​

Changelog

​

🔒 Security patches

• Snyk high/critical dependency patches in ingestion #28623: Patches high and critical Snyk findings across ingestion dependencies to address multiple common vulnerabilities and exposures (CVEs).
• Jackson-core and CloudFront Snyk high patches #28614: Resolves Snyk high-severity vulnerabilities in jackson-core 3.0.2 and cloudfront 2.30.19.
• Axios version bump for Retire.js vulnerabilities #28582: Updates the frontend dependency to address reported Retire.js vulnerabilities.
• Cross-site scripting (XSS) security fix with explicit jsonify #28574: Makes jsonify explicit at the route level to break XSS taint chains.
• CVE fixes in ingestion images #28534: Closes gnutls, libcap, openssh, and rsync CVEs in ingestion container images.
• mlflow-skinny and jsonify security bumps #28501: Updates mlflow-skinny and surfaces jsonify in the trigger route for security.
• Presidio utils XSS false positives fix #28535: Drops **kwargs Any from presidio_utils factories to clear XSS false positives.

​

🔌 MCP enhancements

• MCP tool errors mapped to correct HTTP status codes #28644: MCP now maps tool errors to the correct HTTP status codes.
• New MCP tools added #28586: Extends MCP tool capabilities with new tools for enhanced functionality.
• Optimized get_entity_lineage MCP tool payload #28618: Reduces the payload size of the get_entity_lineage tool with a slim transform optimization.
• MCP custom properties in get_entity_details #28594: Surfaces custom extension properties in get_entity_details tool responses.
• MCP single sign-on (SSO) support in OAuth flow #28548: Adds SAML SSO support for the MCP OAuth authentication flow.
• MCP client secret handling for public clients #28552: Fixes client secret issuance to no longer send secrets to public clients.
• MCP prefers application/json over SSE #28558: MCP now prefers the application/json response format when a client accepts both JSON and SSE.
• MCP tool usage improvements #28352: Enhances MCP tool usage tracking and execution capabilities.

​

🛠 API and migration fixes

• Migration heals stuck PostgreSQL certification #28635: Fixes migration to heal stuck PostgreSQL certification records stranded by the v1.12.5 update.
• Migration casts :metadata to JSON on PostgreSQL tag_usage #28504: Corrects metadata field casting in PostgreSQL tag_usage insert statements.

​

🔍 Search and indexing fixes

• Search by nested field names for topics and API endpoints #28610: Resolves an issue where nested field name searches failed for topics and API endpoints.
• Stale file extension aggregation scrubbed on upgrade #28565: Prevents file search 500 errors by cleaning up stale file extension aggregation data during upgrade.
• Backport of immense-term children mapping fix #28572: Applies a fix for deeply nested children fields that were causing search mapping issues.
• Orphan test cases no longer break search indexing #28159: Prevents orphaned test cases from causing search index failures.

​

🎨 UI and UX fixes

• Entity type filter update button click fixed #28573: Corrects the entity type filter interaction where the update button click was not being registered.
• Translation fixes for ru-RU and ko-KR locales #28584: Corrects translation values for Russian and Korean language packs.
• Test suite pre-selects every test case already in suite #28543: Fixes test case selection logic to pre-select all test cases already added to a suite.

​

🐛 General bug fixes

• Classification visit method fixed #28636: Corrects the visit method for classification entity traversal.
• Flaky domain and data product rename fixed #28580: Improves stability of domain and data product rename operations by handling search version conflicts.
• fasturi dependency fix #28139: Updates the fasturi dependency to resolve compatibility issues.

​

📦 Dependencies and infrastructure

• Kubernetes client pinned below 36.0.0 (from v1.12.9): Maintains compatibility by capping the Kubernetes Python client to avoid breaking API changes.