Merge remote-tracking branch 'origin/master' into docs/testing-guidelines-test-function

Added comprehensive testing structure guidelines to LLMS.md that explain why and how to use test() instead of describe() and it(), following the "avoid nesting when testing" principle for better test isolation and readability.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

.claude/commands/js-to-ts.md

@@ -0,0 +1,10 @@
+# JavaScript to TypeScript Migration Command
+
+## Usage
+```
+/js-to-ts <core-filename>
+```
+- `<core-filename>` - Path to CORE file relative to `superset-frontend/` (e.g., `src/utils/common.js`, `src/middleware/loggerMiddleware.js`)
+
+## Agent Instructions
+**See:** [../projects/js-to-ts/AGENT.md](../projects/js-to-ts/AGENT.md) for complete migration guide.

.claude/projects/js-to-ts/AGENT.md

@@ -0,0 +1,684 @@
+# JavaScript to TypeScript Migration Agent Guide
+
+**Complete technical reference for converting JavaScript/JSX files to TypeScript/TSX in Apache Superset frontend.**
+
+**Agent Role:** Atomic migration unit - migrate the core file + ALL related tests/mocks as one cohesive unit. Use `git mv` to preserve history, NO `git commit`. NO global import changes. Report results upon completion.
+
+---
+
+## 🎯 Migration Principles
+
+1. **Atomic migration units** - Core file + all related tests/mocks migrate together
+2. **Zero `any` types** - Use proper TypeScript throughout
+3. **Leverage existing types** - Reuse established definitions
+4. **Type inheritance** - Derivatives extend base component types
+5. **Strategic placement** - File types for maximum discoverability
+6. **Surgical improvements** - Enhance existing types during migration
+
+---
+
+## Step 0: Dependency Check (MANDATORY)
+
+**Command:**
+```bash
+grep -E "from '\.\./.*\.jsx?'|from '\./.*\.jsx?'|from 'src/.*\.jsx?'" superset-frontend/{filename}
+```
+
+**Decision:**
+- ✅ No matches → Proceed with atomic migration (core + tests + mocks)
+- ❌ Matches found → EXIT with dependency report (see format below)
+
+---
+
+## Step 1: Identify Related Files (REQUIRED)
+
+**Atomic Migration Scope:**
+For core file `src/utils/example.js`, also migrate:
+- `src/utils/example.test.js` / `src/utils/example.test.jsx`
+- `src/utils/example.spec.js` / `src/utils/example.spec.jsx`
+- `src/utils/__mocks__/example.js`
+- Any other related test/mock files found by pattern matching
+
+**Find all related test and mock files:**
+```bash
+# Pattern-based search for related files
+basename=$(basename {filename} .js)
+dirname=$(dirname superset-frontend/{filename})
+
+# Find test files
+find "$dirname" -name "${basename}.test.js" -o -name "${basename}.test.jsx"
+find "$dirname" -name "${basename}.spec.js" -o -name "${basename}.spec.jsx"
+
+# Find mock files  
+find "$dirname" -name "__mocks__/${basename}.js"
+find "$dirname" -name "${basename}.mock.js"
+```
+
+**Migration Requirement:** All discovered related files MUST be migrated together as one atomic unit.
+
+**Test File Creation:** If NO test files exist for the core file, CREATE a minimal test file using the following pattern:
+- Location: Same directory as core file
+- Name: `{basename}.test.ts` (e.g., `DebouncedMessageQueue.test.ts`)
+- Content: Basic test structure importing and testing the main functionality
+- Use proper TypeScript types in test file
+
+---
+
+## 🗺️ Type Reference Map
+
+### From `@superset-ui/core`
+```typescript
+// Data & Query
+QueryFormData, QueryData, JsonObject, AnnotationData, AdhocMetric
+LatestQueryFormData, GenericDataType, DatasourceType, ExtraFormData
+DataMaskStateWithId, NativeFilterScope, NativeFiltersState, NativeFilterTarget
+
+// UI & Theme  
+FeatureFlagMap, LanguagePack, ColorSchemeConfig, SequentialSchemeConfig
+```
+
+### From `@superset-ui/chart-controls`
+```typescript
+Dataset, ColumnMeta, ControlStateMapping
+```
+
+### From Local Types (`src/types/`)
+```typescript
+// Authentication
+User, UserWithPermissionsAndRoles, BootstrapUser, PermissionsAndRoles
+
+// Dashboard
+Dashboard, DashboardState, DashboardInfo, DashboardLayout, LayoutItem
+ComponentType, ChartConfiguration, ActiveFilters
+
+// Charts
+Chart, ChartState, ChartStatus, ChartLinkedDashboard, Slice, SaveActionType
+
+// Data
+Datasource, Database, Owner, Role
+
+// UI Components
+TagType, FavoriteStatus, Filter, ImportResourceName
+```
+
+### From Domain Types
+```typescript
+// src/dashboard/types.ts
+RootState, ChartsState, DatasourcesState, FilterBarOrientation
+ChartCrossFiltersConfig, ActiveTabs, MenuKeys
+
+// src/explore/types.ts  
+ExplorePageInitialData, ExplorePageState, ExploreResponsePayload, OptionSortType
+
+// src/SqlLab/types.ts
+[SQL Lab specific types]
+```
+
+---
+
+## 🏗️ Type Organization Strategy
+
+### Type Placement Hierarchy
+
+1. **Component-Colocated** (90% of cases)
+   ```typescript
+   // Same file as component
+   interface MyComponentProps {
+     title: string;
+     onClick: () => void;
+   }
+   ```
+
+2. **Feature-Shared**
+   ```typescript
+   // src/[domain]/components/[Feature]/types.ts
+   export interface FilterConfiguration {
+     filterId: string;
+     targets: NativeFilterTarget[];
+   }
+   ```
+
+3. **Domain-Wide**
+   ```typescript
+   // src/[domain]/types.ts
+   export interface ExploreFormData extends QueryFormData {
+     viz_type: string;
+   }
+   ```
+
+4. **Global**
+   ```typescript
+   // src/types/[TypeName].ts
+   export interface ApiResponse<T> {
+     result: T;
+     count?: number;
+   }
+   ```
+
+### Type Discovery Commands
+```bash
+# Search existing types before creating
+find superset-frontend/src -name "types.ts" -exec grep -l "[TypeConcept]" {} \;
+grep -r "interface.*Props\|type.*Props" superset-frontend/src/
+```
+
+### Derivative Component Patterns
+
+**Rule:** Components that extend others should extend their type interfaces.
+
+```typescript
+// ✅ Base component type
+interface SelectProps {
+  value: string | number;
+  options: SelectOption[];
+  onChange: (value: string | number) => void;
+  disabled?: boolean;
+}
+
+// ✅ Derivative extends base
+interface ChartSelectProps extends SelectProps {
+  charts: Chart[];
+  onChartSelect: (chart: Chart) => void;
+}
+
+// ✅ Derivative with modified props  
+interface DatabaseSelectProps extends Omit<SelectProps, 'value' | 'onChange'> {
+  value: number;  // Narrowed type
+  onChange: (databaseId: number) => void;  // Specific signature
+}
+```
+
+**Common Patterns:**
+- **Extension:** `extends BaseProps` - adds new props
+- **Omission:** `Omit<BaseProps, 'prop'>` - removes props
+- **Modification:** `Omit<BaseProps, 'prop'> & { prop: NewType }` - changes prop type
+- **Restriction:** Override with narrower types (union → specific)
+
+---
+
+## 📋 Migration Recipe
+
+### Step 2: File Conversion
+```bash
+# Use git mv to preserve history
+git mv component.js component.ts
+git mv Component.jsx Component.tsx
+```
+
+### Step 3: Import & Type Setup
+```typescript
+// Import order (enforced by linting)
+import { FC, ReactNode } from 'react';
+import { JsonObject, QueryFormData } from '@superset-ui/core';
+import { Dataset } from '@superset-ui/chart-controls';
+import type { Dashboard } from 'src/types/Dashboard';
+```
+
+### Step 4: Function & Component Typing
+```typescript
+// Functions with proper parameter/return types
+export function processData(
+  data: Dataset[],
+  config: JsonObject
+): ProcessedData[] {
+  // implementation
+}
+
+// Component props with inheritance
+interface ComponentProps extends BaseProps {
+  data: Chart[];
+  onSelect: (id: number) => void;
+}
+
+const Component: FC<ComponentProps> = ({ data, onSelect }) => {
+  // implementation
+};
+```
+
+### Step 5: State & Redux Typing
+```typescript
+// Hooks with specific types
+const [data, setData] = useState<Chart[]>([]);
+const [selected, setSelected] = useState<number | null>(null);
+
+// Redux with existing RootState
+const mapStateToProps = (state: RootState) => ({
+  charts: state.charts,
+  user: state.user,
+});
+```
+
+---
+
+## 🧠 Type Debugging Strategies (Real-World Learnings)
+
+### The Evolution of Type Approaches
+When you hit type errors, follow this debugging evolution:
+
+#### 1. ❌ Idealized Union Types (First Attempt)
+```typescript
+// Looks clean but doesn't match reality
+type DatasourceInput = Datasource | QueryEditor;
+```
+**Problem**: Real calling sites pass variations, not exact types.
+
+#### 2. ❌ Overly Precise Types (Second Attempt)
+```typescript
+// Tried to match exact calling signatures
+type DatasourceInput =
+  | IDatasource  // From DatasourcePanel
+  | (QueryEditor & { columns: ColumnMeta[] });  // From SaveQuery
+```
+**Problem**: Too rigid, doesn't handle legacy variations.
+
+#### 3. ✅ Flexible Interface (Final Solution)
+```typescript
+// Captures what the function actually needs
+interface DatasourceInput {
+  name?: string | null;  // Allow null for compatibility
+  datasource_name?: string | null;  // Legacy variations
+  columns?: any[];  // Multiple column types accepted
+  database?: { id?: number };
+  // ... other optional properties
+}
+```
+**Success**: Works with all calling sites, focuses on function needs.
+
+### Type Debugging Process
+1. **Start with compilation errors** - they show exact mismatches
+2. **Examine actual usage** - look at calling sites, not idealized types  
+3. **Build flexible interfaces** - capture what functions need, not rigid contracts
+4. **Iterate based on downstream validation** - let calling sites guide your types
+
+---
+
+## 🚨 Anti-Patterns to Avoid
+
+```typescript
+// ❌ Never use any
+const obj: any = {};
+
+// ✅ Use proper types
+const obj: Record<string, JsonObject> = {};
+
+// ❌ Don't recreate base component props
+interface ChartSelectProps {
+  value: string;     // Duplicated from SelectProps
+  onChange: () => void;  // Duplicated from SelectProps
+  charts: Chart[];   // New prop
+}
+
+// ✅ Inherit and extend
+interface ChartSelectProps extends SelectProps {
+  charts: Chart[];   // Only new props
+}
+
+// ❌ Don't create ad-hoc type variations
+interface UserInfo {
+  name: string;
+  email: string;
+}
+
+// ✅ Extend existing types (DRY principle)
+import { User } from 'src/types/bootstrapTypes';
+type UserDisplayInfo = Pick<User, 'firstName' | 'lastName' | 'email'>;
+
+// ❌ Don't create overly rigid unions
+type StrictInput = ExactTypeA | ExactTypeB;
+
+// ✅ Create flexible interfaces for function parameters
+interface FlexibleInput {
+  // Focus on what the function actually needs
+  commonProperty: string;
+  optionalVariations?: any;  // Allow for legacy variations
+}
+```
+
+## 📍 DRY Type Guidelines (WHERE TYPES BELONG)
+
+### Type Placement Rules
+**CRITICAL**: Type variations must live close to where they belong, not scattered across files.
+
+#### ✅ Proper Type Organization
+```typescript
+// ❌ Don't create one-off interfaces in utility files
+// src/utils/datasourceUtils.ts
+interface DatasourceInput { /* custom interface */ }  // Wrong!
+
+// ✅ Use existing types or extend them in their proper domain
+// src/utils/datasourceUtils.ts
+import { IDatasource } from 'src/explore/components/DatasourcePanel';
+import { QueryEditor } from 'src/SqlLab/types';
+
+// Create flexible interface that references existing types
+interface FlexibleDatasourceInput {
+  // Properties that actually exist across variations
+}
+```
+
+#### Type Location Hierarchy
+1. **Domain Types**: `src/{domain}/types.ts` (dashboard, explore, SqlLab)
+2. **Component Types**: Co-located with components  
+3. **Global Types**: `src/types/` directory
+4. **Utility Types**: Only when they truly don't belong elsewhere
+
+#### ✅ DRY Type Patterns
+```typescript
+// ✅ Extend existing domain types
+interface SaveQueryData extends Pick<QueryEditor, 'sql' | 'dbId' | 'catalog'> {
+  columns: ColumnMeta[];  // Add what's needed
+}
+
+// ✅ Create flexible interfaces for cross-domain utilities
+interface CrossDomainInput {
+  // Common properties that exist across different source types
+  name?: string | null;  // Accommodate legacy null values
+  // Only include properties the function actually uses
+}
+```
+
+---
+
+## 🎯 PropTypes Auto-Generation (Elegant Approach)
+
+**IMPORTANT**: Superset has `babel-plugin-typescript-to-proptypes` configured to automatically generate PropTypes from TypeScript interfaces. Use this instead of manual PropTypes duplication!
+
+### ❌ Manual PropTypes Duplication (Avoid This)
+```typescript
+export interface MyComponentProps {
+  title: string;
+  count?: number;
+}
+
+// 8+ lines of manual PropTypes duplication 😱
+const propTypes = PropTypes.shape({
+  title: PropTypes.string.isRequired,
+  count: PropTypes.number,
+});
+
+export default propTypes;
+```
+
+### ✅ Auto-Generated PropTypes (Use This)
+```typescript
+import { InferProps } from 'prop-types';
+
+export interface MyComponentProps {
+  title: string;
+  count?: number;
+}
+
+// Single validator function - babel plugin auto-generates PropTypes! ✨
+export default function MyComponentValidator(props: MyComponentProps) {
+  return null; // PropTypes auto-assigned by babel-plugin-typescript-to-proptypes
+}
+
+// Optional: For consumers needing PropTypes type inference
+export type MyComponentPropsInferred = InferProps<typeof MyComponentValidator>;
+```
+
+### Migration Pattern for Type-Only Files
+
+**When migrating type-only files with manual PropTypes:**
+
+1. **Keep the TypeScript interfaces** (single source of truth)
+2. **Replace manual PropTypes** with validator function
+3. **Remove PropTypes imports** and manual shape definitions
+4. **Add InferProps import** if type inference needed
+
+**Example Migration:**
+```typescript
+// Before: 25+ lines with manual PropTypes duplication
+export interface AdhocFilterType { /* ... */ }
+const adhocFilterTypePropTypes = PropTypes.oneOfType([...]);
+
+// After: 3 lines with auto-generation
+export interface AdhocFilterType { /* ... */ }
+export default function AdhocFilterValidator(props: { filter: AdhocFilterType }) {
+  return null; // Auto-generated PropTypes by babel plugin
+}
+```
+
+### Component PropTypes Pattern
+
+**For React components, the babel plugin works automatically:**
+
+```typescript
+interface ComponentProps {
+  title: string;
+  onClick: () => void;
+}
+
+const MyComponent: FC<ComponentProps> = ({ title, onClick }) => {
+  // Component implementation
+};
+
+// PropTypes automatically generated by babel plugin - no manual work needed!
+export default MyComponent;
+```
+
+### Auto-Generation Benefits
+
+- ✅ **Single source of truth**: TypeScript interfaces drive PropTypes
+- ✅ **No duplication**: Eliminate 15-20 lines of manual PropTypes code
+- ✅ **Automatic updates**: Changes to TypeScript automatically update PropTypes
+- ✅ **Type safety**: Compile-time checking ensures PropTypes match interfaces
+- ✅ **Backward compatibility**: Existing JavaScript components continue working
+
+### Babel Plugin Configuration
+
+The plugin is already configured in `babel.config.js`:
+```javascript
+['babel-plugin-typescript-to-proptypes', { loose: true }]
+```
+
+**No additional setup required** - just use TypeScript interfaces and the plugin handles the rest!
+
+---
+
+## 🧪 Test File Migration Patterns
+
+### Test File Priority
+- **Always migrate test files** alongside production files
+- **Test files are often leaf nodes** - good starting candidates
+- **Create tests if missing** - Leverage new TypeScript types for better test coverage
+
+### Test-Specific Type Patterns
+```typescript
+// Mock interfaces for testing
+interface MockStore {
+  getState: () => Partial<RootState>;  // Partial allows minimal mocking
+}
+
+// Type-safe mocking for complex objects
+const mockDashboardInfo: Partial<DashboardInfo> as DashboardInfo = {
+  id: 123,
+  json_metadata: '{}',
+};
+
+// Sinon stub typing
+let postStub: sinon.SinonStub;
+beforeEach(() => {
+  postStub = sinon.stub(SupersetClient, 'post');
+});
+
+// Use stub reference instead of original method
+expect(postStub.callCount).toBe(1);
+expect(postStub.getCall(0).args[0].endpoint).toMatch('/api/');
+```
+
+### Test Migration Recipe
+1. **Migrate production file first** (if both need migration)
+2. **Update test imports** to point to `.ts/.tsx` files
+3. **Add proper mock typing** using `Partial<T> as T` pattern
+4. **Fix stub typing** - Use stub references, not original methods
+5. **Verify all tests pass** with TypeScript compilation
+
+---
+
+## 🔧 Type Conflict Resolution
+
+### Multiple Type Definitions Issue
+**Problem**: Same type name defined in multiple files causes compilation errors.
+
+**Example**: `DashboardInfo` defined in both:
+- `src/dashboard/reducers/types.ts` (minimal)
+- `src/dashboard/components/Header/types.ts` (different shape)  
+- `src/dashboard/types.ts` (complete - used by RootState)
+
+### Resolution Strategy
+1. **Identify the authoritative type**:
+   ```bash
+   # Find which type is used by RootState/main interfaces
+   grep -r "DashboardInfo" src/dashboard/types.ts
+   ```
+
+2. **Use import from authoritative source**:
+   ```typescript
+   // ✅ Import from main domain types
+   import { RootState, DashboardInfo } from 'src/dashboard/types';
+
+   // ❌ Don't import from component-specific files
+   import { DashboardInfo } from 'src/dashboard/components/Header/types';
+   ```
+
+3. **Mock complex types in tests**:
+   ```typescript
+   // For testing - provide minimal required fields
+   const mockInfo: Partial<DashboardInfo> as DashboardInfo = {
+     id: 123,
+     json_metadata: '{}',
+     // Only provide fields actually used in test
+   };
+   ```
+
+### Type Hierarchy Discovery Commands
+```bash
+# Find all definitions of a type
+grep -r "interface.*TypeName\|type.*TypeName" src/
+
+# Find import usage patterns
+grep -r "import.*TypeName" src/
+
+# Check what RootState uses
+grep -A 10 -B 10 "TypeName" src/*/types.ts
+```
+
+---
+
+## Agent Constraints (CRITICAL)
+
+1. **Use git mv** - Run `git mv file.js file.ts` to preserve git history, but NO `git commit`
+2. **NO global import changes** - Don't update imports across codebase
+3. **Type files OK** - Can modify existing type files to improve/align types
+4. **Single-File TypeScript Validation** (CRITICAL) - tsc has known issues with multi-file compilation:
+   - **Core Issue**: TypeScript's `tsc` has documented problems validating multiple files simultaneously in complex projects
+   - **Solution**: ALWAYS validate files one at a time using individual `tsc` calls
+   - **Command Pattern**: `cd superset-frontend && npx tscw --noEmit --allowJs --composite false --project tsconfig.json {single-file-path}`
+   - **Why**: Multi-file validation can produce false positives, miss real errors, and conflict during parallel agent execution
+5. **Downstream Impact Validation** (CRITICAL) - Your migration affects calling sites:
+   - **Find downstream files**: `find superset-frontend/src -name "*.tsx" -o -name "*.ts" | xargs grep -l "your-core-filename" 2>/dev/null || echo "No files found"`
+   - **Validate each downstream file individually**: `cd superset-frontend && npx tscw --noEmit --allowJs --composite false --project tsconfig.json {each-downstream-file}`
+   - **Fix type mismatches** you introduced in calling sites
+   - **NEVER ignore downstream errors** - they indicate your types don't match reality
+6. **Avoid Project-Wide Validation During Migration**:
+   - **NEVER use `npm run type`** during parallel agent execution - produces unreliable results
+   - **Single-file validation is authoritative** - trust individual file checks over project-wide scans
+6. **ESLint validation** - Run `npm run eslint -- --fix {file}` for each migrated file to auto-fix formatting/linting issues
+6. Zero `any` types - use proper TypeScript types
+7. Search existing types before creating new ones
+8. Follow patterns from this guide
+
+---
+
+## Success Report Format
+
+```
+SUCCESS: Atomic Migration of {core-filename}
+
+## Files Migrated (Atomic Unit)
+- Core: {core-filename} → {core-filename.ts/tsx}
+- Tests: {list-of-test-files} → {list-of-test-files.ts/tsx} OR "CREATED: {basename}.test.ts"
+- Mocks: {list-of-mock-files} → {list-of-mock-files.ts}
+- Type files modified: {list-of-type-files}
+
+## Types Created/Improved
+- {TypeName}: {location} ({scope}) - {rationale}
+- {ExistingType}: enhanced in {location} - {improvement-description}
+
+## Documentation Recommendations  
+- ADD_TO_DIRECTORY: {TypeName} - {reason}
+- NO_DOCUMENTATION: {TypeName} - {reason}
+
+## Quality Validation
+- **Single-File TypeScript Validation**: ✅ PASS - Core files individually validated
+  - Core file: `npx tscw --noEmit --allowJs --composite false --project tsconfig.json {core-file}`
+  - Test files: `npx tscw --noEmit --allowJs --composite false --project tsconfig.json {test-file}` (if exists)
+- **Downstream Impact Check**: ✅ PASS - Found {N} files importing this module, all validate individually
+  - Downstream files: {list-of-files-that-import-your-module}
+  - Individual validation: `npx tscw --noEmit --allowJs --composite false --project tsconfig.json {each-downstream-file}`
+- **ESLint validation**: ✅ PASS (using `npm run eslint -- --fix {files}` to auto-fix formatting)
+- **Zero any types**: ✅ PASS
+- **Local imports resolved**: ✅ PASS  
+- **Functionality preserved**: ✅ PASS
+- **Tests pass** (if test file): ✅ PASS
+- **Follow-up action required**: {YES/NO}
+
+## Validation Strategy Notes
+- **Single-file approach used**: Avoided multi-file tsc validation due to known TypeScript compilation issues
+- **Project-wide validation skipped**: `npm run type` not used during parallel migration to prevent false positives
+
+## Migration Learnings
+- Type conflicts encountered: {describe any multiple type definitions}
+- Mock patterns used: {describe test mocking approaches}
+- Import hierarchy decisions: {note authoritative type sources used}
+- PropTypes strategy: {AUTO_GENERATED via babel plugin | MANUAL_DUPLICATION_REMOVED | N/A}
+
+## Improvement Suggestions for Documentation
+- AGENT.md enhancement: {suggest additions to migration guide}
+- Common pattern identified: {note reusable patterns for future migrations}
+```
+
+---
+
+## Dependency Block Report Format
+
+```
+DEPENDENCY_BLOCK: Cannot migrate {filename}
+
+## Blocking Dependencies
+- {path}: {type} - {usage} - {priority}
+
+## Impact Analysis
+- Estimated types: {number}
+- Expected locations: {list}
+- Cross-domain: {YES/NO}
+
+## Recommended Order
+{ordered-list}
+```
+
+---
+
+## 📚 Quick Reference
+
+**Type Utilities:**
+- `Record<K, V>` - Object with specific key/value types
+- `Partial<T>` - All properties optional
+- `Pick<T, K>` - Subset of properties
+- `Omit<T, K>` - Exclude specific properties
+- `NonNullable<T>` - Exclude null/undefined
+
+**Event Types:**
+- `MouseEvent<HTMLButtonElement>`
+- `ChangeEvent<HTMLInputElement>`
+- `FormEvent<HTMLFormElement>`
+
+**React Types:**
+- `FC<Props>` - Functional component
+- `ReactNode` - Any renderable content
+- `CSSProperties` - Style objects
+
+---
+
+**Remember:** Every type should add value and clarity. The goal is meaningful type safety that catches bugs and improves developer experience.

