* fix(rdf): reclaim Fuseki disk via compaction + upgrade Jena 4.10 → 5.6.0
PR #28117's SPARQL cleanup converged the logical RDF state but never freed
disk: TDB2 deletes only mark blocks free and the journal grows monotonically
until /$/compact runs. RdfIndexApp.clearRdfData() now calls a new
RdfStorageInterface.compactStorage() between clearAll() and reloadOntologies()
so each recreate run reclaims to a fresh dataset directory. JenaFusekiStorage
posts to /$/compact/{dataset}?deleteOld=true and polls /$/tasks/{id} until
finished, with failures logged and swallowed (disk hygiene, not correctness).
Also unifies the Jena classpath: openmetadata-service was on 4.10.0 and
openmetadata-integration-tests on 5.0.0. Both now pin to 5.6.0 via a single
root pom property, dropping the apache-jena-libs BOM in favour of explicit
jena-core/arq/rdfconnection deps (we're a remote-Fuseki client and never
embed TDB; pulling jena-tdb1/2 triggers a Jena 5/6 static-init regression).
Picks up CVE-2025-49656 and CVE-2025-50151 (admin-side fixes shipped in
Jena 5.5.0). Jena 6.x parked: both 6.0.0 and 6.1.0 hit a recursive clinit
bug where TypeMapper.reset reads RDF.dtLangString before RDF.<clinit>
completes.
Fuseki server bumped 4.10/5.0 → 5.6.0 across all in-repo Dockerfiles; the
unmaintained stain/jena-fuseki:* image references in dev compose files
switched to building from docker/rdf-store/Dockerfile, and Testcontainers
moved to secoresearch/fuseki:5.5.0 (maintained, CVE-fixed; the dataset is
created by JenaFusekiStorage.ensureDatasetExists() so the stain-only
FUSEKI_DATASET_1 env var is no longer needed).
* Address transitive vulnerabilities
* Address transitive vulnerabilities
* fix(deps): resolve pyOpenSSL/cryptography conflict and align constraint pins
CI dependency resolution failed because pyOpenSSL~=24.1.0 caps cryptography
at <43, conflicting with the cryptography>=44.0.1 bump. Widens pyOpenSSL to
>=24.3.0 (first version compatible with cryptography 44.x) and aligns the
airflow constraint file pins for cryptography and GitPython with the
upstream setup.py bumps so pip install -c can resolve.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(security): pin libthrift 0.23.0 and exclude Jackson 3.x from jsonschema2pojo-core
- Pin org.apache.thrift:libthrift to 0.23.0 in dependencyManagement.
apache-jena-libs:4.10.0 transitively pulls libthrift:0.19.0 which is
vulnerable to CVE-2026-43869 (fixed in 0.23.0).
- Exclude tools.jackson.core:jackson-core and jackson-databind from
jsonschema2pojo-core in common/pom.xml. jsonschema2pojo-core 1.3.x
switched its internal Jackson to 3.x; the existing exclusion only
covered the legacy com.fasterxml.jackson.core groupId, so 3.0.2 jars
were leaking into the runtime classpath despite our annotator code
using Jackson 2.x exclusively. Removes exposure to:
- GHSA-2m67-wjpj-xhg9
- CVE-2026-29062
- GHSA-72hv-8253-57qq (3.x line)
* chore(security): bump azure-security-keyvault-secrets and simple-java-mail to fix transitive CVEs
- com.azure:azure-security-keyvault-secrets 4.10.0 → 4.10.7
4.10.7 declares azure-core-http-netty 1.16.4, which uses
reactor-netty-http 1.2.16. Replaces the second source path of
reactor-netty-http 1.0.48 in the OM standalone dist.
Fixes CVE-2025-22227 (the azure-kv path).
- org.simplejavamail:simple-java-mail 8.12.2 → 8.12.6
Hygiene bump (4 patch versions). Note: simple-java-mail 8.12.6's
master pom still pins angus-mail to 2.0.3, so the actual angus-mail
fix for CVE-2025-7962 still relies on OM's existing
<angus-mail.version>2.0.4</angus-mail.version> dep-management entry,
which already wins for OM standalone (verified: openmetadata-1.12.7
dist already ships angus-mail-2.0.4.jar).
