github open-metadata/OpenMetadata 1.12.12-release
on GitHub

21 hours ago

🔒 Security

  • sudo upgraded for CVE-2026-35535 #29343: Upgraded sudo in the ingestion image to patch CVE-2026-35535.
  • Spring, Micrometer & OpenTelemetry CVE patches #29111: Spring 6.2.18 → 6.2.19 (CVE-2026-41850, CVE-2026-41851), Micrometer 1.14.5 → 1.15.12, and pinned OpenTelemetry to patch reported CVEs.
  • ws bumped for CVE-2026-48779 #29122: Updated ws to 8.21.0.
  • handlebars bumped for CVE-2026-55760 #29221: Updated handlebars to 4.5.2 to patch a path-traversal vulnerability.
  • form-data bumped #29349: Updated the form-data package to address reported vulnerabilities.
  • markdown-it bumped #29057: markdown-it 14.1.1 → 14.2.0.
  • UI dependency vulnerability fixes #29223: Addressed assorted UI vulnerabilities, including undici 6.25.0 → 6.27.0 and form-data updates.

🔍 Search & Performance

  • Cap oversized dataModel column trees at index time #29212: Containers/tables with pathologically large dataModel schemas (hundreds of thousands of columns) produced multi-hundred-MB search documents that could OOM the server on read/reindex. The oversized-doc guard now also strips nested column children and derived columnNames/columnNamesFuzzy once a doc is still over the cap after lineage stripping. Top-level columns and the full schema (via the entity API) are preserved.
  • Column tag filtering in advanced search #28871: Added column-tag filtering to advanced search.
  • Defer row fetch in audit logs list query #28850: Avoids a full-row scan when listing audit logs.
  • AuditLogConsumer dropping events on offset gaps #29252: change_event.offset is AUTO_INCREMENT/SERIAL and only visible at commit, so under concurrent writes a lower offset can become visible after a higher one. The consumer no longer skips audit events across these offset gaps.

🧬 Lineage

  • Render traced edges and nodes #29195: Lineage now visually renders traced edges and nodes.
  • Restore edges in lineage PNG export #29124: Edges are restored after canvas re-render in the lineage PNG export.
  • Fix selector for export lineage 5b4fe8c: Fixed the selector used for lineage export.
  • Correct nodeDepth for fetched nodes #27477: Updates nodeDepth on fetched nodes using the base nodeDepth (Issue #25388).

📖 Glossary

  • Approve/reject buttons missing after Expand All #29292: The Expand-All tree fetch omitted the reviewers field, so nested In-Review terms lost their approve/reject buttons. Reviewers are now requested so the buttons remain for nested terms.
  • Approval re-triggers on approved-term rename 1755135: Renaming an already-approved term now records name/parent on the change description so the approval workflow re-triggers correctly.
  • Keep approvals valid after move #29234: Approvals remain valid after a glossary term is moved.
  • Cascade glossary rename to child terms in search index #29134: Renaming a glossary now updates the denormalized glossary.name / glossary.fullyQualifiedName on every child term's search-index doc.

🔐 Authentication

  • MCP OAuth login fails with 400 on id_token fragment #29228: Fixed /mcp/callback handling of the active-session shortcut and implicit-flow id_token returned in the URL fragment by SSO.
  • OIDC/SAML self-signup persists mapped email claim #29189: Self-signup now persists the mapped email claim from OIDC/SAML.

🛡️ Data Governance & Quality

  • Preserve data products across domain deletes #29138: When a data product's domain was changed and the original domain was then recursively hard-deleted, the data product was incorrectly deleted via a stale domain→dataProduct relationship. The stale relationship is now removed so data products are preserved.
  • Delete orphaned test cases + guard test-definition deletion #29081: Orphaned test cases (whose testDefinition relationship was removed) can now be hard-deleted, and test-definition deletion is guarded against the missing relationship.

⚙️ Apps & Ingestion

  • Sync IngestionPipeline scheduleInterval on app schedule changes #28702: When an external app's schedule changes (scheduled→manual or a cron edit), the backing IngestionPipeline scheduleInterval is now synced so K8s/Argo/Hybrid runners pick up the new schedule.
  • Skip CSV consolidation without a previous version #29088: Avoids CSV consolidation when there is no previous version to consolidate against.

🎛️ UI

  • Scope "between" operator fix to numeric custom properties #29334: The between operator now correctly sends the upper bound for numeric custom properties only (Issue #27482).

🔌 Connectors

  • Snowflake: create Query entities in ACCESS_HISTORY lineage #29125: The opt-in ACCESS_HISTORY lineage path now emits a CreateQueryRequest per edge so the originating SQL surfaces as Query entities, and fixes a probe issue.
  • Snowflake: forward-port ACCESS_HISTORY lineage + cache fixes #29036: Forward-ports the opt-in ACCESS_HISTORY lineage path and cache fixes.
  • Metabase: StarRocks SQL dialect for lineage #29033: StarRocks connections now route to the StarRocks SQL dialect so StarRocks-specific syntax in Metabase native queries (e.g. to_bitmap(), bitmap_union_count()) parses correctly for lineage (Issue #28934).
Check out latest releases or
releases around open-metadata/OpenMetadata 1.12.12-release

Don't miss a new OpenMetadata release

NewReleases is sending notifications on new releases.

Get notifications