If you were using the Event Flow or Sankey Loop charts, you will need to find an alternative solution.
+- [31198](https://github.com/apache/superset/pull/31198) Disallows by default the use of the following ClickHouse functions: "version", "currentDatabase", "hostName".
 - [29798](https://github.com/apache/superset/pull/29798) Since 3.1.0, the intial schedule for an alert or report was mistakenly offset by the specified timezone's relation to UTC. The initial schedule should now begin at the correct time.
 - [30021](https://github.com/apache/superset/pull/30021) The `dev` layer in our Dockerfile no long includes firefox binaries, only Chromium to reduce bloat/docker-build-time.
 - [30099](https://github.com/apache/superset/pull/30099) Translations are no longer included in the default docker image builds. If your environment requires translations, you'll want to set the docker build arg `BUILD_TRANSACTION=true`.
+- [31262](https://github.com/apache/superset/pull/31262) NOTE: deprecated `pylint` in favor of `ruff` as our only python linter. Only affect development workflows positively (not the release itself). It should cover most important rules, be much faster, but some things linting rules that were enforced before may not be enforce in the exact same way as before.
+- [31173](https://github.com/apache/superset/pull/31173) Modified `fetch_csrf_token` to align with HTTP standards, particularly regarding how cookies are handled. If you encounter any issues related to CSRF functionality, please report them as a new issue and reference this PR for context.
+- [31385](https://github.com/apache/superset/pull/31385) Significant docker refactor, reducing access levels for the `superset` user, streamlining layer building, ...

 ### Potential Downtime

--- a/docker-compose-image-tag.yml
+++ b/docker-compose-image-tag.yml
@@ -22,9 +22,6 @@
 # unique random secure passwords and SECRET_KEY.
 # -----------------------------------------------------------------------
 x-superset-image: &superset-image apachesuperset.docker.scarf.sh/apache/superset:${TAG:-latest-dev}
-x-superset-depends-on: &superset-depends-on
-  - db
-  - redis
 x-superset-volumes:
  &superset-volumes # /app/pythonpath_docker will be appended to the PYTHONPATH in the final container
  - ./docker:/app/docker
@@ -64,8 +61,12 @@ services:
    restart: unless-stopped
    ports:
      - 8088:8088
-    depends_on: *superset-depends-on
+    depends_on:
+      superset-init:
+        condition: service_completed_successfully
    volumes: *superset-volumes
+    environment:
+      SUPERSET_LOG_LEVEL: "${SUPERSET_LOG_LEVEL:-info}"

  superset-init:
    image: *superset-image
@@ -76,11 +77,18 @@ services:
        required: true
      - path: docker/.env-local # optional override
        required: false
-    depends_on: *superset-depends-on
+    depends_on:
+      db:
+        condition: service_started
+      redis:
+        condition: service_started
    user: "root"
    volumes: *superset-volumes
    healthcheck:
      disable: true
+    environment:
+      SUPERSET_LOAD_EXAMPLES: "${SUPERSET_LOAD_EXAMPLES:-yes}"
+      SUPERSET_LOG_LEVEL: "${SUPERSET_LOG_LEVEL:-info}"

  superset-worker:
    image: *superset-image
@@ -92,7 +100,9 @@ services:
      - path: docker/.env-local # optional override
        required: false
    restart: unless-stopped
-    depends_on: *superset-depends-on
+    depends_on:
+      superset-init:
+        condition: service_completed_successfully
    user: "root"
    volumes: *superset-volumes
    healthcheck:
@@ -101,6 +111,8 @@ services:
          "CMD-SHELL",
          "celery -A superset.tasks.celery_app:app inspect ping -d celery@$$HOSTNAME",
        ]
+    environment:
+      SUPERSET_LOG_LEVEL: "${SUPERSET_LOG_LEVEL:-info}"

  superset-worker-beat:
    image: *superset-image
@@ -112,11 +124,15 @@ services:
      - path: docker/.env-local # optional override
        required: false
    restart: unless-stopped
-    depends_on: *superset-depends-on
+    depends_on:
+      superset-init:
+        condition: service_completed_successfully
    user: "root"
    volumes: *superset-volumes
    healthcheck:
      disable: true
+    environment:
+      SUPERSET_LOG_LEVEL: "${SUPERSET_LOG_LEVEL:-info}"

 volumes:
  superset_home:
--- a/docker-compose-non-dev.yml
+++ b/docker-compose-non-dev.yml
@@ -21,9 +21,6 @@
 # create you own docker environment file (docker/.env) with your own
 # unique random secure passwords and SECRET_KEY.
 # -----------------------------------------------------------------------
-x-superset-depends-on: &superset-depends-on
-  - db
-  - redis
 x-superset-volumes:
  &superset-volumes # /app/pythonpath_docker will be appended to the PYTHONPATH in the final container
  - ./docker:/app/docker
@@ -70,8 +67,12 @@ services:
    restart: unless-stopped
    ports:
      - 8088:8088
-    depends_on: *superset-depends-on
+    depends_on:
+      superset-init:
+        condition: service_completed_successfully
    volumes: *superset-volumes
+    environment:
+      SUPERSET_LOG_LEVEL: "${SUPERSET_LOG_LEVEL:-info}"

  superset-init:
    container_name: superset_init
@@ -83,11 +84,18 @@ services:
        required: true
      - path: docker/.env-local # optional override
        required: false
-    depends_on: *superset-depends-on
+    depends_on:
+      db:
+        condition: service_started
+      redis:
+        condition: service_started
    user: "root"
    volumes: *superset-volumes
    healthcheck:
      disable: true
+    environment:
+      SUPERSET_LOAD_EXAMPLES: "${SUPERSET_LOAD_EXAMPLES:-yes}"
+      SUPERSET_LOG_LEVEL: "${SUPERSET_LOG_LEVEL:-info}"

  superset-worker:
    build:
@@ -100,7 +108,9 @@ services:
      - path: docker/.env-local # optional override
        required: false
    restart: unless-stopped
-    depends_on: *superset-depends-on
+    depends_on:
+      superset-init:
+        condition: service_completed_successfully
    user: "root"
    volumes: *superset-volumes
    healthcheck:
@@ -109,6 +119,8 @@ services:
          "CMD-SHELL",
          "celery -A superset.tasks.celery_app:app inspect ping -d celery@$$HOSTNAME",
        ]
+    environment:
+      SUPERSET_LOG_LEVEL: "${SUPERSET_LOG_LEVEL:-info}"

  superset-worker-beat:
    build:
@@ -121,11 +133,15 @@ services:
      - path: docker/.env-local # optional override
        required: false
    restart: unless-stopped
-    depends_on: *superset-depends-on
+    depends_on:
+      superset-init:
+        condition: service_completed_successfully
    user: "root"
    volumes: *superset-volumes
    healthcheck:
      disable: true
+    environment:
+      SUPERSET_LOG_LEVEL: "${SUPERSET_LOG_LEVEL:-info}"

 volumes:
  superset_home:
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -22,10 +22,6 @@
 # unique random secure passwords and SECRET_KEY.
 # -----------------------------------------------------------------------
 x-superset-user: &superset-user root
-x-superset-depends-on: &superset-depends-on
-  - db
-  - redis
-  - superset-checks
 x-superset-volumes: &superset-volumes
  # /app/pythonpath_docker will be appended to the PYTHONPATH in the final container
  - ./docker:/app/docker
@@ -36,11 +32,14 @@ x-superset-volumes: &superset-volumes

 x-common-build: &common-build
  context: .
-  target: dev
+  target: ${SUPERSET_BUILD_TARGET:-dev} # can use `dev` (default) or `lean`
  cache_from:
    - apache/superset-cache:3.10-slim-bookworm
  args:
    DEV_MODE: "true"
+    INCLUDE_CHROMIUM: ${INCLUDE_CHROMIUM:-false}
+    INCLUDE_FIREFOX: ${INCLUDE_FIREFOX:-false}
+    BUILD_TRANSLATIONS: ${BUILD_TRANSLATIONS:-false}

 services:
  nginx:
@@ -93,10 +92,13 @@ services:
    extra_hosts:
      - "host.docker.internal:host-gateway"
    user: *superset-user
-    depends_on: *superset-depends-on
+    depends_on:
+      superset-init:
+        condition: service_completed_successfully
    volumes: *superset-volumes
    environment:
      CYPRESS_CONFIG: "${CYPRESS_CONFIG:-}"
+      SUPERSET_LOG_LEVEL: "${SUPERSET_LOG_LEVEL:-info}"

  superset-websocket:
    container_name: superset_websocket
@@ -131,23 +133,6 @@ services:
      - REDIS_PORT=6379
      - REDIS_SSL=false

-  superset-checks:
-    build:
-      context: .
-      target: python-base
-      cache_from:
-        - apache/superset-cache:3.10-slim-bookworm
-    container_name: superset_checks
-    command: ["/app/scripts/check-env.py"]
-    env_file:
-      - path: docker/.env # default
-        required: true
-      - path: docker/.env-local # optional override
-        required: false
-    user: *superset-user
-    healthcheck:
-      disable: true
-
  superset-init:
    build:
      <<: *common-build
@@ -158,11 +143,17 @@ services:
        required: true
      - path: docker/.env-local # optional override
        required: false
-    depends_on: *superset-depends-on
+    depends_on:
+      db:
+        condition: service_started
+      redis:
+        condition: service_started
    user: *superset-user
    volumes: *superset-volumes
    environment:
      CYPRESS_CONFIG: "${CYPRESS_CONFIG:-}"
+      SUPERSET_LOAD_EXAMPLES: "${SUPERSET_LOAD_EXAMPLES:-yes}"
+      SUPERSET_LOG_LEVEL: "${SUPERSET_LOG_LEVEL:-info}"
    healthcheck:
      disable: true

@@ -175,10 +166,12 @@ services:
        # and build it on startup while firing docker-frontend.sh in dev mode, where
        # it'll mount and watch local files and rebuild as you update them
        DEV_MODE: "true"
+        BUILD_TRANSLATIONS: ${BUILD_TRANSLATIONS:-false}
    environment:
      # set this to false if you have perf issues running the npm i; npm run dev in-docker
      # if you do so, you have to run this manually on the host, which should perform better!
      BUILD_SUPERSET_FRONTEND_IN_DOCKER: true
+      NPM_RUN_PRUNE: false
      SCARF_ANALYTICS: "${SCARF_ANALYTICS:-}"
    container_name: superset_node
    command: ["/app/docker/docker-frontend.sh"]
@@ -187,7 +180,6 @@ services:
        required: true
      - path: docker/.env-local # optional override
        required: false
-    depends_on: *superset-depends-on
    volumes: *superset-volumes

  superset-worker:
@@ -202,8 +194,12 @@ services:
        required: false
    environment:
      CELERYD_CONCURRENCY: 2
+      CYPRESS_CONFIG: "${CYPRESS_CONFIG:-}"
+      SUPERSET_LOG_LEVEL: "${SUPERSET_LOG_LEVEL:-info}"
    restart: unless-stopped
-    depends_on: *superset-depends-on
+    depends_on:
+      superset-init:
+        condition: service_completed_successfully
    user: *superset-user
    volumes: *superset-volumes
    extra_hosts:
@@ -225,11 +221,15 @@ services:
      - path: docker/.env-local # optional override
        required: false
    restart: unless-stopped
-    depends_on: *superset-depends-on
+    depends_on:
+      - superset-worker
    user: *superset-user
    volumes: *superset-volumes
    healthcheck:
      disable: true
+    environment:
+      CYPRESS_CONFIG: "${CYPRESS_CONFIG:-}"
+      SUPERSET_LOG_LEVEL: "${SUPERSET_LOG_LEVEL:-info}"

  superset-tests-worker:
    build:
@@ -250,8 +250,11 @@ services:
      REDIS_RESULTS_DB: 3
      REDIS_HOST: localhost
      CELERYD_CONCURRENCY: 8
+      SUPERSET_LOG_LEVEL: "${SUPERSET_LOG_LEVEL:-info}"
    network_mode: host
-    depends_on: *superset-depends-on
+    depends_on:
+      superset-init:
+        condition: service_completed_successfully
    user: *superset-user
    volumes: *superset-volumes
    healthcheck:
--- a/docker/.env
+++ b/docker/.env
@@ -15,8 +15,11 @@
 # limitations under the License.
 #