* fix(security): switch libthrift fix from version-pin to exclusion; expand reasoning comments
libthrift (CVE-2026-43869):
Replace the dependencyManagement pin to 0.23.0 with an explicit <exclusion>
on apache-jena-libs. OM's source tree has zero org.apache.thrift imports and
no references to RDF Thrift binary serialization (RDF_THRIFT, ThriftConvert,
RDFFormat.*THRIFT) — the only consumer of libthrift in our dep tree is Jena's
optional RDF Thrift I/O code path, which OM never exercises.
libthrift 0.23.0 was published 2026-05-08 and no Jena release yet ships it
(Jena 6.0.0 and 5.6.0 still ship libthrift 0.22.0, also vulnerable). Pinning
would force a Jena-uncertified libthrift onto code Jena tests with 0.22.0;
excluding the unused JAR is cleaner and self-cleaning when Jena bumps.
Lucene/Solr (also in this dep tree) already excludes libthrift for the same
reason — confirmed via lucene-solr-grandparent pom.
Jackson 3.x exclusion: expanded the comment in common/pom.xml to record the
upstream state (jsonschema2pojo-core 1.3.3 still pins jackson3.version=3.0.2)
and the verification that build succeeds with the exclusion.
* fix(security): mark jsonschema2pojo-core as <optional> instead of maintaining per-dep exclusion list
Per Copilot review on PR #28010 (line 66 of common/pom.xml): jsonschema2pojo-core
is build-time only — the annotator classes that reference it (PasswordAnnotator,
MaskedAnnotator, etc.) are invoked exclusively by the jsonschema2pojo-maven-plugin
at code-gen time, never on the runtime classpath of any deployed service.
Switch from a growing list of <exclusion> entries (which only caught the deps
known at the time each entry was added) to <optional>true</optional>. This stops
jsonschema2pojo-core AND every transitive dep it pulls — current and future —
from propagating to downstream consumers' runtime classpath.
Effect on the GHSA-2m67-wjpj-xhg9 / CVE-2026-29062 / GHSA-72hv-8253-57qq fix:
the jackson-core-3.0.2 / jackson-databind-3.0.2 jars (groupId tools.jackson.core)
no longer leak into the dist via this path. Verified:
$ mvn -pl openmetadata-service dependency:tree -Dincludes='tools.jackson.core:*,org.jsonschema2pojo:*'
(empty)
$ mvn -pl openmetadata-spec -am install -DskipTests
BUILD SUCCESS (annotator code-gen still works — jsonschema2pojo-maven-plugin
pulls jsonschema2pojo-core via its own <dependencies> block,
and adds common.jar there too via openmetadata-spec/pom.xml)
* fix(security): revert libthrift exclusion → pin to 0.23.0; Jena statically references TException
The exclusion broke RDF tests:
RdfInferenceConfigurationTest, RdfPropertyMapperTest,
SparqlBuilderNestedFieldsTest, SqlToSparqlTranslatorTest
fail with `Could not initialize class org.apache.jena.rdf.model.ModelFactory`
and `org/apache/thrift/TException` (NoClassDefFoundError).
Even though OM never calls RDF Thrift I/O directly, several Jena classes
(ModelFactory, PrefixMappingImpl, etc.) statically reference
org.apache.thrift.TException at class-init time. Removing libthrift fails
class loading on the very first use of any Jena Model.
The grep for `org.apache.thrift` in OM source missed this because the
references are in Jena's own bytecode, not OM's source.
Reverting the exclusion. Pinning libthrift to 0.23.0 in dependencyManagement
remains the only available fix:
- No Jena release ships the fix (latest 6.0.0 still uses 0.22.0;
libthrift 0.23.0 was published 2026-05-08).
- Exclusion breaks the build (above).
- Pinning forces the fixed version onto Jena's classpath; libthrift
maintains backwards-compatible binary protocol semantics, so Jena's
runtime usage continues to work. CI will validate.
In-pom comment expanded to record this discovery so the trade-off doesn't
get re-litigated next round.
* chore: shorten security comments in poms
* fix(security): exclude netty-transport-native-epoll from azure-core-http-netty
GHSA-rwm7-x88c-3g2p / CVE-2026-42577 (AWS Inspector reports HIGH). The bug is
in netty 4.2.x epoll; we ship 4.1.x. The advisory's machine-readable
vulnerable_version_range is < 4.2.13.Final (overly broad), which causes
scanners to flag 4.1.x even though the buggy code path was never in 4.1.
Bumping our netty to 4.2.13.Final is blocked by Azure SDK / gRPC / AWS SDK /
reactor-netty all targeting 4.1.x. Instead, exclude the Linux native binding
JAR (the only thing in our tree that is named io.netty:netty-transport-native-epoll)
so the flagged artifact stops shipping in the dist. Netty's standard pattern is
to call Epoll.isAvailable() and fall back to NioEventLoopGroup when the native
binding is absent — the exact same code path already used on macOS/Windows
deployments. netty-transport-classes-epoll (the Java classes, required by
reactor-netty/lettuce/AWS-netty-nio-client bytecode references) stays.
