Preset logo
SUPERSET DEVELOPERS

Apache Superset Community Update: February 2026

Evan Rusackas
26 min read
5,058 words

February 2026 was an extraordinary month for the Apache Superset™ community. Forty-eight contributors came together to merge 330 pull requests — a pace that reflects both the project's momentum and the depth of dedication across the contributor base. Whether you're a daily Superset user, an operator running it at scale, or a developer building on top of it, this month's work touched nearly every layer of the stack.

This month's highlights span the full breadth of what makes Superset powerful. On the infrastructure side, Superset gained Progressive Web App (PWA) support, letting users install it as a native desktop application and open data files directly from their OS. The new Global Task Framework brings a unified system for tracking, canceling, and deduplicating long-running background tasks. Dashboards gained a polished auto-refresh system with color-coded status indicators and flicker-free chart updates. The MCP AI integration — Superset's bridge to assistants like Claude — received over a dozen improvements covering safety, correctness, and capability. And the Dataset Folders editor crossed the finish line with a wave of polish PRs completing the drag-and-drop folder management experience.

Beyond the headliners, February was defined by a sustained chart and dashboard quality blitz: fatal error prevention when databases go offline, non-dismissible error banners, N+1 query fixes that slashed API response times from 15 seconds to under 1 second, conditional formatting for strings and entire rows, a cluster of ECharts rendering fixes, and a sweeping security audit that addressed SQL injection vectors, blocklist bypass bugs, and CVE disclosures. Thirteen first-time contributors made their debut this month — welcome, all of you.

Highlights

Progressive Web App Support with File Handling

PR #36191 brings full Progressive Web App support to Superset. Users can now install Superset as a desktop application directly from their browser — and, crucially, register it as a file handler for CSV, XLS/XLSX, and Parquet files at the OS level. Double-clicking a data file will launch Superset and open the upload modal pre-populated with that file's path, creating a seamless data-to-dashboard workflow that eliminates multiple manual steps.

To install, look for the install icon (⊕) in your browser's address bar when visiting your Superset instance, or use the browser menu (in Chrome: ⋮ → Cast, save, and share → Install page as app…; in Edge: ⋯ → Apps → Install this site as an app). Once installed, Superset appears in your OS app launcher and taskbar like any native application — and your OS will offer Superset as an option when opening supported data files.

This is one of those features that sounds simple but represents a meaningful shift in how Superset can fit into a data analyst's daily workflow. Instead of navigating to Superset, finding the upload flow, and locating the file — it's just a double-click.

Global Task Framework

PR #36368 introduces the Global Task Framework (GTF): a unified system for managing long-running background tasks across the entire Superset application. Before GTF, different features (exports, thumbnail generation, async queries) each had their own ad-hoc approach to background work with inconsistent UX. GTF standardizes this with a Task List UI offering progress tracking, cancellation controls, deduplication (so the same task isn't queued twice), and scope-aware visibility so users only see their own tasks.

GTF supports both async execution via Celery and inline synchronous execution, making it useful regardless of whether Celery is deployed. Tasks that register an abort handler get a live Cancel button; tasks without one display a tooltip explaining why cancellation isn't available. Timed-out tasks that had no abort handler registered are shown with a warning indicator, keeping users informed rather than leaving them wondering why a task vanished.

Follow-up PRs in February added dedup key support for atomic SQL tasks (#37820), fixed a missing user_id on task commands that could cause authorization issues (#37867), and improved task base filter performance (#37900).

Dashboard Auto-Refresh with Visual Status Indicators

PR #37459 delivers a comprehensive dashboard auto-refresh system that replaces the old basic interval mechanism with a full-featured, observable refresh lifecycle. A color-coded status dot in the dashboard header tells users exactly what's happening at a glance:

  • Green — all charts refreshed successfully
  • Blue — refresh cycle actively fetching
  • Yellow — refresh is delayed (backend slow)
  • Red — one or more charts errored during refresh
  • White — refresh is paused

Pause and resume controls sit alongside the status indicator, giving users direct control during presentations or when they want to examine a snapshot in detail. An optional tab-visibility pause mode automatically suspends refresh when the browser tab is backgrounded, reducing unnecessary server load. Chart updates are flicker-free, avoiding the jarring blank-then-repopulate pattern of previous implementations.