+# Allowing python to print() in docker
+PYTHONUNBUFFERED=1

 COMPOSE_PROJECT_NAME=superset
+DEV_MODE=true

 # database configurations (do not modify)
 DATABASE_DB=superset
@@ -63,3 +66,4 @@ SUPERSET_SECRET_KEY=TEST_NON_DEV_SECRET
 ENABLE_PLAYWRIGHT=false
 PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true
 BUILD_SUPERSET_FRONTEND_IN_DOCKER=true
+SUPERSET_LOG_LEVEL=info
--- a/docker/apt-install.sh
+++ b/docker/apt-install.sh
@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+set -euo pipefail
+
+# Ensure this script is run as root
+if [[ $EUID -ne 0 ]]; then
+  echo "This script must be run as root" >&2
+  exit 1
+fi
+
+# Check for required arguments
+if [[ $# -lt 1 ]]; then
+  echo "Usage: $0 <package1> [<package2> ...]" >&2
+  exit 1
+fi
+
+# Colors for better logging (optional)
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+RESET='\033[0m'
+
+# Install packages with clean-up
+echo -e "${GREEN}Updating package lists...${RESET}"
+apt-get update -qq
+
+echo -e "${GREEN}Installing packages: $@${RESET}"
+apt-get install -yqq --no-install-recommends "$@"
+
+echo -e "${GREEN}Autoremoving unnecessary packages...${RESET}"
+apt-get autoremove -y
+
+echo -e "${GREEN}Cleaning up package cache and metadata...${RESET}"
+apt-get clean
+rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/* /tmp/* /var/tmp/*
+
+echo -e "${GREEN}Installation and cleanup complete.${RESET}"
--- a/docker/docker-bootstrap.sh
+++ b/docker/docker-bootstrap.sh
@@ -18,6 +18,13 @@

 set -eo pipefail

+# Make python interactive
+if [ "$DEV_MODE" == "true" ]; then
+    if command -v uv > /dev/null 2>&1; then
+      echo "Reinstalling the app in editable mode"
+      uv pip install -e .
+    fi
+fi
 REQUIREMENTS_LOCAL="/app/docker/requirements-local.txt"
 # If Cypress run – overwrite the password for admin and export env variables
 if [ "$CYPRESS_CONFIG" == "true" ]; then
@@ -25,12 +32,22 @@ if [ "$CYPRESS_CONFIG" == "true" ]; then
    export SUPERSET_TESTENV=true
    export SUPERSET__SQLALCHEMY_DATABASE_URI=postgresql+psycopg2://superset:superset@db:5432/superset
 fi
+if [[ "$DATABASE_DIALECT" == postgres* ]] ; then
+    echo "Installing postgres requirements"
+    if command -v uv > /dev/null 2>&1; then
+        # Use uv in newer images
+        uv pip install -e .[postgres]
+    else
+        # Use pip in older images
+        pip install -e .[postgres]
+    fi
+fi
 #
 # Make sure we have dev requirements installed
 #
 if [ -f "${REQUIREMENTS_LOCAL}" ]; then
  echo "Installing local overrides at ${REQUIREMENTS_LOCAL}"
-  pip install --no-cache-dir -r "${REQUIREMENTS_LOCAL}"
+  uv pip install --no-cache-dir -r "${REQUIREMENTS_LOCAL}"
 else
  echo "Skipping local overrides"
 fi
--- a/docker/docker-frontend.sh
+++ b/docker/docker-frontend.sh
@@ -27,10 +27,15 @@ if [ "$BUILD_SUPERSET_FRONTEND_IN_DOCKER" = "true" ]; then
    echo "Building Superset frontend in dev mode inside docker container"
    cd /app/superset-frontend

+    if [ "$NPM_RUN_PRUNE" = "true" ]; then
+        echo "Running `npm run prune`"
+        npm run prune
+    fi
+
    echo "Running `npm install`"
    npm install

-    echo "Running frontend"
+    echo "Start webpack dev server"
    npm run dev

 else
--- a/docker/docker-init.sh
+++ b/docker/docker-init.sh
@@ -76,7 +76,7 @@ if [ "$SUPERSET_LOAD_EXAMPLES" = "yes" ]; then
        superset load_test_users
        superset load_examples --load-test-data
    else
-        superset load_examples --force
+        superset load_examples
    fi
    echo_step "4" "Complete" "Loading examples"
 fi
--- a/docker/entrypoints/docker-ci.sh
+++ b/docker/entrypoints/docker-ci.sh
--- a/docker/entrypoints/run-server.sh
+++ b/docker/entrypoints/run-server.sh
--- a/docker/pip-install.sh
+++ b/docker/pip-install.sh
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+set -euo pipefail
+
+# Default flag
+REQUIRES_BUILD_ESSENTIAL=false
+USE_CACHE=true
+
+# Filter arguments
+ARGS=()
+for arg in "$@"; do
+  case "$arg" in
+    --requires-build-essential)
+      REQUIRES_BUILD_ESSENTIAL=true
+      ;;
+    --no-cache)
+      USE_CACHE=false
+      ;;
+    *)
+      ARGS+=("$arg")
+      ;;
+  esac
+done
+
+# Install build-essential if required
+if $REQUIRES_BUILD_ESSENTIAL; then
+  echo "Installing build-essential for package builds..."
+  apt-get update -qq \
+    && apt-get install -yqq --no-install-recommends build-essential
+fi
+
+# Choose whether to use pip cache
+if $USE_CACHE; then
+  echo "Using pip cache..."
+  uv pip install "${ARGS[@]}"
+else
+  echo "Disabling pip cache..."
+  uv pip install --no-cache-dir "${ARGS[@]}"
+fi
+
+# Remove build-essential if it was installed
+if $REQUIRES_BUILD_ESSENTIAL; then
+  echo "Removing build-essential to keep the image lean..."
+  apt-get autoremove -yqq --purge build-essential \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*
+fi
+
+echo "Python packages installed successfully."
--- a/docker/pythonpath_dev/superset_config.py
+++ b/docker/pythonpath_dev/superset_config.py
@@ -99,11 +99,14 @@ CELERY_CONFIG = CeleryConfig

 FEATURE_FLAGS = {"ALERT_REPORTS": True}
 ALERT_REPORTS_NOTIFICATION_DRY_RUN = True
-WEBDRIVER_BASEURL = "http://superset:8088/"  # When using docker compose baseurl should be http://superset_app:8088/
+WEBDRIVER_BASEURL = "http://superset:8088/"  # When using docker compose baseurl should be http://superset_app:8088/  # noqa: E501
 # The base URL for the email report hyperlinks.
 WEBDRIVER_BASEURL_USER_FRIENDLY = WEBDRIVER_BASEURL
 SQLLAB_CTAS_NO_LIMIT = True

+log_level_text = os.getenv("SUPERSET_LOG_LEVEL", "INFO")
+LOG_LEVEL = getattr(logging, log_level_text.upper(), logging.INFO)
+
 #
 # Optionally import superset_config_docker.py (which will have been included on
 # the PYTHONPATH) in order to allow for local settings to be overridden
--- a/docs/data/countries.json
+++ b/docs/data/countries.json
@@ -63,6 +63,7 @@
    "Fiji",
    "Finland",
    "France",
+    "France (with overseas)",
    "France (regions)",
    "French Polynesia",
    "Gabon",
--- a/docs/docs/configuration/alerts-reports.mdx
+++ b/docs/docs/configuration/alerts-reports.mdx
@@ -53,11 +53,14 @@ To send alerts and reports to Slack channels, you need to create a new Slack App
   - `incoming-webhook`
   - `files:write`
   - `chat:write`
+   - `channels:read`
+   - `groups:read`
 4. At the top of the "OAuth and Permissions" section, click "install to workspace".
 5. Select a default channel for your app and continue.
   (You can post to any channel by inviting your Superset app into that channel).
 6. The app should now be installed in your workspace, and a "Bot User OAuth Access Token" should have been created. Copy that token in the `SLACK_API_TOKEN` variable of your `superset_config.py`.
-7. Restart the service (or run `superset init`) to pull in the new configuration.
+7. Ensure the feature flag `ALERT_REPORT_SLACK_V2` is set to True in `superset_config.py`
+8. Restart the service (or run `superset init`) to pull in the new configuration.

 Note: when you configure an alert or a report, the Slack channel list takes channel names without the leading '#' e.g. use `alerts` instead of `#alerts`.

--- a/docs/docs/configuration/databases.mdx
+++ b/docs/docs/configuration/databases.mdx
@@ -81,6 +81,7 @@ are compatible with Superset.
 | [TimescaleDB](/docs/configuration/databases#timescaledb)                | `pip install psycopg2`                                                             | `postgresql://<UserName>:<DBPassword>@<Database Host>:<Port>/<Database Name>`                                                                          |
 | [Trino](/docs/configuration/databases#trino)                            | `pip install trino`                                                                | `trino://{username}:{password}@{hostname}:{port}/{catalog}`                                                                                            |
 | [Vertica](/docs/configuration/databases#vertica)                        | `pip install sqlalchemy-vertica-python`                                            | `vertica+vertica_python://<UserName>:<DBPassword>@<Database Host>/<Database Name>`                                                                     |
+| [YDB](/docs/configuration/databases#ydb)                                | `pip install ydb-sqlalchemy`                                                       | `ydb://{host}:{port}/{database_name}`                                                                                                                  |
 | [YugabyteDB](/docs/configuration/databases#yugabytedb)                  | `pip install psycopg2`                                                             | `postgresql://<UserName>:<DBPassword>@<Database Host>/<Database Name>`                                                                                 |
 ---

@@ -1537,6 +1538,78 @@ Other parameters:
 - Load Balancer - Backup Host


+
+#### YDB
+
+The recommended connector library for [YDB](https://ydb.tech/) is
+[ydb-sqlalchemy](https://pypi.org/project/ydb-sqlalchemy/).
+
+##### Connection String
+
+The connection string for YDB looks like this:
+
+```
+ydb://{host}:{port}/{database_name}
+```
+
+##### Protocol
+You can specify `protocol` in the `Secure Extra` field at `Advanced / Security`:
+
+```
+{
+    "protocol": "grpcs"
+}
+```
+
+Default is `grpc`.
+
+
+##### Authentication Methods
+###### Static Credentials
+To use `Static Credentials` you should provide `username`/`password` in the `Secure Extra` field at `Advanced / Security`:
+
+```
+{
+    "credentials": {
+        "username": "...",
+        "password": "..."
+    }
+}
+```
+
+
+###### Access Token Credentials
+To use `Access Token Credentials` you should provide `token` in the `Secure Extra` field at `Advanced / Security`:
+
+```
+{
+    "credentials": {
+        "token": "...",
+    }
+}
+```
+
+
+##### Service Account Credentials
+To use Service Account Credentials, you should provide `service_account_json` in the `Secure Extra` field at `Advanced / Security`:
+
+```
+{
+    "credentials": {
+        "service_account_json": {
+            "id": "...",
+            "service_account_id": "...",
+            "created_at": "...",
+            "key_algorithm": "...",
+            "public_key": "...",
+            "private_key": "..."
+        }
+    }
+}
+```
+
+
+
 #### YugabyteDB

