Preset logo
SUPERSET DEVELOPERS

Apache Superset Community Update: December 2025

Evan Rusackas

Welcome to the December 2025 community update! This month has been absolutely phenomenal for Apache Superset, with 266 pull requests merged from 42 contributors including 19 first-time contributors!

December brought transformative changes to Superset, including a maturing extensions system, important security enhancements, and significant improvements to SQL Lab, dashboards, and chart functionality. The community has been incredibly active, delivering everything from critical bug fixes to exciting new capabilities that will shape how users interact with Superset in 2026 and beyond.

Highlights

Extensions System Maturity

December saw massive progress on the extensions system, making Superset more customizable than ever. The community extensions registry (#36386) now showcases real-world extensions with a beautiful UI featuring company logos and contributor facepiles.

Seven new community extensions were added to the Extensions Registry this month:

ExtensionDescription
SQL Flow Visualizer
SQL Flow Visualizer (#36454)		 Transforms SQL queries into interactive flow diagrams to visualize execution paths
Google Sheets Export
SQL Lab Export to Google Sheets (#36714)		 Export SQL Lab query results directly to Google Sheets
Parquet Export
SQL Lab Export to Parquet (#36755)		 Export SQL Lab query results to Apache Parquet format with Snappy compression
Query Comparison
SQL Lab Query Comparison (#36769)		 Side-by-side comparison of query results with GitHub-style diff visualization
Result Stats
SQL Lab Result Stats (#36796)		 Automatically computes type-aware statistics for query results
SQL Snippets
SQL Snippets (#36797)		 Reusable SQL code snippets for quick insertion of common code blocks
Query Estimator
Query Estimator (#36814)		 Analyzes query execution plans to estimate resource impact and detect performance issues

Security Enhancements

Critical security improvements include configurable hash algorithms for FedRAMP compliance (#36621), allowing deployments to use SHA-256 instead of MD5 for non-cryptographic operations. See the Security Updates section for more details on authentication fixes and dependency updates.

Tell the world you use Superset!

The new "In the Wild" page on the Superset website showcases organizations using Superset, with logos and contributor facepiles. If your company uses Superset, add your organization, GitHub handles, and logo to the INTHEWILD.yaml file!

Dashboard Improvements

Visual and Interaction Enhancements

Several PRs improved the dashboard editing experience. Tab reordering now works reliably with proper state synchronization (#36855), fixing issues where subsequent drag operations used stale state. Tabs inside column containers are now clickable in edit mode (#36528), resolving a frustrating bug where empty drop targets blocked pointer events.

State Management Fixes

Chart state management received significant attention. The dashboard now properly clears chart states when navigating away (#36421), preventing stale data issues. A critical infinite reload loop bug in table charts was fixed (#36686), where clientView state changes were incorrectly triggering continuous re-queries.

Import/Export Improvements

Dashboard imports with the overwrite=True flag now properly replace charts instead of merging them (#36551), making source control workflows more reliable.

SQL Lab Updates

Enhanced Functionality

SQL Lab received numerous improvements this month. The left sidebar was separated from individual editor tabs (#36360), creating a persistent, collapsible panel shared across all tabs. This architectural change also introduced an optional right sidebar for extension contributions.

SQL formatting now properly handles Jinja templates (#36277), processing them server-side before formatting. Query history now displays the most recent queries at the top without requiring page refresh (#36359), and the "View" button for query results was restored (#36540).

Permission Fixes

Missing permissions for the sql_lab role were added (#36263), ensuring users can estimate query costs and format SQL queries. A 404 error when collapsing table schema previews was also resolved (#36858).

Chart Enhancements

Table Chart Improvements

Table charts received extensive updates. The "Export table data with Search box" feature (#36281) now correctly exports only filtered rows, with a restructured export menu showing "Export All Data" vs "Export Current View" options.

Search-filtered totals now update correctly (#36083), with both client-side and server-side pagination properly reflecting filtered data. Cell bars now render correctly for columns containing NULL values (#36819), and boolean conditional formatting was added (#36338) with new operators: isTrue, isFalse, isNull, and isNotNull.

A gradient toggle was added to conditional formatting (#36280), allowing users to choose between gradient-based coloring and solid colors.

Chart-Specific Improvements

Heatmap y-axis sorting now works correctly (#36302), respecting both alphabetical and metric value-based sort orders. ECharts visualizations now properly receive theme overrides (#36389) across 12 chart types that were previously missing the vizType prop.

Country map charts received improved hover tooltips (#36323) with floating popups that follow the cursor, and deck.gl GeoJSON visualizations now support text labels and icons (#36201).

Gauge charts now properly handle cleared min/max values (#36425), reverting to calculated defaults instead of incorrectly setting labels to 0.

Performance & Reliability

Query Performance

Contribution chart cache keys were normalized (#36274), fixing cache misses that triggered unnecessary async jobs. Timeshift temporal column detection was made more reliable (#36309) by prioritizing existing TEMPORAL_RANGE filters.

Error Handling

Global async queries now properly handle aborted requests (#36639), treating them as expected behavior rather than errors. SIP-40 error styles were implemented for Global Async Queries (#36596), preserving rich error information including error_type, level, and extra fields.

Test reliability also improved with fixes for flaky Cypress tests (#36641, #36642) and resolved race conditions in test helpers (#36719).

Security Updates

Authentication & Authorization

JWT authentication was fixed for /api/v1/me endpoints (#36410), properly handling both session-based and JWT-based authentication. The EXCLUDE_USERS_FROM_LISTS configuration now applies to the new /api/v1/security/users/ endpoint (#36742).

