)]}' { "log": [ { "commit": "52a638e5b99ac66cb08cb5f066f807383b37d268", "tree": "0649bc421bfac910ac1d5ccd96771ab034c25365", "parents": [ "3d92e924f2a4cc1926d544e885da6167c1dcbf9a" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Wed Jun 17 00:53:38 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed Jun 17 00:53:38 2026 +0900" }, "message": "[ZEPPELIN-6428] Add reusable React mount infrastructure and migrate paragraph footer behind a flag\n\n### What is this PR for?\nzeppelin-web-angular ships React islands via Webpack Module Federation (PublishedParagraph pilot). This PR promotes that ad-hoc integration into reusable mount infrastructure and migrates the notebook paragraph footer as its first consumer, behind a `?reactFooter\u003dtrue` query-param gate.\n\n- `share/react-mount/`: `ReactMountDirective`, `ReactRemoteLoaderService`, and a `ReactMountHandle` contract (`mount(element, props)` returning `{ update, unmount }`) so prop changes update the React root in place instead of remounting. `remoteEntry.js` is loaded once per page (cached promise with failure eviction); each directive instance owns an isolated React root.\n- React `ParagraphFooter` component (zeppelin-react) matching the Angular footer\u0027s execution-time and elapsed-time behavior, wrapped in an error boundary.\n- Gate: `?reactFooter\u003dtrue`. Without the flag, rendering is unchanged. With the flag, remote load/mount/update errors — and React render/lifecycle errors caught by the error boundary — fall back to the Angular footer for that paragraph only.\n- Playwright E2E (`react-footer.spec.ts`) and a vitest unit-test harness for zeppelin-react covering the error boundary and the mount contract.\n- Toolchain alignment for `projects/zeppelin-react`: typescript 4.9.5 → 5.9.3 (matching the Angular workspace), \u003cat\u003etypes/node 18 → 22 (matching the node 22 runtime), vitest 4.1.8 — the latter fixes the critical advisory GHSA-5xrq-8626-4rwp flagged by the npm-audit CI job.\n\nThe existing PublishedParagraph pilot remains on its current loader; this PR only types its `container.get()` call. Migrating it to the new directive is a follow-up.\n\n### What type of PR is it?\nImprovement\n\n### Todos\n* [x] Mount infrastructure (`react-mount/`)\n* [x] React `ParagraphFooter` + error boundary\n* [x] `?reactFooter\u003dtrue` gate with per-paragraph Angular fallback\n* [x] Playwright E2E (5 cases incl. load-failure fallback)\n* [x] vitest unit tests (error boundary spec, mount contract)\n* [x] zeppelin-react toolchain alignment (TS 5.9 / \u003cat\u003etypes/node 22 / vitest 4.1.8)\n\n### What is the Jira issue?\n* https://issues.apache.org/jira/browse/ZEPPELIN-6428\n\n### How should this be tested?\nVerified locally:\n* `npx playwright test --project\u003dchromium react-footer` — 5/5 passed against a local Zeppelin server (0.13.0-SNAPSHOT), including the remote-load-failure fallback case.\n* `cd projects/zeppelin-react \u0026\u0026 npm test` — 13/13 vitest unit tests (error boundary behavior, `mount()` contract incl. update/unmount, outdated/elapsed formatting with a pinned clock).\n* `npm audit --audit-level\u003dhigh` exits 0 in `projects/zeppelin-react` (same gate as the npm-audit CI job). One moderate uuid advisory remains via sockjs/webpack-dev-server with no compatible upstream fix; it does not trip the high-level gate.\n* `eslint`/`prettier` clean on changed files; `tsc --noEmit` clean (also covers what the `transpileOnly` webpack build skips).\n\nManual:\n* Open a notebook with `?reactFooter\u003dtrue` → footer renders from React (`data-testid\u003d\"react-paragraph-footer\"`), `remoteEntry.js` requested once.\n* Without the flag → the Angular footer renders as before.\n* Block `remoteEntry.js` in DevTools → the paragraph falls back to the Angular footer with a console diagnostic.\n\nNote on coverage: the React pieces are unit-tested via a new self-contained vitest setup in `projects/zeppelin-react` (vitest 4.1.8). The Angular-side pieces (`ReactMountDirective`, `ReactRemoteLoaderService`) are covered through E2E only, since zeppelin-web-angular has no unit-test harness (zero `.spec.ts` under `src/`, no test target in angular.json). Happy to add Angular unit tests if a harness lands or committers prefer a different approach.\n\n### Screenshots (if appropriate)\nThe React footer is intended to match the existing footer\u0027s rendering (same text and layout; styles ported to a scoped CSS class).\n\n### Questions:\n* Does the license files need to update? Adds `date-fns` (MIT) to `projects/zeppelin-react`\u0027s package.json and lockfile (the Angular app already depends on it), plus dev-only test dependencies (vitest, jsdom, Testing Library). The lockfile diff includes npm peer-flag normalization from `npm install`.\n* Is there breaking changes for older versions? No. The footer change is opt-in via query param; default rendering is unchanged.\n* Does this needs documentation? No user-facing docs; developer docs updated in `projects/zeppelin-react/README.md`.\n\n\nCloses #5266 from tbonelee/ZEPPELIN-6428-react-mount-infrastructure.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "3d92e924f2a4cc1926d544e885da6167c1dcbf9a", "tree": "4b8813a929a28d54ce0bf50d6fd4fdeadc134777", "parents": [ "0c25a6ee09cd43f3b4b1de1218b4e43bd8434b86" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Wed Jun 17 00:52:20 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed Jun 17 00:52:20 2026 +0900" }, "message": "[ZEPPELIN-6427] Convert interpreter setting form to typed reactive forms\n\n### What is this PR for?\n\nNumeric interpreter properties edited in the Angular UI are sent as JSON numbers, which Gson deserializes as `Double` (`60000` → `\"60000.0\"`), breaking `Long`/`Integer` parsing in interpreters such as JDBC (ZEPPELIN-6395). The server-side workaround from ZEPPELIN-6131 only covers the update path, not create.\n\nThis PR fixes it on the client by converting `InterpreterItemComponent` from `UntypedFormBuilder` to typed reactive forms:\n\n- Non-checkbox values are sent as strings (like the classic UI); checkbox values stay real booleans, and `\"true\"`/`\"false\"` strings from corrupted data are normalized back on save.\n- New request DTOs mirror the fields `InterpreterOption.java` actually reads; the UI-only `session`/`process` fields (dead since ZEPPELIN-1210) are no longer sent.\n- Fixes wrong `Properties.value`/`type` interface types; response option fields that Gson omits when null are now optional.\n\nAlternative to #5147, which stringifies checkbox booleans too — persisting `\"false\"` makes an unchecked checkbox render as checked on reload. Credit to \u003cat\u003ekevinjmh for the original diagnosis.\n\n### What type of PR is it?\nImprovement\n\n### What is the Jira issue?\nhttps://issues.apache.org/jira/browse/ZEPPELIN-6427 (fixes ZEPPELIN-6395)\n\n### How should this be tested?\n\nNo unit test infra exists in `zeppelin-web-angular` (Playwright e2e only), so verified by `ng build` (strict, 0 errors), lint/prettier, and manually: numeric property saves as `\"60000\"` in `interpreter.json` (create and update), JDBC paragraph runs without `NumberFormatException`, unchecked checkbox stays unchecked after reload, and a regression pass over create/edit/cancel, property and dependency CRUD, and interpreter binding mode options.\n\n### Screenshots (if appropriate)\nN/A\n\n### Questions:\n* Does the license files need to update? No\n* Is there breaking changes for older versions? No\n* Does this needs documentation? No\n\n\nCloses #5265 from tbonelee/ZEPPELIN-6427-typed-interpreter-forms.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "0c25a6ee09cd43f3b4b1de1218b4e43bd8434b86", "tree": "3fbbcc18a19045d0c28f8acc4a33c27a4807c712", "parents": [ "78255fd960234022e4f6149239c43ae963cffa9e" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Wed Jun 17 00:48:44 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed Jun 17 00:48:44 2026 +0900" }, "message": "[ZEPPELIN-6426] Remove redundant eslint-disable comments in zeppelin-web-angular\n\n### What is this PR for?\nzeppelin-web-angular has several eslint-disable comments that no longer suppress any violation under the current ESLint configuration (e.g. no-invalid-this, id-blacklist, no-eval, jsdoc/no-types, \u003cat\u003etypescript-eslint/naming-convention, \u003cat\u003eangular-eslint/component-class-suffix). These unused directives are misleading and add noise, so this PR removes them. No functional change.\n\n### What type of PR is it?\nImprovement\n\n### What is the Jira issue?\n* https://issues.apache.org/jira/browse/ZEPPELIN-6426\n\n### How should this be tested?\n* Run `npm run lint` in zeppelin-web-angular and confirm it still passes.\n\n### Questions:\n* Does the license files need to update? No\n* Is there breaking changes for older versions? No\n* Does this needs documentation? No\n\nCloses #5264 from tbonelee/fix-lint.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "78255fd960234022e4f6149239c43ae963cffa9e", "tree": "faad9444d214f463ee3ecdc0cab4472ad1f02070", "parents": [ "e1712ecee5f170ec375b3b4945e061bd2ca73a0d" ], "author": { "name": "Jarek Potiuk", "email": "jarek@potiuk.com", "time": "Fri Jun 12 03:38:47 2026 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Fri Jun 12 10:38:47 2026 +0900" }, "message": "Add security threat model and wire AGENTS.md -\u003e SECURITY.md -\u003e THREAT_MODEL.md\n\n**This is a v0 draft proposal for the Zeppelin PMC to review — please correct, reject, or discuss as needed.** The maintainer is the decision-maker; nothing here is a requirement. The threat model does not need to be \"finished\" for anything downstream — it just makes automated security review (and triage of inbound reports) far less noisy.\r\n\r\n**Context.** The ASF Security team is preparing the project for an automated agentic security scan we\u0027re piloting. Those scans run against a threat model that tells the scanner what\u0027s in scope, what\u0027s by-design, and what counts as a real finding — without one, the output buries maintainers in noise. This PR proposes the discoverable model plus the wiring the scanner needs.\r\n\r\n**What\u0027s in this PR:**\r\n- **`THREAT_MODEL.md`** (new) — a v0 security threat model written from Zeppelin\u0027s public docs + codebase, following the [threat-model-producer rubric](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573). Every claim carries a provenance tag: *(documented)* (from your docs/site) or *(inferred)* (our guess from code/docs, for you to confirm / correct / strike). Draft confidence ~18 documented / 24 inferred.\r\n- **`SECURITY.md`** (was an empty file) — disclosure pointer + link to the threat model.\r\n- **`AGENTS.md`** — a `## Security` section so the `AGENTS.md → SECURITY.md → THREAT_MODEL.md` chain resolves for automated tooling. The existing developer guidance is unchanged.\r\n\r\n**The framing to sanity-check first:** Apache Zeppelin runs user notebook code by design, so RBAC (Shiro + notebook ACL + URL ACL + impersonation) is the boundary, **not a sandbox** — a `%sh` command from a run-capable user is the product working, not RCE. The model treats interpreter execution as in-scope only when it crosses an authn/authz or tenant boundary.\r\n\r\n**What we\u0027d need from the PMC:**\r\n1. **§14 wave 1 (the important one):** rule on the insecure defaults — is anonymous-by-default / public-notebooks / impersonation-off the *supported production posture* (a report against it is `VALID`), or a dev-convenience operators are expected to change (`OUT-OF-MODEL: non-default-build`)? This reshapes the whole model.\r\n2. Walk the §14 questions (waves 1–3) — a one-line confirm / correct / strike per question is enough; each *(inferred)* tag becomes *(maintainer)* as you answer.\r\n\r\nIf you\u0027d rather own the drafting yourselves, close the PR and we\u0027ll wait — entirely your call.\r\n\n\nCloses #5268 from potiuk/asf-security/threat-model-2026-06-05.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "e1712ecee5f170ec375b3b4945e061bd2ca73a0d", "tree": "c5f96e14d5bee12a236476300926d37bed3edb3b", "parents": [ "6c13c8edafa9d5b9a747aadc50fb909b0e3268b6" ], "author": { "name": "YONGJAE LEE (이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Tue Jun 09 00:27:12 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Jun 09 00:27:12 2026 +0900" }, "message": "[ZEPPELIN-6429] Focus paragraph editor on clone/insert in New UI\n\n### What is this PR for?\r\nAfter cloning or inserting a paragraph in the New UI, the cursor stays on the wrapper element instead of the editor, so you have to click before typing. This focuses the new paragraph\u0027s editor one tick after `PARAGRAPH_ADDED`, gated to clone/insert initiated by this client so auto-append on run and other clients\u0027 inserts don\u0027t steal focus. It also skips dirty-marking on programmatic editor `setValue` (`isFlush`) so the cloned content isn\u0027t discarded. (The clone *content* loss itself is handled separately in https://github.com/apache/zeppelin/pull/5254#pullrequestreview-4415596876; this covers the *cursor* part.)\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6429\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\nhttps://github.com/user-attachments/assets/2dca9137-3eb3-49c3-bff8-da3429613025\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5267 from voidmatcha/fix/clone-paragraph-cursor-focus-master.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "6c13c8edafa9d5b9a747aadc50fb909b0e3268b6", "tree": "8180805cfbc1971fbbd0da15de61a34b8c954cab", "parents": [ "15966b53d8a96a00fc6f4752516b6edd037b8c1a" ], "author": { "name": "hojeong park", "email": "parkhj062@gmail.com", "time": "Sun Jun 07 14:50:50 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun Jun 07 14:50:50 2026 +0900" }, "message": "[ZEPPELIN-6424] Align web-angular README Node.js prerequisite\n\n### What is this PR for?\r\nUpdates the `zeppelin-web-angular` README Node.js prerequisite from v16 to `22.21.1`.\r\n\r\nThis matches the version pinned in `zeppelin-web-angular/.nvmrc` and `zeppelin-web-angular/pom.xml`.\r\n\r\n### What type of PR is it?\r\nDocumentation\r\n\r\n### Todos\r\n* [x] Update the `zeppelin-web-angular` Node.js prerequisite\r\n\r\n### What is the Jira issue?\r\nhttps://issues.apache.org/jira/browse/ZEPPELIN-6424\r\n\r\n### How should this be tested?\r\nDocumentation-only change.\r\n\r\n### Screenshots (if appropriate)\r\nN/A\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? Yes\n\nCloses #5269 from parkhojeong/docs/web-angular-node-prerequisite.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "15966b53d8a96a00fc6f4752516b6edd037b8c1a", "tree": "33f6dcabe0e7ff07c0cc22e1b07cf7796ff8458a", "parents": [ "0539c8a386c198985bd69acefbe8208bcfa12412" ], "author": { "name": "Kalyan", "email": "kalyan.kumar@gmail.com", "time": "Wed Jun 03 07:46:00 2026 -0700" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed Jun 03 23:46:00 2026 +0900" }, "message": "[ZEPPELIN-4407] Add copy to clipboard (TSV/CSV) for table results\n\n## What is this PR for?\r\n\r\nI\u0027ve seen users downloading CSV and opening in spreadsheet viewer and copying the text. \r\nAdding way to copy CSV/TSV directly. This is orginally implemented by \u003cat\u003eamakaur #3496 but it was closed due to lack of tests. I\u0027m picking it up now. \r\n\r\n\r\n### Changes\r\n\r\n**Angular UI (`zeppelin-web-angular`)**\r\n- `result.component` — paragraph toolbar dropdown: renamed existing items to \"Download as CSV/TSV\", added divider, then \"Copy as TSV\" and \"Copy as CSV\"\r\n- `table-visualization.component` — inner table Export menu: added \"Copy all data as TSV/CSV\" and \"Copy visible data as TSV/CSV\" (mirrors the existing \"Export visible\" scope)\r\n\r\n**Classic AngularJS UI (`zeppelin-web`)**\r\n- `result-chart-selector.html` — same dropdown restructure: Download / divider / Copy\r\n- `result.controller.js` — new `$scope.copyToClipboard(delimiter)` function\r\n\r\n### Behaviour\r\n- Header row (column names) is always included in the copied text\r\n- Cell values containing the delimiter, double-quotes, or newlines are RFC 4180 quoted\r\n- Uses `navigator.clipboard.writeText` with a `document.execCommand(\u0027copy\u0027)` fallback for older browsers\r\n\r\n## What type of PR is it?\r\nFeature\r\n\r\n## What is the Jira issue?\r\nhttps://issues.apache.org/jira/browse/ZEPPELIN-4407\r\n\r\n## How should this be tested?\r\n\r\n1. Run a paragraph that outputs a TABLE (e.g. `%sh printf \"col1\\tcol2\\na\\t1\\nb\\t2\\n\"`)\r\n2. Click the **▾** next to the download button in the paragraph toolbar\r\n3. Verify the menu shows: **Download as CSV**, **Download as TSV**, *(divider)*, **Copy as TSV**, **Copy as CSV**\r\n4. Click **Copy as TSV** → paste into a spreadsheet app or text editor — expect headers + rows, tab-delimited\r\n5. Click **Copy as CSV** → paste → expect headers + rows, comma-delimited\r\n6. Test with a cell value containing a comma, e.g. `\"hello, world\"` → the CSV copy should quote it correctly\r\n\r\n## Tests\r\n\r\n- **Classic UI (Karma/Jasmine):** `zeppelin-web/src/app/notebook/paragraph/result/result.controller.test.js` — 4 new specs covering TSV copy, CSV copy, delimiter quoting, and double-quote escaping\r\n- **Angular UI (Playwright E2E):** `zeppelin-web-angular/e2e/tests/notebook/paragraph/copy-to-clipboard.spec.ts` — 3 new specs (skipped on CI, require a live interpreter)\r\n\r\n## Questions\r\n- Does the license file need update? No\r\n- Is there a breaking change for older versions? No — existing Download as CSV/TSV behaviour is unchanged\r\n- Does this need documentation? No\r\n\r\n## screenshots\r\n\u003cimg width\u003d\"1022\" height\u003d\"766\" alt\u003d\"image\" src\u003d\"https://github.com/user-attachments/assets/2cac3b76-ccb3-4ddc-b5dd-1637a98bfe07\" /\u003e\r\n\r\n\u003cimg width\u003d\"1106\" height\u003d\"797\" alt\u003d\"image\" src\u003d\"https://github.com/user-attachments/assets/9c610ece-042e-422c-b3f8-2b363b87399d\" /\u003e\r\n\n\nCloses #5261 from kkalyan/master.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "0539c8a386c198985bd69acefbe8208bcfa12412", "tree": "8ee4c83c6f6cd9c03b9aeb3c1e3d6e05fdbfacb6", "parents": [ "ef090724d1e29e0d599fed41d3bad4769668f92f" ], "author": { "name": "YONGJAE LEE (이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Wed Jun 03 19:55:46 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed Jun 03 19:55:46 2026 +0900" }, "message": "[ZEPPELIN-6422] Stabilize flaky Playwright E2E tests\n\n### What is this PR for?\r\nThree races caused flaky `frontend / run-playwright-e2e-tests`:\r\n\r\n1. Per-test login raced on the shared session cookie under parallel workers -\u003e moved to a single `setup` project + `storageState`.\r\n2. `locator.fill` on Ant modal inputs landed before Angular bound the form-control -\u003e new `BasePage.fillAndVerifyInput()` retries via `expect.toPass` until the input value sticks.\r\n3. Modal/dropdown/theme/logout transitions had no explicit wait -\u003e targeted waits added at each boundary.\r\n\r\nInline comments on the diff for the non-obvious bits.\r\n\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6422\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5262 from voidmatcha/fix/e2e-flaky-final.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@snowcorp.com\u003e" }, { "commit": "ef090724d1e29e0d599fed41d3bad4769668f92f", "tree": "105e0f4cebc05c88f075a4133ec51ee53a573110", "parents": [ "1bcd87198e94c1d46384775d0f22de665ee6e4b6" ], "author": { "name": "YONGJAE LEE (이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Wed Jun 03 15:48:22 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed Jun 03 15:48:22 2026 +0900" }, "message": "[ZEPPELIN-6425] Migrate zeppelin-react ESLint config to v9 flat format\n\n### What is this PR for?\r\n\r\nThis regression surfaced after ZEPPELIN-6421 (zeppelin-react lint integration) and ZEPPELIN-6424 (Angular 13 to 21 upgrade) merged in close succession. Each PR passed CI in isolation, but together they broke `npm run lint:react`:\r\n\r\n- ZEPPELIN-6421 added `projects/zeppelin-react/package.json` scripts that use the ESLint 8 `--ext .ts,.tsx` flag and rely on `projects/zeppelin-react/.eslintrc.json`.\r\n- ZEPPELIN-6424 bumped the root install to ESLint 9, which removed `--ext` and dropped `.eslintrc.*` support entirely in favor of flat config (`eslint.config.{js,mjs,cjs}`).\r\n\r\nThe two changes never collided in their own PR CIs because each was tested against a master that didn\u0027t yet contain the other. Once both landed, master\u0027s `frontend / run-playwright-e2e-tests (auth, 3.9)` and `(anonymous, 3.9)` started failing at the `npm lint` step before Playwright ran.\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6425\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5263 from voidmatcha/fix/zeppelin-react-eslint-config.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "1bcd87198e94c1d46384775d0f22de665ee6e4b6", "tree": "7e87f7e0651ba0c9ec22a97337078d85bc323969", "parents": [ "4a551ed2c0f7ac7490fe10c89bb4554bd3dc49c6" ], "author": { "name": "Manhua", "email": "manhua@apache.org", "time": "Wed Jun 03 13:19:20 2026 +0800" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed Jun 03 14:19:20 2026 +0900" }, "message": "[ZEPPELIN-6419] Fix clone paragraph content loss caused by shortCircuit seq filtering\n\n### What is this PR for?\r\n**Problem**\r\nWhen cloning a paragraph in zeppelin-web-angular, the cloned paragraph only contains the interpreter binding (e.g., %mysql) but not the actual editor content (e.g., select 1 a, 2 a). The old zeppelin-web handles this correctly.\r\n\r\n**Root Cause Analysis**\r\nThe backend copyParagraph is a two-step operation:\r\n\r\n```\r\n1. insertParagraph() → broadcasts PARAGRAPH_ADDED (empty new paragraph, text\u003d\"%mysql\\n\")\r\n2. updateParagraph() → broadcasts PARAGRAPH (full text\u003d\"%mysql\\nselect 1 a, 2 a\")\r\n```\r\nStep 2\u0027s PARAGRAPH response gets silently discarded by the frontend shortCircuit mechanism in message.ts. The original filter logic compares the currently-sent message sequence number against the received response\u0027s sequence number:\r\n\r\n```ts\r\n// OLD logic — overly aggressive\r\nif (this.lastMsgIdSeqSent \u003e msgIdSeqReceived) {\r\n // \"message is already updated by shortcircuit\" → discard!\r\n return false;\r\n}\r\n```\r\nThe problem: between sending COPY_PARAGRAPH (seq\u003d49) and receiving its PARAGRAPH response, other unrelated messages like EDITOR_SETTING (seq\u003d50) may be sent. This makes lastMsgIdSeqSent (50) \u003e msgIdSeqReceived (49), causing the legitimate PARAGRAPH response for the cloned paragraph to be incorrectly filtered out.\r\n\r\n\u003cimg width\u003d\"807\" height\u003d\"951\" alt\u003d\"image\" src\u003d\"https://github.com/user-attachments/assets/3395e3eb-352c-45f7-96ca-68d3d3f5a983\" /\u003e\r\n\r\n~~**Solution**\r\nReplace the implicit sequence-number comparison with an explicit tracking set (shortCircuitedParagraphMsgIds). Only messages that were explicitly passed to shortCircuit() get filtered — not all messages where lastMsgIdSeqSent \u003e receivedSeq.~~\r\n\r\n**Updated Solution**\r\nDropping the PARAGRAPH msgId compare filter branch when received msg\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### Todos\r\n* [ ] - Task\r\n\r\n### What is the Jira issue?\r\n* Open an issue on Jira https://issues.apache.org/jira/browse/ZEPPELIN/\r\n* Put link here, and add [ZEPPELIN-*Jira number*] in PR title, eg. [ZEPPELIN-533]\r\n\r\n### How should this be tested?\r\n* Strongly recommended: add automated unit tests for any new or changed behavior\r\n* Outline any manual steps to test the PR here.\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update?\r\n* Is there breaking changes for older versions?\r\n* Does this needs documentation?\r\n\n\nCloses #5254 from kevinjmh/ZEPPELIN-6419.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "4a551ed2c0f7ac7490fe10c89bb4554bd3dc49c6", "tree": "a804815d008f716b293ca0846f1cd73433a96668", "parents": [ "1d471c6c59a3fe0fc362619db21d48a8c874064f" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Wed Jun 03 01:08:55 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed Jun 03 01:08:55 2026 +0900" }, "message": "[ZEPPELIN-6421] Integrate zeppelin-react lint into root lint script\n\n### What is this PR for?\n`zeppelin-react` has its own ESLint config with rules at `error` level (e.g. `\u003cat\u003etypescript-eslint/no-explicit-any`, `react-hooks/exhaustive-deps`), but its lint script is not wired into the root `npm run lint` of `zeppelin-web-angular`. As a result, Maven\u0027s `npm lint` execution (`zeppelin-web-angular/pom.xml`) does not catch ESLint violations in `zeppelin-react`.\n\n### What changes are proposed?\nMirror the existing `build:react` pattern with `lint:react` / `lint:fix:react` scripts and include them in the root composite `lint` and `lint:fix` scripts. The `postinstall` hook already installs `projects/zeppelin-react/node_modules`, so no extra install step is needed.\n\n### What type of PR is it?\nImprovement\n\n### Todos\n* [x] - Update root lint scripts to include zeppelin-react\n\n### What is the Jira issue?\nhttps://issues.apache.org/jira/browse/ZEPPELIN-6421\n\n### How should this be tested?\nRun `npm run lint` inside `zeppelin-web-angular/` and confirm that zeppelin-react ESLint errors are reported.\n\n### Screenshots (if appropriate)\nN/A\n\n### Questions:\n* Does the licenses files need to update? No\n* Is there breaking changes for older versions? No\n* Does this needs documentation? No\n\nCloses #5258 from tbonelee/ZEPPELIN-6421-lint-react.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "1d471c6c59a3fe0fc362619db21d48a8c874064f", "tree": "254af30e70430d8d388938f3184e2f0604d3089e", "parents": [ "1893e11282400e1d0e5be1f89ef2a93a025026f2" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Wed Jun 03 01:02:16 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed Jun 03 01:02:16 2026 +0900" }, "message": "[ZEPPELIN-6423] Reload note when switching notebooks in the Angular UI\n\n### What is this PR for?\nNavigating between notes in the Angular UI changed the URL but left the page showing the previously opened note.\n\nThe note fetch in `NotebookComponent` was bound only to the WebSocket `connectedStatus$` stream (introduced in ZEPPELIN-6387). Because Angular reuses `NotebookComponent` across `:noteId` route changes — so `ngOnInit` does not re-run — and the WebSocket stays connected, selecting another note from the header notebook list never re-fetched the note. The URL/route params updated, but `getNote()` was never called for the new `noteId`, so the page kept rendering the old note.\n\nThis PR drives the fetch from a `combineLatest` of the connection status and the route params, so it fires on **both** a WebSocket (re)connect **and** a `noteId`/`revisionId` change. The reconnect-reload behavior from ZEPPELIN-6387 is preserved; `distinctUntilChanged` on the connection stream avoids a redundant fetch on init.\n\n### What type of PR is it?\nBug Fix\n\n### Todos\n* [x] Re-fetch the note on `noteId`/`revisionId` route changes\n* [x] Preserve WebSocket reconnect-reload behavior\n* [x] Add e2e regression test\n\n### What is the Jira issue?\n* https://issues.apache.org/jira/browse/ZEPPELIN-6423\n\n### How should this be tested?\n* **Automated:** `zeppelin-web-angular/e2e/tests/notebook/main/notebook-navigation.spec.ts` opens one note, then navigates to a second note via the header \"Notebook\" dropdown and asserts the displayed note title (not just the URL) updates. Verified failing before the fix and passing after, against a live backend.\n* **Manual:**\n 1. Open a notebook.\n 2. From the header **Notebook** dropdown, click a different note.\n 3. The page content should switch to the newly selected note (previously it stayed on the old note while the URL changed).\n\n### Screenshots (if appropriate)\nN/A\n\n### Questions:\n* Does the license files need to update? No\n* Is there breaking changes for older versions? No\n* Does this needs documentation? No\n\n\nCloses #5259 from tbonelee/fix/notebook-reload-on-note-switch.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "1893e11282400e1d0e5be1f89ef2a93a025026f2", "tree": "98974edae70d7e3d75e994cb212c8c61ab922571", "parents": [ "3e470121a007616069b6a3c15ea338e450c6f54f" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Wed Jun 03 01:00:13 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed Jun 03 01:00:13 2026 +0900" }, "message": "[ZEPPELIN-6424] Upgrade zeppelin-web-angular from Angular 13 to Angular 21\n\n### What is this PR for?\n\n`zeppelin-web-angular` was on Angular 13 (end-of-life). This upgrades it to Angular 21 (latest), one major version at a time so each step stays small and reviewable. The production build, lint, and dev-server are green at every bump.\n\nIncluded:\n- Angular 13 to 21 (framework, CLI, CDK), bumped lock-step one major at a time\n- ng-zorro-antd to 21, adapting to its breaking changes (moved/removed entry points, checkbox / input-number / modal API changes, native CSS animations)\n- Pinned Node 18 to 22 (npm 8 to 10) for the frontend-maven-plugin and `engines`\n- ESLint 8 (eslintrc) to ESLint 9 (flat config)\n- Adopt required modern Angular APIs: built-in control flow (`\u003cat\u003eif/\u003cat\u003efor/\u003cat\u003eswitch`), `provideHttpClient`, explicit zone change detection, `standalone: false` on NgModule declarations, RxJS 7 typing\n\nNo intended functional or UI changes. This is a framework and tooling upgrade only. Commits are grouped per major version (and per concern within a version) so the PR can be reviewed commit by commit.\n\n### What type of PR is it?\nImprovement\n\n### Todos\n* [ ] Reviewer: manual smoke test of notebook / interpreter / job-manager / credential / theme toggle\n\n### What is the Jira issue?\n* https://issues.apache.org/jira/browse/ZEPPELIN-6424\n\n### How should this be tested?\n* `cd zeppelin-web-angular \u0026\u0026 npm ci`\n* Production build: `npm run build:angular` (passes)\n* Lint: `npm run lint` (passes)\n* Dev server: `npm start`, then click through the main screens to confirm they still work: open and run notebook paragraphs (all result types), the interpreter page, job manager, credentials, header dropdowns, and the dark/light theme toggle.\n\n### Screenshots (if appropriate)\nN/A (no intended UI changes).\n\n### Questions:\n* Does the license files need to update? No\n* Is there breaking changes for older versions? No\n* Does this needs documentation? No\n\n\nCloses #5260 from tbonelee/upgrade/angular-21.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "3e470121a007616069b6a3c15ea338e450c6f54f", "tree": "cb9b67f9040755d0eabcf555461b9651ea79d452", "parents": [ "618036ba70a6524432cb11c9c3219d1161c56134" ], "author": { "name": "Kalyan", "email": "kalyan.kumar@gmail.com", "time": "Mon Jun 01 02:03:39 2026 -0700" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon Jun 01 18:03:39 2026 +0900" }, "message": "[ZEPPELIN-6411] Semantic search for Zeppelin\n\n### What is this PR for?\r\n\r\n Added `EmbeddingSearch` — a new `SearchService` implementation that enables natural language search across Zeppelin notebooks using ONNX-based sentence embeddings (all-MiniLM-L6-v2). \r\nDisabled by default, enabled with `zeppelin.search.semantic.enable \u003d true`.\r\n\r\n **The problem**: \r\nZeppelin\u0027s built-in search uses Lucene\u0027s keyword matching, which works well for exact terms but falls short for the way analysts actually search.\r\n A user looking for \"yesterday\u0027s spending\" gets zero results — even though their notebooks contain SELECT sum(cost) WHERE date \u003d current_date -\r\n interval \u00271\u0027 day. The words don\u0027t match, so Lucene can\u0027t find it.\r\n\r\n This PR adds EmbeddingSearch, an alternative SearchService that uses sentence embeddings (all-MiniLM-L6-v2 via ONNX Runtime) to match by meaning\r\n instead of keywords. It runs entirely in-process with no external services required.\r\n\r\n Beyond semantic matching, EmbeddingSearch addresses other gaps in notebook search:\r\n\r\n - Indexes paragraph output — table results and text output become searchable, not just the code\r\n - Extracts SQL table names — FROM/JOIN references are extracted and used to boost related paragraphs in a two-phase ranking\r\n - Strips interpreter prefixes — %spark.sql, %python etc. are removed so they don\u0027t pollute search results\r\n - Live indexing — new or updated paragraphs are searchable immediately, no restart needed\r\n ### What type of PR is it?\r\n Feature\r\n\r\n ### Todos\r\n - [x] EmbeddingSearch core implementation (ONNX inference, mean pooling, cosine similarity)\r\n - [x] Table name extraction from SQL (FROM/JOIN regex) with two-phase search boosting\r\n - [x] Paragraph output indexing (TABLE, TEXT results)\r\n - [x] Versioned binary persistence (v3 format)\r\n - [x] Live indexing (new paragraphs searchable immediately)\r\n - [x] Angular UI: render search results with separate code/output/tables blocks\r\n - [x] Classic UI: same improvements\r\n - [x] 11 unit tests including semantic validation\r\n - [x] Documentation\r\n\r\n ### What is the Jira issue?\r\n - https://issues.apache.org/jira/browse/ZEPPELIN-6411\r\n\r\n ### How should this be tested?\r\n\r\n **Automated tests:**\r\n ```bash\r\n # Embedding search tests (requires ~86MB model download, one-time)\r\n ZEPPELIN_EMBEDDING_TEST\u003dtrue mvn test -pl zeppelin-zengine -Dtest\u003dEmbeddingSearchTest\r\n\r\n # Verify no regressions to existing Lucene search\r\n mvn test -pl zeppelin-zengine -Dtest\u003dLuceneSearchTest\r\n\r\n Manual testing:\r\n\r\n 1. Set zeppelin.search.semantic.enable \u003d true in zeppelin-site.xml\r\n 2. Restart Zeppelin\r\n 3. Search for natural language queries like:\r\n - \"yesterday\u0027s spending\" (Lucene: 0 results → Semantic: finds spend queries)\r\n - \"how much do drivers earn\" (finds taxi tip analysis)\r\n - \"late deliveries\" (finds shipping performance queries)\r\n - \"airport rides\" (both work — keyword match exists)\r\n ```\r\n\r\n### Screenshots (if appropriate)\r\n Semantic Search with New UI\r\n\u003cimg width\u003d\"867\" height\u003d\"469\" alt\u003d\"image\" src\u003d\"https://github.com/user-attachments/assets/527d0828-0ef5-4528-b064-9c95553aa6ca\" /\u003e\r\n Semantic Search with Classic UI\r\n\u003cimg width\u003d\"865\" height\u003d\"475\" alt\u003d\"image\" src\u003d\"https://github.com/user-attachments/assets/092fa986-46d1-41c0-b2ad-b51c04e3c583\" /\u003e\r\n\r\n\r\n### Questions:\r\n\r\n - Does the license files need to update? \r\n - Yes — NOTICE updated with ONNX Runtime (MIT) and DJL Tokenizers (Apache 2.0) attribution.\r\n - Is there breaking changes for older versions? \r\n - No. Disabled by default. Existing LuceneSearch behavior is unchanged.\n\nCloses #5218 from kkalyan/ZEPPELIN-6411-semantic-search.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "618036ba70a6524432cb11c9c3219d1161c56134", "tree": "2a1907c6fbd6660d8e2b2000dd1a16ed444dad89", "parents": [ "0a76b8109b6a4dd69a6c2ff2316b7c0c3c16f6bf" ], "author": { "name": "Jongyoul Lee", "email": "jongyoul@gmail.com", "time": "Fri May 29 12:40:59 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Fri May 29 12:40:59 2026 +0900" }, "message": "[MINOR] chore(zeppelin-web-angular): remove @antv/g2plot and migrate to chart.js to fix npm audit (#5257)" }, { "commit": "0a76b8109b6a4dd69a6c2ff2316b7c0c3c16f6bf", "tree": "694dbb059f7054d698e4bf226c644722c48a34f4", "parents": [ "1a6a8e3c4734a605c04476803b08a38e97a5cccb" ], "author": { "name": "Jongyoul Lee", "email": "jongyoul@gmail.com", "time": "Fri May 29 12:30:51 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Fri May 29 12:30:51 2026 +0900" }, "message": "[ZEPPELIN-6406] Remove deprecated Flink 1.15/1.16/1.17 shims and add Flink 1.19/1.20 support\n\n## Summary\n- Remove deprecated Flink 1.15, 1.16, 1.17 shims and add unified Flink 1.19/1.20 shims\n- Flink 1.19 and 1.20 share a single `Flink119Shims` class (1.20 is the last 1.x LTS, no 1.21 planned)\n- Fix `CatalogStoreHolder` requirement for Flink 1.19+ `CatalogManager.Builder`\n- Fix Scala reflection error (`ImplicitExpressionConversions`) with `bindWithRetry` + explicit imports in `FlinkILoop`\n- Fix stream SQL cancel by registering `executeInsert()` jobs in `JobManager` with `CountDownLatch`-based await\n- Update CI matrix from `[115,116,117]` to `[119,120]`\n- Upgrade `flink.scala.version` from 2.12.7 to 2.12.18\n\n## Test plan\n- [x] `FlinkInterpreterTest` 7/7 passing with `-Pflink-119`\n- [x] `FlinkInterpreterTest` 7/7 passing with `-Pflink-120`\n- [ ] CI pipeline (core.yml) with Flink 119/120 matrix\n- [ ] Integration tests with Flink 1.19/1.20\n\nCloses #5205 from jongyoul/worktree-ZEPPELIN-6406-remove-deprecated-flink.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "1a6a8e3c4734a605c04476803b08a38e97a5cccb", "tree": "de7463d217ea4c2bf6e4aa96502420991367d5fd", "parents": [ "7e45d1d3454053e55c96b1700eee37f70ed504db" ], "author": { "name": "Cheng Pan", "email": "chengpan@apache.org", "time": "Mon May 25 19:13:10 2026 +0800" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon May 25 19:13:10 2026 +0800" }, "message": "[ZEPPELIN-6420] Drop Alluxio Interpreter\n\n### What is this PR for?\r\n\r\n[Alluxio Open Source](https://github.com/Alluxio/alluxio) stops development, other projects like Trino, and public cloud vendors like Ali Cloud also remove Alluxio support.\r\n\r\n### What type of PR is it?\r\n\r\nBreaking Change.\r\n\r\n### What is the Jira issue?\r\n\r\nZEPPELIN-6420\r\n\r\n### How should this be tested?\r\n\r\nPass GHA.\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? Yes, updated.\r\n* Is there breaking changes for older versions? Yes, it removes a feature.\r\n* Does this needs documentation? Docs are updated too.\r\n\n\nCloses #5256 from pan3793/ZEPPELIN-6420.\n\nSigned-off-by: Cheng Pan \u003cchengpan@apache.org\u003e" }, { "commit": "7e45d1d3454053e55c96b1700eee37f70ed504db", "tree": "238690c4ee4235156edb434a52459959b72632cd", "parents": [ "c6dcbe666d617393e62a56b601850cba6829af70" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Mon May 25 03:19:12 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon May 25 03:19:12 2026 +0900" }, "message": "Bump webpack-dev-server from 5.2.3 to 5.2.4 in /zeppelin-web-angular/projects/zeppelin-react\n\nBumps [webpack-dev-server](https://github.com/webpack/webpack-dev-server) from 5.2.3 to 5.2.4.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/webpack/webpack-dev-server/releases\"\u003ewebpack-dev-server\u0027s releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev5.2.4\u003c/h2\u003e\n\u003ch3\u003e\u003ca href\u003d\"https://github.com/webpack/webpack-dev-server/compare/v5.2.3...v5.2.4\"\u003e5.2.4\u003c/a\u003e (2026-05-11)\u003c/h3\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eset Cross-Origin-Resource-Policy header to prevent source code theft over HTTP\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md\"\u003ewebpack-dev-server\u0027s changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch3\u003e\u003ca href\u003d\"https://github.com/webpack/webpack-dev-server/compare/v5.2.3...v5.2.4\"\u003e5.2.4\u003c/a\u003e (2026-05-11)\u003c/h3\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eset Cross-Origin-Resource-Policy header to prevent source code theft over HTTP\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/webpack/webpack-dev-server/commit/fd401308f1cc026262880e2dab810004d6444282\"\u003e\u003ccode\u003efd40130\u003c/code\u003e\u003c/a\u003e chore(release): 5.2.4\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/webpack/webpack-dev-server/commit/ece4f3617bea31fb6d3833f69a32b6c289959a49\"\u003e\u003ccode\u003eece4f36\u003c/code\u003e\u003c/a\u003e chore: update deps (\u003ca href\u003d\"https://redirect.github.com/webpack/webpack-dev-server/issues/5661\"\u003e#5661\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/webpack/webpack-dev-server/commit/a2161442a314a06a97e25d1404d08410cb4e9c51\"\u003e\u003ccode\u003ea216144\u003c/code\u003e\u003c/a\u003e ci: fix test (\u003ca href\u003d\"https://redirect.github.com/webpack/webpack-dev-server/issues/5658\"\u003e#5658\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/webpack/webpack-dev-server/commit/df073c53a8cefb54210b43813fa6ee60364a554e\"\u003e\u003ccode\u003edf073c5\u003c/code\u003e\u003c/a\u003e Merge commit from fork\u003c/li\u003e\n\u003cli\u003eSee full diff in \u003ca href\u003d\"https://github.com/webpack/webpack-dev-server/compare/v5.2.3...v5.2.4\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\nCloses #5253 from dependabot[bot]/dependabot/npm_and_yarn/zeppelin-web-angular/projects/zeppelin-react/webpack-dev-server-5.2.4.