 [YugabyteDB](https://www.yugabyte.com/) is a distributed SQL database built on top of PostgreSQL.
--- a/docs/docs/contributing/development.mdx
+++ b/docs/docs/contributing/development.mdx
@@ -32,7 +32,9 @@ cd superset
 Setting things up to squeeze a "hello world" into any part of Superset should be as simple as

 ```bash
-docker compose up
+# getting docker compose to fire up services, and rebuilding if some docker layers have changed
+# using the `--build` suffix may be slower and optional if layers like py dependencies haven't changed
+docker compose up --build
 ```

 Note that:
@@ -70,6 +72,42 @@ documentation.
 configured to be secure.
 :::

+
+### Supported environment variables
+
+Affecting the Docker build process:
+- **SUPERSET_BUILD_TARGET (default=dev):** which --target to build, either `lean` or `dev` are commonly used
+- **INCLUDE_FIREFOX (default=false):** whether to include the Firefox headless browser in the build
+- **INCLUDE_CHROMIUM (default=false):** whether to include the Firefox headless browser in the build
+- **BUILD_TRANSLATIONS(default=false):** whether to compile the translations from the .po files available
+- **SUPERSET_LOAD_EXAMPLES (default=yes):** whether to load the examples into the database upon startup,
+  save some precious time on startup by `SUPERSET_LOAD_EXAMPLES=no docker compose up`
+- **SUPERSET_LOG_LEVEL (default=info)**: Can be set to debug, info, warning, error, critical
+  for more verbose logging
+
+For more env vars that affect your configuration, see this
+[superset_config.py](https://github.com/apache/superset/blob/master/docker/pythonpath_dev/superset_config.py)
+used in the `docker compose` context to assign env vars to the superset configuration.
+
+
+### Nuking the postgres database
+
+At times, it's possible to end up with your development database in a bad state, it's
+common while switching branches that contain migrations for instance, where the database
+version stamp that `alembic` manages is no longer available after switching branch.
+
+In that case, the easy solution is to nuke the postgres db and start fresh. Note that the full
+state of the database will be gone after doing this, so be cautious.
+
+```bash
+# first stop docker-compose if it's running
+docker-compose down
+# delete the volume containing the database
+docker volume rm superset_db_home
+# restart docker-compose, which will init a fresh database and load examples
+docker-compose up
+```
+
 ## Installing Development Tools

 :::note
@@ -84,7 +122,8 @@ instance, but many people like to run that tooling from their host.

 Assuming you already have a way to setup your python environments
 like `pyenv`, `virtualenv` or something else, all you should have to
-do is to install our dev, pinned python requirements bundle
+do is to install our dev, pinned python requirements bundle, after installing
+the prerequisites mentioned in [OS Dependencies](https://superset.apache.org/docs/installation/pypi/#os-dependencies)

 ```bash
 pip install -r requirements/development.txt
@@ -222,19 +261,19 @@ If you add a new requirement or update an existing requirement (per the `install
 $ python3 -m venv venv
 $ source venv/bin/activate
 $ python3 -m pip install -r requirements/development.txt
-$ pip-compile-multi --no-upgrade
+$ ./scripts/uv-pip-compile.sh
 ```

-When upgrading the version number of a single package, you should run `pip-compile-multi` with the `-P` flag:
+When upgrading the version number of a single package, you should run `./scripts/uv-pip-compile.sh` with the `-P` flag:

 ```bash
-$ pip-compile-multi -P my-package
+$ ./scripts/uv-pip-compile.sh -P some-package-to-upgrade
 ```

-To bring all dependencies up to date as per the restrictions defined in `setup.py` and `requirements/*.in`, run pip-compile-multi` without any flags:
+To bring all dependencies up to date as per the restrictions defined in `setup.py` and `requirements/*.in`, run `./scripts/uv-pip-compile.sh --upgrade`

 ```bash
-$ pip-compile-multi
+$ ./scripts/uv-pip-compile.sh --upgrade
 ```

 This should be done periodically, but it is recommended to do thorough manual testing of the application to ensure no breaking changes have been introduced that aren't caught by the unit and integration tests.
@@ -455,86 +494,113 @@ pre-commit install

 A series of checks will now run when you make a git commit.

-Alternatively, it is possible to run pre-commit via tox:
-
-```bash
-tox -e pre-commit
-```
-
-Or by running pre-commit manually:
-
-```bash
-pre-commit run --all-files
-```

 ## Linting

-### Python
+See [how tos](/docs/contributing/howtos#linting)

-We use [Pylint](https://pylint.org/) for linting which can be invoked via:
+
+## GitHub Actions and `act`
+
+:::tip
+`act` compatibility of Superset's GHAs is not fully tested. Running `act` locally may or may not
+work for different actions, and may require fine tunning and local secret-handling.
+For those more intricate GHAs that are tricky to run locally, we recommend iterating
+directly on GHA's infrastructure, by pushing directly on a branch and monitoring GHA logs.
+For more targetted iteration, see the `gh workflow run --ref {BRANCH}` subcommand of the GitHub CLI.
+:::
+
+For automation and CI/CD, Superset makes extensive use of GitHub Actions (GHA). You
+can find all of the workflows and other assets under the `.github/` folder. This includes:
+- running the backend unit test suites (`tests/`)
+- running the frontend test suites (`superset-frontend/src/**.*.test.*`)
+- running our Cypress end-to-end tests (`superset-frontend/cypress-base/`)
+- linting the codebase, including all Python, Typescript and Javascript, yaml and beyond
+- checking for all sorts of other rules conventions
+
+When you open a pull request (PR), the appropriate GitHub Actions (GHA) workflows will
+automatically run depending on the changes in your branch. It's perfectly reasonable
+(and required!) to rely on this automation. However, the downside is that it's mostly an
+all-or-nothing approach and doesn't provide much control to target specific tests or
+iterate quickly.
+
+At times, it may be more convenient to run GHA workflows locally. For that purpose
+we use [act](https://github.com/nektos/act), a tool that allows you to run GitHub Actions (GHA)
+workflows locally. It simulates the GitHub Actions environment, enabling developers to
+test and debug workflows on their local machines before pushing changes to the repository. More
+on how to use it in the next section.
+
+:::note
+In both GHA and `act`, we can run a more complex matrix for our tests, executing against different
+database engines (PostgreSQL, MySQL, SQLite) and different versions of Python.
+This enables us to ensure compatibility and stability across various environments.
+:::
+
+### Using `act`
+
+First, install `act` -> https://nektosact.com/
+
+To list the workflows, simply:

 ```bash
-# for python
-tox -e pylint
+act --list
 ```

-In terms of best practices please avoid blanket disabling of Pylint messages globally (via `.pylintrc`) or top-level within the file header, albeit there being a few exceptions. Disabling should occur inline as it prevents masking issues and provides context as to why said message is disabled.
-
-Additionally, the Python code is auto-formatted using [Black](https://github.com/python/black) which
-is configured as a pre-commit hook. There are also numerous [editor integrations](https://black.readthedocs.io/en/stable/integrations/editors.html)
-
-### TypeScript
+To run a specific workflow:

 ```bash
-cd superset-frontend
-npm ci
-# run eslint checks
-npm run eslint -- .
-# run tsc (typescript) checks
-npm run type
+act pull_request --job {workflow_name} --secret GITHUB_TOKEN=$GITHUB_TOKEN --container-architecture linux/amd64
 ```

-If using the eslint extension with vscode, put the following in your workspace `settings.json` file:
+In the example above, notice that:
+- we target a specific workflow, using `--job`
+- we pass a secret using `--secret`, as many jobs require read access (public) to the repo
+- we simulate a `pull_request` event by specifying it as the first arg,
+  similarly, we could simulate a `push` event or something else
+- we specify `--container-architecture`, which tends to emulate GHA more reliably

-```json
-"eslint.workingDirectories": [
-  "superset-frontend"
-]
-```
+:::note
+`act` is a rich tool that offers all sorts of features, allowing you to simulate different
+events (pull_request, push, ...), semantics around passing secrets where required and much
+more. For more information, refer to [act's documentation](https://nektosact.com/)
+:::
+
+:::note
+Some jobs require secrets to interact with external systems and accounts that you may
+not have in your possession. In those cases you may have to rely on remote CI or parameterize the
+job further to target a different environment/sandbox or your own alongside the related
+secrets.
+:::
+
+---

 ## Testing

 ### Python Testing

-All python tests are carried out in [tox](https://tox.readthedocs.io/en/latest/index.html)
-a standardized testing framework.
-All python tests can be run with any of the tox [environments](https://tox.readthedocs.io/en/latest/example/basic.html#a-simple-tox-ini-default-environments), via,
+#### Unit Tests
+
+For unit tests located in `tests/unit_tests/`, it's usually easy to simply run the script locally using:

 ```bash
-tox -e <environment>
+pytest tests/unit_tests/*
 ```

-For example,
+#### Integration Tests
+
+For more complex pytest-defined integration tests (not to be confused with our end-to-end Cypress tests), many tests will require having a working test environment. Some tests require a database, Celery, and potentially other services or libraries installed.
+
+### Running Tests with `act`
+
+To run integration tests locally using `act`, ensure you have followed the setup instructions from the [GitHub Actions and `act`](#github-actions-and-act) section. You can run specific workflows or jobs that include integration tests. For example:

 ```bash
-tox -e py38
+act --job test-python-38 --secret GITHUB_TOKEN=$GITHUB_TOKEN --event pull_request --container-architecture linux/amd64
 ```

-Alternatively, you can run all tests in a single file via,
+#### Running locally using a test script

-```bash
-tox -e <environment> -- tests/test_file.py
-```
-
-or for a specific test via,
-
-```bash
-tox -e <environment> -- tests/test_file.py::TestClassName::test_method_name
-```
-
-Note that the test environment uses a temporary directory for defining the
-SQLite databases which will be cleared each time before the group of test
-commands are invoked.
+There is also a utility script included in the Superset codebase to run Python integration tests. The [readme can be found here](https://github.com/apache/superset/tree/master/scripts/tests).