.claude/projects/js-to-ts/COORDINATOR.md

@@ -0,0 +1,199 @@
+# JS-to-TS Coordinator Workflow
+
+**Role:** Strategic migration coordination - select leaf-node files, trigger agents, review results, handle integration, manage dependencies.
+
+---
+
+## 1. Core File Selection Strategy
+
+**Target ONLY Core Files**: Coordinators identify core files (production code), agents handle related tests/mocks atomically.
+
+**File Analysis Commands**:
+```bash
+# Find CORE files with no JS/JSX dependencies (exclude tests/mocks) - SIZE PRIORITIZED
+find superset-frontend/src -name "*.js" -o -name "*.jsx" | grep -v "test\|spec\|mock" | xargs wc -l | sort -n | head -20
+
+# Alternative: Get file sizes in lines with paths
+find superset-frontend/src -name "*.js" -o -name "*.jsx" | grep -v "test\|spec\|mock" | while read file; do
+  lines=$(wc -l < "$file")
+  echo "$lines $file"
+done | sort -n | head -20
+
+# Check dependencies for core files only (start with smallest)
+for file in <core-files-sorted-by-size>; do
+  echo "=== $file ($(wc -l < "$file") lines) ==="
+  grep -E "from '\.\./.*\.jsx?'|from '\./.*\.jsx?'|from 'src/.*\.jsx?'" "$file" || echo "✅ LEAF CANDIDATE"
+done
+
+# Identify heavily imported files (migrate last)  
+grep -r "from.*utils/common" superset-frontend/src/ | wc -l
+
+# Quick leaf analysis with size priority
+find superset-frontend/src -name "*.js" -o -name "*.jsx" | grep -v "test\|spec\|mock" | head -30 | while read file; do
+  deps=$(grep -E "from '\.\./.*\.jsx?'|from '\./.*\.jsx?'|from 'src/.*\.jsx?'" "$file" | wc -l)
+  lines=$(wc -l < "$file")
+  if [ "$deps" -eq 0 ]; then
+    echo "✅ LEAF: $lines lines - $file"
+  fi
+done | sort -n
+```
+
+**Priority Order** (Smallest files first for easier wins):
+1. **Small leaf files** (<50 lines) - No JS/JSX imports, quick TypeScript conversion
+2. **Medium leaf files** (50-200 lines) - Self-contained utilities and helpers  
+3. **Small dependency files** (<100 lines) - Import only already-migrated files
+4. **Larger components** (200+ lines) - Complex but well-contained functionality
+5. **Core foundational files** (utils/common.js, controls.jsx) - migrate last regardless of size
+
+**Size-First Benefits**:
+- Faster completion builds momentum
+- Earlier validation of migration patterns
+- Easier rollback if issues arise
+- Better success rate for agent learning
+
+**Migration Unit**: Each agent call migrates:
+- 1 core file (primary target)
+- All related `*.test.js/jsx` files
+- All related `*.mock.js` files  
+- All related `__mocks__/` files
+
+---
+
+## 2. Task Creation & Agent Control
+
+### Task Triggering
+When triggering the `/js-to-ts` command:
+- **Task Title**: Use the core filename as the task title (e.g., "DebouncedMessageQueue.js migration", "hostNamesConfig.js migration")
+- **Task Description**: Include the full relative path to help agent locate the file
+- **Reference**: Point agent to [AGENT.md](./AGENT.md) for technical instructions
+
+### Post-Processing Workflow
+After each agent completes:
+
+1. **Review Agent Report**: Always read and analyze the complete agent report
+2. **Share Summary**: Provide user with key highlights from agent's work:
+   - Files migrated (core + tests/mocks)
+   - Types created or improved
+   - Any validation issues or coordinator actions needed
+3. **Quality Assessment**: Evaluate agent's TypeScript implementation against criteria:
+   - ✅ **Type Usage**: Proper types used, no `any` types
+   - ✅ **Type Filing**: Types placed in correct hierarchy (component → feature → domain → global)
+   - ✅ **Side Effects**: No unintended changes to other files
+   - ✅ **Import Alignment**: Proper .ts/.tsx import extensions
+4. **Integration Decision**:
+   - **COMMIT**: If agent work is complete and high quality
+   - **FIX & COMMIT**: If minor issues need coordinator fixes
+   - **ROLLBACK**: If major issues require complete rework
+5. **Next Action**: Ask user preference - commit this work or trigger next migration
+
+---
+
+## 3. Integration Decision Framework
+
+**Automatic Integration** ✅:
+- `npm run type` passes without errors
+- Agent created clean TypeScript with proper types
+- Types appropriately filed in hierarchy
+
+**Coordinator Integration** (Fix Side-Effects) 🔧:
+- `npm run type` fails BUT agent's work is high quality
+- Good type usage, proper patterns, well-organized
+- Side-effects are manageable TypeScript compilation errors
+- **Coordinator Action**: Integrate the change, then fix global compilation issues
+
+**Rollback Only** ❌:
+- Agent introduced `any` types or poor type choices
+- Types poorly organized or conflicting with existing patterns
+- Fundamental approach issues requiring complete rework
+
+**Integration Process**:
+1. **Review**: Agent already used `git mv` to preserve history
+2. **Fix Side-Effects**: Update dependent files with proper import extensions
+3. **Resolve Types**: Fix any cascading type issues across codebase
+4. **Validate**: Ensure `npm run type` passes after fixes
+
+---
+
+## 4. Common Integration Patterns
+
+**Common Side-Effects (Expect These)**:
+- **Type import conflicts**: Multiple definitions of same type name
+- **Mock object typing**: Tests need complete type satisfaction
+- **Stub method references**: Use stub vars instead of original methods
+
+**Coordinator Fixes (Standard Process)**:
+1. **Import Resolution**:
+   ```bash
+   # Find authoritative type source
+   grep -r "TypeName" src/*/types.ts
+   # Import from domain types (src/dashboard/types.ts) not component types
+   ```
+
+2. **Test Mock Completion**:
+   ```typescript
+   // Use Partial<T> as T pattern for minimal mocking
+   const mockDashboard: Partial<DashboardInfo> as DashboardInfo = {
+     id: 123,
+     json_metadata: '{}',
+   };
+   ```
+
+3. **Stub Reference Fixes**:
+   ```typescript
+   // ✅ Use stub variable
+   expect(postStub.callCount).toBe(1);
+   // ❌ Don't use original method
+   expect(SupersetClient.post.callCount).toBe(1);
+   ```
+
+4. **Validation Commands**:
+   ```bash
+   npm run type          # TypeScript compilation
+   npm test -- filename  # Test functionality
+   git status           # Should show rename, not add/delete
+   ```
+
+---
+
+## 5. File Categories for Planning
+
+### Leaf Files (Start Here)
+**Self-contained files with minimal JS/JSX dependencies**:
+- Test files (80 files) - Usually only import the file being tested
+- Utility files without internal dependencies
+- Components importing only external libraries
+
+### Heavily Imported Files (Migrate Last)
+**Core files that many others depend on**:
+- `utils/common.js` - Core utility functions
+- `utils/reducerUtils.js` - Redux helpers  
+- `@superset-ui/core` equivalent files
+- Major state management files (`explore/store.js`, `dashboard/actions/`)
+
+### Complex Components (Middle Priority)  
+**Large files requiring careful type analysis**:
+- `components/Datasource/DatasourceEditor.jsx` (1,809 lines)
+- `explore/components/controls/AnnotationLayerControl/AnnotationLayer.jsx` (1,031 lines)
+- `explore/components/ExploreViewContainer/index.jsx` (911 lines)
+
+---
+
+## 6. Success Metrics & Continuous Improvement
+
+**Per-File Gates**:
+- ✅ `npm run type` passes after each migration
+- ✅ Zero `any` types introduced
+- ✅ All imports properly typed
+- ✅ Types filed in correct hierarchy
+
+**Linear Scheduling**:
+When agents report `DEPENDENCY_BLOCK`:
+- Queue dependencies in linear order
+- Process one file at a time to avoid conflicts
+- Handle cascading type changes between files
+
+**After Each Migration**:
+1. **Update guides** with new patterns discovered
+2. **Document coordinator fixes** that become common
+3. **Enhance agent instructions** based on recurring issues
+4. **Track success metrics** - automatic vs coordinator integration rates

.claude/projects/js-to-ts/PROJECT.md

@@ -0,0 +1,76 @@
+# JavaScript to TypeScript Migration Project
+
+Progressive migration of 219 JS/JSX files to TypeScript in Apache Superset frontend.
+
+## 📁 Project Documentation
+
+- **[AGENT.md](./AGENT.md)** - Complete technical migration guide for agents (includes type reference, patterns, validation)
+- **[COORDINATOR.md](./COORDINATOR.md)** - Strategic workflow for coordinators (file selection, task management, integration)
+
+## 🎯 Quick Start
+
+**For Agents:** Read [AGENT.md](./AGENT.md) for complete migration instructions
+**For Coordinators:** Read [COORDINATOR.md](./COORDINATOR.md) for workflow and [AGENT.md](./AGENT.md) for supervision
+
+**Command:** `/js-to-ts <filename>` - See [../../commands/js-to-ts.md](../../commands/js-to-ts.md)
+
+## 📊 Migration Progress
+
+**Scope**: 219 files total (112 JS + 107 JSX)
+- Production files: 139 (63%)  
+- Test files: 80 (37%)
+
+**Strategy**: Leaf-first migration with dependency-aware coordination
+
+### Completed Migrations ✅
+
+1. **roundDecimal** - `plugins/legacy-plugin-chart-map-box/src/utils/roundDecimal.js`
+   - Migrated core + test files
+   - Added proper TypeScript function signature with optional precision parameter
+   - All tests pass
+
+2. **timeGrainSqlaAnimationOverrides** - `src/explore/controlPanels/timeGrainSqlaAnimationOverrides.js`
+   - Migrated to TypeScript with ControlPanelState and Dataset types
+   - Added TimeGrainOverrideState interface for return type
+   - Used type guards for safe property access
+
+3. **DebouncedMessageQueue** - `src/utils/DebouncedMessageQueue.js`
+   - Migrated to TypeScript with proper generics
+   - Created DebouncedMessageQueueOptions interface
+   - **CREATED test file** with 4 comprehensive test cases
+   - Excellent class property typing with private/readonly modifiers
+
+**Files Migrated**: 3/219 (1.4%)
+**Tests Created**: 2 (roundDecimal had existing, DebouncedMessageQueue created)
+
+### Next Candidates (Leaf Nodes) 🎯
+
+**Identified leaf files with no JS/JSX dependencies:**
+- `src/utils/hostNamesConfig.js` - Domain configuration utility
+- `src/explore/controlPanels/Separator.js` - Control panel configuration  
+- `src/middleware/loggerMiddleware.js` - Logging middleware
+
+**Migration Quality**: All completed migrations have:
+- ✅ Zero `any` types
+- ✅ Proper TypeScript compilation
+- ✅ ESLint validation passed
+- ✅ Test coverage (created where missing)
+
+---
+
+## 📈 Success Metrics
+
+**Per-File Gates**:
+- ✅ `npm run type` passes after each migration
+- ✅ Zero `any` types introduced  
+- ✅ All imports properly typed
+- ✅ Types filed in correct hierarchy
+
+**Overall Progress**:
+- **Automatic Integration Rate**: 100% (3/3 migrations required no coordinator fixes)
+- **Test Coverage**: Improved (1 new test file created)
+- **Type Safety**: Enhanced with proper interfaces and generics
+
+---
+
+*This is a claudette-managed progressive refactor. All documentation and coordination resources are organized under `.claude/projects/js-to-ts/`*

.devcontainer/Dockerfile

@@ -1,5 +1,5 @@
 # Keep this in sync with the base image in the main Dockerfile (ARG PY_VER)
-FROM python:3.11.13-bookworm AS base
+FROM python:3.11.13-trixie AS base
 
 # Install system dependencies that Superset needs
 # This layer will be cached across Codespace sessions

.github/CODEOWNERS

@@ -33,10 +33,10 @@
 
 # Notify PMC members of changes to extension-related files
 
-/superset-core/ @michael-s-molina @villebro
-/superset-cli/ @michael-s-molina @villebro
-/superset/core/ @michael-s-molina @villebro
-/superset/extensions/ @michael-s-molina @villebro
-/superset-frontend/src/packages/superset-core/ @michael-s-molina @villebro
-/superset-frontend/src/core/ @michael-s-molina @villebro
-/superset-frontend/src/extensions/ @michael-s-molina @villebro
+/superset-core/ @michael-s-molina @villebro @geido @eschutho @rusackas @kgabryje
+/superset-extensions-cli/ @michael-s-molina @villebro @geido @eschutho @rusackas @kgabryje
+/superset/core/ @michael-s-molina @villebro @geido @eschutho @rusackas @kgabryje
+/superset/extensions/ @michael-s-molina @villebro @geido @eschutho @rusackas @kgabryje
+/superset-frontend/src/packages/superset-core/ @michael-s-molina @villebro @geido @eschutho @rusackas @kgabryje
+/superset-frontend/src/core/ @michael-s-molina @villebro @geido @eschutho @rusackas @kgabryje
+/superset-frontend/src/extensions/ @michael-s-molina @villebro @geido @eschutho @rusackas @kgabryje

.github/actions/change-detector/action.yml

@@ -17,9 +17,9 @@ outputs:
   docs:
     description: Whether docs-related files were changed
     value: ${{ steps.change-detector.outputs.docs }}
-  superset-cli:
-    description: Whether superset-cli package-related files were changed
-    value: ${{ steps.change-detector.outputs.superset-cli }}
+  superset-extensions-cli:
+    description: Whether superset-extensions-cli package-related files were changed
+    value: ${{ steps.change-detector.outputs.superset-extensions-cli }}
 runs:
   using: composite
   steps:

.github/copilot-instructions.md

@@ -1 +1 @@
-../LLMS.md
+../AGENTS.md

.github/workflows/bashlib.sh

@@ -182,6 +182,76 @@ cypress-run-all() {
   kill $flaskProcessId
 }
 
+playwright-install() {
+  cd "$GITHUB_WORKSPACE/superset-frontend"
+
+  say "::group::Install Playwright browsers"
+  npx playwright install --with-deps chromium
+  # Create output directories for test results and debugging
+  mkdir -p playwright-results
+  mkdir -p test-results
+  say "::endgroup::"
+}
+
+playwright-run() {
+  local APP_ROOT=$1
+
+  # Start Flask from the project root (same as Cypress)
+  cd "$GITHUB_WORKSPACE"
+  local flasklog="${HOME}/flask-playwright.log"
+  local port=8081
+  PLAYWRIGHT_BASE_URL="http://localhost:${port}"
+  if [ -n "$APP_ROOT" ]; then
+    export SUPERSET_APP_ROOT=$APP_ROOT
+    PLAYWRIGHT_BASE_URL=${PLAYWRIGHT_BASE_URL}${APP_ROOT}/
+  fi
+  export PLAYWRIGHT_BASE_URL
+
+  nohup flask run --no-debugger -p $port >"$flasklog" 2>&1 </dev/null &
+  local flaskProcessId=$!
+
+  # Ensure cleanup on exit
+  trap "kill $flaskProcessId 2>/dev/null || true" EXIT
+
+  # Wait for server to be ready with health check
+  local timeout=60
+  say "Waiting for Flask server to start on port $port..."
+  while [ $timeout -gt 0 ]; do
+    if curl -f ${PLAYWRIGHT_BASE_URL}/health >/dev/null 2>&1; then
+      say "Flask server is ready"
+      break
+    fi
+    sleep 1
+    timeout=$((timeout - 1))
+  done
+
+  if [ $timeout -eq 0 ]; then
+    echo "::error::Flask server failed to start within 60 seconds"
+    echo "::group::Flask startup log"
+    cat "$flasklog"
+    echo "::endgroup::"
+    return 1
+  fi
+
+  # Change to frontend directory for Playwright execution
+  cd "$GITHUB_WORKSPACE/superset-frontend"
+
+  say "::group::Run Playwright tests"
+  echo "Running Playwright with baseURL: ${PLAYWRIGHT_BASE_URL}"
+  npx playwright test auth/login --reporter=github --output=playwright-results
+  local status=$?
+  say "::endgroup::"
+
+  # After job is done, print out Flask log for debugging
+  echo "::group::Flask log for Playwright run"
+  cat "$flasklog"
+  echo "::endgroup::"
+  # make sure the program exits
+  kill $flaskProcessId
+
+  return $status
+}
+
 eyes-storybook-dependencies() {
   say "::group::install eyes-storyook dependencies"
   sudo apt-get update -y && sudo apt-get -y install gconf-service ca-certificates libxshmfence-dev fonts-liberation libappindicator3-1 libasound2 libatk-bridge2.0-0 libatk1.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 libgbm1 libgcc1 libgconf-2-4 libglib2.0-0 libgdk-pixbuf2.0-0 libgtk-3-0 libnspr4 libnss3 libpangocairo-1.0-0 libstdc++6 libx11-6 libx11-xcb1 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 libxss1 libxtst6 lsb-release xdg-utils libappindicator1