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "c6dcbe666d617393e62a56b601850cba6829af70", "tree": "2ebbd30d16329c818367dbaa02f5f19f330c4860", "parents": [ "6a6543fc2809f13c12fa9b73185439d0b79b7b28" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Mon May 25 02:44:25 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon May 25 02:44:25 2026 +0900" }, "message": "Bump qs and express in /zeppelin-web-angular/projects/zeppelin-react\n\nBumps [qs](https://github.com/ljharb/qs) and [express](https://github.com/expressjs/express). These dependencies needed to be updated together.\nUpdates `qs` from 6.14.2 to 6.15.2\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/ljharb/qs/blob/main/CHANGELOG.md\"\u003eqs\u0027s changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e\u003cstrong\u003e6.15.2\u003c/strong\u003e\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e[Fix] \u003ccode\u003estringify\u003c/code\u003e: skip null/undefined entries in \u003ccode\u003earrayFormat: \u0027comma\u0027\u003c/code\u003e + \u003ccode\u003eencodeValuesOnly\u003c/code\u003e instead of crashing in \u003ccode\u003eencoder\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e[Fix] \u003ccode\u003estringify\u003c/code\u003e: use configured \u003ccode\u003edelimiter\u003c/code\u003e after \u003ccode\u003echarsetSentinel\u003c/code\u003e (\u003ca href\u003d\"https://redirect.github.com/ljharb/qs/issues/555\"\u003e#555\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e[Fix] \u003ccode\u003estringify\u003c/code\u003e: apply \u003ccode\u003eformatter\u003c/code\u003e to encoded key under \u003ccode\u003estrictNullHandling\u003c/code\u003e (\u003ca href\u003d\"https://redirect.github.com/ljharb/qs/issues/554\"\u003e#554\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e[Fix] \u003ccode\u003estringify\u003c/code\u003e: skip null/undefined filter-array entries instead of crashing in \u003ccode\u003eencoder\u003c/code\u003e (\u003ca href\u003d\"https://redirect.github.com/ljharb/qs/issues/551\"\u003e#551\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e[Fix] \u003ccode\u003eparse\u003c/code\u003e: handle nested bracket groups and add regression tests (\u003ca href\u003d\"https://redirect.github.com/ljharb/qs/issues/530\"\u003e#530\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e[readme] fix grammar (\u003ca href\u003d\"https://redirect.github.com/ljharb/qs/issues/550\"\u003e#550\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e[Dev Deps] update \u003ccode\u003e\u003cat\u003eljharb/eslint-config\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e[Tests] add regression tests for keys containing percent-encoded bracket text\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e\u003cstrong\u003e6.15.1\u003c/strong\u003e\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e[Fix] \u003ccode\u003eparse\u003c/code\u003e: \u003ccode\u003eparameterLimit: Infinity\u003c/code\u003e with \u003ccode\u003ethrowOnLimitExceeded: true\u003c/code\u003e silently drops all parameters\u003c/li\u003e\n\u003cli\u003e[Deps] update \u003ccode\u003e\u003cat\u003eljharb/eslint-config\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e[Dev Deps] update \u003ccode\u003e\u003cat\u003eljharb/eslint-config\u003c/code\u003e, \u003ccode\u003eiconv-lite\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e[Tests] increase coverage\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e\u003cstrong\u003e6.15.0\u003c/strong\u003e\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e[New] \u003ccode\u003eparse\u003c/code\u003e: add \u003ccode\u003estrictMerge\u003c/code\u003e option to wrap object/primitive conflicts in an array (\u003ca href\u003d\"https://redirect.github.com/ljharb/qs/issues/425\"\u003e#425\u003c/a\u003e, \u003ca href\u003d\"https://redirect.github.com/ljharb/qs/issues/122\"\u003e#122\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e[Fix] \u003ccode\u003eduplicates\u003c/code\u003e option should not apply to bracket notation keys (\u003ca href\u003d\"https://redirect.github.com/ljharb/qs/issues/514\"\u003e#514\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ljharb/qs/commit/9aca4076fe788338c67cf7e115f0be6bc58d85a8\"\u003e\u003ccode\u003e9aca407\u003c/code\u003e\u003c/a\u003e v6.15.2\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ljharb/qs/commit/5e33d33447ed0bf1ddab9abc41d27dea4687d992\"\u003e\u003ccode\u003e5e33d33\u003c/code\u003e\u003c/a\u003e [Dev Deps] update \u003ccode\u003e\u003cat\u003eljharb/eslint-config\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ljharb/qs/commit/21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41\"\u003e\u003ccode\u003e21f80b3\u003c/code\u003e\u003c/a\u003e [Fix] \u003ccode\u003estringify\u003c/code\u003e: skip null/undefined entries in \u003ccode\u003earrayFormat: \u0027comma\u0027\u003c/code\u003e + `e...\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ljharb/qs/commit/a0a81ea2071acce3eff41a040f719ac8f5c4f64c\"\u003e\u003ccode\u003ea0a81ea\u003c/code\u003e\u003c/a\u003e [Fix] \u003ccode\u003estringify\u003c/code\u003e: use configured \u003ccode\u003edelimiter\u003c/code\u003e after \u003ccode\u003echarsetSentinel\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ljharb/qs/commit/e3062f78f5233b338ceeb8e8dfa5a07dea4b32a8\"\u003e\u003ccode\u003ee3062f7\u003c/code\u003e\u003c/a\u003e [Fix] \u003ccode\u003estringify\u003c/code\u003e: apply \u003ccode\u003eformatter\u003c/code\u003e to encoded key under \u003ccode\u003estrictNullHandling\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ljharb/qs/commit/0c180a40adb8c6703fffc85b2ff06ca209f5c1e0\"\u003e\u003ccode\u003e0c180a4\u003c/code\u003e\u003c/a\u003e [Fix] \u003ccode\u003estringify\u003c/code\u003e: skip null/undefined filter-array entries instead of crashi...\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ljharb/qs/commit/3a8b94aec19bd664720f6f6b1e66c4a0dfe4b656\"\u003e\u003ccode\u003e3a8b94a\u003c/code\u003e\u003c/a\u003e [Tests] add regression tests for keys containing percent-encoded bracket text\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ljharb/qs/commit/96755abd357c0e534dd3442a84a04d08864bfe0d\"\u003e\u003ccode\u003e96755ab\u003c/code\u003e\u003c/a\u003e [readme] fix grammar\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ljharb/qs/commit/a419ce5bbfcdb98a299f1a0bb47ea055baef20e6\"\u003e\u003ccode\u003ea419ce5\u003c/code\u003e\u003c/a\u003e [Fix] \u003ccode\u003eparse\u003c/code\u003e: handle nested bracket groups and add regression tests\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ljharb/qs/commit/3f5e1c528c967d915096787efbffa73cf6044170\"\u003e\u003ccode\u003e3f5e1c5\u003c/code\u003e\u003c/a\u003e v6.15.1\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href\u003d\"https://github.com/ljharb/qs/compare/v6.14.2...v6.15.2\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `express` from 4.22.1 to 4.22.2\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/expressjs/express/releases\"\u003eexpress\u0027s releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev4.22.2\u003c/h2\u003e\n\u003ch2\u003eWhat\u0027s Changed\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003efix: restore \u0026gt;20 array parsing for \u003ccode\u003ereq.query\u003c/code\u003e repeated keys (\u003ca href\u003d\"https://github.com/expressjs/express/commit/8d09bfe6d88983da5c3e12cfdd54782c4dc675db\"\u003e\u003ccode\u003e8d09bfe6\u003c/code\u003e\u003c/a\u003e)\n\u003cul\u003e\n\u003cli\u003eThis also unifies array-cap behavior across notations. Indexed notation (\u003ccode\u003ea[0]\u003d...\u003c/code\u003e) was historically capped at qs\u0027s default \u003ccode\u003earrayLimit\u003c/code\u003e of 20 even in older qs versions; after this change it also allows up to 1000 items.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003edeps: qs\u003cat\u003e~6.15.1\u003c/li\u003e\n\u003cli\u003edeps: body-parser\u003cat\u003e~1.20.5\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eNew Contributors\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/suuuuuuminnnnnn\"\u003e\u003ccode\u003e\u003cat\u003e​suuuuuuminnnnnn\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href\u003d\"https://redirect.github.com/expressjs/express/pull/7021\"\u003eexpressjs/express#7021\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/SAY-5\"\u003e\u003ccode\u003e\u003cat\u003e​SAY-5\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href\u003d\"https://redirect.github.com/expressjs/express/pull/7181\"\u003eexpressjs/express#7181\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eFull Changelog\u003c/strong\u003e: \u003ca href\u003d\"https://github.com/expressjs/express/compare/v4.22.1...v4.22.2\"\u003ehttps://github.com/expressjs/express/compare/v4.22.1...v4.22.2\u003c/a\u003e\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/expressjs/express/blob/v4.22.2/History.md\"\u003eexpress\u0027s changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch1\u003e4.22.2 / 2026-05-011\u003c/h1\u003e\n\u003cul\u003e\n\u003cli\u003efix: restore \u0026gt;20 array parsing for \u003ccode\u003ereq.query\u003c/code\u003e repeated keys (\u003ca href\u003d\"https://github.com/expressjs/express/commit/8d09bfe6d88983da5c3e12cfdd54782c4dc675db\"\u003e\u003ccode\u003e8d09bfe6\u003c/code\u003e\u003c/a\u003e)\n\u003cul\u003e\n\u003cli\u003eThis also unifies array-cap behavior across notations. Indexed notation (\u003ccode\u003ea[0]\u003d...\u003c/code\u003e) was historically capped at qs\u0027s default \u003ccode\u003earrayLimit\u003c/code\u003e of 20 even in older qs versions; after this change it also allows up to 1000 items.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003edeps: qs\u003cat\u003e~6.15.1\u003c/li\u003e\n\u003cli\u003edeps: body-parser\u003cat\u003e~1.20.5\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/expressjs/express/commit/df0abc9333a3398b97b71f6ea7cd77d5ea3e9f97\"\u003e\u003ccode\u003edf0abc9\u003c/code\u003e\u003c/a\u003e 4.22.2\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/expressjs/express/commit/836d36668ea750f78b4373b4de79bbd22634e6ec\"\u003e\u003ccode\u003e836d366\u003c/code\u003e\u003c/a\u003e \u003ccode\u003e4.x\u003c/code\u003e update qs to 6.15.1, body-parser 1.20.5 (\u003ca href\u003d\"https://redirect.github.com/expressjs/express/issues/7224\"\u003e#7224\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/expressjs/express/commit/8d09bfe6d88983da5c3e12cfdd54782c4dc675db\"\u003e\u003ccode\u003e8d09bfe\u003c/code\u003e\u003c/a\u003e fix: restore array parsing for req.query repeated keys (\u003ca href\u003d\"https://redirect.github.com/expressjs/express/issues/7181\"\u003e#7181\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/expressjs/express/commit/d39e8ad1778a0b8a606a5a7b17096d0cc5ec722d\"\u003e\u003ccode\u003ed39e8ad\u003c/code\u003e\u003c/a\u003e deps: body-parser\u003cat\u003e~1.20.4 (\u003ca href\u003d\"https://redirect.github.com/expressjs/express/issues/7021\"\u003e#7021\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/expressjs/express/commit/efe85d9fdc9e3a62f7a1121b4f5f484862298b48\"\u003e\u003ccode\u003eefe85d9\u003c/code\u003e\u003c/a\u003e deps: qs\u003cat\u003e^6.14.1 (\u003ca href\u003d\"https://redirect.github.com/expressjs/express/issues/6972\"\u003e#6972\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/expressjs/express/commit/f62378e1bc776259c0a471476c2dc043a02ac762\"\u003e\u003ccode\u003ef62378e\u003c/code\u003e\u003c/a\u003e 📝 add note to history\u003c/li\u003e\n\u003cli\u003eSee full diff in \u003ca href\u003d\"https://github.com/expressjs/express/compare/v4.22.1...v4.22.2\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\nDependabot will resolve any conflicts with this PR as long as you don\u0027t alter it yourself. You can also trigger a rebase manually by commenting `\u003cat\u003edependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `\u003cat\u003edependabot rebase` will rebase this PR\n- `\u003cat\u003edependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `\u003cat\u003edependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `\u003cat\u003edependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `\u003cat\u003edependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `\u003cat\u003edependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/zeppelin/network/alerts).\n\n\u003c/details\u003e\n\nCloses #5255 from dependabot[bot]/dependabot/npm_and_yarn/zeppelin-web-angular/projects/zeppelin-react/multi-f792d6d6d9.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "6a6543fc2809f13c12fa9b73185439d0b79b7b28", "tree": "2803e3cf57260da0e8215a52a99eb18d63aa40ff", "parents": [ "9da7f2a75593d39e7e6c7dff2d182ca55b243408" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Sun May 24 13:18:11 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun May 24 13:18:11 2026 +0900" }, "message": "Bump org.postgresql:postgresql from 42.7.7 to 42.7.11 in /jdbc\n\nBumps [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc) from 42.7.7 to 42.7.11.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/pgjdbc/pgjdbc/releases\"\u003eorg.postgresql:postgresql\u0027s releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev42.7.11\u003c/h2\u003e\n\u003ch2\u003eSecurity\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003efix: Limit SCRAM PBKDF2 iterations accepted from the server.\npgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins.\nSee the \u003ca href\u003d\"https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq\"\u003eSecurity Advisory\u003c/a\u003e for more detail.\nThe following \u003ca href\u003d\"https://nvd.nist.gov/vuln/detail/CVE-2026-42198\"\u003eCVE-2026-42198\u003c/a\u003e has been issued.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eChanges\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003efix: Add sources and javadocs to shaded published lib generation \u003ca href\u003d\"https://github.com/sehrope\"\u003e\u003ccode\u003e\u003cat\u003e​sehrope\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/4043\"\u003e#4043\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eupdate Changelog and website for release of 42.7.11 \u003ca href\u003d\"https://github.com/davecramer\"\u003e\u003ccode\u003e\u003cat\u003e​davecramer\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/4042\"\u003e#4042\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFix scram fix location in changelog and update published artifact developer list \u003ca href\u003d\"https://github.com/sehrope\"\u003e\u003ccode\u003e\u003cat\u003e​sehrope\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/4041\"\u003e#4041\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eRestrict test with scram_iterations to v16+ and release notes \u003ca href\u003d\"https://github.com/sehrope\"\u003e\u003ccode\u003e\u003cat\u003e​sehrope\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/4040\"\u003e#4040\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003echore(deps): update ubuntu:24.04 docker digest to 84e77de \u003ca href\u003d\"https://github.com/renovate-bot\"\u003e\u003ccode\u003e\u003cat\u003e​renovate-bot\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/4017\"\u003e#4017\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003etest: add tests for QueryExecutor#getTransactionState \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/4006\"\u003e#4006\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003echore(deps): update actions/create-github-app-token action to v2.2.2 \u003ca href\u003d\"https://github.com/renovate-bot\"\u003e\u003ccode\u003e\u003cat\u003e​renovate-bot\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3983\"\u003e#3983\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: fix flaky CopyBothResponseTest by using WAL flush LSN \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3979\"\u003e#3979\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: fix flaky replication restart tests by waiting for confirmed_flush_lsn \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3975\"\u003e#3975\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003etest: fix flaky LogicalReplicationStatusTest by polling pg_stat_replication \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3974\"\u003e#3974\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003echore: replace Appveyor with ikalnytskyi/action-setup-postgres \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3966\"\u003e#3966\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003etest: move test table creation from \u003ca href\u003d\"https://github.com/BeforeEach\"\u003e\u003ccode\u003e\u003cat\u003e​BeforeEach\u003c/code\u003e\u003c/a\u003e to \u003ca href\u003d\"https://github.com/BeforeAll\"\u003e\u003ccode\u003e\u003cat\u003e​BeforeAll\u003c/code\u003e\u003c/a\u003e \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3967\"\u003e#3967\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eReturn jsonb as PGObject fixes Issue \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3926\"\u003e#3926\u003c/a\u003e \u003ca href\u003d\"https://github.com/davecramer\"\u003e\u003ccode\u003e\u003cat\u003e​davecramer\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3956\"\u003e#3956\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eUpdate docker scripts \u003ca href\u003d\"https://github.com/davecramer\"\u003e\u003ccode\u003e\u003cat\u003e​davecramer\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3958\"\u003e#3958\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eimplement require_auth, this is pretty much how libpq does this. \u003ca href\u003d\"https://github.com/davecramer\"\u003e\u003ccode\u003e\u003cat\u003e​davecramer\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3895\"\u003e#3895\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003edocs: add SCRAM authentication test setup section to TESTING.md \u003ca href\u003d\"https://github.com/emmaeng700\"\u003e\u003ccode\u003e\u003cat\u003e​emmaeng700\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3945\"\u003e#3945\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eAdd RequireServerVersion annotation for tests \u003ca href\u003d\"https://github.com/sehrope\"\u003e\u003ccode\u003e\u003cat\u003e​sehrope\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3939\"\u003e#3939\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e🐛 Bug Fixes\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003efix: ensure extended protocol messages end with Sync message \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3728\"\u003e#3728\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: enable cursor-based fetching in extended protocol when transaction started via SQL command \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3996\"\u003e#3996\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: retry with SSL on IOException when sslMode\u003dALLOW \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3973\"\u003e#3973\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: allow fallback to non-SSL connection when sslMode\u003dprefer and sslResponseTimeout kicks in \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3968\"\u003e#3968\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: catch SecurityException from setContextClassLoader on ForkJoinPool workers \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3962\"\u003e#3962\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: use compareTo for LogSequenceNumber comparison \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3961\"\u003e#3961\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: release COPY lock on IOException to prevent connection hang (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3957\"\u003e#3957\u003c/a\u003e) \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3960\"\u003e#3960\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e🧰 Maintenance\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003estyle: replace \u003ca href\u003d\"https://github.com/exception\"\u003e\u003ccode\u003e\u003cat\u003e​exception\u003c/code\u003e\u003c/a\u003e with \u003ca href\u003d\"https://github.com/throws\"\u003e\u003ccode\u003e\u003cat\u003e​throws\u003c/code\u003e\u003c/a\u003e in getBoolean javadoc \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/4035\"\u003e#4035\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003echore: use \u003ccode\u003e\u003cat\u003e​vlsi/github-actions-random-matrix\u003c/code\u003e npm package \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/4008\"\u003e#4008\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003echore: use tag names for pinning github actions, pin ikalnytskyi/action-setup-postgres \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/4007\"\u003e#4007\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003echore: bump errorprone to 2.48.0 \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/4005\"\u003e#4005\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003etest: add \u003ca href\u003d\"https://github.com/DisableLogger\"\u003e\u003ccode\u003e\u003cat\u003e​DisableLogger\u003c/code\u003e\u003c/a\u003e annotation to suppress expected log warnings in tests \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3971\"\u003e#3971\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003echore: suppress deprecations in test code to reduce build verbosity \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3972\"\u003e#3972\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003echore: replace log warning in ConnectionFactory.closeStream with Throwable.addSuppressed \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3970\"\u003e#3970\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003echore: use greedy pairwise coverage for CI matrix generation \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3965\"\u003e#3965\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003echore: use full version tags in GitHub Actions comments \u003ca href\u003d\"https://github.com/vlsi\"\u003e\u003ccode\u003e\u003cat\u003e​vlsi\u003c/code\u003e\u003c/a\u003e (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3963\"\u003e#3963\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e⬆️ Dependencies\u003c/h2\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md\"\u003eorg.postgresql:postgresql\u0027s changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e[42.7.11] (2026-04-28)\u003c/h2\u003e\n\u003ch3\u003eSecurity\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003efix: Limit SCRAM PBKDF2 iterations accepted from the server.\npgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins.\nSee the \u003ca href\u003d\"https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq\"\u003eSecurity Advisory\u003c/a\u003e for more detail.\nThe following \u003ca href\u003d\"https://nvd.nist.gov/vuln/detail/CVE-2026-42198\"\u003eCVE-2026-42198\u003c/a\u003e has been issued.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003efeat: implement require_auth connection property, aligning with libpq behavior [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3895\"\u003e#3895\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3895\"\u003epgjdbc/pgjdbc#3895\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003echore: replace Appveyor CI with ikalnytskyi/action-setup-postgres [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3966\"\u003e#3966\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3966\"\u003epgjdbc/pgjdbc#3966\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003echore: upgrade Gradle to v9 [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3978\"\u003e#3978\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3978\"\u003epgjdbc/pgjdbc#3978\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eFixed\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003efix: ensure extended protocol messages end with Sync message [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3728\"\u003e#3728\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3728\"\u003epgjdbc/pgjdbc#3728\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: enable cursor-based fetching in extended protocol when transaction started via SQL command [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3996\"\u003e#3996\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3996\"\u003epgjdbc/pgjdbc#3996\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: retry with SSL on IOException when sslMode\u003dALLOW [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3973\"\u003e#3973\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3973\"\u003epgjdbc/pgjdbc#3973\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: make sure the driver honours connectTimeout when retrying the connection [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3968\"\u003e#3968\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3968\"\u003epgjdbc/pgjdbc#3968\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: allow fallback to non-SSL connection when sslMode\u003dprefer and sslResponseTimeout kicks in [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3968\"\u003e#3968\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3968\"\u003epgjdbc/pgjdbc#3968\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: catch SecurityException from setContextClassLoader on ForkJoinPool workers [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3962\"\u003e#3962\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3962\"\u003epgjdbc/pgjdbc#3962\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: use compareTo for LogSequenceNumber comparison to handle unsigned values correctly [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3961\"\u003e#3961\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3961\"\u003epgjdbc/pgjdbc#3961\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: release COPY lock on IOException to prevent connection hang [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3957\"\u003e#3957\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3957\"\u003epgjdbc/pgjdbc#3957\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: return jsonb as PGObject instead of String [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3956\"\u003e#3956\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3956\"\u003epgjdbc/pgjdbc#3956\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: align SSL key file permission check with libpq [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3952\"\u003e#3952\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3952\"\u003epgjdbc/pgjdbc#3952\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: guard connection closed flag with a reentrant lock to protect against concurrent close [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3905\"\u003e#3905\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3905\"\u003epgjdbc/pgjdbc#3905\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e[42.7.10] (2026-02-11)\u003c/h2\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003echore: Migrate to Shadow 9 \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3931\"\u003ePR 3931\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003estyle: fix empty line before javadoc for checkstyle compliance [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3925\"\u003e#3925\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3925\"\u003epgjdbc/pgjdbc#3925\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003estyle: fix lambda argument indentation for checkstyle compliance [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3922\"\u003e#3922\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3922\"\u003epgjdbc/pgjdbc#3922\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003etest: add autosave\u003dalways|never|conservative and cleanupSavepoints\u003dtrue|false to the randomized CI jobs [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3917\"\u003e#3917\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3917\"\u003epgjdbc/pgjdbc#3917\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eFixed\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003efix: non-standard strings failing test for version 19 [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3934\"\u003e#3934\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3934\"\u003epgjdbc/pgjdbc#3934\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: small issues in ConnectionFactoryImpl [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3929\"\u003e#3929\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3929\"\u003epgjdbc/pgjdbc#3929\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix: process pending responses before fastpath to avoid protocol errors \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3913\"\u003ePR # 3913\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003edoc: use.md, fix typos [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3911\"\u003e#3911\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3911\"\u003epgjdbc/pgjdbc#3911\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003edoc: datasource.md, fix minor formatting issue [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3912\"\u003e#3912\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3912\"\u003epgjdbc/pgjdbc#3912\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003edoc: add the new PGP signing key to the official documentation [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3912\"\u003e#3912\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3813\"\u003epgjdbc/pgjdbc#3813\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eReverted\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eRevert \u0026quot;fix: make all Calendar instances proleptic Gregorian (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3837\"\u003e#3837\u003c/a\u003e) (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3887\"\u003e#3887\u003c/a\u003e)\u0026quot; [PR \u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/3932\"\u003e#3932\u003c/a\u003e](\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/pull/3932\"\u003epgjdbc/pgjdbc#3932\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e[42.7.9] (2026-01-14)\u003c/h2\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/pgjdbc/pgjdbc/commit/78e261ff2a7f16a37bdceb2204f67e484387da2f\"\u003e\u003ccode\u003e78e261f\u003c/code\u003e\u003c/a\u003e fix: Add sources and javadocs to shaded published lib generation\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/pgjdbc/pgjdbc/commit/1e09fa0496377296c9e2ef3bfd2b409945fba17a\"\u003e\u003ccode\u003e1e09fa0\u003c/code\u003e\u003c/a\u003e update Changelog and website for release of 42.7.11 (\u003ca href\u003d\"https://redirect.github.com/pgjdbc/pgjdbc/issues/4042\"\u003e#4042\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/pgjdbc/pgjdbc/commit/d479fa5b8c8c915a441ce1f2448f69f23dd0b66c\"\u003e\u003ccode\u003ed479fa5\u003c/code\u003e\u003c/a\u003e Fix scram fix location in changelog and update published artifact developer l...\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/pgjdbc/pgjdbc/commit/b04fc46af6c207bc7ce9e788fea8c43d18b73d0f\"\u003e\u003ccode\u003eb04fc46\u003c/code\u003e\u003c/a\u003e docs: Add scram max iters fix to changelog\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/pgjdbc/pgjdbc/commit/cf548225b4078db954765339720ffdf3bc94e5a6\"\u003e\u003ccode\u003ecf54822\u003c/code\u003e\u003c/a\u003e test: Disable scram test on older version without scram_iterations GUC\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/pgjdbc/pgjdbc/commit/7dbcc79b2b4adf7b71458c9434d2c43cec7713b9\"\u003e\u003ccode\u003e7dbcc79\u003c/code\u003e\u003c/a\u003e test: Add SCRAM max iteration tests\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/pgjdbc/pgjdbc/commit/c9d41d1332a7426fcef19ff89f2e6b1116429143\"\u003e\u003ccode\u003ec9d41d1\u003c/code\u003e\u003c/a\u003e fix: Limit SCRAM PBKDF2 iterations accepted from the server\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/pgjdbc/pgjdbc/commit/a340cb2b0ae24c0d98ad9dec569200ebb704d6aa\"\u003e\u003ccode\u003ea340cb2\u003c/code\u003e\u003c/a\u003e style: replace \u003ca href\u003d\"https://github.com/exception\"\u003e\u003ccode\u003e\u003cat\u003e​exception\u003c/code\u003e\u003c/a\u003e with \u003ca href\u003d\"https://github.com/throws\"\u003e\u003ccode\u003e\u003cat\u003e​throws\u003c/code\u003e\u003c/a\u003e in getBoolean javadoc\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/pgjdbc/pgjdbc/commit/77837f80c0c20a9f33f9e21b091f4d4552f8e753\"\u003e\u003ccode\u003e77837f8\u003c/code\u003e\u003c/a\u003e fix(deps): update dependency org.openrewrite.rewrite:org.openrewrite.rewrite....\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/pgjdbc/pgjdbc/commit/23af03bc839af5217ea141946ae41e648264061c\"\u003e\u003ccode\u003e23af03b\u003c/code\u003e\u003c/a\u003e chore(deps): update actions/checkout action to v6\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href\u003d\"https://github.com/pgjdbc/pgjdbc/compare/REL42.7.7...REL42.7.11\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name\u003dorg.postgresql:postgresql\u0026package-manager\u003dmaven\u0026previous-version\u003d42.7.7\u0026new-version\u003d42.7.11)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don\u0027t alter it yourself. You can also trigger a rebase manually by commenting `\u003cat\u003edependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `\u003cat\u003edependabot rebase` will rebase this PR\n- `\u003cat\u003edependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `\u003cat\u003edependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `\u003cat\u003edependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `\u003cat\u003edependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `\u003cat\u003edependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/zeppelin/network/alerts).\n\n\u003c/details\u003e\n\nCloses #5240 from dependabot[bot]/dependabot/maven/jdbc/org.postgresql-postgresql-42.7.11.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "9da7f2a75593d39e7e6c7dff2d182ca55b243408", "tree": "600a24d6e96f1547d81137ca044387035e02d569", "parents": [ "c30052a90793437988252fa7c6c2b128661a4dc7" ], "author": { "name": "Jongyoul Lee", "email": "jongyoul@gmail.com", "time": "Mon May 18 22:35:51 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon May 18 22:35:51 2026 +0900" }, "message": "[MINOR] Tighten origin and content-type handling in REST/WebSocket layer\n\n## What is this PR for?\n\nApply stricter defaults to the request-handling layer for tighter out-of-the-box behavior:\n\n- `CorsFilter` blocks state-changing methods (POST/PUT/DELETE/PATCH) and cross-origin preflight requests when the `Origin` header is not in the configured allow-list. `Access-Control-Allow-Credentials` is only sent when the `Origin` is allowed.\n- The default value of `zeppelin.server.allowed.origins` changes from `*` to empty so cross-origin browser access must be explicitly enabled. **Operators relying on the previous default need to set this back to `*` or to specific origin(s).** Same-origin / same-host and non-browser clients are unaffected.\n- A new Jersey request filter restricts REST request bodies on state-changing methods to `application/json`, `application/x-www-form-urlencoded`, or `multipart/form-data`; other media types are rejected with `415`.\n- The default `shiro.ini.template` now sets `cookie.sameSite \u003d LAX`.\n- `ZeppelinClient.addParagraph` and `updateParagraph` now send an explicit `Content-Type: application/json` header so they pass the new filter.\n- `CorsUtils.isValidOrigin` normalizes the `Origin` header to lowercase before the allow-list membership check, mirroring how the configured origins are stored, so case differences in the `Origin` header do not produce false rejections.\n- A small `HttpMethods` utility holds the shared `STATE_CHANGING` method set used by both the servlet filter and the Jersey filter.\n\n## What type of PR is it?\n\nImprovement\n\n## Todos\n\n- [ ] CI green\n\n## Questions\n\n- None\n\n## Screenshots (if appropriate)\n\nN/A\n\nCloses #5229 from jongyoul/minor-cors-hardening.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "c30052a90793437988252fa7c6c2b128661a4dc7", "tree": "c68e9ea6d2d46069ac7edeabdc08f210f537ecbc", "parents": [ "8e86d6939a54fd192d5bdec14c238324e66644ba" ], "author": { "name": "Jongyoul Lee", "email": "jongyoul@gmail.com", "time": "Thu May 14 13:55:54 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu May 14 13:55:54 2026 +0900" }, "message": "[MINOR] Reject traversal segments in note and folder paths\n\n## What is this PR for?\n\n`NotebookRepo.buildNoteFileName` composes a filesystem path or object-store key from a user-supplied note path. The previous implementation required only a leading `/` but otherwise concatenated the value verbatim, so a value such as `/../etc/foo` would compose to a location outside the configured notebook root for backends that perform a raw filesystem operation (`FileSystemNotebookRepo`) or build an object key directly from the string (S3 / Azure / GCS).\n\nThis PR centralises a small validation helper at the `NotebookRepo` interface level so every backend gets the same defence, fixes one folder-level path that bypassed `buildNoteFileName`, and adds the missing `normalizeNotePath` call in `NotebookService.renameNote`.\n\n## What type of PR is it?\n\nImprovement\n\n## Todos\n\n* [x] Add `NotebookRepo.rejectTraversalSegments` (URL-decoded, recursive, capped at 5 layers).\n* [x] Call `rejectTraversalSegments` from the default `buildNoteFileName`, so every implementation is covered.\n* [x] Apply it to `FileSystemNotebookRepo`\u0027s folder-level `move` / `remove`, which build the path without going through `buildNoteFileName`.\n* [x] Add the missing `normalizeNotePath` in `NotebookService.renameNote` to match `createNote`, `cloneNote`, and `moveFolder`.\n* [x] `NotebookRepoPathValidationTest` (27): `..`, `.`, URL-encoded variants (`%2e%2e`, `%2E%2E`), double-encoded variants, and an excessive-encoding-layer payload. Realistic note names including Korean characters and `...` inside a segment are accepted.\n\n## What is the Jira issue?\n\nN/A — `[MINOR]` change.\n\n## How should this be tested?\n\n```\n./mvnw install -pl zeppelin-server -am -DskipTests\n./mvnw test -pl zeppelin-server -Dtest\u003d\u0027NotebookRepoPathValidationTest,NotebookServiceTest\u0027 -DfailIfNoTests\u003dfalse\n./mvnw test -pl zeppelin-plugins/notebookrepo/filesystem\n```\n\nAll test sets pass locally.\n\n## Questions\n\n* Does the license files need to update? No\n* Is there breaking changes for older versions? No — existing valid note paths render to byte-identical filenames; only paths containing literal traversal segments now produce a clear `IOException` instead of silently composing to an out-of-root location.\n* Does this needs documentation? No\n\nCloses #5227 from jongyoul/ZEPPELIN-fs-notebook-path.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "8e86d6939a54fd192d5bdec14c238324e66644ba", "tree": "e9ebd0aadd5de7781dcc13118e5a9e57cb7efbb2", "parents": [ "5d1ede4dad1224edac8eaa44f71a53bb5865cd84" ], "author": { "name": "Jongyoul Lee", "email": "jongyoul@gmail.com", "time": "Thu May 14 13:54:55 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu May 14 13:54:55 2026 +0900" }, "message": "[MINOR] Apply proper RFC 4515 / RFC 4514 escaping in LDAP realms\n\n## What is this PR for?\n\n`LdapRealm` and `ActiveDirectoryGroupRealm` build LDAP search filters and DNs by interpolating user-controlled values into format strings. The existing escape utility in `LdapRealm` implements RFC 4514 (Distinguished Name) escaping, which leaves the filter metacharacters `(`, `)` and `*` unchanged. `ActiveDirectoryGroupRealm` uses `String.format` with no escape at all. The two contexts need different rules: filter values follow RFC 4515 § 3 and DN values follow RFC 4514.\n\nThis PR separates the two escape contexts so each substitution site uses the right one.\n\n## What type of PR is it?\n\nImprovement\n\n## Todos\n\n* [x] Add `LdapFilterEncoder.escapeFilterValue` implementing RFC 4515 § 3 (`\\\\`, `(`, `)`, `*`, NUL).\n* [x] Add `expandFilterTemplate` helper in `LdapRealm` that escapes values before substituting into a filter template.\n* [x] Add `expandDnTemplate` helper that uses the existing `escapeAttributeValue` (RFC 4514) for DN substitutions.\n* [x] Route `LdapRealm` filter substitution sites through `expandFilterTemplate`.\n* [x] Route `LdapRealm` DN substitution sites through `expandDnTemplate`.\n* [x] Apply `LdapFilterEncoder.escapeFilterValue` at the two `String.format` filter sites in `ActiveDirectoryGroupRealm`.