Verified:
mvn -pl openmetadata-service -am dependency:tree \
-Dincludes='io.netty:netty-transport-native-epoll'
-> empty (was: 4.1.133.Final-linux-x86_64)
* fix(security): align reactor-netty-http dep-mgmt pin to 1.2.16
Per Copilot review on PR #28010 (line 19): the bump of azure-kv to 4.10.7 was
described as bringing reactor-netty-http 1.2.16, but the existing dep-mgmt pin
to 1.2.14 was overriding the transitive (mvn dependency:tree confirmed 1.2.14
was the actual resolved version).
Bump the pin 1.2.14 → 1.2.16 to match what azure-core-http-netty 1.16.4 ships
transitively. Both are above the CVE-2025-22227 fix line (≥ 1.2.8), so this is
a pin-alignment cleanup, not a security delta.
* fix(security): switch jsonschema2pojo-core from <optional> to <scope>provided</scope>
Semantically more correct for a build-time-only dep. The annotator classes
(PasswordAnnotator, MaskedAnnotator, etc.) are invoked only by
jsonschema2pojo-maven-plugin at code-gen time in its own classloader; the
runtime classpath of any deployed service never needs jsonschema2pojo-core.
<scope>provided</scope> says exactly that:
- on compile + test classpath (so annotators compile)
- excluded from runtime / dist packaging by default
- not propagated to downstream consumers
Same scanner outcome as <optional>true</optional> — Jackson 3.x JARs still
don't ship in the dist — but cleaner expression of intent. CVE coverage
unchanged: GHSA-2m67-wjpj-xhg9, CVE-2026-29062, GHSA-72hv-8253-57qq.
Verified:
mvn -pl openmetadata-spec -am install -DskipTests → BUILD SUCCESS
mvn -pl openmetadata-service dependency:tree -Dincludes='tools.jackson.core:*,org.jsonschema2pojo:*' → empty
* fix(security): switch netty-epoll exclusion from dep-mgmt to per-direct-dep
Per Copilot review on PR #28010: the previous parent-pom dep-management entry
for azure-core-http-netty with <exclusion> on netty-transport-native-epoll
did work (verified via mvn dependency:tree — exclusion DOES propagate to
transitive resolution in dep-mgmt), but Copilot raised a concern that pinning
azure-core-http-netty to 1.16.4 would block future Azure SDK bumps if a newer
SDK requires a higher azure-core-http-netty.
Same refactor as already applied to ai-platform PR #669. Remove the parent
dep-mgmt entry; apply per-direct-dep <exclusions> on the 3 azure-* deps that
transitively bring azure-core-http-netty in openmetadata-service:
- azure-security-keyvault-secrets
- azure-identity
- azure-storage-blob
Exclusion now travels with whatever azure-core-http-netty version each SDK
chooses; SDK bumps are no longer blocked by a hardcoded version.
Verified: mvn -pl openmetadata-service dependency:tree -Dincludes='io.netty:netty-transport-native-epoll'
returns empty.
* fix(security): extend netty-epoll exclusion to azure-identity-extensions
Per gitar-bot review on PR #28010: add the netty-transport-native-epoll
<exclusion> to azure-identity-extensions for consistency with the 3 other
azure-* direct deps in openmetadata-service/pom.xml that already have it
(azure-security-keyvault-secrets, azure-identity, azure-storage-blob).
Defensive: today's resolution is already clean because Maven's
nearest-definition rule picks the directly-declared azure-identity:1.15.2
(with our exclusion) over the transitive azure-identity:1.7.1 brought by
azure-identity-extensions:1.0.0. Adding the exclusion here protects against
a future refactor that removes the direct azure-identity declaration.
Verified: mvn -pl openmetadata-service dependency:tree -Dincludes='io.netty:netty-transport-native-epoll'
still returns empty.
---------
Co-authored-by: Shailesh Parmar <shailesh.parmar.webdev@gmail.com>
* chore(security): bump deps to address reported CVEs
- log4j 2.25.3 -> 2.25.4 (CVE-2026-34477/34478/34480)
- jsonschema2pojo 1.2.2 -> 1.3.0 (CVE-2025-3588)
- netty-bom 4.1.132 -> 4.1.133 (netty-codec/transport GHSAs)
- azure-identity 1.14.0 -> 1.15.2 in openmetadata-service to align
with parent dependencyManagement
* fix: bump jsonschema2pojo to 1.3.1 to fix maven-plugin classpath
1.3.0 dropped its declared dep on plexus-utils, breaking the
maven-plugin at runtime with NoClassDefFoundError on
org/codehaus/plexus/util/DirectoryScanner. 1.3.1 restores it.