.github/workflows/bump-python-package.yml

@@ -32,7 +32,7 @@ jobs:
     steps:
 
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: true
           ref: master

.github/workflows/cancel_duplicates.yml

@@ -31,7 +31,7 @@ jobs:
 
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
         if: steps.check_queued.outputs.count >= 20
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Cancel duplicate workflow runs
         if: steps.check_queued.outputs.count >= 20

.github/workflows/check-python-deps.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive

.github/workflows/check_db_migration_confict.yml

@@ -25,7 +25,7 @@ jobs:
       pull-requests: write
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Check and notify
         uses: actions/github-script@v7
         with:

.github/workflows/claude.yml

@@ -71,7 +71,7 @@ jobs:
       id-token: write
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
       with:
         fetch-depth: 1
 

.github/workflows/codeql-analysis.yml

@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Check for file changes
         id: check

.github/workflows/dependency-review.yml

@@ -27,7 +27,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout Repository"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: "Dependency Review"
         uses: actions/dependency-review-action@v4
         continue-on-error: true
@@ -53,7 +53,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: "Checkout Repository"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Python
         uses: ./.github/actions/setup-backend/

.github/workflows/docker.yml

@@ -22,7 +22,7 @@ jobs:
     steps:
       - id: set_matrix
         run: |
-          MATRIX_CONFIG=$(if [ "${{ github.event_name }}" == "pull_request" ]; then echo '["dev", "lean"]'; else echo '["dev", "lean", "py310", "websocket", "dockerize", "py311"]'; fi)
+          MATRIX_CONFIG=$(if [ "${{ github.event_name }}" == "pull_request" ]; then echo '["dev", "lean"]'; else echo '["dev", "lean", "py310", "websocket", "dockerize", "py311", "py312"]'; fi)
           echo "matrix_config=${MATRIX_CONFIG}" >> $GITHUB_OUTPUT
           echo $GITHUB_OUTPUT
 
@@ -42,7 +42,7 @@ jobs:
     steps:
 
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
 
@@ -117,7 +117,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
       - name: Check for file changes

.github/workflows/embedded-sdk-release.yml

@@ -28,7 +28,7 @@ jobs:
       run:
         working-directory: superset-embedded-sdk
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/setup-node@v4
         with:
           node-version-file: './superset-embedded-sdk/.nvmrc'

.github/workflows/embedded-sdk-test.yml

@@ -18,7 +18,7 @@ jobs:
       run:
         working-directory: superset-embedded-sdk
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: actions/setup-node@v4
         with:
           node-version-file: './superset-embedded-sdk/.nvmrc'

.github/workflows/ephemeral-env-pr-close.yml

@@ -1,4 +1,10 @@
-name: Cleanup ephemeral envs (PR close)
+name: Cleanup ephemeral envs (PR close) [DEPRECATED]
+
+# ⚠️  DEPRECATION NOTICE ⚠️
+# This workflow is deprecated and will be removed in a future version.
+# The new Superset Showtime workflow handles cleanup automatically.
+# See .github/workflows/showtime.yml and showtime-cleanup.yml for replacements.
+# Migration guide: https://github.com/mistercrunch/superset-showtime
 
 on:
   pull_request_target:
@@ -71,5 +77,5 @@ jobs:
               issue_number: ${{ github.event.number }},
               owner: context.repo.owner,
               repo: context.repo.repo,
-              body: 'Ephemeral environment shutdown and build artifacts deleted.'
+              body: '⚠️ **DEPRECATED WORKFLOW** - Ephemeral environment shutdown and build artifacts deleted. Please migrate to the new Superset Showtime system for future PRs.'
             })

.github/workflows/ephemeral-env.yml

@@ -1,4 +1,12 @@
-name: Ephemeral env workflow
+name: Ephemeral env workflow [DEPRECATED]
+
+# ⚠️  DEPRECATION NOTICE ⚠️
+# This workflow is deprecated and will be removed in a future version.
+# Please use the new Superset Showtime workflow instead:
+# - Use label "🎪 trigger-start" instead of "testenv-up"
+# - Showtime provides better reliability and easier management
+# - See .github/workflows/showtime.yml for the replacement
+# - Migration guide: https://github.com/mistercrunch/superset-showtime
 
 # Example manual trigger:
 # gh workflow run ephemeral-env.yml --ref fix_ephemerals --field label_name="testenv-up" --field issue_number=666
@@ -126,8 +134,11 @@ jobs:
               throw new Error("Issue number is not available.");
             }
 
-            const body = `@${user} Processing your ephemeral environment request [here](${workflowUrl}).` +
-              ` Action: **${action}**.` +
+            const body = `⚠️ **DEPRECATED WORKFLOW** ⚠️\n\n@${user} This workflow is deprecated! Please use the new **Superset Showtime** system instead:\n\n` +
+              `- Replace "testenv-up" label with "🎪 trigger-start"\n` +
+              `- Better reliability and easier management\n` +
+              `- See https://github.com/mistercrunch/superset-showtime for details\n\n` +
+              `Processing your ephemeral environment request [here](${workflowUrl}). Action: **${action}**.` +
               ` More information on [how to use or configure ephemeral environments]` +
               `(https://superset.apache.org/docs/contributing/howtos/#github-ephemeral-environments)`;
 
@@ -149,7 +160,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ needs.ephemeral-env-label.outputs.sha }} : ${{steps.get-sha.outputs.sha}} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           ref: ${{ needs.ephemeral-env-label.outputs.sha }}
           persist-credentials: false
@@ -209,7 +220,7 @@ jobs:
       pull-requests: write
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           persist-credentials: false
 

.github/workflows/generate-FOSSA-report.yml

@@ -27,12 +27,12 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
       - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           distribution: "temurin"
           java-version: "11"

.github/workflows/github-action-validator.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up Node.js
         uses: actions/setup-node@v4

.github/workflows/issue_creation.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
 
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
 

.github/workflows/latest-release-tag.yml

@@ -12,7 +12,7 @@ jobs:
 
     steps:
     - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
       with:
         persist-credentials: false
         submodules: recursive

.github/workflows/license-check.yml

@@ -15,12 +15,12 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
       - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           distribution: 'temurin'
           java-version: '11'

.github/workflows/pr-lint.yml

@@ -16,7 +16,7 @@ jobs:
       pull-requests: write
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive

.github/workflows/pre-commit.yml

@@ -21,7 +21,7 @@ jobs:
         python-version: ["current", "previous", "next"]
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive

.github/workflows/prefer-typescript.yml

@@ -27,7 +27,7 @@ jobs:
       pull-requests: write
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive

.github/workflows/release.yml

@@ -26,7 +26,7 @@ jobs:
     name: Bump version and publish package(s)
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           # pulls all commits (needed for lerna / semantic release to correctly version)
           fetch-depth: 0

.github/workflows/showtime-cleanup.yml

@@ -0,0 +1,50 @@
+name: 🎪 Showtime Cleanup
+
+# Scheduled cleanup of expired environments
+on:
+  schedule:
+    - cron: '0 */6 * * *'  # Every 6 hours
+
+  # Manual trigger for testing
+  workflow_dispatch:
+    inputs:
+      max_age_hours:
+        description: 'Maximum age in hours before cleanup'
+        required: false
+        default: '48'
+        type: string
+
+# Common environment variables
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+  AWS_REGION: ${{ vars.AWS_REGION || 'us-west-2' }}
+  GITHUB_ORG: ${{ github.repository_owner }}
+  GITHUB_REPO: ${{ github.event.repository.name }}
+
+jobs:
+  cleanup-expired:
+    name: Clean up expired showtime environments
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Install Superset Showtime
+        run: pip install superset-showtime
+
+      - name: Cleanup expired environments
+        run: |
+          MAX_AGE="${{ github.event.inputs.max_age_hours || '48' }}"
+
+          # Validate max_age is numeric
+          if [[ ! "$MAX_AGE" =~ ^[0-9]+$ ]]; then
+            echo "❌ Invalid max_age_hours format: $MAX_AGE (must be numeric)"
+            exit 1
+          fi
+
+          echo "Cleaning up environments older than ${MAX_AGE}h"
+          python -m showtime cleanup --older-than "${MAX_AGE}h"

.github/workflows/showtime-trigger.yml

@@ -0,0 +1,179 @@
+name: 🎪 Superset Showtime
+
+# Ultra-simple: just sync on any PR state change
+on:
+  pull_request_target:
+    types: [labeled, unlabeled, synchronize, closed]
+
+  # Manual testing
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: 'PR number to sync'
+        required: true
+        type: number
+      sha:
+        description: 'Specific SHA to deploy (optional, defaults to latest)'
+        required: false
+        type: string
+
+# Common environment variables for all jobs (non-sensitive only)
+env:
+  AWS_REGION: us-west-2
+  GITHUB_ORG: ${{ github.repository_owner }}
+  GITHUB_REPO: ${{ github.event.repository.name }}
+  GITHUB_ACTOR: ${{ github.actor }}
+
+jobs:
+  sync:
+    name: 🎪 Sync PR to desired state
+    runs-on: ubuntu-latest
+    timeout-minutes: 90
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Security Check - Authorize Maintainers Only
+        id: auth
+        uses: actions/github-script@v7
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          script: |
+            const actor = context.actor;
+            console.log(`🔍 Checking authorization for ${actor}`);
+
+            // Early exit for workflow_dispatch - assume authorized since it's manually triggered
+            if (context.eventName === 'workflow_dispatch') {
+              console.log(`✅ Workflow dispatch event - assuming authorized for ${actor}`);
+              core.setOutput('authorized', 'true');
+              return;
+            }
+
+            const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              username: actor
+            });
+
+            console.log(`📊 Permission level for ${actor}: ${permission.permission}`);
+            const authorized = ['write', 'admin'].includes(permission.permission);
+
+            // If this is a synchronize event from unauthorized user, check if Showtime is active and set blocked label
+            if (!authorized && context.eventName === 'pull_request_target' && context.payload.action === 'synchronize') {
+              console.log(`🔒 Synchronize event detected - checking if Showtime is active`);
+
+              // Check if PR has any circus tent labels (Showtime is in use)
+              const { data: issue } = await github.rest.issues.get({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.payload.pull_request.number
+              });
+
+              const hasCircusLabels = issue.labels.some(label => label.name.startsWith('🎪 '));
+
+              if (hasCircusLabels) {
+                console.log(`🎪 Circus labels found - setting blocked label to prevent auto-deployment`);
+
+                await github.rest.issues.addLabels({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: context.payload.pull_request.number,
+                  labels: ['🎪 🔒 showtime-blocked']
+                });
+
+                console.log(`✅ Blocked label set - Showtime will detect and skip operations`);
+              } else {
+                console.log(`ℹ️ No circus labels found - Showtime not in use, skipping block`);
+              }
+            }
+
+            if (!authorized) {
+              console.log(`🚨 Unauthorized user ${actor} - skipping all operations`);
+              core.setOutput('authorized', 'false');
+              return;
+            }
+
+            console.log(`✅ Authorized maintainer: ${actor}`);
+            core.setOutput('authorized', 'true');
+
+      - name: Install Superset Showtime
+        if: steps.auth.outputs.authorized == 'true'
+        run: |
+          echo "::notice::Maintainer ${{ github.actor }} triggered deploy for PR ${{ github.event.pull_request.number || github.event.inputs.pr_number }}"
+          pip install --upgrade superset-showtime
+          showtime version
+
+      - name: Check what actions are needed
+        if: steps.auth.outputs.authorized == 'true'
+        id: check
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Bulletproof PR number extraction
+          if [[ -n "${{ github.event.pull_request.number }}" ]]; then
+            PR_NUM="${{ github.event.pull_request.number }}"
+          elif [[ -n "${{ github.event.inputs.pr_number }}" ]]; then
+            PR_NUM="${{ github.event.inputs.pr_number }}"
+          else
+            echo "❌ No PR number found in event or inputs"
+            exit 1
+          fi
+
+          echo "Using PR number: $PR_NUM"
+
+          # Run sync check-only with optional SHA override
+          if [[ -n "${{ github.event.inputs.sha }}" ]]; then
+            OUTPUT=$(python -m showtime sync $PR_NUM --check-only --sha "${{ github.event.inputs.sha }}")
+          else
+            OUTPUT=$(python -m showtime sync $PR_NUM --check-only)
+          fi
+          echo "$OUTPUT"
+
+          # Extract the outputs we need for conditional steps
+          BUILD=$(echo "$OUTPUT" | grep "build_needed=" | cut -d'=' -f2)
+          SYNC=$(echo "$OUTPUT" | grep "sync_needed=" | cut -d'=' -f2)
+          PR_NUM_OUT=$(echo "$OUTPUT" | grep "pr_number=" | cut -d'=' -f2)
+          TARGET_SHA=$(echo "$OUTPUT" | grep "target_sha=" | cut -d'=' -f2)
+
+          echo "build_needed=$BUILD" >> $GITHUB_OUTPUT
+          echo "sync_needed=$SYNC" >> $GITHUB_OUTPUT
+          echo "pr_number=$PR_NUM_OUT" >> $GITHUB_OUTPUT
+          echo "target_sha=$TARGET_SHA" >> $GITHUB_OUTPUT
+
+      - name: Checkout PR code (only if build needed)
+        if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.build_needed == 'true'
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ steps.check.outputs.target_sha }}
+          persist-credentials: false
+
+      - name: Setup Docker Environment (only if build needed)
+        if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.build_needed == 'true'
+        uses: ./.github/actions/setup-docker
+        with:
+          dockerhub-user: ${{ secrets.DOCKERHUB_USER }}
+          dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
+          build: "true"
+          install-docker-compose: "false"
+
+      - name: Execute sync (handles everything)
+        if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.sync_needed == 'true'
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
+          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+        run: |
+          PR_NUM="${{ steps.check.outputs.pr_number }}"
+          TARGET_SHA="${{ steps.check.outputs.target_sha }}"
+          if [[ -n "$TARGET_SHA" ]]; then
+            python -m showtime sync $PR_NUM --sha "$TARGET_SHA"
+          else
+            python -m showtime sync $PR_NUM
+          fi

.github/workflows/superset-app-cli.yml

@@ -37,7 +37,7 @@ jobs:
           - 16379:6379
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive

.github/workflows/superset-applitool-cypress.yml

@@ -51,7 +51,7 @@ jobs:
           - 16379:6379
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive

.github/workflows/superset-applitools-storybook.yml

@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive

.github/workflows/superset-docs-deploy.yml

@@ -31,7 +31,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
@@ -41,7 +41,7 @@ jobs:
           node-version-file: './docs/.nvmrc'
       - name: Setup Python
         uses: ./.github/actions/setup-backend/
-      - uses: actions/setup-java@v4
+      - uses: actions/setup-java@v5
         with:
           distribution: 'zulu'
           java-version: '21'

.github/workflows/superset-docs-verify.yml

@@ -18,7 +18,7 @@ jobs:
     name: Link Checking
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       # Do not bump this linkinator-action version without opening
       # an ASF Infra ticket to allow the new version first!
       - uses: JustinBeckwith/linkinator-action@v1.11.0
@@ -56,7 +56,7 @@ jobs:
         working-directory: docs
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive

.github/workflows/superset-e2e.yml

@@ -69,21 +69,21 @@ jobs:
       # Conditional checkout based on context
       - name: Checkout for push or pull_request event
         if: github.event_name == 'push' || github.event_name == 'pull_request'
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
           ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
       - name: Checkout using ref (workflow_dispatch)
         if: github.event_name == 'workflow_dispatch' && github.event.inputs.ref != ''
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           ref: ${{ github.event.inputs.ref }}
           submodules: recursive
       - name: Checkout using PR ID (workflow_dispatch)
         if: github.event_name == 'workflow_dispatch' && github.event.inputs.pr_id != ''
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           ref: refs/pull/${{ github.event.inputs.pr_id }}/merge

.github/workflows/superset-extensions-cli.yml

@@ -1,4 +1,4 @@
-name: Superset CLI Package Tests
+name: Superset Extensions CLI Package Tests
 
 on:
   push:
@@ -14,17 +14,17 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  test-superset-cli-package:
+  test-superset-extensions-cli-package:
     runs-on: ubuntu-24.04
     strategy:
       matrix:
         python-version: ["previous", "current", "next"]
     defaults:
       run:
-        working-directory: superset-cli
+        working-directory: superset-extensions-cli
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
@@ -36,29 +36,29 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Setup Python
-        if: steps.check.outputs.superset-cli
+        if: steps.check.outputs.superset-extensions-cli
         uses: ./.github/actions/setup-backend/
         with:
           python-version: ${{ matrix.python-version }}
           requirements-type: dev
 
       - name: Run pytest with coverage
-        if: steps.check.outputs.superset-cli
+        if: steps.check.outputs.superset-extensions-cli
         run: |
-          pytest --cov=superset_cli --cov-report=xml --cov-report=term-missing --cov-report=html -v --tb=short
+          pytest --cov=superset_extensions_cli --cov-report=xml --cov-report=term-missing --cov-report=html -v --tb=short
 
       - name: Upload coverage reports to Codecov
-        if: steps.check.outputs.superset-cli
-        uses: codecov/codecov-action@v3
+        if: steps.check.outputs.superset-extensions-cli
+        uses: codecov/codecov-action@v5
         with:
           file: ./coverage.xml
-          flags: superset-cli
-          name: superset-cli-coverage
+          flags: superset-extensions-cli
+          name: superset-extensions-cli-coverage
           fail_ci_if_error: false
 
       - name: Upload HTML coverage report
-        if: steps.check.outputs.superset-cli
+        if: steps.check.outputs.superset-extensions-cli
         uses: actions/upload-artifact@v4
         with:
-          name: superset-cli-coverage-html
+          name: superset-extensions-cli-coverage-html
           path: htmlcov/

.github/workflows/superset-frontend.yml

@@ -23,7 +23,7 @@ jobs:
       should-run: ${{ steps.check.outputs.frontend }}
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           fetch-depth: 0
@@ -47,7 +47,7 @@ jobs:
           git show -s --format=raw HEAD
           docker buildx build \
             -t $TAG \
-            --cache-from=type=registry,ref=apache/superset-cache:3.10-slim-bookworm \
+            --cache-from=type=registry,ref=apache/superset-cache:3.10-slim-trixie \
             --target superset-node-ci \
             .
 