\n* [x] Wrap admin-configured object class / attribute name values through the same escape utility for defense in depth.\n* [x] Unit tests for `LdapFilterEncoder` (14).\n* [x] 1000-iteration deterministic fuzz test (1005 tests total).\n* [x] Realm-level injection tests with mocked `LdapContext` (20 tests).\n* [x] DN substitution regression tests including Korean username (22 tests).\n\n## What is the Jira issue?\n\nN/A — `[MINOR]` change.\n\n## How should this be tested?\n\n```\n./mvnw test -pl zeppelin-server \\\n -Dtest\u003d\u0027LdapFilterEncoderTest,LdapFilterEncoderFuzzTest,LdapRealmFilterInjectionTest,LdapRealmDnInjectionTest,ActiveDirectoryGroupRealmFilterInjectionTest,LdapRealmTest,RoleMappingLdapRealmTest\u0027 \\\n -DfailIfNoTests\u003dfalse\n```\n\nAll 1068 tests pass locally.\n\n## Questions\n\n* Does the license files need to update? No\n* Is there breaking changes for older versions? No\n* Does this needs documentation? No\n\nCloses #5226 from jongyoul/ZEPPELIN-ldap-injection-fix.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "5d1ede4dad1224edac8eaa44f71a53bb5865cd84", "tree": "be6baa700a7d4c42e805a03d42e9fa34fff1e9d9", "parents": [ "dffe85f79aa659cb6e5f700645914725dcce6de6" ], "author": { "name": "Jongyoul Lee", "email": "jongyoul@gmail.com", "time": "Thu May 14 09:55:36 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu May 14 09:55:36 2026 +0900" }, "message": "[ZEPPELIN-6416] Fix zeppelin-interpreter-shaded leak via zeppelin-jupyter-interpreter scope\n\n### What is this PR for?\n\nFixes a regression that breaks all Selenium integration tests in `zeppelin-integration` (`InterpreterIT`, `AuthenticationIT`, `ZeppelinIT`, `InterpreterModeActionsIT`, `SparkParagraphIT`, `PersonalizeActionsIT`, `ParagraphActionsIT`) on master since the [ZEPPELIN-6355] zengine→server merge. They abort during `MiniZeppelinServer` startup with:\n\n```\njava.lang.ClassCastException: class shaded.org.apache.zeppelin.org.eclipse.aether.repository.RemoteRepository\n cannot be cast to class org.eclipse.aether.repository.RemoteRepository\n (... in unnamed module of loader \u0027app\u0027)\n at org.apache.zeppelin.interpreter.InterpreterSettingManager.\u003cinit\u003e(InterpreterSettingManager.java:186)\n```\n\n#### Scope of impact\n\n* **CI**: `frontend.yml` selenium IT job has been red on every master push since 2026-05-05, blocking PR merges.\n* **Runtime**: *no production impact*. The Zeppelin distribution does not ship `zeppelin-interpreter-shaded.jar` on the server JVM classpath; the two-JVM isolation introduced by [ZEPPELIN-3689] still holds for deployed installations. The leak is confined to `zeppelin-integration`\u0027s test classpath.\n\n#### Root cause\n\n`zeppelin-jupyter-interpreter/pom.xml` re-declared its dependency on `zeppelin-interpreter-shaded` *without scope*, silently overriding the parent\u0027s `\u003cscope\u003eprovided\u003c/scope\u003e` and downgrading it to compile. That made the shaded jar transitive to anyone depending on `zeppelin-jupyter-interpreter` — in particular `spark-interpreter` (because `IPySparkInterpreter` extends `IPythonInterpreter` which extends `JupyterKernelInterpreter`), and onward into `zeppelin-integration`\u0027s test classpath via `\u003cdependency\u003espark-interpreter\u003c/dependency\u003e`.\n\nBoth unshaded `zeppelin-interpreter.jar` and `zeppelin-interpreter-shaded.jar` end up in the same test JVM. Because the shade plugin keeps `org.apache.zeppelin.dep.*` class names un-relocated (per `\u003cexclude\u003eorg/apache/zeppelin/**\u003c/exclude\u003e`) but rewrites their internal `org.eclipse.aether.*` references to `shaded.org.apache.zeppelin.org.eclipse.aether.*`, both jars contain identically-named `Booter` / `Repository` / `DependencyResolver` classes that disagree on the `RemoteRepository` type. Whichever the classloader picks first wins; post-merge the shaded variant wins, so `dependencyResolver.getRepos()` returns shaded `RemoteRepository` instances which fail to cast to the unshaded type expected by `InterpreterSettingManager`.\n\nThe scope-omission has been latent since 2019-12 ([ZEPPELIN-4497]). The [ZEPPELIN-6355] merge changed the dependency-resolution order in `zeppelin-integration`\u0027s test classpath and exposed it.\n\n### What type of PR is it?\n\nBug Fix\n\n### Todos\n\n* [x] Drop the redundant `zeppelin-interpreter-shaded` redeclaration in `zeppelin-jupyter-interpreter/pom.xml` so the parent\u0027s `provided` applies\n* [x] Add `maven-enforcer-plugin` `bannedDependencies` rule on `zeppelin-server` and `zeppelin-integration` to catch any future leak\n* [x] Verify `mvn dependency:tree` is clean for `zeppelin-server` and `zeppelin-integration`\n* [x] Verify the enforcer rule fails as expected when the leak is reintroduced (negative test)\n* [ ] Verify `frontend.yml` selenium IT goes green on this PR\n\n### What is the Jira issue?\n\n* https://issues.apache.org/jira/browse/ZEPPELIN-6416 — this PR\n* https://issues.apache.org/jira/browse/ZEPPELIN-6417 — follow-up: extract `zeppelin-jupyter-kernel-client` library so interpreter modules never depend on the `%jupyter` magic interpreter artifact directly (structural decoupling)\n\n### How should this be tested?\n\n```bash\n# 1. Verify dep tree is clean (no zeppelin-interpreter-shaded)\n./mvnw -pl zeppelin-server dependency:tree -Pintegration -Pspark-scala-2.12 -Pspark-3.5 | grep zeppelin-interpreter-shaded\n./mvnw -pl zeppelin-integration dependency:tree -Pintegration -Pspark-scala-2.12 -Pspark-3.5 | grep zeppelin-interpreter-shaded\n# both should produce no matches\n\n# 2. Verify enforcer rule passes\n./mvnw validate -pl zeppelin-server,zeppelin-integration -Pintegration -Pspark-scala-2.12 -Pspark-3.5\n\n# 3. Negative test: reintroduce the leak (revert the jupyter-interpreter pom hunk) and run #2;\n# enforcer should fail with a BannedDependencies error pointing to ZEPPELIN-6416.\n\n# 4. Full CI: rely on this PR\u0027s frontend.yml run.\n```\n\n### Screenshots (if appropriate)\n\nN/A\n\n### Questions\n\n* Does the license files need to update? **No** — pom-only change.\n* Is there breaking changes for older versions? **No**.\n* Does this needs documentation? **No**.\n\nCloses #5246 from jongyoul/ZEPPELIN-6416-jupyter-shaded-leak-fix.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "dffe85f79aa659cb6e5f700645914725dcce6de6", "tree": "b1d6ea36fb3ef7a257bb7825783d0a28bf795d57", "parents": [ "0a2f85822876e0998d98c6b4dbba3388d59843d6" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Mon May 11 08:47:45 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon May 11 08:47:45 2026 +0900" }, "message": "Bump the docs-security-updates group across 1 directory with 5 updates\n\nBumps the docs-security-updates group with 5 updates in the /docs directory:\n\n| Package | From | To |\n| --- | --- | --- |\n| [nokogiri](https://github.com/sparklemotion/nokogiri) | `1.15.4` | `1.19.3` |\n| [activesupport](https://github.com/rails/rails) | `7.2.1` | `7.2.3.1` |\n| [addressable](https://github.com/sporkmonger/addressable) | `2.8.7` | `2.9.0` |\n| [faraday](https://github.com/lostisland/faraday) | `2.12.0` | `2.14.1` |\n| [rexml](https://github.com/ruby/rexml) | `3.3.8` | `3.4.2` |\n\n\nUpdates `nokogiri` from 1.15.4 to 1.19.3\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/releases\"\u003enokogiri\u0027s releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev1.19.3 / 2026-04-27\u003c/h2\u003e\n\u003ch3\u003eFixed / Security\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eAddress exponential regex backtracking in CSS selector tokenizer. See \u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-c4rq-3m3g-8wgx\"\u003eGHSA-c4rq-3m3g-8wgx\u003c/a\u003e for more information.\u003c/li\u003e\n\u003cli\u003e[CRuby] Address memory leak in \u003ccode\u003eXSLT::Stylesheet#transform\u003c/code\u003e. See \u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v2fc-qm4h-8hqv\"\u003eGHSA-v2fc-qm4h-8hqv\u003c/a\u003e for more information.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003cpre\u003e\u003ccode\u003e46b89e5d7b9e844c2ee360794240c6ea2a4e6fa0c5892a4ed487db621224b639 nokogiri-1.19.3-aarch64-linux-gnu.gem\r\n8392dfdcd21be7a94dbbe9ccc138dea01b97b24cb2dc02a114ca98bfb1d9a0b7 nokogiri-1.19.3-aarch64-linux-musl.gem\r\n3919d5ffc334ad778a4a9eb88fda7dcb8b1fb58c8a52ac640c6dcd2f038e774f nokogiri-1.19.3-arm-linux-gnu.gem\r\n9ce1cb6346bb9c67b1550eb537aa183ead91e4b6eadb2f36ade02d8dd2a79fb6 nokogiri-1.19.3-arm-linux-musl.gem\r\n71b9bd424b1b7abc18b05052a1a3cfd3627abdca62be280854cc411791357e42 nokogiri-1.19.3-arm64-darwin.gem\r\n40ea6ebf5cf2005dae1dee26dd557d3afb41fb6de6c9764aca8cf06fdb841db1 nokogiri-1.19.3-java.gem\r\n8bb7132cad356c879a1286eaabcb5e68326cb2490317984280fbc62f456d506a nokogiri-1.19.3-x64-mingw-ucrt.gem\r\n77f3fba57d46c53ab31e62fc6c28f705109d1bf6264356c76f132b2be5728d4d nokogiri-1.19.3-x86_64-darwin.gem\r\n2f5078620fe12e83669b5b17311b32532a8153d02eee7ad06948b926d6080976 nokogiri-1.19.3-x86_64-linux-gnu.gem\r\n248c906d2166eca5efb56d52fdee5f9a1f51d69a72e2b64fdac647b4ce39ea3f nokogiri-1.19.3-x86_64-linux-musl.gem\r\n78312cbac32a40c812780d9678221b79d51288eec00054c1a8d15f7ce05960e8 nokogiri-1.19.3.gem\r\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2\u003ev1.19.2 / 2026-03-19\u003c/h2\u003e\n\u003ch3\u003eDependencies\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[JRuby] Saxon-HE is updated to 12.7, from 9.6.0-4. Saxon-HE is a transitive dependency of nu.validator:jing, and this update addresses CVEs in Saxon-HE\u0027s own transitive dependencies JDOM and dom4j. We don\u0027t think this warrants a security release, however we\u0027re cutting a patch release to help users whose security scanners are flagging this. \u003ca href\u003d\"https://redirect.github.com/sparklemotion/nokogiri/issues/3611\"\u003e#3611\u003c/a\u003e \u003ca href\u003d\"https://github.com/flavorjones\"\u003e\u003ccode\u003e\u003cat\u003e​flavorjones\u003c/code\u003e\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eSHA256 Checksums\u003c/h3\u003e\n\u003cpre\u003e\u003ccode\u003ec34d5c8208025587554608e98fd88ab125b29c80f9352b821964e9a5d5cfbd19 nokogiri-1.19.2-aarch64-linux-gnu.gem\r\n7f6b4b0202d507326841a4f790294bf75098aef50c7173443812e3ac5cb06515 nokogiri-1.19.2-aarch64-linux-musl.gem\r\nb7fa1139016f3dc850bda1260988f0d749934a939d04ef2da13bec060d7d5081 nokogiri-1.19.2-arm-linux-gnu.gem\r\n61114d44f6742ff72194a1b3020967201e2eb982814778d130f6471c11f9828c nokogiri-1.19.2-arm-linux-musl.gem\r\n58d8ea2e31a967b843b70487a44c14c8ba1866daa1b9da9be9dbdf1b43dee205 nokogiri-1.19.2-arm64-darwin.gem\r\ne9d67034bc80ca71043040beea8a91be5dc99b662daa38a2bfb361b7a2cc8717 nokogiri-1.19.2-java.gem\r\n8ccf25eea3363a2c7b3f2e173a3400582c633cfead27f805df9a9c56d4852d1a nokogiri-1.19.2-x64-mingw-ucrt.gem\r\n7d9af11fda72dfaa2961d8c4d5380ca0b51bc389dc5f8d4b859b9644f195e7a4 nokogiri-1.19.2-x86_64-darwin.gem\r\nfa8feca882b73e871a9845f3817a72e9734c8e974bdc4fbad6e4bc6e8076b94f nokogiri-1.19.2-x86_64-linux-gnu.gem\r\n93128448e61a9383a30baef041bf1f5817e22f297a1d400521e90294445069a8 nokogiri-1.19.2-x86_64-linux-musl.gem\r\n38fdd8b59db3d5ea9e7dfb14702e882b9bf819198d5bf976f17ebce12c481756 nokogiri-1.19.2.gem\r\n\u003c/code\u003e\u003c/pre\u003e\n\u003cp\u003e\u003cstrong\u003eFull Changelog\u003c/strong\u003e: \u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/compare/v1.19.1...v1.19.2\"\u003ehttps://github.com/sparklemotion/nokogiri/compare/v1.19.1...v1.19.2\u003c/a\u003e\u003c/p\u003e\n\u003ch2\u003ev1.19.1 / 2026-02-16\u003c/h2\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md\"\u003enokogiri\u0027s changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev1.19.3 / 2026-04-27\u003c/h2\u003e\n\u003ch3\u003eFixed / Security\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eAddress exponential regex backtracking in CSS selector tokenizer. See \u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-c4rq-3m3g-8wgx\"\u003eGHSA-c4rq-3m3g-8wgx\u003c/a\u003e for more information.\u003c/li\u003e\n\u003cli\u003e[CRuby] Address memory leak in \u003ccode\u003eXSLT::Stylesheet#transform\u003c/code\u003e. See \u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v2fc-qm4h-8hqv\"\u003eGHSA-v2fc-qm4h-8hqv\u003c/a\u003e for more information.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev1.19.2 / 2026-03-19\u003c/h2\u003e\n\u003ch3\u003eDependencies\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[JRuby] Saxon-HE is updated to 12.7, from 9.6.0-4. Saxon-HE is a transitive dependency of nu.validator:jing, and this update addresses CVEs in Saxon-HE\u0027s own transitive dependencies JDOM and dom4j. We don\u0027t think this warrants a security release, however we\u0027re cutting a patch release to help users whose security scanners are flagging this. \u003ca href\u003d\"https://redirect.github.com/sparklemotion/nokogiri/issues/3611\"\u003e#3611\u003c/a\u003e \u003ca href\u003d\"https://github.com/flavorjones\"\u003e\u003ccode\u003e\u003cat\u003e​flavorjones\u003c/code\u003e\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev1.19.1 / 2026-02-16\u003c/h2\u003e\n\u003ch3\u003eSecurity\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Address unchecked return value from \u003ccode\u003exmlC14NExecute\u003c/code\u003e which was a contributing cause to ruby-saml GHSA-x4h9-gwv3-r4m4. See \u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532\"\u003eGHSA-wx95-c6cv-8532\u003c/a\u003e for more information.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev1.19.0 / 2025-12-28\u003c/h2\u003e\n\u003ch4\u003eRuby\u003c/h4\u003e\n\u003cp\u003eThis release is focused on changes to Ruby version support, and is otherwise functionally identical to v1.18.10.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIntroduce native gem support for Ruby 4.0. \u003ca href\u003d\"https://redirect.github.com/sparklemotion/nokogiri/issues/3590\"\u003e#3590\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eEnd support for Ruby 3.1, for which \u003ca href\u003d\"https://www.ruby-lang.org/en/downloads/branches/\"\u003eupstream support ended 2025-03-26\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eEnd support for JRuby 9.4 (which targets Ruby 3.1 compatibility).\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev1.18.10 / 2025-09-15\u003c/h2\u003e\n\u003ch3\u003eDependencies\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored libxml2 is updated to \u003ca href\u003d\"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.9\"\u003ev2.13.9\u003c/a\u003e. Note that the security fixes published in v2.13.9 were already present in Nokogiri v1.18.9.\u003c/li\u003e\n\u003cli\u003e[CRuby] [Windows and MacOS] Vendored libiconv is updated to \u003ca href\u003d\"https://savannah.gnu.org/news/?id\u003d10703\"\u003ev1.18\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev1.18.9 / 2025-07-20\u003c/h2\u003e\n\u003ch3\u003eSecurity\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Applied upstream libxml2 patches to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796. See \u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-353f-x4gh-cqq8\"\u003eGHSA-353f-x4gh-cqq8\u003c/a\u003e for more information.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev1.18.8 / 2025-04-21\u003c/h2\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/commit/c139a3da0fe0cae7499a0bafa20f2875877c585b\"\u003e\u003ccode\u003ec139a3d\u003c/code\u003e\u003c/a\u003e version bump to v1.19.3\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/commit/7501a63b9f4246d12516e35b91fed8be34f854c0\"\u003e\u003ccode\u003e7501a63\u003c/code\u003e\u003c/a\u003e fix: backtracking in CSS tokenizer rules (v1.19.x backport) (\u003ca href\u003d\"https://redirect.github.com/sparklemotion/nokogiri/issues/3627\"\u003e#3627\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/commit/03e7968a730a6544ab56a8d6c3e82dd630ad4339\"\u003e\u003ccode\u003e03e7968\u003c/code\u003e\u003c/a\u003e test: skip CSS tokenizer benchmarks on JRuby\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/commit/b984b7e47f622d1aa97d54c16d5cd596c3eb9538\"\u003e\u003ccode\u003eb984b7e\u003c/code\u003e\u003c/a\u003e fix: ReDoS in CSS tokenizer ident rule\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/commit/00926231e28d5a20e5b4873efba36099aea0d5c6\"\u003e\u003ccode\u003e0092623\u003c/code\u003e\u003c/a\u003e fix: ReDoS in CSS tokenizer STRING rule\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/commit/ee17d33aff3adb30c14e71d3d4c8163465acaccf\"\u003e\u003ccode\u003eee17d33\u003c/code\u003e\u003c/a\u003e fix: memory leak in XSLT transform (backport to v1.19.x) (\u003ca href\u003d\"https://redirect.github.com/sparklemotion/nokogiri/issues/3624\"\u003e#3624\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/commit/ce188a395192e3757d8701949afb643dc025084c\"\u003e\u003ccode\u003ece188a3\u003c/code\u003e\u003c/a\u003e doc: update CHANGELOG\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/commit/caeaac41f874f0944f9397c78bf6c1bfac2cb472\"\u003e\u003ccode\u003ecaeaac4\u003c/code\u003e\u003c/a\u003e fix: memory leak in XSLT transform\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/commit/25220bf268c9808e28415563ed7f8ea8d5c332bf\"\u003e\u003ccode\u003e25220bf\u003c/code\u003e\u003c/a\u003e dep(test): test against libxml-ruby v6 (\u003ca href\u003d\"https://redirect.github.com/sparklemotion/nokogiri/issues/3618\"\u003e#3618\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/commit/0caeb21a5c5e9ff45bbede88fb53655f6753bb0e\"\u003e\u003ccode\u003e0caeb21\u003c/code\u003e\u003c/a\u003e doc: add security warnings for untrusted XSLT stylesheets\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href\u003d\"https://github.com/sparklemotion/nokogiri/compare/v1.15.4...v1.19.3\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `activesupport` from 7.2.1 to 7.2.3.1\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/rails/rails/releases\"\u003eactivesupport\u0027s releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e7.2.3.1\u003c/h2\u003e\n\u003ch2\u003eActive Support\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eReject scientific notation in NumberConverter\u003c/p\u003e\n\u003cp\u003e[CVE-2026-33176]\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eJean Boussier\u003c/em\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFix \u003ccode\u003eSafeBuffer#%\u003c/code\u003e to preserve unsafe status\u003c/p\u003e\n\u003cp\u003e[CVE-2026-33170]\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eJean Boussier\u003c/em\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eImprove performance of NumberToDelimitedConverter\u003c/p\u003e\n\u003cp\u003e[CVE-2026-33169]\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eJean Boussier\u003c/em\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eActive Model\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eNo changes.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eActive Record\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eNo changes.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eAction View\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSkip blank attribute names in tag helpers to avoid generating invalid HTML.\u003c/p\u003e\n\u003cp\u003e[CVE-2026-33168]\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eMike Dalessio\u003c/em\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eAction Pack\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eNo changes.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eActive Job\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eNo changes.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/rails/rails/commit/ba76fca032a66f3716ca8a661c9ddb006acaf885\"\u003e\u003ccode\u003eba76fca\u003c/code\u003e\u003c/a\u003e Preparing for 7.2.3.1 release\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/rails/rails/commit/8a379f43ea3e1c62fc7f6eabc1808ae9f74f726d\"\u003e\u003ccode\u003e8a379f4\u003c/code\u003e\u003c/a\u003e Update changelog\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974\"\u003e\u003ccode\u003eb54a4b3\u003c/code\u003e\u003c/a\u003e Improve performance of NumberToDelimitedConverter\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb\"\u003e\u003ccode\u003ec1ad0e8\u003c/code\u003e\u003c/a\u003e Fix \u003ccode\u003eSafeBuffer#%\u003c/code\u003e to preserve unsafe status\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a\"\u003e\u003ccode\u003eebd6be1\u003c/code\u003e\u003c/a\u003e NumberConverter: reject scientific notation\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/rails/rails/commit/4a155f1fd7d4a1887b169eda4983a052fb2e2f13\"\u003e\u003ccode\u003e4a155f1\u003c/code\u003e\u003c/a\u003e Lock some dependencies\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/rails/rails/commit/bb2bdef2925433a0c5db31b873f9faddf2e2e65d\"\u003e\u003ccode\u003ebb2bdef\u003c/code\u003e\u003c/a\u003e Preparing for 7.2.3 release\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/rails/rails/commit/fe41a9fa77412917ea3f228d6a742f31ad21e26d\"\u003e\u003ccode\u003efe41a9f\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href\u003d\"https://redirect.github.com/rails/rails/issues/55840\"\u003e#55840\u003c/a\u003e from zzak/asup-xml-mini-bigdecimal-float-precision\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/rails/rails/commit/12040a3145012fb312eb2d70fc700f4d34a27934\"\u003e\u003ccode\u003e12040a3\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href\u003d\"https://redirect.github.com/rails/rails/issues/55808\"\u003e#55808\u003c/a\u003e from olivier-thatch/fix-enum-sole\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/rails/rails/commit/58630e19ad0fe3c822302ae147ad1f863c95de2e\"\u003e\u003ccode\u003e58630e1\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href\u003d\"https://redirect.github.com/rails/rails/issues/55794\"\u003e#55794\u003c/a\u003e from rails/fix-55513\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href\u003d\"https://github.com/rails/rails/compare/v7.2.1...v7.2.3.1\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `addressable` from 2.8.7 to 2.9.0\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md\"\u003eaddressable\u0027s changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003eAddressable 2.9.0 \u003c!-- raw HTML omitted --\u003e\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003efixes ReDoS vulnerability in Addressable::Template#match (fixes incomplete\nremediation in 2.8.10)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eAddressable 2.8.10 \u003c!-- raw HTML omitted --\u003e\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003efixes ReDoS vulnerability in Addressable::Template#match\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eAddressable 2.8.9 \u003c!-- raw HTML omitted --\u003e\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReduce gem size by excluding test files (\u003ca href\u003d\"https://redirect.github.com/sporkmonger/addressable/issues/569\"\u003e#569\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eNo need for bundler as development dependency (\u003ca href\u003d\"https://redirect.github.com/sporkmonger/addressable/issues/571\"\u003e#571\u003c/a\u003e, \u003ca href\u003d\"https://github.com/sporkmonger/addressable/commit/5fc1d93\"\u003e5fc1d93\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eidna/pure: stop building the useless \u003ccode\u003eCOMPOSITION_TABLE\u003c/code\u003e (removes the \u003ccode\u003eAddressable::IDNA::COMPOSITION_TABLE\u003c/code\u003e constant) (\u003ca href\u003d\"https://redirect.github.com/sporkmonger/addressable/issues/564\"\u003e#564\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003ca href\u003d\"https://redirect.github.com/sporkmonger/addressable/issues/569\"\u003e#569\u003c/a\u003e: \u003ca href\u003d\"https://redirect.github.com/sporkmonger/addressable/pull/569\"\u003esporkmonger/addressable#569\u003c/a\u003e\n\u003ca href\u003d\"https://redirect.github.com/sporkmonger/addressable/issues/571\"\u003e#571\u003c/a\u003e: \u003ca href\u003d\"https://redirect.github.com/sporkmonger/addressable/pull/571\"\u003esporkmonger/addressable#571\u003c/a\u003e\n\u003ca href\u003d\"https://redirect.github.com/sporkmonger/addressable/issues/564\"\u003e#564\u003c/a\u003e: \u003ca href\u003d\"https://redirect.github.com/sporkmonger/addressable/pull/564\"\u003esporkmonger/addressable#564\u003c/a\u003e\u003c/p\u003e\n\u003ch2\u003eAddressable 2.8.8 \u003c!-- raw HTML omitted --\u003e\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReplace the \u003ccode\u003eunicode.data\u003c/code\u003e blob by a ruby constant (\u003ca href\u003d\"https://redirect.github.com/sporkmonger/addressable/issues/561\"\u003e#561\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eAllow \u003ccode\u003epublic_suffix\u003c/code\u003e 7 (\u003ca href\u003d\"https://redirect.github.com/sporkmonger/addressable/issues/558\"\u003e#558\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003ca href\u003d\"https://redirect.github.com/sporkmonger/addressable/issues/561\"\u003e#561\u003c/a\u003e: \u003ca href\u003d\"https://redirect.github.com/sporkmonger/addressable/pull/561\"\u003esporkmonger/addressable#561\u003c/a\u003e\n\u003ca href\u003d\"https://redirect.github.com/sporkmonger/addressable/issues/558\"\u003e#558\u003c/a\u003e: \u003ca href\u003d\"https://redirect.github.com/sporkmonger/addressable/pull/558\"\u003esporkmonger/addressable#558\u003c/a\u003e\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sporkmonger/addressable/commit/0c3e8589b23d4402903a9b4e1fdeba4e43c52ca4\"\u003e\u003ccode\u003e0c3e858\u003c/code\u003e\u003c/a\u003e Revving version and changelog\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sporkmonger/addressable/commit/91915c1f7aafa3e2c9f42e2f4e21d948c7a861b8\"\u003e\u003ccode\u003e91915c1\u003c/code\u003e\u003c/a\u003e Fixing additional vulnerable paths\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sporkmonger/addressable/commit/a091e39ff02fc321b21dea3a0df585bef2ba3744\"\u003e\u003ccode\u003ea091e39\u003c/code\u003e\u003c/a\u003e Add many more adversarial test cases to ensure we don\u0027t have any ReDoS regres...\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sporkmonger/addressable/commit/463a819665a3b85ce5ce894c90bd7bfa3b9d2e15\"\u003e\u003ccode\u003e463a819\u003c/code\u003e\u003c/a\u003e Regenerate gemspec on newer rubygems\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sporkmonger/addressable/commit/0afcb0b9672bee301e5e96ed850fec05b2fcabb0\"\u003e\u003ccode\u003e0afcb0b\u003c/code\u003e\u003c/a\u003e Improve from O(n^2) to O(n)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sporkmonger/addressable/commit/c87f768f22ab00376ed2f8cb106f59c9d0652d3a\"\u003e\u003ccode\u003ec87f768\u003c/code\u003e\u003c/a\u003e Fix a ReDoS vulnerability in URI template matching\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sporkmonger/addressable/commit/0d7e9b259fb0940d1a85064b04f678a7984409a5\"\u003e\u003ccode\u003e0d7e9b2\u003c/code\u003e\u003c/a\u003e Fix links for 2.8.9 in CHANGELOG (\u003ca href\u003d\"https://redirect.github.com/sporkmonger/addressable/issues/573\"\u003e#573\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sporkmonger/addressable/commit/e2091200b31553f19248eb871f071852409796f8\"\u003e\u003ccode\u003ee209120\u003c/code\u003e\u003c/a\u003e Update version, gemspec, and CHANGELOG for 2.8.9 (\u003ca href\u003d\"https://redirect.github.com/sporkmonger/addressable/issues/572\"\u003e#572\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sporkmonger/addressable/commit/387587492b6536748ed12a11c3fdb44a48885f28\"\u003e\u003ccode\u003e3875874\u003c/code\u003e\u003c/a\u003e Reduce gem size by excluding test files (\u003ca href\u003d\"https://redirect.github.com/sporkmonger/addressable/issues/569\"\u003e#569\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/sporkmonger/addressable/commit/3e57cc6018f94231aabb47fd341acd1b40f1e71a\"\u003e\u003ccode\u003e3e57cc6\u003c/code\u003e\u003c/a\u003e CI: back to \u003ccode\u003ewindows-2022\u003c/code\u003e for MRI job\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href\u003d\"https://github.com/sporkmonger/addressable/compare/addressable-2.8.7...addressable-2.9.0\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `faraday` from 2.12.0 to 2.14.1\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/lostisland/faraday/releases\"\u003efaraday\u0027s releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev2.14.1\u003c/h2\u003e\n\u003ch2\u003eSecurity Note\u003c/h2\u003e\n\u003cp\u003eThis release contains a security fix, we recommend all users to upgrade as soon as possible.\nA Security Advisory with more details will be posted shortly.\u003c/p\u003e\n\u003ch2\u003eWhat\u0027s Changed\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAdd comprehensive AI agent guidelines for Claude, Cursor, and GitHub Copilot by \u003ca href\u003d\"https://github.com/Copilot\"\u003e\u003ccode\u003e\u003cat\u003e​Copilot\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/lostisland/faraday/pull/1642\"\u003elostisland/faraday#1642\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAdd RFC document for Options architecture refactoring plan by \u003ca href\u003d\"https://github.com/Copilot\"\u003e\u003ccode\u003e\u003cat\u003e​Copilot\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/lostisland/faraday/pull/1644\"\u003elostisland/faraday#1644\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eBump actions/checkout from 5 to 6 by \u003ca href\u003d\"https://github.com/dependabot\"\u003e\u003ccode\u003e\u003cat\u003e​dependabot\u003c/code\u003e\u003c/a\u003e[bot] in \u003ca href\u003d\"https://redirect.github.com/lostisland/faraday/pull/1655\"\u003elostisland/faraday#1655\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eExplicit top-level namespace reference by \u003ca href\u003d\"https://github.com/c960657\"\u003e\u003ccode\u003e\u003cat\u003e​c960657\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/lostisland/faraday/pull/1657\"\u003elostisland/faraday#1657\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eNew Contributors\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/Copilot\"\u003e\u003ccode\u003e\u003cat\u003e​Copilot\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href\u003d\"https://redirect.github.com/lostisland/faraday/pull/1642\"\u003elostisland/faraday#1642\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eFull Changelog\u003c/strong\u003e: \u003ca href\u003d\"https://github.com/lostisland/faraday/compare/v2.14.0...v2.14.1\"\u003ehttps://github.com/lostisland/faraday/compare/v2.14.0...v2.14.1\u003c/a\u003e\u003c/p\u003e\n\u003ch2\u003ev2.14.0\u003c/h2\u003e\n\u003ch2\u003eWhat\u0027s Changed\u003c/h2\u003e\n\u003ch3\u003eNew features ✨\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eUse newer \u003ccode\u003eUnprocessableContent\u003c/code\u003e naming for 422 by \u003ca href\u003d\"https://github.com/tylerhunt\"\u003e\u003ccode\u003e\u003cat\u003e​tylerhunt\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/lostisland/faraday/pull/1638\"\u003elostisland/faraday#1638\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eFixes 🐞\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eConvert strings to UTF-8 by \u003ca href\u003d\"https://github.com/c960657\"\u003e\u003ccode\u003e\u003cat\u003e​c960657\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/lostisland/faraday/pull/1624\"\u003elostisland/faraday#1624\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eFix \u003ccode\u003eResponse#to_hash\u003c/code\u003e when response not finished yet by \u003ca href\u003d\"https://github.com/yykamei\"\u003e\u003ccode\u003e\u003cat\u003e​yykamei\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/lostisland/faraday/pull/1639\"\u003elostisland/faraday#1639\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eMisc/Docs 📄\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eLint: use \u003ccode\u003efilter_map\u003c/code\u003e by \u003ca href\u003d\"https://github.com/olleolleolle\"\u003e\u003ccode\u003e\u003cat\u003e​olleolleolle\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/lostisland/faraday/pull/1637\"\u003elostisland/faraday#1637\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eBump \u003ccode\u003eactions/checkout\u003c/code\u003e from v4 to v5 by \u003ca href\u003d\"https://github.com/dependabot\"\u003e\u003ccode\u003e\u003cat\u003e​dependabot\u003c/code\u003e\u003c/a\u003e[bot] in \u003ca href\u003d\"https://redirect.github.com/lostisland/faraday/pull/1636\"\u003elostisland/faraday#1636\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eFixes documentation by \u003ca href\u003d\"https://github.com/dharamgollapudi\"\u003e\u003ccode\u003e\u003cat\u003e​dharamgollapudi\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/lostisland/faraday/pull/1635\"\u003elostisland/faraday#1635\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eNew Contributors\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/c960657\"\u003e\u003ccode\u003e\u003cat\u003e​c960657\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href\u003d\"https://redirect.github.com/lostisland/faraday/pull/1624\"\u003elostisland/faraday#1624\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/dharamgollapudi\"\u003e\u003ccode\u003e\u003cat\u003e​dharamgollapudi\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href\u003d\"https://redirect.github.com/lostisland/faraday/pull/1635\"\u003elostisland/faraday#1635\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/tylerhunt\"\u003e\u003ccode\u003e\u003cat\u003e​tylerhunt\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href\u003d\"https://redirect.github.com/lostisland/faraday/pull/1638\"\u003elostisland/faraday#1638\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eFull Changelog\u003c/strong\u003e: \u003ca href\u003d\"https://github.com/lostisland/faraday/compare/v2.13.4...v2.14.0\"\u003ehttps://github.com/lostisland/faraday/compare/v2.13.4...v2.14.0\u003c/a\u003e\u003c/p\u003e\n\u003ch2\u003ev2.13.4\u003c/h2\u003e\n\u003ch2\u003eWhat\u0027s Changed\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImprove error handling logic and add missing test coverage by \u003ca href\u003d\"https://github.com/iMacTia\"\u003e\u003ccode\u003e\u003cat\u003e​iMacTia\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/lostisland/faraday/pull/1633\"\u003elostisland/faraday#1633\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eFull Changelog\u003c/strong\u003e: \u003ca href\u003d\"https://github.com/lostisland/faraday/compare/v2.13.3...v2.13.4\"\u003ehttps://github.com/lostisland/faraday/compare/v2.13.3...v2.13.4\u003c/a\u003e\u003c/p\u003e\n\u003ch2\u003ev2.13.3\u003c/h2\u003e\n\u003ch2\u003eWhat\u0027s Changed\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFix type assumption in \u003ccode\u003eFaraday::Error\u003c/code\u003e by \u003ca href\u003d\"https://github.com/iMacTia\"\u003e\u003ccode\u003e\u003cat\u003e​iMacTia\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/lostisland/faraday/pull/1630\"\u003elostisland/faraday#1630\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/lostisland/faraday/commit/16cbd38ef252d25dedf416a4d2510a2f3db10c87\"\u003e\u003ccode\u003e16cbd38\u003c/code\u003e\u003c/a\u003e Version bump to 2.14.1\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc\"\u003e\u003ccode\u003ea6d3a3a\u003c/code\u003e\u003c/a\u003e Merge commit from fork\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/lostisland/faraday/commit/b23f710d28c0dba169470f568df4017a1e8beea7\"\u003e\u003ccode\u003eb23f710\u003c/code\u003e\u003c/a\u003e Explicit top-level namespace reference (\u003ca href\u003d\"https://redirect.github.com/lostisland/faraday/issues/1657\"\u003e#1657\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/lostisland/faraday/commit/49ba4ac3a7359baed634c12a82386f6c8c717ea8\"\u003e\u003ccode\u003e49ba4ac\u003c/code\u003e\u003c/a\u003e Bump actions/checkout from 5 to 6 (\u003ca href\u003d\"https://redirect.github.com/lostisland/faraday/issues/1655\"\u003e#1655\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/lostisland/faraday/commit/51a49bc99d7df6f724d250d64771e1d710576df7\"\u003e\u003ccode\u003e51a49bc\u003c/code\u003e\u003c/a\u003e Ensure Claude reads the guidelines and allow to plan in a gitignored .ai/PLAN...\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/lostisland/faraday/commit/894f65cab8f04bcf35e84a2dfd9fc0286dbce340\"\u003e\u003ccode\u003e894f65c\u003c/code\u003e\u003c/a\u003e Add RFC document for Options architecture refactoring plan (\u003ca href\u003d\"https://redirect.github.com/lostisland/faraday/issues/1644\"\u003e#1644\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/lostisland/faraday/commit/397e3ded0c5166313bb22f1c0221b36b6023fd0f\"\u003e\u003ccode\u003e397e3de\u003c/code\u003e\u003c/a\u003e Add comprehensive AI agent guidelines for Claude, Cursor, and GitHub Copilot ...\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/lostisland/faraday/commit/d98c65cfc254ea2898386e4359428527122abec3\"\u003e\u003ccode\u003ed98c65c\u003c/code\u003e\u003c/a\u003e Update Faraday-specific AI agent guidelines\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/lostisland/faraday/commit/56c18ecb718e30c5a3a0dea9bd2361912af9013c\"\u003e\u003ccode\u003e56c18ec\u003c/code\u003e\u003c/a\u003e Add AI agent guidelines specific to Faraday repository\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/lostisland/faraday/commit/3201a42957d37efc968ee8834ba9b50ed5dde54a\"\u003e\u003ccode\u003e3201a42\u003c/code\u003e\u003c/a\u003e Version bump to 2.14.0\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href\u003d\"https://github.com/lostisland/faraday/compare/v2.12.0...v2.14.1\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `rexml` from 3.3.8 to 3.4.2\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/ruby/rexml/releases\"\u003erexml\u0027s releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003eREXML 3.4.2 - 2025-08-26\u003c/h2\u003e\n\u003ch3\u003eImprovement\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eImproved performance.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/244\"\u003eGH-244\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/245\"\u003eGH-245\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/246\"\u003eGH-246\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/249\"\u003eGH-249\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/256\"\u003eGH-256\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by NAITOH Jun\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eRaise appropriate exception when failing to match start tag in DOCTYPE\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/247\"\u003eGH-247\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by NAITOH Jun\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eDeprecate accepting array as an element in XPath.match, first and each\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/252\"\u003eGH-252\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by tomoya ishida\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eDon\u0027t call needless encoding_updated\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/259\"\u003eGH-259\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by Sutou Kouhei\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eReuse XPath::match\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/263\"\u003eGH-263\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by pboling\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eCache redundant calls for doctype\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/264\"\u003eGH-264\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by pboling\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eUse Safe Navigation (\u0026amp;.) from Ruby 2.3\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/265\"\u003eGH-265\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by pboling\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eRemove redundant return statements\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/266\"\u003eGH-266\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by pboling\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded XML declaration check \u0026amp; Source#skip_spaces method\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/282\"\u003eGH-282\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by NAITOH Jun\u003c/li\u003e\n\u003cli\u003eReported by Sofi Aberegg\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eFixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eFix docs typo\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/248\"\u003eGH-248\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by James Coleman\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/ruby/rexml/blob/master/NEWS.md\"\u003erexml\u0027s changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e3.4.2 - 2025-08-26 {#version-3-4-2}\u003c/h2\u003e\n\u003ch3\u003eImprovement\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eImproved performance.