1.3.3 has a separate regression (IndexOutOfBoundsException in
ValidRule), so 1.3.1 is the right pin.
* fix(security): upgrade Java dependencies to resolve CRITICAL and HIGH CVEs
- jetty-http: 12.1.6 → 12.1.7 (HTTP Request Smuggling, CRITICAL)
- bcpkix/bcprov/bcutil-jdk18on: 1.80 → 1.84 (Crypto Signature Bypass + Timing Attack)
- postgresql: 42.7.7 → 42.7.11 (SCRAM-SHA-256 DoS)
- httpcore5-h2: pinned to 5.3.5 (HTTP/2 stream reset DoS)
- commons-compress: pinned to 1.26.0 (Infinite Loop DoS)
- jackson-core: 2.18.6 → 2.19.0 (async parser resource exhaustion)
- maven-shade-plugin: 3.5.1 → 3.6.0 (supports Java 22 MR-JAR in jackson-core 2.19.0)
- openapi-generator template override: jackson-version 2.17.1 → 2.19.0 in generated swagger pom
* fix(security): upgrade spring-web 6.2.11 → 6.2.18
* fix(security): align jackson-dataformat-yaml, feign, gson, logback versions
- jackson-dataformat-yaml: 2.17.2 → ${jackson.version} (2.19.0)
- feign-core: 13.2.1 → 13.5 (in openapi-gen template)
- gson: 2.10.1 → 2.11.0 (in openapi-gen template)
- logback-classic: 1.3.13 → 1.5.25 (in openapi-gen template)
* fix(security): use jackson 2.18.7 — highest clean 2.x with full ecosystem
2.19.0-2.21.0 all carry a HIGH (CVSS 8.7) vulnerability per Sonatype.
2.18.7 is the latest clean patch where all Jackson modules are released.
* fix(security): remove hardcoded jackson 2.17.2 override in k8s-operator, inherit 2.18.7 from root
* fix(security): upgrade gson 2.11.0 → 2.13.1 (Medium CVE)
* fix(security): replace 436-line pom.mustache with minimal stub
The openapi-generator-maven-plugin writes target/generated-sources/swagger/pom.xml
at build time with hardcoded jackson 2.17.1. Snyk --all-projects picks up every
pom.xml on disk and flags it as HIGH.
The generated pom.xml is never packaged into any JAR or Docker image — it is a
generator artefact. The actual runtime jackson version comes from the module pom
inheriting jackson.version=2.18.7 from the root. Replace the 436-line verbatim
upstream template (maintained just to change 2 version lines) with a 10-line
coordinate-only stub. The generated pom.xml will have no <dependencies> block,
so Snyk finds nothing to flag.
Bumps io.netty:netty-bom from 4.1.129.Final to 4.1.132.Final to fix:
- CVE-2026-33870: HTTP Request Smuggling in netty-codec-http (HIGH 8.7)
- CVE-2026-33871: HTTP/2 DoS via CONTINUATION frame flood in netty-codec-http2 (HIGH 8.7)
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* Fix Metrics collection; reduce no.of metrics; improve slow request logging
* Move sync calls to search & rdf to async
* Improve slow request tracking
* Improve slow request tracking
* Add clear breakdown in slow request
* Batch TestCaseRepository calls
* Batch API calls
* Initial Implementation of ReadEngine
* Improvements with ReadEngine/WriteEngine
* Improvements with ReadEngine/WriteEngine
* Improvements with ReadEngine/WriteEngine
* Improve by removing unnecessary ser/de
* Additional improvements with PatchFieldsPlanner
* Further performance improvements
* Further performance improvements
* Address comments
* Merge from main
* Address comments
* Address comments
* Address latest feedback - 2/21
* fix merge conflict
* Address Slow Request review
* Address the comments
* Address comments; Fix tests
* Fixes to the failing tests
* Fix bugs in tests
* Fix checkstyle
* Address playwright tests
* Fix tests
* Fix bugs
* Fix tests
* address comments
* Fix issues from playwright
* Fix playwright tests
* Fix tests for playwright
* Address comments
* Fix glossary test
* fix checkstyle
* Fix playwright issues
* Fix playwright issues - incrementalChagneDesc
* Restore ApprovalTaskWorkflow in GlossaryTerm and TestCase repositories
The slow_request branch accidentally removed entity-specific ApprovalTaskWorkflow
overrides, causing the generic parent to use checkUpdatedByTaskAssignee instead of
checkUpdatedByReviewer. This broke Glossary approval and TestCase approval Playwright tests.
