2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -66,6 +66,7 @@ All notable changes to this project will be documented in this file.
- testing-tools: Re-add `pytest` Python package as well as `diffutils` package ([#1388]).
- testing-tools: Move Kerberos packages from testing-tools/hive to parent since they provide `kinit` which is needed in other tests too (ex. HBase). ([#1389]).
- hbase: Removed test class from backport HBASE-29797 to HBase version `2.6.3` ([#1426]).
- superset: Pin setup-tools to ensure pkg_resources are installed (needed for `4.1.4` builds) ([#1428]).

[#1336]: https://github.com/stackabletech/docker-images/pull/1336
[#1337]: https://github.com/stackabletech/docker-images/pull/1337
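Review bot: The new superset entry calls the package "setup-tools", but the package pinned in superset/Dockerfile is `setuptools`; use that spelling so the changelog can be searched against the Dockerfile. The entry also limits the need to `4.1.4` builds, while the Dockerfile comment says pkg_resources is needed by Superset 4.x dependencies and the install there is not gated on a version, so state the real scope here. Recording the pinned version (`75.2.0`) in the entry would also let a reader see from the changelog which setuptools the images ship.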
Expand Down Expand Up @@ -102,6 +103,7 @@ All notable changes to this project will be documented in this file.
[#1424]: https://github.com/stackabletech/docker-images/pull/1424
[#1425]: https://github.com/stackabletech/docker-images/pull/1425
[#1426]: https://github.com/stackabletech/docker-images/pull/1426
[#1428]: https://github.com/stackabletech/docker-images/pull/1428

## [25.11.0] - 2025-11-07

8 changes: 7 additions & 1 deletion superset/Dockerfile
Expand Up @@ -141,7 +141,7 @@ uv pip install --no-cache-dir \

# We bumped this from 21.2.0 to 22.0.0 to fix CVE-2024-1135
# Superset 4.1.0 will contain at least 22.0.0, the bump was done in https://github.com/apache/superset/commit/4f693c6db0dc5c7286a36b8d23e90541943ff13f
# We only want to bump this for the 4.0.x line, as the others already have updated and we don't want to accidentially downgrade the version
# We only want to bump this for the 4.0.x line, as the others already have updated and we do not want to accidentially downgrade the version
if [[ "$PRODUCT_VERSION" =~ ^4\.0\..* ]]; then
echo "Superset 4.0.x detected, installing gunicorn 22.0.0 to fix CVE-2024-1135"
uv pip install gunicorn==22.0.0
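Review bot: The rewritten comment line above the `if` still misspells "accidentally" as "accidentially"; since the line is being changed anyway, fix the spelling in the same edit. The only visible change is "don't" to "do not", and the diff gives no reason for it. If the apostrophe caused a quoting or lint problem in this script block, add a short note saying so, otherwise the wording is likely to be changed back later.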
Expand All @@ -157,6 +157,12 @@ fi

uv pip install --no-cache-dir /tmp/opa_authorizer-0.1.0-py3-none-any.whl

# Setuptools 82+ removed pkg_resources, which is still needed by Superset 4.x
# dependencies. Re-pin after all other installs in case newer versions
# have been pulled in by other dependencies.
# See https://setuptools.pypa.io/en/stable/history.html#v82-0-0
uv pip install --no-cache-dir setuptools==75.2.0

cyclonedx-py environment --schema-version 1.5 --outfile /stackable/app/superset-${PRODUCT_VERSION}.cdx.json
uv pip uninstall cyclonedx-bom

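Review bot: The `setuptools==75.2.0` install runs for every product version, although the comment ties the need to Superset 4.x dependencies and the changelog ties it to `4.1.4` builds. The gunicorn bump earlier in this file is gated on `$PRODUCT_VERSION`; either gate this the same way or extend the comment to say why all versions get the pin, so it does not silently downgrade setuptools where nothing needs pkg_resources. The comment also says the break came with setuptools 82, so an upper bound such as `setuptools<82` would state the intent and still allow later releases below 82 with their fixes, whereas the exact pin freezes the image on 75.2.0; if that exact version is deliberate, say why in the comment. Placing the pin before `cyclonedx-py environment` is right, because the SBOM then records the version that actually ships. An import check of pkg_resources after the pin would make the build fail if a later dependency change pulls in a newer setuptools again.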