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/244\"\u003eGH-244\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/245\"\u003eGH-245\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/246\"\u003eGH-246\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/249\"\u003eGH-249\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/256\"\u003eGH-256\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by NAITOH Jun\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eRaise appropriate exception when failing to match start tag in DOCTYPE\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/247\"\u003eGH-247\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by NAITOH Jun\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eDeprecate accepting array as an element in XPath.match, first and each\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/252\"\u003eGH-252\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by tomoya ishida\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eDon\u0027t call needless encoding_updated\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/259\"\u003eGH-259\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by Sutou Kouhei\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eReuse XPath::match\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/263\"\u003eGH-263\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by pboling\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eCache redundant calls for doctype\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/264\"\u003eGH-264\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by pboling\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eUse Safe Navigation (\u0026amp;.) from Ruby 2.3\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/265\"\u003eGH-265\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by pboling\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eRemove redundant return statements\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/266\"\u003eGH-266\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by pboling\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded XML declaration check \u0026amp; Source#skip_spaces method\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/282\"\u003eGH-282\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by NAITOH Jun\u003c/li\u003e\n\u003cli\u003eReported by Sofi Aberegg\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eFixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eFix docs typo\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/248\"\u003eGH-248\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePatch by James Coleman\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ruby/rexml/commit/f36916fe1c66b8cdc1fe482263115625e084d8fe\"\u003e\u003ccode\u003ef36916f\u003c/code\u003e\u003c/a\u003e Add 3.4.2 entry (\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/284\"\u003e#284\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ruby/rexml/commit/5859bdeac792687eaf93d8e8f0b7e3c1e2ed5c23\"\u003e\u003ccode\u003e5859bde\u003c/code\u003e\u003c/a\u003e Added XML declaration check \u0026amp; \u003ccode\u003eSource#skip_spaces\u003c/code\u003e method (\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/282\"\u003e#282\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ruby/rexml/commit/1d876e3bf658b7b4ec7c3372867521695e8eb023\"\u003e\u003ccode\u003e1d876e3\u003c/code\u003e\u003c/a\u003e Bump actions/checkout from 4 to 5 (\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/283\"\u003e#283\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ruby/rexml/commit/c87bda8bb8773da7e5a0faf9f16ff165eb052a35\"\u003e\u003ccode\u003ec87bda8\u003c/code\u003e\u003c/a\u003e Remove ostruct from dev deps (\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/281\"\u003e#281\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ruby/rexml/commit/c60ae027a3c20f359fdf76fa41ae64d22313f482\"\u003e\u003ccode\u003ec60ae02\u003c/code\u003e\u003c/a\u003e Remove bundler from dev deps (\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/277\"\u003e#277\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ruby/rexml/commit/9b084d78708638cedff54743edc0907c4bd6574a\"\u003e\u003ccode\u003e9b084d7\u003c/code\u003e\u003c/a\u003e Fix \u0026amp; Deprecate REXML::Text#text_indent (\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/275\"\u003e#275\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ruby/rexml/commit/04a589a61bf4e366abee8764ee74b03f4aecc4aa\"\u003e\u003ccode\u003e04a589a\u003c/code\u003e\u003c/a\u003e Fix a bug that XPath can\u0027t be used for no document element (\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/268\"\u003e#268\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ruby/rexml/commit/66232eaf680d0937ae59bea285cdb8e4d3d88a93\"\u003e\u003ccode\u003e66232ea\u003c/code\u003e\u003c/a\u003e Remove redundant return statements (\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/266\"\u003e#266\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ruby/rexml/commit/63f3e9772595a64b036953f0ab026d2ea5560a3b\"\u003e\u003ccode\u003e63f3e97\u003c/code\u003e\u003c/a\u003e Use Safe Navigation (\u0026amp;.) from Ruby 2.3 (\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/265\"\u003e#265\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/ruby/rexml/commit/d427fc5914fcc17d7247c5ff9099ee38639d6702\"\u003e\u003ccode\u003ed427fc5\u003c/code\u003e\u003c/a\u003e Avoid redundant calls for doctype (\u003ca href\u003d\"https://redirect.github.com/ruby/rexml/issues/264\"\u003e#264\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href\u003d\"https://github.com/ruby/rexml/compare/v3.3.8...v3.4.2\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\nDependabot will resolve any conflicts with this PR as long as you don\u0027t alter it yourself. You can also trigger a rebase manually by commenting `\u003cat\u003edependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `\u003cat\u003edependabot rebase` will rebase this PR\n- `\u003cat\u003edependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `\u003cat\u003edependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `\u003cat\u003edependabot ignore \u003cdependency name\u003e major version` will close this group update PR and stop Dependabot creating any more for the specific dependency\u0027s major version (unless you unignore this specific dependency\u0027s major version or upgrade to it yourself)\n- `\u003cat\u003edependabot ignore \u003cdependency name\u003e minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency\u0027s minor version (unless you unignore this specific dependency\u0027s minor version or upgrade to it yourself)\n- `\u003cat\u003edependabot ignore \u003cdependency name\u003e` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)\n- `\u003cat\u003edependabot unignore \u003cdependency name\u003e` will remove all of the ignore conditions of the specified dependency\n- `\u003cat\u003edependabot unignore \u003cdependency name\u003e \u003cignore condition\u003e` will remove the ignore condition of the specified dependency and ignore conditions\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/zeppelin/network/alerts).\n\n\u003c/details\u003e\n\nCloses #5244 from dependabot[bot]/dependabot/bundler/docs/docs-security-updates-0f2c7447a1.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "0a2f85822876e0998d98c6b4dbba3388d59843d6", "tree": "505eb3b12213ddd84080480ff89dd8d8127a35bc", "parents": [ "e1e59bc775ef602f9d71a2117cfb4fb1900782c6" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Sun May 10 18:09:27 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun May 10 18:09:27 2026 +0900" }, "message": "Bump fast-uri from 3.1.0 to 3.1.2 in /zeppelin-web-angular/projects/zeppelin-react\n\nBumps [fast-uri](https://github.com/fastify/fast-uri) from 3.1.0 to 3.1.2.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/fastify/fast-uri/releases\"\u003efast-uri\u0027s releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev3.1.2\u003c/h2\u003e\n\u003ch2\u003e⚠️ Security Release\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFix for \u003ca href\u003d\"https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc\"\u003ehttps://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eWhat\u0027s Changed\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eHandle malformed fragment decoding as a parse error by \u003ca href\u003d\"https://github.com/mcollina\"\u003e\u003ccode\u003e\u003cat\u003e​mcollina\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/pull/171\"\u003efastify/fast-uri#171\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eFull Changelog\u003c/strong\u003e: \u003ca href\u003d\"https://github.com/fastify/fast-uri/compare/v3.1.1...v3.1.2\"\u003ehttps://github.com/fastify/fast-uri/compare/v3.1.1...v3.1.2\u003c/a\u003e\u003c/p\u003e\n\u003ch2\u003ev3.1.1\u003c/h2\u003e\n\u003ch2\u003e⚠️ Security Release\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFix for \u003ca href\u003d\"https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6\"\u003ehttps://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eWhat\u0027s Changed\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ebuild(deps-dev): bump tsd from 0.32.0 to 0.33.0 by \u003ca href\u003d\"https://github.com/dependabot\"\u003e\u003ccode\u003e\u003cat\u003e​dependabot\u003c/code\u003e\u003c/a\u003e[bot] in \u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/pull/148\"\u003efastify/fast-uri#148\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ebuild(deps): bump actions/checkout from 4 to 5 by \u003ca href\u003d\"https://github.com/dependabot\"\u003e\u003ccode\u003e\u003cat\u003e​dependabot\u003c/code\u003e\u003c/a\u003e[bot] in \u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/pull/149\"\u003efastify/fast-uri#149\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003echore(.npmrc): ignore scripts by \u003ca href\u003d\"https://github.com/Fdawgs\"\u003e\u003ccode\u003e\u003cat\u003e​Fdawgs\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/pull/150\"\u003efastify/fast-uri#150\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ebuild(deps-dev): remove \u003ccode\u003e\u003cat\u003e​fastify/pre-commit\u003c/code\u003e by \u003ca href\u003d\"https://github.com/Fdawgs\"\u003e\u003ccode\u003e\u003cat\u003e​Fdawgs\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/pull/151\"\u003efastify/fast-uri#151\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ebuild(deps): bump actions/setup-node from 4 to 5 by \u003ca href\u003d\"https://github.com/dependabot\"\u003e\u003ccode\u003e\u003cat\u003e​dependabot\u003c/code\u003e\u003c/a\u003e[bot] in \u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/pull/152\"\u003efastify/fast-uri#152\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eci(ci): add concurrency config by \u003ca href\u003d\"https://github.com/Fdawgs\"\u003e\u003ccode\u003e\u003cat\u003e​Fdawgs\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/pull/153\"\u003efastify/fast-uri#153\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ebuild(deps): bump actions/setup-node from 5 to 6 by \u003ca href\u003d\"https://github.com/dependabot\"\u003e\u003ccode\u003e\u003cat\u003e​dependabot\u003c/code\u003e\u003c/a\u003e[bot] in \u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/pull/154\"\u003efastify/fast-uri#154\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ebuild(deps): bump actions/checkout from 5 to 6 by \u003ca href\u003d\"https://github.com/dependabot\"\u003e\u003ccode\u003e\u003cat\u003e​dependabot\u003c/code\u003e\u003c/a\u003e[bot] in \u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/pull/156\"\u003efastify/fast-uri#156\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003echore(license): standardise license notice by \u003ca href\u003d\"https://github.com/Fdawgs\"\u003e\u003ccode\u003e\u003cat\u003e​Fdawgs\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/pull/159\"\u003efastify/fast-uri#159\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003estyle: remove trailing whitespace by \u003ca href\u003d\"https://github.com/Fdawgs\"\u003e\u003ccode\u003e\u003cat\u003e​Fdawgs\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/pull/161\"\u003efastify/fast-uri#161\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eci: remove unused github files by \u003ca href\u003d\"https://github.com/Tony133\"\u003e\u003ccode\u003e\u003cat\u003e​Tony133\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/pull/162\"\u003efastify/fast-uri#162\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003echore: update readme by \u003ca href\u003d\"https://github.com/Tony133\"\u003e\u003ccode\u003e\u003cat\u003e​Tony133\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/pull/164\"\u003efastify/fast-uri#164\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ebuild(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by \u003ca href\u003d\"https://github.com/dependabot\"\u003e\u003ccode\u003e\u003cat\u003e​dependabot\u003c/code\u003e\u003c/a\u003e[bot] in \u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/pull/165\"\u003efastify/fast-uri#165\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ebuild(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by \u003ca href\u003d\"https://github.com/dependabot\"\u003e\u003ccode\u003e\u003cat\u003e​dependabot\u003c/code\u003e\u003c/a\u003e[bot] in \u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/pull/166\"\u003efastify/fast-uri#166\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ebuild(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by \u003ca href\u003d\"https://github.com/dependabot\"\u003e\u003ccode\u003e\u003cat\u003e​dependabot\u003c/code\u003e\u003c/a\u003e[bot] in \u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/pull/167\"\u003efastify/fast-uri#167\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eci: add lock-threads workflow by \u003ca href\u003d\"https://github.com/Fdawgs\"\u003e\u003ccode\u003e\u003cat\u003e​Fdawgs\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/pull/169\"\u003efastify/fast-uri#169\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eNew Contributors\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/Tony133\"\u003e\u003ccode\u003e\u003cat\u003e​Tony133\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/pull/162\"\u003efastify/fast-uri#162\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eFull Changelog\u003c/strong\u003e: \u003ca href\u003d\"https://github.com/fastify/fast-uri/compare/v3.1.0...v3.1.1\"\u003ehttps://github.com/fastify/fast-uri/compare/v3.1.0...v3.1.1\u003c/a\u003e\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/fastify/fast-uri/commit/919dd8ea7689fcc220d0d9b71307f5095e723ef9\"\u003e\u003ccode\u003e919dd8e\u003c/code\u003e\u003c/a\u003e Bumped v3.1.2\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/fastify/fast-uri/commit/c65ba573714af6b8e19e481d9444c27bc4355d07\"\u003e\u003ccode\u003ec65ba57\u003c/code\u003e\u003c/a\u003e fixup: linting\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/fastify/fast-uri/commit/6c86c17c3d76fb93aa3700ec6c0fa00faeb97293\"\u003e\u003ccode\u003e6c86c17\u003c/code\u003e\u003c/a\u003e Merge commit from fork\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/fastify/fast-uri/commit/a95158ad308df4d92bbde4eba699ce5165e9f796\"\u003e\u003ccode\u003ea95158a\u003c/code\u003e\u003c/a\u003e Handle malformed fragment decoding without throwing (\u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/issues/171\"\u003e#171\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/fastify/fast-uri/commit/cea547c91c6aae610041b17b75792ca4aa035a6d\"\u003e\u003ccode\u003ecea547c\u003c/code\u003e\u003c/a\u003e Bumped v3.1.1\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/fastify/fast-uri/commit/876ce79b662c3e5015e4e7dffe6f37752ad34f35\"\u003e\u003ccode\u003e876ce79\u003c/code\u003e\u003c/a\u003e Merge commit from fork\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/fastify/fast-uri/commit/dcdf690b71a7bb3a19887ada65a9ab160d83bcc0\"\u003e\u003ccode\u003edcdf690\u003c/code\u003e\u003c/a\u003e ci: add lock-threads workflow (\u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/issues/169\"\u003e#169\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/fastify/fast-uri/commit/c860e6589b1ac346f66e114b4eadb9613768108c\"\u003e\u003ccode\u003ec860e65\u003c/code\u003e\u003c/a\u003e build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (\u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/issues/167\"\u003e#167\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/fastify/fast-uri/commit/9b4c6dc82fde0ca44e674403ece9185d85bb6d5f\"\u003e\u003ccode\u003e9b4c6dc\u003c/code\u003e\u003c/a\u003e build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (\u003ca href\u003d\"https://redirect.github.com/fastify/fast-uri/issues/166\"\u003e#166\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/fastify/fast-uri/commit/85d09a9f7aa76b32c2bb005a90a71e144c361d24\"\u003e\u003ccode\u003e85d09a9\u003c/code\u003e\u003c/a\u003e build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href\u003d\"https://github.com/fastify/fast-uri/compare/v3.1.0...v3.1.2\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name\u003dfast-uri\u0026package-manager\u003dnpm_and_yarn\u0026previous-version\u003d3.1.0\u0026new-version\u003d3.1.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don\u0027t alter it yourself. You can also trigger a rebase manually by commenting `\u003cat\u003edependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `\u003cat\u003edependabot rebase` will rebase this PR\n- `\u003cat\u003edependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `\u003cat\u003edependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `\u003cat\u003edependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `\u003cat\u003edependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `\u003cat\u003edependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/zeppelin/network/alerts).\n\n\u003c/details\u003e\n\nCloses #5245 from dependabot[bot]/dependabot/npm_and_yarn/zeppelin-web-angular/projects/zeppelin-react/fast-uri-3.1.2.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "e1e59bc775ef602f9d71a2117cfb4fb1900782c6", "tree": "8512529832d8778fad7fbc24ceb4ce2fd1a43e8a", "parents": [ "cc0145116240cf586351c6d258d6c7c3add3b5c6" ], "author": { "name": "Jongyoul Lee", "email": "jongyoul@gmail.com", "time": "Sun May 10 13:10:24 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun May 10 13:10:24 2026 +0900" }, "message": "[MINOR] Drop ticket value from WebSocket debug log statements\n\n### What is this PR for?\n\nRemoves the WebSocket auth ticket value from three `LOGGER.debug` call sites in `NotebookServer.onMessage`. The ticket is a per-session UUID and adds no debugging value beyond the principal that owns it; emitting the raw value makes it visible to anyone with access to log files or downstream log collectors.\n\nThe three call sites and the change applied to each:\n\n- **RECEIVE block** — drops the `RECEIVE TICKET` column. The remaining `op` / `principal` / `roles` / `data` columns are sufficient to identify the message.\n- **\"no ticket on file\" branch** — logs the principal that has no entry instead of echoing back the rejected ticket.\n- **\"ticket mismatch\" branch** — logs the principal whose ticket did not match, rather than both raw values.\n\n`Message.toString()` does not include the ticket field, so the surrounding `LOGGER.trace(\"RECEIVE MSG \u003d \" + receivedMessage)` already does not leak it.\n\n### What type of PR is it?\n\nImprovement\n\n### What is the Jira issue?\n\nN/A — minor logging hygiene change, no behavioral or API change.\n\n### How should this be tested?\n\nDiff is self-evident. The three changed sites stay on the existing branches; behavior (what is returned to the client, what is rejected) is unchanged. Existing `NotebookServerTest` continues to exercise these paths.\n\n### Screenshots (if appropriate)\n\nN/A\n\n### Questions:\n\n- Does the license files need to update? No\n- Is there breaking changes for older versions? No\n- Does this needs documentation? No\n\nCloses #5228 from jongyoul/ZEPPELIN-ws-ticket-log-redact.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "cc0145116240cf586351c6d258d6c7c3add3b5c6", "tree": "3fa3b0218043e44b713987a54ec73f392b0e0975", "parents": [ "bb6ed268edd89019f6e17fcaf9f40e8b041ca15e" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Fri May 08 22:29:14 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Fri May 08 22:29:14 2026 +0900" }, "message": "Bump the alluxio-security-updates group across 1 directory with 2 updates (#5243)\n\nBumps the alluxio-security-updates group with 2 updates in the /alluxio directory: [com.google.guava:guava](https://github.com/google/guava) and [com.google.protobuf:protobuf-java](https://github.com/protocolbuffers/protobuf).\n\n\nUpdates `com.google.guava:guava` from 31.0.1-jre to 32.0.0-jre\n- [Release notes](https://github.com/google/guava/releases)\n- [Commits](https://github.com/google/guava/commits)\n\nUpdates `com.google.protobuf:protobuf-java` from 3.16.1 to 3.25.5\n- [Release notes](https://github.com/protocolbuffers/protobuf/releases)\n- [Commits](https://github.com/protocolbuffers/protobuf/compare/v3.16.1...v3.25.5)\n\n---\nupdated-dependencies:\n- dependency-name: com.google.guava:guava\n dependency-version: 32.0.0-jre\n dependency-type: direct:development\n dependency-group: alluxio-security-updates\n- dependency-name: com.google.protobuf:protobuf-java\n dependency-version: 3.25.5\n dependency-type: direct:development\n dependency-group: alluxio-security-updates\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "bb6ed268edd89019f6e17fcaf9f40e8b041ca15e", "tree": "dc348731f2292677ee1a59452495a2b179119d11", "parents": [ "036c8a05fd9864a195ee1b8b23f7aaa384f3bcbd" ], "author": { "name": "Jongyoul Lee", "email": "jongyoul@gmail.com", "time": "Fri May 08 11:06:30 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Fri May 08 11:06:30 2026 +0900" }, "message": "[ZEPPELIN-6405] Add AGENTS.md for AI coding agent guidance\n\n## Summary\n\n- Add comprehensive `AGENTS.md` following the [open standard](https://github.com/anthropics/agents-md) to help AI coding agents understand and work effectively with the Zeppelin codebase\n- Covers module architecture, server-interpreter Thrift IPC communication, plugin system with custom classloading, reflection patterns, interpreter lifecycle, and contributing guide\n- Build/test instructions kept concise; focus on deep architectural context\n\n## Test plan\n\n- [ ] Verify `AGENTS.md` renders correctly on GitHub\n- [ ] Verify RAT license check passes (`./mvnw clean org.apache.rat:apache-rat-plugin:check -Prat`)\n\nCloses #5187 from jongyoul/ZEPPELIN-6405-agents-md.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "036c8a05fd9864a195ee1b8b23f7aaa384f3bcbd", "tree": "944b451b55a6bc2a9c997d431cccb391b9e82669", "parents": [ "f6d37d20175f8525854a6613d11f4ab3dc1e27e9" ], "author": { "name": "Jongyoul Lee", "email": "jongyoul@gmail.com", "time": "Tue May 05 21:07:31 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue May 05 21:07:31 2026 +0900" }, "message": "[ZEPPELIN-6355] Merge zeppelin-zengine to zeppelin-server\n\n### What is this PR for?\nThis PR merges the `zeppelin-zengine` module into `zeppelin-server` to simplify the project architecture. The zengine module contained core engine functionality for notebook management, paragraph execution, and interpreter management, which is tightly coupled with the server. This merge reduces build complexity while preserving all git history using `git mv` for file movements.\n\n**Note:** The previous blocker (maven-shade-plugin corrupting ZeppelinConfiguration string literals) has been resolved by [ZEPPELIN-6400](https://github.com/apache/zeppelin/pull/5167), which moved ZeppelinConfiguration out of `zeppelin-interpreter` into `zeppelin-zengine` and replaced interpreter-side usage with Properties-based configuration.\n\n### What type of PR is it?\nRefactoring\n\n### Todos\n* [x] Move all source files from zeppelin-zengine to zeppelin-server using git mv (192 files)\n* [x] Merge zengine dependencies into zeppelin-server pom.xml\n* [x] Update zeppelin-plugins to depend on zeppelin-server instead of zeppelin-zengine\n* [x] Update zeppelin-interpreter-integration dependencies\n* [x] Update zeppelin-integration dependencies\n* [x] Remove zeppelin-zengine module from root pom.xml\n* [x] Update shell scripts (bin/*.sh, bin/*.cmd)\n* [x] Update GitHub Actions workflows\n* [x] Remove zeppelin-zengine directory\n* [x] Update documentation and code references\n* [x] Add commons-logging exclusions (per reviewer feedback)\n* [ ] Verify CI passes\n\n### What is the Jira issue?\n* ZEPPELIN-6355\n\n### How should this be tested?\n* CI\n\n### Screenshots (if appropriate)\n\n### Questions:\n* Does the license files need to update? No\n* Is there breaking changes for older versions? No\n* Does this needs documentation? No\n\nCloses #5095 from jongyoul/ZEPPELIN-6345.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "f6d37d20175f8525854a6613d11f4ab3dc1e27e9", "tree": "9b5134153098abbbc5af0e94cc4712b392e76fa4", "parents": [ "6353224cd1490f42ac1ea6056ba79ccd8a06c765" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Sat May 02 20:01:03 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sat May 02 20:01:03 2026 +0900" }, "message": "Bump follow-redirects in /zeppelin-web-angular/projects/zeppelin-react (#5222)" }, { "commit": "6353224cd1490f42ac1ea6056ba79ccd8a06c765", "tree": "1503015d7dd1c0859216079f76daa105dc6a17ac", "parents": [ "880f1391167946a6bc5076d6f463ce85d31f93c8" ], "author": { "name": "Gyeongtae Park", "email": "gyeongtae@apache.org", "time": "Thu Apr 23 13:46:02 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu Apr 23 13:46:02 2026 +0900" }, "message": "[ZEPPELIN-6403] Fix deprecated auto-activate-base parameter in GitHub Actions\n\n### What is this PR for?\r\nThis PR fixes deprecation warnings in GitHub Actions workflows by replacing the deprecated `auto-activate-base` parameter with `auto-activate` in the `conda-incubator/setup-miniconda\u003cat\u003ev3` action.\r\n\r\nThe `auto-activate-base` parameter has been deprecated in favor of the more clearly named `auto-activate` parameter. This change removes deprecation warnings from GitHub Actions workflow logs while maintaining identical functionality.\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### Todos\r\n* [x] - Replace `auto-activate-base` with `auto-activate` in frontend.yml\r\n* [x] - Replace `auto-activate-base` with `auto-activate` in core.yml\r\n\r\n### What is the Jira issue?\r\n* https://issues.apache.org/jira/browse/ZEPPELIN-6403\r\n\r\n### How should this be tested?\r\n* Verify that GitHub Actions workflows run without deprecation warnings\r\n* Confirm that all conda environment setup steps work correctly\r\n* Check that Python and R interpreters are properly activated in CI jobs\r\n\r\nManual testing:\r\n1. Push the changes to a branch\r\n2. Observe GitHub Actions workflow runs\r\n3. Confirm no deprecation warnings appear in the setup-miniconda steps\r\n4. Verify all jobs complete successfully\r\n\r\n### Screenshots (if appropriate)\r\n\r\n**Before (with deprecation warning):**\r\n\u003cimg width\u003d\"1408\" height\u003d\"486\" alt\u003d\"image\" src\u003d\"https://github.com/user-attachments/assets/fba1149a-074f-4fe2-a8aa-645a822ae5b4\" /\u003e\r\n\r\n### Questions:\r\n* Does the license files need to update? No.\r\n* Is there breaking changes for older versions? No.\r\n* Does this needs documentation? No.\r\n\n\nCloses #5178 from ParkGyeongTae/ZEPPELIN-6403.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "880f1391167946a6bc5076d6f463ce85d31f93c8", "tree": "9286f0a986b0c155ef32b75f770aa157ad59a833", "parents": [ "28e9aa72450cec7dc0c72f7890daba431fd28187" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Thu Apr 23 10:54:39 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu Apr 23 10:54:39 2026 +0900" }, "message": "Bump the dev-security-updates group across 1 directory with 2 updates\n\nBumps the dev-security-updates group with 2 updates in the /dev directory: [python-dotenv](https://github.com/theskumar/python-dotenv) and [urllib3](https://github.com/urllib3/urllib3).\n\nUpdates `python-dotenv` from 1.1.1 to 1.2.2\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/theskumar/python-dotenv/releases\"\u003epython-dotenv\u0027s releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev1.2.2\u003c/h2\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eSupport for Python 3.14, including the free-threaded (3.14t) build. (#)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eThe \u003ccode\u003edotenv run\u003c/code\u003e command now forwards flags directly to the specified command by \u003ca href\u003d\"https://github.com/bbc2\"\u003e\u003ccode\u003e\u003cat\u003e​bbc2\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/pull/607\"\u003etheskumar/python-dotenv#607\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eImproved documentation clarity regarding override behavior and the reference page.\u003c/li\u003e\n\u003cli\u003eUpdated PyPy support to version 3.11.\u003c/li\u003e\n\u003cli\u003eDocumentation for FIFO file support.\u003c/li\u003e\n\u003cli\u003eSupport for Python 3.9.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eFixed\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eImproved \u003ccode\u003eset_key\u003c/code\u003e and \u003ccode\u003eunset_key\u003c/code\u003e behavior when interacting with symlinks by \u003ca href\u003d\"https://github.com/bbc2\"\u003e\u003ccode\u003e\u003cat\u003e​bbc2\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311\"\u003e#790c5\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eCorrected the license specifier and added missing Python 3.14 classifiers in package metadata by \u003ca href\u003d\"https://github.com/JYOuyang\"\u003e\u003ccode\u003e\u003cat\u003e​JYOuyang\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/pull/590\"\u003etheskumar/python-dotenv#590\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eBreaking Changes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ccode\u003edotenv.set_key\u003c/code\u003e and \u003ccode\u003edotenv.unset_key\u003c/code\u003e used to follow symlinks in some\nsituations. This is no longer the case. For that behavior to be restored in\nall cases, \u003ccode\u003efollow_symlinks\u003dTrue\u003c/code\u003e should be used.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eIn the CLI, \u003ccode\u003eset\u003c/code\u003e and \u003ccode\u003eunset\u003c/code\u003e used to follow symlinks in some situations. This\nis no longer the case.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ccode\u003edotenv.set_key\u003c/code\u003e, \u003ccode\u003edotenv.unset_key\u003c/code\u003e and the CLI commands \u003ccode\u003eset\u003c/code\u003e and \u003ccode\u003eunset\u003c/code\u003e\nused to reset the file mode of the modified .env file to \u003ccode\u003e0o600\u003c/code\u003e in some\nsituations. This is no longer the case: The original mode of the file is now\npreserved. Is the file needed to be created or wasn\u0027t a regular file, mode\n\u003ccode\u003e0o600\u003c/code\u003e is used.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eMisc\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eskip 000 permission tests for root user by \u003ca href\u003d\"https://github.com/burnout-projects\"\u003e\u003ccode\u003e\u003cat\u003e​burnout-projects\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/pull/561\"\u003etheskumar/python-dotenv#561\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eBump actions/checkout from 5 to 6 in the github-actions group by \u003ca href\u003d\"https://github.com/dependabot\"\u003e\u003ccode\u003e\u003cat\u003e​dependabot\u003c/code\u003e\u003c/a\u003e[bot] in \u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/pull/593\"\u003etheskumar/python-dotenv#593\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAdd Windows testing to CI by \u003ca href\u003d\"https://github.com/bbc2\"\u003e\u003ccode\u003e\u003cat\u003e​bbc2\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/pull/604\"\u003etheskumar/python-dotenv#604\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eImprove workflow efficiency with best practices by \u003ca href\u003d\"https://github.com/theskumar\"\u003e\u003ccode\u003e\u003cat\u003e​theskumar\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/pull/609\"\u003etheskumar/python-dotenv#609\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eRemove the use of \u003ccode\u003esh\u003c/code\u003e in tests by \u003ca href\u003d\"https://github.com/bbc2\"\u003e\u003ccode\u003e\u003cat\u003e​bbc2\u003c/code\u003e\u003c/a\u003e in \u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/pull/612\"\u003etheskumar/python-dotenv#612\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eNew Contributors\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/JYOuyang\"\u003e\u003ccode\u003e\u003cat\u003e​JYOuyang\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/pull/590\"\u003etheskumar/python-dotenv#590\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/burnout-projects\"\u003e\u003ccode\u003e\u003cat\u003e​burnout-projects\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/pull/561\"\u003etheskumar/python-dotenv#561\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/cpackham-atlnz\"\u003e\u003ccode\u003e\u003cat\u003e​cpackham-atlnz\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/pull/597\"\u003etheskumar/python-dotenv#597\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eFull Changelog\u003c/strong\u003e: \u003ca href\u003d\"https://github.com/theskumar/python-dotenv/compare/v1.2.1...v1.2.2\"\u003ehttps://github.com/theskumar/python-dotenv/compare/v1.2.1...v1.2.2\u003c/a\u003e\u003c/p\u003e\n\u003ch2\u003ev1.2.1\u003c/h2\u003e\n\u003ch2\u003eWhat\u0027s Changed\u003c/h2\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md\"\u003epython-dotenv\u0027s changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e[1.2.2] - 2026-03-01\u003c/h2\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eSupport for Python 3.14, including the free-threaded (3.14t) build. (\u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/issues/588\"\u003e#588\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eThe \u003ccode\u003edotenv run\u003c/code\u003e command now forwards flags directly to the specified command by [\u003ca href\u003d\"https://github.com/bbc2\"\u003e\u003ccode\u003e\u003cat\u003e​bbc2\u003c/code\u003e\u003c/a\u003e] in \u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/issues/607\"\u003e#607\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eImproved documentation clarity regarding override behavior and the reference page.\u003c/li\u003e\n\u003cli\u003eUpdated PyPy support to version 3.11.\u003c/li\u003e\n\u003cli\u003eDocumentation for FIFO file support.\u003c/li\u003e\n\u003cli\u003eDropped Support for Python 3.9.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eFixed\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eImproved \u003ccode\u003eset_key\u003c/code\u003e and \u003ccode\u003eunset_key\u003c/code\u003e behavior when interacting with symlinks by [\u003ca href\u003d\"https://github.com/bbc2\"\u003e\u003ccode\u003e\u003cat\u003e​bbc2\u003c/code\u003e\u003c/a\u003e] in [790c5c0]\u003c/li\u003e\n\u003cli\u003eCorrected the license specifier and added missing Python 3.14 classifiers in package metadata by [\u003ca href\u003d\"https://github.com/JYOuyang\"\u003e\u003ccode\u003e\u003cat\u003e​JYOuyang\u003c/code\u003e\u003c/a\u003e] in \u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/issues/590\"\u003e#590\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eBreaking Changes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ccode\u003edotenv.set_key\u003c/code\u003e and \u003ccode\u003edotenv.unset_key\u003c/code\u003e used to follow symlinks in some\nsituations. This is no longer the case. For that behavior to be restored in\nall cases, \u003ccode\u003efollow_symlinks\u003dTrue\u003c/code\u003e should be used.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eIn the CLI, \u003ccode\u003eset\u003c/code\u003e and \u003ccode\u003eunset\u003c/code\u003e used to follow symlinks in some situations. This\nis no longer the case.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ccode\u003edotenv.set_key\u003c/code\u003e, \u003ccode\u003edotenv.unset_key\u003c/code\u003e and the CLI commands \u003ccode\u003eset\u003c/code\u003e and \u003ccode\u003eunset\u003c/code\u003e\nused to reset the file mode of the modified .env file to \u003ccode\u003e0o600\u003c/code\u003e in some\nsituations. This is no longer the case: The original mode of the file is now\npreserved. Is the file needed to be created or wasn\u0027t a regular file, mode\n\u003ccode\u003e0o600\u003c/code\u003e is used.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e[1.2.1] - 2025-10-26\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMove more config to \u003ccode\u003epyproject.toml\u003c/code\u003e, removed \u003ccode\u003esetup.cfg\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eAdd support for reading \u003ccode\u003e.env\u003c/code\u003e from FIFOs (Unix) by [\u003ca href\u003d\"https://github.com/sidharth-sudhir\"\u003e\u003ccode\u003e\u003cat\u003e​sidharth-sudhir\u003c/code\u003e\u003c/a\u003e] in \u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/issues/586\"\u003e#586\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e[1.2.0] - 2025-10-26\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade build system to use PEP 517 \u0026amp; PEP 518 to use \u003ccode\u003ebuild\u003c/code\u003e and \u003ccode\u003epyproject.toml\u003c/code\u003e by [\u003ca href\u003d\"https://github.com/EpicWink\"\u003e\u003ccode\u003e\u003cat\u003e​EpicWink\u003c/code\u003e\u003c/a\u003e] in \u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/issues/583\"\u003e#583\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAdd support for Python 3.14 by [\u003ca href\u003d\"https://github.com/23f3001135\"\u003e\u003ccode\u003e\u003cat\u003e​23f3001135\u003c/code\u003e\u003c/a\u003e] in \u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/issues/579\"\u003e#579\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAdd support for disabling of \u003ccode\u003eload_dotenv()\u003c/code\u003e using \u003ccode\u003ePYTHON_DOTENV_DISABLED\u003c/code\u003e env var. by [\u003ca href\u003d\"https://github.com/matthewfranglen\"\u003e\u003ccode\u003e\u003cat\u003e​matthewfranglen\u003c/code\u003e\u003c/a\u003e] in \u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/issues/569\"\u003e#569\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/theskumar/python-dotenv/commit/36004e0e34be7665ff2b11a8a4005144f76f176d\"\u003e\u003ccode\u003e36004e0\u003c/code\u003e\u003c/a\u003e Bump version: 1.2.1 → 1.2.2\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/theskumar/python-dotenv/commit/eb202520e5933c9daf42501e1e42fdb0144002c8\"\u003e\u003ccode\u003eeb20252\u003c/code\u003e\u003c/a\u003e docs: update changelog for v1.2.2\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311\"\u003e\u003ccode\u003e790c5c0\u003c/code\u003e\u003c/a\u003e Merge commit from fork\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/theskumar/python-dotenv/commit/43340da220fb4ca4f95357bbe21a3c7f8f1278b1\"\u003e\u003ccode\u003e43340da\u003c/code\u003e\u003c/a\u003e Remove the use of \u003ccode\u003esh\u003c/code\u003e in tests (\u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/issues/612\"\u003e#612\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/theskumar/python-dotenv/commit/09d7cee32459e7abdcb5c9d8122a552589c06a9c\"\u003e\u003ccode\u003e09d7cee\u003c/code\u003e\u003c/a\u003e docs: clarify override behavior and document FIFO support (\u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/issues/610\"\u003e#610\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/theskumar/python-dotenv/commit/c8de2887c00198c22842c5ae5e92d1747467363c\"\u003e\u003ccode\u003ec8de288\u003c/code\u003e\u003c/a\u003e ci: improve workflow efficiency with best practices (\u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/issues/609\"\u003e#609\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/theskumar/python-dotenv/commit/7bd9e3dbfedc0983ad7d56d5570013035242bdf4\"\u003e\u003ccode\u003e7bd9e3d\u003c/code\u003e\u003c/a\u003e Add Windows testing to CI (\u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/issues/604\"\u003e#604\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/theskumar/python-dotenv/commit/1baaf04f336072e0ee324d5df9563ec767f14f81\"\u003e\u003ccode\u003e1baaf04\u003c/code\u003e\u003c/a\u003e Drop Python 3.9 support and update to PyPy 3.11 (\u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/issues/608\"\u003e#608\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/theskumar/python-dotenv/commit/4a22cf8993804aeede0c20b75bb1a29d3a99e9dc\"\u003e\u003ccode\u003e4a22cf8\u003c/code\u003e\u003c/a\u003e ci: enable testing on Python 3.14t (free-threaded) (\u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/issues/588\"\u003e#588\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/theskumar/python-dotenv/commit/e2e8e776b42e382ae38b44d3982dd649e7507dd4\"\u003e\u003ccode\u003ee2e8e77\u003c/code\u003e\u003c/a\u003e Fix license specifier (\u003ca href\u003d\"https://redirect.github.com/theskumar/python-dotenv/issues/597\"\u003e#597\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href\u003d\"https://github.com/theskumar/python-dotenv/compare/v1.1.1...v1.2.2\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `urllib3` from 2.5.0 to 2.6.3\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/urllib3/urllib3/releases\"\u003eurllib3\u0027s releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e2.6.3\u003c/h2\u003e\n\u003ch2\u003e🚀 urllib3 is fundraising for HTTP/2 support\u003c/h2\u003e\n\u003cp\u003e\u003ca href\u003d\"https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support\"\u003eurllib3 is raising ~$40,000 USD\u003c/a\u003e to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects \u003ca href\u003d\"https://opencollective.com/urllib3\"\u003eplease consider contributing financially\u003c/a\u003e to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.