Dataset Folders Editor

PR #36239 adds a full-featured dataset folders editor behind the DATASET_FOLDERS feature flag, allowing users to organize metrics and columns into hierarchical folder structures. The editor supports drag-and-drop reordering, real-time search and filtering, and virtualized rendering to handle datasets with hundreds of entries without UI sluggishness.

February saw extensive follow-up polish on this feature:

  • Search now expands collapsed folders to reveal matches (#38188)
  • Drag overlay positioning corrected (#38274)
  • Entire folder blocks can now be dragged as a unit (#38122)
  • Selection counter added (#38270)
  • Badge count display fixed (#38100)
  • Search now matches verbose names in addition to internal keys (#38101)
  • Warning toasts when items are dropped outside valid folder targets (#38257, #38304)
  • Default folder positions now persist correctly (#38105)
  • Shift-select behavior fixed (#38255)
  • Nested folder dragging stabilized (#38275)
  • Stale refs cleaned up on folder deletion (#38302)

MCP Service: AI-Powered Chart and Dashboard Interactions

The Model Context Protocol (MCP) service — Superset's bridge to AI assistants like Claude — received major improvements throughout February, making it more robust, safer, and significantly more capable.

Safety and correctness were prioritized first: response size guards prevent overwhelming LLM context windows (#37200), dataset validation ensures chart tools only operate on valid datasources (#37185), DATE_TRUNC is now prevented from being applied to non-temporal columns (#37433), and HTML-escaped ampersands in chart titles were fixed (#37186). Runtime validation warnings are now treated as informational rather than errors (#37214), and a broad exception handler at the outermost tool level (#38254) prevents unexpected errors from crashing MCP sessions.

Capability expansions followed: unsaved state is now supported for both Explore and Dashboard tools (#37183), chart type coverage for get_chart_data was broadened (#37969), multi-statement SQL execution is supported (#37968), LIKE/IN filter operators were added (#38071), the x_axis column is now included in query context for series charts with group_by (#37639), and database_name was added as a filter column for list_datasets (#37865), making dataset discovery easier for AI agents in multi-database environments. A new config toggle (#37617) lets operators disable the parse_request decorator for custom request handling.

Observability and diagnostics rounded out the improvements: event logger instrumentation (#37859), dynamic feature availability via menus (#37964), current user identity exposed in get_instance_info (#37967), and improved JWT error diagnostics (#37972). Column name normalization (#37187) and dashboard chart placement fixes (#37970) addressed subtle correctness bugs that could confuse AI tool calls. Eager loading was added to get_info tools (#38129) to prevent N+1 query timeouts, and unsupported thumbnail/preview URLs were removed from MCP schemas (#38109) to reduce confusion for AI integrations.

If you're interested in Superset's MCP integration — whether you're building on it, experimenting with AI-assisted analytics, or just curious — come join us in the #project-mcp channel on the Apache Superset Slack.

Dashboard Improvements

Fatal Error Prevention When Database Is Unavailable

PR #37576 fixes a significant usability regression: when one of a dashboard's databases had a connection problem, the entire dashboard would show a full-page 500 error, making it appear completely broken even if only one chart was affected. Now the dashboard loads successfully and displays granular per-chart error messages, so users can see which charts are affected while still interacting with those that aren't.

Improved Chart Error Display

PR #37939 tackles a frustrating debugging experience: charts that encountered backend failures during datasource metadata loading would show an infinite spinner instead of communicating what went wrong. Now error messages are displayed immediately in a scrollable container sized to the chart's dimensions, so long error messages don't get truncated.

Chart Errors Made Non-Dismissible

PR #38014 removes the close button from chart error banners on both dashboards and the explore view. Previously, a user could dismiss an error banner, leaving behind an empty chart with no visible explanation — a particularly confusing experience for dashboard viewers who didn't trigger the error themselves. Errors now persist until the underlying issue is resolved.

