Skip to content

Bump the 3-2-auth-ui-package-updates group across 1 directory with 19 updates#65152

Closed
dependabot[bot] wants to merge 100 commits into
v3-2-testfrom
dependabot/npm_and_yarn/airflow-core/src/airflow/api_fastapi/auth/managers/simple/ui/v3-2-test/3-2-auth-ui-package-updates-55b7bce11c
Closed

Bump the 3-2-auth-ui-package-updates group across 1 directory with 19 updates#65152
dependabot[bot] wants to merge 100 commits into
v3-2-testfrom
dependabot/npm_and_yarn/airflow-core/src/airflow/api_fastapi/auth/managers/simple/ui/v3-2-test/3-2-auth-ui-package-updates-55b7bce11c

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 13, 2026

Copy link
Copy Markdown
Contributor

Bumps the 3-2-auth-ui-package-updates group with 19 updates in the /airflow-core/src/airflow/api_fastapi/auth/managers/simple/ui directory:

Package From To
@hey-api/openapi-ts 0.94.0 0.95.0
@tanstack/react-query 5.90.21 5.97.0
axios 1.13.6 1.15.0
react 19.2.4 19.2.5
react-cookie 8.0.1 8.1.0
react-dom 19.2.4 19.2.5
react-hook-form 7.71.2 7.72.1
react-router-dom 7.13.1 7.14.0
@7nohe/openapi-react-query-codegen 2.0.0 2.1.0
@eslint/compat 2.0.3 2.0.5
@typescript-eslint/eslint-plugin 8.57.0 8.58.1
@typescript-eslint/parser 8.57.0 8.58.1
@typescript-eslint/utils 8.57.0 8.58.1
@vitest/coverage-v8 4.1.0 4.1.4
eslint 10.0.3 10.2.0
eslint-plugin-perfectionist 5.6.0 5.8.0
typescript-eslint 8.57.0 8.58.1
vite 8.0.5 8.0.8
vitest 4.1.0 4.1.4

Updates @hey-api/openapi-ts from 0.94.0 to 0.95.0

Release notes

Sourced from @​hey-api/openapi-ts's releases.

@​hey-api/openapi-ts@​0.95.0

Minor Changes

Validator request schemas

Valibot plugin no longer exports composite request Data schemas. Instead, each layer is exported as a separate schema. If you're using validators with SDKs, you can preserve the composite schema with shouldExtract:

export default {
  input: "hey-api/backend", // sign up at app.heyapi.dev
  output: "src/client",
  plugins: [
    // ...other plugins
    {
      name: "sdk",
      validator: "valibot",
    },
    {
      name: "valibot",
      requests: {
        shouldExtract: true,
      },
    },
  ],
};

Removed plugin.getSymbol() function

This function has been removed. You can use plugin.querySymbol() instead. It accepts the same arguments and returns the same result.

Validator request schemas

Zod plugin no longer exports composite request Data schemas. Instead, each layer is exported as a separate schema. If you're using validators with SDKs, you can preserve the composite schema with shouldExtract:

export default {
  input: "hey-api/backend", // sign up at app.heyapi.dev
  output: "src/client",
  plugins: [
    // ...other plugins
    {
      name: "sdk",
      validator: "zod",
</tr></table> 

... (truncated)

Changelog

Sourced from @​hey-api/openapi-ts's changelog.

@​hey-api/openapi-ts 0.95.0

Updates

  • internal: remove plugin.getSymbol() function (#3671)

Removed plugin.getSymbol() function

This function has been removed. You can use plugin.querySymbol() instead. It accepts the same arguments and returns the same result.

Plugins

@​hey-api/client-angular

  • improve beforeRequest typing (#3660)

@​hey-api/client-axios

  • improve beforeRequest typing (#3660)

@​hey-api/client-fetch

  • improve beforeRequest typing (#3660)

@​hey-api/client-ky

  • improve beforeRequest typing (#3660)

@​hey-api/client-next

  • improve beforeRequest typing (#3660)

@​hey-api/sdk

  • improve types for SSE events (#3466)

orpc

  • adjust input shape (#3671)

valibot

  • remove request data schema (#3671)

Validator request schemas

Valibot plugin no longer exports composite request Data schemas. Instead, each layer is exported as a separate schema. If you're using validators with SDKs, you can preserve the composite schema with shouldExtract:

export default {
</tr></table> 

... (truncated)