Guest users in embedded dashboards now use the correct is_active property (#36716) for Flask-AppBuilder v5.0.2 compatibility.

SQL Execution Security

The MCP execute_sql tool was refactored to use the new unified SQL execution API (#36739, #36529), critically fixing a security vulnerability where Row-Level Security (RLS) was not being applied. The implementation now properly applies RLS via AST transformation, checks DML permissions, and validates disallowed functions.

Dependency Updates

Multiple security-focused dependency updates were merged, including:

  • node-forge 1.3.1 → 1.3.2 (#36299, #36300) - addressing CVE-2025-12816, CVE-2025-66031, and CVE-2025-66030
  • jws updates (#36426, #36427, #36428) - requiring non-empty secrets for HMAC algorithms
  • js-yaml 3.14.1 → 3.14.2 (#36711) - fixing prototype pollution vulnerability
  • urllib3 2.5.0 → 2.6.0 (#36526) - addressing CVE-2025-66471

Developer Experience

TypeScript Migration

Significant progress was made on the JavaScript to TypeScript migration, with multiple PRs converting files across dashboard components, utilities, and test files (#36286, #36347, #36713, #36720, #36721).

Extensions System

The extensions CLI received multiple improvements:

  • Automatic .gitignore generation (#36768)
  • Non-interactive mode support (#36308)
  • Pydantic validation for extension configuration (#36767)

Comprehensive documentation was added covering dependencies (#36817), contribution guidelines (#36523), and the community extensions registry.

Docker Development

Docker development was enhanced to support running multiple Superset instances simultaneously (#36751) with automatic port detection and allocation, eliminating conflicts between different clones.

Documentation

The documentation site received significant improvements:

  • Enhanced Matomo analytics tracking (#36743) with comprehensive event tracking
  • Added llms.txt file (#36730) for LLM-friendly documentation indexing
  • Improved badge download reliability (#36715) with retry logic and concurrency handling
  • Restored project badges (#36495) with custom Docusaurus plugin for localized badge images

Database & Configuration

Database Support

Cloudflare D1 database support was added (#36348) through the superset-engine-d1 package. A custom DB2 dialect for sqlglot was implemented (#36365), handling DB2-specific labeled duration syntax.

SQL parsing was improved to handle backtick-quoted identifiers (#36545) when using the "Other" database type, with automatic fallback to MySQL dialect when needed.

Configuration Enhancements

Per-theme custom font URL support was added (#36317), replacing the global CUSTOM_FONT_URLS configuration with a more flexible fontUrls token in theme configurations. The prune_logs Celery task now supports an optional max_rows_per_run parameter (#36313) to prevent database overload.

Subdirectory deployment support was fixed (#35098) for app icons, reports URLs, and SQL Lab navigation.

UI/UX Improvements

Search and Filtering

Password managers no longer trigger autofill on search inputs (#36209) thanks to custom inputName properties. Dashboard filters now properly handle cleared values (#36380), with filters reappearing in the dropdown after being cleared.

Visual Polish

Multiple UI refinements were made:

  • Text with descenders no longer gets cut off (#36531)
  • Button text capitalization was standardized (#36444)
  • Database form margin issues were fixed (#36479)
  • ECharts legends now use scroll mode for horizontal layouts (#36306) to prevent overlap

Storybook Upgrade

Storybook was upgraded from 8.1.11 to 8.6.14 (#36498) with an automated documentation system for extension-compatible UI components, including live code playgrounds and interactive controls.

Dependency Updates

December saw extensive dependency maintenance with over 100 automated dependency updates from Dependabot. Notable updates include:

Frontend:

Backend:

  • Redis 4.x → 5.x (#36593)
  • FastMCP 2.13.x → 2.14.0 (#36594)

Websocket:

Contributors

These updates were made possible by 42 contributors:

Antonio-RiveroMartnez, AoLiGei1221, ChadRosseau, CoffeeWriter, EnxDev, FelipeGLopez, JoshuaJADaniel, LevisNgigi, LuisSanchez, Risheit, SBIN2010, Vitor-Avila, YousufFFFF, alexandrusoare, aminghadersohi, amym-li, betodealmeida, bsovran, cr0fters, danawan0409, declan-zhao, dpgaspar, edison-lhk, eschutho, gabotorresruiz, geido, hainenber, javacatknight, justinpark, kgabryje, michael-s-molina, mistercrunch, mohammadqassim12, msyavuz, phinjensen, rusackas, sadpandajoe, sfirke, shunki-fujita, sjingoi, viksuper555, yousoph

First-Time Contributors

A special welcome to our 19 first-time contributors who made their debut this month!

AoLiGei1221, ChadRosseau, CoffeeWriter, FelipeGLopez, JoshuaJADaniel, LuisSanchez, Risheit, amym-li, bsovran, cr0fters, danawan0409, declan-zhao, edison-lhk, javacatknight, mohammadqassim12, phinjensen, shunki-fujita, sjingoi, viksuper555

We're particularly excited to welcome a group of students from the University of Toronto Scarborough (UTSC) who contributed to Apache Superset as part of a capstone project. Academic-community partnerships like this have an incredible impact on open source software, and we're grateful for all of their contributions!

Get Involved

Interested in contributing to Apache Superset? Here's how to get started:

December 2025 has been an incredible month for Apache Superset, and we're excited to see what the community builds in 2026! Thank you to everyone who contributed code, documentation, bug reports, and feedback. Your efforts make Superset better for everyone.

All the features of Superset (and more) without the hassles of scaling/managing/upgrading, with plenty of time to grow into it. Free for five users, forever.

Subscribe to our blog updates

Receive a weekly digest of new blog posts

Close