Dashboard Performance: N+1 Query Fixes

February delivered a coordinated set of backend performance fixes that dramatically improve dashboard and chart list response times.

PR #37895 identified a severe N+1 query pattern in the chart list API: response times of ~15 seconds with thumbnail_url vs. under 1 second without it, caused by resolving datasources individually per chart. PR #37899 followed up by fixing the root cause in the Slice.datasource property, which was executing a raw database query on every access. PR #38015 further optimizes by skipping thumbnail_url computation entirely when loading a single dashboard.

PR #37941 tackles a related bottleneck in embedded dashboards: Row Level Security filter lookups for dashboard digest computation were executing hundreds of per-datasource queries. The fix batches these into a single query — critical for embedded use cases using guest tokens, where this computation happens on every authentication.

PR #38079 addresses a subtle non-determinism bug: the dashboard thumbnail cache hit rate was only 4.3% because Python's set iteration order varies across Gunicorn workers, causing the same dashboard to hash differently depending on which worker processed the request. Sorting datasources and charts before hashing makes the cache key deterministic and dramatically improves hit rates.

Dashboard Virtualization Deferred Loading

PR #37452 introduces a DASHBOARD_VIRTUALIZATION_DEFER_DATA feature flag (default: off) that defers data queries for off-screen charts until they scroll into view. On dashboards with many charts, this eliminates a burst of simultaneous backend requests at load time that can overwhelm database connections.

Other Dashboard Fixes

  • PR #37260 fixes world map charts losing filter indicator icons after a page refresh, addressing backend cache invalidation, malformed filter labels, and broken "Clear all" behavior
  • PR #37807 fixes newly created tabs not appearing in the filter Scoping tab during dashboard edit mode
  • PR #37904 fixes unreachable drop zones inside tabbed layouts that made it impossible to place charts in certain tab positions
  • PR #37529 fixes dashboard "Export as Example" failing when Superset is deployed under a URL prefix (e.g., /superset/)
  • PR #37983 fixes a home page crash when users lack permission to view certain datasets

Force Refresh with Global Async Queries

PR #37845 fixes force-refreshing charts when Global Async Queries (GAQ) is enabled: previously, force refresh requests weren't properly bypassing the cache or initiating async jobs. The fix ensures force refresh returns HTTP 202 as expected. PR #38089 addresses a related issue where charts with cache_timeout = -1 (caching fully disabled) would receive 404 errors under async queries — they now correctly fall back to synchronous execution.

Chart Enhancements & Fixes

Conditional Formatting Expansions

Three PRs this month significantly expand conditional formatting capabilities:

PR #35863 extends pivot table conditional formatting to support string-based row and column headers, not just numeric values. A centralized getCellColor() helper makes the logic reusable and consistent across the chart.

PR #35897 adds column selection and formatting object types (ENTIRE_ROW, BACKGROUND_COLOR, TEXT_COLOR, CELL_BAR) to table chart conditional formatting, enabling far more expressive data visualization directly in tabular views:

PR #37894 fixes conditional formatting incorrectly coloring empty cells (null, undefined, NaN). Blank values were being coerced to 0, causing them to match numeric rules and receive colors they shouldn't. Empty cells are now correctly left unformatted.

Annotation Label Merging at Same Timestamp

PR #37164 fixes overlapping labels when multiple annotations share the same timestamp on ECharts Timeseries charts. Previously, annotations at the same time produced stacked, illegible labels. They are now grouped and joined with newlines into a single readable label.

ECharts Timeseries Tooltip Restored After Drill Menu

PR #37284 fixes ECharts tooltips disappearing after a user opened and closed the drill context menu. The onClose callback was not always being called when the dropdown closed, leaving the tooltip suppressed. The fix ensures onClose fires reliably on all close paths.

Negative Stacked Bar Label Positioning

PR #37405 fixes labels on negative-value stacked bar charts that were rendering outside the chart area entirely. Labels now appear inside bars at the edge with WCAG AA contrast ratios, keeping negative-value data legible without layout overflow.