Commits
  • 5e1eaea Merge pull request #3664 from hey-api/changeset-release/main
  • acd0e9d ci: release
  • 632638f Merge pull request #3675 from hey-api/refactor/dsl-from-value
  • 8aa4698 refactor: rename fromValue file to from-value
  • 11db9af Merge pull request #3674 from hey-api/docs/sponsors-mintlify-3
  • a32e70b docs: remove Mintlify from sponsors
  • 3efbe9b Merge pull request #3673 from hey-api/docs/sponsors-mintlify-2
  • bd2bf6e docs: remove Mintlify from sponsors
  • 1162b4a Merge pull request #3672 from hey-api/docs/soon-to-vote
  • 5f696b7 docs: update soon label to vote
  • Additional commits viewable in compare view

Updates @tanstack/react-query from 5.90.21 to 5.97.0

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.97.0

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.97.0
    • @​tanstack/react-query@​5.97.0

@​tanstack/react-query-next-experimental@​5.97.0

Patch Changes

  • Updated dependencies []:
    • @​tanstack/react-query@​5.97.0

@​tanstack/react-query-persist-client@​5.97.0

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.97.0
    • @​tanstack/react-query@​5.97.0

@​tanstack/react-query@​5.97.0

Patch Changes

  • Updated dependencies [2bfb12c]:
    • @​tanstack/query-core@​5.97.0

@​tanstack/react-query-devtools@​5.96.2

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.96.2
    • @​tanstack/react-query@​5.96.2

@​tanstack/react-query-next-experimental@​5.96.2

Patch Changes

  • Updated dependencies []:
    • @​tanstack/react-query@​5.96.2

@​tanstack/react-query-persist-client@​5.96.2

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.96.2
    • @​tanstack/react-query@​5.96.2

@​tanstack/react-query@​5.96.2

Patch Changes

  • Updated dependencies []:

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.97.0

Patch Changes

  • Updated dependencies [2bfb12c]:
    • @​tanstack/query-core@​5.97.0

5.96.2

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.96.2

5.96.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.96.1

5.96.0

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.96.0

5.95.2

Patch Changes

  • Updated dependencies [cd5a35b]:
    • @​tanstack/query-core@​5.95.2

5.95.1

Patch Changes

  • Updated dependencies [1f1775c]:
    • @​tanstack/query-core@​5.95.1

5.95.0

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.95.0

5.94.5

... (truncated)

Commits
  • 125067c ci: Version Packages (#10436)
  • f699190 test(react-query): replace hardcoded query keys with 'queryKey()' utility (#1...
  • f3d3eea test(*): replace deprecated 'toMatchTypeOf' with 'toExtend' (#10413)
  • 3d6e001 test(react-query/useSuspenseQueries): replace 'async/await sleep' with 'sleep...
  • 7d7a21c test(react-query): replace 'async/await sleep' with 'sleep().then()' in test ...
  • 5ca721f ci: Version Packages (#10379)
  • 75052a7 ci: Version Packages (#10370)
  • 73e783b ci: Version Packages (#10364)
  • 14a97b7 test(react-query): replace 'import React' with 'import * as React' in 'usePre...
  • fd8c068 test({react,preact}-query/useSuspenseQueries): merge redundant second 'descri...
  • Additional commits viewable in compare view

Updates axios from 1.13.6 to 1.15.0

Release notes

Sourced from axios's releases.

v1.15.0

This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.

⚠️ Important Changes

  • Deprecation: url.parse() usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (#10625)

🔒 Security Fixes

  • Proxy Handling: Fixed a no_proxy hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (#10661)
  • Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (#10660)

🚀 New Features

  • Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (#10652, #10653)

🔧 Maintenance & Chores

  • CI Security: Hardened workflow permissions to least privilege, added the zizmor security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (#10618, #10619, #10627, #10637, #10666)
  • Dependencies: Bumped serialize-javascript, handlebars, picomatch, vite, and denoland/setup-deno to latest versions. Added a 7-day Dependabot cooldown period. (#10574, #10572, #10568, #10663, #10664, #10665, #10669, #10670, #10616)
  • Documentation: Unified docs, improved beforeRedirect credential leakage example, clarified withCredentials/withXSRFToken behaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (#10649, #10624, #7452, #7471, #10654, #10644, #10589)
  • Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (#10584, #10650, #10582, #10640, #10659, #10668)
  • Tests: Added regression coverage for urlencoded Content-Type casing. (#10573)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

v1.14.0

This release focuses on compatibility fixes, adapter stability improvements, and test/tooling modernisation.