@@ -73,7 +73,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Download Docker Image Artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           name: docker-image
 
@@ -101,7 +101,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Download Coverage Artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           pattern: coverage-artifacts-*
           path: coverage/
@@ -127,7 +127,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Download Docker Image Artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           name: docker-image
 
@@ -143,7 +143,7 @@ jobs:
       - name: tsc
         run: |
           docker run --rm $TAG bash -c \
-          "npm run type"
+          "npm run plugins:build && npm run type"
 
   validate-frontend:
     needs: frontend-build
@@ -151,7 +151,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Download Docker Image Artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           name: docker-image
 

.github/workflows/superset-helm-lint.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive

.github/workflows/superset-helm-release.yml

@@ -29,7 +29,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           ref: ${{ inputs.ref || github.ref_name }}
           persist-credentials: true

.github/workflows/superset-playwright.yml

@@ -0,0 +1,141 @@
+name: Playwright E2E Tests
+
+on:
+  push:
+    branches:
+      - "master"
+      - "[0-9].[0-9]*"
+  pull_request:
+    types: [synchronize, opened, reopened, ready_for_review]
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: 'The branch or tag to checkout'
+        required: false
+        default: ''
+      pr_id:
+        description: 'The pull request ID to checkout'
+        required: false
+        default: ''
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  playwright-tests:
+    runs-on: ubuntu-22.04
+    # Allow workflow to succeed even if tests fail during shadow mode
+    continue-on-error: true
+    permissions:
+      contents: read
+      pull-requests: read
+    strategy:
+      fail-fast: false
+      matrix:
+        browser: ["chromium"]
+        app_root: ["", "/app/prefix"]
+    env:
+      SUPERSET_ENV: development
+      SUPERSET_CONFIG: tests.integration_tests.superset_test_config
+      SUPERSET__SQLALCHEMY_DATABASE_URI: postgresql+psycopg2://superset:superset@127.0.0.1:15432/superset
+      PYTHONPATH: ${{ github.workspace }}
+      REDIS_PORT: 16379
+      GITHUB_TOKEN: ${{ github.token }}
+    services:
+      postgres:
+        image: postgres:16-alpine
+        env:
+          POSTGRES_USER: superset
+          POSTGRES_PASSWORD: superset
+        ports:
+          - 15432:5432
+      redis:
+        image: redis:7-alpine
+        ports:
+          - 16379:6379
+    steps:
+      # -------------------------------------------------------
+      # Conditional checkout based on context (same as Cypress workflow)
+      - name: Checkout for push or pull_request event
+        if: github.event_name == 'push' || github.event_name == 'pull_request'
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+          submodules: recursive
+          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
+      - name: Checkout using ref (workflow_dispatch)
+        if: github.event_name == 'workflow_dispatch' && github.event.inputs.ref != ''
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+          ref: ${{ github.event.inputs.ref }}
+          submodules: recursive
+      - name: Checkout using PR ID (workflow_dispatch)
+        if: github.event_name == 'workflow_dispatch' && github.event.inputs.pr_id != ''
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+          ref: refs/pull/${{ github.event.inputs.pr_id }}/merge
+          submodules: recursive
+      # -------------------------------------------------------
+      - name: Check for file changes
+        id: check
+        uses: ./.github/actions/change-detector/
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Setup Python
+        uses: ./.github/actions/setup-backend/
+        if: steps.check.outputs.python || steps.check.outputs.frontend
+      - name: Setup postgres
+        if: steps.check.outputs.python || steps.check.outputs.frontend
+        uses: ./.github/actions/cached-dependencies
+        with:
+          run: setup-postgres
+      - name: Import test data
+        if: steps.check.outputs.python || steps.check.outputs.frontend
+        uses: ./.github/actions/cached-dependencies
+        with:
+          run: testdata
+      - name: Setup Node.js
+        if: steps.check.outputs.python || steps.check.outputs.frontend
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: './superset-frontend/.nvmrc'
+      - name: Install npm dependencies
+        if: steps.check.outputs.python || steps.check.outputs.frontend
+        uses: ./.github/actions/cached-dependencies
+        with:
+          run: npm-install
+      - name: Build javascript packages
+        if: steps.check.outputs.python || steps.check.outputs.frontend
+        uses: ./.github/actions/cached-dependencies
+        with:
+          run: build-instrumented-assets
+      - name: Install Playwright
+        if: steps.check.outputs.python || steps.check.outputs.frontend
+        uses: ./.github/actions/cached-dependencies
+        with:
+          run: playwright-install
+      - name: Run Playwright
+        if: steps.check.outputs.python || steps.check.outputs.frontend
+        uses: ./.github/actions/cached-dependencies
+        env:
+          NODE_OPTIONS: "--max-old-space-size=4096"
+        with:
+          run: playwright-run ${{ matrix.app_root }}
+      - name: Set safe app root
+        if: failure()
+        id: set-safe-app-root
+        run: |
+          APP_ROOT="${{ matrix.app_root }}"
+          SAFE_APP_ROOT=${APP_ROOT//\//_}
+          echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT
+      - name: Upload Playwright Artifacts
+        uses: actions/upload-artifact@v4
+        if: failure()
+        with:
+          path: |
+            ${{ github.workspace }}/superset-frontend/playwright-results/
+            ${{ github.workspace }}/superset-frontend/test-results/
+          name: playwright-artifact-${{ github.run_id }}-${{ github.job }}-${{ matrix.browser }}--${{ steps.set-safe-app-root.outputs.safe_app_root }}

.github/workflows/superset-python-integrationtest.yml

@@ -41,7 +41,7 @@ jobs:
           - 16379:6379
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
@@ -99,7 +99,7 @@ jobs:
           - 16379:6379
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
@@ -152,7 +152,7 @@ jobs:
           - 16379:6379
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive

.github/workflows/superset-python-presto-hive.yml

@@ -48,7 +48,7 @@ jobs:
           - 16379:6379
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
@@ -108,7 +108,7 @@ jobs:
           - 16379:6379
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive

.github/workflows/superset-python-unittest.yml

@@ -24,7 +24,7 @@ jobs:
       PYTHONPATH: ${{ github.workspace }}
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive

.github/workflows/superset-translations.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive
@@ -49,7 +49,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           submodules: recursive

.github/workflows/superset-websocket.yml

@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
       - name: Install dependencies

.github/workflows/supersetbot.yml

@@ -38,7 +38,7 @@ jobs:
             });
 
       - name: "Checkout ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
 

.github/workflows/tag-release.yml

@@ -42,12 +42,12 @@ jobs:
     runs-on: ubuntu-24.04
     strategy:
       matrix:
-        build_preset: ["dev", "lean", "py310", "websocket", "dockerize", "py311"]
+        build_preset: ["dev", "lean", "py310", "websocket", "dockerize", "py311", "py312"]
       fail-fast: false
     steps:
 
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -107,7 +107,7 @@ jobs:
     steps:
 
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/tech-debt.yml

@@ -27,7 +27,7 @@ jobs:
     name: Generate Reports
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up Node.js
         uses: actions/setup-node@v4

.github/workflows/welcome-new-users.yml

@@ -12,7 +12,7 @@ jobs:
 
     steps:
       - name: Welcome Message
-        uses: actions/first-interaction@v2
+        uses: actions/first-interaction@v3
         continue-on-error: true
         with:
           repo-token: ${{ github.token }}

.pre-commit-config.yaml

@@ -25,7 +25,7 @@ repos:
       - id: mypy
         name: mypy (main)
         args: [--check-untyped-defs]
-        exclude: ^superset-cli/
+        exclude: ^superset-extensions-cli/
         additional_dependencies: [
             types-simplejson,
             types-python-dateutil,
@@ -41,9 +41,9 @@ repos:
             types-Markdown,
           ]
       - id: mypy
-        name: mypy (superset-cli)
+        name: mypy (superset-extensions-cli)
         args: [--check-untyped-defs]
-        files: ^superset-cli/
+        files: ^superset-extensions-cli/
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v5.0.0
     hooks:

.rat-excludes

@@ -73,6 +73,7 @@ ibm-db2.svg
 postgresql.svg
 snowflake.svg
 ydb.svg
+loading.svg
 
 # docs-related
 erd.puml
@@ -81,6 +82,7 @@ intro_header.txt
 
 # for LLMs
 llm-context.md
+AGENTS.md
 LLMS.md
 CLAUDE.md
 CURSOR.md

AGENTS.md

@@ -15,8 +15,9 @@ Apache Superset is a data visualization platform with Flask/Python backend and R
 
 ### Testing Strategy Migration
 - **Prefer unit tests** over integration tests
-- **Prefer integration tests** over Cypress end-to-end tests
-- **Cypress is last resort** - Actively moving away from Cypress
+- **Prefer integration tests** over end-to-end tests
+- **Use Playwright for E2E tests** - Migrating from Cypress
+- **Cypress is deprecated** - Will be removed once migration is completed
 - **Use Jest + React Testing Library** for component testing
 - **Use `test()` instead of `describe()`** - Follow [avoid nesting when testing](https://kentcdodds.com/blog/avoid-nesting-when-youre-testing) principles
 
@@ -67,7 +68,11 @@ superset/
 
 ### Apache License Headers
 - **New files require ASF license headers** - When creating new code files, include the standard Apache Software Foundation license header
-- **LLM instruction files are excluded** - Files like LLMS.md, CLAUDE.md, etc. are in `.rat-excludes` to avoid header token overhead
+- **LLM instruction files are excluded** - Files like AGENTS.md, CLAUDE.md, etc. are in `.rat-excludes` to avoid header token overhead
+
+### Code Comments
+- **Avoid time-specific language** - Don't use words like "now", "currently", "today" in code comments as they become outdated
+- **Write timeless comments** - Comments should remain accurate regardless of when they're read
 
 ## Documentation Requirements
 
@@ -97,6 +102,17 @@ superset/
 - **`selectOption()`** - Select component helper
 - **React Testing Library** - NO Enzyme (removed)
 
+### Test Structure Guidelines
+- **Use `test()` instead of `describe()` and `it()`** - Follow the [avoid nesting when testing](https://kentcdodds.com/blog/avoid-nesting-when-youre-testing) principle
+  - **Why**: Reduces unnecessary nesting, improves test isolation, and makes tests more readable
+  - **Pattern**: Write flat test files with descriptive test names that fully describe what's being tested
+  - **Example**: Instead of nested `describe('Component', () => { it('should render', ...) })`, use `test('Component renders correctly', ...)`
+  - **Benefits**:
+    - Each test stands alone with a clear, searchable name
+    - Easier to run individual tests
+    - Forces you to write more descriptive test names
+    - Reduces cognitive overhead from nested context switching
+
 ### Test Database Patterns
 - **Mock patterns**: Use `MagicMock()` for config objects, avoid `AsyncMock` for synchronous code
 - **API tests**: Update expected columns when adding new model fields
@@ -107,6 +123,18 @@ superset/
 npm run test                           # All tests
 npm run test -- filename.test.tsx     # Single file
 
+# E2E Tests (Playwright - NEW)
+npm run playwright:test                # All Playwright tests
+npm run playwright:ui                  # Interactive UI mode
+npm run playwright:headed              # See browser during tests
+npx playwright test tests/auth/login.spec.ts  # Single file
+npm run playwright:debug tests/auth/login.spec.ts  # Debug specific file
+
+# E2E Tests (Cypress - DEPRECATED)
+cd superset-frontend/cypress-base
+npm run cypress-run-chrome             # All Cypress tests (headless)
+npm run cypress-debug                  # Interactive Cypress UI
+
 # Backend  
 pytest                                 # All tests
 pytest tests/unit_tests/specific_test.py  # Single file
@@ -136,6 +164,19 @@ curl -f http://localhost:8088/health || echo "❌ Setup required - see https://s
 - **Use negation operator**: `~Model.field` instead of `== False` to avoid ruff E712 errors
 - **Example**: `~Model.is_active` instead of `Model.is_active == False`
 
+## Pull Request Guidelines
+
+**When creating pull requests:**
+
+1. **Read the current PR template**: Always check `.github/PULL_REQUEST_TEMPLATE.md` for the latest format
+2. **Use the template sections**: Include all sections from the template (SUMMARY, BEFORE/AFTER, TESTING INSTRUCTIONS, ADDITIONAL INFORMATION)
+3. **Follow PR title conventions**: Use [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/)
+   - Format: `type(scope): description`
+   - Example: `fix(dashboard): load charts correctly`
+   - Types: `fix`, `feat`, `docs`, `style`, `refactor`, `perf`, `test`, `chore`
+
+**Important**: Always reference the actual template file at `.github/PULL_REQUEST_TEMPLATE.md` instead of using cached content, as the template may be updated over time.
+
 ## Pre-commit Validation
 
 **Use pre-commit hooks for quality validation:**

CHANGELOG.md

@@ -44,4 +44,8 @@ under the License.
 - [4.0.1](./CHANGELOG/4.0.1.md)
 - [4.0.2](./CHANGELOG/4.0.2.md)
 - [4.1.0](./CHANGELOG/4.1.0.md)
+- [4.1.1](./CHANGELOG/4.1.1.md)
+- [4.1.2](./CHANGELOG/4.1.2.md)
+- [4.1.3](./CHANGELOG/4.1.3.md)
+- [4.1.4](./CHANGELOG/4.1.4.md)
 - [5.0.0](./CHANGELOG/5.0.0.md)

CHANGELOG/4.1.4.md

@@ -0,0 +1,33 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+## Change Log
+
+### 4.1.4 (Thu Jul 24 08:30:04 2025 -0300)
+
+**Database Migrations**
+
+**Features**
+
+**Fixes**
+- [#34289](https://github.com/apache/superset/pull/34289) fix: Saved queries list break if one query can't be parsed (@michael-s-molina)
+- [#33059](https://github.com/apache/superset/pull/33059) fix: Adds missing __init__ file to commands/logs (@michael-s-molina)
+
+**Others**
+- [#32236](https://github.com/apache/superset/pull/32236) chore(deps): bump cryptography from 43.0.3 to 44.0.1 (@dependabot[bot])

CLAUDE.md

@@ -1 +1 @@
-LLMS.md
+AGENTS.md

Dockerfile

@@ -18,7 +18,7 @@
 ######################################################################
 # Node stage to deal with static asset construction
 ######################################################################
-ARG PY_VER=3.11.13-slim-bookworm
+ARG PY_VER=3.11.13-slim-trixie
 
 # If BUILDPLATFORM is null, set it to 'amd64' (or leave as is otherwise).
 ARG BUILDPLATFORM=${BUILDPLATFORM:-amd64}
@@ -29,7 +29,7 @@ ARG BUILD_TRANSLATIONS="false"
 ######################################################################
 # superset-node-ci used as a base for building frontend assets and CI
 ######################################################################
-FROM --platform=${BUILDPLATFORM} node:20-bookworm-slim AS superset-node-ci
+FROM --platform=${BUILDPLATFORM} node:20-trixie-slim AS superset-node-ci
 ARG BUILD_TRANSLATIONS
 ENV BUILD_TRANSLATIONS=${BUILD_TRANSLATIONS}
 ARG DEV_MODE="false"           # Skip frontend build in dev mode
@@ -64,7 +64,7 @@ RUN --mount=type=bind,source=./superset-frontend/package.json,target=./package.j
     --mount=type=bind,source=./superset-frontend/package-lock.json,target=./package-lock.json \
     --mount=type=cache,target=/root/.cache \
     --mount=type=cache,target=/root/.npm \
-    if [ "$DEV_MODE" = "false" ]; then \
+    if [ "${DEV_MODE}" = "false" ]; then \
         npm ci; \
     else \
         echo "Skipping 'npm ci' in dev mode"; \
@@ -80,7 +80,7 @@ FROM superset-node-ci AS superset-node
 
 # Build the frontend if not in dev mode
 RUN --mount=type=cache,target=/root/.npm \
-    if [ "$DEV_MODE" = "false" ]; then \
+    if [ "${DEV_MODE}" = "false" ]; then \
         echo "Running 'npm run ${BUILD_CMD}'"; \
         npm run ${BUILD_CMD}; \
     else \
@@ -91,11 +91,10 @@ RUN --mount=type=cache,target=/root/.npm \
 COPY superset/translations /app/superset/translations
 
 # Build translations if enabled, then cleanup localization files
-RUN if [ "$BUILD_TRANSLATIONS" = "true" ]; then \
+RUN if [ "${BUILD_TRANSLATIONS}" = "true" ]; then \
         npm run build-translation; \
     fi; \
-    rm -rf /app/superset/translations/*/*/*.po; \
-    rm -rf /app/superset/translations/*/*/*.mo;
+    rm -rf /app/superset/translations/*/*/*.[po,mo];
 
 
 ######################################################################
@@ -106,10 +105,10 @@ FROM python:${PY_VER} AS python-base
 ARG SUPERSET_HOME="/app/superset_home"
 ENV SUPERSET_HOME=${SUPERSET_HOME}
 
-RUN mkdir -p $SUPERSET_HOME
+RUN mkdir -p ${SUPERSET_HOME}
 RUN useradd --user-group -d ${SUPERSET_HOME} -m --no-log-init --shell /bin/bash superset \
-    && chmod -R 1777 $SUPERSET_HOME \
-    && chown -R superset:superset $SUPERSET_HOME
+    && chmod -R 1777 ${SUPERSET_HOME} \
+    && chown -R superset:superset ${SUPERSET_HOME}
 
 # Some bash scripts needed throughout the layers
 COPY --chmod=755 docker/*.sh /app/docker/
@@ -134,11 +133,10 @@ RUN --mount=type=cache,target=/root/.cache/uv \
     . /app/.venv/bin/activate && /app/docker/pip-install.sh --requires-build-essential -r requirements/translations.txt
 
 COPY superset/translations/ /app/translations_mo/
-RUN if [ "$BUILD_TRANSLATIONS" = "true" ]; then \
+RUN if [ "${BUILD_TRANSLATIONS}" = "true" ]; then \
         pybabel compile -d /app/translations_mo | true; \
     fi; \
-    rm -f /app/translations_mo/*/*/*.po; \
-    rm -f /app/translations_mo/*/*/*.json;
+    rm -f /app/translations_mo/*/*/*.[po,json]
 
 ######################################################################
 # Python APP common layer
@@ -173,11 +171,11 @@ RUN mkdir -p \
 ARG INCLUDE_CHROMIUM="false"
 ARG INCLUDE_FIREFOX="false"
 RUN --mount=type=cache,target=${SUPERSET_HOME}/.cache/uv \
-    if [ "$INCLUDE_CHROMIUM" = "true" ] || [ "$INCLUDE_FIREFOX" = "true" ]; then \
+    if [ "${INCLUDE_CHROMIUM}" = "true" ] || [ "${INCLUDE_FIREFOX}" = "true" ]; then \
         uv pip install playwright && \
         playwright install-deps && \
-        if [ "$INCLUDE_CHROMIUM" = "true" ]; then playwright install chromium; fi && \
-        if [ "$INCLUDE_FIREFOX" = "true" ]; then playwright install firefox; fi; \
+        if [ "${INCLUDE_CHROMIUM}" = "true" ]; then playwright install chromium; fi && \
+        if [ "${INCLUDE_FIREFOX}" = "true" ]; then playwright install firefox; fi; \
     else \
         echo "Skipping browser installation"; \
     fi
@@ -263,7 +261,7 @@ COPY requirements/*.txt requirements/
 
 # Copy local packages needed for editable installs in development.txt
 COPY superset-core superset-core
-COPY superset-cli superset-cli
+COPY superset-extensions-cli superset-extensions-cli
 
 # Install Python dependencies using docker/pip-install.sh
 RUN --mount=type=cache,target=${SUPERSET_HOME}/.cache/uv \

GEMINI.md

@@ -1 +1 @@
-LLMS.md
+AGENTS.md

GPT.md

@@ -1 +1 @@
-LLMS.md
+AGENTS.md

Makefile

@@ -91,7 +91,7 @@ js-format:
 	cd superset-frontend; npm run prettier
 
 flask-app:
-	flask run -p 8088 --with-threads --reload --debugger
+	flask run -p 8088 --reload --debugger
 
 node-app:
 	cd superset-frontend; npm run dev-server

RELEASING/Dockerfile.from_local_tarball

@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-FROM python:3.10-slim-bookworm
+FROM python:3.10-slim-trixie
 
 RUN useradd --user-group --create-home --no-log-init --shell /bin/bash superset
 

RELEASING/Dockerfile.from_svn_tarball

@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-FROM python:3.10-slim-bookworm
+FROM python:3.10-slim-trixie
 
 RUN useradd --user-group --create-home --no-log-init --shell /bin/bash superset
 

RELEASING/Dockerfile.make_docs

@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-FROM python:3.10-slim-bookworm
+FROM python:3.10-slim-trixie
 ARG VERSION
 
 RUN git clone --depth 1 --branch ${VERSION} https://github.com/apache/superset.git /superset

RELEASING/Dockerfile.make_tarball

@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-FROM python:3.10-slim-bookworm
+FROM python:3.10-slim-trixie
 
 RUN apt-get update -y
 RUN apt-get install -y \

RELEASING/README.md

@@ -469,6 +469,10 @@ an account first if you don't have one, and reference your username
 while requesting access to push packages.
 
 ```bash
+# Run this first to make sure you are uploading the right version.
+# Pypi does not allow you to delete or retract once uplaoded.
+twine check dist/*
+
 twine upload dist/*
 ```
 
@@ -518,6 +522,8 @@ takes the version (ie `3.1.1`), the git reference (any SHA, tag or branch
 reference), and whether to force the `latest` Docker tag on the
 generated images.
 