X-Axis Date Labels No Longer Disappear When Rotated

PR #37755 untangles three interrelated ECharts bugs that caused rotated x-axis date labels to clip at the chart boundary, produce phantom duplicate labels, or disappear entirely due to overly aggressive overlap detection. The fix uses conditional hideOverlap disabling, removes showMaxLabel overrides, and adds dynamic right-side padding to accommodate the rotated label footprint.

Heatmap Normalization Fix

PR #37208 fixes the Heatmap plugin failing to render when "Normalized" mode was enabled. The normalized rendering path expected 4-dimensional data arrays [xIndex, yIndex, metricValue, rankValue], but the data was being constructed incorrectly. The fix properly builds these arrays, restoring the color gradient normalization feature.

Formula Annotations with Dataset Column Labels

PR #37522 fixes formula annotations appearing in the chart legend but not rendering as a line on ECharts timeseries charts when the X-axis column had a dataset-level label applied. The annotation lookup was using the display label to find the column, but the data key was the original column name — the fix reconciles these two identifiers.

Cross-Filter on Bar Charts Without Dimensions

PR #37407 enables X-axis-based cross-filtering on bar charts that have no "Dimensions" configured. Previously, clicking a bar did nothing when no dimension columns were set, silently swallowing the interaction. This is now handled by falling back to X-axis values for the filter context.

Saved Metrics Search by Display Label

PR #37136 fixes the saved metrics dropdown to search by both the metric's internal key and its human-readable verbose_name. Previously, searching for a metric by the name you'd see in the UI returned no results, requiring users to know the underlying key.

Row Limit Warning for Server-Paginated Tables

PR #37112 fixes the row limit warning icon missing from table charts when Server Pagination is enabled. The icon was being conditionally suppressed in the paginated code path despite the limit still applying.

Other Chart Fixes

  • PR #37669 fixes scatter plot ad-hoc metrics for the point size dimension, which previously only worked with saved metrics
  • PR #37716 fixes World Map country highlights persisting after moving the mouse away
  • PR #37169 adds a single-metric constraint option to the Matrixify chart for single-KPI use cases; PR #37176 ensures existing charts with dynamic group-by migrate correctly
  • PR #37561 prevents time grain dashboard filters from altering timestamps in Raw Records table mode
  • PR #37893 fixes a case-sensitivity bug where renaming a temporal column caused time grain aggregation settings to be silently lost
  • PR #37174 fixes table rows overlapping pagination in the DrillBy modal by making pagination stickiness configurable
  • PR #36993 sets ECharts default axis margins to 0, with automatic expansion to 30 when a title is added — eliminating wasted whitespace in untitled charts
  • PR #37532 removes the "Stream" stacking style option from Bar charts, where it produced incorrect renders
  • PR #37808 fixes unwanted vertical lines appearing in Treemap category sections
  • PR #38030 fixes three World Map chart bugs: right-click context menu errors, "0 rows" display on legacy charts, and broken country tooltips
  • PR #38279 fixes boolean column values rendering as blank cells in AG Grid Table (Table V2), now correctly displaying as checkboxes
  • PR #37036 fixes multiline cell content displaying as a single line in the Cell Content modal
  • PR #37611 removes an irrelevant dataset field from Deck.gl Layer Visibility Display controls
  • PR #38173 adds the missing currencyformatter.js dependency to the Handlebars chart plugin, fixing runtime errors when rendering currency values

SQL Lab & Data Exploration

SQL Lab Bug Fixes and UI Polish

PR #37760 resolves several SQL Lab usability issues that had crept in: the Save Query and Save Dataset buttons were missing on initial load, the "Run selection" feature was broken, a generic folder icon was replaced with a semantically appropriate pushpin icon for "Pin to result panel", and toolbar alignment was tightened up. Small fixes, but high-frequency pain points for SQL Lab power users.