⚠️ Important Changes

  • Breaking Changes: None identified in this release.
  • Action Required: If you rely on env-based proxy behaviour or CJS resolution edge-cases, validate your integration after upgrade (notably proxy-from-env v2 alignment and main entry compatibility fix).

🚀 New Features

  • Runtime Features: No new end-user features were introduced in this release.
  • Test Coverage Expansion: Added broader smoke/module test coverage for CJS and ESM package usage. (#7510)

🐛 Bug Fixes

  • Headers: Trim trailing CRLF in normalised header values. (#7456)
  • HTTP/2: Close detached HTTP/2 sessions on timeout to avoid lingering sessions. (#7457)
  • Fetch Adapter: Cancel ReadableStream created during request-stream capability probing to prevent async resource leaks. (#7515)
  • Proxy Handling: Fixed env proxy behavior with proxy-from-env v2 usage. (#7499)

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

  • http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
  • interceptor: handle the error in the same interceptor (#6269) (5945e40)
  • main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
  • package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
  • silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
  • turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
  • types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
  • types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
  • unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

Reverts

  • Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
  • deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

... (truncated)

Commits
  • 772a4e5 chore(release): prepare release 1.15.0 (#10671)
  • 4b07137 chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (#10663)
  • 51e57b3 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (#10664)
  • fba1a77 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (#10665)
  • 0bf6e28 chore(deps): bump denoland/setup-deno in the github-actions group (#10669)
  • 8107157 chore(deps-dev): bump the development_dependencies group with 4 updates (#10670)
  • e66530e ci: require npm-publish environment for releases (#10666)
  • 49f23cb chore(sponsor): update sponsor block (#10668)
  • 3631854 fix: unrestricted cloud metadata exfiltration via header injection chain (#10...
  • fb3befb fix: no_proxy hostname normalization bypass leads to ssrf (#10661)
  • Additional commits viewable in compare view
Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates react from 19.2.4 to 19.2.5

Release notes

Sourced from react's releases.

19.2.5 (April 8th, 2026)

React Server Components

Commits

Updates react-cookie from 8.0.1 to 8.1.0

Release notes

Sourced from react-cookie's releases.

v8.1.0

What's Changed

New Contributors

... (truncated)

Commits
  • e597546 Bump to v8.1.0 (#948)
  • 9480fc5 Revert from .mts to .ts files (#947)
  • ba4bf65 fix: refactor useLayoutEffect to follow React Hook rules and update SSR tests...
  • 99a80f7 chore: fix types for react components (#939)
  • a5ae6b9 Potential fix for code scanning alert no. 2: Workflow does not contain permis...
  • ac30565 Potential fix for code scanning alert no. 1: Workflow does not contain permis...
  • 78cd882 Upgrade libraries (#944)
  • 3442112 chore(deps): update dependency @​types/react to ^19.1.2 (#921)
  • b988767 chore(deps): update yarn to v4.9.1 (#919)
  • 060bf39 chore(deps): lock file maintenance (#918)
  • Additional commits viewable in compare view

Updates react-dom from 19.2.4 to 19.2.5

Release notes

Sourced from react-dom's releases.

19.2.5 (April 8th, 2026)

React Server Components

Commits

Updates react-hook-form from 7.71.2 to 7.72.1

Release notes

Sourced from react-hook-form's releases.