+**NOTE:** If the docker image isn't built, you'll need to run this [GH action](https://github.com/apache/superset/actions/workflows/tag-release.yml) where you provide it the tag sha.
+
 ### Npm Release
 
 You might want to publish the latest @superset-ui release to npm

UPDATING.md

@@ -23,6 +23,9 @@ This file documents any backwards-incompatible changes in Superset and
 assists people when migrating to a new version.
 
 ## Next
+- [33055](https://github.com/apache/superset/pull/33055): Upgrades Flask-AppBuilder to 5.0.0. The AUTH_OID authentication type has been deprecated and is no longer available as an option in Flask-AppBuilder. OpenID (OID) is considered a deprecated authentication protocol - if you are using AUTH_OID, you will need to migrate to an alternative authentication method such as OAuth, LDAP, or database authentication before upgrading.
+- [35062](https://github.com/apache/superset/pull/35062): Changed the function signature of `setupExtensions` to `setupCodeOverrides` with options as arguments.
+- [34871](https://github.com/apache/superset/pull/34871): Fixed Jest test hanging issue from Ant Design v5 upgrade. MessageChannel is now mocked in test environment to prevent rc-overflow from causing Jest to hang. Test environment only - no production impact.
 - [34782](https://github.com/apache/superset/pull/34782): Dataset exports now include the dataset ID in their file name (similar to charts and dashboards). If managing assets as code, make sure to rename existing dataset YAMLs to include the ID (and avoid duplicated files).
 - [34536](https://github.com/apache/superset/pull/34536): The `ENVIRONMENT_TAG_CONFIG` color values have changed to support only Ant Design semantic colors. Update your `superset_config.py`:
   - Change `"error.base"` to just `"error"` after this PR

docker-compose-image-tag.yml

@@ -28,6 +28,7 @@ x-superset-image: &superset-image apachesuperset.docker.scarf.sh/apache/superset
 x-superset-volumes:
   &superset-volumes # /app/pythonpath_docker will be appended to the PYTHONPATH in the final container
   - ./docker:/app/docker
+  - ./superset-core:/app/superset-core
   - superset_home:/app/superset_home
 
 services:

docker-compose-light.yml

@@ -71,7 +71,7 @@ x-common-build: &common-build
   context: .
   target: ${SUPERSET_BUILD_TARGET:-dev} # can use `dev` (default) or `lean`
   cache_from:
-    - apache/superset-cache:3.10-slim-bookworm
+    - apache/superset-cache:3.10-slim-trixie
   args:
     DEV_MODE: "true"
     INCLUDE_CHROMIUM: ${INCLUDE_CHROMIUM:-false}
@@ -118,6 +118,8 @@ services:
       POSTGRES_DB: superset_light
       SUPERSET__SQLALCHEMY_EXAMPLES_URI: "duckdb:////app/data/examples.duckdb"
       SUPERSET_CONFIG_PATH: /app/docker/pythonpath_dev/superset_config_docker_light.py
+      GITHUB_HEAD_REF: ${GITHUB_HEAD_REF:-}
+      GITHUB_SHA: ${GITHUB_SHA:-}
 
   superset-init-light:
     build:
@@ -160,8 +162,11 @@ services:
       SCARF_ANALYTICS: "${SCARF_ANALYTICS:-}"
       # configuring the dev-server to use the host.docker.internal to connect to the backend
       superset: "http://superset-light:8088"
+      # Webpack dev server configuration
+      WEBPACK_DEVSERVER_HOST: "${WEBPACK_DEVSERVER_HOST:-127.0.0.1}"
+      WEBPACK_DEVSERVER_PORT: "${WEBPACK_DEVSERVER_PORT:-9000}"
     ports:
-      - "127.0.0.1:${NODE_PORT:-9001}:9000"  # Parameterized port
+      - "${NODE_PORT:-9001}:9000"  # Parameterized port, accessible on all interfaces
     command: ["/app/docker/docker-frontend.sh"]
     env_file:
       - path: docker/.env # default

docker-compose-non-dev.yml

@@ -33,7 +33,7 @@ x-common-build: &common-build
   context: .
   target: dev
   cache_from:
-    - apache/superset-cache:3.10-slim-bookworm
+    - apache/superset-cache:3.10-slim-trixie
 
 services:
   redis:

docker-compose.yml

@@ -29,14 +29,16 @@ x-superset-volumes: &superset-volumes
   # /app/pythonpath_docker will be appended to the PYTHONPATH in the final container
   - ./docker:/app/docker
   - ./superset:/app/superset
+  - ./superset-core:/app/superset-core
   - ./superset-frontend:/app/superset-frontend
   - superset_home:/app/superset_home
   - ./tests:/app/tests
+  - superset_data:/app/data
 x-common-build: &common-build
   context: .
   target: ${SUPERSET_BUILD_TARGET:-dev} # can use `dev` (default) or `lean`
   cache_from:
-    - apache/superset-cache:3.10-slim-bookworm
+    - apache/superset-cache:3.10-slim-trixie
   args:
     DEV_MODE: "true"
     INCLUDE_CHROMIUM: ${INCLUDE_CHROMIUM:-false}
@@ -274,3 +276,5 @@ volumes:
     external: false
   redis:
     external: false
+  superset_data:
+    external: false

docker/apt-install.sh

@@ -18,7 +18,7 @@
 set -euo pipefail
 
 # Ensure this script is run as root
-if [[ $EUID -ne 0 ]]; then
+if [[ ${EUID} -ne 0 ]]; then
   echo "This script must be run as root" >&2
   exit 1
 fi
@@ -42,7 +42,7 @@ echo -e "${GREEN}Installing packages: $@${RESET}"
 apt-get install -yqq --no-install-recommends "$@"
 
 echo -e "${GREEN}Autoremoving unnecessary packages...${RESET}"
-apt-get autoremove -y
+apt-get autoremove -yqq --purge
 
 echo -e "${GREEN}Cleaning up package cache and metadata...${RESET}"
 apt-get clean

docker/docker-bootstrap.sh

@@ -21,8 +21,15 @@ set -eo pipefail
 # Make python interactive
 if [ "$DEV_MODE" == "true" ]; then
     if [ "$(whoami)" = "root" ] && command -v uv > /dev/null 2>&1; then
-      echo "Reinstalling the app in editable mode"
-      uv pip install -e .
+      # Always ensure superset-core is available
+      echo "Installing superset-core in editable mode"
+      uv pip install --no-deps -e /app/superset-core
+
+      # Only reinstall the main app for non-worker processes
+      if [ "$1" != "worker" ] && [ "$1" != "beat" ]; then
+        echo "Reinstalling the app in editable mode"
+        uv pip install -e .
+      fi
     fi
 fi
 REQUIREMENTS_LOCAL="/app/docker/requirements-local.txt"
@@ -34,7 +41,8 @@ if [ "$CYPRESS_CONFIG" == "true" ]; then
     export SUPERSET__SQLALCHEMY_DATABASE_URI=postgresql+psycopg2://superset:superset@db:5432/superset_cypress
     PORT=8081
 fi
-if [[ "$DATABASE_DIALECT" == postgres* ]] && [ "$(whoami)" = "root" ]; then
+# Skip postgres requirements installation for workers to avoid conflicts
+if [[ "$DATABASE_DIALECT" == postgres* ]] && [ "$(whoami)" = "root" ] && [ "$1" != "worker" ] && [ "$1" != "beat" ]; then
     # older images may not have the postgres dev requirements installed
     echo "Installing postgres requirements"
     if command -v uv > /dev/null 2>&1; then
@@ -72,7 +80,7 @@ case "${1}" in
     ;;
   app)
     echo "Starting web app (using development server)..."
-    flask run -p $PORT --with-threads --reload --debugger --host=0.0.0.0
+    flask run -p $PORT --reload --debugger --without-threads --host=0.0.0.0
     ;;
   app-gunicorn)
     echo "Starting web app..."

docker/pip-install.sh

@@ -38,14 +38,14 @@ for arg in "$@"; do
 done
 
 # Install build-essential if required
-if $REQUIRES_BUILD_ESSENTIAL; then
+if ${REQUIRES_BUILD_ESSENTIAL}; then
   echo "Installing build-essential for package builds..."
   apt-get update -qq \
     && apt-get install -yqq --no-install-recommends build-essential
 fi
 
 # Choose whether to use pip cache
-if $USE_CACHE; then
+if ${USE_CACHE}; then
   echo "Using pip cache..."
   uv pip install "${ARGS[@]}"
 else
@@ -54,7 +54,7 @@ else
 fi
 
 # Remove build-essential if it was installed
-if $REQUIRES_BUILD_ESSENTIAL; then
+if ${REQUIRES_BUILD_ESSENTIAL}; then
   echo "Removing build-essential to keep the image lean..."
   apt-get autoremove -yqq --purge build-essential \
     && apt-get clean \

docker/pythonpath_dev/superset_config.py

@@ -138,7 +138,7 @@ try:
     from superset_config_docker import *  # noqa: F403
 
     logger.info(
-        f"Loaded your Docker configuration at [{superset_config_docker.__file__}]"
+        "Loaded your Docker configuration at [%s]", superset_config_docker.__file__
     )
 except ImportError:
     logger.info("Using default Docker config...")

docs/docs/configuration/alerts-reports.mdx

@@ -12,7 +12,7 @@ Users can configure automated alerts and reports to send dashboards or charts to
 - *Alerts* are sent when a SQL condition is reached
 - *Reports* are sent on a schedule
 
-Alerts and reports are disabled by default. To turn them on, you need to do some setup, described here.
+Alerts and reports are disabled by default. To turn them on, you'll need to change configuration settings and install a suitable headless browser in your environment.
 
 ## Requirements
 
@@ -35,16 +35,14 @@ Screenshots will be taken but no messages actually sent as long as `ALERT_REPORT
 
 #### In your `Dockerfile`
 
-- You must install a headless browser, for taking screenshots of the charts and dashboards. Only Firefox and Chrome are currently supported.
-  > If you choose Chrome, you must also change the value of `WEBDRIVER_TYPE` to `"chrome"` in your `superset_config.py`.
+You'll need to extend the Superset image to include a headless browser. Your options include:
+- Use Playwright with Chrome: this is the recommended approach as of version 4.1.x or greater. A working example of a Dockerfile that installs these tools is provided under "Building your own production Docker image" on the [Docker Builds](/docs/installation/docker-builds#building-your-own-production-docker-image) page. Read the code comments there as you'll also need to change a feature flag in your config.
+- Use Firefox: you'll need to install geckodriver and Firefox.
+- Use Chrome without Playwright: you'll need to install Chrome and set the value of `WEBDRIVER_TYPE` to `"chrome"` in your `superset_config.py`.
 
-Note: All the components required (Firefox headless browser, Redis, Postgres db, celery worker and celery beat) are present in the *dev* docker image if you are following [Installing Superset Locally](/docs/installation/docker-compose/).
-All you need to do is add the required config variables described in this guide (See `Detailed Config`).
+In Superset versions prior to 4.1, users installed Firefox or Chrome and that was documented here.
 
-If you are running a non-dev docker image, e.g., a stable release like `apache/superset:3.1.0`, that image does not include a headless browser.  Only the `superset_worker` container needs this headless browser to browse to the target chart or dashboard.
-You can either install and configure the headless browser - see "Custom Dockerfile" section below - or when deploying via `docker compose`, modify your `docker-compose.yml` file to use a dev image for the worker container and a stable release image for the `superset_app` container.
-
-*Note*: In this context, a "dev image" is the same application software as its corresponding non-dev image, just bundled with additional tools.  So an image like `3.1.0-dev` is identical to `3.1.0` when it comes to stability, functionality, and running in production.  The actual "in-development" versions of Superset - cutting-edge and unstable - are not tagged with version numbers on Docker Hub and will display version `0.0.0-dev` within the Superset UI.
+Only the worker container needs the browser.
 
 ### Slack integration
 
@@ -152,8 +150,8 @@ SMTP_MAIL_FROM = "noreply@youremail.com"
 EMAIL_REPORTS_SUBJECT_PREFIX = "[Superset] " # optional - overwrites default value in config.py of "[Report] "
 
 # WebDriver configuration
-# If you use Firefox, you can stick with default values
-# If you use Chrome, then add the following WEBDRIVER_TYPE and WEBDRIVER_OPTION_ARGS
+# If you use Firefox or Playwright with Chrome, you can stick with default values
+# If you use Chrome and are *not* using Playwright, then add the following WEBDRIVER_TYPE and WEBDRIVER_OPTION_ARGS
 WEBDRIVER_TYPE = "chrome"
 WEBDRIVER_OPTION_ARGS = [
     "--force-device-scale-factor=2.0",
@@ -219,62 +217,6 @@ def alert_dynamic_minimal_interval(**kwargs) -> int:
 ALERT_MINIMUM_INTERVAL = alert_dynamic_minimal_interval
 ```
 
-## Custom Dockerfile
-
-If you're running the dev version of a released Superset image, like `apache/superset:3.1.0-dev`, you should be set with the above.
-
-But if you're building your own image, or starting with a non-dev version, a webdriver (and headless browser) is needed to capture screenshots of the charts and dashboards which are then sent to the recipient.
-Here's how you can modify your Dockerfile to take the screenshots either with Firefox or Chrome.
-
-### Using Firefox
-
-```docker
-FROM apache/superset:3.1.0
-
-USER root
-
-RUN apt-get update && \
-    apt-get install --no-install-recommends -y firefox-esr
-
-ENV GECKODRIVER_VERSION=0.29.0
-RUN wget -q https://github.com/mozilla/geckodriver/releases/download/v${GECKODRIVER_VERSION}/geckodriver-v${GECKODRIVER_VERSION}-linux64.tar.gz && \
-    tar -x geckodriver -zf geckodriver-v${GECKODRIVER_VERSION}-linux64.tar.gz -O > /usr/bin/geckodriver && \
-    chmod 755 /usr/bin/geckodriver && \
-    rm geckodriver-v${GECKODRIVER_VERSION}-linux64.tar.gz
-
-RUN pip install --no-cache gevent psycopg2 redis
-
-USER superset
-```
-
-### Using Chrome
-
-```docker
-FROM apache/superset:3.1.0
-
-USER root
-
-RUN apt-get update && \
-    apt-get install -y wget zip libaio1
-
-RUN export CHROMEDRIVER_VERSION=$(curl --silent https://googlechromelabs.github.io/chrome-for-testing/LATEST_RELEASE_116) && \
-    wget -O google-chrome-stable_current_amd64.deb -q http://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_${CHROMEDRIVER_VERSION}-1_amd64.deb && \
-    apt-get install -y --no-install-recommends ./google-chrome-stable_current_amd64.deb && \
-    rm -f google-chrome-stable_current_amd64.deb
-
-RUN export CHROMEDRIVER_VERSION=$(curl --silent https://googlechromelabs.github.io/chrome-for-testing/LATEST_RELEASE_116) && \
-    wget -q https://storage.googleapis.com/chrome-for-testing-public/${CHROMEDRIVER_VERSION}/linux64/chromedriver-linux64.zip && \
-    unzip -j chromedriver-linux64.zip -d /usr/bin && \
-    chmod 755 /usr/bin/chromedriver && \
-    rm -f chromedriver-linux64.zip
-
-RUN pip install --no-cache gevent psycopg2 redis
-
-USER superset
-```
-
-Don't forget to set `WEBDRIVER_TYPE` and `WEBDRIVER_OPTION_ARGS` in your config if you use Chrome.
-
 ## Troubleshooting
 
 There are many reasons that reports might not be working.  Try these steps to check for specific issues.
@@ -293,9 +235,7 @@ This is the best source of information about the problem.  In a docker compose d
 
 To take a screenshot, the worker visits the dashboard or chart using a headless browser, then takes a screenshot. If you are able to send a chart as CSV or text but can't send as PNG, your problem may lie with the browser.
 
-Superset docker images that have a tag ending with `-dev` have the Firefox headless browser and geckodriver already installed. You can test that these are installed and in the proper path by entering your Superset worker and running `firefox --headless` and then `geckodriver`. Both commands should start those applications.
-
-If you are handling the installation of that software on your own, or wish to use Chromium instead, do your own verification to ensure that the headless browser opens successfully in the worker environment.
+If you are handling the installation of the headless browser on your own, do your own verification to ensure that the headless browser opens successfully in the worker environment.
 
 ### Send a test email
 

docs/docs/configuration/configuring-superset.mdx

@@ -363,110 +363,6 @@ CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
   ]
   ```
 