Data Preview Query Limit and Decimal Fix

PR #37614 fixes two SQL Lab issues: data preview queries now respect the configured row limit (previously they could return unbounded results), and Decimal values no longer cause TypeErrors in the results handler.

SQL Autocomplete Restored in Explore

PR #37699 fixes SQL autocomplete suggestions not appearing in the Explore view's "Custom SQL" tab for dimensions and filters. A .map() transformation was stripping the keyword metadata that Ace Editor's autocomplete engine requires, causing the suggestion list to silently come up empty.

Excel Export Index Column Removed

PR #38176 fixes a long-standing bug where Excel exports included an unwanted index column containing sequential row numbers. The fix adds index=False to the df.to_excel() call, making Excel export behavior consistent with CSV exports (and closing three separate issues: #32113, #22981, #29717).

Datasource Editor Pagination

PR #37555 addresses a critical performance issue in the datasource (dataset) editor: opening the metrics tab with 100+ entries could cause 15+ second browser freezes caused by 700 parallel webpack chunk requests firing simultaneously. The fix adds server-side pagination (default 25 items per page) and search/filter inputs to all three tabs (metrics, columns, calculated columns). As a bonus, the datasource editor modal is now resizable and draggable.

Other SQL Lab & Data Fixes

  • PR #37652 fixes SQL Lab showing an indefinite progress bar when a query returned zero rows — it now cleanly displays "no results"
  • PR #37979 fixes datetime_to_epoch incorrectly handling timezone-aware datetimes — replace(tzinfo=pytz.utc) was relabeling rather than converting; the fix uses astimezone(pytz.utc)
  • PR #37621 fixes calculated columns not appearing in the currency code dropdown in the dataset editor

Native Filters & Dashboard Filters

PR #36985 fixes the Time Column native filter being silently ignored for legacy charts like Country Map — these charts continued querying the dataset's default column instead of the user-selected one, making time column filters appear broken for any dashboard mixing modern and legacy chart types.

PR #37855 fixes dependent (cascading) child native filters failing to restore their saved values when a dashboard is opened via a URL with filter state parameters. Shared dashboard links that included cascading filter state would load with child filters blank instead of populated.

Additional filter fixes:

  • PR #37358 fixes filter names not updating in the sidebar in real time as users type
  • PR #37802 fixes the refresh icon drifting downward when validation errors appear in native filter configuration

Theming & UI Improvements

IBM Plex Mono for Code and Numbers

PR #37366 replaces Fira Code with IBM Plex Mono as the monospace font throughout Superset — code editors, SQL displays, and numerical readouts. IBM Plex Mono provides more stable character widths for number-heavy displays and better overall readability in data contexts.

Theme Validation and Error Recovery

PR #37378 adds comprehensive validation to Superset's theming system. Previously, a malformed custom theme could crash the application at runtime with no recovery path. The fix introduces: save-time token validation to prevent bad themes from being persisted, real-time error feedback in the theme editor UI, and multi-tier runtime fallbacks that gracefully recover from broken themes without taking down the application.

Owner Selector Email Display

PR #37906 enhances all owner selector dropdowns across Superset — dashboards, charts, datasets, alerts/reports — to display each owner's email address as secondary text and enable email-based search. In organizations with many users sharing similar names, this makes finding the right owner unambiguous.

Database Error Messages Now Scrollable

PR #37709 fixes verbose database error messages overflowing their toast container. Long error messages from database drivers are now displayed in scrollable containers with styled scrollbars, keeping the UI intact while preserving the full error text.