Version 7.72.1

🐞 fix: add isDirty check for numeric string keys in defaultValues (issue #13346) (#13347) 🐞 fix: prevent setValue with shouldDirty from polluting unrelated dirty fields (#13326) 🐞 fix: memoize control in HookFormControlContext to prevent render conflicts (#13272) (#13312) 🐞 fix: isNameInFieldArray should check all ancestor paths for nested field arrays (#13318) 🐞 fix: #13320 formState.isValid incorrect on Controller re-mount (#13324)

thanks to @​6810779s, @​candymask0712, @​olagokemills, @​shahmir-oscilar & @​bae080311

Version 7.72.0

⚓️ feat: built-in form level validate (#13195)

useForm({
  validate: async ({ formValues }: FormValidateResult) => {
    if (formValues.test1.length > formValues.test.length) {
      return {
        type: 'formError',
        message: 'something is wrong here',
      };
    }
if (formValues.test === 'test') {
  return 'direct error message';
}
return true;

},
});

🐞 fix: prevent useFieldArray from marking unrelated fields as dirty (#13299) 🐞 fix #13300 checkbox form validation ignored with native validation (#13310) 🌉 allow subscribe formState to track submit state (#13319)

thanks to @​WiXSL, @​BrendanC23 & @​6810779s

Commits
  • 724e563 7.72.1
  • ba649e9 🐞 test: add isDirty check for numeric string keys in defaultValues (issue #13...
  • 2f56eb0 🛖 build(deps): bump yaml from 1.10.2 to 1.10.3 in /app (#13335)
  • f29f546 👯 combine duplicated code (#13328)
  • 2cfc8a5 🐞 fix: prevent setValue with shouldDirty from polluting unrelated dirty field...
  • 44e8815 🐞 fix: memoize control in HookFormControlContext to prevent render conflicts ...
  • 302d160 🐞 fix: isNameInFieldArray should check all ancestor paths for nested field ar...
  • d7ccd70 🦾 dev deps upgrade (#13325)
  • fddf779 🐞 fix: #13320 formState.isValid incorrect on Controller re-mount (#13324)
  • 26ae54e 🛖 build(deps-dev): bump rollup from 4.53.3 to 4.59.0 (#13323)
  • Additional commits viewable in compare view

Updates react-router-dom from 7.13.1 to 7.14.0

Changelog

Sourced from react-router-dom's changelog.

7.14.0

Patch Changes

7.13.2

Patch Changes

Commits

Updates @7nohe/openapi-react-query-codegen from 2.0.0 to 2.1.0

Release notes

Sourced from @​7nohe/openapi-react-query-codegen's releases.

v2.1.0

What's Changed

New Contributors

Full Changelog: 7nohe/openapi-react-query-codegen@v2.0.0...v2.1.0

Commits
  • b0c732b chore: release v2.1.0
  • 1d5006f chore: add missing path for react-router-7-app in biome.json
  • dc3c833 ci: migrate npm release workflow to trusted publishing (#193)
  • bee536d Support TypeScript5.9.x and hey-api/openapi-ts 0.92.x (#192)
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​7nohe/openapi-react-query-codegen since your current version.


Updates @eslint/compat from 2.0.3 to 2.0.5

Release notes

Sourced from @​eslint/compat's releases.

migrate-config: v2.0.5

2.0.5 (2026-04-03)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @​eslint/compat bumped from ^2.0.3 to ^2.0.4
    • devDependencies
      • @​eslint/core bumped from ^1.1.1 to ^1.2.0

compat: v2.0.5

2.0.5 (2026-04-08)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @​eslint/core bumped from ^1.2.0 to ^1.2.1

migrate-config: v2.0.4

2.0.4 (2026-03-20)

Bug Fixes

  • update dependency @​eslint/eslintrc to ^3.3.5 (#397) (8567c19)

compat: v2.0.4

2.0.4 (2026-04-03)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @​eslint/core bumped from ^1.1.1 to ^1.2.0
    • Description has been truncated

github-actions Bot and others added 30 commits April 8, 2026 18:09
…nd scheduled builds (#64673) (#64675)

UI E2E tests are expensive and should only run when UI files actually
changed or the "full tests needed" label is explicitly set. Previously
they ran on every push to main, canary build, scheduled run, and any
PR that triggered derived full_tests_needed (env file changes, large
PRs, etc.).
(cherry picked from commit b15a5c9)

Co-authored-by: Jarek Potiuk <[email protected]>
…4713) (#64717)

Temporary switch to the latest commit of infrastructure-actions
allowlist-check until apache/infrastructure-actions#662 is merged,
which will provide a proper tagged release.
(cherry picked from commit 04b3dd0)

Co-authored-by: Jarek Potiuk <[email protected]>
Bumps the github-actions-updates group with 3 updates: [actions/setup-go](https://github.com/actions/setup-go), [github/codeql-action](https://github.com/github/codeql-action) and [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv).


