fix(superset): Pin setup-tools to retain pkg-resources for 4.x (#1428)

adwk67 · web-flow · commit ff695b795e94 · 2026-02-19T08:31:22.000Z
* fix(superset): Pin setup-tools for pkg-resources

* changelog

* typo
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -66,6 +66,7 @@ All notable changes to this project will be documented in this file.
 - testing-tools: Re-add `pytest` Python package as well as `diffutils` package ([#1388]).
 - testing-tools: Move Kerberos packages from testing-tools/hive to parent since they provide `kinit` which is needed in other tests too (ex. HBase). ([#1389]).
 - hbase: Removed test class from backport HBASE-29797 to HBase version `2.6.3` ([#1426]).
+- superset: Pin setup-tools to ensure pkg_resources are installed (needed for `4.1.4` builds) ([#1428]).
 
 [#1336]: https://github.com/stackabletech/docker-images/pull/1336
 [#1337]: https://github.com/stackabletech/docker-images/pull/1337
@@ -102,6 +103,7 @@ All notable changes to this project will be documented in this file.
 [#1424]: https://github.com/stackabletech/docker-images/pull/1424
 [#1425]: https://github.com/stackabletech/docker-images/pull/1425
 [#1426]: https://github.com/stackabletech/docker-images/pull/1426
+[#1428]: https://github.com/stackabletech/docker-images/pull/1428
 
 ## [25.11.0] - 2025-11-07
 
diff --git a/superset/Dockerfile b/superset/Dockerfile
@@ -141,7 +141,7 @@ uv pip install --no-cache-dir \
 
 # We bumped this from 21.2.0 to 22.0.0 to fix CVE-2024-1135
 # Superset 4.1.0 will contain at least 22.0.0, the bump was done in https://github.com/apache/superset/commit/4f693c6db0dc5c7286a36b8d23e90541943ff13f
-# We only want to bump this for the 4.0.x line, as the others already have updated and we don't want to accidentially downgrade the version
+# We only want to bump this for the 4.0.x line, as the others already have updated and we do not want to accidentially downgrade the version
 if [[ "$PRODUCT_VERSION" =~ ^4\.0\..* ]]; then
     echo "Superset 4.0.x detected, installing gunicorn 22.0.0 to fix CVE-2024-1135"
     uv pip install gunicorn==22.0.0
@@ -157,6 +157,12 @@ fi
 
 uv pip install --no-cache-dir /tmp/opa_authorizer-0.1.0-py3-none-any.whl
 
+# Setuptools 82+ removed pkg_resources, which is still needed by Superset 4.x
+# dependencies. Re-pin after all other installs in case newer versions
+# have been pulled in by other dependencies.
+# See https://setuptools.pypa.io/en/stable/history.html#v82-0-0
+uv pip install --no-cache-dir setuptools==75.2.0
+
 cyclonedx-py environment --schema-version 1.5 --outfile /stackable/app/superset-${PRODUCT_VERSION}.cdx.json
 uv pip uninstall cyclonedx-bom
 