Alerts & Reports Fixes

  • PR #37037 makes the Screenshot Width field visible when "Send as PDF" format is selected, fixing confusion about PDF dimensions
  • PR #38054 fixes the filter dropdown in report editing showing raw native filter IDs instead of user-friendly names
  • PR #38093 fixes the "Apply another dashboard filter" button label being invisible in Firefox's light mode
  • PR #38084 fixes a validation gap where report schedules could be updated with an invalid database reference

Additional UI Polish

  • PR #37897 standardizes action button ordering across all CRUD list views to a consistent Edit → Delete pattern, keeping destructive actions last
  • PR #37714 fixes a false positive "unsaved changes" modal when navigating away from a newly created, unmodified chart
  • PR #37708 fixes the info tooltip icon in the Save Chart modal rendering below the label instead of inline
  • PR #37581 adds tooltips and aria-pressed attributes to ListView card/list toggle buttons
  • PR #38010 fixes invisible tooltip text in the Calendar Heatmap plugin in both light and dark modes
  • PR #38095 fixes non-owner users being unable to favorite charts they had read access to
  • PR #38075 adds visible labels for encrypted fields in the database connection UI
  • PR #38121 fixes link-style button styling to properly use the colorLink design token
  • PR #38117 prevents the theme object from being incorrectly forwarded to the ReactAce code editor
  • PR #38123 fixes a scrollbar issue in the dataset modal's folders tab

Security

SQL Table Blocklist and Validation Bypass Fix

PR #37411 fixes three security vulnerabilities in Superset's SQL validation layer:

  1. An engine mismatch bug where validate_sql_query used "sqlite" instead of the actual database backend for blocklist lookups — meaning PostgreSQL, MySQL, and MSSQL-specific restrictions were silently bypassed.
  2. A new system-table blocklist preventing queries against sensitive tables like pg_stat_activity and pg_roles.
  3. Stronger DML detection using AST analysis via sqlglot instead of fragile string matching, closing potential bypass paths through comment injection or whitespace manipulation.

SECRET_KEY Lazy Resolution

PR #37982 fixes a critical bug in the re-encrypt-secrets command where EncryptedType captured the SECRET_KEY at model import time. During key rotation, this caused the command to silently re-encrypt data using the old key rather than the new one. The fix resolves the key lazily on every operation.

Other Security Fixes

  • PR #38177 fixes guest token and CSRF token endpoints failing with 422 errors after PyJWT >= 2.10 introduced strict sub claim type enforcement
  • PR #37553 updates jsPDF to v4.0.0 to address CVE-2025-68428 (path traversal)
  • PR #37981 upgrades d3-color to 3.1.0 and moves eslint-plugin-i18n-strings to dev dependencies, achieving zero production frontend vulnerabilities
  • PR #37676 patches a security vulnerability in the Storybook development dependency
  • PR #38278 documents the batch of CVEs published February 24, 2026, including four CVEs fixed in version 6.0.0

Embedded Superset

Disable Logout in Embedded Contexts

PR #37537 introduces a DISABLE_EMBEDDED_SUPERSET_LOGOUT feature flag that hides the logout button when Superset runs embedded in an iframe. This prevents confusion in applications where authentication is managed by the parent app via SSO — clicking "Logout" inside an embedded Superset frame would have signed users out of a session they expected to persist.

Login Redirect Fix for Subdirectory Deployments

PR #37942 fixes login redirects producing 404 errors in subdirectory deployments. The next= query parameter was missing the SUPERSET_APP_ROOT prefix, causing redirects to drop into the root path. PR #38284 follows up with support for specifying app_root directly in superset_config.py for deployments that need programmatic control.

Internationalization

Language Pack Race Condition Fixed

PR #36893 fixes a race condition where the UI displayed in English even when a non-English language was configured. ReactDOM.render() was executing before the translation bundle finished loading; the fix awaits initPreamble() before rendering to ensure translations are available at first paint.

100+ Additional Frontend Strings Now Translatable

PR #37776 wraps approximately 100 user-visible strings across 37 files with the t() translation function — covering aria-labels, placeholders, tooltips, button text, and error messages. PR #33940 similarly fixes hardcoded English strings in the Radar chart label position dropdown. A new lint rule (checkUntranslatedStrings) now automatically catches untranslated strings in JSX props during development, preventing future regressions.

Spanish Translation Corruption Fixed

PR #37717 removes approximately 27 lines of accidentally-embedded LLM analysis output from the Spanish translation file that was causing pybabel compile to fail and breaking the Spanish locale entirely.