Updates `actions/setup-go` from 6.3.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@4b73464...4a36011)

Updates `github/codeql-action` from 4.32.6 to 4.35.1
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@0d579ff...c10b806)

Updates `astral-sh/setup-uv` from 7.6.0 to 8.0.0
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@37802ad...cec2083)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions-updates
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions-updates
- dependency-name: astral-sh/setup-uv
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions-updates
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…logging e2e (#64697) (#64698)

Refactor ci_image_build to delegate to prod_image_build instead of
duplicating conditions. Add ci-image-build assertions to all 5 remote
logging e2e test cases to verify CI image is built when remote logging
files change.
(cherry picked from commit 3cf4f51)

Co-authored-by: Jarek Potiuk <[email protected]>
… uv lock behavior (#64699) (#64721)

(cherry picked from commit f2a3e5f)

Co-authored-by: Jarek Potiuk <[email protected]>
Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
…rflow (#63882) (#64758)

* Fix start_date in example DAGs to avoid TZ conversion overflow

* Update airflow-core/src/airflow/example_dags/example_inlet_event_extra.py



* Update airflow-core/src/airflow/example_dags/example_inlet_event_extra.py



* Update airflow-core/src/airflow/example_dags/example_outlet_event_extra.py



* Update airflow-core/src/airflow/example_dags/example_outlet_event_extra.py



* Apply suggestion from @yuseok89



---------
(cherry picked from commit db5e555)

Co-authored-by: HuangWei <[email protected]>
Co-authored-by: yuseok89 <[email protected]>
…64720)

Reset the OTel SDK's Once() guard on _METER_PROVIDER_SET_ONCE before
calling set_meter_provider() in get_otel_logger(). When a forked child
process re-initializes Stats (detected via PID mismatch in stats.py),
the inherited Once._done = True flag prevents the new MeterProvider from
being registered. The child falls back to the parent's stale provider
whose PeriodicExportingMetricReader thread is dead after fork, causing
task-level metrics like ti.finish to be silently dropped.

The fix resets _done and _METER_PROVIDER before each set_meter_provider()
call. On first initialization (no fork), _done is already False so this
is a no-op. On re-initialization after fork, it allows the new provider
to be set correctly.
(cherry picked from commit ff77bd2)


Closes: #64690

Co-authored-by: Michael Black <[email protected]>
…log download (#64235) (#64640)

* Fix #62414: Remove spurious blank lines in filtered task log download

When log level or source filters were applied, renderStructuredLog returned
empty strings for dropped lines. Joining those with newlines still
inserted blank lines, often at the start of the downloaded file.

* Fix prek formatting in Logs.tsx and logDownloadContent.test.ts

Reformats getLogString arrow function to stay within line length limit,
and fixes object key ordering (content before continuation_token) in
test fixtures to match Prettier's alphabetical sorting.
(cherry picked from commit 32ac564)

Co-authored-by: Bernardo Gunzburger Lopes <[email protected]>
…vironment (#64536) (#64769)

* Build CI image before syncing breeze lock in version upgrades

When upgrade_important_versions.py detects changed versions, force-build
the CI image for Python 3.10 before running breeze's uv sync so that
the lock file is generated against the updated image.

* CI: Upgrade important CI environment
(cherry picked from commit 1522953)
…e ci upgrade (#64777) (#64781)

(cherry picked from commit b875c40)

Co-authored-by: Jarek Potiuk <[email protected]>
…Run (#64736) (#64771)

* UI: Filter DagVersionSelect options based on selected DagRun

* fix: remove trailing blank line in test file

---------
(cherry picked from commit 8e1f6c4)

Co-authored-by: Daniel Seo <[email protected]>
Co-authored-by: hseo36 <[email protected]>
…tes (#64542) (#64772)

* fix(ui): correct external link target and add rel attributes with test

* fix(ui): correct external link target and add rel attributes with test

* fix(ui): correct external link target and add rel attributes with test

* fix: apply UI formatting
(cherry picked from commit 8509dc9)

Co-authored-by: Mayank Aggarwal <[email protected]>
…4808)

Previously, the initialize_virtualenv script didn't correctly build the uv command to
distinguish between `--group` and `--extra`. This updates the `extra_param` to fix that.
(cherry picked from commit 6339d09)

Co-authored-by: Michael Doo <[email protected]>
…uns (#64584) (#64809)

Changes to .txt and .md files that are not part of the doc build
should not trigger the full test suite. This adds a new
TEXT_NON_DOC_FILES file group to selective checks and an
only_text_non_doc_files_changed property so these files are
subtracted from the "remaining files" set, avoiding unnecessary
CI runs for text-only, non-doc-build changes.