\u003c/p\u003e\n\u003cp\u003eThank you for your support.\u003c/p\u003e\n\u003ch2\u003eChanges\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by \u003ca href\u003d\"https://github.com/D47A\"\u003e\u003ccode\u003e\u003cat\u003e​D47A\u003c/code\u003e\u003c/a\u003e, 8.9 High, GHSA-38jv-5279-wg99)\u003c/li\u003e\n\u003cli\u003eStarted treating \u003ccode\u003eRetry-After\u003c/code\u003e times greater than 6 hours as 6 hours by default. (\u003ca href\u003d\"https://redirect.github.com/urllib3/urllib3/issues/3743\"\u003eurllib3/urllib3#3743\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFixed \u003ccode\u003eurllib3.connection.VerifiedHTTPSConnection\u003c/code\u003e on Emscripten. (\u003ca href\u003d\"https://redirect.github.com/urllib3/urllib3/issues/3752\"\u003eurllib3/urllib3#3752\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e2.6.2\u003c/h2\u003e\n\u003ch2\u003e🚀 urllib3 is fundraising for HTTP/2 support\u003c/h2\u003e\n\u003cp\u003e\u003ca href\u003d\"https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support\"\u003eurllib3 is raising ~$40,000 USD\u003c/a\u003e to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects \u003ca href\u003d\"https://opencollective.com/urllib3\"\u003eplease consider contributing financially\u003c/a\u003e to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.\u003c/p\u003e\n\u003cp\u003eThank you for your support.\u003c/p\u003e\n\u003ch2\u003eChanges\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFixed \u003ccode\u003eHTTPResponse.read_chunked()\u003c/code\u003e to properly handle leftover data in the decoder\u0027s buffer when reading compressed chunked responses. (\u003ca href\u003d\"https://redirect.github.com/urllib3/urllib3/issues/3734\"\u003eurllib3/urllib3#3734\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e2.6.1\u003c/h2\u003e\n\u003ch2\u003e🚀 urllib3 is fundraising for HTTP/2 support\u003c/h2\u003e\n\u003cp\u003e\u003ca href\u003d\"https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support\"\u003eurllib3 is raising ~$40,000 USD\u003c/a\u003e to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects \u003ca href\u003d\"https://opencollective.com/urllib3\"\u003eplease consider contributing financially\u003c/a\u003e to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.\u003c/p\u003e\n\u003cp\u003eThank you for your support.\u003c/p\u003e\n\u003ch2\u003eChanges\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRestore previously removed \u003ccode\u003eHTTPResponse.getheaders()\u003c/code\u003e and \u003ccode\u003eHTTPResponse.getheader()\u003c/code\u003e methods. (\u003ca href\u003d\"https://redirect.github.com/urllib3/urllib3/issues/3731\"\u003e#3731\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e2.6.0\u003c/h2\u003e\n\u003ch2\u003e🚀 urllib3 is fundraising for HTTP/2 support\u003c/h2\u003e\n\u003cp\u003e\u003ca href\u003d\"https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support\"\u003eurllib3 is raising ~$40,000 USD\u003c/a\u003e to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects \u003ca href\u003d\"https://opencollective.com/urllib3\"\u003eplease consider contributing financially\u003c/a\u003e to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.\u003c/p\u003e\n\u003cp\u003eThank you for your support.\u003c/p\u003e\n\u003ch2\u003eSecurity\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFixed a security issue where streaming API could improperly handle highly compressed HTTP content (\u0026quot;decompression bombs\u0026quot;) leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by \u003ca href\u003d\"https://github.com/Cycloctane\"\u003e\u003ccode\u003e\u003cat\u003e​Cycloctane\u003c/code\u003e\u003c/a\u003e, 8.9 High, GHSA-2xpw-w6gg-jr37)\u003c/li\u003e\n\u003cli\u003eFixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the \u003ccode\u003eContent-Encoding\u003c/code\u003e header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by \u003ca href\u003d\"https://github.com/illia-v\"\u003e\u003ccode\u003e\u003cat\u003e​illia-v\u003c/code\u003e\u003c/a\u003e, 8.9 High, GHSA-gm62-xv2j-4w53)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cblockquote\u003e\n\u003cp\u003e[!IMPORTANT]\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIf urllib3 is not installed with the optional \u003ccode\u003eurllib3[brotli]\u003c/code\u003e extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using \u003ccode\u003eurllib3[brotli]\u003c/code\u003e to install a compatible Brotli package automatically.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/urllib3/urllib3/blob/main/CHANGES.rst\"\u003eurllib3\u0027s changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch1\u003e2.6.3 (2026-01-07)\u003c/h1\u003e\n\u003cul\u003e\n\u003cli\u003eFixed a high-severity security issue where decompression-bomb safeguards of\nthe streaming API were bypassed when HTTP redirects were followed.\n(\u003ccode\u003eGHSA-38jv-5279-wg99 \u0026lt;https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99\u0026gt;\u003c/code\u003e__)\u003c/li\u003e\n\u003cli\u003eStarted treating \u003ccode\u003eRetry-After\u003c/code\u003e times greater than 6 hours as 6 hours by\ndefault. (\u003ccode\u003e[#3743](https://github.com/urllib3/urllib3/issues/3743) \u0026lt;https://github.com/urllib3/urllib3/issues/3743\u0026gt;\u003c/code\u003e__)\u003c/li\u003e\n\u003cli\u003eFixed \u003ccode\u003eurllib3.connection.VerifiedHTTPSConnection\u003c/code\u003e on Emscripten.\n(\u003ccode\u003e[#3752](https://github.com/urllib3/urllib3/issues/3752) \u0026lt;https://github.com/urllib3/urllib3/issues/3752\u0026gt;\u003c/code\u003e__)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e2.6.2 (2025-12-11)\u003c/h1\u003e\n\u003cul\u003e\n\u003cli\u003eFixed \u003ccode\u003eHTTPResponse.read_chunked()\u003c/code\u003e to properly handle leftover data in\nthe decoder\u0027s buffer when reading compressed chunked responses.\n(\u003ccode\u003e[#3734](https://github.com/urllib3/urllib3/issues/3734) \u0026lt;https://github.com/urllib3/urllib3/issues/3734\u0026gt;\u003c/code\u003e__)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e2.6.1 (2025-12-08)\u003c/h1\u003e\n\u003cul\u003e\n\u003cli\u003eRestore previously removed \u003ccode\u003eHTTPResponse.getheaders()\u003c/code\u003e and\n\u003ccode\u003eHTTPResponse.getheader()\u003c/code\u003e methods.\n(\u003ccode\u003e[#3731](https://github.com/urllib3/urllib3/issues/3731) \u0026lt;https://github.com/urllib3/urllib3/issues/3731\u0026gt;\u003c/code\u003e__)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e2.6.0 (2025-12-05)\u003c/h1\u003e\n\u003ch2\u003eSecurity\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFixed a security issue where streaming API could improperly handle highly\ncompressed HTTP content (\u0026quot;decompression bombs\u0026quot;) leading to excessive resource\nconsumption even when a small amount of data was requested. Reading small\nchunks of compressed data is safer and much more efficient now.\n(\u003ccode\u003eGHSA-2xpw-w6gg-jr37 \u0026lt;https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37\u0026gt;\u003c/code\u003e__)\u003c/li\u003e\n\u003cli\u003eFixed a security issue where an attacker could compose an HTTP response with\nvirtually unlimited links in the \u003ccode\u003eContent-Encoding\u003c/code\u003e header, potentially\nleading to a denial of service (DoS) attack by exhausting system resources\nduring decoding. The number of allowed chained encodings is now limited to 5.\n(\u003ccode\u003eGHSA-gm62-xv2j-4w53 \u0026lt;https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53\u0026gt;\u003c/code\u003e__)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e.. caution::\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIf urllib3 is not installed with the optional \u003ccode\u003eurllib3[brotli]\u003c/code\u003e extra, but\nyour environment contains a Brotli/brotlicffi/brotlipy package anyway, make\nsure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to\nbenefit from the security fixes and avoid warnings. Prefer using\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/urllib3/urllib3/commit/0248277dd7ac0239204889ca991353ad3e3a1ddc\"\u003e\u003ccode\u003e0248277\u003c/code\u003e\u003c/a\u003e Release 2.6.3\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b\"\u003e\u003ccode\u003e8864ac4\u003c/code\u003e\u003c/a\u003e Merge commit from fork\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/urllib3/urllib3/commit/70cecb27ca99d56aaaeb63ac27ee270ef2b24c5c\"\u003e\u003ccode\u003e70cecb2\u003c/code\u003e\u003c/a\u003e Fix Scorecard issues related to vulnerable dev dependencies (\u003ca href\u003d\"https://redirect.github.com/urllib3/urllib3/issues/3755\"\u003e#3755\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/urllib3/urllib3/commit/41f249abe1ef3e20768588969c4035aba060a359\"\u003e\u003ccode\u003e41f249a\u003c/code\u003e\u003c/a\u003e Move \u0026quot;v2.0 Migration Guide\u0026quot; to the end of the table of contents (\u003ca href\u003d\"https://redirect.github.com/urllib3/urllib3/issues/3747\"\u003e#3747\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/urllib3/urllib3/commit/fd4dffd2fc544166b76151a2fa3d7b7c0eab540c\"\u003e\u003ccode\u003efd4dffd\u003c/code\u003e\u003c/a\u003e Patch \u003ccode\u003eVerifiedHTTPSConnection\u003c/code\u003e for Emscripten (\u003ca href\u003d\"https://redirect.github.com/urllib3/urllib3/issues/3752\"\u003e#3752\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/urllib3/urllib3/commit/13f0bfd55e4468fe1ea9c6f809d3a87b0f93ebab\"\u003e\u003ccode\u003e13f0bfd\u003c/code\u003e\u003c/a\u003e Handle massive values in Retry-After when calculating time to sleep for (\u003ca href\u003d\"https://redirect.github.com/urllib3/urllib3/issues/3743\"\u003e#3743\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/urllib3/urllib3/commit/8c480bf87bcefd321b3a1ae47f04e908b6b2ed7b\"\u003e\u003ccode\u003e8c480bf\u003c/code\u003e\u003c/a\u003e Bump actions/upload-artifact from 5.0.0 to 6.0.0 (\u003ca href\u003d\"https://redirect.github.com/urllib3/urllib3/issues/3748\"\u003e#3748\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/urllib3/urllib3/commit/4b40616e959c0a2c466e8075f2a785a9f99bb0c1\"\u003e\u003ccode\u003e4b40616\u003c/code\u003e\u003c/a\u003e Bump actions/cache from 4.3.0 to 5.0.1 (\u003ca href\u003d\"https://redirect.github.com/urllib3/urllib3/issues/3750\"\u003e#3750\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/urllib3/urllib3/commit/82b8479663d037d220c883f1584dd01a43bb273b\"\u003e\u003ccode\u003e82b8479\u003c/code\u003e\u003c/a\u003e Bump actions/download-artifact from 6.0.0 to 7.0.0 (\u003ca href\u003d\"https://redirect.github.com/urllib3/urllib3/issues/3749\"\u003e#3749\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/urllib3/urllib3/commit/34284cb01700bb7d4fdd472f909e22393e9174e2\"\u003e\u003ccode\u003e34284cb\u003c/code\u003e\u003c/a\u003e Mention experimental features in the security policy (\u003ca href\u003d\"https://redirect.github.com/urllib3/urllib3/issues/3746\"\u003e#3746\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href\u003d\"https://github.com/urllib3/urllib3/compare/2.5.0...2.6.3\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\nDependabot will resolve any conflicts with this PR as long as you don\u0027t alter it yourself. You can also trigger a rebase manually by commenting `\u003cat\u003edependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `\u003cat\u003edependabot rebase` will rebase this PR\n- `\u003cat\u003edependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `\u003cat\u003edependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `\u003cat\u003edependabot ignore \u003cdependency name\u003e major version` will close this group update PR and stop Dependabot creating any more for the specific dependency\u0027s major version (unless you unignore this specific dependency\u0027s major version or upgrade to it yourself)\n- `\u003cat\u003edependabot ignore \u003cdependency name\u003e minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency\u0027s minor version (unless you unignore this specific dependency\u0027s minor version or upgrade to it yourself)\n- `\u003cat\u003edependabot ignore \u003cdependency name\u003e` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)\n- `\u003cat\u003edependabot unignore \u003cdependency name\u003e` will remove all of the ignore conditions of the specified dependency\n- `\u003cat\u003edependabot unignore \u003cdependency name\u003e \u003cignore condition\u003e` will remove the ignore condition of the specified dependency and ignore conditions\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/zeppelin/network/alerts).\n\n\u003c/details\u003e\n\nCloses #5219 from dependabot[bot]/dependabot/pip/dev/dev-security-updates-768b7d9b01.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "28e9aa72450cec7dc0c72f7890daba431fd28187", "tree": "efd14bd41da1e1f8b92056947d5c847d4455efb2", "parents": [ "16ab7ff0f179596c55e50d6cbe513a51d841009c" ], "author": { "name": "Jongyoul Lee", "email": "jongyoul@gmail.com", "time": "Mon Apr 20 11:33:44 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon Apr 20 11:33:44 2026 +0900" }, "message": "[MINOR] chore(.github): group dependabot security updates by path\n\n### What is this PR for?\nGroup Dependabot security updates by exact path so the current burst of one-off security PRs can be regenerated as grouped PRs instead.\n\nThis configuration intentionally keeps non-security version updates disabled with `open-pull-requests-limit: 0`, so it only affects grouped security updates and does not start regular version-update PRs for these directories.\n\nCovered paths:\n- `/docs`\n- `/zeppelin-web`\n- `/zeppelin-web-angular`\n- `/dev`\n- `/`\n- `/alluxio`\n- `/bigquery`\n- `/elasticsearch`\n- `/flink/flink-scala-2.12`\n- `/livy`\n- `/rlang`\n- `/shell`\n- `/spark/interpreter`\n- `/spark/spark-scala-parent`\n- `/zeppelin-interpreter`\n- `/zeppelin-plugins/launcher/docker`\n- `/zeppelin-plugins/launcher/k8s-standard`\n- `/zeppelin-plugins/notebookrepo/s3`\n\nFirst time? Check out the contributing guide - https://zeppelin.apache.org/contribution/contributions.html\n\n### What type of PR is it?\nImprovement\n\n### Todos\n* [x] Add `.github/dependabot.yml` for the targeted directories\n* [x] Verify the configured directory names match the repository\n* [x] Expand coverage to the remaining open Dependabot security-update paths\n* [x] Clarify that the config is intentionally security-updates-only\n\n### What is the Jira issue?\nNone. Minor maintenance change.\n\n### How should this be tested?\n* Confirm `.github/dependabot.yml` is valid YAML.\n* Confirm each configured directory exists in the repository.\n* After merge, verify Dependabot opens grouped security update PRs for the listed paths.\n\n### Screenshots (if appropriate)\nN/A\n\n### Questions:\n* Does the license files need to update? No.\n* Is there breaking changes for older versions? No.\n* Does this needs documentation? No.\n\n\nCloses #5213 from jongyoul/minor/dependabot-security-groups.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "16ab7ff0f179596c55e50d6cbe513a51d841009c", "tree": "bfd121bdea26f8b2158a688236c14e12b9019c78", "parents": [ "8092916424b9c0adb8e83e0692aa9078fce690ea" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Thu Apr 16 14:58:07 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu Apr 16 14:58:07 2026 +0900" }, "message": "Bump uri from 0.13.1 to 0.13.3 in /docs (#5132)\n\nBumps [uri](https://github.com/ruby/uri) from 0.13.1 to 0.13.3.\n- [Release notes](https://github.com/ruby/uri/releases)\n- [Commits](https://github.com/ruby/uri/compare/v0.13.1...v0.13.3)\n\n---\nupdated-dependencies:\n- dependency-name: uri\n dependency-version: 0.13.3\n dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "8092916424b9c0adb8e83e0692aa9078fce690ea", "tree": "dc48ca93887140bfc5a1b2ea72e95a9b61334748", "parents": [ "931a84ea3fa3a13d4d6ed491d2f7036071451f6f" ], "author": { "name": "Jongyoul Lee", "email": "jongyoul@gmail.com", "time": "Sun Apr 12 23:42:46 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun Apr 12 23:42:46 2026 +0900" }, "message": "[MINOR] chore(zeppelin-web-angular): refresh lockfile to remediate npm audit findings\n\n### What is this PR for?\nRefresh `package-lock.json` in `zeppelin-web-angular` to remediate npm audit findings.\nRan `npm audit fix` on the latest master to resolve vulnerabilities that can be fixed without breaking changes.\n\n### What type of PR is it?\nBug Fix / Improvement\n\n### Todos\n\n### What is the Jira issue?\n\n### How should this be tested?\n- `cd zeppelin-web-angular \u0026\u0026 npm audit` should show fewer vulnerabilities\n\n### Screenshots (if appropriate)\n\n### Questions:\n* Does the license files need to update? No\n* Is there breaking changes for older versions? No\n* Does this needs documentation? No\n\nCloses #5208 from jongyoul/copilot/fix-npm-audit-issues.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "931a84ea3fa3a13d4d6ed491d2f7036071451f6f", "tree": "29e9867198708168ccc244c9d7a279d71af21030", "parents": [ "4e40c113124fe94c0402f4563e6d33dd1a8fa700" ], "author": { "name": "Jongyoul Lee", "email": "jongyoul@gmail.com", "time": "Sat Apr 11 20:35:21 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sat Apr 11 20:35:21 2026 +0900" }, "message": "[ZEPPELIN-6409][ZEPPELIN-6400] Fix Selenium integration test flakiness after\n\n## Summary\n\n- **`authenticationUser()`**: Replace `sleep(1000)` with explicit wait for the navbar user dropdown to appear (proves login succeeded and AngularJS digest is done), then force-dismiss any lingering Bootstrap modal backdrop via jQuery\n- **`logoutUser()`**: Use `clickableWait()` instead of raw `findElement()` for robust element interaction; wrap modal close button in try-catch\n- **`testAngularRunParagraph()`**: Fix race condition where `waitForParagraph(\"FINISHED\")` matched the *previous* run\u0027s state. Use `stalenessOf` to detect paragraph output refresh, then `visibilityWait` for the new element, and JavaScript click to bypass ng-click overlay issues\n\n## Context\n\nAfter ZEPPELIN-6400 moved `ZeppelinConfiguration` from `zeppelin-interpreter` to `zeppelin-zengine`, `RemoteInterpreterServer.init()` changed from loading config via `ZeppelinConfiguration.load()` + overlay to pure `Properties`-based initialization. This subtle timing change in interpreter startup exposed pre-existing Selenium test flakiness in the `test-selenium-with-spark-module-for-spark-3-5` CI job.\n\nThe CI failures were:\n- `InterpreterModeActionsIT.testPerUserIsolatedAction` — `ElementClickInterceptedException` because login modal was still visible when clicking the navigation dropdown\n- `ZeppelinIT.testAngularRunParagraph` — `TimeoutException` due to race condition: after re-running an Angular paragraph, the old output element was matched before the new one rendered\n\n## Test plan\n\n- [x] CI: `frontend.yml` — `test-selenium-with-spark-module-for-spark-3-5` job passes\n- [x] CI: `frontend.yml` — All other E2E jobs remain green (Playwright auth failure is unrelated Firefox keyboard shortcut flakiness)\n\nCloses #5209 from jongyoul/ZEPPELIN-6409-fix-selenium-tests.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "4e40c113124fe94c0402f4563e6d33dd1a8fa700", "tree": "b6dd46123b9aaf062b462ae18aabf62e36ec09fd", "parents": [ "6f6df4cdbf02aa2f8b9731adfe926228aedb9b15" ], "author": { "name": "조형준", "email": "ryuu.public@gmail.com", "time": "Tue Apr 07 12:56:41 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Apr 07 12:56:41 2026 +0900" }, "message": "[ZEPPELIN-6410] Fix typo in PythonInterpreter comment: \"sever\" to \"server\"\n\n### What is this PR for?\r\nFix a typo in `PythonInterpreter.java` where the comment reads \"sever\" instead of \"server\".\r\n\r\n### What type of PR is it?\r\nImprovement\r\n\r\n### Todos\r\n* [x] Fix typo: \"sever\" → \"server\"\r\n\r\n### What is the Jira issue?\r\n* https://issues.apache.org/jira/browse/ZEPPELIN-6410\r\n\r\n### How should this be tested?\r\n* No functional change — comment-only fix. Visual inspection is sufficient.\r\n\r\n### Screenshots (if appropriate)\r\nN/A\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\n\nCloses #5210 from xxxxxxjun/fix-zeppelin-6410.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "6f6df4cdbf02aa2f8b9731adfe926228aedb9b15", "tree": "b50ded4dbb49fef017377f190e2539725a23552a", "parents": [ "b4193a072eda5dacae9a7ce29140aa38c21b5c75" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Sun Apr 05 21:49:32 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun Apr 05 21:49:32 2026 +0900" }, "message": "Bump requests from 2.32.5 to 2.33.0 in /dev (#5196)\n\nBumps [requests](https://github.com/psf/requests) from 2.32.5 to 2.33.0.\n- [Release notes](https://github.com/psf/requests/releases)\n- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)\n- [Commits](https://github.com/psf/requests/compare/v2.32.5...v2.33.0)\n\n---\nupdated-dependencies:\n- dependency-name: requests\n dependency-version: 2.33.0\n dependency-type: direct:production\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "b4193a072eda5dacae9a7ce29140aa38c21b5c75", "tree": "cb4fd7f30aacac1ea1f217e37252393af7734818", "parents": [ "705110aa120fb9180425252c755d499cf086f5ff" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Sun Apr 05 14:59:14 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun Apr 05 14:59:14 2026 +0900" }, "message": "[ZEPPELIN-6384] Fix dropdown menu item links not clickable in full area\n\n### What is this PR for?\r\n\r\n#### Summary\r\n\r\n- Fixed dropdown menu items in header where only text was clickable instead of the full item area\r\n- Changed routerLinkActive to nzMatchRouter for proper NG-ZORRO integration\r\n- Added CSS pseudo-element to expand clickable area of anchor tags\r\n\r\n#### Cause\r\n\r\n- Likely due to NG-ZORRO dropdown menu item anchor tag style changes that reduced the clickable area to just the text content.\r\n\r\n#### Changes\r\n\r\n- Updated `header.component.html`: Replace `routerLinkActive` with `nzMatchRouter` directive\r\n- Updated `global.less`: Add `::before` pseudo-element to `.ant-dropdown-menu-item \u003e a` to expand clickable area using absolute positioning\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### What is the Jira issue?\r\nhttps://issues.apache.org/jira/browse/ZEPPELIN-6384\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5124 from tbonelee/fix-dropdown-link.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "705110aa120fb9180425252c755d499cf086f5ff", "tree": "661a19cfde3292a72d6aef52bc878a0f109d95d3", "parents": [ "5e9847b3f510bb6590aeecf8fad98d725f99e4c9" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Sun Apr 05 14:57:50 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun Apr 05 14:57:50 2026 +0900" }, "message": "[ZEPPELIN-6387] Fix WebSocket reconnection not reloading note in Angular UI\n\n### What is this PR for?\r\nFixes an issue where WebSocket reconnection in the new Angular UI (zeppelin-web-angular) does not reload the current note, causing \"Note is null\" errors when attempting to run paragraphs after reconnection.\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### What is the Jira issue?\r\nhttps://issues.apache.org/jira/browse/ZEPPELIN-6387\r\n\r\n### How should this be tested?\r\n\r\n1. Open any notebook in the new Angular UI.\r\n2. Trigger a WebSocket timeout by switching to another browser tab or window and leaving the Zeppelin tab in the background for a few minutes.\r\n - Even without interacting with the browser, you can confirm that the WebSocket has reconnected by checking the server logs.\r\n3. Allow the system to automatically reconnect.\r\n4. Try running any paragraph → It should fail before this PR and succeed after applying this PR.\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5129 from tbonelee/websocket-reconnection.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "5e9847b3f510bb6590aeecf8fad98d725f99e4c9", "tree": "e090171c8a39dff2bdd8ec442d070d7347716a24", "parents": [ "076676aa87f92b052619691c2788bd53771a266e" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Sat Apr 04 21:05:47 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sat Apr 04 21:05:47 2026 +0900" }, "message": "[ZEPPELIN-6358] Add E2E test coverage for notebook components\n\n### What is this PR for?\r\nThis is the final PR in the series derived from #5101.\r\n\r\nNotebook features had zero E2E coverage. This adds 20 spec files (~3500 lines).\r\n\r\n**Notebook core**\r\n- `notebook-container` — structure, action bar presence, sidebar width constraints, paragraph grid layout, extension area\r\n- `action-bar-functionality` — run all, code/output toggle, clear output, clone/export/reload, collaboration mode, revision controls, scheduler, settings group\r\n- `notebook-keyboard-shortcuts` — full ShortcutsMap coverage (Monaco editor; serial because Monaco holds focus state between tests — isolating via `beforeEach` wasn\u0027t viable)\r\n- `sidebar-functionality` — TOC panel, file tree panel, open/close state transitions\r\n- `paragraph-functionality` — edit mode, run/cancel, dynamic forms, footer DOM presence\r\n\r\n**Share features**\r\n- `folder-rename` — hover context menu, rename modal, validation, delete confirmation, folder merge on name collision\r\n- `note-rename` — inline title editing, enter/blur/escape flows, empty name rejection, special characters\r\n- `note-toc` — panel open/close, empty state message, toggle button attributes, repeated toggle\r\n\r\n#### Pulled in test failure fixes from #5180 \r\n- Cleaned up `about-zeppelin-modal` and `note-create-modal` specs and models\r\n- Added missing aria attributes and `data-testid` selectors to `action-bar.component.html`\r\n- Bumped `flatted` 3.3.3 → 3.4.1 (npm audit)\r\n\r\n\r\n### What type of PR is it?\r\nImprovement\r\nFeature\r\nDocumentation\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6358\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5181 from dididy/e2e/notebook-final.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "076676aa87f92b052619691c2788bd53771a266e", "tree": "b71a12c6e653aec8cf5e7600a277282d17dde1c8", "parents": [ "cd8ba63f1c03245ed2cac81b745ecd44795ca420" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Sat Apr 04 21:04:45 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sat Apr 04 21:04:45 2026 +0900" }, "message": "[ZEPPELIN-6358] Remove anti-patterns of E2E and tidy test suite\n\n### What is this PR for?\r\nApplied the [`e2e-reviewer`](https://github.com/dididy/e2e-skills) skill on the existing E2E suite. The skill does static analysis — it catches tests that can never actually fail, silent skips, swallowed errors in POM methods, that kind of thing.\r\n\r\nFindings and fixes:\r\n\r\n- `home-page-enhanced-functionality.spec.ts` was mostly duplicating `home-page-elements` and `home-page-note-operations` → deleted and merged\r\n- `toBeGreaterThanOrEqual(0)` and `toBeAttached()` on static elements were always passing → replaced with assertions that can fail\r\n- `if (isVisible) { expect() }` patterns silently skip when something breaks → removed or converted to `test.skip`\r\n- Several POM methods had `.catch(() \u003d\u003e {})` with no comment → removed; kept the intentional ones and marked with `// JUSTIFIED:`\r\n- `document.querySelector` in `page.evaluate()` → swapped for Playwright locator API\r\n- Added `aria-label` / `data-testid` to action bar HTML; a few tests were breaking on DOM structure changes\r\n- Renamed a handful of tests whose names didn\u0027t match what they actually tested; dropped the ones that only called `toBeVisible()`\r\n\r\n\r\n### What type of PR is it?\r\nImprovement\r\nRefactoring\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6358\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5180 from dididy/tidy-e2e.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "cd8ba63f1c03245ed2cac81b745ecd44795ca420", "tree": "e60c8bace72e368ee19517c4f839791ce2b62c08", "parents": [ "221c0c5c3d5adb7056a212fc44316362a63ea140" ], "author": { "name": "Jongyoul Lee", "email": "jongyoul@gmail.com", "time": "Mon Mar 30 18:06:24 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon Mar 30 18:06:24 2026 +0900" }, "message": "[ZEPPELIN-6404] Fix empty response body handling in merge_pr.py\n\n## Summary\n\n- Fix `JSONDecodeError` when JIRA transition API returns empty response body\n- Return empty dict `{}` instead of attempting to parse empty string\n\n## Context\n\nAfter merging PR #5183, the JIRA resolve step crashed with `JSONDecodeError: Expecting value: line 1 column 1`. The JIRA transition API returns HTTP 204 (No Content) on success, but `_http()` unconditionally called `json.loads()` on the empty body.\n\n## Test plan\n\n- [x] Verified JIRA transition actually succeeded despite the error\n- [ ] Run `python3 dev/merge_pr.py --pr \u003cnumber\u003e --resolve-jira --dry-run` to verify no regression\n\nCloses #5199 from jongyoul/ZEPPELIN-6404-fix-empty-response.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "221c0c5c3d5adb7056a212fc44316362a63ea140", "tree": "05eaa5f94c0e1ad2062b0af39ca0b3bf23c50485", "parents": [ "394e24575ca7542f354940185a4a2c68b79b9630" ], "author": { "name": "Jongyoul Lee", "email": "jongyoul@gmail.com", "time": "Mon Mar 30 13:37:10 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon Mar 30 13:37:10 2026 +0900" }, "message": "[ZEPPELIN-6404] Rewrite merge PR script in Python with no external dependencies\n\n## Summary\n\n- Rewrite `dev/merge_zeppelin_pr.py` as a single-file Python CLI (`dev/merge_pr.py`)\n- No external dependencies — uses only Python 3 built-in libraries (`urllib`, `json`, `subprocess`, `argparse`, `re`)\n- Runs directly with `python3 dev/merge_pr.py --pr \u003cnumber\u003e [flags]`\n- Non-interactive, AI-agent friendly design\n\n## Motivation\n\nThe existing Python merge script (`dev/merge_zeppelin_pr.py`) requires a Python virtual environment with dependencies (`jira`, `python-dotenv`), and is interactive (prompts for user input). This makes it difficult to use from CI/CD or AI agent workflows.\n\nThe new version:\n- Requires only Python 3 (no venv, no pip install)\n- All flags are CLI arguments — no interactive prompts\n- Single file, ~450 lines, zero external dependencies\n- Instance-based design (`MergePR` class)\n\n## Usage\n\n```bash\n# Dry run (shows PR info without merging)\npython3 dev/merge_pr.py --pr 5167 --dry-run\n\n# Merge and resolve JIRA\npython3 dev/merge_pr.py --pr 5167 --resolve-jira --fix-versions 0.13.0\n\n# Merge and cherry-pick into release branches\npython3 dev/merge_pr.py --pr 5167 --release-branches branch-0.12,branch-0.11\n```\n\n## Flags\n\n| Flag | Description |\n|------|-------------|\n| `--pr` | Pull request number (required) |\n| `--target` | Target branch (default: PR base branch) |\n| `--fix-versions` | JIRA fix version(s), comma-separated |\n| `--release-branches` | Release branch(es) to cherry-pick into, comma-separated |\n| `--resolve-jira` | Resolve associated JIRA issue(s) |\n| `--dry-run` | Show what would be done without making changes |\n| `--push-remote` | Git remote for pushing (default: `apache`) |\n\nTokens are read from environment variables: `GITHUB_OAUTH_KEY`, `JIRA_ACCESS_TOKEN`.\n\n## Test Plan\n\n- [x] `python3 dev/merge_pr.py --help` — shows usage\n- [x] `python3 dev/merge_pr.py --pr 5167 --dry-run` — fetches PR info correctly\n- [ ] Full merge test with a real PR\n- [ ] Cherry-pick into release branch test\n- [ ] JIRA resolution test\n\nCloses #5183 from jongyoul/ZEPPELIN-6404-go-merge-cli-v2.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "394e24575ca7542f354940185a4a2c68b79b9630", "tree": "f1031abec4675e1c6ab60828c38f8bbfa62cdeb4", "parents": [ "5c35ad9ba2033419bf7e9e0343751d1ce2a360b0" ], "author": { "name": "Jongyoul Lee", "email": "jongyoul@gmail.com", "time": "Tue Mar 17 14:12:55 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Mar 17 14:12:55 2026 +0900" }, "message": "[ZEPPELIN-6400] Remove ZeppelinConfiguration dependency from zeppelin-interpreter module\n\n## Summary\n\n- **Move `ZeppelinConfiguration` from `zeppelin-interpreter` to `zeppelin-zengine`** so it is no longer included in the shaded interpreter JAR. This prevents the Maven shade plugin from corrupting config string literals, which caused classpath-order-dependent configuration loading failures.\n- **Replace `ZeppelinConfiguration` usage in `zeppelin-interpreter` with `Properties`-based configuration** across `InterpreterLauncher`, `LifecycleManager`, `RecoveryStorage`, `DependencyResolver`, and all launcher plugins (Docker, K8s, YARN, Flink).\n- **Update callers** in `zeppelin-zengine`, `zeppelin-server`, `flink`, and `markdown` interpreter modules.\n- **Fix `TimeoutLifecycleManager` to parse time unit suffixes** (e.g., `\"10s\"`, `\"1000ms\"`) by adding `parseTimeValue()`. Previously, `Long.parseLong(\"10s\")` threw `NumberFormatException`, causing the `TimeoutLifecycleManagerTest.testTimeout_2` to enter an infinite loop and hang CI for 6 hours.\n- **Fix flaky `PersonalizeActionsIT.testGraphAction` Selenium test** by using `clickAndWait()` instead of `clickableWait().click()`, allowing the UI to update before assertion.\n\n## Motivation\n\n`ZeppelinConfiguration` in `zeppelin-interpreter` gets processed by the Maven shade plugin, which corrupts string literals (e.g., `org.apache.zeppelin` → `unshaded.org.apache.zeppelin`). This causes config keys to mismatch at runtime depending on classpath ordering. Moving it to `zeppelin-zengine` (which is not shaded) permanently eliminates this class of bugs.\n\nAs discussed by the community: *\"ZeppelinConfiguration belongs to the Zeppelin server, and the Zeppelin interpreter should really only work on a HashMap with ConfigKey and ConfigValue.\"*\n\n## Changes\n\n| Area | Change |\n|------|--------|\n| `zeppelin-interpreter` (core) | Remove `ZeppelinConfiguration` imports; use `Properties` for config |\n| `InterpreterLauncher` | `ZeppelinConfiguration zConf` → `Properties zProperties` |\n| `LifecycleManager` / `RecoveryStorage` | Constructor takes `Properties` instead of `ZeppelinConfiguration` |\n| `TimeoutLifecycleManager` | Add `parseTimeValue()` to handle time unit suffixes (`\"10s\"`, `\"1000ms\"`) |\n| `DependencyResolver` | Accept individual config values instead of `ZeppelinConfiguration` |\n| Launcher plugins (7 files) | Updated to `Properties`-based API |\n| `zeppelin-zengine` | `PluginManager` passes derived values (absolute paths) via Properties |\n| `ZeppelinConfiguration.java` | Moved from `zeppelin-interpreter` → `zeppelin-zengine` |\n| `PersonalizeActionsIT` | Fix flaky `testGraphAction` by waiting for UI update after click |\n\n## Future Work\n\nSome logic was duplicated during this refactoring to keep `zeppelin-interpreter` independent of `ZeppelinConfiguration`:\n\n- `TimeoutLifecycleManager.parseTimeValue()` duplicates `ZeppelinConfiguration.timeUnitToMill()` — both parse time strings like `\"10s\"` or `\"1000ms\"` via `Duration.parse(\"PT\" + value)`. A shared utility in `zeppelin-common` could consolidate this in the future.\n- Config key strings (e.g., `\"zeppelin.interpreter.lifecyclemanager.timeout.threshold\"`) are now hardcoded as plain strings in `zeppelin-interpreter` rather than referencing `ConfVars` enum constants. If config key management becomes an issue, a lightweight key constants class could be introduced.\n\n## Test Plan\n\n- [x] CI: `core.yml` - Core module tests (including `TimeoutLifecycleManagerTest`)\n- [x] CI: `core.yml` - Interpreter tests (Spark, Flink)\n- [x] CI: `frontend.yml` - E2E tests (Playwright + Selenium)\n- [x] CI: `quick.yml` - RAT license check\n- [x] Verify shaded JAR does not contain `ZeppelinConfiguration`\n\nCloses #5167 from jongyoul/ZEPPELIN-6400-remove-zepconf-from-interpreter.\n\nSigned-off-by: Jongyoul Lee \u003cjongyoul@gmail.com\u003e" }, { "commit": "5c35ad9ba2033419bf7e9e0343751d1ce2a360b0", "tree": "d03d4a5b298648a8f22f180ffae5b7eac4b22083", "parents": [ "c9fa525692911908fde47bf5fb9c3d8388220751" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Tue Mar 10 00:23:27 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Mar 10 00:23:27 2026 +0900" }, "message": "[ZEPPELIN-6358] Fix notebook UI bugs and add aria attributes and test IDs for selectors #5101\n\n### What is this PR for?\r\nThis PR fixes several notebook-related UI issues and improves testability and accessibility.\r\n\r\n### Changes\r\n- Fix an issue where the search menu trigger did not work correctly.\r\n- Prevent folder renaming when the input is empty by disabling the confirm button.\r\n- Add accessibility (ARIA) attributes and test-specific attributes to improve usability and E2E test stability.\r\n\r\n### What type of PR is it?\r\nBug Fix\r\nRefactoring\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6358\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No \r\n\n\nCloses #5133 from dididy/e2e/notebook-bug.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "c9fa525692911908fde47bf5fb9c3d8388220751", "tree": "7d822332e9c3f9ae1f5f4be91041cf5fabf3c46c", "parents": [ "1be5c3e70428eb757b9577f40a1a90f7ca82fce1" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Mon Mar 09 23:54:57 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon Mar 09 23:54:57 2026 +0900" }, "message": "Bump immutable from 4.3.7 to 4.3.8 in /zeppelin-web-angular\n\nBumps [immutable](https://github.com/immutable-js/immutable-js) from 4.3.7 to 4.3.8.\n- [Release notes](https://github.com/immutable-js/immutable-js/releases)\n- [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md)\n- [Commits](https://github.com/immutable-js/immutable-js/compare/v4.3.7...v4.3.8)\n\n---\nupdated-dependencies:\n- dependency-name: immutable\n dependency-version: 4.3.8\n dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "1be5c3e70428eb757b9577f40a1a90f7ca82fce1", "tree": "d3d3bcf36a181001610e5017b1e305f81f472b7d", "parents": [ "08fa86aeab2ccb4837c5b2d19820115acb206672" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Mon Mar 09 23:20:44 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon Mar 09 23:20:44 2026 +0900" }, "message": "[ZEPPELIN-6397] Bump Testcontainers version to 1.21.4\n\n### What is this PR for?\r\n\r\nThis PR bumps the testcontainers minor/patch versions.\r\n\r\n\u003cimg width\u003d\"2156\" height\u003d\"124\" alt\u003d\"image\" src\u003d\"https://github.com/user-attachments/assets/1db7118f-98f8-490f-863c-dc9eecc6e7dd\" /\u003e\r\n\r\nThe interpreter-test-non-core job has been failing intermittently. Based on the error pattern, this appears related to a compatibility issue between older Testcontainers versions and newer Docker Engine APIs (see: https://github.com/testcontainers/testcontainers-java/issues/11212).