chore(deps): update dependency pathling to v9

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
pathling	==7.2.0 → ==9.2.0

---

Release Notes

aehrc/pathling (pathling)

v9.2.0

Compare Source

What's changed

ViewDefinition resource support

The encoders module now supports ViewDefinition as a custom resource type from the SQL on FHIR specification. This includes:

• A new ResourceTypes utility class for resource type validation that supports custom resource types
• A HAPI FHIR resource class for ViewDefinition, allowing HAPI to recognise and parse ViewDefinition resources

Write operation details

All data sink write methods (ndjson(), parquet(), delta(), tables()) now return a WriteDetails object containing information about the files that were written. This is useful
for downstream processing and logging.

This change affects both the Java library API and the Python library.

Authentication library

The terminology module now includes the fhir-auth library (1.0.0) for enhanced authentication capabilities when connecting to terminology servers.

Code quality infrastructure

New tooling has been added to enforce consistent code formatting:

• Spotless Maven plugin for automatic Java code formatting with Google Java Format
• Checkstyle Maven plugin for code style checking
• Updated Python packaging to use pyproject.toml
• Added .lintr configuration for R code linting

Dependency updates

• Updated bulk-export version from 1.0.3 to 1.0.4
• Added fhir-auth dependency (1.0.0)

New contributors

• @​fhnaumann made their first contribution in #​2482

Full changelog: aehrc/pathling@v9.1.0...v9.2.0

v9.1.0

Compare Source

What's Changed

New features

• Implement SQL on FHIR repeat directive for recursive traversal of nested structures by @​piotrszul in #​2516
• Implement toQuantity() and convertsToQuantity() FHIRPath functions with UCUM unit conversion support by @​piotrszul in #​2514

Bug fixes

• Fix getResourceKey() returning versioned IDs that don't match getReferenceKey() (#​2519) by @​johngrimes in #​2520

Security updates

• Bump ch.qos.logback:logback-core from 1.5.18 to 1.5.19 (CVE-2025-11226) by @​dependabot in #​2506

Other changes

• Migrate to uv and Bun for dependency management by @​johngrimes in #​2515

Full Changelog: aehrc/pathling@v9.0.0...v9.1.0

v9.0.0

Compare Source

This major release includes significant infrastructure upgrades, new FHIRPath functionality, and important bug fixes.

Major changes

Infrastructure upgrades (#​2496)

• Upgrade to Apache Spark 4.0.1
• Upgrade to Java 21
• Upgrade to Scala 2.13
• Upgrade to Python 3.9
• Update git-commit-id-plugin to version 9.0.2 (#​2493)

FHIRPath enhancements

• Implement equality and comparison operations for Quantity types per the FHIRPath specification (#​2495)
• Replace FHIR/Ucum-java with ucumate for improved UCUM performance (#​2511)
• Support for comparing quantities with the same units, including calendar quantities
• Support for comparing calendar duration quantities ≥ seconds with UCUM time quantities

Delta Lake improvements (#​2499 by @​MartinBernstorff)

• Add configurable deletion behaviour when merging Delta tables
• Enable whenNotMatchedBySourceDelete() to allow Delta Lake state to reflect current FHIR server state
• New parameter on write.delta() method to control deletion behaviour

Bug fixes

• Fix ClassCastException when using collection mode with decimal values (#​2509)
  • Resolves issue with extracting decimal values from collections using ofType(Quantity).value with collection: true
  • Refactored decimal handling to use consistent representation across all collection types
  • Fixed decimal string output to use plain format (avoiding exponential notation)

Breaking changes

This release includes breaking changes due to the infrastructure upgrades:

• Minimum Java version is now 21
• Applications must be compatible with Spark 4.0.1
• Python applications require Python 3.9 or later

v8.1.0

Compare Source

This release includes the following changes:

✨ Features

• Implement comparison for date/time types and correct equality implementation (#​2485)
  • Added precision-aware comparison and equality for Date, DateTime and Time types
  • Separated equality (=,!=) from comparison (<,>,<=,>=) operations
  • Corrected equality implementation for non-ordered types (Coding, Boolean)
  • Enabled equality between arrays (non-singular collections) of any two types

🐛 Bug Fixes

• Fix unclear error message for choice element selection (#​2489)
  • Improved error message when users attempt to select FHIR choice elements without using ofType()
  • Changed cryptic "Must have a fhirType or a definition" message to clearer "Selection of mixed collection not supported: [elementName]"

🔧 Dependencies

• Remove hadoop-aws from default Spark config in Python and R libraries (#​2488)
  • Removed automatic inclusion of hadoop-aws dependency in Python and R Spark configurations
  • Fixed trailing comma syntax error in R dependencies

v8.0.2

Compare Source

This release fixes a problem with the library-runtime package, where the version of Gson being used gets overridden by the version in Spark.