Also removes the overly broad `^dev/.*` pattern from the
test-always file group since dev/ changes should be evaluated
by more specific file group patterns.
(cherry picked from commit aca2d59)
…s instead of separate CI jobs (#64780) (#64810)

Non-provider mypy checks (airflow-core, task-sdk, airflow-ctl, dev, scripts,
devel-common) now run locally via uv as regular prek hooks in the pre-commit
stage, instead of running as separate mypy CI jobs in the CI image checks
workflow. This means they run as part of the regular static checks job in CI
and automatically on every local commit.

The folder-level mypy checks (which check entire directories at once for
comprehensive cross-file type checking) replace the previous file-level
incremental checks.

Provider mypy checks still run via breeze as a dedicated CI job, now embedded
directly in the main CI workflow (ci-amd-arm.yml) instead of being dispatched
through the ci-image-checks reusable workflow.

The selective checks logic skips non-provider mypy hooks when their relevant
files haven't changed, unless devel-common/pyproject.toml changes on main
(which affects all mypy configurations).
(cherry picked from commit 0ce1dd7)
…single-dict arguments (#64773)

* Fix dict args in structlog positional formatting

When a dict was passed as a positional argument to a log message
(e.g. log.warning('message %s', {'a': 10})), both the structlog
bound logger and the stdlib logging path would try named substitution
first, causing TypeError for positional format specifiers like %s.

Fix both paths to match CPython's stdlib logging behavior: try
positional formatting (msg % args) first, fall back to named
substitution (msg % args[0]) only on TypeError/KeyError.

- In _make_airflow_structlogger.meth(): try event % args first,
  fall back to named substitution on failure
- Add positional_arguments_formatter() to replace structlog's built-in
  PositionalArgumentsFormatter, which has the same ordering bug for
  stdlib logging records

Fixes #62201

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
(cherry picked from commit e1e4bdb)

* fix: add missing blank line before parametrize decorator

(cherry picked from commit 9c6e3a4)

---------

Co-authored-by: Claude Sonnet 4.6 <[email protected]>
) (#64729)

Verify rustup-init binary with SHA256 checksum instead of curl-pipe-sh

Download the rustup-init binary directly and verify its SHA256 checksum
before execution, instead of piping the shell installer script through sh.

Pin rustup-init to version 1.29.0 with hardcoded SHA256 checksums for
amd64 and arm64, matching the existing cosign verification pattern.
This prevents a compromised server from serving a tampered binary with
a matching checksum.
(cherry picked from commit 1b28933)

Co-authored-by: Jarek Potiuk <[email protected]>
…allback) (#64552) (#64852)

* Add .worktrees/ to .gitignore

* Make Theme tokens field optional to allow CSS-only or empty theme configs

* Add integration test: CSS-only theme passes config endpoint validation

* Docs: note that Theme tokens is optional, empty config restores OSS defaults

* Improve CSS-only theme test: also assert icon fields absent from response

* Add newsfragment for optional theme tokens

* Rename newsfragment to PR #64552

* Fix TypeScript errors in createTheme for optional tokens support

The API schema for Theme became opaque ({[key: string]: unknown}) after
@model_serializer was added to Theme in Python to exclude None values.
This broke theme.ts in two ways:
- userTheme.tokens typed as unknown, not assignable to TokenDefinition
- mergeConfigs() called with undefined, which it doesn't accept

Fix by conditionally spreading tokens/globalCss (guarding for CSS-only
themes) and casting to Record<string, unknown> which is assignable to
TokenDefinition. Use conditional mergeConfigs call to avoid passing
undefined.