\r\n\r\nTestcontainers released a patch to address this, so this PR updates Testcontainers to 1.21.4 (release notes: https://github.com/testcontainers/testcontainers-java/releases/tag/1.21.4).\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### What is the Jira issue?[\r\n* Open an issue on Jira https://issues.apache.org/jira/browse/ZEPPELIN-6397\r\n\r\n### How should this be tested?\r\nCheck `interpreter-test-non-core` job.\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5159 from tbonelee/bump-testcontainers-neo4j.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "08fa86aeab2ccb4837c5b2d19820115acb206672", "tree": "a01b364f9fe4ca2f01f70900605724b8b7e4a3da", "parents": [ "aaa52286a36e18ee9747546a5c2089d50a402a9a" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Mon Mar 09 23:18:36 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon Mar 09 23:18:36 2026 +0900" }, "message": "[ZEPPELIN-6401] Resolve all npm audit vulnerabilities in zeppelin-react\n\n### What is this PR for?\r\nResolved all 16 npm audit vulnerabilities (8 high, 6 moderate, 2 low) in zeppelin-web-angular/projects/zeppelin-react.\r\n\r\nDirect dependency upgrades:\r\n- webpack 5.88.0 → 5.105.4 (moderate: DOM Clobbering XSS, SSRF)\r\n- webpack-dev-server 4.15.0 → 5.2.3 (moderate: source code theft vulnerability)\r\n- \u003cat\u003eantv/g2plot 2.4.35 → 2.3.32 (high: XSS, Path Traversal)\r\n - g2plot 2.4.35 pulls in fmin → rollup\u003cat\u003e2.x as transitive dependency, which has 2 high severity vulnerabilities\r\n - g2plot 2.3.32 does not depend on fmin, so rollup is removed entirely\r\n - No API breaking changes — Column, Line, Pie, Scatter all available in 2.3.32\r\n- xlsx 0.18.5 → replaced with xlsx-js-style 1.2.0 (high: Prototype Pollution, ReDoS)\r\n - All versions of xlsx on npm are vulnerable with no patched version available\r\n - xlsx-js-style is an API-compatible community fork with the vulnerabilities fixed\r\n- \u003cat\u003etypes/xlsx 0.0.36 → removed (no longer needed after xlsx replacement)\r\n\r\nTransitive dependency fixes (via npm audit fix):\r\n- lodash 4.17.21 → 4.17.23 (moderate: Prototype Pollution)\r\n- lodash-es 4.17.21 → 4.17.23 (moderate: Prototype Pollution)\r\n- node-forge 1.3.1 → 1.3.3 (high: ASN.1 vulnerabilities)\r\n- serialize-javascript — resolved via webpack upgrade (high: RCE, dep removed in newer terser-webpack-plugin)\r\n- qs/express/body-parser — audit fix (moderate: DoS)\r\n- ajv — audit fix (moderate: ReDoS)\r\n\r\nConstraints:\r\n- Node 18 environment maintained (serialize-javascript 7.x requires Node \u003e\u003d 20, resolved by upgrading webpack instead)\r\n\r\nVerification:\r\n- npm audit → 0 vulnerabilities\r\n- npm run build → success\r\n\r\nRelated Dependabot PRs (redundant, to be closed):\r\n- #5168, #5169, #5170, #5171, #5172, #5173\r\n\r\n\r\n### What type of PR is it?\r\nHot Fix\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6401\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\n\nCloses #5176 from dididy/fix/zeppelin-react-audit.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "aaa52286a36e18ee9747546a5c2089d50a402a9a", "tree": "a7237253d1e3b8bbcd9438fa8f5d75cf4fdd7c6f", "parents": [ "4bde6b27dd8f0b6a79479a84532759d358bc2bd9" ], "author": { "name": "Gyeongtae Park", "email": "gyeongtae@apache.org", "time": "Mon Mar 09 22:24:30 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon Mar 09 22:24:30 2026 +0900" }, "message": "[ZEPPELIN-6402] Update copyright year to 2026 in NOTICE file\n\n### What is this PR for?\r\nThis PR updates the copyright year range in the NOTICE file from 2015-2025 to 2015-2026 to reflect ongoing development and contributions in 2026.\r\n\r\n### What type of PR is it?\r\nDocumentation\r\n\r\n### Todos\r\n* [x] - Update copyright year in NOTICE file\r\n\r\n### What is the Jira issue?\r\n* https://issues.apache.org/jira/browse/ZEPPELIN-6402\r\n\r\n### How should this be tested?\r\n* Verify that the NOTICE file contains the updated copyright year range \"2015 - 2026\"\r\n* Confirm that no other changes were made to the NOTICE file\r\n\r\n### Screenshots (if appropriate)\r\nN/A\r\n\r\n### Questions:\r\n* Does the license files need to update? No.\r\n* Is there breaking changes for older versions? No.\r\n* Does this needs documentation? No.\n\nCloses #5177 from ParkGyeongTae/ZEPPELIN-6402.\n\nSigned-off-by: ParkGyeongTae \u003cgyeongtae@apache.org\u003e" }, { "commit": "4bde6b27dd8f0b6a79479a84532759d358bc2bd9", "tree": "fc3636f05fd02011791e5cfef0ade3a84bceeddd", "parents": [ "c3ccd9b4dd40eac2fc7500ae15b71cbee9384cd5" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Sat Mar 07 01:30:16 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sat Mar 07 01:30:16 2026 +0900" }, "message": "[ZEPPELIN-6371] Convert published paragraph rendering to Micro Frontend(Angular to React) in New UI\n\n### What is this PR for?\r\n\r\n[Micro Frontend Migration(Angular to React) Proposal](https://cwiki.apache.org/confluence/display/ZEPPELIN/Micro+Frontend+Migration%28Angular+to+React%29+Proposal)\r\n\r\n---\r\n\r\n#### Summary\r\n\r\n* Implement React-based micro-frontend architecture using Module Federation.\r\n* Convert published paragraph component to support React rendering.\r\n* Add environment-based configuration for development and production builds.\r\n\r\n#### Changes\r\n\r\n**1. React Micro-Frontend Project Setup**\r\n\r\n* Created new React project at `projects/zeppelin-react/`.\r\n* Configured Webpack Module Federation for micro-frontend architecture.\r\n* Set up React 18 with TypeScript support.\r\n\r\n**2. Component Implementation**\r\n\r\n*New React Components:*\r\n\r\n* `PublishedParagraph`: Main entry point for published paragraph rendering.\r\n* `SingleResultRenderer`: Template for rendering single paragraph results.\r\n\r\n*Renderers:*\r\n\r\n* `HTMLRenderer`: Renders HTML content with sanitization.\r\n* `TextRenderer`: Renders plain text with ANSI support.\r\n* `ImageRenderer`: Renders image outputs.\r\n\r\n*Visualizations:*\r\n\r\n* `TableVisualization`: Table rendering with sorting, filtering, and export.\r\n* `VisualizationControls`: Control panel for table operations.\r\n\r\n*Common Components:*\r\n\r\n* `Loading`: Loading state indicator.\r\n* `Empty`: Empty state display.\r\n\r\n**3. Angular Integration**\r\n\r\n* `paragraph.component.ts`: Added React widget loading logic via Module Federation.\r\n* `paragraph.component.html`: Added React container element.\r\n* `environment.ts` / `environment.prod.ts`: Added `reactRemoteEntryUrl` configuration.\r\n\r\n * Development: `http://localhost:3001/remoteEntry.js`\r\n * Production: `/assets/react/remoteEntry.js`\r\n\r\n**4. Build Configuration**\r\n\r\n* `angular.json`: Copy React build output to `/assets/react/`.\r\n* `webpack.config.js`: Configured Module Federation plugin:\r\n\r\n * Dev server: port 3001\r\n * CORS headers for cross-origin requests\r\n * Environment-specific `publicPath`\r\n* `proxy.conf.js`: Updated proxy configuration.\r\n\r\n**5. Package**\r\n\r\n* Added React and React-DOM dependencies.\r\n* Added Webpack and Module Federation plugins.\r\n* Added Ant Design for React UI components.\r\n* Added \u003cat\u003eantv/g2plot for data visualization (also used in Angular version with G2).\r\n\r\n#### License\r\nThis PR uses several open-source libraries. The `xlsx` (v0.18.5) and `typescript` (v4.6.4) packages are licensed under **Apache-2.0**, while all other dependencies and devDependencies (such as `react`, `react-dom`, `antd`, `\u003cat\u003eant-design/icons`, etc.) are licensed under **MIT**. The MIT license is more permissive than Apache-2.0, so including MIT-licensed packages does not violate Apache-2.0 terms. All packages may be used commercially, and license notices should be included when distributing the project.\r\n\r\n#### Technical Details\r\n\r\n**Module Federation Configuration**\r\n\r\n```ts\r\n// Development: http://localhost:3001/remoteEntry.js\r\n// Production: /assets/react/remoteEntry.js\r\n\r\nnew ModuleFederationPlugin({\r\n name: \u0027reactApp\u0027,\r\n filename: \u0027remoteEntry.js\u0027,\r\n exposes: {\r\n \u0027./PublishedParagraph\u0027: \u0027./src/pages/PublishedParagraph\u0027\r\n }\r\n})\r\n```\r\n\r\n#### Usage\r\n\r\n* Render published paragraph with React:\r\n `/notebook/{noteId}/paragraph/{paragraphId}?react\u003dtrue`\r\n\r\n### What type of PR is it?\r\nImprovement\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6371\r\n\r\n### How should this be tested?\r\n\r\n```sh\r\n// Start Zeppelin Server\r\n./mvnw clean install -DskipTests\r\n./mvnw clean package -DskipTests\r\n./bin/zeppelin-daemon.sh start\r\n\r\n// Start Zeppelin New UI Client\r\ncd zeppelin-web-angular\r\nnvm use\r\nnpm i\r\nnpm run start\r\n```\r\n\r\n#### TextRenderer\r\nhttp://localhost:4200/#/notebook/2EYDJKFFY/paragraph/20180118-122136_1299905608?react\u003dtrue\r\n\r\n#### TableVisualization\r\nhttp://localhost:4200/#/notebook/2EYDJKFFY/paragraph/20180118-122136_1299905608?react\u003dtrue\r\n\r\n#### ImageRenderer\r\nhttp://localhost:4200/#/notebook/2F1S9ZY8Z/paragraph/20180117-220535_590781730?react\u003dtrue\r\n\r\n#### HTMLRenderer - Table\r\nhttp://localhost:4200/#/notebook/2F1S9ZY8Z/paragraph/paragraph_1580885453474_1167659991?react\u003dtrue\r\n\r\n#### HTMLRenderer - Script(Bokeh JS)\r\nhttp://localhost:4200/#/notebook/2F1S9ZY8Z/paragraph/paragraph_1580885707198_-1652524072?react\u003dtrue\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5111 from dididy/feature/micro-frontend.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "c3ccd9b4dd40eac2fc7500ae15b71cbee9384cd5", "tree": "fff4b4bc007df54d01796632fc6046654737ef97", "parents": [ "cf766dbcbc0373be73424b0ce8859d5bb747c948" ], "author": { "name": "Prabhjyot Singh", "email": "prabhjyotsingh@gmail.com", "time": "Sun Mar 01 08:54:45 2026 -0500" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun Mar 01 22:54:45 2026 +0900" }, "message": "[ZEPPELIN-6162] Implement revisions comparator for New UI\n\n### What is this PR for?\r\nPort the revision comparison feature from the legacy AngularJS UI to the new Angular 13 frontend. Users can now select two revisions and view paragraph-by-paragraph diffs with color-coded additions and deletions.\r\n\r\n\r\n### What type of PR is it?\r\nImprovement\r\n\r\n\r\n### What is the Jira issue?\r\n* https://issues.apache.org/jira/browse/ZEPPELIN-6162\r\n\r\n### How should this be tested?\r\n* Strongly recommended: add automated unit tests for any new or changed behavior\r\n* Outline any manual steps to test the PR here.\r\n\r\n### Screenshots (if appropriate)\r\n![ZEPPELIN-6162](https://github.com/user-attachments/assets/483c05e1-9fa0-4347-8f50-21d0fbd90db2)\r\n\r\n\r\n### Questions:\r\n* Does the license files need to update? no\r\n* Is there breaking changes for older versions? no\r\n* Does this needs documentation? no\r\n\n\nCloses #5155 from prabhjyotsingh/ZEPPELIN-6162.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "cf766dbcbc0373be73424b0ce8859d5bb747c948", "tree": "77abb807807f10c311db891501ee597f695d6599", "parents": [ "776e29c89f4e1d47a89bd09c9a467acb0dce3767" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Thu Feb 26 09:52:16 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu Feb 26 09:52:16 2026 +0900" }, "message": "[ZEPPELIN-6373] Add E2E tests about share area\n\n### What is this PR for?\r\nABOUT_ZEPPELIN:\u0027src/app/share/about-zeppelin/about-zeppelin.component\u0027,\r\nCODE_EDITOR:\u0027src/app/share/code-editor/code-editor.component\u0027,\r\nFOLDER_RENAME:\u0027src/app/share/folder-rename/folder-rename.component\u0027,\r\nHEADER:\u0027src/app/share/header/header.component\u0027,\r\nNODE_LIST:\u0027src/app/share/node-list/node-list.component\u0027,\r\nNOTE_CREATE:\u0027src/app/share/note-create/note-create.component\u0027,\r\nNOTE_IMPORT:\u0027src/app/share/note-import/note-import.component\u0027,\r\nNOTE_RENAME:\u0027src/app/share/note-rename/note-rename.component\u0027,\r\nNOTE_TOC:\u0027src/app/share/note-toc/note-toc.component\u0027,\r\nPAGE_HEADER:\u0027src/app/share/page-header/page-header.component\u0027,\r\nRESIZE_HANDLE:\u0027src/app/share/resize-handle/resize-handle.component\u0027,\r\nSHORTCUT:\u0027src/app/share/shortcut/shortcut.component\u0027,\r\nSPIN:\u0027src/app/share/spin/spin.component\u0027,\r\nTHEME_TOGGLE:\u0027src/app/share/theme-toggle/theme-toggle.component\u0027\r\n\r\n### What type of PR is it?\r\nImprovement\r\n*Please leave your type of PR only*\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6373\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No \r\n\n\nCloses #5114 from dididy/e2e/share.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "776e29c89f4e1d47a89bd09c9a467acb0dce3767", "tree": "4623f8025002a80538275655cfd0d9222ad269bf", "parents": [ "1662cbdaf057d375d34cf911cb5a96a03744cd71" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Thu Feb 26 00:19:36 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu Feb 26 00:19:36 2026 +0900" }, "message": "[ZEPPELIN-6398] Fix Selenium-based integration tests\n\n### What is this PR for?\r\n\r\nSelenium-based integration tests have been failing recently. \r\n\r\nThere were several issues:\r\n\r\n- The Chrome/Edge driver had a bug related to calling window.maximize(). Since a fixed window size is sufficient for our tests, I replaced it with a method that sets a fixed window size instead.\r\n- The element wait logic was not properly separated by intent, which caused unintended test failures. I refactored the wait methods to distinguish between presence, visibility, and clickability.\r\n- Browser built-in features such as the password manager could trigger alert dialogs that block test execution, so these have been disabled.\r\n\r\nPreviously, we switched to EdgeDriver (also Chromium-based) to work around the window.maximize() bug, but the same issue occurred. Therefore, I reverted back to ChromeDriver.\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### What is the Jira issue?\r\n\r\nhttps://issues.apache.org/jira/browse/ZEPPELIN-6398\r\n\r\n### How should this be tested?\r\n- Check `test-selenium-with-spark-module-for-spark-3-5` job\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5160 from tbonelee/fix-selenium-edge.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "1662cbdaf057d375d34cf911cb5a96a03744cd71", "tree": "e904e7d41d5c28fc89c16d5fe838f192dcdd439d", "parents": [ "8251dc4e013cde02879d186240155da8f996bdb7" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Sun Feb 22 20:40:14 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun Feb 22 20:40:14 2026 +0900" }, "message": "[ZEPPELIN-6358] simplify utils, promote POM usage, and consolidate base logic from #5101\n\n### What is this PR for?\r\n\r\n### PR Description\r\n\r\nThis PR improves the readability and maintainability of the E2E notebook tests.\r\n\r\n- Removed over-abstracted util and wrapper methods\r\n- Moved test logic from util files into the test cases\r\n- Simplified page objects to focus on direct UI interactions\r\n- Consolidated shared logic into a base page class\r\n\r\nAs a result, the tests are clearer, flatter, and easier to maintain.\r\n\r\n### What type of PR is it?\r\nRefactoring\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6358\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5131 from dididy/e2e/notebook-edited.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "8251dc4e013cde02879d186240155da8f996bdb7", "tree": "a172af97f7144ae60e1ee9da41671fc1aeb192c2", "parents": [ "a041703dd76d6cee15a8c9c4bc6ad6d0d4767ebf" ], "author": { "name": "SeungYoung Oh", "email": "seung-00@naver.com", "time": "Thu Jan 22 15:49:09 2026 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu Jan 22 15:49:09 2026 +0900" }, "message": "[ZEPPELIN-6366] Separate WebSocket max message size into a dedicated REST API\n\n### What is this PR for?\r\nCurrently, configuration data is fetched through both REST API and WebSocket channels. However, the WebSocket path does not perform permission checks, and the only required data from it is the WebSocket max message size. \r\n\r\nI extracted the websocket max message size field into a dedicated REST API, to improve security and simplify configuration handling.\r\n\r\n### What type of PR is it?\r\nImprovement\r\n\r\n### Todos\r\n* [ ] #5060\r\n\r\n### What is the Jira issue?\r\n* Open an issue on Jira https://issues.apache.org/jira/browse/ZEPPELIN/6366\r\n\r\n### How should this be tested?\r\n- Check the configuration page (/configuration)\r\n- Check the notebook page (/notebook/{notebook_id})\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? N\r\n* Is there breaking changes for older versions? Y\r\n* Does this needs documentation? N\r\n\n\nCloses #5099 from seung-00/feature/ZEPPELIN-6366.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "a041703dd76d6cee15a8c9c4bc6ad6d0d4767ebf", "tree": "006c073f4cff0287c08e99dae5f31517f54aac1c", "parents": [ "27be0623c26becee3643f3504ec159604e940519" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Sun Dec 28 21:25:38 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun Dec 28 21:25:38 2025 +0900" }, "message": "[ZEPPELIN-6358] Seperate environment config and shared utilities from #5101\n\n### What is this PR for?\r\nIn #5101, the amount of changes became too large, and a committer suggested splitting it into smaller parts. Since the updates related to the common test environment and shared utility functions have already proven to be stable, I separated those pieces into this dedicated PR.\r\n\r\nThis PR includes only the **safe, standalone changes** that improve the shared E2E environment and utilities.\r\n\r\n#### [Summary of Changes]\r\n* **Refined and separated E2E test environment setup**\r\n * Improved global setup/teardown\r\n * CI: using ZEPPELIN_E2E_TEST_NOTEBOOK_DIR\r\n * To use `ZEPPELIN_E2E_TEST_NOTEBOOK_DIR` locally, the server has to be restarted at least once, which feels a bit odd to enforce during E2E test execution. To make things less messy from a UI perspective, I reorganized the structure so that all tests are collected under `E2E_TEST_FOLDER` instead.\r\n\r\n * Added folder/notebook initialization and cleanup logic\r\n * you can run it standalone with this command:`npm run e2e:cleanup`(automatically run this once the tests are finished)\r\n\r\n* **Extracted shared utilities and constants**\r\n * Added common E2E constant (e.g., `E2E_TEST_FOLDER`)\r\n * Introduced cleanup utilities to ensure stable post-test state\r\n\r\n* **Updated GitHub Actions (`frontend.yml`)**\r\n * Added environment variables(for python interpreter), notebook repo initialization, and cleanup steps\r\n * Due to potential storage and cost concerns, I shortened the retention period for the `Playwright report` from 30 days to 3 days\r\n\r\n* **Updated Playwright / ESLint configurations**\r\n * ts to cjs\r\n\r\n### What type of PR is it?\r\nImprovement\r\nRefactoring\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6358\r\n\r\n### How should this be tested?\r\n```sh\r\ncd zeppelin-web-angular\r\nnvm use\r\nnpm run start\r\nnpm run e2e\r\nnpm run e2e:cleanup\r\n```\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5128 from dididy/e2e/notebook-base.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "27be0623c26becee3643f3504ec159604e940519", "tree": "24a440906ab3b4155b3a6aeebb333f6bcb25b6f1", "parents": [ "88521103ffcafee094705f3df6f30fde5c1ea21a" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Tue Dec 09 13:37:51 2025 +0800" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Dec 09 13:37:51 2025 +0800" }, "message": "Bump Jersey from 3.1.9 to 3.1.10\n\nFix CVE-2025-12383\n" }, { "commit": "88521103ffcafee094705f3df6f30fde5c1ea21a", "tree": "2b6cd2eebbeeb1a3821922af0da4098a823608ef", "parents": [ "43ea5a4351ddaa9829216c6901b93fe750c82b8d" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Tue Dec 02 17:47:38 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Dec 02 17:47:38 2025 +0900" }, "message": "[ZEPPELIN-6382] Add configuration to remove unused variables, parameters, and imports for New UI\n\n### What is this PR for?\r\n- Enforced unused-variable checks via ESLint (\u003cat\u003etypescript-eslint/no-unused-vars).\r\n- Activated strict TypeScript checks in E2E tests (noUnusedLocals, noUnusedParameters).\r\n- Apply eslint, tsc\r\n\r\n### What type of PR is it?\r\nImprovement\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6382\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5123 from dididy/fix/unused-part.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "43ea5a4351ddaa9829216c6901b93fe750c82b8d", "tree": "a20bb31472479b52e29559927eaa2336115c0ccf", "parents": [ "7e944d479b17b8481d39f01617e2e35b9bcf208a" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Fri Nov 28 13:23:47 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Fri Nov 28 13:23:47 2025 +0900" }, "message": "Bump node-forge from 1.3.1 to 1.3.2 in /zeppelin-web-angular\n\nBumps [node-forge](https://github.com/digitalbazaar/forge) from 1.3.1 to 1.3.2.\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md\"\u003enode-forge\u0027s changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e1.3.2 - 2025-11-25\u003c/h2\u003e\n\u003ch3\u003eSecurity\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eHIGH\u003c/strong\u003e: ASN.1 Validator Desynchronization\n\u003cul\u003e\n\u003cli\u003eAn Interpretation Conflict (CWE-436) vulnerability in node-forge versions\n1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1\nstructures to desynchronize schema validations, yielding a semantic\ndivergence that may bypass downstream cryptographic verifications and\nsecurity decisions.\u003c/li\u003e\n\u003cli\u003eReported by Hunter Wodzenski.\u003c/li\u003e\n\u003cli\u003eCVE ID: \u003ca href\u003d\"https://www.cve.org/CVERecord?id\u003dCVE-2025-12816\"\u003eCVE-2025-12816\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eGHSA ID: \u003ca href\u003d\"https://github.com/digitalbazaar/forge/security/advisories/GHSA-5gfm-wpxj-wjgq\"\u003eGHSA-5gfm-wpxj-wjgq\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHIGH\u003c/strong\u003e: ASN.1 Unbounded Recursion\n\u003cul\u003e\n\u003cli\u003eAn Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions\n1.3.1 and below enables remote, unauthenticated attackers to craft deep\nASN.1 structures that trigger unbounded recursive parsing. This leads to a\nDenial-of-Service (DoS) via stack exhaustion when parsing untrusted DER\ninputs.\u003c/li\u003e\n\u003cli\u003eReported by Hunter Wodzenski.\u003c/li\u003e\n\u003cli\u003eCVE ID: \u003ca href\u003d\"https://www.cve.org/CVERecord?id\u003dCVE-2025-66031\"\u003eCVE-2025-66031\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eGHSA ID: \u003ca href\u003d\"https://github.com/digitalbazaar/forge/security/advisories/GHSA-554w-wpv2-vw27\"\u003eGHSA-554w-wpv2-vw27\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMODERATE\u003c/strong\u003e: ASN.1 OID Integer Truncation\n\u003cul\u003e\n\u003cli\u003eAn Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1\nand below enables remote, unauthenticated attackers to craft ASN.1\nstructures containing OIDs with oversized arcs. These arcs may be decoded\nas smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the\nbypass of downstream OID-based security decisions.\u003c/li\u003e\n\u003cli\u003eReported by Hunter Wodzenski.\u003c/li\u003e\n\u003cli\u003eCVE ID: \u003ca href\u003d\"https://www.cve.org/CVERecord?id\u003dCVE-2025-66030\"\u003eCVE-2025-66030\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eGHSA ID: \u003ca href\u003d\"https://github.com/digitalbazaar/forge/security/advisories/GHSA-65ch-62r8-g69g\"\u003eGHSA-65ch-62r8-g69g\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eFixed\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12 MAC\nverification bypass due to missing macData enforcement and improper\nasn1.validate routine.\u003c/li\u003e\n\u003cli\u003e[asn1] Add \u003ccode\u003efromDer()\u003c/code\u003e max recursion depth check.\n\u003cul\u003e\n\u003cli\u003eAdd a \u003ccode\u003easn1.maxDepth\u003c/code\u003e global configurable maximum depth of 256.\u003c/li\u003e\n\u003cli\u003eAdd a \u003ccode\u003easn1.fromDer()\u003c/code\u003e per-call \u003ccode\u003emaxDepth\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNOTE\u003c/strong\u003e: The default maximum is assumed to be higher than needed for valid\ndata. If this assumption is false then this could be a breaking change.\nPlease file an issue if there are use cases that need a higher maximum.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNOTE\u003c/strong\u003e: The per-call \u003ccode\u003emaxDepth\u003c/code\u003e parameter has not been exposed up through\nall of the API stack due to the complexities involved. Please file an issue\nif there are use cases that require this instead of changing the default\nmaximum.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e[asn1] Improve OID handling.\n\u003cul\u003e\n\u003cli\u003eError on parsed OID values larger than \u003ccode\u003e2**32 - 1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eError on DER OID values larger than \u003ccode\u003e2**53 - 1 \u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/digitalbazaar/forge/commit/235ad3e70e4fdfdca4fdeb662dfba6588e2c38bd\"\u003e\u003ccode\u003e235ad3e\u003c/code\u003e\u003c/a\u003e Release 1.3.2.\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/digitalbazaar/forge/commit/25982441171dc9815c87d3d886c5c8a1d092b334\"\u003e\u003ccode\u003e2598244\u003c/code\u003e\u003c/a\u003e Update changelog.\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/digitalbazaar/forge/commit/0032dd0be8b6fb1b1092ef754d1dde91c10a95ad\"\u003e\u003ccode\u003e0032dd0\u003c/code\u003e\u003c/a\u003e Fix typos.\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/digitalbazaar/forge/commit/d75e08d255559ae401d9368346cacefde306e6df\"\u003e\u003ccode\u003ed75e08d\u003c/code\u003e\u003c/a\u003e Run new security test.\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/digitalbazaar/forge/commit/a5ce91d03df4dcfc025b74a5b7f50389942d49c9\"\u003e\u003ccode\u003ea5ce91d\u003c/code\u003e\u003c/a\u003e Update changelog formatting.\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/digitalbazaar/forge/commit/4652de6ddd833392e52d99b37abbbda76817c0b7\"\u003e\u003ccode\u003e4652de6\u003c/code\u003e\u003c/a\u003e Cleanups.\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/digitalbazaar/forge/commit/eb932d94fbd88655f46ac7a94a8e13e7ed8597f7\"\u003e\u003ccode\u003eeb932d9\u003c/code\u003e\u003c/a\u003e Fix typo.\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/digitalbazaar/forge/commit/db6954ba4b4440831a5112dea5d37ef68a28b878\"\u003e\u003ccode\u003edb6954b\u003c/code\u003e\u003c/a\u003e Fix style.\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/digitalbazaar/forge/commit/afbf7d8e0812014da134caa5a064cf55d1f61847\"\u003e\u003ccode\u003eafbf7d8\u003c/code\u003e\u003c/a\u003e Align error message style.\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/digitalbazaar/forge/commit/6607445859637442cf586eaa7fa06e99a2a8ae0b\"\u003e\u003ccode\u003e6607445\u003c/code\u003e\u003c/a\u003e Revert minor changes.\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href\u003d\"https://github.com/digitalbazaar/forge/compare/v1.3.1...v1.3.2\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name\u003dnode-forge\u0026package-manager\u003dnpm_and_yarn\u0026previous-version\u003d1.3.1\u0026new-version\u003d1.3.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don\u0027t alter it yourself. You can also trigger a rebase manually by commenting `\u003cat\u003edependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `\u003cat\u003edependabot rebase` will rebase this PR\n- `\u003cat\u003edependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `\u003cat\u003edependabot merge` will merge this PR after your CI passes on it\n- `\u003cat\u003edependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `\u003cat\u003edependabot cancel merge` will cancel a previously requested merge and block automerging\n- `\u003cat\u003edependabot reopen` will reopen this PR if it is closed\n- `\u003cat\u003edependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `\u003cat\u003edependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `\u003cat\u003edependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `\u003cat\u003edependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `\u003cat\u003edependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/zeppelin/network/alerts).\n\n\u003c/details\u003e\n\nCloses #5121 from dependabot[bot]/dependabot/npm_and_yarn/zeppelin-web-angular/node-forge-1.3.2.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "7e944d479b17b8481d39f01617e2e35b9bcf208a", "tree": "c8e5da0b2753a8c78c0a820957837427768283e4", "parents": [ "3e56d81b808620a2ee04889cd282e2d248028efe" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Thu Nov 27 23:00:44 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu Nov 27 23:00:44 2025 +0900" }, "message": "Bump js-yaml in /zeppelin-web-angular\n\nBumps and [js-yaml](https://github.com/nodeca/js-yaml). These dependencies needed to be updated together.\nUpdates `js-yaml` from 3.14.1 to 3.14.2\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md\"\u003ejs-yaml\u0027s changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e[3.14.2] - 2025-11-15\u003c/h2\u003e\n\u003ch3\u003eSecurity\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eBackported v4.1.1 fix to v3\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e[4.1.1] - 2025-11-12\u003c/h2\u003e\n\u003ch3\u003eSecurity\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eFix prototype pollution issue in yaml merge (\u0026lt;\u0026lt;) operator.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e[4.1.0] - 2021-04-15\u003c/h2\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eTypes are now exported as \u003ccode\u003eyaml.types.XXX\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEvery type now has \u003ccode\u003eoptions\u003c/code\u003e property with original arguments kept as they were\n(see \u003ccode\u003eyaml.types.int.options\u003c/code\u003e as an example).\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eSchema.extend()\u003c/code\u003e now keeps old type order in case of conflicts\n(e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as \u003ccode\u003eabcd\u003c/code\u003e instead of \u003ccode\u003ecbad\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e[4.0.0] - 2021-01-03\u003c/h2\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eCheck \u003ca href\u003d\"https://github.com/nodeca/js-yaml/blob/master/migrate_v3_to_v4.md\"\u003emigration guide\u003c/a\u003e to see details for all breaking changes.\u003c/li\u003e\n\u003cli\u003eBreaking: \u0026quot;unsafe\u0026quot; tags \u003ccode\u003e!!js/function\u003c/code\u003e, \u003ccode\u003e!!js/regexp\u003c/code\u003e, \u003ccode\u003e!!js/undefined\u003c/code\u003e are\nmoved to \u003ca href\u003d\"https://github.com/nodeca/js-yaml-js-types\"\u003ejs-yaml-js-types\u003c/a\u003e package.\u003c/li\u003e\n\u003cli\u003eBreaking: removed \u003ccode\u003esafe*\u003c/code\u003e functions. Use \u003ccode\u003eload\u003c/code\u003e, \u003ccode\u003eloadAll\u003c/code\u003e, \u003ccode\u003edump\u003c/code\u003e\ninstead which are all now safe by default.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eyaml.DEFAULT_SAFE_SCHEMA\u003c/code\u003e and \u003ccode\u003eyaml.DEFAULT_FULL_SCHEMA\u003c/code\u003e are removed, use\n\u003ccode\u003eyaml.DEFAULT_SCHEMA\u003c/code\u003e instead.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eyaml.Schema.create(schema, tags)\u003c/code\u003e is removed, use \u003ccode\u003eschema.extend(tags)\u003c/code\u003e instead.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e!!binary\u003c/code\u003e now always mapped to \u003ccode\u003eUint8Array\u003c/code\u003e on load.\u003c/li\u003e\n\u003cli\u003eReduced nesting of \u003ccode\u003e/lib\u003c/code\u003e folder.\u003c/li\u003e\n\u003cli\u003eParse numbers according to YAML 1.2 instead of YAML 1.1 (\u003ccode\u003e01234\u003c/code\u003e is now decimal,\n\u003ccode\u003e0o1234\u003c/code\u003e is octal, \u003ccode\u003e1:23\u003c/code\u003e is parsed as string instead of base60).\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003edump()\u003c/code\u003e no longer quotes \u003ccode\u003e:\u003c/code\u003e, \u003ccode\u003e[\u003c/code\u003e, \u003ccode\u003e]\u003c/code\u003e, \u003ccode\u003e(\u003c/code\u003e, \u003ccode\u003e)\u003c/code\u003e except when necessary, \u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/470\"\u003e#470\u003c/a\u003e, \u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/557\"\u003e#557\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eLine and column in exceptions are now formatted as \u003ccode\u003e(X:Y)\u003c/code\u003e instead of\n\u003ccode\u003eat line X, column Y\u003c/code\u003e (also present in compact format), \u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/332\"\u003e#332\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eCode snippet created in exceptions now contains multiple lines with line numbers.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003edump()\u003c/code\u003e now serializes \u003ccode\u003eundefined\u003c/code\u003e as \u003ccode\u003enull\u003c/code\u003e in collections and removes keys with\n\u003ccode\u003eundefined\u003c/code\u003e in mappings, \u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/571\"\u003e#571\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003edump()\u003c/code\u003e with \u003ccode\u003eskipInvalid\u003dtrue\u003c/code\u003e now serializes invalid items in collections as null.\u003c/li\u003e\n\u003cli\u003eCustom tags starting with \u003ccode\u003e!\u003c/code\u003e are now dumped as \u003ccode\u003e!tag\u003c/code\u003e instead of \u003ccode\u003e!\u0026lt;!tag\u0026gt;\u003c/code\u003e, \u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/576\"\u003e#576\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eCustom tags starting with \u003ccode\u003etag:yaml.org,2002:\u003c/code\u003e are now shorthanded using \u003ccode\u003e!!\u003c/code\u003e, \u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/258\"\u003e#258\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eAdded \u003ccode\u003e.mjs\u003c/code\u003e (es modules) support.\u003c/li\u003e\n\u003cli\u003eAdded \u003ccode\u003equotingType\u003c/code\u003e and \u003ccode\u003eforceQuotes\u003c/code\u003e options for dumper to configure\nstring literal style, \u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/290\"\u003e#290\u003c/a\u003e, \u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/529\"\u003e#529\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eAdded \u003ccode\u003estyles: { \u0027!!null\u0027: \u0027empty\u0027 }\u003c/code\u003e option for dumper\n(serializes \u003ccode\u003e{ foo: null }\u003c/code\u003e as \u0026quot;\u003ccode\u003efoo: \u003c/code\u003e\u0026quot;), \u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/570\"\u003e#570\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/nodeca/js-yaml/commit/9963d366dfbde0c69722452bcd40b41e7e4160a0\"\u003e\u003ccode\u003e9963d36\u003c/code\u003e\u003c/a\u003e 3.14.2 released\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/nodeca/js-yaml/commit/10d3c8e70a6888543f5cdb656bb39f73e0ea77c1\"\u003e\u003ccode\u003e10d3c8e\u003c/code\u003e\u003c/a\u003e dist rebuild\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266\"\u003e\u003ccode\u003e5278870\u003c/code\u003e\u003c/a\u003e fix prototype pollution in merge (\u0026lt;\u0026lt;) (\u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/731\"\u003e#731\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eSee full diff in \u003ca href\u003d\"https://github.com/nodeca/js-yaml/compare/3.14.1...3.14.2\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `js-yaml` from 4.1.0 to 4.1.1\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href\u003d\"https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md\"\u003ejs-yaml\u0027s changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e[3.14.2] - 2025-11-15\u003c/h2\u003e\n\u003ch3\u003eSecurity\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eBackported v4.1.1 fix to v3\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e[4.1.1] - 2025-11-12\u003c/h2\u003e\n\u003ch3\u003eSecurity\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eFix prototype pollution issue in yaml merge (\u0026lt;\u0026lt;) operator.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e[4.1.0] - 2021-04-15\u003c/h2\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eTypes are now exported as \u003ccode\u003eyaml.types.XXX\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEvery type now has \u003ccode\u003eoptions\u003c/code\u003e property with original arguments kept as they were\n(see \u003ccode\u003eyaml.types.int.options\u003c/code\u003e as an example).\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eSchema.extend()\u003c/code\u003e now keeps old type order in case of conflicts\n(e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as \u003ccode\u003eabcd\u003c/code\u003e instead of \u003ccode\u003ecbad\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e[4.0.0] - 2021-01-03\u003c/h2\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eCheck \u003ca href\u003d\"https://github.com/nodeca/js-yaml/blob/master/migrate_v3_to_v4.md\"\u003emigration guide\u003c/a\u003e to see details for all breaking changes.\u003c/li\u003e\n\u003cli\u003eBreaking: \u0026quot;unsafe\u0026quot; tags \u003ccode\u003e!!js/function\u003c/code\u003e, \u003ccode\u003e!!js/regexp\u003c/code\u003e, \u003ccode\u003e!!js/undefined\u003c/code\u003e are\nmoved to \u003ca href\u003d\"https://github.com/nodeca/js-yaml-js-types\"\u003ejs-yaml-js-types\u003c/a\u003e package.\u003c/li\u003e\n\u003cli\u003eBreaking: removed \u003ccode\u003esafe*\u003c/code\u003e functions. Use \u003ccode\u003eload\u003c/code\u003e, \u003ccode\u003eloadAll\u003c/code\u003e, \u003ccode\u003edump\u003c/code\u003e\ninstead which are all now safe by default.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eyaml.DEFAULT_SAFE_SCHEMA\u003c/code\u003e and \u003ccode\u003eyaml.DEFAULT_FULL_SCHEMA\u003c/code\u003e are removed, use\n\u003ccode\u003eyaml.DEFAULT_SCHEMA\u003c/code\u003e instead.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eyaml.Schema.create(schema, tags)\u003c/code\u003e is removed, use \u003ccode\u003eschema.extend(tags)\u003c/code\u003e instead.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e!!binary\u003c/code\u003e now always mapped to \u003ccode\u003eUint8Array\u003c/code\u003e on load.\u003c/li\u003e\n\u003cli\u003eReduced nesting of \u003ccode\u003e/lib\u003c/code\u003e folder.\u003c/li\u003e\n\u003cli\u003eParse numbers according to YAML 1.2 instead of YAML 1.1 (\u003ccode\u003e01234\u003c/code\u003e is now decimal,\n\u003ccode\u003e0o1234\u003c/code\u003e is octal, \u003ccode\u003e1:23\u003c/code\u003e is parsed as string instead of base60).\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003edump()\u003c/code\u003e no longer quotes \u003ccode\u003e:\u003c/code\u003e, \u003ccode\u003e[\u003c/code\u003e, \u003ccode\u003e]\u003c/code\u003e, \u003ccode\u003e(\u003c/code\u003e, \u003ccode\u003e)\u003c/code\u003e except when necessary, \u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/470\"\u003e#470\u003c/a\u003e, \u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/557\"\u003e#557\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eLine and column in exceptions are now formatted as \u003ccode\u003e(X:Y)\u003c/code\u003e instead of\n\u003ccode\u003eat line X, column Y\u003c/code\u003e (also present in compact format), \u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/332\"\u003e#332\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eCode snippet created in exceptions now contains multiple lines with line numbers.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003edump()\u003c/code\u003e now serializes \u003ccode\u003eundefined\u003c/code\u003e as \u003ccode\u003enull\u003c/code\u003e in collections and removes keys with\n\u003ccode\u003eundefined\u003c/code\u003e in mappings, \u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/571\"\u003e#571\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003edump()\u003c/code\u003e with \u003ccode\u003eskipInvalid\u003dtrue\u003c/code\u003e now serializes invalid items in collections as null.\u003c/li\u003e\n\u003cli\u003eCustom tags starting with \u003ccode\u003e!