-### Keycloak-Specific Configuration using Flask-OIDC
-
-If you are using Keycloak as OpenID Connect 1.0 Provider, the above configuration based on [`Authlib`](https://authlib.org/) might not work. In this case using [`Flask-OIDC`](https://pypi.org/project/flask-oidc/) is a viable option.
-
-Make sure the pip package [`Flask-OIDC`](https://pypi.org/project/flask-oidc/) is installed on the webserver. This was successfully tested using version 2.2.0. This package requires [`Flask-OpenID`](https://pypi.org/project/Flask-OpenID/) as a dependency.
-
-The following code defines a new security manager.  Add it to a new file named `keycloak_security_manager.py`, placed in the same directory as your `superset_config.py` file.
-
-```python
-from flask_appbuilder.security.manager import AUTH_OID
-from superset.security import SupersetSecurityManager
-from flask_oidc import OpenIDConnect
-from flask_appbuilder.security.views import AuthOIDView
-from flask_login import login_user
-from urllib.parse import quote
-from flask_appbuilder.views import ModelView, SimpleFormView, expose
-from flask import (
-    redirect,
-    request
-)
-import logging
-
-class OIDCSecurityManager(SupersetSecurityManager):
-
-    def __init__(self, appbuilder):
-        super(OIDCSecurityManager, self).__init__(appbuilder)
-        if self.auth_type == AUTH_OID:
-            self.oid = OpenIDConnect(self.appbuilder.get_app)
-        self.authoidview = AuthOIDCView
-
-class AuthOIDCView(AuthOIDView):
-
-    @expose('/login/', methods=['GET', 'POST'])
-    def login(self, flag=True):
-        sm = self.appbuilder.sm
-        oidc = sm.oid
-
-        @self.appbuilder.sm.oid.require_login
-        def handle_login():
-            user = sm.auth_user_oid(oidc.user_getfield('email'))
-
-            if user is None:
-                info = oidc.user_getinfo(['preferred_username', 'given_name', 'family_name', 'email'])
-                user = sm.add_user(info.get('preferred_username'), info.get('given_name'), info.get('family_name'),
-                                   info.get('email'), sm.find_role('Gamma'))
-
-            login_user(user, remember=False)
-            return redirect(self.appbuilder.get_url_for_index)
-
-        return handle_login()
-
-    @expose('/logout/', methods=['GET', 'POST'])
-    def logout(self):
-        oidc = self.appbuilder.sm.oid
-
-        oidc.logout()
-        super(AuthOIDCView, self).logout()
-        redirect_url = request.url_root.strip('/') + self.appbuilder.get_url_for_login
-
-        return redirect(
-            oidc.client_secrets.get('issuer') + '/protocol/openid-connect/logout?redirect_uri=' + quote(redirect_url))
-```
-
-Then add to your `superset_config.py` file:
-
-```python
-from keycloak_security_manager import OIDCSecurityManager
-from flask_appbuilder.security.manager import AUTH_OID, AUTH_REMOTE_USER, AUTH_DB, AUTH_LDAP, AUTH_OAUTH
-import os
-
-AUTH_TYPE = AUTH_OID
-SECRET_KEY: 'SomethingNotEntirelySecret'
-OIDC_CLIENT_SECRETS =  '/path/to/client_secret.json'
-OIDC_ID_TOKEN_COOKIE_SECURE = False
-OIDC_OPENID_REALM: '<myRealm>'
-OIDC_INTROSPECTION_AUTH_METHOD: 'client_secret_post'
-CUSTOM_SECURITY_MANAGER = OIDCSecurityManager
-
-# Will allow user self registration, allowing to create Flask users from Authorized User
-AUTH_USER_REGISTRATION = True
-
-# The default user self registration role
-AUTH_USER_REGISTRATION_ROLE = 'Public'
-```
-
-Store your client-specific OpenID information in a file called `client_secret.json`. Create this file in the same directory as `superset_config.py`:
-
-```json
-{
-    "<myOpenIDProvider>": {
-        "issuer": "https://<myKeycloakDomain>/realms/<myRealm>",
-        "auth_uri": "https://<myKeycloakDomain>/realms/<myRealm>/protocol/openid-connect/auth",
-        "client_id": "https://<myKeycloakDomain>",
-        "client_secret": "<myClientSecret>",
-        "redirect_uris": [
-            "https://<SupersetWebserver>/oauth-authorized/<myOpenIDProvider>"
-  ],
-        "userinfo_uri": "https://<myKeycloakDomain>/realms/<myRealm>/protocol/openid-connect/userinfo",
-        "token_uri": "https://<myKeycloakDomain>/realms/<myRealm>/protocol/openid-connect/token",
-        "token_introspection_uri": "https://<myKeycloakDomain>/realms/<myRealm>/protocol/openid-connect/token/introspect"
-  }
-}
-```
-
 ## LDAP Authentication
 
 FAB supports authenticating user credentials against an LDAP server.

docs/docs/configuration/databases.mdx

@@ -67,7 +67,7 @@ are compatible with Superset.
 | [IBM Netezza Performance Server](/docs/configuration/databases#ibm-netezza-performance-server) | `pip install nzalchemy`                                                            | `netezza+nzpy://<UserName>:<DBPassword>@<Database Host>/<Database Name>`                                                                               |
 | [MySQL](/docs/configuration/databases#mysql)                            | `pip install mysqlclient`                                                          | `mysql://<UserName>:<DBPassword>@<Database Host>/<Database Name>`                                                                                      |
 | [OceanBase](/docs/configuration/databases#oceanbase)                    | `pip install oceanbase_py`                                                         | `oceanbase://<UserName>:<DBPassword>@<Database Host>/<Database Name>`                                                                                      |
-| [Oracle](/docs/configuration/databases#oracle)                          | `pip install cx_Oracle`                                                            | `oracle://<username>:<password>@<hostname>:<port>`                                                                                                                                            |
+| [Oracle](/docs/configuration/databases#oracle)                          | `pip install oracledb`                                                            | `oracle://<username>:<password>@<hostname>:<port>`                                                                                                                                            |
 | [Parseable](/docs/configuration/databases#parseable)                    | `pip install sqlalchemy-parseable`                                                 | `parseable://<UserName>:<DBPassword>@<Database Host>/<Stream Name>`                                                                                    |
 | [PostgreSQL](/docs/configuration/databases#postgres)                    | `pip install psycopg2`                                                             | `postgresql://<UserName>:<DBPassword>@<Database Host>/<Database Name>`                                                                                 |
 | [Presto](/docs/configuration/databases#presto)                          | `pip install pyhive`                                                               | `presto://{username}:{password}@{hostname}:{port}/{database}`                                                                                                                                            |

docs/docs/configuration/sql-templating.mdx

@@ -10,8 +10,15 @@ version: 1
 ## Jinja Templates
 
 SQL Lab and Explore supports [Jinja templating](https://jinja.palletsprojects.com/en/2.11.x/) in queries.
-To enable templating, the `ENABLE_TEMPLATE_PROCESSING` [feature flag](/docs/configuration/configuring-superset#feature-flags) needs to be enabled in
-`superset_config.py`. When templating is enabled, python code can be embedded in virtual datasets and
+To enable templating, the `ENABLE_TEMPLATE_PROCESSING` [feature flag](/docs/configuration/configuring-superset#feature-flags) needs to be enabled in `superset_config.py`.
+
+> #### ⚠️ Security Warning
+>
+> While powerful, this feature executes template code on the server. Within the Superset security model, this is **intended functionality**, as users with permissions to edit charts and virtual datasets are considered **trusted users**.
+>
+> If you grant these permissions to untrusted users, this feature can be exploited as a **Server-Side Template Injection (SSTI)** vulnerability. Do not enable `ENABLE_TEMPLATE_PROCESSING` unless you fully understand and accept the associated security risks.
+
+When templating is enabled, python code can be embedded in virtual datasets and
 in Custom SQL in the filter and metric controls in Explore. By default, the following variables are
 made available in the Jinja context:
 

docs/docs/configuration/theming.mdx

@@ -7,7 +7,7 @@ version: 1
 # Theming Superset
 
 :::note
-apache-superset>=6.0
+`apache-superset>=6.0`
 :::
 
 Superset now rides on **Ant Design v5's token-based theming**.
@@ -165,6 +165,206 @@ Or in the CRUD interface theme JSON:
 
 This feature works with the stock Docker image - no custom build required!
 
+## ECharts Configuration Overrides
+
+:::note
+Available since Superset 6.0
+:::
+
+Superset provides fine-grained control over ECharts visualizations through theme-level configuration overrides. This allows you to customize the appearance and behavior of all ECharts-based charts without modifying individual chart configurations.
+
+### Global ECharts Overrides
+
+Apply settings to all ECharts visualizations using `echartsOptionsOverrides`:
+
+```python
+THEME_DEFAULT = {
+    "token": {
+        "colorPrimary": "#2893B3",
+        # ... other Ant Design tokens
+    },
+    "echartsOptionsOverrides": {
+        "grid": {
+            "left": "10%",
+            "right": "10%",
+            "top": "15%",
+            "bottom": "15%"
+        },
+        "tooltip": {
+            "backgroundColor": "rgba(0, 0, 0, 0.8)",
+            "borderColor": "#ccc",
+            "textStyle": {
+                "color": "#fff"
+            }
+        },
+        "legend": {
+            "textStyle": {
+                "fontSize": 14,
+                "fontWeight": "bold"
+            }
+        }
+    }
+}
+```
+
+### Chart-Specific Overrides
+
+Target specific chart types using `echartsOptionsOverridesByChartType`:
+
+```python
+THEME_DEFAULT = {
+    "token": {
+        "colorPrimary": "#2893B3",
+        # ... other tokens
+    },
+    "echartsOptionsOverridesByChartType": {
+        "echarts_pie": {
+            "legend": {
+                "orient": "vertical",
+                "right": 10,
+                "top": "center"
+            }
+        },
+        "echarts_timeseries": {
+            "xAxis": {
+                "axisLabel": {
+                    "rotate": 45,
+                    "fontSize": 12
+                }
+            },
+            "dataZoom": [{
+                "type": "slider",
+                "show": True,
+                "start": 0,
+                "end": 100
+            }]
+        },
+        "echarts_bubble": {
+            "grid": {
+                "left": "15%",
+                "bottom": "20%"
+            }
+        }
+    }
+}
+```
+
+### UI Configuration
+
+You can also configure ECharts overrides through the theme CRUD interface:
+
+```json
+{
+  "token": {
+    "colorPrimary": "#2893B3"
+  },
+  "echartsOptionsOverrides": {
+    "grid": {
+      "left": "10%",
+      "right": "10%"
+    },
+    "tooltip": {
+      "backgroundColor": "rgba(0, 0, 0, 0.8)"
+    }
+  },
+  "echartsOptionsOverridesByChartType": {
+    "echarts_pie": {
+      "legend": {
+        "orient": "vertical",
+        "right": 10
+      }
+    }
+  }
+}
+```
+
+### Override Precedence
+
+The system applies overrides in the following order (last wins):
+
+1. **Base ECharts theme** - Default Superset styling
+2. **Plugin options** - Chart-specific configurations
+3. **Global overrides** - `echartsOptionsOverrides`
+4. **Chart-specific overrides** - `echartsOptionsOverridesByChartType[chartType]`
+
+This ensures chart-specific overrides take precedence over global ones.
+
+### Common Chart Types
+
+Available chart types for `echartsOptionsOverridesByChartType`:
+
+- `echarts_timeseries` - Time series/line charts
+- `echarts_pie` - Pie and donut charts
+- `echarts_bubble` - Bubble/scatter charts
+- `echarts_funnel` - Funnel charts
+- `echarts_gauge` - Gauge charts
+- `echarts_radar` - Radar charts
+- `echarts_boxplot` - Box plot charts
+- `echarts_treemap` - Treemap charts
+- `echarts_sunburst` - Sunburst charts
+- `echarts_graph` - Network/graph charts
+- `echarts_sankey` - Sankey diagrams
+- `echarts_heatmap` - Heatmaps
+- `echarts_mixed_timeseries` - Mixed time series
+
+### Best Practices
+
+1. **Start with global overrides** for consistent styling across all charts
+2. **Use chart-specific overrides** for unique requirements per visualization type
+3. **Test thoroughly** as overrides use deep merge - nested objects are combined, but arrays are completely replaced
+4. **Document your overrides** to help team members understand custom styling
+5. **Consider performance** - complex overrides may impact chart rendering speed
+
+### Example: Corporate Branding
+
+```python
+# Complete corporate theme with ECharts customization
+THEME_DEFAULT = {
+    "token": {
+        "colorPrimary": "#1B4D3E",
+        "fontFamily": "Corporate Sans, Arial, sans-serif"
+    },
+    "echartsOptionsOverrides": {
+        "grid": {
+            "left": "8%",
+            "right": "8%",
+            "top": "12%",
+            "bottom": "12%"
+        },
+        "textStyle": {
+            "fontFamily": "Corporate Sans, Arial, sans-serif"
+        },
+        "title": {
+            "textStyle": {
+                "color": "#1B4D3E",
+                "fontSize": 18,
+                "fontWeight": "bold"
+            }
+        }
+    },
+    "echartsOptionsOverridesByChartType": {
+        "echarts_timeseries": {
+            "xAxis": {
+                "axisLabel": {
+                    "color": "#666",
+                    "fontSize": 11
+                }
+            }
+        },
+        "echarts_pie": {
+            "legend": {
+                "textStyle": {
+                    "fontSize": 12
+                },
+                "itemGap": 20
+            }
+        }
+    }
+}
+```
+
+This feature provides powerful theming capabilities while maintaining the flexibility of ECharts' extensive configuration options.
+
 ## Advanced Features
 
 - **System Themes**: Manage system-wide default and dark themes via UI or configuration

docs/docs/contributing/development.mdx

@@ -620,10 +620,10 @@ See [how tos](/docs/contributing/howtos#linting)
 
 :::tip
 `act` compatibility of Superset's GHAs is not fully tested. Running `act` locally may or may not
-work for different actions, and may require fine tunning and local secret-handling.
+work for different actions, and may require fine tuning and local secret-handling.
 For those more intricate GHAs that are tricky to run locally, we recommend iterating
 directly on GHA's infrastructure, by pushing directly on a branch and monitoring GHA logs.
-For more targetted iteration, see the `gh workflow run --ref {BRANCH}` subcommand of the GitHub CLI.
+For more targeted iteration, see the `gh workflow run --ref {BRANCH}` subcommand of the GitHub CLI.
 :::
 
 For automation and CI/CD, Superset makes extensive use of GitHub Actions (GHA). You
@@ -631,7 +631,7 @@ can find all of the workflows and other assets under the `.github/` folder. This
 
 - running the backend unit test suites (`tests/`)
 - running the frontend test suites (`superset-frontend/src/**.*.test.*`)
-- running our Cypress end-to-end tests (`superset-frontend/cypress-base/`)
+- running our Playwright end-to-end tests (`superset-frontend/playwright/`) and legacy Cypress tests (`superset-frontend/cypress-base/`)
 - linting the codebase, including all Python, Typescript and Javascript, yaml and beyond
 - checking for all sorts of other rules conventions
 
@@ -747,6 +747,26 @@ To run a single test file:
 npm run test -- path/to/file.js
 ```
 
+#### Known Issues and Workarounds
+
+**Jest Test Hanging (MessageChannel Issue)**
+
+If Jest tests hang with "Jest did not exit one second after the test run has completed", this is likely due to the MessageChannel issue from rc-overflow (Ant Design v5 components).
+
+**Root Cause**: `rc-overflow@1.4.1` creates MessageChannel handles for responsive overflow detection that remain open after test completion.
+
+**Current Workaround**: MessageChannel is mocked as undefined in `spec/helpers/jsDomWithFetchAPI.ts`, forcing rc-overflow to use requestAnimationFrame fallback.
+
+**To verify if still needed**: Remove the MessageChannel mocking lines and run `npm test -- --shard=4/8`. If tests hang, the workaround is still required.
+
+**Future removal conditions**: This workaround can be removed when:
+- rc-overflow updates to properly clean up MessagePorts in test environments
+- Jest updates to handle MessageChannel/MessagePort cleanup better
+- Ant Design switches away from rc-overflow
+- We switch away from Ant Design v5
+
+**See**: [PR #34871](https://github.com/apache/superset/pull/34871) for full technical details.
+
 ### Debugging Server App
 
 #### Local

docs/docs/contributing/guidelines.mdx

@@ -130,7 +130,7 @@ Committers may also update title to reflect the issue/PR content if the author-p
 
 If the PR passes CI tests and does not have any `need:` labels, it is ready for review, add label `review` and/or `design-review`.
 
-If an issue/PR has been inactive for >=30 days, it will be closed. If it does not have any status label, add `inactive`.
+If an issue/PR has been inactive for at least 30 days, it will be closed. If it does not have any status label, add `inactive`.
 
 When creating a PR, if you're aiming to have it included in a specific release, please tag it with the version label. For example, to have a PR considered for inclusion in Superset 1.1 use the label `v1.1`.
 

docs/docs/contributing/howtos.mdx

@@ -225,21 +225,57 @@ npm run test -- path/to/file.js
 
 ### E2E Integration Testing
 
-For E2E testing, we recommend that you use a `docker compose` backend
+**Note: We are migrating from Cypress to Playwright. Use Playwright for new tests.**
+
+#### Playwright (Recommended - NEW)
+
+For E2E testing with Playwright, use the same `docker compose` backend:
 
 ```bash
 CYPRESS_CONFIG=true docker compose up --build
 ```
-`docker compose` will get to work and expose a Cypress-ready Superset app.
-This app uses a different database schema (`superset_cypress`) to keep it isolated from
-your other dev environmen(s)t, a specific set of examples, and a set of configurations that
-aligns with the expectations within the end-to-end tests.  Also note that it's served on a
-different port than the default port for the backend (`8088`).
 
-Now in another terminal, let's get ready to execute some Cypress commands. First, tell cypress
-to connect to the Cypress-ready Superset backend.
+The backend setup is identical - this exposes a test-ready Superset app on port 8081 with isolated database schema (`superset_cypress`), test data, and configurations.
 
+Now in another terminal, run Playwright tests:
+
+```bash
+# Navigate to frontend directory (Playwright config is here)
+cd superset-frontend
+
+# Run all Playwright tests
+npm run playwright:test
+# or: npx playwright test
+
+# Run with interactive UI for debugging
+npm run playwright:ui
+# or: npx playwright test --ui
+
+# Run in headed mode (see browser)
+npm run playwright:headed
+# or: npx playwright test --headed
+
+# Run specific test file
+npx playwright test tests/auth/login.spec.ts
+
+# Run with debug mode (step through tests)
+npm run playwright:debug tests/auth/login.spec.ts
+# or: npx playwright test --debug tests/auth/login.spec.ts
+
+# Generate test report
+npx playwright show-report
 ```
+
+Configuration is in `superset-frontend/playwright.config.ts`. Base URL is automatically set to `http://localhost:8088` but will use `PLAYWRIGHT_BASE_URL` if provided.
+
+#### Cypress (DEPRECATED - will be removed in Phase 5)
+
+:::warning
+Cypress is being phased out in favor of Playwright. Use Playwright for all new tests.
+:::
+
+```bash
+# Set base URL for Cypress
 CYPRESS_BASE_URL=http://localhost:8081
 ```
 
@@ -627,7 +663,7 @@ feature flag to `true`, you can add the following line to the PR body/descriptio
 FEATURE_TAGGING_SYSTEM=true
 ```
 
-Simarly, it's possible to disable feature flags with:
+Similarly, it's possible to disable feature flags with:
 
 ```
 FEATURE_TAGGING_SYSTEM=false

docs/docs/installation/docker-builds.mdx

@@ -86,8 +86,6 @@ USER root
 ENV PLAYWRIGHT_BROWSERS_PATH=/usr/local/share/playwright-browsers
 
 # Install packages using uv into the virtual environment
-# Superset started using uv after the 4.1 branch; if you are building from apache/superset:4.1.x or an older version,
-# replace the first two lines with RUN pip install \
 RUN . /app/.venv/bin/activate && \
     uv pip install \
     # install psycopg2 for using PostgreSQL metadata store - could be a MySQL package if using that backend:

docs/docs/installation/docker-compose.mdx

@@ -282,5 +282,5 @@ address.
 When running `docker compose up`, docker will build what is required behind the scene, but
 may use the docker cache if assets already exist. Running `docker compose build` prior to
 `docker compose up` or the equivalent shortcut `docker compose up --build` ensures that your
-docker images matche the definition in the repository. This should only apply to the main
+docker images match the definition in the repository. This should only apply to the main
 docker-compose.yml file (default) and not to the alternative methods defined above.

docs/package.json

@@ -35,7 +35,7 @@
     "@emotion/core": "^10.0.27",
     "@emotion/react": "^11.13.3",
     "@emotion/styled": "^10.0.27",
-    "@mdx-js/react": "^3.1.0",
+    "@mdx-js/react": "^3.1.1",
     "@saucelabs/theme-github-codeblock": "^0.3.0",
     "@storybook/addon-docs": "^8.6.11",
     "@storybook/blocks": "^8.6.11",
@@ -50,7 +50,7 @@
     "@storybook/theming": "^8.6.11",
     "@superset-ui/core": "^0.20.4",
     "antd": "^5.26.7",
-    "caniuse-lite": "^1.0.30001707",
+    "caniuse-lite": "^1.0.30001739",
     "docusaurus-plugin-less": "^2.0.2",
     "json-bigint": "^1.0.0",
     "less": "^4.4.0",
@@ -65,7 +65,7 @@
     "storybook": "^8.6.11",
     "swagger-ui-react": "^5.27.1",
     "tinycolor2": "^1.4.2",
-    "ts-loader": "^9.5.2"
+    "ts-loader": "^9.5.4"
   },
   "devDependencies": {
     "@docusaurus/module-type-aliases": "^3.8.1",
@@ -73,14 +73,14 @@
     "@eslint/js": "^9.32.0",
     "@types/react": "^19.1.8",
     "@typescript-eslint/eslint-plugin": "^8.37.0",
-    "@typescript-eslint/parser": "^8.37.0",
-    "eslint": "^9.32.0",
+    "@typescript-eslint/parser": "^8.42.0",
+    "eslint": "^9.34.0",
     "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-prettier": "^5.5.3",
     "eslint-plugin-react": "^7.37.5",
     "globals": "^16.3.0",
     "prettier": "^3.6.2",
-    "typescript": "~5.8.3",
+    "typescript": "~5.9.2",
     "typescript-eslint": "^8.39.0",
     "webpack": "^5.101.0"
   },

docs/static/resources/openapi.json

@@ -962,8 +962,11 @@
       "ChartDataDatasource": {
         "properties": {
           "id": {
-            "description": "Datasource id",
-            "type": "integer"
+            "description": "Datasource id/uuid",
+            "oneOf": [
+              { "type": "integer" },
+              { "type": "string" }
+            ]
           },
           "type": {
             "description": "Datasource type",

docs/versioned_docs/version-6.0.0/configuration/configuring-superset.mdx

@@ -363,110 +363,6 @@ CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
   ]
   ```
 