* Fix Theme OpenAPI schema collapsing to untyped object

The @model_serializer(mode="wrap") on Theme and ThemeColors caused
Pydantic to generate additionalProperties:true for both models in the
OpenAPI spec, losing typed fields (tokens, globalCss, icon) and
breaking TypeScript types to {[key: string]: unknown}.

Fix: remove wrap serializers from Theme/ThemeColors; add
@field_serializer("theme") to ConfigResponse with model_dump(exclude_none=True)
to preserve None-exclusion behavior scoped to the theme field only.
Add ConfigDict(json_schema_mode_override="validation") to ConfigResponse
so schema generation uses type annotations rather than the field
serializer's dict return type, keeping the $ref: Theme link intact.

Also removes unrelated .worktrees/ entry from .gitignore.
(cherry picked from commit a06896f)

Co-authored-by: Constance Martineau <[email protected]>
…4752) (#64853)

* Fix Gantt view "Error invalid date" on running DagRun (#64599)

The Gantt chart scale calculation used new Date() to parse date strings,
which fails for non-UTC timezone abbreviations, returning NaN and
crashing Chart.js's time scale.

Changes:
- Replace new Date().getTime() with dayjs().valueOf() for reliable date
  parsing in the x-axis scale min/max calculations.
- Add unit tests for Gantt chart scale calculations and data
  transformation covering completed tasks, running tasks with null end
  dates, groups with null dates, and ISO date string validity.

* Address review feedback: fix static checks and consistency

- Fix object property ordering in test data (alphabetical)
- Import vi as type-only from vitest
- Fix duration field position in selectedRun objects
- Make dayjs null handling consistent between max and min scale
  calculations (remove unnecessary ?? undefined)

* Fix ESLint no-empty-function error in Gantt utils test

* Fix TypeScript type errors in Gantt utils tests

Update test fixtures to match current generated types:
- Add has_missed_deadline to GridRunsResponse objects
- Remove dag_id and map_index from GanttTaskInstance objects
- Add depth to GridTask objects
- Add task_display_name to LightGridTaskInstanceSummary objects

* Fix translate type to use TFunction in Gantt utils tests
(cherry picked from commit 0b2efb9)

Co-authored-by: Ashir Alam <[email protected]>
…tes away from auth pages (#63873) (#64854)

When a user opens a Security panel (e.g. Users) and clicks the Airflow
logo inside the embedded FAB iframe, the iframe navigates to '/' which
causes the React SPA to render inside the iframe, including its own Nav
sidebar. This produces a duplicate navigation bar alongside the outer
app's sidebar.

Fix: before calling navigate('/'), set iframe.src = 'about:blank' to
immediately clear the iframe content so the inner React app has no
chance to render its Nav. A isRedirecting ref guards against the extra
onLoad event that setting src to about:blank would otherwise trigger.

Closes #63805
(cherry picked from commit 545baf4)

Co-authored-by: nagasrisai <[email protected]>
…age action (#64872) (#64873)

Jobs that use the prepare_breeze_and_image composite action all had
a duplicate "Free up disk space" step. Centralize it in the action
to reduce repetition. Jobs that don't use the action (e.g. summarize
warnings) keep their own copy.
(cherry picked from commit 1d67953)

Co-authored-by: Jarek Potiuk <[email protected]>
…ctions (#64865) (#64866)

(cherry picked from commit 1f0709c)

Co-authored-by: Jarek Potiuk <[email protected]>
@vincbeck

Copy link
Copy Markdown
Contributor

Something off happened here

@vincbeck vincbeck closed this Apr 15, 2026
@dependabot @github

dependabot Bot commented on behalf of github Apr 15, 2026

Copy link
Copy Markdown
Contributor Author

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/airflow-core/src/airflow/api_fastapi/auth/managers/simple/ui/v3-2-test/3-2-auth-ui-package-updates-55b7bce11c branch April 15, 2026 13:29
@vincbeck

Copy link
Copy Markdown
Contributor

@dependabot recreate

@dependabot @github

dependabot Bot commented on behalf of github Apr 15, 2026

Copy link
Copy Markdown
Contributor Author

Looks like this PR is closed. If the branch still exists, you can re-open the PR and then use @dependabot rebase or @dependabot recreate. If the branch was deleted, Dependabot will create a new PR on the next scheduled run, or you can trigger an update from the Dependency graph page.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area:API Airflow's REST/HTTP API dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

10 participants