- GlossaryTermRepository: restore ApprovalTaskWorkflow with checkUpdatedByReviewer
- TestCaseRepository: restore ApprovalTaskWorkflow, preDelete guard, updateReviewers
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Fix base ApprovalTaskWorkflow to use reviewer check instead of task assignee
The centralized ApprovalTaskWorkflow in EntityRepository was using
checkUpdatedByTaskAssignee instead of checkUpdatedByReviewer, breaking
approval workflows for all entity types. Added verifyReviewer() as a
top-level static method on EntityRepository and restored missing
updateReviewers() and preDelete IN_REVIEW guards in DataContract,
DataProduct, Metric, and Tag repositories. Removed now-redundant
entity-specific ApprovalTaskWorkflow overrides from GlossaryTerm and
TestCase repositories.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Fix regression introduced in backend tests; make the playwright tests stable
* Stabilize the playwright tests
* Stabilize the playwright tests
* Improve playwright tests
* Improve playwright tests
* Fix team playwrights
* Fix merge from main
* Fix playwrigt tests
* Fix playwright tests
* Batch domain/data product asset counts into single ES aggregation queries
Replace N individual ES count queries with single aggregation query per
entity type. Domain counts roll up child counts to parent domains.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Improve Playwright test reliability and expand CI shards
Add polling waits for async ES indexing, fix lineage edge selectors,
use API-based setup for domain/data product widget tests, and expand
CI from 6 to 8 shards with dedicated graph/landing projects.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Playwright: Improve test reliability with response checks and guards
- Add API response status checks in create() for Domain, DataProduct,
Glossary, TableClass, and UserClass — silent API failures now throw
immediately with status code and response body
- Add guards in selectDataProduct() and addAssetsToDataProduct() for
undefined name/fqn — clear error messages instead of cryptic
"locator.fill: value: expected string, got undefined"
- Fix GlossaryPermissions double navigation — remove redundant
redirectToHomePage + sidebarClick before glossary.visitEntityPage()
- Increase OnlineUsers timeout from 5s to 15s for CI resource pressure
- Increase Tour badge timeout from 10s to 20s
- Fix visitGlossaryPage: wait for loader before clicking menuitem
- Remove chromium testIgnore for graph/landing/stateful test files
(these must run in chromium project for 6-shard CI workflow)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Playwright: Remove all networkidle waits and improve CI reliability
- Remove ~780 networkidle waits across 144 test/utility files — these
hang or resolve prematurely under CI load causing false negatives
- Add polling.ts with waitForSearchIndexed and waitForPageLoaded helpers
- Convert checkAssetsCount and search functions to expect.poll() for
async ES indexing tolerance
- Increase expect timeout to 15s for CI environments
- Split CI into 8 shards with dedicated projects (stateful/graph/landing)
to reduce thread contention
- Fix GITHUB_STEP_SUMMARY size overflow (base64 screenshots → table)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Playwright: Fix genuine test failures from networkidle removal
- GlossaryPagination: Fix waitForResponse race conditions - register
listener BEFORE the triggering action, add **/ URL prefix
- LanguageOverride: Fix selector from getByText('EN') to
getByText('English - EN') matching actual dropdown text
- NestedColumnsExpandCollapse: Fix URL glob pattern, use dispatchEvent
to avoid inner Link navigation, add waitForResponse for filtered search
- lineage.ts: Revert dragConnection hover approach that broke React
Flow connection mode, keep direct dispatchEvent
- customizeLandingPage.ts: Remove waitForURL that hangs after page.goto
- Teams.spec.ts: Add isJoinable: false for private team creation
- UserDetails.spec.ts: Revert Escape/clickOutside save flow that
dismissed edit mode before saving roles
- Users.spec.ts: Revert Data Consumer permissions test to original
simple approach using fixtures
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Playwright: Relax OnlineUsers activity time assertion
The "Online now" exact match fails under CI load because the activity
timestamp may show as "X seconds ago" or "X minutes ago" by the time
the page renders. Changed to accept any recent activity format.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Playwright: Fix 4 genuine test failures from CI run
1. saveCustomizeLayoutPage: Use response predicate matching both
POST (create) and PUT (update) patterns instead of glob that
only matched updates. Fixes 180s timeout in drag-and-drop test
when layout doesn't exist yet (fullyParallel=true).
2. GlossaryMiscOperations: Add test.slow(true) — test does 9
sequential page navigations that exceed the 60s timeout.