\u003c/code\u003e are now dumped as \u003ccode\u003e!tag\u003c/code\u003e instead of \u003ccode\u003e!\u0026lt;!tag\u0026gt;\u003c/code\u003e, \u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/576\"\u003e#576\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eCustom tags starting with \u003ccode\u003etag:yaml.org,2002:\u003c/code\u003e are now shorthanded using \u003ccode\u003e!!\u003c/code\u003e, \u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/258\"\u003e#258\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eAdded \u003ccode\u003e.mjs\u003c/code\u003e (es modules) support.\u003c/li\u003e\n\u003cli\u003eAdded \u003ccode\u003equotingType\u003c/code\u003e and \u003ccode\u003eforceQuotes\u003c/code\u003e options for dumper to configure\nstring literal style, \u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/290\"\u003e#290\u003c/a\u003e, \u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/529\"\u003e#529\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eAdded \u003ccode\u003estyles: { \u0027!!null\u0027: \u0027empty\u0027 }\u003c/code\u003e option for dumper\n(serializes \u003ccode\u003e{ foo: null }\u003c/code\u003e as \u0026quot;\u003ccode\u003efoo: \u003c/code\u003e\u0026quot;), \u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/570\"\u003e#570\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/nodeca/js-yaml/commit/9963d366dfbde0c69722452bcd40b41e7e4160a0\"\u003e\u003ccode\u003e9963d36\u003c/code\u003e\u003c/a\u003e 3.14.2 released\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/nodeca/js-yaml/commit/10d3c8e70a6888543f5cdb656bb39f73e0ea77c1\"\u003e\u003ccode\u003e10d3c8e\u003c/code\u003e\u003c/a\u003e dist rebuild\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266\"\u003e\u003ccode\u003e5278870\u003c/code\u003e\u003c/a\u003e fix prototype pollution in merge (\u0026lt;\u0026lt;) (\u003ca href\u003d\"https://redirect.github.com/nodeca/js-yaml/issues/731\"\u003e#731\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eSee full diff in \u003ca href\u003d\"https://github.com/nodeca/js-yaml/compare/3.14.1...3.14.2\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\nDependabot will resolve any conflicts with this PR as long as you don\u0027t alter it yourself. You can also trigger a rebase manually by commenting `\u003cat\u003edependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `\u003cat\u003edependabot rebase` will rebase this PR\n- `\u003cat\u003edependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `\u003cat\u003edependabot merge` will merge this PR after your CI passes on it\n- `\u003cat\u003edependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `\u003cat\u003edependabot cancel merge` will cancel a previously requested merge and block automerging\n- `\u003cat\u003edependabot reopen` will reopen this PR if it is closed\n- `\u003cat\u003edependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `\u003cat\u003edependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `\u003cat\u003edependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `\u003cat\u003edependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `\u003cat\u003edependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/zeppelin/network/alerts).\n\n\u003c/details\u003e\n\nCloses #5120 from dependabot[bot]/dependabot/npm_and_yarn/zeppelin-web-angular/multi-75e6bc5210.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "3e56d81b808620a2ee04889cd282e2d248028efe", "tree": "bdd567b4a67e3044a1eabf36636de9788dc22512", "parents": [ "66b1617c5b7053ae65551a247eea501222c3cf4c" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Tue Nov 11 21:49:07 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Nov 11 21:49:07 2025 +0900" }, "message": "[ZEPPELIN-6375] Add auto-reconnect for abnormal WebSocket closures in new UI\n\n### What is this PR for?\r\nThis PR adds automatic WebSocket reconnection for non-normal connection closures to the Angular UI (`zeppelin-web-angular`), matching the behavior of the legacy AngularJS UI.\r\n\r\nPreviously, when the WebSocket connection was closed abnormally (e.g., due to network issues, server timeouts, or browser tab throttling), the Angular UI would not attempt to reconnect, leaving users with a broken connection and requiring a manual page refresh.\r\n\r\nThis fix monitors WebSocket close events and automatically reconnects when the close code is not 1000 (Normal Closure).\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### Todos\r\n* [x] - Add reconnection logic for non-normal close codes\r\n\r\n### What is the Jira issue?\r\nhttps://issues.apache.org/jira/browse/ZEPPELIN-6375\r\n- Another related issue: https://issues.apache.org/jira/browse/ZEPPELIN-6374\r\n\r\n### How should this be tested?\r\n\r\n1. Start Zeppelin server locally\r\n2. Open a notebook in the new UI\r\n3. Test abnormal closure scenarios:\r\n - e.g., **Tab throttling**: Leave the tab inactive for 2+ minutes (If you could watch the logs for `ZeppelinServer`, then you could check the timeout disconnect right away.).\r\n4. Verify that:\r\n - WebSocket automatically reconnects after idle timeout.\r\n - Console shows \"WebSocket closed unexpectedly. Reconnecting...\".\r\n - Notebook operations work after reconnection and connection status icon remain green color.\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5116 from tbonelee/fix-websocket.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "66b1617c5b7053ae65551a247eea501222c3cf4c", "tree": "c3fef573a3ccc4733a7ebd8b7018092fd374e204", "parents": [ "4882e07f09df985e5272e591f55f24ce1a2faeb0" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Tue Nov 11 21:24:14 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Nov 11 21:24:14 2025 +0900" }, "message": "Bump com.nimbusds:nimbus-jose-jwt from 9.37.2 to 9.37.4 in /zeppelin-server\n\nBumps [com.nimbusds:nimbus-jose-jwt](https://bitbucket.org/connect2id/nimbus-jose-jwt) from 9.37.2 to 9.37.4.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href\u003d\"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/2432c09121add9fe6b2db9173131dd777939bfee\"\u003e\u003ccode\u003e2432c09\u003c/code\u003e\u003c/a\u003e [maven-release-plugin] prepare for next development iteration\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/fa9737c49f1ae706d8929abfcb6f346b04275e03\"\u003e\u003ccode\u003efa9737c\u003c/code\u003e\u003c/a\u003e Bumps Tink and BC deps\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/431f492225d8812cc6e57c6ebe1363e2fab2baba\"\u003e\u003ccode\u003e431f492\u003c/code\u003e\u003c/a\u003e [maven-release-plugin] prepare release 9.37.3\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f7fb882cc08f027c9ceb874acec3b51c6222861c\"\u003e\u003ccode\u003ef7fb882\u003c/code\u003e\u003c/a\u003e Backports fixes to issues \u003ca href\u003d\"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583\"\u003e#583\u003c/a\u003e, \u003ca href\u003d\"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/577\"\u003e#577\u003c/a\u003e, \u003ca href\u003d\"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/547\"\u003e#547\u003c/a\u003e, \u003ca href\u003d\"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/549\"\u003e#549\u003c/a\u003e, \u003ca href\u003d\"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/557\"\u003e#557\u003c/a\u003e, \u003ca href\u003d\"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/574\"\u003e#574\u003c/a\u003e, updates JSONObj...\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/ee7f3f9093c833987c67a67e574581e61240dfb0\"\u003e\u003ccode\u003eee7f3f9\u003c/code\u003e\u003c/a\u003e Fixes HTML markup error in JavaDoc overview.html\u003c/li\u003e\n\u003cli\u003e\u003ca href\u003d\"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/392252c7a8f2e0c089f6537be32c440ea4e32ed1\"\u003e\u003ccode\u003e392252c\u003c/code\u003e\u003c/a\u003e [maven-release-plugin] prepare release 9.37.4\u003c/li\u003e\n\u003cli\u003eSee full diff in \u003ca href\u003d\"https://bitbucket.org/connect2id/nimbus-jose-jwt/branches/compare/9.37.4..9.37.2\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name\u003dcom.nimbusds:nimbus-jose-jwt\u0026package-manager\u003dmaven\u0026previous-version\u003d9.37.2\u0026new-version\u003d9.37.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don\u0027t alter it yourself. You can also trigger a rebase manually by commenting `\u003cat\u003edependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `\u003cat\u003edependabot rebase` will rebase this PR\n- `\u003cat\u003edependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `\u003cat\u003edependabot merge` will merge this PR after your CI passes on it\n- `\u003cat\u003edependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `\u003cat\u003edependabot cancel merge` will cancel a previously requested merge and block automerging\n- `\u003cat\u003edependabot reopen` will reopen this PR if it is closed\n- `\u003cat\u003edependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `\u003cat\u003edependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `\u003cat\u003edependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `\u003cat\u003edependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `\u003cat\u003edependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/zeppelin/network/alerts).\n\n\u003c/details\u003e\n\nCloses #5023 from dependabot[bot]/dependabot/maven/zeppelin-server/com.nimbusds-nimbus-jose-jwt-9.37.4.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "4882e07f09df985e5272e591f55f24ce1a2faeb0", "tree": "2bcc673e7c0a157a503d394c86f1c1ef665acbbd", "parents": [ "bf62a2a25f460aaaa4794f82a0b52553187eeb7f" ], "author": { "name": "PJ Fanning", "email": "pjfanning@users.noreply.github.com", "time": "Tue Nov 11 05:28:33 2025 +0100" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Nov 11 13:28:33 2025 +0900" }, "message": "[ZEPPELIN-6204] do not allow init params in JDBC URLs for H2\n\n### What is this PR for?\r\nZEPPELIN-6204\r\n\r\nSlight tidy of the existing disallow list for strings in JDBC urls so that they are checked against just the query params and not the hostname in the URL. \r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### Todos\r\n* [ ] - Task\r\n\r\n### What is the Jira issue?\r\n* Open an issue on Jira https://issues.apache.org/jira/browse/ZEPPELIN/\r\n* Put link here, and add [ZEPPELIN-*Jira number*] in PR title, eg. [ZEPPELIN-533]\r\n\r\n### How should this be tested?\r\n* Strongly recommended: add automated unit tests for any new or changed behavior\r\n* Outline any manual steps to test the PR here.\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? no\r\n* Is there breaking changes for older versions? no\r\n* Does this needs documentation? no\r\n\n\nCloses #4949 from pjfanning/ZEPPELIN-6204-jdbc.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "bf62a2a25f460aaaa4794f82a0b52553187eeb7f", "tree": "10b76886925e2fa6f18da1745cbe3535dcfe799d", "parents": [ "b27925599deb4045aeca7fa273291a6997354ae5" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Tue Nov 04 00:15:55 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Nov 04 00:15:55 2025 +0900" }, "message": "[HOTFIX] @playwright/test 1.56.1 to 1.55.1\n\n### What is this PR for?\r\nhttps://github.com/apache/zeppelin/pull/5111#issuecomment-3480683038\r\n\r\n#5108\r\nAfter upgrading Playwright to the latest version(1.53.2 to 1.56.1), several test cases started failing on WebKit. The issue was resolved by rolling back to the previous minor version(1.55.1).\r\n\r\n[related issue]\r\nhttps://github.com/microsoft/playwright/issues/37766\r\n\r\n### What type of PR is it?\r\nHot Fix\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5115 from dididy/fix/e2e.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "b27925599deb4045aeca7fa273291a6997354ae5", "tree": "142ff1d652dc7b808fbf9f6948294f3ec2a47275", "parents": [ "8432cf66e73b39d003b169cd86d8604e871349e6" ], "author": { "name": "Yuijin Kim(yuikim)", "email": "106499310+kmularise@users.noreply.github.com", "time": "Sun Oct 26 17:19:03 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun Oct 26 17:19:03 2025 +0900" }, "message": "[ZEPPELIN-6365] Add E2E tests about Notebook Repositories (/notebook-repos)\n\n### What is this PR for?\r\nAddition of Notebook Repositories E2E tests for New UI\r\n\r\n---\r\n\r\nPAGES.WORKSPACE.NOTEBOOK_REPOS\r\n\r\n→ src/app/pages/workspace/notebook-repos/notebook-repos.component\r\n\r\nPAGES.WORKSPACE.NOTEBOOK_REPOS_ITEM\r\n\r\n→ src/app/pages/workspace/notebook-repos/item/item.component\r\n\r\n\r\n### What type of PR is it?\r\nImprovement\r\n\r\n\r\n### Todos\r\n* [X] - add Notebook Repositories E2E test\r\n\r\n### What is the Jira issue?\r\n[ZEPPELIN-6365](https://issues.apache.org/jira/secure/RapidBoard.jspa?rapidView\u003d632\u0026view\u003ddetail\u0026selectedIssue\u003dZEPPELIN-6365)\r\n\r\n### How should this be tested?\r\nby E2E test CLI\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5105 from kmularise/ZEPPELIN-6365.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "8432cf66e73b39d003b169cd86d8604e871349e6", "tree": "1754873fb81fb56c740e731c7295acd705166d5f", "parents": [ "358f9e54713d108d2ee0fd78d580a6de8b3cbe5c" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Sun Oct 26 17:16:13 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun Oct 26 17:16:13 2025 +0900" }, "message": "[ZEPPELIN-6359] Add E2E tests about Home/Dashboard Page for New UI\n\n### What is this PR for?\r\nAddition and improvement of Home/Dashboard-related E2E tests for New UI\r\n\r\n---\r\n\r\nPAGES.WORKSPACE.HOME\r\n\r\n→ src/app/pages/workspace/home/home.component\r\n\r\nPAGES.WORKSPACE.MAIN\r\n\r\n→ src/app/pages/workspace/workspace.component\r\n\r\n### What type of PR is it?\r\nImprovement\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6359\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5102 from dididy/e2e/home.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "358f9e54713d108d2ee0fd78d580a6de8b3cbe5c", "tree": "b53ed0db82d9144707d3491e4e15d8a48822b14e", "parents": [ "0a768bcc07a4b691df51eda8f26cc013e8773612" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Sun Oct 26 17:08:00 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun Oct 26 17:08:00 2025 +0900" }, "message": "[ZEPPELIN-6349] Bump Angular from 9 to 13\n\n### What is this PR for?\r\n\r\nThis PR bumps Angular from 9 to 13 and updates related dependencies in zeppelin-web-angular.\r\n\r\nIt addresses:\r\n- https://issues.apache.org/jira/browse/ZEPPELIN-6349\r\n- https://issues.apache.org/jira/browse/ZEPPELIN-6227 (except the custom TSLint rules)\r\n\r\nI removed the zeppelin-helium and helium-vis-example projects in this PR. The Angular rewrite of Helium was never completed, it’s currently unused, and it introduced circular-dependency-related stack overflows during the application build. Given that, removing these modules is the safer choice.\r\n\r\n#### Principal version updates\r\n- angular: 9 -\u003e 13\r\n- ansi_up: 4 -\u003e 6\r\n- date-fns: 2 -\u003e 3\r\n- tslib: 1 -\u003e 2\r\n- lint-staged: 8 -\u003e 15\r\n- typescript: 3.8 -\u003e 4.6\r\n\r\n### What type of PR is it?\r\nChore\r\n\r\n### Todos\r\n* [x] - Bump Angular version (Used angular cli)\r\n* [x] - Migrate TSLint to ESLint (Used `\u003cat\u003eangular-eslint/schematics:convert-tslint-to-eslint`)\r\n* [x] - Fix deprecated code usages\r\n* [x] - Bump other minor dependencies\r\n* [x] - Remove `zeppelin-helium` and `helium-vis-example`\r\n\r\n### What is the Jira issue?\r\n\r\n[ZEPPELIN-6349](https://issues.apache.org/jira/browse/ZEPPELIN-6349)\r\n\r\n### How should this be tested?\r\n- Run E2E tests\r\n- Manual tests across various pages\r\n- Verify `serve` (dev server), `build`, and `lint` work as expected\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5109 from tbonelee/upgrade-web-angular.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "0a768bcc07a4b691df51eda8f26cc013e8773612", "tree": "d75d5186e16e09a14ac0dbf5796b66d8b7238825", "parents": [ "33f35dcf3c0b0b1caf9572210ab7eeb163f4628b" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Fri Oct 24 13:01:44 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Fri Oct 24 13:01:44 2025 +0900" }, "message": "[ZEPPELIN-6370] Upgrade playwright and change the method of installing Playwright browsers\n\n### What is this PR for?\r\nhttps://github.com/apache/zeppelin/pull/5107\r\nhttps://github.com/apache/zeppelin/actions/runs/18662031473/job/53204596550?pr\u003d5107\r\n\r\nIn the Playwright E2E tests of the above bump PR, the following issue occurred:\r\n```\r\nError: browserType.launch: Executable doesn\u0027t exist at /home/runner/.cache/ms-playwright/webkit-2215/pw_run.sh\r\n```\r\n\r\nThis issue seems to be caused by the Playwright browser installation step being version-locked in `zeppelin-web-angular/pom.xml`\u0027s playwright-install execution.\r\n\r\nInstead of managing it in `pom.xml`, it would be better to add it to the `postinstall` script in `zeppelin-web-angular/package.json`, so that Playwright browsers are automatically installed when running `npm install`, either in CI and on a local environment. This PR addresses that change.\r\n\r\n61ff629c48f5f0cc552fa8a9b87d3e665b8601ea\r\n\r\nIncluding the CI caching procedure as above, it seems optimized as previous approach(pom.xml).\r\n\r\n### What type of PR is it?\r\nImprovement\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6370\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5108 from dididy/e2e/upgrade-playwright.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "33f35dcf3c0b0b1caf9572210ab7eeb163f4628b", "tree": "f9f02c886f031bae6500912088d60d63eccf25ff", "parents": [ "a03dcbcefc4e6d36993fd537d41626e27eb8e05a" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Sun Oct 19 20:47:46 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun Oct 19 20:47:46 2025 +0900" }, "message": "[ZEPPELIN-6356] Fix ZeppelinClientIntegrationTest\n\n### What is this PR for?\r\n\r\nAfter #5090, we started hiding unhandled error details from clients, which caused some tests that depended on those details to fail. The afffected cases are note imports/creations that should fail when the target note path already exists.\r\n\r\nThis PR introduces a `ConflictException` and updates `NotebookRestApi` to return HTTP 409 (Conflict) when `NotebookService` throws or returns `NotePathAlreadyExistsException`.\r\n\r\nI chose to do this exception-to-HTTP mapping in `NotebookRestApi` because `NotebookService` is also used outside REST contexts, and assigning HTTP status codes belongs in the REST layer.\r\n\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### What is the Jira issue?\r\nhttps://issues.apache.org/jira/browse/ZEPPELIN-6356\r\n\r\n### How should this be tested?\r\n- Check if `zeppelin-integration-test` and other tests pass\r\n\r\n### Screenshots (if appropriate)\r\n\r\n\u003cimg width\u003d\"1609\" height\u003d\"100\" alt\u003d\"image\" src\u003d\"https://github.com/user-attachments/assets/a445f36c-0267-42df-a75e-9f9f05f94964\" /\u003e\r\n\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5097 from tbonelee/fix-client-integration-test.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "a03dcbcefc4e6d36993fd537d41626e27eb8e05a", "tree": "4059d70164dda936ef7710e33f22edcbdde23d36", "parents": [ "6f9ae32a37f4998b6845eba5761e84da14dfaa7f" ], "author": { "name": "Yuijin Kim(yuikim)", "email": "106499310+kmularise@users.noreply.github.com", "time": "Wed Oct 15 21:55:56 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed Oct 15 14:55:56 2025 +0200" }, "message": "[ZEPPELIN-6354] Remove repo.hortonworks.com\n\n### What is this PR for?\r\nThis PR removes the Hortonworks repository from the `vendor-repo` Maven profile in the root pom.xml. The Hortonworks repository\u0027s SSL certificate has recently expired, and since Hortonworks was acquired by Cloudera, maintaining a separate repository entry is no longer necessary.\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### Todos\r\n* [x] - Remove Hortonworks repository from vendor-repo profile\r\n* [x] - Verify that vendor-repo profile is not used in CI/CD pipelines\r\n* [x] - Confirm no dependencies explicitly require Hortonworks repository\r\n\r\n### What is the Jira issue?\r\n* [ZEPPELIN-6354](https://issues.apache.org/jira/browse/ZEPPELIN-6354)\r\n\r\n### How should this be tested?\r\n* Verify that the build completes successfully without the Hortonworks repository:\r\n ```bash\r\n ./mvnw clean install -DskipTests\r\n ```\r\n* Confirm that the vendor-repo profile (if manually activated) still works with Cloudera repository:\r\n ```bash\r\n ./mvnw clean install -DskipTests -Pvendor-repo\r\n ```\r\n* Check that no dependencies are downloaded from the Hortonworks repository during build\r\n\r\n### Screenshots (if appropriate)\r\nN/A\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\r\n### Additional Notes:\r\n- The `vendor-repo` profile is not currently used in any GitHub Actions workflows\r\n- Cloudera repository is retained in the profile for potential vendor-specific artifacts\r\n- Future consideration: The entire `vendor-repo` profile could be removed if not needed, as CI/CD pipelines don\u0027t use it\r\n\r\n\n\nCloses #5103 from kmularise/ZEPPELIN-6354.\n\nSigned-off-by: Philipp Dallig \u003cphilipp.dallig@gmail.com\u003e" }, { "commit": "6f9ae32a37f4998b6845eba5761e84da14dfaa7f", "tree": "64abb6da7817af9f85227869b3182529c523d116", "parents": [ "f1f671394dc742ec35ede32be039850cdf8a1145" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Fri Oct 10 20:25:34 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Fri Oct 10 20:25:34 2025 +0900" }, "message": "[ZEPPELIN-6324] Auto-Run Paragraph When Accessed via \"Link This Paragraph\"\n\n### What is this PR for?\r\nSince this PR depends on the test utilities introduced in #5098, please review only 348a257f7f215b2631f9dabc43b37bbc1f381bde commit.\r\nI’ll rebase once #5098 is merged.\r\n\r\n**Summary** \r\nThis PR improves the behavior when accessing a published paragraph via **\"Link This Paragraph\"** that has never been executed.\r\n\r\n**Background** \r\nCurrently, if a paragraph has not been run and therefore has no result, nothing is displayed when accessing its shared link. \r\nThis can be confusing to users. \r\nWhile it would make sense to automatically execute the paragraph, running it immediately might cause **side effects** (e.g., updates to external databases). \r\nTo address this, the PR introduces a confirmation step before execution — an idea originally suggested by **CHANHO LEE (Committer)**.\r\n\r\n**Changes** \r\n- Adds a **confirmation modal** when accessing a published paragraph that has no results. \r\n - Asks the user whether to execute the paragraph. \r\n - Only runs the paragraph upon user confirmation. \r\n- Adds **comprehensive E2E tests** to verify the functionality.\r\n\r\n### What type of PR is it?\r\nBug Fix\r\nImprovement\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6324\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5100 from dididy/fix/publish-paragraph-auto-run.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "f1f671394dc742ec35ede32be039850cdf8a1145", "tree": "618e46c068c6aedce0dfd856ac921d228f9be2c2", "parents": [ "8ef350e8b9738e2c98142be1faf69ec4eb0ced29" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Thu Oct 09 16:35:37 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu Oct 09 16:35:37 2025 +0900" }, "message": "[ZEPPELIN-6330] Redirect to home with error if shared paragraph(or note) doesn’t exist\n\n### What is this PR for?\r\n\r\nIf a user accesses a shared link (via **“Link this paragraph”**) for a paragraph that does not exist, it now **redirects to the home screen** and **displays an error modal** indicating that the paragraph does not exist. Added tests to cover this behavior.\r\n\r\n---\r\n\r\n**Correct button text in Create Note modal** - db87e51\r\n```\r\n \u003cnz-form-label\u003e\r\n \u003cng-container *ngIf\u003d\"cloneNote; else importTpl\"\u003eClone Note\u003c/ng-container\u003e\r\n \u003cng-template #importTpl\u003eNote Name\u003c/ng-template\u003e\r\n \u003c/nz-form-label\u003e\r\n ...\r\n \u003cbutton nz-button nzType\u003d\"primary\" (click)\u003d\"createNote()\"\u003e\r\n \u003cng-container *ngIf\u003d\"cloneNote; else importTpl\"\u003eClone\u003c/ng-container\u003e\r\n \u003cng-template #importTpl\u003eCreate\u003c/ng-template\u003e\r\n \u003c/button\u003e\r\n```\r\n\r\n- There was an issue where importTpl was duplicated, causing the \"Note Name\" to be overridden on the \"Create\" button. Renamed button\u0027s importTpl to importTplBtn to fix this.\r\n\r\n---\r\n\r\n**App component related E2E test updates** - daf6045\r\n- Updated tests for the App component to ensure verify correct behavior under various scenarios.\r\n\r\n---\r\n\r\n**Add create new note precedure when it\u0027s empty** - 94933a4\r\nAdded a notebook test utility for creating a new note and a common utility that creates a note if none exists, which can be used in multiple places. \r\n- zeppelin-web-angular/e2e/models/notebook.util.ts\r\n- zeppelin-web-angular/e2e/utils.ts\r\n\r\n\r\n### What type of PR is it?\r\nBug Fix\r\nImprovement\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6330\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5098 from dididy/fix/link-paragraph-invalid-url.\n\nSigned-off-by: Chan Lee \u003cchanho0325@gmail.com\u003e" }, { "commit": "8ef350e8b9738e2c98142be1faf69ec4eb0ced29", "tree": "91a80d80637681230cb2c9825a1c2e1cbdd47184", "parents": [ "3ad1a2c486398a39db29dd82ff0a3e617a6e346a" ], "author": { "name": "hyeyoon Jung", "email": "jeonghy95@gmail.com", "time": "Tue Oct 07 20:13:13 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Oct 07 20:13:13 2025 +0900" }, "message": "[ZEPPELIN-6279] Add Search/Highlight keyword feature for Code Editor\n\n### What is this PR for?\r\nThis PR is a re-implementation of the Search and Replace UI, a feature that was available in the Classic UI.\r\nThe core search and highlighting logic has been fully rewritten to work with the Monaco Editor, which replaces the legacy Ace Editor library. \r\n\r\n### What type of PR is it?\r\nFeature\r\n\r\n### Todos\r\n* [ ] - Replace and Replace All features are not implemented yet.\r\n* [ ] - The feature to display the total counts and the current index is not implemented yet.\r\n\r\n### What is the Jira issue?\r\n* [ZEPPELIN-6279](https://issues.apache.org/jira/browse/ZEPPELIN-6279)\r\n\r\n### How should this be tested?\r\n**Manual Testing**\r\n* Check out the PR branch and check if search and highlight feature works. \r\n\r\n### Screenshots (if appropriate)\r\n\u003cimg width\u003d\"972\" height\u003d\"280\" alt\u003d\"image\" src\u003d\"https://github.com/user-attachments/assets/5e9f0ff1-c796-4e59-8e91-40f3fe1a2ce8\" /\u003e\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5079 from grcenneat/feat/ZEPPELIN-6279.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "3ad1a2c486398a39db29dd82ff0a3e617a6e346a", "tree": "44746bb388731dec3735dc1d921d2ebe8b87ce51", "parents": [ "9aac655ef9fce3cdb91f4fac3dbc4a6fff9c3d1e" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Tue Oct 07 11:45:39 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Oct 07 11:45:39 2025 +0900" }, "message": "[ZEPPELIN-6351] Close modals only on their own user actions\n\n### What is this PR for?\r\nOn the home page, an open modal (e.g., `Import Note`, `Create New Note`) closes when a  `NOTES_INFO` message is received.\r\n\r\nThis is unexpected and makes running parallel E2E tests that create new notes unreliable.\r\n\r\n#### Root cause\r\nBoth modals treated any `NOTES_INFO` message as the result of *their* own submit action.\r\nSince `NOTES_INFO` message is broadcast for various events, this led to false positives.\r\n\r\n#### Fix\r\nClose modals only in response to messages addressed to the submitting client: `IMPORT_NOTE` and `NEW_NOTE`. The server already sends `NEW_NOTE` (used by the old UI), but not `IMPORT_NOTE`. I added a server-sent `IMPORT_NOTE` and replaced `broadcastNote(note)` with sending `IMPORT_NOTE` only to the caller. The previously broadcast `NOTE` is mainly useful to users already on that note page; for a newly imported note, no user is on that page yet, so the broadcast is unnecessary.\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### What is the Jira issue?\r\n[[ZEPPELIN-6351]](https://issues.apache.org/jira/browse/ZEPPELIN-6351)\r\n\r\n### How should this be tested?\r\n- Open two browser windows (A and B).\r\n- In A, open a modal (e.g., Import Note or Create New Note).\r\n- In B, perform a submit that triggers a note update. Verify the modal in A does not close.\r\n- In A, submit the modal. Verify it closes and the note list updates.\r\n\r\n### Screenshots (if appropriate)\r\n\r\n#### [AS-IS]\r\n\r\nhttps://github.com/user-attachments/assets/a38a8334-81d3-45ae-9264-755143df9041\r\n\r\n#### [TO-BE]\r\n\r\n\r\nhttps://github.com/user-attachments/assets/b5e9148a-2a2a-441c-a389-aa1f558a025d\r\n\r\n\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5092 from tbonelee/fix-modal-close.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "9aac655ef9fce3cdb91f4fac3dbc4a6fff9c3d1e", "tree": "18a655d6080135c2ae15224161341a28b77d7ba4", "parents": [ "6dd68c3f9702554c4c7afde68795885e7c985c3e" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Tue Oct 07 11:44:34 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Oct 07 11:44:34 2025 +0900" }, "message": "[ZEPPELIN-6332] Unify keyboard event handling between Angular and Monaco editor\n\n### What is this PR for?\r\n\r\nKeyboard event handling logic is currently split between in `paragraph.component.ts`(Angular) and `code-editor.component.ts` (Monaco editor) in new UI.\r\n\r\nSince both Angular and the Monaco editor capture key events, the auctual handler depends on where the focus is.\r\n\r\nRefactoring this logic would improve cohesion and type safety, making the code more readable and less prone to bugs.\r\n\r\n#### Changes\r\n\r\n##### Extracted keybinding logic into a separate module\r\n- Keybinding logic involves low-level event handling details, but it is not a core responsibility of the components.\r\n- To improve separation of concerns and reusability, I extracted the logic into a dedicated module: `\u003cat\u003ezeppelin/key-binding`.\r\n\r\n##### Added a keybinding coverter\r\n- Introduced a converter from Angular keybindings to Monaco editor keybindings.\r\n- This allows keybindings defined once in `shortcuts-map.ts` to be reused for both Angular and Monaco editor handlers.\r\n\r\n##### Unified keybinding handling in a single class\r\n- Initialization of keybinding handlers for both Angular and Monaco editor is now managed by a new `KeyBinder` class.\r\n- A `KeyBinder` instance is created in each `ParagraphComponent`.\r\n- Angular handlers are registerd during `ParagraphComponent` initialization, while Monaco handlers are registered when the editor is initialized (triggered by the `initKeyBindings` emitter in `NotebookParagraphCodeEditorComponent`).\r\n- All handlers simpley emit the appropriate action key to an RxJS `Subject` within `KeyBinder`.\r\n\r\n##### Categorized handler for each action between Angular and Monaco editor at type level.\r\n- All actions are mapped to corresponding handler method name via `ParagraphActionToHandlerName`. Each actions must be explicitly specified as a key at the type level, and each value must be one of the method names from `NotebookParagraphKeyboardEventHandler`.\r\n- The `MonacoKeyboardEventHandler` type defines method names for some actions, while the rest are defined in `AngularKeyboardEventHandler`. Both are subtypes of `NotebookParagraphKeyboardEventHandler` and the methods in each type are mutually exclusive.\r\n- `NotebookParagraphCodeEditorComponent` implements the Monaco handler, and `ParagraphComponent` implements the Angular handler.\r\n- Both handler implementation receives an `action` parameter via` handleKeyEvent(action, event)`, then look up the corresponding method in `ParagraphActionToHandlerName` using the `action` value.\r\n\r\n\r\n### What type of PR is it?\r\nRefactoring\r\n\r\n### What is the Jira issue?\r\n[ZEPPELIN-6332](https://issues.apache.org/jira/browse/ZEPPELIN-6332)\r\n\r\n### How should this be tested?\r\nSince E2E tests are not added, we could check key shortcuts manually while running Zeppelin.\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5080 from tbonelee/override-default-keybindings.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "6dd68c3f9702554c4c7afde68795885e7c985c3e", "tree": "3790454406d09e4464c1878e306333cb59e084b7", "parents": [ "89aecde0ed381d5ff6c68ed299c1562e675445e5" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Tue Oct 07 11:43:09 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Oct 07 11:43:09 2025 +0900" }, "message": "[ZEPPELIN-6327] Fix wrong order of the arguments for Visualization components\n\n### What is this PR for?\r\nVisualizations are not working because the constructor arguments were passed in the wrong order.\r\nSince using `any` made this error hard to detect, I replaced it with specific types.\r\n(Related to #5053)\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### What is the Jira issue?\r\nhttps://issues.apache.org/jira/browse/ZEPPELIN-6327\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5074 from tbonelee/fix-argument-order.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "89aecde0ed381d5ff6c68ed299c1562e675445e5", "tree": "33c443b0bfad0381bb74be6b61bfa84e71236136", "parents": [ "94f1d8175fbfeab64c85ab5d8eca087ada8b4e5c" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Mon Oct 06 10:44:58 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon Oct 06 10:44:58 2025 +0900" }, "message": "[ZEPPELIN-6357] Fixed missing login prerequisite in each test\n\n### What is this PR for?\r\nhttps://github.com/apache/zeppelin/actions/runs/18239525409/job/51939323284?pr\u003d5095\r\n\r\nI recently found that the `run-playwright-e2e-tests (auth)` step wasn’t running properly during the New UI\u0027s E2E tests. \r\nThe root cause was that the tests required a setup (tear-up) process. \r\nSince handling login in `globalSetup` within `playwright.config` made it difficult to account for all browser contexts, \r\nI added a method([performLoginIfRequired](https://github.com/apache/zeppelin/pull/5096/files#diff-10918824923e3beebfd460fdab4db4ee063a0f1ee10c49bb5829e459e3af31f3R164-R196)) in `utils` to perform the login when a `shiro.ini` file exists, and made each test execute it in `beforeEach`.\r\n\r\nDuring this process, I also merged the `helper` into `utils`, as they essentially served the same purpose.\r\n\r\n### What type of PR is it?\r\nBug Fix\r\nImprovement\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6357\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5096 from dididy/fix/login-tearup.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "94f1d8175fbfeab64c85ab5d8eca087ada8b4e5c", "tree": "032b2e1bd40984a0884ca529757f879600945118", "parents": [ "eee7ebb6887ed6d1e1881396222628a7d2ca9bf8" ], "author": { "name": "Dongmin Cha", "email": "40655807+chadongmin@users.noreply.github.com", "time": "Sun Oct 05 17:09:37 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun Oct 05 17:09:37 2025 +0900" }, "message": "[ZEPPELIN-6352] Prevent information disclosure in WebApplicationExceptionMapper\n\n### What is this PR for?\r\n This PR fixes a security vulnerability in `WebApplicationExceptionMapper` that exposes sensitive information through exception serialization. When exceptions occur, the current implementation\r\n serializes the entire exception object to JSON and returns it to clients, potentially leaking stack traces, internal paths, class names, and other sensitive details. This PR replaces the detailed\r\n exception response with a generic error message while maintaining proper server-side logging for debugging purposes.\r\n\r\n ### What type of PR is it?\r\n Improvement\r\n\r\n ### Todos\r\n * [x] - Replace exception serialization with generic error message\r\n * [x] - Maintain server-side error logging\r\n\r\n ### What is the Jira issue?\r\n * https://issues.apache.org/jira/browse/ZEPPELIN-6352\r\n\r\n ### How should this be tested?\r\n * **Automated testing**: Unit tests should verify that non-WebApplicationExceptions return a generic error message instead of detailed exception information\r\n * **Manual testing**:\r\n 1. Trigger an exception in the application\r\n 2. Verify that the client receives only the generic error message: `{\"status\":\"error\",\"message\":\"Internal server error\"}`\r\n 3. Check server logs to confirm the full exception details are still logged\r\n\r\n ### Screenshots (if appropriate)\r\n N/A\r\n\r\n ### Questions:\r\n * Does the license files need to update? **No**\r\n * Is there breaking changes for older versions? **No** - Only changes the error response format for better security\r\n * Does this needs documentation? **No**\r\n\n\nCloses #5090 from chadongmin/ZEPPELIN-6352.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "eee7ebb6887ed6d1e1881396222628a7d2ca9bf8", "tree": "8a14a9b5ec99c52c47cdd7a42c991317a806e6cf", "parents": [ "190ecd6a2febd58616e0fdbb2686fbd2b2ea7e7a" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Sun Oct 05 17:03:06 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun Oct 05 17:03:06 2025 +0900" }, "message": "[ZEPPELIN-6323] Apply dark mode to the new UI\n\n### What is this PR for?\r\nThis PR adds dark mode support and system theme integration for the Zeppelin New UI. There were multiple demands such as [ZEPPELIN-5062](https://issues.apache.org/jira/browse/ZEPPELIN-5602) and [ZEPPELIN-4024](https://issues.apache.org/jira/browse/ZEPPELIN-4024).\r\n\r\n#### Example: Follow system theme + other parts\r\n\r\nhttps://github.com/user-attachments/assets/2159d54e-6403-4f80-91f0-3f66a93881e1\r\n\r\n#### Example: Change with button + notebook\r\n\r\n\r\nhttps://github.com/user-attachments/assets/59bdf1bc-86a3-42e1-a3d0-1d89d955ed7d\r\n\r\n\r\n#### Automatic System Theme Detection \u0026 Sync \r\n- Automatically detect OS-level dark/light mode settings \r\n- Real-time detection and application of system theme changes \r\n- Theme cycle pattern: `auto(system) → opposite theme → original theme → auto` \r\n\r\n#### Comprehensive Dark Mode UI Support \r\n- Applied dark mode styles across all major components \r\n- Added dark mode overrides for Ant Design components \r\n- Full Monaco Editor dark theme support \r\n- Consistent color scheme and visual hierarchy \r\n\r\n#### Enhanced User Experience \r\n- Eliminated FOUC (Flash of Unstyled Content) with logic handled in `index.html` \r\n- Easy theme switching via a toggle button \r\n- Persisted user preferences in local storage \r\n- Theme state maintained after page reloads \r\n\r\nWith dark mode support and system theme integration, Zeppelin delivers a modern, user-friendly experience. Users can either rely on system theme settings for automatic adaptation or manually select their preferred theme. \r\n\r\n### What type of PR is it?\r\nImprovement\r\n\r\n### Todos\r\n* [ ] I created a dark mode [background image](https://github.com/dididy/zeppelin/blob/5d078a40c17e0561202e809da0761016516b86f2/zeppelin-web-angular/src/assets/images/bg-dark.png) used for login and loading with ChatGPT, but I need to verify whether there are any copyright issues.\r\n* [ ] Due to the limited environment setup, I wasn’t able to check all the cases where graphs are rendered. I think we can leave this as a follow-up issue to work on later.\r\n\r\n### What is the Jira issue?\r\n* [[ZEPPELIN-6323](https://issues.apache.org/jira/browse/ZEPPELIN-6323)]\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5078 from dididy/feat/darkmode.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "190ecd6a2febd58616e0fdbb2686fbd2b2ea7e7a", "tree": "e4498bc65983f709ad72e6347265f26372996613", "parents": [ "7c7b00fa78dab19b16fee8b55458f69ef127a0e9" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Sat Oct 04 10:49:52 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sat Oct 04 10:49:52 2025 +0900" }, "message": "[ZEPPELIN-6336] Enable Conditional Login Test Based on shiro.ini Presence in Zeppelin\n\n### What is this PR for?