Developer Experience & Code Quality

Documentation Site Restructured

PR #38196 splits the Superset documentation into three clearly delineated sections: user docs (/user-docs/), admin docs (/admin-docs/), and developer docs (/developer-docs/), with homepage wayfinding cards to guide visitors to the right section without requiring familiarity with the project structure.

Storybook Consolidated with Source Code

PR #37771 eliminates the superset-ui-demo package and co-locates 84+ Storybook stories with their source code across plugins and core packages. Chart stories were enhanced with interactive controls, fixed data payloads, and OpenStreetMap tiles (eliminating the Mapbox API key requirement for local development).

React Hot Loader Replaced with React Refresh

PR #36433 removes the deprecated react-hot-loader package and migrates to React Refresh for hot module replacement (HMR). This eliminates persistent deprecation warnings in development builds and simplifies the webpack configuration significantly.

SQL Lab Extensions API

PR #37642 enhances the SQL Lab extensions API, enabling richer plugin and extension integrations with the SQL editor experience. PR #38127 simplifies the registerEditorProvider API, making it easier for third-party plugins to extend the SQL editor. PR #38098 adds editors to ContributionConfig and additional properties to EditorKeyword, enabling extensions to register custom chart configuration options.

Extensions Framework Improvements

PR #37856 refactors the extensions contribution schema from flat dot-notation keys to properly nested object structures. PR #38200 adds a mandatory publisher field to extension metadata, establishing organizational namespacing (e.g., acme-corp.dashboard-widgets). PR #38167 fixes naming conventions for hyphenated extension IDs. PR #38217 makes LOCAL_EXTENSIONS loading resilient to individual failures, so a broken extension doesn't block the rest from loading.

Other Developer Experience Improvements

  • PR #37787 migrates Jest-related linting rules from ESLint to oxlint across 263 files
  • PRs #37883#37887 enforce stricter frontend linting rules across four batches, promoting warnings to errors and adding jest/expect-expect assertions
  • PR #37588 replaces babel-loader with swc-loader in the docs build pipeline, eliminating OOM crashes
  • PR #37404 adds JSON-LD structured data, OpenGraph/Twitter meta tags, and sitemap priorities to the docs site
  • PR #38106 skips service worker compilation during dev builds, improving startup time
  • PR #38125 migrates to react-icons, achieving ~50% reduction in bundled icon size
  • PR #38218 fixes Codecov coverage uploads by switching to OIDC token-based authentication

Backend Infrastructure

New Database Support

PR #37590 adds native database engine specs for Apache Phoenix (HBase SQL layer) and Apache IoTDB (time-series database). PR #37589 documents Supabase, AlloyDB, and Neon as PostgreSQL-compatible databases. PR #37949 relaxes the sqlalchemy-utils lower bound for Apache Doris (PyDoris) compatibility.

Apache Phoenix Apache IoTDB Supabase AlloyDB Neon

Select Star Refactor to Avoid SSH Tunnels

PR #35540 refactors select_star across database engine specs to accept a Dialect object instead of a full SQLAlchemy Engine. Since select_star only builds SQL strings and never opens actual connections, this eliminates unnecessary SSH tunnel creation for databases configured with SSH tunnels — a meaningful performance and resource improvement for tunnel-heavy deployments.

Role Management N+1 Fix

PR #37235 fixes two backend performance issues in role management: a "Request Line is too large" HTTP error when editing roles with hundreds of users (fixed by filtering via rel_m_m rather than passing user IDs in the URL), and N+1 queries when loading role relationships.

BigQuery and ClickHouse Fixes

PR #38281 fixes an AttributeError: 'Engine' object has no attribute 'identifier_preparer' crash when loading partitioned BigQuery table metadata. PR #38282 removes a long-standing _mutate_label workaround in the ClickHouse connector that was needed to work around a bug now fixed in clickhouse-connect v0.13.0.