3. DomainDataProductsWidgets "Assign Widgets": Add test.slow(true)
— calls addAndVerifyWidget twice, each with multiple navigations.
4. DomainFilterQueryFilter: Add waitForAllLoadersToDisappear before
clicking domain-dropdown after search operations that trigger
page re-renders.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Playwright: Fix AutoPilot test — reload page after API status poll
The AutoPilot status banner never appeared because:
1. checkAutoPilotStatus polls the workflow API directly via apiContext
(outside the browser), not through page network requests
2. The UI uses WebSocket for live updates, but the socket connection
is only established when the page loads with status=RUNNING
3. Since the page loaded before the workflow started, the socket was
never connected, so the UI never received the completion event
Fix: reload the page after checkAutoPilotStatus confirms the workflow
finished, so the UI renders with the current state. Also increase the
banner visibility timeout to 30s for CI environments.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Playwright: Fix flaky tests — entity collisions, missing cleanup, expect timeout
- Replace Date.now() with uuid() for entity names in CustomProperties tests
to prevent collisions when parallel workers execute within the same millisecond
- Fix FollowingWidget: move shared adminUser create/delete to top-level
base.beforeAll/afterAll to prevent duplicate user creation across 11
parallel test.describe blocks
- Add missing afterAll cleanup to OnlineUsers, Metric, CustomPropertyAdvanceSearch,
and CustomProperties tests to prevent entity/user leaks between runs
- Replace hardcoded metric name in MetricSearch with uuid-based name
- Add global expect timeout of 15s (up from 5s default) for CI resilience
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Fix Playwright CI: include UI in build-once Maven build
The build-once optimization (#26423) used -DonlyBackend -pl !openmetadata-ui
which produces a tar.gz without the compiled React app. The Docker container
starts but cannot serve the login page, causing auth.setup.ts to timeout
on all 6 shards waiting for input[id="email"] to appear.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Fix CodeQL security warnings
- Replace Math.random() with crypto.randomUUID() for test data generation
- Escape backslash characters in CSS selectors for glossary FQN values
- Use page.getByTestId() instead of raw CSS selectors in entity utils
- Increase RSA key size from 512 to 2048 bits in JwtFilterTest
- Skip archive entries containing '..' in JsonUtils.getResourcesFromJarFile
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Playwright: Fix user cleanup to prevent 'Email Already Exists' failures
- Glossary.spec.ts: Fix typo user3.create→delete in afterAll, add missing adminUser.delete
- Teams.spec.ts: Add afterAll cleanup hooks for 3 nested describe blocks that were missing them (EditUser, DataConsumer, Owner)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Playwright: Add afterAll cleanup hooks and fix test reliability
- InputOutputPorts.spec.ts: Add afterAll for domain/tables/topics/dashboards
- Users.spec.ts: Add top-level afterAll for all shared entities
- Entity.spec.ts: Add afterAll for shared + per-entity-type cleanup
- Pagination.spec.ts: Add afterAll for 13 describe blocks (services, DBs, etc.)
- DataProductRename.spec.ts: Add afterAll cleanup
- TestCaseIncidentPermissions.spec.ts: Add afterAll for users/roles/policies/table
- ImpactAnalysis.spec.ts: Add afterAll for all 7 entity types
- NestedColumnsExpandCollapse.spec.ts: Add afterAll for 4 describe blocks
- DataProductPermissions.spec.ts: Add afterAll cleanup
- ServiceEntityPermissions.spec.ts: Add afterAll for testUser + per-entity
- ServiceForm.spec.ts: Add afterAll for adminUser
- domain.ts: Replace waitForTimeout(2000) with proper loader/tab waits
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Trigger Playwright CI
* Playwright: Fix 2 failures and 26 flaky tests with proper waits
Fix remaining 2 genuine failures:
- DomainDataProductsWidgets: add test.slow(true) for ES indexing lag
- Users.spec.ts: add test.slow(true) and loader waits for owner search
Fix 26 flaky tests by addressing 5 root cause patterns:
- Response listener after trigger: MetricCustomUnitFlow, DomainUIInteractions
- Missing loader wait after navigation: 16 tests across CustomizeDetailPage,
DataProductPersonaCustomization, DataContracts, ExploreTree, and others
- Element not rendered after API response: EntityVersionPages, ODCSImportExport
- DOM not settled after loader: Domains nested rename
- Permission cache propagation: GlossaryPermissions
Shared utility improvements:
- waitForPatchResponse uses entity-specific URL pattern
- openColumnDetailPanel accepts entityEndpoint param with API response wait
- Entity.spec.ts uses dynamic entity.endpoint instead of hardcoded tables
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Playwright: Fix addOwner retry to wait for search API response
The owner search retry loop was refilling the search input but not
waiting for the API response before checking item visibility. This
caused the poll to repeatedly check stale/empty results.