Full Changelog: aehrc/pathling@v8.0.1...v8.0.2

v8.0.1

Compare Source

What's Changed

Security updates

• Remove commons-lang (CVE-2025-48924)
• Update Derby to 10.16.1.1 (CVE-2022-46337)

Full Changelog: aehrc/pathling@v8.0.0...v8.0.1

v8.0.0

Compare Source

This release features our new SQL on FHIR view runner, a completely reworked and more performant query engine, and many other changes.

As part of this release, we took the decision to significantly change the focus and scope of Pathling with the purpose of rebuilding it around the SQL on FHIR specification.

This will mean that the server implementation will be temporarily removed. It will also mean that the scope of FHIRPath functions will be temporarily reduced to the minimal FHIRPath subset defined within the SQL on FHIR Shareable View Definition specification (with the exception of the terminology functions).

We have released this functionality as version 8, and we have spawned three work streams to build upon this new foundation:

• Implementation of a new server focused upon the Bulk Data Access IG and the draft SQL
  on FHIR server API. This server will not include the aggregate or extract operations.
• Expansion of the scope of the FHIRPath implementation to achieve full or close to full coverage of the FHIRPath spec.
• Implementation of Parquet on FHIR as the new schema for lossless persistence of FHIR data for analytics.

We think that this is the best way to align Pathling to user needs, and also to make sure that the code base is sustainable going forwards.

If you are a current user of the server, aggregate or extract operations, please continue using the v7.x series. We are happy to continue maintaining and accepting contributions to this series as
requested by users, but will be focusing our enhancement efforts on v8.

Major dependency updates

• Spark 3.5.6
• HAPI 8.2.1
• Java 17

Full Changelog: aehrc/pathling@v7.2.0...v8.0.0

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

✅⚠️MegaLinter analysis: Success with warnings

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	6		0	0	0.05s
✅ DOCKERFILE	hadolint	8		0	0	0.63s
✅ EDITORCONFIG	editorconfig-checker	51		0	0	0.05s
✅ JSON	jsonlint	6		0	0	0.17s
✅ JSON	prettier	6		0	0	0.7s
✅ JSON	v8r	6		0	0	7.13s
⚠️ MARKDOWN	markdownlint	9		6	0	0.95s
✅ REPOSITORY	checkov	yes		no	no	22.05s
✅ REPOSITORY	gitleaks	yes		no	no	0.56s
✅ REPOSITORY	git_diff	yes		no	no	0.03s
⚠️ REPOSITORY	kics	yes		no	2	3.77s
✅ REPOSITORY	secretlint	yes		no	no	1.92s
✅ REPOSITORY	syft	yes		no	no	8.15s
⚠️ REPOSITORY	trivy	yes		11	5	11.19s
✅ REPOSITORY	trivy-sbom	yes		no	no	1.74s
✅ REPOSITORY	trufflehog	yes		no	no	13.83s
✅ YAML	prettier	9		0	0	0.57s
✅ YAML	v8r	9		0	0	7.36s
✅ YAML	yamllint	9		0	0	0.5s

Detailed Issues

⚠️ REPOSITORY / kics - 2 warnings

warning: The 'Dockerfile' contains the 'chown' flag
   ┌─ images/ml-on-fhir/Dockerfile:43:1
   │
43 │ COPY --chown=${NB_UID}:${NB_GID} requirements.txt /tmp/
   │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   │
   = Chown Flag Exists
   = It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership

warning: The 'Dockerfile' contains the 'chown' flag
   ┌─ images/hive-metastore/Dockerfile:30:1
   │
30 │ COPY --from=downloader --chown=0:0 /tmp/libs/*.jar /opt/hive/lib/
   │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   │
   = Chown Flag Exists
   = It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership

warning: 2 warnings emitted

⚠️ MARKDOWN / markdownlint - 6 errors

images/dsf-bpe-full/CHANGELOG.md:141 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "### Description"]
images/dsf-bpe-full/CHANGELOG.md:144 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "### Versions:"]
images/dsf-bpe-full/CHANGELOG.md:144:13 MD026/no-trailing-punctuation Trailing punctuation in heading [Punctuation: ':']
images/dsf-bpe-full/CHANGELOG.md:145 MD032/blanks-around-lists Lists should be surrounded by blank lines [Context: "* DFN CA certificate chain fro..."]
images/dsf-bpe-full/CHANGELOG.md:151:31 MD039/no-space-in-links Spaces inside link text [Context: "["MII Data Transfer" process ]"]
images/dsf-bpe-full/CHANGELOG.md:152:30 MD039/no-space-in-links Spaces inside link text [Context: "["MII Data Sharing" process ]"]