 There is also a utility script included in the Superset codebase to run python integration tests. The [readme can be
 found here](https://github.com/apache/superset/tree/master/scripts/tests)
@@ -545,7 +611,7 @@ To run all integration tests, for example, run this script from the root directo
 scripts/tests/run.sh
 ```

-You can run unit tests found in './tests/unit_tests' for example with pytest. It is a simple way to run an isolated test that doesn't need any database setup
+You can run unit tests found in `./tests/unit_tests` with pytest. It is a simple way to run an isolated test that doesn't need any database setup:

 ```bash
 pytest ./link_to_test.py
@@ -568,7 +634,7 @@ npm run test -- path/to/file.js

 ### Integration Testing

-We use [Cypress](https://www.cypress.io/) for integration tests. Tests can be run by `tox -e cypress`. To open Cypress and explore tests first setup and run test server:
+We use [Cypress](https://www.cypress.io/) for integration tests. To open Cypress and explore tests first setup and run test server:

 ```bash
 export SUPERSET_CONFIG=tests.integration_tests.superset_test_config
@@ -619,7 +685,7 @@ If you already have launched Docker environment please use the following command

 Launch environment:

-`CYPRESS_CONFIG=true docker compose up`
+`CYPRESS_CONFIG=true docker compose up --build`

 It will serve the backend and frontend on port 8088.

@@ -687,7 +753,7 @@ superset:
 Start Superset as usual

 ```bash
-docker compose up
+docker compose up --build
 ```

 Install the required libraries and packages to the docker container
--- a/docs/docs/contributing/howtos.mdx
+++ b/docs/docs/contributing/howtos.mdx
@@ -170,31 +170,10 @@ npm run dev-server

 ### Python Testing

-All python tests are carried out in [tox](https://tox.readthedocs.io/en/latest/index.html)
-a standardized testing framework.
-All python tests can be run with any of the tox [environments](https://tox.readthedocs.io/en/latest/example/basic.html#a-simple-tox-ini-default-environments), via,
+`pytest`, backend by docker-compose is how we recommend running tests locally.

-```bash
-tox -e <environment>
-```
-
-For example,
-
-```bash
-tox -e py38
-```
-
-Alternatively, you can run all tests in a single file via,
-
-```bash
-tox -e <environment> -- tests/test_file.py
-```
-
-or for a specific test via,
-
-```bash
-tox -e <environment> -- tests/test_file.py::TestClassName::test_method_name
-```
+For a more complex test matrix (against different database backends, python versions, ...) you
+can rely on our GitHub Actions by simply opening a draft pull request.

 Note that the test environment uses a temporary directory for defining the
 SQLite databases which will be cleared each time before the group of test
@@ -246,13 +225,7 @@ npm run test -- path/to/file.js

 ### e2e Integration Testing

-We use [Cypress](https://www.cypress.io/) for end-to-end integration
-tests. One easy option to get started quickly is to leverage `tox` to
-run the whole suite in an isolated environment.
-
-```bash
-tox -e cypress
-```
+For e2e testing, we recommend that you use a `docker-compose` backed-setup

 Alternatively, you can go lower level and set things up in your
 development environment by following these steps:
@@ -598,17 +571,24 @@ pybabel compile -d superset/translations

 ### Python

-We use [Pylint](https://pylint.org/) for linting which can be invoked via:
+We use [ruff](https://github.com/astral-sh/ruff) for linting which can be invoked via:

-```bash
-# for python
-tox -e pylint
+```
+# auto-reformat using ruff
+ruff format
+
+# lint check with ruff
+ruff check
+
+# lint fix with ruff
+ruff check --fix
 ```

-In terms of best practices please avoid blanket disabling of Pylint messages globally (via `.pylintrc`) or top-level within the file header, albeit there being a few exceptions. Disabling should occur inline as it prevents masking issues and provides context as to why said message is disabled.
+Ruff configuration is located in our
+(pyproject.toml)[https://github.com/apache/superset/blob/master/pyproject.toml] file

-Additionally, the Python code is auto-formatted using [Black](https://github.com/python/black) which
-is configured as a pre-commit hook. There are also numerous [editor integrations](https://black.readthedocs.io/en/stable/integrations/editors.html)
+All this is configured to run in pre-commit hooks, which we encourage you to setup
+with `pre-commit install`

 ### TypeScript

--- a/docs/docs/installation/docker-builds.mdx
+++ b/docs/docs/installation/docker-builds.mdx
@@ -29,7 +29,7 @@ We have a set of build "presets" that each represent a combination of
 parameters for the build, mostly pointing to either different target layer
 for the build, and/or base image.

-Here are the build presets that are exposed through the `build_docker.py` script:
+Here are the build presets that are exposed through the `supersetbot docker` utility:

 - `lean`: The default Docker image, including both frontend and backend. Tags
  without a build_preset are lean builds (ie: `latest`, `4.0.0`, `3.0.0`, ...). `lean`
@@ -62,8 +62,8 @@ Here are the build presets that are exposed through the `build_docker.py` script


 For insights or modifications to the build matrix and tagging conventions,
-check the [build_docker.py](https://github.com/apache/superset/blob/master/scripts/build_docker.py)
-script and the [docker.yml](https://github.com/apache/superset/blob/master/.github/workflows/docker.yml)
+check the [supersetbot docker](https://github.com/apache-superset/supersetbot)
+subcommand and the [docker.yml](https://github.com/apache/superset/blob/master/.github/workflows/docker.yml)
 GitHub action.

 ## Key ARGs in Dockerfile
--- a/docs/docs/installation/docker-compose.mdx
+++ b/docs/docs/installation/docker-compose.mdx
@@ -76,7 +76,8 @@ on latest base images using `docker compose build --pull`. In most cases though,
 ### Option #1 - for an interactive development environment

 ```bash
-docker compose up
+# The --build argument insures all the layers are up-to-date
+docker compose up --build
 ```

 :::tip
@@ -95,6 +96,14 @@ perform those operations. In this case, we recommend you set the env var
 Simply trigger `npm i && npm run dev`, this should be MUCH faster.
 :::

+:::tip
+Sometimes, your npm-related state can get out-of-wack, running `npm run prune` from
+the `superset-frontend/` folder will nuke the various' packages `node_module/` folders
+and help you start fresh. In the context of `docker compose` setting
+`export NPM_RUN_PRUNE=true` prior to running `docker compose up` will trigger that
+from within docker. This will slow down the startup, but will fix various npm-related issues.
+:::
+
 ### Option #2 - build a set of immutable images from the local branch

 ```bash
@@ -112,6 +121,13 @@ Here various release tags, github SHA, and latest `master` can be referenced by
 Refer to the docker-related documentation to learn more about existing tags you can point to
 from Docker Hub.

+:::note
+For option #2 and #3, we recommend checking out the release tag from the better repository
+(ie: `git checkout 4.0.0`) for more guaranteed results. This ensures that the `docker-compose.*.yml`
+configurations and that the mounted `docker/` scripts are in sync with the image you are
+looking to fire up.
+:::
+
 ## `docker compose` tips & configuration

 :::caution
@@ -227,3 +243,11 @@ may want to find the exact hostname you want to use, for that you can do `ifconf
 Docker for you. Alternately if you don't even see the `docker0` interface try (if needed with sudo)
 `docker network inspect bridge` and see if there is an entry for `"Gateway"` and note the IP
 address.
+
+## 4. To build or not to build
+
+When running `docker compose up`, docker will build what is required behind the scene, but
+may use the docker cache if assets already exist. Running `docker compose build` prior to
+`docker compose up` or the equivalent shortcut `docker compose up --build` ensures that your
+docker images matche the definition in the repository. This should only apply to the main
+docker-compose.yml file (default) and not to the alternative methods defined above.
--- a/docs/docs/installation/pypi.mdx
+++ b/docs/docs/installation/pypi.mdx
@@ -77,10 +77,6 @@ versions officially supported by Superset. We'd recommend using a Python version
 like [pyenv](https://github.com/pyenv/pyenv)
 (and also [pyenv-virtualenv](https://github.com/pyenv/pyenv-virtualenv)).

-:::tip
-To identify the Python version used by the official docker image, see the [Dockerfile](https://github.com/apache/superset/blob/master/Dockerfile). Additional docker images published for newer versions of Python can be found in [this file](https://github.com/apache/superset/blob/master/scripts/build_docker.py).
-:::
-
 Let's also make sure we have the latest version of `pip` and `setuptools`:

 ```bash
@@ -134,21 +130,22 @@ First, start by installing `apache-superset`:
 pip install apache-superset
 ```

+Then, define mandatory configurations, SECRET_KEY and FLASK_APP:
+```bash
+export SUPERSET_SECRET_KEY=YOUR-SECRET-KEY
+export FLASK_APP=superset
+```
+
 Then, you need to initialize the database:

 ```bash
 superset db upgrade
 ```

-:::tip
-Note that some configuration is mandatory for production instances of Superset. In particular, Superset will not start without a user-specified value of SECRET_KEY. Please see [Configuring Superset](/docs/configuration/configuring-superset).
-:::
-
 Finish installing by running through the following commands:

 ```bash
 # Create an admin user in your metadata database (use `admin` as username to be able to load the examples)
-export FLASK_APP=superset
 superset fab create-admin

 # Load some data to play with
--- a/docs/docs/quickstart.mdx
+++ b/docs/docs/quickstart.mdx
@@ -31,6 +31,9 @@ $ git clone https://github.com/apache/superset
 # Enter the repository you just cloned
 $ cd superset

+# Set the repo to the state associated with the latest official version
+$ git checkout tags/4.1.1
+
 # Fire up Superset using Docker Compose
 $ docker compose -f docker-compose-image-tag.yml up
 ```
--- a/docs/docs/security/cves.mdx
+++ b/docs/docs/security/cves.mdx
@@ -2,6 +2,15 @@
 title: CVEs fixed by release
 sidebar_position: 2
 ---
+#### Version 4.1.0
+
+| CVE            | Title                                                                              | Affected |
+|:---------------|:-----------------------------------------------------------------------------------|---------:|
+| CVE-2024-53947 | Improper SQL authorisation, parse for specific postgres functions                  |  < 4.1.0 |
+| CVE-2024-53948 | Error verbosity exposes metadata in analytics databases                            |  < 4.1.0 |
+| CVE-2024-53949 | Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled |  < 4.1.0 |
+| CVE-2024-55633 | SQLLab Improper readonly query validation allows unauthorized write access         |  < 4.1.0 |
+
 #### Version 4.0.2

 | CVE            | Title                       | Affected |
--- a/docs/docs/security/security.mdx
+++ b/docs/docs/security/security.mdx
@@ -253,6 +253,9 @@ You can get current nonce value by calling jinja macro `csp_nonce()`.
  connect-src 'self' https://api.mapbox.com https://events.mapbox.com
  ```

+- Cartodiagram charts request map data (image and json) from external resources that can be edited by users,
+and therefore either require a list of allowed domains to request from or a wildcard (`'*'`) for `img-src` and `connect-src`.
+
 * Other CSP directives default to `'self'` to limit content to the same origin as the Superset server.

