feat(config): add EXPOSE_VERSION_INFO to control /version detail

[rusackas]

SUMMARY

The unauthenticated /version endpoint (superset/views/health.py) returns the full version metadata: version_string, version_sha, full_sha, build_number, and branch_name (when available, sourced from get_version_metadata()). This PR adds an EXPOSE_VERSION_INFO config option so operators can control how much of that build-specific detail is exposed to unauthenticated callers — generic surface-reduction hardening.

Default choice: EXPOSE_VERSION_INFO = True, which preserves the existing behavior and is the least-breaking option. I chose to keep the current behavior by default rather than silently changing what /version returns; operators opt in to the reduced response. When set to False, /version returns only {"version_string": ...} and omits the Git SHA, full SHA, build number, and branch name. The gating lives in the endpoint itself.

Back-compat / escape hatch: because the default is True, existing deployments see no change. The reduced response is fully opt-in via:

EXPOSE_VERSION_INFO = False

An UPDATING.md entry under ## Next documents the new option and notes it is non-breaking.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

GET /version with EXPOSE_VERSION_INFO = True (default):

{"version_string": "1.2.3", "version_sha": "abcd1234", "full_sha": "abcd1234ef567890", "build_number": "42", "branch_name": "master"}

GET /version with EXPOSE_VERSION_INFO = False:

{"version_string": "1.2.3"}

TESTING INSTRUCTIONS

Unit tests added in tests/unit_tests/views/health_version_test.py (pass locally):

• default (True) returns full metadata including SHA and branch
• False returns only version_string and omits SHA/full SHA/build number/branch

Plus a config-default assertion in tests/unit_tests/config_test.py::test_expose_version_info_defaults_to_true.

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

Note: introduces a new config option. Default (True) preserves the current shipped behavior; the reduced response is opt-in via EXPOSE_VERSION_INFO = False. UPDATING.md entry included.

🤖 Generated with Claude Code

[bito-code-review]

The PR comment indicates a performance issue where the /version endpoint always calls get_version_metadata() before checking EXPOSE_VERSION_INFO, even when it's set to False. This results in unnecessary Git subprocess calls and resource usage. To resolve this, the endpoint should first check EXPOSE_VERSION_INFO, and if it's False, return version_string directly from the config without invoking get_version_metadata().

superset/views/health.py

def version():
    if not app.config.get('EXPOSE_VERSION_INFO', True):
        return {'version_string': app.config['VERSION_STRING']}

    metadata = get_version_metadata()
    return {'version_string': metadata['version_string']}

[codecov]

Codecov Report

❌ Patch coverage is 50.00000% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.08%. Comparing base (b9dc9d7) to head (0052909).

Files with missing lines	Patch %	Lines
superset/views/health.py	0.00%	2 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #40652   +/-   ##
=======================================
  Coverage   64.08%   64.08%           
=======================================
  Files        2663     2663           
  Lines      143289   143292    +3     
  Branches    32952    32953    +1     
=======================================
+ Hits        91832    91835    +3     
  Misses      49871    49871           
  Partials     1586     1586           

Flag	Coverage Δ
hive	39.80% <50.00%> (+<0.01%)	⬆️
mysql	58.47% <50.00%> (+<0.01%)	⬆️
postgres	58.55% <50.00%> (+<0.01%)	⬆️
presto	41.39% <50.00%> (+<0.01%)	⬆️
python	60.03% <50.00%> (+<0.01%)	⬆️
sqlite	58.17% <50.00%> (+<0.01%)	⬆️
unit	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[bito-code-review]

Code Review Agent Run #fabd4a

Actionable Suggestions - 1

• tests/unit_tests/views/health_version_test.py - 1

  • Missing build_number assertion · Line 32-51

Review Details

• Files reviewed - 4 · Commit Range: bde4d0a..bde4d0a

  • superset/config.py
  • superset/views/health.py
  • tests/unit_tests/config_test.py
  • tests/unit_tests/views/health_version_test.py
• Files skipped - 1

  • UPDATING.md - Reason: Filter setting
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[Copilot]

Pull request overview

Adds an operator-controlled config (EXPOSE_VERSION_INFO) to limit how much build/version metadata the unauthenticated /version endpoint exposes, while keeping the current behavior by default for backward compatibility.

Changes:

• Introduces EXPOSE_VERSION_INFO (default True) in superset/config.py.
• Gates /version response in superset/views/health.py to optionally return only version_string.
• Adds unit tests for both behaviors and documents the new option in UPDATING.md.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
superset/views/health.py	Adds EXPOSE_VERSION_INFO check to redact /version response fields when disabled.
superset/config.py	Defines the new EXPOSE_VERSION_INFO config default and documentation comment.
tests/unit_tests/views/health_version_test.py	New unit tests covering full vs. redacted /version responses.
tests/unit_tests/config_test.py	Asserts the config default is True.
UPDATING.md	Documents the new config option and its effect on /version.

[bito-code-review]

Code Review Agent Run #8b792b

Actionable Suggestions - 0

Filtered by Review Rules

Bito filtered these suggestions based on rules created automatically for your feedback. Manage rules.

• superset/views/health.py - 1

  • CWE-200: Exposure of Sensitive Info · Line 48-53

Review Details

• Files reviewed - 4 · Commit Range: bde4d0a..62556ae

  • superset/config.py
  • tests/unit_tests/config_test.py
  • superset/views/health.py
  • tests/unit_tests/views/health_version_test.py
• Files skipped - 1

  • UPDATING.md - Reason: Filter setting
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[bito-code-review]

Code Review Agent Run #3c52c2

Actionable Suggestions - 0

Review Details

• Files reviewed - 4 · Commit Range: 81a4665..0052909

  • superset/config.py
  • superset/views/health.py
  • tests/unit_tests/config_test.py
  • tests/unit_tests/views/health_version_test.py
• Files skipped - 1

  • UPDATING.md - Reason: Filter setting
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[rusackas]

Closing for now... will re-assess if this is really needed.