⚠️ REPOSITORY / trivy - 11 errors

error: Package: @isaacs/brace-expansion
Installed Version: 5.0.0
Vulnerability CVE-2026-25547
Severity: HIGH
Fixed Version: 5.0.1
Link: [CVE-2026-25547](https://avd.aquasec.com/nvd/cve-2026-25547)
     ┌─ images/semantic-release/package-lock.json:3443:1
     │  
3443 │ ╭     "node_modules/npm/node_modules/@isaacs/brace-expansion": {
3444 │ │       "version": "5.0.0",
3445 │ │       "inBundle": true,
3446 │ │       "license": "MIT",
     · │
3452 │ │       }
3453 │ │     },
     │ ╰^
     │  
     = brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion
     = @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.

error: Package: glob
Installed Version: 10.4.5
Vulnerability CVE-2025-64756
Severity: HIGH
Fixed Version: 11.1.0, 10.5.0
Link: [CVE-2025-64756](https://avd.aquasec.com/nvd/cve-2025-64756)
     ┌─ images/semantic-release/package-lock.json:4800:1
     │  
4800 │ ╭     "node_modules/npm/node_modules/node-gyp/node_modules/glob": {
4801 │ │       "version": "10.4.5",
4802 │ │       "inBundle": true,
4803 │ │       "license": "ISC",
     · │
4817 │ │       }
4818 │ │     },
     │ ╰^
     │  
     = glob: glob: Command Injection Vulnerability via Malicious Filenames
     = Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

error: Package: glob
Installed Version: 11.0.3
Vulnerability CVE-2025-64756
Severity: HIGH
Fixed Version: 11.1.0, 10.5.0
Link: [CVE-2025-64756](https://avd.aquasec.com/nvd/cve-2025-64756)
     ┌─ images/semantic-release/package-lock.json:4202:1
     │  
4202 │ ╭     "node_modules/npm/node_modules/glob": {
4203 │ │       "version": "11.0.3",
4204 │ │       "inBundle": true,
4205 │ │       "license": "ISC",
     · │
4222 │ │       }
4223 │ │     },
     │ ╰^
     │  
     = glob: glob: Command Injection Vulnerability via Malicious Filenames
     = Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

warning: Package: js-yaml
Installed Version: 4.1.0
Vulnerability CVE-2025-64718
Severity: MEDIUM
Fixed Version: 4.1.1, 3.14.2
Link: [CVE-2025-64718](https://avd.aquasec.com/nvd/cve-2025-64718)
     ┌─ images/semantic-release/package-lock.json:2874:1
     │  
2874 │ ╭     "node_modules/js-yaml": {
2875 │ │       "version": "4.1.0",
2876 │ │       "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
2877 │ │       "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
     · │
2884 │ │       }
2885 │ │     },
     │ ╰^
     │  
     = js-yaml: js-yaml prototype pollution in merge
     = js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).

warning: Package: lodash
Installed Version: 4.17.21
Vulnerability CVE-2025-13465
Severity: MEDIUM
Fixed Version: 4.17.23
Link: [CVE-2025-13465](https://avd.aquasec.com/nvd/cve-2025-13465)
     ┌─ images/semantic-release/package-lock.json:2972:1
     │  
2972 │ ╭     "node_modules/lodash": {
2973 │ │       "version": "4.17.21",
2974 │ │       "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
2975 │ │       "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
2976 │ │       "license": "MIT"
2977 │ │     },
     │ ╰^
     │  
     = lodash: prototype pollution in _.unset and _.omit functions
     = Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
       
       The issue permits deletion of properties but does not allow overwriting their original behavior.
       
       This issue is patched on 4.17.23

warning: Package: lodash-es
Installed Version: 4.17.21
Vulnerability CVE-2025-13465
Severity: MEDIUM
Fixed Version: 4.17.23
Link: [CVE-2025-13465](https://avd.aquasec.com/nvd/cve-2025-13465)
     ┌─ images/semantic-release/package-lock.json:2978:1
     │  
2978 │ ╭     "node_modules/lodash-es": {
2979 │ │       "version": "4.17.21",
2980 │ │       "resolved": "https://registry.npmjs.org/lodash-es/-/lodash-es-4.17.21.tgz",
2981 │ │       "integrity": "sha512-mKnC+QJ9pWVzv+C4/U3rRsHapFfHvQFoFB92e52xeyGMcX6/OlIl78je1u8vePzYZSkkogMPJ2yjxxsb89cxyw==",
2982 │ │       "license": "MIT"
2983 │ │     },
     │ ╰^
     │  
     = lodash: prototype pollution in _.unset and _.omit functions
     = Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
       
       The issue permits deletion of properties but does not allow overwriting their original behavior.
       