 In order to adjust provided CSP configuration to your needs, follow the instructions and examples provided in
--- a/docs/docusaurus.config.js
+++ b/docs/docusaurus.config.js
@@ -203,13 +203,18 @@ const config = {
      ({
        docs: {
          sidebarPath: require.resolve('./sidebars.js'),
-          editUrl: 'https://github.com/apache/superset/edit/master/docs',
+          editUrl:
+          ({versionDocsDirPath, docPath}) => {
+            if (docPath === 'intro.md') {
+              return 'https://github.com/apache/superset/edit/master/README.md'
+            }
+            return `https://github.com/apache/superset/edit/master/docs/${versionDocsDirPath}/${docPath}`
+          }
        },
        blog: {
          showReadingTime: true,
          // Please change this to your repo.
-          editUrl:
-            'https://github.com/facebook/docusaurus/edit/main/website/blog/',
+          editUrl: 'https://github.com/facebook/docusaurus/edit/main/website/blog/',
        },
        theme: {
          customCss: require.resolve('./src/styles/custom.css'),
--- a/docs/package.json
+++ b/docs/package.json
@@ -17,9 +17,9 @@
    "typecheck": "tsc"
  },
  "dependencies": {
-    "@algolia/client-search": "^5.12.0",
-    "@ant-design/icons": "^5.4.0",
-    "@docsearch/react": "^3.6.3",
+    "@algolia/client-search": "^5.18.0",
+    "@ant-design/icons": "^5.5.2",
+    "@docsearch/react": "^3.8.2",
    "@docusaurus/core": "^3.5.2",
    "@docusaurus/plugin-client-redirects": "^3.5.2",
    "@docusaurus/preset-classic": "^3.5.2",
@@ -29,28 +29,28 @@
    "@saucelabs/theme-github-codeblock": "^0.3.0",
    "@superset-ui/style": "^0.14.23",
    "@svgr/webpack": "^8.1.0",
-    "antd": "^5.21.6",
+    "antd": "^5.22.7",
    "buffer": "^6.0.3",
    "clsx": "^2.1.1",
    "docusaurus-plugin-less": "^2.0.2",
    "file-loader": "^6.2.0",
-    "less": "^4.2.0",
+    "less": "^4.2.1",
    "less-loader": "^11.0.0",
-    "prism-react-renderer": "^2.4.0",
+    "prism-react-renderer": "^2.4.1",
    "react": "^18.3.1",
    "react-dom": "^18.3.1",
    "react-github-btn": "^1.4.0",
    "react-svg-pan-zoom": "^3.13.1",
    "stream": "^0.0.3",
-    "swagger-ui-react": "^5.17.14",
+    "swagger-ui-react": "^5.18.2",
    "url-loader": "^4.1.1"
  },
  "devDependencies": {
-    "@docusaurus/module-type-aliases": "^3.5.2",
-    "@docusaurus/tsconfig": "^3.5.2",
+    "@docusaurus/module-type-aliases": "^3.6.3",
+    "@docusaurus/tsconfig": "^3.6.3",
    "@types/react": "^18.3.12",
-    "typescript": "^5.6.3",
-    "webpack": "^5.96.1"
+    "typescript": "^5.7.2",
+    "webpack": "^5.97.1"
  },
  "browserslist": {
    "production": [
--- a/docs/static/img/databases/ydb.svg
+++ b/docs/static/img/databases/ydb.svg
@@ -0,0 +1,20 @@
+<svg width="753" height="274" viewBox="0 0 753 274" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_28_1297)">
+<path fill-rule="evenodd" clip-rule="evenodd" d="M5 53.8669C5 37.6466 29.6243 29 60 29C90.3757 29 115 37.6466 115 53.8669V138.133C115 154.353 90.3757 163 60 163C29.6243 163 5 154.353 5 138.133V53.8669Z" fill="#2399FF"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M175 53.8669C175 37.6466 199.624 29 230 29C260.376 29 285 37.6466 285 53.8669V138.133C285 154.353 260.376 163 230 163C199.624 163 175 154.353 175 138.133V53.8669Z" fill="#2399FF"/>
+<path d="M177 85H113V103H177V85Z" fill="#2399FF"/>
+<path d="M173 157H115L81 111H59L105 173H183L229 111H207L173 157Z" fill="white"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M89 145.867C89 129.647 113.624 121 144 121C174.376 121 199 129.647 199 145.867V230.133C199 246.353 174.376 255 144 255C113.624 255 89 246.353 89 230.133V145.867Z" fill="#2399FF"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M108.783 136.779C100.111 140.552 99 144.237 99 146C99 147.763 100.111 151.448 108.783 155.221C117.076 158.829 129.435 161 144 161C158.565 161 170.924 158.829 179.217 155.221C187.889 151.448 189 147.763 189 146C189 144.237 187.889 140.552 179.218 136.779C170.924 133.171 158.565 131 144 131C129.435 131 117.076 133.171 108.783 136.779Z" fill="white"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M24.7825 44.7792C16.1105 48.5515 15 52.2365 15 54C15 55.7635 16.1105 59.4485 24.7825 63.2208C33.0763 66.8287 45.4354 69 60 69C74.5646 69 86.9237 66.8287 95.2175 63.2208C103.889 59.4485 105 55.7635 105 54C105 52.2365 103.889 48.5515 95.2175 44.7792C86.9237 41.1713 74.5646 39 60 39C45.4354 39 33.0763 41.1713 24.7825 44.7792Z" fill="white"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M194.783 44.7792C186.111 48.5515 185 52.2365 185 54C185 55.7635 186.111 59.4485 194.783 63.2208C203.076 66.8287 215.435 69 230 69C244.565 69 256.924 66.8287 265.217 63.2208C273.889 59.4485 275 55.7635 275 54C275 52.2365 273.889 48.5515 265.218 44.7792C256.924 41.1713 244.565 39 230 39C215.435 39 203.076 41.1713 194.783 44.7792Z" fill="white"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M694.131 64H634.75V210H705.026C730.974 210 750.243 191.821 750.243 166.963C750.243 150.15 740.93 137.39 726.201 130.891C733.027 124.143 737.168 115.224 737.168 104.858C737.168 81.2033 718.875 64 694.131 64ZM660.899 85.791V123.925H691.951C702.482 123.925 711.019 115.389 711.019 104.858C711.019 94.3277 702.482 85.791 691.951 85.791H660.899ZM660.899 188.209V145.716H702.847C714.581 145.716 724.093 155.229 724.093 166.963C724.093 178.697 714.581 188.209 702.847 188.209H660.899Z" fill="black"/>
+<path d="M352.716 64.0039H382.134L419.179 128.287L456.223 64.0039H485.641L432.308 155.472V210.004H406.049V155.472L352.716 64.0039Z" fill="black"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M496.008 64.0039H546.127C589.713 64.0039 619.127 92.3289 619.127 137.004C619.127 181.679 589.713 210.004 546.127 210.004H496.008V64.0039ZM522.157 188.213V85.7949H543.948C573.32 85.7949 592.978 104.364 592.978 137.004C592.978 169.644 573.32 188.213 543.948 188.213H522.157Z" fill="black"/>
+</g>
+<defs>
+<clipPath id="clip0_28_1297">
+<rect width="753" height="274" fill="white"/>
+</clipPath>
+</defs>
+</svg>
--- a/docs/static/resources/openapi.json
+++ b/docs/static/resources/openapi.json
--- a/docs/yarn.lock
+++ b/docs/yarn.lock
--- a/helm/superset/Chart.lock
+++ b/helm/superset/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: postgresql
-  repository: https://charts.bitnami.com/bitnami
+  repository: oci://registry-1.docker.io/bitnamicharts
  version: 12.1.6
 - name: redis
-  repository: https://charts.bitnami.com/bitnami
+  repository: oci://registry-1.docker.io/bitnamicharts
  version: 17.9.4
-digest: sha256:98b6c107066652e40c242a6b0e3c573a4eedf9f64bae0d60f884f0f5cfa1c01a
-generated: "2023-04-17T10:38:41.966779+03:00"
+digest: sha256:9588e2a9f15d875a95763ed7da8e92b5b48a8d13cbacd66b775eacba3e8cebcd
+generated: "2024-12-29T12:19:15.365763+09:00"
--- a/helm/superset/Chart.yaml
+++ b/helm/superset/Chart.yaml
@@ -29,13 +29,13 @@ maintainers:
  - name: craig-rueda
    email: craig@craigrueda.com
    url: https://github.com/craig-rueda
-version: 0.13.3
+version: 0.14.0
 dependencies:
  - name: postgresql
    version: 12.1.6
-    repository: https://charts.bitnami.com/bitnami
+    repository: oci://registry-1.docker.io/bitnamicharts
    condition: postgresql.enabled
  - name: redis
    version: 17.9.4
-    repository: https://charts.bitnami.com/bitnami
+    repository: oci://registry-1.docker.io/bitnamicharts
    condition: redis.enabled
--- a/helm/superset/README.md
+++ b/helm/superset/README.md
@@ -23,7 +23,7 @@ NOTE: This file is generated by helm-docs: https://github.com/norwoodj/helm-docs

 # superset

-![Version: 0.13.3](https://img.shields.io/badge/Version-0.13.3-informational?style=flat-square)
+![Version: 0.14.0](https://img.shields.io/badge/Version-0.14.0-informational?style=flat-square)

 Apache Superset is a modern, enterprise-ready business intelligence web application

@@ -50,8 +50,8 @@ On helm this can be set on `extraSecretEnv.SUPERSET_SECRET_KEY` or `configOverri

 | Repository | Name | Version |
 |------------|------|---------|
-| https://charts.bitnami.com/bitnami | postgresql | 12.1.6 |
-| https://charts.bitnami.com/bitnami | redis | 17.9.4 |
+| oci://registry-1.docker.io/bitnamicharts | postgresql | 12.1.6 |
+| oci://registry-1.docker.io/bitnamicharts | redis | 17.9.4 |

 ## Values

@@ -66,12 +66,12 @@ On helm this can be set on `extraSecretEnv.SUPERSET_SECRET_KEY` or `configOverri
 | envFromSecret | string | `"{{ template \"superset.fullname\" . }}-env"` | The name of the secret which we will use to populate env vars in deployed pods This can be useful for secret keys, etc. |
 | envFromSecrets | list | `[]` | This can be a list of templated strings |
 | extraConfigMountPath | string | `"/app/configs"` |  |
-| extraConfigs | object | `{}` | Extra files to mount on `/app/pythonpath` |
+| extraConfigs | object | `{}` | Extra files to be mounted as ConfigMap on the path specified in `extraConfigMountPath` |
 | extraEnv | object | `{}` | Extra environment variables that will be passed into pods |
 | extraEnvRaw | list | `[]` | Extra environment variables in RAW format that will be passed into pods |
 | extraLabels | object | `{}` | Labels to be added to all resources |
 | extraSecretEnv | object | `{}` | Extra environment variables to pass as secrets |
-| extraSecrets | object | `{}` | Extra files to mount on `/app/pythonpath` as secrets |
+| extraSecrets | object | `{}` | Extra files to be mounted as Secrets on the path specified in `configMountPath` |
 | extraVolumeMounts | list | `[]` |  |
 | extraVolumes | list | `[]` |  |
 | fullnameOverride | string | `nil` | Provide a name to override the full names of resources |
@@ -105,6 +105,7 @@ On helm this can be set on `extraSecretEnv.SUPERSET_SECRET_KEY` or `configOverri
 | init.jobAnnotations."helm.sh/hook-delete-policy" | string | `"before-hook-creation"` |  |
 | init.loadExamples | bool | `false` |  |
 | init.podAnnotations | object | `{}` |  |
+| init.podLabels | object | `{}` |  |
 | init.podSecurityContext | object | `{}` |  |
 | init.priorityClassName | string | `nil` | Set priorityClassName for init job pods |
 | init.resources | object | `{}` |  |
--- a/helm/superset/templates/init-job.yaml
+++ b/helm/superset/templates/init-job.yaml
@@ -23,8 +23,12 @@ kind: Job
 metadata:
  name: {{ template "superset.fullname" . }}-init-db
  namespace: {{ .Release.Namespace }}
-  {{- if .Values.extraLabels }}
  labels:
+    app: {{ template "superset.name" . }}
+    chart: {{ template "superset.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  {{- if .Values.extraLabels }}
    {{- toYaml .Values.extraLabels | nindent 4 }}
  {{- end }}
  {{- if .Values.init.jobAnnotations }}
@@ -37,6 +41,15 @@ spec:
      {{- if .Values.init.podAnnotations }}
      annotations: {{- toYaml .Values.init.podAnnotations | nindent 8 }}
      {{- end }}
+      {{- if or .Values.extraLabels .Values.init.podLabels }}
+      labels:
+        {{- if .Values.extraLabels }}
+        {{- toYaml .Values.extraLabels | nindent 8 }}
+        {{- end }}
+        {{- if .Values.init.podLabels }}
+        {{- toYaml .Values.init.podLabels | nindent 8 }}
+        {{- end }}
+      {{- end }}
    spec:
      {{- if or (.Values.serviceAccount.create) (.Values.serviceAccountName) }}
      serviceAccountName: {{ template "superset.serviceAccountName" . }}
--- a/helm/superset/values.yaml
+++ b/helm/superset/values.yaml
@@ -19,7 +19,8 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.

