Changelog
OpenMetadata 1.12.10 is a maintenance release delivering critical security patches, MCP enhancements, and targeted bug fixes across migrations, search, UI, and ingestion runtime.
🔒 Security
- Snyk high/critical dependency patches in ingestion #28623: High and critical Snyk findings patched across ingestion dependencies to address multiple CVEs.
- Jackson-core and CloudFront Snyk high patches #28614: Resolved Snyk high-severity vulnerabilities in jackson-core 3.0.2 and cloudfront 2.30.19.
- Axios version bump for Retire.js vulnerabilities #28582: Frontend dependency updated to address reported Retire.js vulnerabilities.
- XSS security fix with explicit jsonify #28574: Made jsonify explicit at route level to break XSS taint chains.
- CVE fixes in ingestion images #28534: Closed gnutls, libcap, openssh, and rsync CVEs in ingestion container images.
- mlflow-skinny and jsonify security bumps #28501: Updated mlflow-skinny and surfaced jsonify in the trigger route for security.
- Presidio utils XSS false positives fix #28535: Dropped **kwargs Any from presidio_utils factories to clear XSS false positives.
🔌 MCP (Model Context Protocol) Enhancements
- MCP tool error responses mapped to correct HTTP status codes #28644: Tool errors now properly map to their corresponding HTTP status codes.
- New MCP tools added #28586: Extended MCP tool capabilities with new tools for enhanced functionality.
- Optimize get_entity_lineage MCP tool payload #28618: Reduced payload size of get_entity_lineage tool with slim transform optimization.
- MCP custom properties in get_entity_details #28570: Surfaced custom extension properties in get_entity_details tool responses.
- MCP SAML SSO support in OAuth flow #28548: Added SAML SSO support for MCP OAuth authentication flow.
- MCP client secret handling for public clients #28552: Client secrets are no longer issued to public clients.
- MCP prefer application/json over SSE #28558: MCP now prefers application/json response format when client accepts both JSON and SSE.
- MCP Tool Usage improvements #28352: Enhanced MCP tool usage tracking and execution capabilities.
🛠 API & Migration Fixes
- Migration heal stuck PG certification #28635: Fixed migration to heal stuck PostgreSQL certification records stranded by the v1125 update.
- Migration cast :metadata to json on PG tag_usage #28504: Corrected metadata field casting in PostgreSQL tag_usage insert statements.
🔍 Search & Indexing Fixes
- Fix search by nested field names for topics and API endpoints #28610: Resolved issue where nested field name searches failed for topics and API endpoints.
- Scrub stale file extension aggregation on upgrade #28565: Prevented file search 500 errors by cleaning up stale file extension aggregation data during upgrade.
- Backport immense-term children mapping fix #28572: Applied fix for deeply nested children fields that were causing search mapping issues.
- Stop orphan test cases from breaking search indexing #28159: Prevented orphaned test cases from causing search index failures.
🎨 UI & UX Fixes
- Fix entity type filter update button click #28573: Corrected entity type filter interaction where update button click was not being registered.
- Translation fixes for ru-ru and ko-kr locales #28584: Corrected translation values for Russian and Korean language packs.
- Test suite pre-select every test case already in suite #28400: Fixed test case selection logic to pre-select all test cases already added to a suite.
🐛 General Bug Fixes
- Fixed classification visit method #28636: Corrected the visit method for classification entity traversal.
- Fix flaky domain & data product rename #28580: Improved stability of domain and data product rename operations by handling search version conflicts.
- Fix fasturi dependency #28139: Updated fasturi dependency to resolve compatibility issues.
📦 Dependencies & Infrastructure
- Kubernetes client pinned below 36.0.0 (from v1.12.9): Maintained compatibility by capping the Kubernetes Python client to avoid breaking API changes.
Full Changelog: Commits between 1.12.9 and 1.12.10