       This issue is patched on 4.17.23

error: Package: tar
Installed Version: 7.5.1
Vulnerability CVE-2026-23745
Severity: HIGH
Fixed Version: 7.5.3
Link: [CVE-2026-23745](https://avd.aquasec.com/nvd/cve-2026-23745)
     ┌─ images/semantic-release/package-lock.json:5408:1
     │  
5408 │ ╭     "node_modules/npm/node_modules/tar": {
5409 │ │       "version": "7.5.1",
5410 │ │       "inBundle": true,
5411 │ │       "license": "ISC",
     · │
5421 │ │       }
5422 │ │     },
     │ ╰^
     │  
     = node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
     = node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.

error: Package: tar
Installed Version: 7.5.1
Vulnerability CVE-2026-23950
Severity: HIGH
Fixed Version: 7.5.4
Link: [CVE-2026-23950](https://avd.aquasec.com/nvd/cve-2026-23950)
     ┌─ images/semantic-release/package-lock.json:5408:1
     │  
5408 │ ╭     "node_modules/npm/node_modules/tar": {
5409 │ │       "version": "7.5.1",
5410 │ │       "inBundle": true,
5411 │ │       "license": "ISC",
     · │
5421 │ │       }
5422 │ │     },
     │ ╰^
     │  
     = node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition
     = node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.

error: Package: tar
Installed Version: 7.5.1
Vulnerability CVE-2026-24842
Severity: HIGH
Fixed Version: 7.5.7
Link: [CVE-2026-24842](https://avd.aquasec.com/nvd/cve-2026-24842)
     ┌─ images/semantic-release/package-lock.json:5408:1
     │  
5408 │ ╭     "node_modules/npm/node_modules/tar": {
5409 │ │       "version": "7.5.1",
5410 │ │       "inBundle": true,
5411 │ │       "license": "ISC",
     · │
5421 │ │       }
5422 │ │     },
     │ ╰^
     │  
     = node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
     = node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

warning: Package: tar
Installed Version: 7.5.1
Vulnerability CVE-2025-64118
Severity: MEDIUM
Fixed Version: 7.5.2
Link: [CVE-2025-64118](https://avd.aquasec.com/nvd/cve-2025-64118)
     ┌─ images/semantic-release/package-lock.json:5408:1
     │  
5408 │ ╭     "node_modules/npm/node_modules/tar": {
5409 │ │       "version": "7.5.1",
5410 │ │       "inBundle": true,
5411 │ │       "license": "ISC",
     · │
5421 │ │       }
5422 │ │     },
     │ ╰^
     │  
     = node-tar: tar: node-tar: Information disclosure via reading a truncated tar file
     = node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.

warning: Package: undici
Installed Version: 5.29.0
Vulnerability CVE-2026-22036
Severity: MEDIUM
Fixed Version: 7.18.2, 6.23.0
Link: [CVE-2026-22036](https://avd.aquasec.com/nvd/cve-2026-22036)
     ┌─ images/semantic-release/package-lock.json:7375:1
     │  
7375 │ ╭     "node_modules/undici": {
7376 │ │       "version": "5.29.0",
7377 │ │       "resolved": "https://registry.npmjs.org/undici/-/undici-5.29.0.tgz",
7378 │ │       "integrity": "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==",
     · │
7385 │ │       }
7386 │ │     },
     │ ╰^
     │  
     = undici: Undici: Denial of Service via excessive decompression steps
     = Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.

error: Artifact: images/apache-superset/Dockerfile
Type: dockerfile
Vulnerability DS017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS017](https://avd.aquasec.com/misconfig/ds017)
   ┌─ images/apache-superset/Dockerfile:8:1
   │  
 8 │ ╭ RUN <<EOF
 9 │

(Truncated to 13333 characters out of 16764)

See detailed reports in MegaLinter artifacts

You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:

• oxsecurity/megalinter/flavors/[email protected] (54 linters)
• oxsecurity/megalinter/flavors/[email protected] (88 linters)

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx [email protected] --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,EDITORCONFIG_EDITORCONFIG_CHECKER,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R