-# A README is automatically generated from this file to document it, using helm-docs (see https://github.com/norwoodj/helm-docs)
+# A README is automatically generated from this file to document it,
+# using helm-docs (see https://github.com/norwoodj/helm-docs)
 # To update it, install helm-docs and run helm-docs from the root of this chart

 # -- Provide a name to override the name of the chart
@@ -105,7 +106,7 @@ extraSecretEnv: {}
  #   # Generate your own secret key for encryption. Use openssl rand -base64 42 to generate a good key
  #  SUPERSET_SECRET_KEY: 'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'

-# -- Extra files to mount on `/app/pythonpath`
+# -- Extra files to be mounted as ConfigMap on the path specified in `extraConfigMountPath`
 extraConfigs: {}
  # import_datasources.yaml: |
  #     databases:
@@ -119,7 +120,7 @@ extraConfigs: {}
  #       sqlalchemy_uri: example://example-db.local
  #       tables: []

-# -- Extra files to mount on `/app/pythonpath` as secrets
+# -- Extra files to be mounted as Secrets on the path specified in `configMountPath`
 extraSecrets: {}

 extraVolumes: []
@@ -276,7 +277,7 @@ supersetNode:
    - ". {{ .Values.configMountPath }}/superset_bootstrap.sh; /usr/bin/run-server.sh"
  connections:
    # -- Change in case of bringing your own redis and then also set redis.enabled:false
-    redis_host: '{{ .Release.Name }}-redis-headless'
+    redis_host: "{{ .Release.Name }}-redis-headless"
    redis_port: "6379"
    redis_user: ""
    # redis_password: superset
@@ -288,7 +289,7 @@ supersetNode:
      enabled: false
      ssl_cert_reqs: CERT_NONE
    # You need to change below configuration incase bringing own PostgresSQL instance and also set postgresql.enabled:false
-    db_host: '{{ .Release.Name }}-postgresql'
+    db_host: "{{ .Release.Name }}-postgresql"
    db_port: "5432"
    db_user: superset
    db_pass: superset
@@ -777,6 +778,8 @@ init:
  extraContainers: []
  ## Annotations to be added to init job pods
  podAnnotations: {}
+  # Labels to be added to init job pods
+  podLabels: {}
  podSecurityContext: {}
  containerSecurityContext: {}
  ## Tolerations to be added to init job pods
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -24,7 +24,7 @@ name = "apache-superset"
 description = "A modern, enterprise-ready business intelligence web application"
 readme = "README.md"
 dynamic = ["version", "scripts", "entry-points"]
-requires-python = "~=3.9"
+requires-python = ">=3.9"
 license = { file="LICENSE.txt" }
 authors = [
    { name = "Apache Software Foundation", email = "dev@superset.apache.org" },
@@ -53,8 +53,8 @@ dependencies = [
    "flask-migrate>=3.1.0, <4.0",
    "flask-session>=0.4.0, <1.0",
    "flask-wtf>=1.1.0, <2.0",
-    "func_timeout",
    "geopy",
+    "greenlet>=3.0.3, <=3.1.1",
    "gunicorn>=22.0.0; sys_platform != 'win32'",
    "hashids>=1.3.1, <2",
    # known issue with holidays 0.26.0 and above related to prophet lib #25017
@@ -69,7 +69,11 @@ dependencies = [
    "nh3>=0.2.11, <0.3",
    "numpy==1.23.5",
    "packaging",
-    "pandas[performance]>=2.0.3, <2.1",
+    # --------------------------
+    # pandas and related (wanting pandas[performance] without numba as it's 100+MB and not needed)
+    "pandas[excel]>=2.0.3, <2.1",
+    "bottleneck",
+    # --------------------------
    "parsedatetime",
    "paramiko>=3.4.0",
    "pgsanity",
@@ -82,7 +86,7 @@ dependencies = [
    "pyyaml>=6.0.0, <7.0.0",
    "PyJWT>=2.4.0, <3.0",
    "redis>=4.6.0, <5.0",
-    "selenium>=3.141.0, <4.10.0",
+    "selenium>=4.14.0, <5.0",
    "shillelagh[gsheetsapi]>=1.2.18, <2.0",
    "shortid",
    "sshtunnel>=0.4.0, <0.5",
@@ -90,7 +94,9 @@ dependencies = [
    "slack_sdk>=3.19.0, <4",
    "sqlalchemy>=1.4, <2",
    "sqlalchemy-utils>=0.38.3, <0.39",
-    "sqlglot>=25.24.0,<26",
+    # known breaking changes in sqlglot 25.25.0
+    #https://github.com/tobymao/sqlglot/blob/main/CHANGELOG.md#v25250---2024-10-14
+    "sqlglot>=25.24.0,<25.25.0",
    "sqlparse>=0.5.0",
    "tabulate>=0.8.9, <0.9",
    "typing-extensions>=4, <5",
@@ -135,7 +141,6 @@ gevent = ["gevent>=23.9.1"]
 gsheets = ["shillelagh[gsheetsapi]>=1.2.18, <2"]
 hana = ["hdbcli==2.4.162", "sqlalchemy_hana==0.4.0"]
 hive = [
-    "boto3",
    "pyhive[hive]>=0.6.5;python_version<'3.11'",
    "pyhive[hive_pure_sasl]>=0.7.0",
    "tableschema",
@@ -158,7 +163,7 @@ pinot = ["pinotdb>=5.0.0, <6.0.0"]
 playwright = ["playwright>=1.37.0, <2"]
 postgres = ["psycopg2-binary==2.9.6"]
 presto = ["pyhive[presto]>=0.6.5"]
-trino = ["boto3", "trino>=0.328.0"]
+trino = ["trino>=0.328.0"]
 prophet = ["prophet>=1.1.5, <2"]
 redshift = ["sqlalchemy-redshift>=0.8.1, <0.9"]
 rockset = ["rockset-sqlalchemy>=0.0.1, <1"]
@@ -177,21 +182,19 @@ netezza = ["nzalchemy>=11.0.2"]
 starrocks = ["starrocks>=1.0.0"]
 doris = ["pydoris>=1.0.0, <2.0.0"]
 oceanbase = ["oceanbase_py>=0.0.1"]
+ydb = ["ydb-sqlalchemy>=0.1.2"]
 development = [
    "docker",
    "flask-testing",
    "freezegun",
-    "greenlet>=2.0.2",
    "grpcio>=1.55.3",
    "openapi-spec-validator",
    "parameterized",
-    "pip-compile-multi",
    "pre-commit",
    "progress>=1.5,<2",
    "psutil",
    "pyfakefs",
    "pyinstrument>=4.0.2,<5",
-    "pylint",
    "pytest<8.0.0", # hairy issue with pytest >=8 where current_app proxies are not set in time
    "pytest-cov",
    "pytest-mock",
@@ -199,7 +202,6 @@ development = [
    "ruff",
    "sqloxide",
    "statsd",
-    "tox",
 ]

 [project.urls]
@@ -212,7 +214,7 @@ combine_as_imports = true
 include_trailing_comma = true
 line_length = 88
 known_first_party = "superset"
-known_third_party = "alembic, apispec, backoff, celery, click, colorama, cron_descriptor, croniter, cryptography, dateutil, deprecation, flask, flask_appbuilder, flask_babel, flask_caching, flask_compress, flask_jwt_extended, flask_login, flask_migrate, flask_sqlalchemy, flask_talisman, flask_testing, flask_wtf, freezegun, geohash, geopy, holidays, humanize, isodate, jinja2, jwt, markdown, markupsafe, marshmallow, msgpack, nh3, numpy, pandas, parameterized, parsedatetime, pgsanity, pkg_resources, polyline, prison, progress, pyarrow, sqlalchemy_bigquery, pyhive, pyparsing, pytest, pytest_mock, pytz, redis, requests, selenium, setuptools, shillelagh, simplejson, slack, sqlalchemy, sqlalchemy_utils, sqlparse, typing_extensions, urllib3, werkzeug, wtforms, wtforms_json, yaml"
+known_third_party = "alembic, apispec, backoff, celery, click, colorama, cron_descriptor, croniter, cryptography, dateutil, deprecation, flask, flask_appbuilder, flask_babel, flask_caching, flask_compress, flask_jwt_extended, flask_login, flask_migrate, flask_sqlalchemy, flask_talisman, flask_testing, flask_wtf, freezegun, geohash, geopy, holidays, humanize, isodate, jinja2, jwt, markdown, markupsafe, marshmallow, msgpack, nh3, numpy, pandas, parameterized, parsedatetime, pgsanity, polyline, prison, progress, pyarrow, sqlalchemy_bigquery, pyhive, pyparsing, pytest, pytest_mock, pytz, redis, requests, selenium, setuptools, shillelagh, simplejson, slack, sqlalchemy, sqlalchemy_utils, sqlparse, typing_extensions, urllib3, werkzeug, wtforms, wtforms_json, yaml"
 multi_line_output = 3
 order_by_type = false

@@ -236,172 +238,10 @@ disallow_untyped_calls = false
 disallow_untyped_defs = false
 disable_error_code = "annotation-unchecked"