-### Keycloak-Specific Configuration using Flask-OIDC
-
-If you are using Keycloak as OpenID Connect 1.0 Provider, the above configuration based on [`Authlib`](https://authlib.org/) might not work. In this case using [`Flask-OIDC`](https://pypi.org/project/flask-oidc/) is a viable option.
-
-Make sure the pip package [`Flask-OIDC`](https://pypi.org/project/flask-oidc/) is installed on the webserver. This was successfully tested using version 2.2.0. This package requires [`Flask-OpenID`](https://pypi.org/project/Flask-OpenID/) as a dependency.
-
-The following code defines a new security manager.  Add it to a new file named `keycloak_security_manager.py`, placed in the same directory as your `superset_config.py` file.
-
-```python
-from flask_appbuilder.security.manager import AUTH_OID
-from superset.security import SupersetSecurityManager
-from flask_oidc import OpenIDConnect
-from flask_appbuilder.security.views import AuthOIDView
-from flask_login import login_user
-from urllib.parse import quote
-from flask_appbuilder.views import ModelView, SimpleFormView, expose
-from flask import (
-    redirect,
-    request
-)
-import logging
-
-class OIDCSecurityManager(SupersetSecurityManager):
-
-    def __init__(self, appbuilder):
-        super(OIDCSecurityManager, self).__init__(appbuilder)
-        if self.auth_type == AUTH_OID:
-            self.oid = OpenIDConnect(self.appbuilder.get_app)
-        self.authoidview = AuthOIDCView
-
-class AuthOIDCView(AuthOIDView):
-
-    @expose('/login/', methods=['GET', 'POST'])
-    def login(self, flag=True):
-        sm = self.appbuilder.sm
-        oidc = sm.oid
-
-        @self.appbuilder.sm.oid.require_login
-        def handle_login():
-            user = sm.auth_user_oid(oidc.user_getfield('email'))
-
-            if user is None:
-                info = oidc.user_getinfo(['preferred_username', 'given_name', 'family_name', 'email'])
-                user = sm.add_user(info.get('preferred_username'), info.get('given_name'), info.get('family_name'),
-                                   info.get('email'), sm.find_role('Gamma'))
-
-            login_user(user, remember=False)
-            return redirect(self.appbuilder.get_url_for_index)
-
-        return handle_login()
-
-    @expose('/logout/', methods=['GET', 'POST'])
-    def logout(self):
-        oidc = self.appbuilder.sm.oid
-
-        oidc.logout()
-        super(AuthOIDCView, self).logout()
-        redirect_url = request.url_root.strip('/') + self.appbuilder.get_url_for_login
-
-        return redirect(
-            oidc.client_secrets.get('issuer') + '/protocol/openid-connect/logout?redirect_uri=' + quote(redirect_url))
-```
-
-Then add to your `superset_config.py` file:
-
-```python
-from keycloak_security_manager import OIDCSecurityManager
-from flask_appbuilder.security.manager import AUTH_OID, AUTH_REMOTE_USER, AUTH_DB, AUTH_LDAP, AUTH_OAUTH
-import os
-
-AUTH_TYPE = AUTH_OID
-SECRET_KEY: 'SomethingNotEntirelySecret'
-OIDC_CLIENT_SECRETS =  '/path/to/client_secret.json'
-OIDC_ID_TOKEN_COOKIE_SECURE = False
-OIDC_OPENID_REALM: '<myRealm>'
-OIDC_INTROSPECTION_AUTH_METHOD: 'client_secret_post'
-CUSTOM_SECURITY_MANAGER = OIDCSecurityManager
-
-# Will allow user self registration, allowing to create Flask users from Authorized User
-AUTH_USER_REGISTRATION = True
-
-# The default user self registration role
-AUTH_USER_REGISTRATION_ROLE = 'Public'
-```
-
-Store your client-specific OpenID information in a file called `client_secret.json`. Create this file in the same directory as `superset_config.py`:
-
-```json
-{
-    "<myOpenIDProvider>": {
-        "issuer": "https://<myKeycloakDomain>/realms/<myRealm>",
-        "auth_uri": "https://<myKeycloakDomain>/realms/<myRealm>/protocol/openid-connect/auth",
-        "client_id": "https://<myKeycloakDomain>",
-        "client_secret": "<myClientSecret>",
-        "redirect_uris": [
-            "https://<SupersetWebserver>/oauth-authorized/<myOpenIDProvider>"
-  ],
-        "userinfo_uri": "https://<myKeycloakDomain>/realms/<myRealm>/protocol/openid-connect/userinfo",
-        "token_uri": "https://<myKeycloakDomain>/realms/<myRealm>/protocol/openid-connect/token",
-        "token_introspection_uri": "https://<myKeycloakDomain>/realms/<myRealm>/protocol/openid-connect/token/introspect"
-  }
-}
-```
-
 ## LDAP Authentication
 
 FAB supports authenticating user credentials against an LDAP server.

docs/versioned_docs/version-6.0.0/contributing/development.mdx

@@ -620,10 +620,10 @@ See [how tos](/docs/contributing/howtos#linting)
 
 :::tip
 `act` compatibility of Superset's GHAs is not fully tested. Running `act` locally may or may not
-work for different actions, and may require fine tunning and local secret-handling.
+work for different actions, and may require fine tuning and local secret-handling.
 For those more intricate GHAs that are tricky to run locally, we recommend iterating
 directly on GHA's infrastructure, by pushing directly on a branch and monitoring GHA logs.
-For more targetted iteration, see the `gh workflow run --ref {BRANCH}` subcommand of the GitHub CLI.
+For more targeted iteration, see the `gh workflow run --ref {BRANCH}` subcommand of the GitHub CLI.
 :::
 
 For automation and CI/CD, Superset makes extensive use of GitHub Actions (GHA). You

docs/versioned_docs/version-6.0.0/contributing/howtos.mdx

@@ -232,7 +232,7 @@ CYPRESS_CONFIG=true docker compose up --build
 ```
 `docker compose` will get to work and expose a Cypress-ready Superset app.
 This app uses a different database schema (`superset_cypress`) to keep it isolated from
-your other dev environmen(s)t, a specific set of examples, and a set of configurations that
+your other dev environment(s), a specific set of examples, and a set of configurations that
 aligns with the expectations within the end-to-end tests.  Also note that it's served on a
 different port than the default port for the backend (`8088`).
 
@@ -627,7 +627,7 @@ feature flag to `true`, you can add the following line to the PR body/descriptio
 FEATURE_TAGGING_SYSTEM=true
 ```
 