\r\nCurrently, Zeppelin(zeppelin-web-angular)’s E2E authentication tests require the presence of a `shiro.ini` file to run. \r\nHowever, in certain build or CI environments, this file may not exist. \r\nIn such cases, login tests may fail or behave unpredictably. \r\n\r\nTo improve flexibility, the test framework should support both scenarios: \r\n- **Auth mode (`shiro.ini` exists)** → Run all tests, including authentication/login tests \r\n- **Anonymous mode (`shiro.ini` does not exist)** → Skip authentication/login tests, but run all other tests \r\n\r\n#### 1. GitHub Actions Workflow (Matrix Mode)\r\n- Added `strategy.matrix.mode: [anonymous, auth]`\r\n- In `auth` mode, copy `shiro.ini.template → shiro.ini`\r\n- In `anonymous` mode, skip `shiro.ini` setup to simulate a no-auth environment\r\n\r\n#### 2. Playwright Global Setup / Teardown\r\n- **`global-setup.ts`**\r\n - Added `LoginTestUtil.isShiroEnabled()` to detect presence of `shiro.ini`\r\n - If enabled → load credentials \u0026 run login tests \r\n - If disabled → skip login tests, log message \r\n- **`global-teardown.ts`**\r\n - Added environment cleanup (e.g., reset cache)\r\n\r\n#### 3. Authentication Utility (`login-page.util.ts`)\r\n- `isShiroEnabled()`: Checks if `shiro.ini` is accessible via `fs.access`\r\n- `getTestCredentials()`: Parses credentials only when `shiro.ini` exists\r\n- `resetCache()`: Clears cached values between test runs\r\n\r\n#### 4. Test Code Updates\r\n- **`app.spec.ts`** \r\n - Conditionally checks whether login page or workspace should be visible, based on `isShiroEnabled()`\r\n- **Other Playwright tests** \r\n - Authentication-related tests are skipped when `shiro.ini` is not present\r\n\r\n### What type of PR is it?\r\nImprovement\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6336\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5088 from dididy/fix/ZEPPELIN-6336.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "7c7b00fa78dab19b16fee8b55458f69ef127a0e9", "tree": "7c09f23528b899286b49329ee8979b4af2ee82be", "parents": [ "5484bebb6e988d474787147d725f7db17d619d91" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Sat Oct 04 00:01:38 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sat Oct 04 00:01:38 2025 +0900" }, "message": "[CI-HOTFIX] Remove not allowed action in Selenium test\n\nI attempted to create a related JIRA issue, but the Apache JIRA site isn\u0027t working for an hour. Therefore, I’m proceeding without creating the issue.\r\n\r\n### What is this PR for?\r\nCurrently, our CI workflow uses browser-actions/setup-edge\u003cat\u003ev1 to install Microsoft Edge. However, this action is not allowed in the apache/zeppelin repository because only actions from approved/verified sources can be used.\r\n\r\n\u003cimg width\u003d\"2109\" height\u003d\"241\" alt\u003d\"image\" src\u003d\"https://github.com/user-attachments/assets/28b0e90a-ffaf-41b4-9c25-495088a20963\" /\u003e\r\n\r\nTo resolve this, I removed the external action and replace it with a direct installation step.\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n\r\n### How should this be tested?\r\n- Check if CI works\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5093 from tbonelee/remove-not-allowed-action.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "5484bebb6e988d474787147d725f7db17d619d91", "tree": "55ae9ee9e057333f2bf4b59954ef975c0e4e2abd", "parents": [ "3d1ee7c6bfeb178d853e8f67af97f0c2b326da96" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Fri Oct 03 23:46:01 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Fri Oct 03 23:46:01 2025 +0900" }, "message": "[ZEPPELIN-6339] Fix - Anonymous users can access /login in the New UI, unlike the Classic UI\n\n### What is this PR for?\r\n#### [Classic UI]\r\n\r\nhttps://github.com/user-attachments/assets/9ae01649-5525-4310-b467-4dc96f205987\r\n\r\n\r\n#### [As-Is]\r\n\r\n\r\nhttps://github.com/user-attachments/assets/654ce13a-1770-4c61-bc4c-c9cc09ba397d\r\n\r\n\r\n#### [To-Be]\r\n\r\n\r\nhttps://github.com/user-attachments/assets/9c8140e3-ff7f-4698-af93-8ae6859f6dee\r\n\r\nAnonymous users were able to access /login in the New UI, unlike the Classic UI.\r\nThis has been restricted, and I have added tests to cover the change.\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6339\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No \r\n\n\nCloses #5087 from dididy/fix/login-issue.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "3d1ee7c6bfeb178d853e8f67af97f0c2b326da96", "tree": "72f155167bc9636e9bb3700d6fcaaebdd7a7c0df", "parents": [ "25ec6ed966db56ea04d995d16b77fb553665dd26" ], "author": { "name": "ChanHo Lee", "email": "chanho0325@gmail.com", "time": "Thu Oct 02 19:35:20 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu Oct 02 19:35:20 2025 +0900" }, "message": "[ZEPPELIN-6350] Fix Selenium test by Replacing Firefox with Edge\n\n### What is this PR for?\r\nThis PR stabilizes the `test-selenium...` job by switching the Selenium browser from Firefox to Microsoft Edge.\r\nIn #4941, we worked around a Linux ChromeDriver issue (https://github.com/SeleniumHQ/selenium/issues/15358) by moving from Chrome to Firefox, but that workaround also seems to be not working well.\r\n\r\nI use Edge driver instead, since it does not have flakiness like Firefox driver and is more aligned with Chrome since it is also based on Chromium.\r\n\r\nLimitation: The root cause of Firefox browser failures has not been fully analyzed.\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### What is the Jira issue?\r\n[[ZEPPELIN-6350]](https://issues.apache.org/jira/browse/ZEPPELIN-6350)\r\n\r\n### How should this be tested?\r\n- Check `test-selenium...` job in `frontend`\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5089 from tbonelee/fix-selenium-test.\n\nSigned-off-by: Chan Lee \u003cchanho0325@gmail.com\u003e" }, { "commit": "25ec6ed966db56ea04d995d16b77fb553665dd26", "tree": "b94e24896db1aefd6d677b099397a8beb4435f94", "parents": [ "f4f822d05c59aa941a697cb34ccdd3b37dd1a795" ], "author": { "name": "ChanHo Lee", "email": "chanho0325@gmail.com", "time": "Thu Oct 02 19:34:17 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu Oct 02 19:34:17 2025 +0900" }, "message": "[ZEPPELIN-6353] Migrate Windows build CI from AppVeyor to GitHub Actions\n\n### What is this PR for?\r\n\r\n#### Background\r\n\r\n- Windows build/test currently runs on AppVeyor.\r\n\r\n#### Problem\r\n\r\n- AppVeyor jobs are hard for individual contributors to reproduce and debug.\r\n - Hard to debug failing Windows build test.\r\n- Maintaining a separate CI provider increases overhead.\r\n\r\n#### Proposal\r\n\r\n- Port the Windows build/test job to GitHub Actions with feature parity.\r\n\r\n#### Benefits\r\n\r\n- Single CI platform, easier contributor workflows, simpler maintenance.\r\n\r\n#### Definition of Done\r\n\r\nAll Windows checks run on GitHub Actions and pass consistently.\r\nAppVeyor is removed from required checks and configuration.\r\n\r\n\r\n### What type of PR is it?\r\nCI\r\n\r\n### Todos\r\n- [x] Add a Windows workflow on GitHub Actions (build).\r\n- [x] Ensure caching/artifacts.\r\n- [ ] Disable AppVeyor from repository settings after GA workflow is green and stable.\r\n\r\n### What is the Jira issue?\r\n[[ZEPPELIN-6353]](https://issues.apache.org/jira/browse/ZEPPELIN-6353)\r\n\r\n### How should this be tested?\r\n- Check `windows-build` job in `core`\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5091 from tbonelee/migrate-windows-build.\n\nSigned-off-by: Chan Lee \u003cchanho0325@gmail.com\u003e" }, { "commit": "f4f822d05c59aa941a697cb34ccdd3b37dd1a795", "tree": "4a3d1313b7586fac034b8b9a69f4205fd857b7ce", "parents": [ "8fd90cf8f6a92ad58454023a88ca0468839da3aa" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Mon Sep 29 12:13:37 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon Sep 29 12:13:37 2025 +0900" }, "message": "[ZEPPELIN-6233] Upgraded the Node.js version of zeppelin-web-angular from 16 to 18\n\n### What is this PR for?\r\nUpgraded the Node.js version of zeppelin-web-angular from **16.20.2** to **18.20.8**\r\n\r\n#### [[zeppelin-web-angular/package.json](https://github.com/apache/zeppelin/compare/master...dididy:zeppelin:test/node18?expand\u003d1#diff-c7de4df5c0afd29d2acd136879ab99f0fec5aeb696a4423885124e93bd1a986f)]\r\nOpenSSL legacy provider: Added NODE_OPTIONS\u003d\u0027--openssl-legacy-provider\u0027 to maintain compatibility with libraries that rely on legacy cryptographic algorithms, which are no longer enabled by default in Node 18 (OpenSSL 3).\r\n\r\nI upgraded Husky from version 3 to version 9 and added `\"prepare\": \"husky\"` to the `package.json`. In Husky v9, the `prepare` script runs automatically when a user executes `npm install`, which ensures that Git hooks are installed without any additional manual steps. Unlike `postinstall`, which runs after package installation, `prepare` runs during the installation process, so the hooks are ready immediately after `npm install`.\r\n\r\nHusky\u0027s Git hook management has moved from `package.json` to the `.husky/` directory. All hook scripts that were previously defined in `package.json` have been migrated to individual files under `.husky/`, following the new Husky v9 structure. This change ensures a clearer separation of configuration and hook scripts and aligns with the recommended setup for Husky v9.\r\n\r\n#### [[zeppelin-web-angular/proxy.conf.js](https://github.com/apache/zeppelin/compare/master...dididy:zeppelin:test/node18?expand\u003d1#diff-2a24ea2db081bdc01ecadf2293530e5997cdd179f9dc47820627776fc1b5e591)]\r\nUpdated the proxy target from `localhost` to `127.0.0.1` following the Node.js 18 upgrade.\r\n\r\nIn Node.js 18, `localhost` may resolve to IPv6 (`::1`) first, which can cause connection issues with servers bound to IPv4 (`127.0.0.1`). \r\nUsing `127.0.0.1` ensures a consistent IPv4 connection and improves stability.\r\n\r\n\r\n### What type of PR is it?\r\nImprovement\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\nZEPPELIN-6233\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5086 from dididy/test/node18.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "8fd90cf8f6a92ad58454023a88ca0468839da3aa", "tree": "3fbe3bec2f415b9b9666b545199abdb45dccc15f", "parents": [ "ae68cf57413c0848bd958201a6121a9fabc0365b" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Sun Sep 28 12:50:19 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun Sep 28 12:50:19 2025 +0900" }, "message": "[ZEPPELIN-6338] Allow separate frontend modules to use different Node/NPM versions\n\n### What is this PR for?\r\nMoved the `node.version` and `npm.version` properties from the parent `pom.xml` to each module\u0027s `pom.xml`.\r\nThis allows `zeppelin-web` and `zeppelin-web-angular` to manage their Node/NPM versions independently.\r\n\r\nNote: Each module installs and manages its own Node/NPM, so this change simply makes that independence explicit without adding extra maintenance burden or increasing package size.\r\n\r\n### What type of PR is it?\r\nImprovement\r\n\r\n\r\n### What is the Jira issue?\r\nhttps://issues.apache.org/jira/browse/ZEPPELIN-6338\r\n\r\n### How should this be tested?\r\nCheck CIs if Node and npm is installed for both modules.\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5084 from tbonelee/update-nodejs.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "ae68cf57413c0848bd958201a6121a9fabc0365b", "tree": "2b7f7e648feb24b2d59b7acbeaca5646baf10b8b", "parents": [ "80ff51cdf580b5718c0c531096aa75c2c03b62d2" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Sat Sep 27 13:57:47 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sat Sep 27 13:57:47 2025 +0900" }, "message": "[ZEPPELIN-6328] Enable strict template modes in zeppelin-web-angular\n\n### What is this PR for?\r\nType checks in template checks are not fully enabled right now, which makes it harder to catch type errors.\r\nEnabling strict type checks in Angular templates would help surface these errors at compile time.\r\n\r\nI enabled `strictTemplates` and `fullTemplateTypeCheck` options in tsconfig files.\r\nThen I ran `npm run build` and fixed those type errors.\r\n\r\n\r\n### What type of PR is it?\r\nRefactoring\r\n\r\n### What is the Jira issue?\r\nhttps://issues.apache.org/jira/browse/ZEPPELIN-6328\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5075 from tbonelee/strict-template.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "80ff51cdf580b5718c0c531096aa75c2c03b62d2", "tree": "7c3f6d57affb5c5b83aa42932e2872b00b620810", "parents": [ "3e9e89565d311bfbaaafc9932b3adb5ce6104b1d" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Sat Sep 27 13:33:21 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sat Sep 27 13:33:21 2025 +0900" }, "message": "[ZEPPELIN-6336] Fix failing zengine tests caused by invalid interpreters.json\n\n### What is this PR for?\r\nTests in the `zeppelin-zengine` module were failing. The main reason was that the `interpreter.json` in test resources were invalid: the value object did not have an `id` field matching its corresponding key.\r\nAs a result, the deserialized `InterpreterSetting` instance had an auto-genarated `id` field, causing the key and value.id to be inconsistent.\r\nBefore #5063, invalid settings were simply skipped. However, after that change, they caused a NPE.\r\n\r\nThis PR fixes the invalid JSON files and adds minor validation logic in the deserialization method so that such issues can be detected early by users.\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### What is the Jira issue?\r\nhttps://issues.apache.org/jira/browse/ZEPPELIN-6335\r\n\r\n### How should this be tested?\r\n* Check `core-modules` - `zeppelin-zengine` tests in CI\r\n\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5081 from tbonelee/fix-test-resource.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "3e9e89565d311bfbaaafc9932b3adb5ce6104b1d", "tree": "f6d0d5c470bcece9844cc89a18e5f5ed4fc6d61b", "parents": [ "948f1652f9277a9e5b25051eee6e0674f137afd3" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Sun Sep 21 11:26:55 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun Sep 21 11:26:55 2025 +0900" }, "message": "[ZEPPELIN-6314] Set up a new E2E testing environment in the New UI\n\n### What is this PR for?\r\n#### [Summary]\r\n\r\n- **Proposal:** Migrate the existing Protractor (and Karma/Jasmine-based E2E/testing system) to a **Playwright**-based testing framework. \r\n- **Objective:** Achieve a more stable and faster testing process while supporting modern E2E requirements such as cross-browser testing, multi-tab scenarios, and automatic waits. Additionally, leverage **Playwright MCP / code generator** to automate and accelerate test creation. \r\n\r\n#### [Background]\r\n\r\n1. **Protractor** has long been the standard for E2E testing in the Angular ecosystem. However, with the [official deprecation/termination of support by the Angular team](https://blog.angular.dev/protractor-deprecation-update-august-2023-2beac7402ce0), long-term maintenance can no longer be relied upon. \r\n2. Existing Protractor tests are WebDriver-based (control method, wait strategies, etc.), which often led to flaky test cases and increased maintenance costs.\r\n3. The **Karma + Jasmine**-based unit testing environment, widely used as the default in Angular CLI, also has limitations in terms of build/compile costs, speed, and developer experience (configuration, parallel execution, etc.). Modern alternatives offer a better DX. \r\n - Since there were no test files, the related environment was removed from this branch, and any future unit tests will be migrated to **Jest**.\r\n\r\n#### [Why Playwright?]\r\n\r\n\u003e Playwright provides a robust ecosystem with **stability, speed, standardization, and AI-assisted automation capabilities**.\r\n\r\n- **[Test Generator (Codegen)](https://playwright.dev/docs/codegen)** \r\n - Records user interactions in the browser and generates scaffolding for tests—useful for quickly setting up E2E scenarios. \r\n- **[MCP (Model Context Protocol) Integration](https://playwright.dev/agents/playwright-mcp-generating-tests)** \r\n - Playwright has extensive documentation and examples for workflows that generate and validate tests via MCP (LLM ↔ test runner interface), enabling automated test creation and LLM-assisted refactoring. This reduces the need for fully manual test writing. \r\n - In the MCP era, Playwright is the most widely used tool.\r\n - According to [State of JavaScript 2024](https://2024.stateofjs.com/en-US/libraries/testing/#testing_work), Playwright is the most widely used E2E tool at work.\r\n- **Functional Advantages** \r\n - Multi-browser support: Chromium / Firefox / WebKit \r\n - Multi-tab \u0026 cross-domain (cross-origin) testing \r\n - Robust auto-waiting, parallel execution \r\n - Built-in reporters, traces, videos, snapshots \r\n- **Why Not Cypress?** \r\n - Parallel execution requires paid [Cypress Cloud](https://docs.cypress.io/cloud/features/smart-orchestration/parallelization)\r\n - Cannot handle [iframes](https://docs.cypress.io/app/guides/cross-origin-testing#Origin), [new tabs](https://reflect.run/articles/accessing-a-new-window-in-cypress-tests), [multi-tab](https://momentic.ai/resources/the-definitive-guide-to-cypress-multi-tab-and-window-handling), or [popup scenarios](https://reflect.run/articles/accessing-a-new-window-in-cypress-tests)without tricks \r\n - MCP support is community-driven and not standardized\r\n- **Why Not Puppeteer?** \r\n - [Chrome-dependent](https://pptr.dev/supported-browsers), [unsuitable for multi-environment E2E testing](https://www.browserstack.com/guide/cross-browser-testing-in-puppeteer)\r\n\r\n#### [Project Structure Overview]\r\n\r\n- **fixtures/**: Environment setup tools for test execution (e.g., `tearup` / `teardown`).\r\n- **models/**: Contains POM (Page Object Model) classes for reusable page actions.\r\n- **tests/**: Contains spec files for the actual test cases.\r\n- **helper.ts**: Zeppelin-specific helper classes.\r\n- **reporter.coverage.*.ts**: Custom reporters for checking test coverage.\r\n- **utils.ts**: Test utilities and page constants.\r\n\r\n[Node 16 is **no longer supported** in `\u003cat\u003eplaywright/test` versions **after v1.53.2**](https://playwright.dev/docs/release-notes#miscellaneous-1). As a result, this project uses **v1.53.2** instead of the latest version (v1.55.0) to maintain compatibility. \r\n\r\n#### [Coverage Rule]\r\n\r\n\u003e **Goal:** Ensure that for each `*.component.ts` file, **at least one test passes**. In other words, verify that E2E tests cover the functionality of each component.\r\n\r\n\u003cimg width\u003d\"1130\" height\u003d\"888\" alt\u003d\"스크린샷 2025-09-11 오후 9 09 57\" src\u003d\"https://github.com/user-attachments/assets/7307d9e5-66b4-45d8-a8aa-6691fdbe6558\" /\u003e\r\n\r\n**Approach (Proposed Flow)**\r\n\r\n1. **Enable frontend code coverage collection** by adding a custom reporter. \r\n2. At the start of each test (or when entering a page), register coverage using a helper like `testPageBeforeEach({TEST-PATH})`. Example usage shown below. \r\n3. During the test execution, if additional coverage is generated, register it via the `testPage({TEST-PATH}, testInfo)` helper. \r\n4. **In the Playwright custom reporter**, after all tests have finished, parse the collected coverage data: \r\n - Read the list of files matching `src/app/**/*.component.ts`. \r\n - Verify that each component has test coverage\r\n - If any component is not sufficiently covered, fail the CI or generate a separate report.\r\n\r\n**Example: Using `testPageBeforeEach` and `testPage`**\r\n\r\n```ts\r\ntest.describe(\u0027TEST EXAMPLE\u0027, () \u003d\u003e {\r\n testPageBeforeEach(\u0027src/app/app.component\u0027);\r\n ...\r\n test(\u0027TEST FOR LOGIN\u0027, async ({ page }, testInfo) \u003d\u003e {\r\n testPage(\u0027src/app/pages/login/login.component\u0027, testInfo);\r\n ...\r\n });\r\n ...\r\n});\r\n```\r\n\r\n#### [Test Generators / Leveraging MCP]\r\n\u003e **Automated Initial Scaffolding**: Developers no longer need to manually write each scenario. Using Playwright Codegen / MCP, initial test templates can be generated automatically and then refined by humans, dramatically increasing productivity. \r\n\r\n- **[Using Test Generator Options](https://playwright.dev/docs/codegen)** \r\n - You can specify viewport, device, color scheme, geolocation, locale, timezone, `auth.json` file, etc. \r\n - `npm run e2e:codegen`\r\n- **[LLM-Assisted Test Generation](https://www.checklyhq.com/blog/generate-end-to-end-tests-with-ai-and-playwright)** \r\n - Through MCP can be provided with the page state to suggest or generate test cases, enabling rapid coverage expansion. \r\n - Developed by Microsoft, MCP integrates well with IDEs like VS Code, making AI-assisted features (test code auto-generation, scenario suggestions, etc.) seamless. \r\n - Example workflow connecting Playwright test runner with MCP server: \r\n - Read the webpage state → LLM generates test cases automatically \r\n - Page Object Model is auto-created/recommended \r\n - Scenario execution and result feedback can be integrated - **Playwright MCP Integrations**\r\n - [Copilot](https://dev.to/debs_obrien/letting-playwright-mcp-explore-your-site-and-write-your-tests-mf1) / [Claude](https://kailash-pathak.medium.com/api-testing-with-llm-claude-and-playwright-mcp-model-context-protocol-a08d6ab979dd) / [Cursor](https://medium.com/\u003cat\u003ejagdalebr/supercharge-testing-with-playwright-mcp-server-and-cursor-ai-0e66f2430d11) / [Chrome Extension](https://kailash-pathak.medium.com/streamline-web-automation-with-the-playwright-mcp-chrome-extension-4ff9e43469cd)\r\n\r\n#### [Reference]\r\n- [apache/apisix-dashboard](https://github.com/apache/apisix-dashboard)\r\n- [Protractor deprecation: Angular Blog](https://blog.angular.dev/protractor-deprecation-update-august-2023-2beac7402ce0)\r\n- [Playwright Codegen](https://playwright.dev/docs/codegen)\r\n- [Playwright MCP / Generative test examples](https://playwright.dev/agents/playwright-mcp-generating-tests)\r\n- [Playwright Migration Guide](https://playwright.dev/docs/protractor)\r\n- [Playwright Reporter API / Custom reporters](https://playwright.dev/docs/api/class-reporter)\r\n\r\n### What type of PR is it?\r\nImprovement\r\nFeature\r\n\r\n### Todos\r\n- [x] The account currently logs in as **anonymous** in the local environment, but I’m not sure how to perform a tear-up with a specific account. I’ll need to look into this further. If anyone is familiar with this, I would appreciate advice. \u003c- I found `conf/shifo.ini`\r\n- [ ] Regarding coverage measurement, we could consider adopting a better approach if one exists. From what I’ve found so far, there doesn’t seem to be a tool that can automatically detect and measure coverage.\r\n- [x] The GitHub Action is running too slowly, and it seems we could improve performance by using a caching strategy. \u003c- Modify it so that it runs during Maven’s test phase and is referenced accordingly\r\n- [ ] We should discuss the approach of moving the E2E tests to a separate repository.\r\n- [ ] We need to consider how to contribute to E2E tests. Currently, the plan is as follows:\r\n - After this PR is merged, either use [ZEPPELIN-6314](https://issues.apache.org/jira/browse/ZEPPELIN-6314) or create a. new parent issue, then manage contributions as sub-issues. \r\n - To avoid duplicate work, contributors can:\r\n 1. Check the `PAGES` variable in `utils` to find areas they want to work on.\r\n 2. Leave a comment and open a new sub-issue. \r\n - Example comment: \r\n - \"I would like to work on testing the header area.\"\r\n - Path: `src/app/share/header/header.component`\r\n\r\n### What is the Jira issue?\r\n* [[ZEPPELIN-6314](https://issues.apache.org/jira/browse/ZEPPELIN-6314)]\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? N \r\n* Is there breaking changes for older versions? N\r\n* Does this needs documentation? N\r\n\n\nCloses #5072 from dididy/feat/ZEPPELIN-6314.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "948f1652f9277a9e5b25051eee6e0674f137afd3", "tree": "0dfecdb2e44de920c029ed63150dc6c5b5d6c78a", "parents": [ "8d18618eabbcc5ab6e27f30363712207445f499b" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Fri Sep 19 21:16:41 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Fri Sep 19 21:16:41 2025 +0900" }, "message": "[ZEPPELIN-6265] Support classic Helium viz packages in new UI\n\n### What is this PR for?\r\nThis PR enables the use of external Helium visualization packages, which are previously available only in the classic UI, in the new UI.\r\n\r\nThe process of loading and importing Helium packages, as well as rendering them, closely follows the logic from the classic UI.\r\n\r\nSince the new-style visualization classes in the new UI are not compatible with the existing ones, the implementation branches accordingly to handle both.\r\n\r\nClassic Helium visualization packages depend on legacy technologies such as AngularJS, jQuery, and several visualization libraries, which had to be included as a result.\r\nFor Bootstrap styles, conflicts arose with existing styles, so I copied and modified the original HTML templates to prevent clashes.\r\nIf a Helium package attempts to use the original HTML template, it will be replaced with the modified version.\r\n\r\nAdditionally, I identified that the Helium visualization support classes from the discontinued development of the new UI are no longer in use, so I removed them.\r\n\r\n### What type of PR is it?\r\n\r\nImprovement\r\n\r\n### Todos\r\n* [v] - Added support for loading Helium packages\r\n* [v] - Fixed style mismatches in Helium packages\r\n* [v] - Other functional issues resolved\r\n\r\n### What is the Jira issue?\r\nhttps://issues.apache.org/jira/browse/ZEPPELIN-6265\r\n\r\n### How should this be tested?\r\n* Enables a classic Helium visualization package in the classic UI, and verify that it works in the new UI.\r\n - Note: The `/helium` package management page has not yet been added.\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5006 from tbonelee/helium-vis.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "8d18618eabbcc5ab6e27f30363712207445f499b", "tree": "8e0930747f17617528cd9a059fa5557c01726540", "parents": [ "3c10d379c50a682fb6aa109e7c72586309243405" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Thu Sep 18 11:45:17 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu Sep 18 11:45:17 2025 +0900" }, "message": "[ZEPPELIN-6325] Add Custom TSLint Rule to Alphabetically Order Exports in public-api.ts\n\n### What is this PR for?\r\nhttps://github.com/apache/zeppelin/pull/5065#issuecomment-3266268119\r\n\r\nIn #5065, it was suggested that keeping exports sorted alphabetically would improve readability and consistency.\r\n\r\nTSLint does not provide a built-in rule for this (only `ordered-imports` exists for imports). Therefore, following the approach from #5053, I added a custom TSLint rule to enforce alphabetical ordering for exports.\r\n\r\nApplying this rule across the entire codebase would introduce many disruptive changes, so for now it is scoped only to the **public-api.ts** file.\r\n\r\n\r\n### What type of PR is it?\r\nImprovement\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\n* [[ZEPPELIN-6325](https://issues.apache.org/jira/browse/ZEPPELIN-6325)]\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? N\r\n* Is there breaking changes for older versions? N\r\n* Does this needs documentation? N\r\n\n\nCloses #5071 from dididy/test/orderedExports.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "3c10d379c50a682fb6aa109e7c72586309243405", "tree": "47d4adb6af18d4b82290dcb151201cdefc7eedd7", "parents": [ "5aa65256ff02c1d5e949892d1f1118e507df513e" ], "author": { "name": "Gyeongtae Park", "email": "gyeongtae@apache.org", "time": "Tue Sep 16 20:15:54 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Sep 16 13:15:54 2025 +0200" }, "message": "[ZEPPELIN-6271] Remove TravisCI-related scripts no longer in use\n\n### What is this PR for?\r\nTravisCI is no longer used in this project, so the following obsolete files have been removed:\r\n- dev/travis/save-logs.py\r\n- dev/travis/travis-install.sh\r\nThis cleanup eliminates unused CI scripts and reduces maintenance overhead.\r\n\r\n### What type of PR is it?\r\nRefactoring\r\n\r\n### Todos\r\n* [x] - Remove dev/travis/save-logs.py\r\n* [x] - Remove dev/travis/travis-install.sh\r\n\r\n### What is the Jira issue?\r\n* Jira: https://issues.apache.org/jira/browse/ZEPPELIN-6271\r\n\r\n### How should this be tested?\r\nN/A\r\n\r\n### Screenshots (if appropriate)\r\nN/A\r\n\r\n### Questions:\r\n* Does the license files need to update? No.\r\n* Is there breaking changes for older versions? No.\r\n* Does this needs documentation? No.\r\n\n\nCloses #5019 from ParkGyeongTae/ZEPPELIN-6271.\n\nSigned-off-by: Philipp Dallig \u003cphilipp.dallig@gmail.com\u003e" }, { "commit": "5aa65256ff02c1d5e949892d1f1118e507df513e", "tree": "0bfcb06ac1119fd96a625816aceece3afd2ea9da", "parents": [ "3073e3f034ab4bf59cc52881e72e318545af3f78" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Mon Sep 15 23:39:28 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon Sep 15 23:39:28 2025 +0900" }, "message": "[ZEPPELIN-6315] Add a lint rule to prevent circular imports in zeppelin-web-angular\n\n### What is this PR for?\r\n\r\nCircular imports in JS/TS can make imported symbols unexpectedly `undefined` at runtime and also confuse build and tooling. This PR introduces a TSLint rule to detect circular imports and refactors imports to prevent them.\r\n\r\n- Added `tslint-no-circular-imports` and enabled the rule.\r\n- Fixed explicit circular-import violations.\r\n- Standardized import conventions and layering rules to avoid regressions.\r\n\r\n#### Import conventions\r\n\r\nTo keep dependencies simple and acyclic:\r\n\r\n1. Cross-module improts -\u003e use the modules\u0027s barrel\r\nImport from the module entry (its public API), not deep files.\r\n```ts\r\n// good\r\nimport { Foo } from \u0027\u003cat\u003ezeppelin/some-module\u0027;\r\n// bad\r\nimport { Foo } from \u0027\u003cat\u003ezeppelin/some-module/feature/foo\u0027;\r\n```\r\n- Rationale: reduces tight coupling and ad-hoc interweaving between modules.\r\n\r\n2. Intra-module imports -\u003e use relative paths\r\nInside the same module, import relatively instead of via that module\u0027s barrel.\r\n```ts\r\n// good\r\nimport { Bar } from \u0027./bar/bar.component\u0027;\r\n// bad\r\nimport { Bar } from \u0027\u003cat\u003ezeppelin/this-module\u0027;\r\n```\r\n- Rationale: prevents barrel -\u003e implementation -\u003e barrel loops that often create cycles.\r\n\r\n\u003e Terminology\r\n\u003e A \"module\" here means a directory published via a single alias like \u003cat\u003ezeppelin/{module} (one slash).\r\n\r\n#### Layering rules\r\n\r\nEnforce a single direction of dependencies. This keeps cycles out by construction.\r\nThis interpretation aims to minimize disruption to the existing structure. If you have alternative proposals, please let me know.\r\n\r\n- `core`: framework-agnostic types, tokens, and utilities.\r\n - Can be used by anyone.\r\n - Must not depend on `services`, `pages`, or `share`\r\n- `services`: non-UI logics\r\n - May depend on `core`.\r\n - Must not depend on `share` or `pages`.\r\n- `pages`: May depend on `services`, `share`, and `core`.\r\n- `share` : presentational componets, directives\r\n - May depend on `core` and `service`\r\n\r\n\r\n### What type of PR is it?\r\nRefactoring\r\n\r\n### What is the Jira issue?\r\n[ZEPPELIN-6315](https://issues.apache.org/jira/browse/ZEPPELIN-6315)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5065 from tbonelee/circular-import.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "3073e3f034ab4bf59cc52881e72e318545af3f78", "tree": "7e76fb35f5a8e227c8567ede9b61eb5c2495e2b4", "parents": [ "75a9caa7b6731e0c1b36aa4ff245b1e461b02d5c" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Mon Sep 15 23:28:39 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon Sep 15 23:28:39 2025 +0900" }, "message": "[ZEPPELIN-6236] Prettify format to pass lint in web-angluar\n\n### What is this PR for?\r\nSome files are not prettified so that `zeppelin-web-angular` test is failing.\r\nI just reformat those files to make it pass the CI\r\n\r\n\r\n### What type of PR is it?\r\nRefactoring\r\n\r\n### What is the Jira issue?\r\nhttps://issues.apache.org/jira/browse/ZEPPELIN-6326\r\n\r\n### How should this be tested?\r\nCheck zeppelin-web-angular CI\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5073 from tbonelee/prettify.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "75a9caa7b6731e0c1b36aa4ff245b1e461b02d5c", "tree": "3e9acbca5f687069f6fb6b1cb20cb2e25936b384", "parents": [ "c9d6b133a1536fc412bb74ed4716f09420f1e9e4" ], "author": { "name": "YeonKyung Ryu", "email": "80758099+celinayk@users.noreply.github.com", "time": "Mon Sep 15 13:05:15 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon Sep 15 13:05:15 2025 +0900" }, "message": "[ZEPPELIN-6309] Improve method by replacing JsonObject parameter\n\n### What is this PR for?\r\nRefactored the `convertPermissionsFromUsersToOwners` method in InterpreterSetting.java to improve code readability and maintainability by separating JSON parsing logic from business logic, addressing the TODO comment that identified this as \"ugly code\".\r\n\r\n### What type of PR is it?\r\nRefactoring\r\n\r\n\r\n### Todos\r\n * [x] - Refactor convertPermissionsFromUsersToOwners method to remove JsonObject parameter\r\n * [x] - Extract JSON parsing logic into separate static helper method\r\n * [x] - Update all callers to use new method signature\r\n \r\n\r\n### What is the Jira issue?\r\n[ZEPPELIN-6309](https://issues.apache.org/jira/browse/ZEPPELIN-6309)\r\n\r\n### How should this be tested?\r\n\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5063 from celinayk/ZEPPELIN-6309.\n\nSigned-off-by: ParkGyeongTae \u003cgyeongtae@apache.org\u003e" }, { "commit": "c9d6b133a1536fc412bb74ed4716f09420f1e9e4", "tree": "92d31ae277d22a15c0c629094b82d469b564224b", "parents": [ "0f20ffcd0f32d8195203ad871d1f4bc52f10b8c2" ], "author": { "name": "ChanHo Lee", "email": "chanholee@apache.org", "time": "Tue Sep 09 19:54:14 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Sep 09 19:54:14 2025 +0900" }, "message": "[ZEPPELIN-6319] Fixing unsupported wildcard path expansion in zeppelin-web-angular\n\n### What is this PR for?\r\nWindows cmd and does not support wildcard path expansion, which causes errors like the one below.\r\n\u003cimg width\u003d\"954\" height\u003d\"190\" alt\u003d\"image\" src\u003d\"https://github.com/user-attachments/assets/3356609d-d2a6-4135-8c35-75d35df54291\" /\u003e\r\n\r\nThis PR fixes the issue by replacing the glob pattern path argument with a specific `tsconfig.json` file for `tslint-rules/`.\r\n\r\n\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### What is the Jira issue?\r\nhttps://issues.apache.org/jira/browse/ZEPPELIN-6319\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #5070 from tbonelee/fix-wildcard-path.\n\nSigned-off-by: ParkGyeongTae \u003cgyeongtae@apache.org\u003e" }, { "commit": "0f20ffcd0f32d8195203ad871d1f4bc52f10b8c2", "tree": "908bbdc7b28059835f7333868eda4c2604da23ef", "parents": [ "4fbfaec6160f338248c44b72938ca50d38068d19" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Mon Sep 08 00:22:21 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon Sep 08 00:22:21 2025 +0900" }, "message": "[ZEPPELIN-6203] Connect shortcut modal for info button\n\n### What is this PR for?\r\n\u003cimg width\u003d\"417\" height\u003d\"103\" alt\u003d\"image\" src\u003d\"https://github.com/user-attachments/assets/d4fca2f3-0dca-43ae-b159-ca881bd1766d\" /\u003e\r\n\r\nNothing happened when I click above info button inside of Zeppelin Notebook. So I connect this function work properly. \r\n\r\nThis button related in [here](https://github.com/apache/zeppelin/blob/526eb15b8732909ab994adba76e0c3e33bfa001c/zeppelin-web-angular/src/app/pages/workspace/notebook/action-bar/action-bar.component.ts#L239) so I made shared shortcut component and connect it. Now it works well.\r\n\r\n\r\n\u003cimg width\u003d\"1624\" height\u003d\"1056\" alt\u003d\"스크린샷 2025-07-12 오후 6 10 05\" src\u003d\"https://github.com/user-attachments/assets/d71e7264-eefb-4e80-bf4d-cf4467627d5e\" /\u003e\r\n\r\nI refer to [zeppelin-web\u0027s shortcut file](https://github.com/apache/zeppelin/blob/526eb15b8732909ab994adba76e0c3e33bfa001c/zeppelin-web/src/app/notebook/shortcut.html)\r\n\r\n### What type of PR is it?\r\nBug Fix\r\nFeature\r\nRefactoring\r\n\r\n### Todos\r\n* [x] makes html file\u0027s isMac working well\r\n* [ ] Adjust shortcut for zeppelin-web to zeppelin-web-angular / check this file for preventing weird working when user try to use shortcut // [here](https://github.com/apache/zeppelin/blob/526eb15b8732909ab994adba76e0c3e33bfa001c/zeppelin-web-angular/src/app/services/shortcut.service.ts) [ZEPPELIN-6229](https://issues.apache.org/jira/browse/ZEPPELIN-6229) [ZEPPELIN-6197](https://issues.apache.org/jira/browse/ZEPPELIN-6197)\r\n* [ ] Made \"Clone paragraph\" button work properly in New UI // [ZEPPELIN-6294](https://issues.apache.org/jira/browse/ZEPPELIN-6294)\r\n\r\n### What is the Jira issue?\r\nhttps://issues.apache.org/jira/browse/ZEPPELIN-6203\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? No\r\n* Is there breaking changes for older versions? No\r\n* Does this needs documentation? No\r\n\n\nCloses #4963 from dididy/fix/ZEPPELIN-6203.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" }, { "commit": "4fbfaec6160f338248c44b72938ca50d38068d19", "tree": "1172ea86ff9d380c59c715e0efe281c67d57798d", "parents": [ "4297661d8f15453a30a898dc9151c6ab6c181e7f" ], "author": { "name": "YONGJAE LEE(이용재)", "email": "dev.yongjaelee@gmail.com", "time": "Sun Sep 07 21:55:33 2025 +0900" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun Sep 07 21:55:33 2025 +0900" }, "message": "[ZEPPELIN-6298] Fix cursor-related issues in New UI\u0027s Paragraph\n\n### What is this PR for?\r\n**Description:**\r\nCursor behavior in the New UI’s paragraph needs to be fixed for several cursor related actions, including double-clicking, running all above/below, adding(clone), and removing paragraphs.\r\n\r\nWhen **cloneParagraph()** is called, it internally calls **addParagraph()**, which has already been tested. The same addParagraph-related code is also applied in #5044. If either PR is merged first, I will rebase accordingly. I have also confirmed that **cloneParagraph()** works correctly through #5044.\r\n\r\nDue to timing issues, I used `setTimeout` for **removeParagraph()** and **doubleClickParagraph()**. Since this is in the UI area, it likely won’t have major side effects, but I will look into it further.\r\n\r\n**Expected:**\r\n- When **doubleClickParagraph()** is executed, the cursor should move to the end of the paragraph.\r\n- When **runAllAbove()** or **runAllBelow()** is executed, the current cursor position should be remembered, and after execution, focus should return to the previous cursor position.\r\n- When **addParagraph()** is executed, the newly added paragraph should receive focus.\r\n- When **removeParagraph()** is executed, focus should move to the paragraph that takes the deleted paragraph’s place.\r\n\r\n**Actual (New UI):**\r\n- When **doubleClickParagraph()** is executed, the cursor moves to the beginning instead of the end.\r\n- After **runAllAbove()** or **runAllBelow()**, focus is lost completely.\r\n- When **addParagraph()** is executed, the new paragraph does not automatically receive focus.\r\n- After **removeParagraph()**, focus may not move to the correct paragraph.\r\n\r\n**[Appropriate action - Classic UI]**\r\n\r\nhttps://github.com/user-attachments/assets/fc0066f7-4e03-4e3b-9d5b-2f33df415ba7\r\n\r\nRun all above -\u003e Run all below -\u003e Double click .md paragraph -\u003e Add paragraph -\u003e Delete paragraph\r\n\r\n**[AS-IS]**\r\n\r\nhttps://github.com/user-attachments/assets/f699f788-cf29-4c4c-8c47-2ef34d7962f0\r\n\r\nRun all above -\u003e Run all below -\u003e Double click .md paragraph -\u003e Add paragraph -\u003e Delete paragraph\r\n\r\n**[TO-BE]**\r\n\r\nhttps://github.com/user-attachments/assets/1206c524-103f-4328-85ee-04408073b628\r\n\r\nRun all above -\u003e Run all below -\u003e Double click .md paragraph -\u003e Add paragraph -\u003e Delete paragraph\r\n\r\n\r\n### What type of PR is it?\r\nBug Fix\r\n\r\n### Todos\r\n\r\n### What is the Jira issue?\r\n* [[ZEPPELIN-6298](https://issues.apache.org/jira/browse/ZEPPELIN-6298)]\r\n\r\n### How should this be tested?\r\n\r\n### Screenshots (if appropriate)\r\n\r\n### Questions:\r\n* Does the license files need to update? N\r\n* Is there breaking changes for older versions? N\r\n* Does this needs documentation? N\r\n\n\nCloses #5057 from dididy/fix/ZEPPELIN-6298.\n\nSigned-off-by: ChanHo Lee \u003cchanholee@apache.org\u003e" } ], "next": "4297661d8f15453a30a898dc9151c6ab6c181e7f" }