Other Backend Fixes

  • PR #37637 adds default resource requests/limits for Helm chart init containers, preventing deployment issues in Kubernetes clusters with resource quotas
  • PR #36240 updates sqlalchemy-utils from 0.38.3 to 0.42.0, enabling Python 3.11–3.13 compatibility
  • PR #37841 upgrades sqlglot from 27.15.2 to 28.10.0
  • PR #37782 upgrades PostgreSQL from version 16 to 17 across Docker configurations, Helm charts, and documentation
  • PR #37577 fixes example data loading failing when PREVENT_UNSAFE_DB_CONNECTIONS is enabled
  • PR #37670 fixes Docker dev builds failing due to accidental shell command substitutions in the frontend build script
  • PR #37455 fixes metric currency configuration failing validation due to legacy stringified JSON values

Test Coverage Improvements

February saw significant investment in test infrastructure across the codebase. sadpandajoe led a substantial testing effort: PR #36681 adds 118+ RTL tests for DatasetList; PR #36684 adds 12 new Playwright E2E tests for the Dataset List page; PR #37557 adds 23 tests for the example loading pipeline; PR #37866 adds 5 Playwright E2E tests for the Chart List page; PR #37813 migrates Chart List tests from Cypress to RTL; and PR #36012 refactors filter configuration utilities with 32 unit tests.

Dependency Updates

February included routine maintenance across dozens of packages. Highlights by category:

Frontend major updates: use-query-params v1 to v2 (#36997, with migration throughout the codebase), query-string v6 to v9 (#37545), d3-format v1 to v3 (#37442, including a Unicode minus sign fix), jsdom v27 to v28 (#37688), react-resize-detector v7 to v9 (#37741), ol (OpenLayers) v7 to v10 (#37961), mapbox-gl v3.18 to v3.19 (#38264), deck.gl and luma.gl coordinated upgrade to ~9.2.6 (#37718), jsPDF v3 to v4 for CVE fix (#37553).

Frontend security/bug fixes: d3-color upgraded to eliminate production vulnerabilities (#37981), minimatch security patches (#38228, #38282), ajv 6.12.6 to 6.14.0 ReDoS fix (#38131, #38132).

Backend: elasticsearch-dbapi bumped to 0.2.12 for urllib3 2.x compatibility (#37758), sqlglot 27.15.2 to 28.10.0 (#37841), pillow 11.3.0 to 12.1.1 with security fix (#37935), clickhouse-connect minimum bumped to 0.13.0 (#38280).

Dozens of additional tooling updates (@swc/core, oxlint 1.42→1.50, webpack 5.94→5.105.3, @typescript-eslint, Storybook 8.6.x) and React ecosystem version pins for React 17 compatibility were also merged.

Contributors

This release was made possible by 48 contributors who merged 330 pull requests in February 2026. A sincere thank you to everyone who contributed code, reviews, documentation, and testing!

Abhishekmishra2808, andy-clapson, DamianPendrak, deuspt, EnxDev, JCelento, LevisNgigi, LuisSanchez, Nancy-Chauhan, RealGreenDragon, retrry, Rohan5commit, SBIN2010, Ujjwaljain16, VanessaGiannoni, Vitor-Avila, alexandrusoare, amaannawab923, aminghadersohi, betodealmeida, bikashbarua, dpgaspar, eschutho, gabotorresruiz, hainenber, ionik0, jaymasiwal, joe-clickhouse, justinpark, kgabryje, madhushreeag, manojshetty2004, massucattoj, michael-s-molina, msyavuz, qf-jonathan, rad-pat, ramiroaquinoromero, richardfogaca, rinimisinii, rusackas, sadpandajoe, sha174n, tt-a1i, tzercin, villebro, vncsalencar, wuqicyber

First-Time Contributors

A special welcome to these contributors making their first pull request to Apache Superset:

Get Involved

Apache Superset is a community-driven project and we'd love your help. Whether you're fixing bugs, adding features, improving documentation, or simply using Superset and filing issues — every contribution matters.

All the features of Superset (and more) without the hassles of scaling/managing/upgrading, with plenty of time to grow into it. Free for five users, forever.

Subscribe to our blog updates

Receive a weekly digest of new blog posts

Close