-Simarly, it's possible to disable feature flags with:
+Similarly, it's possible to disable feature flags with:
 
 ```
 FEATURE_TAGGING_SYSTEM=false

docs/versioned_docs/version-6.0.0/installation/docker-compose.mdx

@@ -282,5 +282,5 @@ address.
 When running `docker compose up`, docker will build what is required behind the scene, but
 may use the docker cache if assets already exist. Running `docker compose build` prior to
 `docker compose up` or the equivalent shortcut `docker compose up --build` ensures that your
-docker images matche the definition in the repository. This should only apply to the main
+docker images match the definition in the repository. This should only apply to the main
 docker-compose.yml file (default) and not to the alternative methods defined above.

docs/yarn.lock

@@ -2433,10 +2433,10 @@
     minimatch "^3.1.2"
     strip-json-comments "^3.1.1"
 
-"@eslint/js@9.33.0", "@eslint/js@^9.32.0":
-  version "9.33.0"
-  resolved "https://registry.yarnpkg.com/@eslint/js/-/js-9.33.0.tgz#475c92fdddab59b8b8cab960e3de2564a44bf368"
-  integrity sha512-5K1/mKhWaMfreBGJTwval43JJmkip0RmM+3+IuqupeSKNC/Th2Kc7ucaq5ovTSra/OOKB9c58CGSz3QMVbWt0A==
+"@eslint/js@9.34.0", "@eslint/js@^9.32.0":
+  version "9.34.0"
+  resolved "https://registry.yarnpkg.com/@eslint/js/-/js-9.34.0.tgz#fc423168b9d10e08dea9088d083788ec6442996b"
+  integrity sha512-EoyvqQnBNsV1CWaEJ559rxXL4c8V92gxirbawSmVUOWXlsRxxQXl6LmCpdUblgxgSkDIqKnhzba2SjRTI/A5Rw==
 
 "@eslint/object-schema@^2.1.6":
   version "2.1.6"
@@ -2598,10 +2598,10 @@
     unist-util-visit "^5.0.0"
     vfile "^6.0.0"
 
-"@mdx-js/react@^3.0.0", "@mdx-js/react@^3.1.0":
-  version "3.1.0"
-  resolved "https://registry.yarnpkg.com/@mdx-js/react/-/react-3.1.0.tgz#c4522e335b3897b9a845db1dbdd2f966ae8fb0ed"
-  integrity sha512-QjHtSaoameoalGnKDT3FoIl4+9RwyTmo9ZJGBdLOks/YOiWHoRDI3PUwEzOE7kEmGcV3AFcp9K6dYu9rEuKLAQ==
+"@mdx-js/react@^3.0.0", "@mdx-js/react@^3.1.1":
+  version "3.1.1"
+  resolved "https://registry.yarnpkg.com/@mdx-js/react/-/react-3.1.1.tgz#24bda7fffceb2fe256f954482123cda1be5f5fef"
+  integrity sha512-f++rKLQgUVYDAtECQ6fn/is15GkEH9+nZPM3MS0RcxVqoTfawHvDlSCH7JbMhAM6uJ32v3eXLvLmLvjGu7PTQw==
   dependencies:
     "@types/mdx" "^2.0.0"
 
@@ -4102,7 +4102,7 @@
     natural-compare "^1.4.0"
     ts-api-utils "^2.1.0"
 
-"@typescript-eslint/parser@8.40.0", "@typescript-eslint/parser@^8.37.0":
+"@typescript-eslint/parser@8.40.0":
   version "8.40.0"
   resolved "https://registry.yarnpkg.com/@typescript-eslint/parser/-/parser-8.40.0.tgz#1bc9f3701ced29540eb76ff2d95ce0d52ddc7e69"
   integrity sha512-jCNyAuXx8dr5KJMkecGmZ8KI61KBUhkCob+SD+C+I5+Y1FWI2Y3QmY4/cxMCC5WAsZqoEtEETVhUiUMIGCf6Bw==
@@ -4113,6 +4113,17 @@
     "@typescript-eslint/visitor-keys" "8.40.0"
     debug "^4.3.4"
 
+"@typescript-eslint/parser@^8.42.0":
+  version "8.42.0"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/parser/-/parser-8.42.0.tgz#20ea66f4867981fb5bb62cbe1454250fc4a440ab"
+  integrity sha512-r1XG74QgShUgXph1BYseJ+KZd17bKQib/yF3SR+demvytiRXrwd12Blnz5eYGm8tXaeRdd4x88MlfwldHoudGg==
+  dependencies:
+    "@typescript-eslint/scope-manager" "8.42.0"
+    "@typescript-eslint/types" "8.42.0"
+    "@typescript-eslint/typescript-estree" "8.42.0"
+    "@typescript-eslint/visitor-keys" "8.42.0"
+    debug "^4.3.4"
+
 "@typescript-eslint/project-service@8.40.0":
   version "8.40.0"
   resolved "https://registry.yarnpkg.com/@typescript-eslint/project-service/-/project-service-8.40.0.tgz#1b7ba6079ff580c3215882fe75a43e5d3ed166b9"
@@ -4122,6 +4133,15 @@
     "@typescript-eslint/types" "^8.40.0"
     debug "^4.3.4"
 
+"@typescript-eslint/project-service@8.42.0":
+  version "8.42.0"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/project-service/-/project-service-8.42.0.tgz#636eb3418b6c42c98554dce884943708bf41a583"
+  integrity sha512-vfVpLHAhbPjilrabtOSNcUDmBboQNrJUiNAGoImkZKnMjs2TIcWG33s4Ds0wY3/50aZmTMqJa6PiwkwezaAklg==
+  dependencies:
+    "@typescript-eslint/tsconfig-utils" "^8.42.0"
+    "@typescript-eslint/types" "^8.42.0"
+    debug "^4.3.4"
+
 "@typescript-eslint/scope-manager@8.40.0":
   version "8.40.0"
   resolved "https://registry.yarnpkg.com/@typescript-eslint/scope-manager/-/scope-manager-8.40.0.tgz#2fbfcc8643340d8cd692267e61548b946190be8a"
@@ -4130,11 +4150,24 @@
     "@typescript-eslint/types" "8.40.0"
     "@typescript-eslint/visitor-keys" "8.40.0"
 
+"@typescript-eslint/scope-manager@8.42.0":
+  version "8.42.0"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/scope-manager/-/scope-manager-8.42.0.tgz#36016757bc85b46ea42bae47b61f9421eddedde3"
+  integrity sha512-51+x9o78NBAVgQzOPd17DkNTnIzJ8T/O2dmMBLoK9qbY0Gm52XJcdJcCl18ExBMiHo6jPMErUQWUv5RLE51zJw==
+  dependencies:
+    "@typescript-eslint/types" "8.42.0"
+    "@typescript-eslint/visitor-keys" "8.42.0"
+
 "@typescript-eslint/tsconfig-utils@8.40.0", "@typescript-eslint/tsconfig-utils@^8.40.0":
   version "8.40.0"
   resolved "https://registry.yarnpkg.com/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.40.0.tgz#8e8fdb9b988854aedd04abdde3239c4bdd2d26e4"
   integrity sha512-jtMytmUaG9d/9kqSl/W3E3xaWESo4hFDxAIHGVW/WKKtQhesnRIJSAJO6XckluuJ6KDB5woD1EiqknriCtAmcw==
 
+"@typescript-eslint/tsconfig-utils@8.42.0", "@typescript-eslint/tsconfig-utils@^8.42.0":
+  version "8.42.0"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.42.0.tgz#21a3e74396fd7443ff930bc41b27789ba7e9236e"
+  integrity sha512-kHeFUOdwAJfUmYKjR3CLgZSglGHjbNTi1H8sTYRYV2xX6eNz4RyJ2LIgsDLKf8Yi0/GL1WZAC/DgZBeBft8QAQ==
+
 "@typescript-eslint/type-utils@8.40.0":
   version "8.40.0"
   resolved "https://registry.yarnpkg.com/@typescript-eslint/type-utils/-/type-utils-8.40.0.tgz#a7e4a1f0815dd0ba3e4eef945cc87193ca32c422"
@@ -4146,11 +4179,16 @@
     debug "^4.3.4"
     ts-api-utils "^2.1.0"
 
-"@typescript-eslint/types@8.40.0", "@typescript-eslint/types@^8.40.0":
+"@typescript-eslint/types@8.40.0":
   version "8.40.0"
   resolved "https://registry.yarnpkg.com/@typescript-eslint/types/-/types-8.40.0.tgz#0b580fdf643737aa5c01285314b5c6e9543846a9"
   integrity sha512-ETdbFlgbAmXHyFPwqUIYrfc12ArvpBhEVgGAxVYSwli26dn8Ko+lIo4Su9vI9ykTZdJn+vJprs/0eZU0YMAEQg==
 
+"@typescript-eslint/types@8.42.0", "@typescript-eslint/types@^8.40.0", "@typescript-eslint/types@^8.42.0":
+  version "8.42.0"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/types/-/types-8.42.0.tgz#ae15c09cebda20473772902033328e87372db008"
+  integrity sha512-LdtAWMiFmbRLNP7JNeY0SqEtJvGMYSzfiWBSmx+VSZ1CH+1zyl8Mmw1TT39OrtsRvIYShjJWzTDMPWZJCpwBlw==
+
 "@typescript-eslint/typescript-estree@8.40.0":
   version "8.40.0"
   resolved "https://registry.yarnpkg.com/@typescript-eslint/typescript-estree/-/typescript-estree-8.40.0.tgz#295149440ce7da81c790a4e14e327599a3a1e5c9"
@@ -4167,6 +4205,22 @@
     semver "^7.6.0"
     ts-api-utils "^2.1.0"
 
+"@typescript-eslint/typescript-estree@8.42.0":
+  version "8.42.0"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/typescript-estree/-/typescript-estree-8.42.0.tgz#593c3af87d4462252c0d7239d1720b84a1b56864"
+  integrity sha512-ku/uYtT4QXY8sl9EDJETD27o3Ewdi72hcXg1ah/kkUgBvAYHLwj2ofswFFNXS+FL5G+AGkxBtvGt8pFBHKlHsQ==
+  dependencies:
+    "@typescript-eslint/project-service" "8.42.0"
+    "@typescript-eslint/tsconfig-utils" "8.42.0"
+    "@typescript-eslint/types" "8.42.0"
+    "@typescript-eslint/visitor-keys" "8.42.0"
+    debug "^4.3.4"
+    fast-glob "^3.3.2"
+    is-glob "^4.0.3"
+    minimatch "^9.0.4"
+    semver "^7.6.0"
+    ts-api-utils "^2.1.0"
+
 "@typescript-eslint/utils@8.40.0":
   version "8.40.0"
   resolved "https://registry.yarnpkg.com/@typescript-eslint/utils/-/utils-8.40.0.tgz#8d0c6430ed2f5dc350784bb0d8be514da1e54054"
@@ -4185,6 +4239,14 @@
     "@typescript-eslint/types" "8.40.0"
     eslint-visitor-keys "^4.2.1"
 
+"@typescript-eslint/visitor-keys@8.42.0":
+  version "8.42.0"
+  resolved "https://registry.yarnpkg.com/@typescript-eslint/visitor-keys/-/visitor-keys-8.42.0.tgz#87c6caaa1ac307bc73a87c1fc469f88f0162f27e"
+  integrity sha512-3WbiuzoEowaEn8RSnhJBrxSwX8ULYE9CXaPepS2C2W3NSA5NNIvBaslpBSBElPq0UGr0xVJlXFWOAKIkyylydQ==
+  dependencies:
+    "@typescript-eslint/types" "8.42.0"
+    eslint-visitor-keys "^4.2.1"
+
 "@ungap/structured-clone@^1.0.0":
   version "1.3.0"
   resolved "https://registry.yarnpkg.com/@ungap/structured-clone/-/structured-clone-1.3.0.tgz#d06bbb384ebcf6c505fde1c3d0ed4ddffe0aaff8"
@@ -4704,9 +4766,9 @@ available-typed-arrays@^1.0.7:
     possible-typed-array-names "^1.0.0"
 
 axios@^1.9.0:
-  version "1.11.0"
-  resolved "https://registry.yarnpkg.com/axios/-/axios-1.11.0.tgz#c2ec219e35e414c025b2095e8b8280278478fdb6"
-  integrity sha512-1Lx3WLFQWm3ooKDYZD1eXmoGO9fxYQjrycfHFC8P0sCfQVXyROp0p9PFWBehewBOdCwHc+f/b8I0fMto5eSfwA==
+  version "1.12.0"
+  resolved "https://registry.yarnpkg.com/axios/-/axios-1.12.0.tgz#11248459be05a5ee493485628fa0e4323d0abfc3"
+  integrity sha512-oXTDccv8PcfjZmPGlWsPSwtOJCZ/b6W5jAMCNcfwJbCzDckwG0jrYJFaWH1yvivfCXjVzV/SPDEhMB3Q+DSurg==
   dependencies:
     follow-redirects "^1.15.6"
     form-data "^4.0.4"
@@ -5020,10 +5082,10 @@ caniuse-api@^3.0.0:
     lodash.memoize "^4.1.2"
     lodash.uniq "^4.5.0"
 
-caniuse-lite@^1.0.0, caniuse-lite@^1.0.30001702, caniuse-lite@^1.0.30001707, caniuse-lite@^1.0.30001735:
-  version "1.0.30001735"
-  resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001735.tgz#ba658fd3fd24a4106fd68d5ce472a2c251494dbe"
-  integrity sha512-EV/laoX7Wq2J9TQlyIXRxTJqIw4sxfXS4OYgudGxBYRuTv0q7AM6yMEpU/Vo1I94thg9U6EZ2NfZx9GJq83u7w==
+caniuse-lite@^1.0.0, caniuse-lite@^1.0.30001702, caniuse-lite@^1.0.30001735, caniuse-lite@^1.0.30001739:
+  version "1.0.30001739"
+  resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001739.tgz#b34ce2d56bfc22f4352b2af0144102d623a124f4"
+  integrity sha512-y+j60d6ulelrNSwpPyrHdl+9mJnQzHBr08xm48Qno0nSk4h3Qojh+ziv2qE6rXf4k3tadF4o1J/1tAbVm1NtnA==
 
 ccount@^2.0.0:
   version "2.0.1"
@@ -6713,10 +6775,10 @@ eslint-visitor-keys@^4.2.1:
   resolved "https://registry.yarnpkg.com/eslint-visitor-keys/-/eslint-visitor-keys-4.2.1.tgz#4cfea60fe7dd0ad8e816e1ed026c1d5251b512c1"
   integrity sha512-Uhdk5sfqcee/9H/rCOJikYz67o0a2Tw2hGRPOG2Y1R2dg7brRe1uG0yaNQDHu+TO/uQPF/5eCapvYSmHUjt7JQ==
 
-eslint@^9.32.0:
-  version "9.33.0"
-  resolved "https://registry.yarnpkg.com/eslint/-/eslint-9.33.0.tgz#cc186b3d9eb0e914539953d6a178a5b413997b73"
-  integrity sha512-TS9bTNIryDzStCpJN93aC5VRSW3uTx9sClUn4B87pwiCaJh220otoI0X8mJKr+VcPtniMdN8GKjlwgWGUv5ZKA==
+eslint@^9.34.0:
+  version "9.34.0"
+  resolved "https://registry.yarnpkg.com/eslint/-/eslint-9.34.0.tgz#0ea1f2c1b5d1671db8f01aa6b8ce722302016f7b"
+  integrity sha512-RNCHRX5EwdrESy3Jc9o8ie8Bog+PeYvvSR8sDGoZxNFTvZ4dlxUB3WzQ3bQMztFrSRODGrLLj8g6OFuGY/aiQg==
   dependencies:
     "@eslint-community/eslint-utils" "^4.2.0"
     "@eslint-community/regexpp" "^4.12.1"
@@ -6724,7 +6786,7 @@ eslint@^9.32.0:
     "@eslint/config-helpers" "^0.3.1"
     "@eslint/core" "^0.15.2"
     "@eslint/eslintrc" "^3.3.1"
-    "@eslint/js" "9.33.0"
+    "@eslint/js" "9.34.0"
     "@eslint/plugin-kit" "^0.3.5"
     "@humanfs/node" "^0.16.6"
     "@humanwhocodes/module-importer" "^1.0.1"
@@ -13139,10 +13201,10 @@ ts-dedent@^2.0.0, ts-dedent@^2.2.0:
   resolved "https://registry.yarnpkg.com/ts-dedent/-/ts-dedent-2.2.0.tgz#39e4bd297cd036292ae2394eb3412be63f563bb5"
   integrity sha512-q5W7tVM71e2xjHZTlgfTDoPF/SmqKG5hddq9SzR49CH2hayqRKJtQ4mtRlSxKaJlR/+9rEM+mnBHf7I2/BQcpQ==
 
-ts-loader@^9.5.2:
-  version "9.5.2"
-  resolved "https://registry.yarnpkg.com/ts-loader/-/ts-loader-9.5.2.tgz#1f3d7f4bb709b487aaa260e8f19b301635d08020"
-  integrity sha512-Qo4piXvOTWcMGIgRiuFa6nHNm+54HbYaZCKqc9eeZCLRy3XqafQgwX2F7mofrbJG3g7EEb+lkiR+z2Lic2s3Zw==
+ts-loader@^9.5.4:
+  version "9.5.4"
+  resolved "https://registry.yarnpkg.com/ts-loader/-/ts-loader-9.5.4.tgz#44b571165c10fb5a90744aa5b7e119233c4f4585"
+  integrity sha512-nCz0rEwunlTZiy6rXFByQU1kVVpCIgUpc/psFiKVrUwrizdnIbRFu8w7bxhUF0X613DYwT4XzrZHpVyMe758hQ==
   dependencies:
     chalk "^4.1.0"
     enhanced-resolve "^5.0.0"
@@ -13269,10 +13331,10 @@ typescript-eslint@^8.39.0:
     "@typescript-eslint/typescript-estree" "8.40.0"
     "@typescript-eslint/utils" "8.40.0"
 
-typescript@~5.8.3:
-  version "5.8.3"
-  resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.8.3.tgz#92f8a3e5e3cf497356f4178c34cd65a7f5e8440e"
-  integrity sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ==
+typescript@~5.9.2:
+  version "5.9.2"
+  resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.9.2.tgz#d93450cddec5154a2d5cabe3b8102b83316fb2a6"
+  integrity sha512-CWBzXQrc/qOkhidw1OzBTQuYRbfyxDXJMVJ1XNwUHGROVmuaeiEm3OslpZ1RV96d7SKKjZKrSJu3+t/xlw3R9A==
 
 ufo@^1.5.4:
   version "1.6.1"

helm/superset/Chart.yaml

@@ -29,7 +29,7 @@ maintainers:
   - name: craig-rueda
     email: craig@craigrueda.com
     url: https://github.com/craig-rueda
-version: 0.15.0 # See [README](https://github.com/apache/superset/blob/master/helm/superset/README.md#versioning) for version details.
+version: 0.15.1 # See [README](https://github.com/apache/superset/blob/master/helm/superset/README.md#versioning) for version details.
 dependencies:
   - name: postgresql
     version: 13.4.4

helm/superset/README.md

@@ -23,7 +23,7 @@ NOTE: This file is generated by helm-docs: https://github.com/norwoodj/helm-docs
 
 # superset
 
-![Version: 0.15.0](https://img.shields.io/badge/Version-0.15.0-informational?style=flat-square)
+![Version: 0.15.1](https://img.shields.io/badge/Version-0.15.1-informational?style=flat-square)
 
 Apache Superset is a modern, enterprise-ready business intelligence web application
 
@@ -203,6 +203,7 @@ On helm this can be set on `extraSecretEnv.SUPERSET_SECRET_KEY` or `configOverri
 | supersetNode.connections.db_name | string | `"superset"` |  |
 | supersetNode.connections.db_pass | string | `"superset"` |  |
 | supersetNode.connections.db_port | string | `"5432"` |  |
+| supersetNode.connections.db_type | string | `"postgresql"` | Database type for Superset metadata (Supported types: "postgresql", "mysql") |
 | supersetNode.connections.db_user | string | `"superset"` |  |
 | supersetNode.connections.redis_cache_db | string | `"1"` |  |
 | supersetNode.connections.redis_celery_db | string | `"0"` |  |

helm/superset/templates/_helpers.tpl

@@ -96,7 +96,18 @@ CACHE_CONFIG = {
 }
 DATA_CACHE_CONFIG = CACHE_CONFIG
 
-SQLALCHEMY_DATABASE_URI = f"postgresql+psycopg2://{env('DB_USER')}:{env('DB_PASS')}@{env('DB_HOST')}:{env('DB_PORT')}/{env('DB_NAME')}"
+
+if os.getenv("SQLALCHEMY_DATABASE_URI"):
+    SQLALCHEMY_DATABASE_URI = os.getenv("SQLALCHEMY_DATABASE_URI")
+else:
+    {{- if eq .Values.supersetNode.connections.db_type "postgresql" }}
+    SQLALCHEMY_DATABASE_URI = f"postgresql+psycopg2://{os.getenv('DB_USER')}:{os.getenv('DB_PASS')}@{os.getenv('DB_HOST')}:{os.getenv('DB_PORT')}/{os.getenv('DB_NAME')}"
+    {{- else if eq .Values.supersetNode.connections.db_type "mysql" }}
+    SQLALCHEMY_DATABASE_URI = f"mysql+mysqldb://{os.getenv('DB_USER')}:{os.getenv('DB_PASS')}@{os.getenv('DB_HOST')}:{os.getenv('DB_PORT')}/{os.getenv('DB_NAME')}"
+    {{- else }}
+    {{ fail (printf "Unsupported database type: %s. Please use 'postgresql' or 'mysql'." .Values.supersetNode.connections.db_type) }}
+    {{- end }}
+
 SQLALCHEMY_TRACK_MODIFICATIONS = True
 
 class CeleryConfig:

helm/superset/values.yaml

@@ -289,6 +289,8 @@ supersetNode:
       enabled: false
       ssl_cert_reqs: CERT_NONE
     # You need to change below configuration incase bringing own PostgresSQL instance and also set postgresql.enabled:false
+    # -- Database type for Superset metadata (Supported types: "postgresql", "mysql")
+    db_type: "postgresql"
     db_host: "{{ .Release.Name }}-postgresql"
     db_port: "5432"
     db_user: superset

pyproject.toml

@@ -35,7 +35,8 @@ classifiers = [
     "Programming Language :: Python :: 3.12",
 ]
 dependencies = [
-    "apache-superset-core>=0.0.1, <0.2",
+    # no bounds for apache-superset-core until we have a stable version
+    "apache-superset-core",
     "backoff>=1.8.0",
     "celery>=5.3.6, <6.0.0",
     "click>=8.0.3",
@@ -47,7 +48,7 @@ dependencies = [
     "cryptography>=42.0.4, <45.0.0",
     "deprecation>=2.1.0, <2.2.0",
     "flask>=2.2.5, <3.0.0",
-    "flask-appbuilder>=4.8.0, <5.0.0",
+    "flask-appbuilder>=5.0.0,<6",
     "flask-caching>=2.1.0, <3",
     "flask-compress>=1.13, <2.0",
     "flask-talisman>=1.0.0, <2.0",
@@ -68,13 +69,14 @@ dependencies = [
     "markdown>=3.0",
     # marshmallow>=4 has issues: https://github.com/apache/superset/issues/33162
     "marshmallow>=3.0, <4",
+    "marshmallow-union>=0.1",
     "msgpack>=1.0.0, <1.1",
     "nh3>=0.2.11, <0.3",
     "numpy>1.23.5, <2.3",
     "packaging",
     # --------------------------
     # pandas and related (wanting pandas[performance] without numba as it's 100+MB and not needed)
-    "pandas[excel]>=2.0.3, <2.1",
+    "pandas[excel]>=2.0.3, <2.2",
     "bottleneck", # recommended performance dependency for pandas, see https://pandas.pydata.org/docs/getting_started/install.html#performance-dependencies-recommended
     # --------------------------
     "parsedatetime",
@@ -82,11 +84,12 @@ dependencies = [
     "pgsanity",
     "Pillow>=11.0.0, <12",
     "polyline>=2.0.0, <3.0",
+    "pydantic>=2.8.0",
     "pyparsing>=3.0.6, <4",
     "python-dateutil",
     "python-dotenv", # optional dependencies for Flask but required for Superset, see https://flask.palletsprojects.com/en/stable/installation/#optional-dependencies
     "python-geohash",
-    "pyarrow>=16.1.0, <17", # before upgrading pyarrow, check that all db dependencies support this, see e.g. https://github.com/apache/superset/pull/34693
+    "pyarrow>=16.1.0, <19", # before upgrading pyarrow, check that all db dependencies support this, see e.g. https://github.com/apache/superset/pull/34693
     "pyyaml>=6.0.0, <7.0.0",
     "PyJWT>=2.4.0, <3.0",
     "redis>=4.6.0, <5.0",
@@ -97,7 +100,7 @@ dependencies = [
     "slack_sdk>=3.19.0, <4",
     "sqlalchemy>=1.4, <2",
     "sqlalchemy-utils>=0.38.3, <0.39",
-    "sqlglot>=27.3.0, <28",
+    "sqlglot>=27.15.2, <28",
     # newer pandas needs 0.9+
     "tabulate>=0.9.0, <1.0",
     "typing-extensions>=4, <5",
@@ -122,8 +125,8 @@ cockroachdb = ["cockroachdb>=0.3.5, <0.4"]
 crate = ["sqlalchemy-cratedb>=0.40.1, <1"]
 databend = ["databend-sqlalchemy>=0.3.2, <1.0"]
 databricks = [
-    "databricks-sql-connector>=2.0.2, <3",
-    "sqlalchemy-databricks>=0.2.0",
+    "databricks-sql-connector==4.1.2",
+    "databricks-sqlalchemy==1.0.5",
 ]
 db2 = ["ibm-db-sa>0.3.8, <=0.4.0"]
 denodo = ["denodo-sqlalchemy~=1.0.6"]
@@ -192,7 +195,8 @@ doris = ["pydoris>=1.0.0, <2.0.0"]
 oceanbase = ["oceanbase_py>=0.0.1"]
 ydb = ["ydb-sqlalchemy>=0.1.2"]
 development = [
-    "apache-superset-cli>=0.0.1, <0.2",
+    # no bounds for apache-superset-extensions-cli until a stable version
+    "apache-superset-extensions-cli",
     "docker",
     "flask-testing",
     "freezegun",
@@ -224,8 +228,8 @@ documentation = "https://superset.apache.org/docs/intro"
 combine_as_imports = true
 include_trailing_comma = true
 line_length = 88
-known_first_party = "superset, apache-superset-core, apache-superset-cli"
-known_third_party = "alembic, apispec, backoff, celery, click, colorama, cron_descriptor, croniter, cryptography, dateutil, deprecation, flask, flask_appbuilder, flask_babel, flask_caching, flask_compress, flask_jwt_extended, flask_login, flask_migrate, flask_sqlalchemy, flask_talisman, flask_testing, flask_wtf, freezegun, geohash, geopy, holidays, humanize, isodate, jinja2, jwt, markdown, markupsafe, marshmallow, msgpack, nh3, numpy, pandas, parameterized, parsedatetime, pgsanity, polyline, prison, progress, pyarrow, sqlalchemy_bigquery, pyhive, pyparsing, pytest, pytest_mock, pytz, redis, requests, selenium, setuptools, shillelagh, simplejson, slack, sqlalchemy, sqlalchemy_utils, typing_extensions, urllib3, werkzeug, wtforms, wtforms_json, yaml"
+known_first_party = "superset, apache-superset-core, apache-superset-extensions-cli"
+known_third_party = "alembic, apispec, backoff, celery, click, colorama, cron_descriptor, croniter, cryptography, dateutil, deprecation, flask, flask_appbuilder, flask_babel, flask_caching, flask_compress, flask_jwt_extended, flask_login, flask_migrate, flask_sqlalchemy, flask_talisman, flask_testing, flask_wtf, freezegun, geohash, geopy, holidays, humanize, isodate, jinja2, jwt, markdown, markupsafe, marshmallow, marshmallow-union, msgpack, nh3, numpy, pandas, parameterized, parsedatetime, pgsanity, polyline, prison, progress, pyarrow, sqlalchemy_bigquery, pyhive, pyparsing, pytest, pytest_mock, pytz, redis, requests, selenium, setuptools, shillelagh, simplejson, slack, sqlalchemy, sqlalchemy_utils, typing_extensions, urllib3, werkzeug, wtforms, wtforms_json, yaml"
 multi_line_output = 3
 order_by_type = false
 
@@ -310,6 +314,7 @@ select = [
     "E",
     "F",
     "F",
+    "G",
     "I",
     "N",
     "PT",
@@ -325,6 +330,7 @@ ignore = [
     "PT006",
     "T201",
     "N999",
+    "G201",
 ]
 extend-select = ["I"]
 
@@ -430,4 +436,4 @@ pyxlsb = "1"  # GPL
 
 [tool.uv.sources]
 apache-superset-core = { path = "./superset-core", editable = true }
-apache-superset-cli = { path = "./superset-cli", editable = true }
+apache-superset-extensions-cli = { path = "./superset-extensions-cli", editable = true }

requirements/base.txt

@@ -6,6 +6,8 @@ alembic==1.15.2
     # via flask-migrate
 amqp==5.3.1
     # via kombu
+annotated-types==0.7.0
+    # via pydantic
 apispec==6.6.1
     # via
     #   -r requirements/base.in
@@ -114,11 +116,11 @@ flask==2.3.3
     #   flask-session
     #   flask-sqlalchemy
     #   flask-wtf
-flask-appbuilder==4.8.0
+flask-appbuilder==5.0.0
     # via
     #   apache-superset (pyproject.toml)
     #   apache-superset-core
-flask-babel==2.0.0
+flask-babel==3.1.0
     # via flask-appbuilder
 flask-caching==2.3.1
     # via apache-superset (pyproject.toml)
@@ -158,6 +160,7 @@ greenlet==3.1.1
     # via
     #   apache-superset (pyproject.toml)
     #   shillelagh
+    #   sqlalchemy
 gunicorn==23.0.0
     # via apache-superset (pyproject.toml)
 h11==0.16.0
@@ -219,10 +222,13 @@ marshmallow==3.26.1
     #   apache-superset (pyproject.toml)
     #   flask-appbuilder
     #   marshmallow-sqlalchemy
+    #   marshmallow-union
 marshmallow-sqlalchemy==1.4.0
     # via
     #   -r requirements/base.in
     #   flask-appbuilder
+marshmallow-union==0.1.15
+    # via apache-superset (pyproject.toml)
 mdurl==0.1.2
     # via markdown-it-py
 msgpack==1.0.8
@@ -261,7 +267,7 @@ packaging==25.0
     #   limits
     #   marshmallow
     #   shillelagh
-pandas==2.0.3
+pandas==2.1.4
     # via apache-superset (pyproject.toml)
 paramiko==3.5.1
     # via
@@ -293,6 +299,10 @@ pyasn1-modules==0.4.2
     # via google-auth
 pycparser==2.22
     # via cffi
+pydantic==2.11.7
+    # via apache-superset (pyproject.toml)
+pydantic-core==2.33.2
+    # via pydantic
 pygments==2.19.1
     # via rich
 pyjwt==2.10.1
@@ -385,7 +395,7 @@ sqlalchemy-utils==0.38.3
     # via
     #   apache-superset (pyproject.toml)
     #   flask-appbuilder
-sqlglot==27.3.0
+sqlglot==27.15.2
     # via apache-superset (pyproject.toml)
 sshtunnel==0.4.0
     # via apache-superset (pyproject.toml)
@@ -403,10 +413,15 @@ typing-extensions==4.14.0
     #   alembic
     #   cattrs
     #   limits
+    #   pydantic
+    #   pydantic-core
     #   pyopenssl
     #   referencing
     #   selenium
     #   shillelagh
+    #   typing-inspection
+typing-inspection==0.4.1
+    # via pydantic
 tzdata==2025.2
     # via
     #   kombu

requirements/development.in

@@ -17,4 +17,4 @@
 # under the License.
 #
 -e .[development,bigquery,druid,duckdb,gevent,gsheets,mysql,postgres,presto,prophet,trino,thumbnails]
--e ./superset-cli[test]
+-e ./superset-extensions-cli[test]