-[tool.tox]
-legacy_tox_ini = """
-# Remember to start celery workers to run celery tests, e.g.
-# celery --app=superset.tasks.celery_app:app worker -Ofair -c 2
-[testenv]
-basepython = python3.10
-ignore_basepython_conflict = true
-commands =
-    superset db upgrade
-    superset init
-    superset load-test-users
-    # use -s to be able to use break pointers.
-    # no args or tests/* can be passed as an argument to run all tests
-    pytest -s {posargs}
-deps =
-    -rrequirements/development.txt
-setenv =
-    PYTHONPATH = {toxinidir}
-    SUPERSET_TESTENV = true
-    SUPERSET_CONFIG = tests.integration_tests.superset_test_config
-    SUPERSET_HOME = {envtmpdir}
-    mysql: SUPERSET__SQLALCHEMY_DATABASE_URI = mysql://mysqluser:mysqluserpassword@localhost/superset?charset=utf8
-    postgres: SUPERSET__SQLALCHEMY_DATABASE_URI = postgresql+psycopg2://superset:superset@localhost/test
-    sqlite: SUPERSET__SQLALCHEMY_DATABASE_URI = sqlite:////{envtmpdir}/superset.db
-    sqlite: SUPERSET__SQLALCHEMY_EXAMPLES_URI = sqlite:////{envtmpdir}/examples.db
-    mysql-presto: SUPERSET__SQLALCHEMY_DATABASE_URI = mysql://mysqluser:mysqluserpassword@localhost/superset?charset=utf8
-    # docker run -p 8080:8080 --name presto starburstdata/presto
-    mysql-presto: SUPERSET__SQLALCHEMY_EXAMPLES_URI = presto://localhost:8080/memory/default
-    # based on https://github.com/big-data-europe/docker-hadoop
-    # clone the repo & run docker compose up -d to test locally
-    mysql-hive: SUPERSET__SQLALCHEMY_DATABASE_URI = mysql://mysqluser:mysqluserpassword@localhost/superset?charset=utf8
-    mysql-hive: SUPERSET__SQLALCHEMY_EXAMPLES_URI = hive://localhost:10000/default
-    # make sure that directory is accessible by docker
-    hive: UPLOAD_FOLDER = /tmp/.superset/app/static/uploads/
-usedevelop = true
-allowlist_externals =
-    npm
-    pkill
-
-[testenv:cypress]
-setenv =
-    PYTHONPATH = {toxinidir}
-    SUPERSET_TESTENV = true
-    SUPERSET_CONFIG = tests.integration_tests.superset_test_config
-    SUPERSET_HOME = {envtmpdir}
-commands =
-    npm install -g npm@'>=6.5.0'
-    pip install -e {toxinidir}/
-    {toxinidir}/superset-frontend/cypress_build.sh
-commands_post =
-    pkill -if "python {envbindir}/flask"
-
-[testenv:cypress-dashboard]
-setenv =
-    PYTHONPATH = {toxinidir}
-    SUPERSET_TESTENV = true
-    SUPERSET_CONFIG = tests.integration_tests.superset_test_config
-    SUPERSET_HOME = {envtmpdir}
-commands =
-    npm install -g npm@'>=6.5.0'
-    pip install -e {toxinidir}/
-    {toxinidir}/superset-frontend/cypress_build.sh dashboard
-commands_post =
-    pkill -if "python {envbindir}/flask"
-
-[testenv:cypress-explore]
-setenv =
-    PYTHONPATH = {toxinidir}
-    SUPERSET_TESTENV = true
-    SUPERSET_CONFIG = tests.integration_tests.superset_test_config
-    SUPERSET_HOME = {envtmpdir}
-commands =
-    npm install -g npm@'>=6.5.0'
-    pip install -e {toxinidir}/
-    {toxinidir}/superset-frontend/cypress_build.sh explore
-commands_post =
-    pkill -if "python {envbindir}/flask"
-
-[testenv:cypress-sqllab]
-setenv =
-    PYTHONPATH = {toxinidir}
-    SUPERSET_TESTENV = true
-    SUPERSET_CONFIG = tests.integration_tests.superset_test_config
-    SUPERSET_HOME = {envtmpdir}
-commands =
-    npm install -g npm@'>=6.5.0'
-    pip install -e {toxinidir}/
-    {toxinidir}/superset-frontend/cypress_build.sh sqllab
-commands_post =
-    pkill -if "python {envbindir}/flask"
-
-[testenv:cypress-sqllab-backend-persist]
-setenv =
-    PYTHONPATH = {toxinidir}
-    SUPERSET_TESTENV = true
-    SUPERSET_CONFIG = tests.integration_tests.superset_test_config
-    SUPERSET_HOME = {envtmpdir}
-commands =
-    npm install -g npm@'>=6.5.0'
-    pip install -e {toxinidir}/
-    {toxinidir}/superset-frontend/cypress_build.sh sqllab
-commands_post =
-    pkill -if "python {envbindir}/flask"
-
-[testenv:eslint]
-changedir = {toxinidir}/superset-frontend
-commands =
-    npm run lint
-deps =
-
-[testenv:fossa]
-commands =
-    {toxinidir}/scripts/fossa.sh
-deps =
-passenv = *
-
-[testenv:javascript]
-commands =
-    npm install -g npm@'>=6.5.0'
-    {toxinidir}/superset-frontend/js_build.sh
-deps =
-
-[testenv:license-check]
-commands =
-    {toxinidir}/scripts/check_license.sh
-passenv = *
-whitelist_externals =
-    {toxinidir}/scripts/check_license.sh
-deps =
-
-[testenv:pre-commit]
-commands =
-    pre-commit run --all-files
-deps =
-    -rrequirements/development.txt
-skip_install = true
-
-[testenv:pylint]
-commands =
-    pylint superset
-deps =
-    -rrequirements/development.txt
-
-[testenv:thumbnails]
-setenv =
-    SUPERSET_CONFIG = tests.integration_tests.superset_test_config_thumbnails
-deps =
-    -rrequirements/development.txt
-
-[tox]
-envlist =
-    cypress-dashboard
-    cypress-explore
-    cypress-sqllab
-    cypress-sqllab-backend-persist
-    eslint
-    fossa
-    javascript
-    license-check
-    pre-commit
-    pylint
-skipsdist = true
-"""
 [tool.ruff]
 # Exclude a variety of commonly ignored directories.
 exclude = [
+    "**/*.ipynb",
    ".bzr",
    ".direnv",
    ".eggs",
@@ -435,8 +275,8 @@ exclude = [
 line-length = 88
 indent-width = 4

-# Assume Python 3.8
-target-version = "py310"
+# Assume Python 3.9
+target-version = "py39"

 [tool.ruff.lint]
 # Enable Pyflakes (`F`) and a subset of the pycodestyle (`E`)  codes by default.
@@ -447,11 +287,27 @@ select = [
    "E4",
    "E7",
    "E9",
-    "F",
    "PT009",
    "TRY201",
+    "B",
+    "C",
+    "E",
+    "F",
+    "F",
+    "I",
+    "N",
+    "PT",
+    "Q",
+    "S",
+    "T",
+    "W",
+]
+ignore = [
+    "S101",
+    "PT006",
+    "T201",
+    "N999",
 ]
-ignore = []

 extend-select = ["I"]