Fix: await search response and loader detach in each retry iteration.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Playwright: Fix owner listitem selector — remove exact match
The owner selection list items include avatar initials (e.g., "G") in their
accessible name, making exact: true fail since the accessible name is
"G UserName" not just "UserName". Switching to substring matching fixes
the Users.spec.ts persistent failure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Playwright: Fix 10 remaining flaky tests with proper waits
- ColumnLevelTests: loader wait after visiting test case panel
- DataQualityPermissions: loader wait after visiting test suite page
- IncidentManagerDateFilter: loader wait after page reload
- InputOutputPorts: wait for warning alert before asserting
- Lineage: replace 5 hardcoded waitForTimeout(500) with loader waits
- CustomizeDetailPage: dialog close waits, fix missing await on expect
- DataProductPersonaCustomization: loader wait + modal visibility check
- GlossaryPermissions: increase permission propagation wait, loader wait
- GlossaryHierarchy: loader waits after modal close and glossary select
- ExploreTree: loader waits after API response before UI interaction
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Fix CodeQL security alerts: incomplete escaping and Zip Slip
1. entity.ts: Use JSON.stringify().slice(1,-1) for proper escaping of
both backslashes and double quotes in filter values, replacing the
incomplete .replace(/"/g, '\\"') approach.
2. JsonUtils.java: Strengthen Zip Slip protection by normalizing paths
via Paths.get().normalize() and rejecting entries starting with "/"
or resolving to parent traversal after normalization.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Fix tests
* Fix tests
* Fix recordChange field name mismatches and CodeQL alert
- ServiceEntityRepository: recordChange("ingestionAgent") → "ingestionRunner"
to match the JSON property name. The shouldCompare() gate in PATCH flow
was silently dropping ingestionRunner changes because the field name
didn't match patchedFields.
- DataContractRepository: compareAndUpdate("status") → "entityStatus"
to match the JSON property name, same root cause.
- JsonUtils: Simplify Zip Slip check to string-based validation to
satisfy CodeQL taint analysis.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Remove serial mode from Users.spec.ts to prevent cascade failures
A single flaky test failure was causing ~19 tests across 5 unrelated
describe blocks to be skipped. Matches main branch behavior (parallel).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Playwright: Fix flaky tests — missing awaits, hardcoded waits, silent catches
- DataProductPersonaCustomization: add missing await on expect() calls
- TestCaseIncidentPermissions: poll for incident creation instead of one-shot query
- TestCaseResultPermissions: add loader wait after Data Quality tab click
- GlossaryPermissions: replace waitForTimeout(3000) with toPass() retry
- BulkImport: remove 4 unnecessary waitForTimeout calls
- importUtils/testCases: replace waitForTimeout(500) with grid visibility assert
- GlossaryAssets: add loader wait, remove silent .catch(() => false) pattern
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Fix CodeQL Zip Slip alert with Path.normalize() sanitization
CodeQL doesn't recognize String.contains("..") as proper Zip Slip
mitigation. Use Path.normalize() + isAbsolute/startsWith checks which
CodeQL's taint analysis model understands.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Fix Playwright flaky tests: modal visibility, toast race, query card assertion
- DataProductPersonaCustomization: wait for dialog close before clicking add-widget-button
- entity.ts restoreEntity: dismiss stale toast before restore to avoid race condition
- QueryEntity: replace page.$$() with auto-retrying expect().toBeVisible()
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Fix flaky TableResourceIT by preventing parallel multi-domain rule mutation
Both test_multipleDomainInheritance (TableResourceIT) and
test_csvImportEntityRuleValidation (DatabaseServiceResourceIT) toggle
the global "Multiple Domains are not allowed" rule. When running
concurrently, one overwrites the other's setting causing spurious
failures. Add @ResourceLock("MULTI_DOMAIN_RULE") to serialize only
these two tests while keeping all others concurrent.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Mohit Yadav <105265192+mohityadav766@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* fix: add iterative bisection on 413 and TaggedOperation refactor in bulk index sinks
* fix: align JUnit 5 versions via BOM to fix local test discovery
* fix: pass ReportDataType via constructor to CreateReportDataProcessor
* Add support for Dropwizard 5.0 and Jetty 12.1.x
* Dropwizard 5x and Jetty 12.1 upgrade
* Fix test behavior
* Fix rdf tests
* revert enableVirtualThreads
* fix tests
* Fix Tests
* Fix tests
* Switch to jersey-jetty-connector for Jetty 12 compatibility
- Replace jersey-apache-connector with jersey-jetty-connector
- Jersey 3.1.4+ jersey-jetty-connector supports Jetty 12.0.x+
- Use JettyConnectorProvider and JettyHttpClientSupplier for HTTP client
- Keep reasonable timeouts (30s connect, 2min read) to prevent CI hangs
- Set SYNC_LISTENER_RESPONSE_MAX_SIZE for large responses
This fixes the 1,093 InterruptedException test failures caused by
using the default Jersey client (HttpURLConnection-based) which doesn't
handle concurrent test execution properly.
