From 1460c490956d25dc32e8a0002bfe21d47b748ad3 Mon Sep 17 00:00:00 2001
From: Andrew Kenworthy
Date: Mon, 16 Feb 2026 14:41:30 +0100
Subject: [PATCH 1/3] fix(superset): Pin setup-tools for pkg-resources
---
 superset/Dockerfile | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/superset/Dockerfile b/superset/Dockerfile
index 4de89db3a..80f51d66c 100644
--- a/superset/Dockerfile
+++ b/superset/Dockerfile
@@ -141,7 +141,7 @@ uv pip install --no-cache-dir \
 # We bumped this from 21.2.0 to 22.0.0 to fix CVE-2024-1135
 # Superset 4.1.0 will contain at least 22.0.0, the bump was done in https://github.com/apache/superset/commit/4f693c6db0dc5c7286a36b8d23e90541943ff13f
-# We only want to bump this for the 4.0.x line, as the others already have updated and we don't want to accidentially downgrade the version
+# We only want to bump this for the 4.0.x line, as the others already have updated and we do not want to accidentially downgrade the version
 if [[ "$PRODUCT_VERSION" =~ ^4\.0\..* ]]; then
 echo "Superset 4.0.x detected, installing gunicorn 22.0.0 to fix CVE-2024-1135"
 uv pip install gunicorn==22.0.0
@@ -157,6 +157,12 @@ fi
 uv pip install --no-cache-dir /tmp/opa_authorizer-0.1.0-py3-none-any.whl
+# Setuptools 82+ removed pkg_resources, which is still needed by Superset 4.x
+# dependencies. Re-pin after all other installs in case newer versions
+# have been in by other dependencies.
+# See https://setuptools.pypa.io/en/stable/history.html#v82-0-0
+uv pip install --no-cache-dir setuptools==75.2.0
+
 cyclonedx-py environment --schema-version 1.5 --outfile /stackable/app/superset-${PRODUCT_VERSION}.cdx.json
 uv pip uninstall cyclonedx-bom
From 87eb31eba444f50ab6ac0f1c557d86bd5bfd59e4 Mon Sep 17 00:00:00 2001
From: Andrew Kenworthy
Date: Mon, 16 Feb 2026 14:44:16 +0100
Subject: [PATCH 2/3] changelog
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b78191773..a722b6cdb 100644
--- a/CHANGELOG.md
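Review bot: In superset/Dockerfile, the added `uv pip install --no-cache-dir setuptools==75.2.0` (hunk `@@ -157,6 +157,12 @@`) forces an exact, older release into an already-resolved environment, while the comment above it only needs setuptools to stay below 82. If 75.2.0 is required for another reason, the comment should say so; otherwise `uv pip install --no-cache-dir 'setuptools<82'` expresses the stated constraint and still lets the image pick up later fixes in the pre-82 releases. The step also runs for every `PRODUCT_VERSION`, unlike the gunicorn bump that is gated on `^4\.0\..*`, so a following `uv pip check` would confirm the forced version does not conflict with what the earlier installs resolved. The enclosing shell block starts and ends outside the hunk.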
+++ b/CHANGELOG.md
@@ -66,6 +66,7 @@ All notable changes to this project will be documented in this file.
 - testing-tools: Re-add `pytest` Python package as well as `diffutils` package ([#1388]).
 - testing-tools: Move Kerberos packages from testing-tools/hive to parent since they provide `kinit` which is needed in other tests too (ex. HBase). ([#1389]).
 - hbase: Removed test class from backport HBASE-29797 to HBase version `2.6.3` ([#1426]).
+- superset: Pin setup-tools to ensure pkg_resources are installed (needed for `4.1.4` builds) ([#1428]).
 [#1336]: https://github.com/stackabletech/docker-images/pull/1336
 [#1337]: https://github.com/stackabletech/docker-images/pull/1337
@@ -102,6 +103,7 @@ All notable changes to this project will be documented in this file.
 [#1424]: https://github.com/stackabletech/docker-images/pull/1424
 [#1425]: https://github.com/stackabletech/docker-images/pull/1425
 [#1426]: https://github.com/stackabletech/docker-images/pull/1426
+[#1428]: https://github.com/stackabletech/docker-images/pull/1428
 ## [25.11.0] - 2025-11-07
From 3891e0026695ee94b61108252d72b7b3f6c1e1b9 Mon Sep 17 00:00:00 2001
From: Andrew Kenworthy
Date: Mon, 16 Feb 2026 14:45:06 +0100
Subject: [PATCH 3/3] typo
---
 superset/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/superset/Dockerfile b/superset/Dockerfile
index 80f51d66c..2c6f6e5c3 100644
--- a/superset/Dockerfile
+++ b/superset/Dockerfile
@@ -159,7 +159,7 @@ uv pip install --no-cache-dir /tmp/opa_authorizer-0.1.0-py3-none-any.whl
 # Setuptools 82+ removed pkg_resources, which is still needed by Superset 4.x
 # dependencies. Re-pin after all other installs in case newer versions
-# have been in by other dependencies.
+# have been pulled in by other dependencies.
 # See https://setuptools.pypa.io/en/stable/history.html#v82-0-0
 uv pip install --no-cache-dir setuptools==75.2.0