@@ -504,3 +360,35 @@ docstring-code-format = false
 # This only has an effect when the `docstring-code-format` setting is
 # enabled.
 docstring-code-line-length = "dynamic"
+
+[tool.liccheck]
+requirement_txt_file = "requirements/base.txt"
+authorized_licenses = [
+    "academic free license (afl)",
+    "apache license 2.0",
+    "apache software",
+    "apache software, bsd",
+    "bsd",
+    "isc license (iscl)",
+    "isc license",
+    "mit",
+    "mozilla public license 2.0 (mpl 2.0)",
+    "osi approved",
+    "osi approved",
+    "python software foundation",
+    "the unlicense (unlicense)",
+    "the unlicense",
+]
+[tool.liccheck.authorized_packages]
+# --------------------------------------------------------------
+# These are ok, checked manually
+# Seems ok, might need legal review
+# https://github.com/urschrei/pypolyline/blob/master/LICENSE.md
+polyline = "2"
+# Apache 2.0 https://github.com/hkwi/python-geohash
+python-geohash = "0"
+# --------------------------------------------------------------
+
+# TODO REMOVE THESE DEPS FROM CODEBASE
+paramiko = "3"  # GPL
+pyxlsb = "1"  # GPL
--- a/requirements/base.in
+++ b/requirements/base.in
@@ -16,7 +16,15 @@
 # specific language governing permissions and limitations
 # under the License.
 #
-e file:.
 urllib3>=1.26.18
 werkzeug>=3.0.1
 numexpr>=2.9.0
+
+# 5.0.0 has a sensitive deprecation used in other libs
+# -> https://github.com/aio-libs/async-timeout/blob/master/CHANGES.rst#500-2024-10-31
+async_timeout>=4.0.0,<5.0.0
+
+# playwright requires greenlet==3.0.3
+# submitted a PR to relax deps in 11/2024
+# https://github.com/microsoft/playwright-python/pull/2669
+greenlet==3.0.3
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -1,62 +1,61 @@
-# SHA1:85649679306ea016e401f37adfbad832028d2e5f
-#
-# This file is autogenerated by pip-compile-multi
-# To update, run:
-#
-#    pip-compile-multi
-#
-e file:.
-    # via -r requirements/base.in
-alembic==1.13.1
+# This file was autogenerated by uv via the following command:
+#    uv pip compile pyproject.toml requirements/base.in -o requirements/base.txt
+alembic==1.14.0
    # via flask-migrate
-amqp==5.2.0
+amqp==5.3.1
    # via kombu
-apispec[yaml]==6.3.0
+apispec==6.3.0
    # via flask-appbuilder
 apsw==3.46.0.0
    # via shillelagh
 async-timeout==4.0.3
-    # via redis
+    # via
+    #   -r requirements/base.in
+    #   redis
 attrs==24.2.0
    # via
    #   cattrs
    #   jsonschema
+    #   outcome
    #   requests-cache
+    #   trio
 babel==2.16.0
    # via flask-babel
 backoff==2.2.1
-    # via apache-superset
-bcrypt==4.1.3
+    # via apache-superset (pyproject.toml)
+bcrypt==4.2.1
    # via paramiko
-billiard==4.2.0
+billiard==4.2.1
    # via celery
 blinker==1.9.0
    # via flask
-bottleneck==1.3.8
-    # via pandas
+bottleneck==1.4.2
+    # via apache-superset (pyproject.toml)
 brotli==1.1.0
    # via flask-compress
 cachelib==0.9.0
    # via
    #   flask-caching
    #   flask-session
-cachetools==5.3.3
+cachetools==5.5.0
    # via google-auth
 cattrs==24.1.2
    # via requests-cache
 celery==5.4.0
-    # via apache-superset
-certifi==2024.2.2
-    # via requests
+    # via apache-superset (pyproject.toml)
+certifi==2024.8.30
+    # via
+    #   requests
+    #   selenium
 cffi==1.17.1
    # via
    #   cryptography
    #   pynacl
-charset-normalizer==3.3.2
+charset-normalizer==3.4.0
    # via requests
 click==8.1.7
    # via
-    #   apache-superset
+    #   apache-superset (pyproject.toml)
    #   celery
    #   click-didyoumean
    #   click-option-group
@@ -67,37 +66,44 @@ click==8.1.7
 click-didyoumean==0.3.1
    # via celery
 click-option-group==0.5.6
-    # via apache-superset
+    # via apache-superset (pyproject.toml)
 click-plugins==1.1.1
    # via celery
 click-repl==0.3.0
    # via celery
 colorama==0.4.6
    # via
-    #   apache-superset
+    #   apache-superset (pyproject.toml)
    #   flask-appbuilder
-cron-descriptor==1.4.3
-    # via apache-superset
-croniter==2.0.5
-    # via apache-superset
-cryptography==42.0.8
+cron-descriptor==1.4.5
+    # via apache-superset (pyproject.toml)
+croniter==5.0.1
+    # via apache-superset (pyproject.toml)
+cryptography==43.0.3
    # via
-    #   apache-superset
+    #   apache-superset (pyproject.toml)
    #   paramiko
    #   pyopenssl
-deprecated==1.2.14
+defusedxml==0.7.1
+    # via odfpy
+deprecated==1.2.15
    # via limits
 deprecation==2.1.0
-    # via apache-superset
-dnspython==2.6.1
+    # via apache-superset (pyproject.toml)
+dnspython==2.7.0
    # via email-validator
-email-validator==2.1.1
+email-validator==2.2.0
    # via flask-appbuilder
+et-xmlfile==2.0.0
+    # via openpyxl
 exceptiongroup==1.2.2
-    # via cattrs
+    # via
+    #   cattrs
+    #   trio
+    #   trio-websocket
 flask==2.3.3
    # via
-    #   apache-superset
+    #   apache-superset (pyproject.toml)
    #   flask-appbuilder
    #   flask-babel
    #   flask-caching
@@ -110,65 +116,72 @@ flask==2.3.3
    #   flask-sqlalchemy
    #   flask-wtf
 flask-appbuilder==4.5.2
-    # via apache-superset
+    # via apache-superset (pyproject.toml)
 flask-babel==2.0.0
    # via flask-appbuilder
 flask-caching==2.3.0
-    # via apache-superset
-flask-compress==1.15
-    # via apache-superset
-flask-jwt-extended==4.6.0
+    # via apache-superset (pyproject.toml)
+flask-compress==1.17
+    # via apache-superset (pyproject.toml)
+flask-jwt-extended==4.7.1
    # via flask-appbuilder
-flask-limiter==3.7.0
+flask-limiter==3.8.0
    # via flask-appbuilder
 flask-login==0.6.3
    # via
-    #   apache-superset
+    #   apache-superset (pyproject.toml)
    #   flask-appbuilder
 flask-migrate==3.1.0
-    # via apache-superset
+    # via apache-superset (pyproject.toml)
 flask-session==0.8.0
-    # via apache-superset
+    # via apache-superset (pyproject.toml)
 flask-sqlalchemy==2.5.1
    # via
    #   flask-appbuilder
    #   flask-migrate
 flask-talisman==1.1.0
-    # via apache-superset
-flask-wtf==1.2.1
+    # via apache-superset (pyproject.toml)
+flask-wtf==1.2.2
    # via
-    #   apache-superset
+    #   apache-superset (pyproject.toml)
    #   flask-appbuilder
-func-timeout==4.3.5
-    # via apache-superset
 geographiclib==2.0
    # via geopy
 geopy==2.4.1
-    # via apache-superset
-google-auth==2.29.0
+    # via apache-superset (pyproject.toml)
+google-auth==2.36.0
    # via shillelagh
 greenlet==3.0.3
    # via
+    #   -r requirements/base.in
+    #   apache-superset (pyproject.toml)
    #   shillelagh
    #   sqlalchemy
-gunicorn==22.0.0
-    # via apache-superset
+gunicorn==23.0.0
+    # via apache-superset (pyproject.toml)
+h11==0.14.0
+    # via wsproto
 hashids==1.3.1
-    # via apache-superset
+    # via apache-superset (pyproject.toml)
 holidays==0.25
-    # via apache-superset
-humanize==4.9.0
-    # via apache-superset
-idna==3.7
+    # via apache-superset (pyproject.toml)
+humanize==4.11.0
+    # via apache-superset (pyproject.toml)
+idna==3.10
    # via
    #   email-validator
    #   requests
-importlib-metadata==7.1.0
-    # via apache-superset
-importlib-resources==6.4.0
+    #   trio
+importlib-metadata==8.5.0
+    # via
+    #   apache-superset (pyproject.toml)
+    #   flask
+    #   markdown
+    #   shillelagh
+importlib-resources==6.4.5
    # via limits
-isodate==0.6.1
-    # via apache-superset
+isodate==0.7.2
+    # via apache-superset (pyproject.toml)
 itsdangerous==2.2.0
    # via
    #   flask
@@ -177,24 +190,22 @@ jinja2==3.1.4
    # via
    #   flask
    #   flask-babel
-jsonpath-ng==1.6.1
-    # via apache-superset
+jsonpath-ng==1.7.0
+    # via apache-superset (pyproject.toml)
 jsonschema==4.17.3
    # via flask-appbuilder
-kombu==5.3.7
+kombu==5.4.2
    # via celery
 korean-lunar-calendar==0.3.1
    # via holidays
-limits==3.12.0
+limits==3.13.0
    # via flask-limiter
-llvmlite==0.42.0
-    # via numba
-mako==1.3.5
+mako==1.3.6
    # via
+    #   apache-superset (pyproject.toml)
    #   alembic
-    #   apache-superset
-markdown==3.6
-    # via apache-superset
+markdown==3.7
+    # via apache-superset (pyproject.toml)
 markdown-it-py==3.0.0
    # via rich
 markupsafe==3.0.2
@@ -203,7 +214,7 @@ markupsafe==3.0.2
    #   mako
    #   werkzeug
    #   wtforms
-marshmallow==3.21.2
+marshmallow==3.23.1
    # via
    #   flask-appbuilder
    #   marshmallow-sqlalchemy
@@ -212,30 +223,31 @@ marshmallow-sqlalchemy==0.28.2
 mdurl==0.1.2
    # via markdown-it-py
 msgpack==1.0.8
-    # via apache-superset
+    # via apache-superset (pyproject.toml)
 msgspec==0.18.6
    # via flask-session
-nh3==0.2.17
-    # via apache-superset
-numba==0.59.1
-    # via pandas
-numexpr==2.10.1
-    # via
-    #   -r requirements/base.in
-    #   pandas
+nh3==0.2.19
+    # via apache-superset (pyproject.toml)
+numexpr==2.10.2
+    # via -r requirements/base.in
 numpy==1.23.5
    # via
-    #   apache-superset
+    #   apache-superset (pyproject.toml)
    #   bottleneck
-    #   numba
    #   numexpr
    #   pandas
    #   pyarrow
+odfpy==1.4.1
+    # via pandas
+openpyxl==3.1.5
+    # via pandas
 ordered-set==4.1.0
    # via flask-limiter
-packaging==23.2
+outcome==1.3.0.post0
+    # via trio
+packaging==24.2
    # via
-    #   apache-superset
+    #   apache-superset (pyproject.toml)
    #   apispec
    #   deprecation
    #   gunicorn
@@ -243,54 +255,56 @@ packaging==23.2
    #   marshmallow
    #   marshmallow-sqlalchemy
    #   shillelagh
-pandas[performance]==2.0.3
-    # via apache-superset
-paramiko==3.4.0
+pandas==2.0.3
+    # via apache-superset (pyproject.toml)
+paramiko==3.5.0
    # via
-    #   apache-superset
+    #   apache-superset (pyproject.toml)
    #   sshtunnel
 parsedatetime==2.6
-    # via apache-superset
+    # via apache-superset (pyproject.toml)
 pgsanity==0.2.9
-    # via apache-superset
+    # via apache-superset (pyproject.toml)
 platformdirs==3.8.1
    # via requests-cache
 ply==3.11
    # via jsonpath-ng
 polyline==2.0.2
-    # via apache-superset
+    # via apache-superset (pyproject.toml)
 prison==0.2.1
    # via flask-appbuilder
-prompt-toolkit==3.0.44
+prompt-toolkit==3.0.48
    # via click-repl
 pyarrow==14.0.2
-    # via apache-superset
-pyasn1==0.6.0
+    # via apache-superset (pyproject.toml)
+pyasn1==0.6.1
    # via
    #   pyasn1-modules
    #   rsa
-pyasn1-modules==0.4.0
+pyasn1-modules==0.4.1
    # via google-auth
 pycparser==2.22
    # via cffi
 pygments==2.18.0
    # via rich
-pyjwt==2.8.0
+pyjwt==2.10.1
    # via
-    #   apache-superset
+    #   apache-superset (pyproject.toml)
    #   flask-appbuilder
    #   flask-jwt-extended
 pynacl==1.5.0
    # via paramiko
-pyopenssl==24.1.0
+pyopenssl==24.2.1
    # via shillelagh
-pyparsing==3.1.2
-    # via apache-superset
+pyparsing==3.2.0
+    # via apache-superset (pyproject.toml)
 pyrsistent==0.20.0
    # via jsonschema
+pysocks==1.7.1
+    # via urllib3
 python-dateutil==2.9.0.post0
    # via
-    #   apache-superset
+    #   apache-superset (pyproject.toml)
    #   celery
    #   croniter
    #   flask-appbuilder
@@ -298,51 +312,56 @@ python-dateutil==2.9.0.post0
    #   pandas
    #   shillelagh
 python-dotenv==1.0.1
-    # via apache-superset
+    # via apache-superset (pyproject.toml)
 python-geohash==0.8.5
-    # via apache-superset
+    # via apache-superset (pyproject.toml)
 pytz==2024.2
    # via
    #   croniter
    #   flask-babel
    #   pandas
-pyyaml==6.0.1
+pyxlsb==1.0.10
+    # via pandas
+pyyaml==6.0.2
    # via
-    #   apache-superset
+    #   apache-superset (pyproject.toml)
    #   apispec
 redis==4.6.0
-    # via apache-superset
+    # via apache-superset (pyproject.toml)
 requests==2.32.2
    # via
    #   requests-cache
    #   shillelagh
 requests-cache==1.2.0
    # via shillelagh
-rich==13.7.1
+rich==13.9.4
    # via flask-limiter
 rsa==4.9
    # via google-auth
-selenium==3.141.0
-    # via apache-superset
-shillelagh[gsheetsapi]==1.2.18
-    # via apache-superset
+selenium==4.27.1
+    # via apache-superset (pyproject.toml)
+shillelagh==1.2.18
+    # via apache-superset (pyproject.toml)
 shortid==0.1.2
-    # via apache-superset
-simplejson==3.19.2
-    # via apache-superset
+    # via apache-superset (pyproject.toml)
+simplejson==3.19.3
+    # via apache-superset (pyproject.toml)
 six==1.16.0
    # via
-    #   isodate
    #   prison
    #   python-dateutil
    #   url-normalize
    #   wtforms-json
-slack-sdk==3.27.2
-    # via apache-superset
-sqlalchemy==1.4.52
+slack-sdk==3.33.4
+    # via apache-superset (pyproject.toml)
+sniffio==1.3.1
+    # via trio
+sortedcontainers==2.4.0
+    # via trio
+sqlalchemy==1.4.54
    # via
+    #   apache-superset (pyproject.toml)
    #   alembic
-    #   apache-superset
    #   flask-appbuilder
    #   flask-sqlalchemy
    #   marshmallow-sqlalchemy
@@ -350,27 +369,37 @@ sqlalchemy==1.4.52
    #   sqlalchemy-utils
 sqlalchemy-utils==0.38.3
    # via
-    #   apache-superset
+    #   apache-superset (pyproject.toml)
    #   flask-appbuilder
-sqlglot==25.24.0
-    # via apache-superset
-sqlparse==0.5.0
-    # via apache-superset
+sqlglot==25.24.5
+    # via apache-superset (pyproject.toml)
+sqlparse==0.5.2
+    # via apache-superset (pyproject.toml)
 sshtunnel==0.4.0
-    # via apache-superset
+    # via apache-superset (pyproject.toml)
 tabulate==0.8.10
-    # via apache-superset
+    # via apache-superset (pyproject.toml)
+trio==0.28.0
+    # via
+    #   selenium
+    #   trio-websocket
+trio-websocket==0.11.1
+    # via selenium
 typing-extensions==4.12.2
    # via
+    #   apache-superset (pyproject.toml)
    #   alembic
-    #   apache-superset
    #   cattrs
    #   flask-limiter
+    #   kombu
    #   limits
+    #   rich
+    #   selenium
    #   shillelagh
-tzdata==2024.1
+tzdata==2024.2
    # via
    #   celery
+    #   kombu
    #   pandas
 url-normalize==1.4.3
    # via requests-cache
@@ -387,6 +416,8 @@ vine==5.1.0
    #   kombu
 wcwidth==0.2.13
    # via prompt-toolkit
+websocket-client==1.8.0
+    # via selenium
 werkzeug==3.1.3
    # via
    #   -r requirements/base.in
@@ -394,19 +425,27 @@ werkzeug==3.1.3
    #   flask-appbuilder
    #   flask-jwt-extended
    #   flask-login
-wrapt==1.16.0
+wrapt==1.17.0
    # via deprecated
+wsproto==1.2.0
+    # via trio-websocket
 wtforms==3.2.1
    # via
-    #   apache-superset
+    #   apache-superset (pyproject.toml)
    #   flask-appbuilder
    #   flask-wtf
    #   wtforms-json
 wtforms-json==0.3.5
-    # via apache-superset
+    # via apache-superset (pyproject.toml)
+xlrd==2.0.1
+    # via pandas
 xlsxwriter==3.0.9
-    # via apache-superset
-zipp==3.19.0
-    # via importlib-metadata
-zstandard==0.22.0
+    # via
+    #   apache-superset (pyproject.toml)
+    #   pandas
+zipp==3.21.0
+    # via
+    #   importlib-metadata
+    #   importlib-resources
+zstandard==0.23.0
    # via flask-compress
--- a/requirements/development.in
+++ b/requirements/development.in
@@ -16,5 +16,4 @@
 # specific language governing permissions and limitations
 # under the License.
 #
-r base.in
-e .[development,bigquery,cors,druid,gevent,gsheets,hive,mysql,playwright,postgres,presto,prophet,trino,thumbnails]
+-e .[development,bigquery,cors,druid,gevent,gsheets,mysql,postgres,presto,prophet,trino,thumbnails]
--- a/requirements/development.txt
+++ b/requirements/development.txt
--- a/requirements/translations.in
+++ b/requirements/translations.in
@@ -0,0 +1 @@
+babel
--- a/Show More
+++ b/Show More