* Fix: Start Jetty HttpClient before use
Jetty 12 HttpClient implements LifeCycle and must be explicitly
started with httpClient.start() before use. This fixes the 163
InterruptedException test failures.
* Fix: Force jetty-client to 12.1.1 for jersey-jetty-connector
jersey-jetty-connector brings transitive jetty-client:12.0.22 but
Dropwizard 5.0 uses Jetty 12.1.1. The ClientConnector.newTransport()
API changed between 12.0.x and 12.1.x, causing NoSuchMethodError.
Fix: Exclude transitive jetty-client and add explicit 12.1.x dependency.
* Use Java 11+ HttpClient connector for tests (jersey-jnh-connector)
Switch from the broken jersey-jetty-connector (incompatible with Jetty 12.1.x)
to jersey-jnh-connector which uses Java's built-in java.net.http.HttpClient.
This connector:
- Natively supports all HTTP methods including PATCH
- Works with Java 21
- No external dependencies required
- Avoids compatibility issues with Jetty versions
* Use Apache HttpClient 5.x connector for tests (jersey-apache5-connector)
Switch from jersey-jetty-connector (incompatible with Jetty 12.1.x)
to jersey-apache5-connector which uses Apache HttpClient 5.x.
This connector:
- Supports all HTTP methods including PATCH
- Lenient with empty PUT request bodies
- Has proper timeout support to prevent indefinite hangs
- Works with Jetty 12.1.x
* Fix tests
* Fix docker compose
* Fix tests
* Fix tests - make url compatible
* Add URL parsing
* Fix URL decode
* fix tests
* fix test
* fix tests
* Fix integration with new dropwizard-5x changes
---------
Co-authored-by: Karan Hotchandani <33024356+karanh37@users.noreply.github.com>
Co-authored-by: karanh37 <karanh37@gmail.com>
Co-authored-by: Mohit Yadav <105265192+mohityadav766@users.noreply.github.com>
* Add Parallel tests using the new SDK
* Make tests faster and use new SDK
* Add SDK based parallel tests
* Add SDK based parallel tests
* Fix from main
* Add Fluen APIs for Tests
* Add Fluen APIs for Tests
* Add missing Fluent APIs for SDK
* Add missing Fluent APIs for SDK - Data Contracts
* Migrate all the integration tests to new module
* Migrate all the integration tests to new module
* Improve pagination test performance
* Fix tests
* Migration Complete
* Fix the code styling; add github workflows, fix tags parallel issues
* Update migration tracker, address flaky tests
* Address comments
* rename env -> bootstrap for java package
* Fix YAML syntax in playwright-sso-tests.yml and update integration test workflows
* Fix: Upgrade MCP SDK to 0.14.0 for protocol 2025-06-18 support (#23982)
* spotless fix
* Add mcp-json-jackson2 dependency for SDK 0.14.0, MCP SDK 0.14.0 split JSON functionality into separate module. JacksonMcpJsonMapper is required for McpServer and McpUtils.
* Complete Maven Central Publishing Migration to Central Portal
* switch to latest 0.9.0 release of central-publishing-maven-plugin
* Remove distributionManagement section when using central-publishing-maven-plugin
---------
Co-authored-by: Pere Miquel Brull <peremiquelbrull@gmail.com>
* Remove CSS comments from email notification envelope
* Add markdown & HTML processing dependencies
* Notification channel foundation & channel renderers
* Implement core logic for the notification templates engine
* Test core logic for the notification templates engine
* fix: upgrade Spring Framework to 6.1.15 for security vulnerability
- Upgrades spring-beans, spring-core, spring-expression from 6.1.14 to 6.1.15
- Addresses security vulnerability detected by Snyk
- Patch release with no breaking changes
* fix: resolve critical security vulnerabilities in dependencies
* Upgrade Mcp to 0.11.2
Use stateless Mcp Servlet
* Add Test for Load Testing and Improve Search Response
* Fixed Glossary And Patch Test
* Add user tests
* Fix failing load test
