
Bump dagster-snowflake from 0.28.10 to 0.29.1 in /examples/snowflake_cortex/dagster_snowflake#152

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/uv/examples/snowflake_cortex/dagster_snowflake/dagster-snowflake-0.29.1

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 18, 2026

Bumps dagster-snowflake from 0.28.10 to 0.29.1.

Release notes

Sourced from dagster-snowflake's releases.

1.13.1 (core) / 0.29.1 (libraries)

New

  • Added PipesCompositeMessageReader (preview) to support multiple concurrent message streams in a single Pipes session.
  • Added sensor:, schedule:, and job: attribute support to the asset selection syntax (e.g., sensor:my_sensor, job:my_job).
  • Added automation_type: attribute support to the asset selection syntax, allowing queries like automation_type:schedule or automation_type:sensor. (Thanks, @​bengotow!)
  • State-backed integration components (e.g., AirbyteWorkspaceComponent, FivetranWorkspaceComponent) now default to LOCAL_FILESYSTEM state storage instead of legacy_code_server_snapshots.
  • [dg] Added dg api issue create and dg api issue update commands.
  • [dg] Added filter support to dg api issue list.
  • [ui] Improved asset selection autocomplete performance.
  • [dagster-dbt] DagsterDbtTranslatorSettings.enable_source_metadata now defaults to True, enabling upstream asset key remapping based on dbt source table names by default.

Bugfixes

  • Fixed a SQL injection vulnerability in several IO managers. We recommend all users upgrade. More details can be found at GHSA-mjw2-v2hm-wj34.
  • Fixed an issue where runs executed via execute_in_process() would sometimes fail to display the step timeline in the Dagster UI.
  • Fixed a bug where multi-asset definitions containing virtual assets would produce incorrect execution plans.
  • [ui] Fixed the tick result button for sensors using dynamic partitions.
  • [dagster-aws] PickledObjectS3IOManager now defaults the S3 key prefix to an empty string when none is provided. (Thanks, @​aksestok!)
  • [dagster-databricks] PipesDatabricksClient.run_multi_task and PipesDatabricksServerlessClient.run_multi_task now give each submitted task its own message destination by default, fixing chunk-file collisions between concurrent tasks.
  • [dagster-dbt] Fixed the dbt Cloud v2 polling sensor and adhoc job to use stable, ID-based identifiers, preventing naming conflicts.
  • [dagster-dbt] Fixed the dbt Cloud v2 polling sensor to correctly filter out runs from adhoc jobs.

Documentation

  • Added a guide for virtual assets.
  • Added documentation for partitioned asset checks.
  • Added documentation for the free_slots_after_run_end_seconds concurrency configuration option.
  • Clarified SCIM provisioning and SSO permission requirements in the authentication documentation.
  • Added a guide for migrating Dagster+ from the US to the EU control plane.

1.13.0 (core) / 0.29.0 (libraries)

Major Changes Since 1.12.0

  • AI-assisted development: Released dagster-io/skills, a collection of Dagster-focused AI skills for coding agents like Claude Code, OpenAI Codex, and others. Expanded dg api commands for programmatic inspection of assets, runs, jobs, schedules, and more.
  • Partitioned asset checks: Asset checks can now target specific partitions of an upstream asset, aligning data quality logic with how partitioned data is produced and monitored.
  • State-backed components enabled by default: Integrations that depend on external metadata (dbt, Fivetran, Airbyte, Tableau, Looker, etc.) now use persisted local state by default, providing a more predictable code location loading experience.
  • Virtual assets (preview): New is_virtual parameter on @asset and AssetSpec for modeling assets like database views that automatically reflect upstream changes without explicit materialization.
  • 20+ new components: Added or expanded components for dbt Cloud, Spark, Azure (Blob Storage, ADLS2), GCP (BigQuery, GCS, Dataproc), Databricks, Tableau, Looker, Census, Polytomic, and more. Integrations gained richer observability, metadata, and operational support.
  • Deeper integration support: dbt Cloud supports partitioned assets; Databricks gained job-level subsetting and auto-cancel on run termination; Fivetran added polling sensors, retry-on-reschedule, and resync support; BI integrations auto-enrich assets with table metadata for cross-system lineage.
  • Dagster+ improvements: Organization-level timezone settings, service users for Pro accounts, more resilient code server redeploy behavior, improved agent failure recovery, and expanded insights and alerting workflows.

Breaking Changes

  • Removed deprecated external_asset_from_spec and external_assets_from_specs. Use AssetSpec inputs directly to Definitions(...) or AssetsDefinition(specs=[...]) instead.
  • Removed deprecated single-AssetKey deps argument support from asset dependencies. Use a sequence of AssetDep objects instead.
  • Removed deprecated get_all_asset_specs from Definitions.
  • Removed deprecated legacy_freshness_policy parameter from @observable_source_asset.
  • Removed deprecated auto_observe_interval_minutes parameter from @observable_source_asset.
  • Removed deprecated legacy_freshness_policies_by_output_name parameter from AssetsDefinition.

... (truncated)

Changelog

Sourced from dagster-snowflake's changelog.

1.13.1 (core) / 0.29.1 (libraries)

New

  • Added PipesCompositeMessageReader (preview) to support multiple concurrent message streams in a single Pipes session.
  • Added sensor:, schedule:, and job: attribute support to the asset selection syntax (e.g., sensor:my_sensor, job:my_job).
  • Added automation_type: attribute support to the asset selection syntax, allowing queries like automation_type:schedule or automation_type:sensor. (Thanks, @​bengotow!)
  • State-backed integration components (e.g., AirbyteWorkspaceComponent, FivetranWorkspaceComponent) now default to LOCAL_FILESYSTEM state storage instead of legacy_code_server_snapshots.
  • [dg] Added dg api issue create and dg api issue update commands.
  • [dg] Added filter support to dg api issue list.
  • [ui] Improved asset selection autocomplete performance.
  • [dagster-dbt] DagsterDbtTranslatorSettings.enable_source_metadata now defaults to True, enabling upstream asset key remapping based on dbt source table names by default.

Bugfixes

  • Fixed a possible SQL injection in a few IO managers when used with dynamic partitions.
  • Fixed an issue where runs executed via execute_in_process() would sometimes fail to display the step timeline in the Dagster UI.
  • Fixed a bug where multi-asset definitions containing virtual assets would produce incorrect execution plans.
  • [ui] Fixed the tick result button for sensors using dynamic partitions.
  • [dagster-aws] PickledObjectS3IOManager now defaults the S3 key prefix to an empty string when none is provided. (Thanks, @​aksestok!)
  • [dagster-databricks] PipesDatabricksClient.run_multi_task and PipesDatabricksServerlessClient.run_multi_task now give each submitted task its own message destination by default, fixing chunk-file collisions between concurrent tasks.
  • [dagster-dbt] Fixed the dbt Cloud v2 polling sensor and adhoc job to use stable, ID-based identifiers, preventing naming conflicts.
  • [dagster-dbt] Fixed the dbt Cloud v2 polling sensor to correctly filter out runs from adhoc jobs.

Documentation

  • Added a guide for virtual assets.
  • Added documentation for partitioned asset checks.
  • Added documentation for the free_slots_after_run_end_seconds concurrency configuration option.
  • Clarified SCIM provisioning and SSO permission requirements in the authentication documentation.
  • Added a guide for migrating Dagster+ from the US to the EU control plane.

1.13.0 (core) / 0.29.0 (libraries)

Major Changes Since 1.12.0

  • AI-assisted development: Released dagster-io/skills, a collection of Dagster-focused AI skills for coding agents like Claude Code, OpenAI Codex, and others. Expanded dg api commands for programmatic inspection of assets, runs, jobs, schedules, and more.
  • Partitioned asset checks: Asset checks can now target specific partitions of an upstream asset, aligning data quality logic with how partitioned data is produced and monitored.
  • State-backed components enabled by default: Integrations that depend on external metadata (dbt, Fivetran, Airbyte, Tableau, Looker, etc.) now use persisted local state by default, providing a more predictable code location loading experience.
  • Virtual assets (preview): New is_virtual parameter on @asset and AssetSpec for modeling assets like database views that automatically reflect upstream changes without explicit materialization.
  • 20+ new components: Added or expanded components for dbt Cloud, Spark, Azure (Blob Storage, ADLS2), GCP (BigQuery, GCS, Dataproc), Databricks, Tableau, Looker, Census, Polytomic, and more. Integrations gained richer observability, metadata, and operational support.
  • Deeper integration support: dbt Cloud supports partitioned assets; Databricks gained job-level subsetting and auto-cancel on run termination; Fivetran added polling sensors, retry-on-reschedule, and resync support; BI integrations auto-enrich assets with table metadata for cross-system lineage.
  • Dagster+ improvements: Organization-level timezone settings, service users for Pro accounts, more resilient code server redeploy behavior, improved agent failure recovery, and expanded insights and alerting workflows.

Breaking Changes

  • Removed deprecated external_asset_from_spec and external_assets_from_specs. Use AssetSpec inputs directly to Definitions(...) or AssetsDefinition(specs=[...]) instead.
  • Removed deprecated single-AssetKey deps argument support from asset dependencies. Use a sequence of AssetDep objects instead.
  • Removed deprecated get_all_asset_specs from Definitions.
  • Removed deprecated legacy_freshness_policy parameter from @observable_source_asset.

... (truncated)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.
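The bugfix entry in the release notes above describes a SQL injection reachable through IO managers when dynamic partitions are in use. The following is an added example, not Dagster's code and not a reproduction of the fixed bug: it uses an in-memory SQLite table and two hypothetical delete helpers (names, table and sample keys are all constructed here) to show why a partition key spliced into statement text becomes attacker-controlled SQL, how binding it as a parameter closes the hole, and how names that cannot be bound (schema or table identifiers) get an allowlist check instead. A dynamic partition key is whatever string was registered at run time, so anything able to add partitions can choose the key.

```python
"""Added example: why splicing a partition key into SQL is injectable.

Not Dagster's code and not the bug fixed in 0.29.1; the table, helper
names and sample keys are constructed for illustration.  SQLite is used
so the example runs offline; the pattern is the same for any warehouse.
"""
import re
import sqlite3

# Constructed sample data: three partitions of a hypothetical events table.
SAMPLE_ROWS = [("2026-04-17", "a"), ("2026-04-18", "b"), ("2026-04-19", "c")]

# Allowlist for identifiers that drivers cannot bind as parameters.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,127}$")


def fresh_db() -> sqlite3.Connection:
    """Build an in-memory table holding SAMPLE_ROWS."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE events (partition_key TEXT, payload TEXT)")
    con.executemany("INSERT INTO events VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def delete_partition_unsafe(con: sqlite3.Connection, partition_key: str) -> None:
    """Vulnerable pattern: the key is formatted into the statement text."""
    con.execute(f"DELETE FROM events WHERE partition_key = '{partition_key}'")


def delete_partition_safe(con: sqlite3.Connection, partition_key: str) -> None:
    """Hardened pattern: the key is bound as a parameter, never parsed as SQL."""
    con.execute("DELETE FROM events WHERE partition_key = ?", (partition_key,))


def is_safe_identifier(name: str) -> bool:
    """Allowlist check for schema/table names, which cannot be parameter-bound."""
    return IDENTIFIER_RE.match(name) is not None


def remaining_rows(con: sqlite3.Connection) -> int:
    return con.execute("SELECT COUNT(*) FROM events").fetchone()[0]


# A key that closes the string literal and appends a tautology.
MALICIOUS_KEY = "x' OR '1'='1"


def demo() -> dict:
    """Run both helpers against the same malicious key and a legitimate one."""
    results = {}

    con = fresh_db()
    delete_partition_unsafe(con, MALICIOUS_KEY)
    results["unsafe_after_malicious"] = remaining_rows(con)  # every row gone

    con = fresh_db()
    delete_partition_safe(con, MALICIOUS_KEY)
    results["safe_after_malicious"] = remaining_rows(con)  # no row matched

    con = fresh_db()
    delete_partition_safe(con, "2026-04-18")
    results["safe_after_legit"] = remaining_rows(con)  # exactly one row gone

    return results


if __name__ == "__main__":
    print(demo())
    print(is_safe_identifier("events_2026"), is_safe_identifier("events; DROP TABLE x"))
```

The unsafe helper executes `DELETE FROM events WHERE partition_key = 'x' OR '1'='1'`, which is one syntactically valid statement that matches every row; the parameterised version sends the same bytes as data and deletes nothing. Identifiers are the remaining gap, since most drivers will not bind them, so they are validated against a fixed pattern before being interpolated.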

Greptile Summary

This dependabot PR bumps dagster-snowflake from 0.28.10 to 0.29.1, which transitively updates the entire dagster-* package family from 1.12.10 to 1.13.1 in the lockfile. Notably, the 0.29.1 release includes a fix for a SQL injection vulnerability in several IO managers (GHSA-mjw2-v2hm-wj34), making this a security-relevant update worth prioritizing.

Confidence Score: 5/5

Safe to merge — standard dependabot lockfile bump with a security fix included.

All changes are mechanical version bumps generated by dependabot. The update patches a known SQL injection vulnerability (GHSA-mjw2-v2hm-wj34) and no application code was modified. No P0/P1 findings.

No files require special attention.

Important Files Changed

Filename Overview
examples/snowflake_cortex/dagster_snowflake/pyproject.toml Bumps dagster-snowflake minimum version constraint from >=0.23.0 to >=0.29.1; no other changes.
examples/snowflake_cortex/dagster_snowflake/uv.lock Lockfile updated: all dagster-* packages move from 1.12.10/0.28.10 to 1.13.1/0.29.1; new transitive dep dagster-rest-resources 0.29.1 added; setuptools removed as a dagster runtime dep; Python resolution markers refined to split 3.12 from 3.13+.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[dagster-snowflake-helm example] --> B[dagster-snowflake 0.28.10 → 0.29.1]
    A --> C[dagster 1.12.10 → 1.13.1]
    B --> C
    C --> D[dagster-graphql 1.13.1]
    C --> E[dagster-pipes 1.13.1]
    C --> F[dagster-shared 1.13.1]
    A --> G[dagster-dbt 0.28.10 → 0.29.1]
    A --> H[dagster-webserver 1.13.1]
    A --> I[dagster-dg-cli 1.13.1]
    I --> J[dagster-rest-resources 0.29.1 NEW]
    style B fill:#f96,stroke:#333
    style J fill:#9f6,stroke:#333

Reviews (1): Last reviewed commit: "Bump dagster-snowflake in /examples/snow..."
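The review above notes that the bump moves the whole dagster-* family in the lockfile to 1.13.1/0.29.1. A practitioner merging a security bump wants that verified rather than asserted, so here is an added example, not part of the PR or of Dagster, that audits a uv.lock for dagster packages still pinned below the patched release. The version floors are taken from the release notes (1.13.1 core / 0.29.1 libraries); the assignment of package names to the core line follows the versions shown in the flowchart above and is an assumption for any package not listed there. The lockfile text is constructed to illustrate the uv.lock shape and is not copied from the PR.

```python
"""Added example: audit a uv.lock for dagster packages below the patched release.

Not part of the PR or of Dagster.  Floors come from the release notes on
this page; CORE_PACKAGES follows the flowchart on this page and is an
assumption beyond that.  The lockfile fragments below are constructed.
"""
import re

try:
    import tomllib  # Python 3.11+; uv.lock is TOML
except ModuleNotFoundError:  # older interpreters: minimal fallback parse
    tomllib = None

PATCHED_CORE = (1, 13, 1)
PATCHED_LIBS = (0, 29, 1)

# Packages that share the core version line (per the flowchart above).
CORE_PACKAGES = {
    "dagster", "dagster-webserver", "dagster-graphql",
    "dagster-pipes", "dagster-shared", "dagster-dg-cli",
}


def parse_version(text: str) -> tuple:
    """'1.13.1' -> (1, 13, 1); a trailing pre-release tag is ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def required_floor(name: str):
    """Minimum safe version for a dagster-family package, or None if out of scope."""
    if name in CORE_PACKAGES:
        return PATCHED_CORE
    if name.startswith("dagster-"):
        return PATCHED_LIBS
    return None


def _packages(lock_text: str) -> list:
    """Yield {'name', 'version'} dicts for each [[package]] table."""
    if tomllib is not None:
        return tomllib.loads(lock_text).get("package", [])
    pkgs = []
    for block in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        version = re.search(r'^version = "([^"]+)"', block, re.M)
        pkgs.append({"name": name.group(1) if name else "",
                     "version": version.group(1) if version else ""})
    return pkgs


def find_stale_packages(lock_text: str) -> list:
    """Return [(name, version)] for pinned dagster packages below the floor."""
    stale = []
    for pkg in _packages(lock_text):
        name, version = pkg.get("name", ""), pkg.get("version", "")
        floor = required_floor(name)
        if floor is not None and parse_version(version) < floor:
            stale.append((name, version))
    return stale


def check_lockfile(path: str) -> list:
    """Audit a real lockfile on disk, e.g. examples/.../uv.lock in a checkout."""
    with open(path, encoding="utf-8") as f:
        return find_stale_packages(f.read())


# Constructed lockfile fragments: the shape of a uv.lock, not the PR's content.
LOCK_BEFORE = """
version = 1
[[package]]
name = "dagster"
version = "1.12.10"
[[package]]
name = "dagster-snowflake"
version = "0.28.10"
[[package]]
name = "requests"
version = "2.33.1"
"""

LOCK_AFTER = LOCK_BEFORE.replace('"1.12.10"', '"1.13.1"').replace('"0.28.10"', '"0.29.1"')

if __name__ == "__main__":
    print(find_stale_packages(LOCK_BEFORE))  # the two pre-fix pins
    print(find_stale_packages(LOCK_AFTER))   # []
```

Run `check_lockfile("examples/snowflake_cortex/dagster_snowflake/uv.lock")` on the branch to confirm the empty list; a non-empty result means a dagster package was left on the pre-fix line, which a transitive pin elsewhere in the project can cause even when the direct dependency moved.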

Bumps [dagster-snowflake](https://github.com/dagster-io/dagster) from 0.28.10 to 0.29.1.
- [Release notes](https://github.com/dagster-io/dagster/releases)
- [Changelog](https://github.com/dagster-io/dagster/blob/master/CHANGES.md)
- [Commits](https://github.com/dagster-io/dagster/commits)

---
updated-dependencies:
- dependency-name: dagster-snowflake
  dependency-version: 0.29.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Apr 18, 2026
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                                  Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  pypi/dagster@1.12.10 ⏵ 1.13.1            75 (+1)                100 (+16)      100      100          100
Updated  pypi/dagster-webserver@1.12.10 ⏵ 1.13.1  75 (-25)               100            100      100          100
Updated  pypi/dagster-dg-cli@1.12.10 ⏵ 1.13.1     97 (-3)                100            100      100          100
Updated  pypi/dagster-dbt@0.28.10 ⏵ 0.29.1        98 (-2)                100            100      100          100
Added    pypi/requests@2.33.1                     99                     100            100      100          100
Updated  pypi/dagster-snowflake@0.28.10 ⏵ 0.29.1  100                    100 (+16)      100      100          100

View full report

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action  Severity  Alert
Warn    High      Telemetry collection: pypi dagster

Note: This module implements a background telemetry uploader that reads local Dagster log files and POSTs compressed contents to a remote telemetry endpoint, then deletes uploaded files. It does not contain obvious obfuscated or stealthy backdoor code, but it does perform potentially sensitive data exfiltration (logs -> remote server) and uses insecure defaults (plain HTTP, compression/header mismatch). There are correctness/robustness bugs (content-encoding mismatch, a typo in exception handling) that may hide failures. If you do not trust the receiving endpoint or if logs may contain sensitive data, treat this as a moderate supply-chain/privacy risk and either disable telemetry via DAGSTER_DISABLE_TELEMETRY or review/modify the uploader to use HTTPS, authentication/allowlist, and safer file handling.

From: examples/data-quality-patterns/uv.lock (pypi/dagster@1.13.1)


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/dagster@1.13.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


View full report
