Update dependency mlflow to v2.12.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
mlflow	2.4.1 -> 2.12.1

GitHub Vulnerability Alerts

CVE-2023-3765

Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0.

CVE-2023-4033

OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.

CVE-2023-6015

MLflow allowed arbitrary files to be PUT onto the server.

CVE-2023-6018

The mlflow web server includes tools for tracking experiments, packaging code into reproducible runs, and sharing and deploying models. As this vulnerability allows to write / overwrite any file on the file system, it gives a lot of ways to archive code execution (like overwriting /home/<user>/.bashrc). A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.

CVE-2023-43472

An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.

CVE-2023-6568

A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the user without adequate sanitization or escaping, leading to arbitrary JavaScript execution in the context of the victim's browser. The vulnerability is present in the mlflow/server/auth/init.py file, where the user-supplied Content-Type header is directly injected into a Python formatted string and returned to the user, facilitating the XSS attack.

CVE-2023-6709

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.

CVE-2023-6753

Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2.

CVE-2023-6831

Path Traversal: '..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

CVE-2023-6940

with only one user interaction(download a malicious config), attackers can gain full command execution on the victim system.

CVE-2023-6975

A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.

CVE-2023-6977

This vulnerability enables malicious users to read sensitive files on the server.

CVE-2023-6974

A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (ie: aws instance) it could be abused to get a remote code execution on the victim machine.

CVE-2023-6976

This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.

CVE-2023-6909

Path Traversal: '..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

CVE-2024-27132

Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe.

This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook.

The vulnerability stems from lack of sanitization over template variables.

CVE-2024-27133

Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields.

CVE-2023-6014

An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirement.

CVE-2024-1483

A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifact_location' and 'source' parameters, using a local URI with '#' instead of '?', an attacker can traverse the server's directory structure. The issue occurs due to insufficient validation of user-supplied input in the server's handlers.

CVE-2024-3573

mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exploit this by crafting malicious model versions with specially crafted 'source' parameters, enabling the reading of sensitive files within at least two directory levels from the server's root.

CVE-2024-1558

A path traversal vulnerability exists in the _create_model_version() function within server/handlers.py of the mlflow/mlflow repository, due to improper validation of the source parameter. Attackers can exploit this vulnerability by crafting a source parameter that bypasses the _validate_non_local_source_contains_relative_paths(source) function's checks, allowing for arbitrary file read access on the server. The issue arises from the handling of unquoted URL characters and the subsequent misuse of the original source value for model version creation, leading to the exposure of sensitive files when interacting with the /model-versions/get-artifact handler.

CVE-2024-4263

A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT permissions on an experiment can delete any artifacts. This issue arises due to the lack of proper validation for DELETE requests by users with EDIT permissions, allowing them to perform unauthorized deletions of artifacts. The vulnerability specifically affects the handling of artifact deletions within the application, as demonstrated by the ability of a low privilege user to delete a directory inside an artifact using a DELETE request, despite the official documentation stating that users with EDIT permission can only read and update artifacts, not delete them.

CVE-2024-0520

A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command ('Command Injection') within the mlflow.data.http_dataset_source.py module. Specifically, when loading a dataset from a source URL with an HTTP scheme, the filename extracted from the Content-Disposition header or the URL path is used to generate the final file path without proper sanitization. This flaw enables an attacker to control the file path fully by utilizing path traversal or absolute path techniques, such as '../../tmp/poc.txt' or '/tmp/poc.txt', leading to arbitrary file write. Exploiting this vulnerability could allow a malicious user to execute commands on the vulnerable machine, potentially gaining access to data and model information. The issue is fixed in version 2.9.0.

CVE-2024-2928

A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system, including sensitive files like '/etc/passwd'. The vulnerability is a bypass to a previous patch that only addressed similar manipulation within the URI's query string, highlighting the need for comprehensive validation of all parts of a URI to prevent LFI attacks.

CVE-2024-3099

A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service (DoS) as an authenticated user might not be able to use the intended model, as it will open a different model each time. Additionally, an attacker can exploit this vulnerability to perform data model poisoning by creating a model with the same name, potentially causing an authenticated user to become a victim by using the poisoned model. The issue stems from inadequate validation of model names, allowing for the creation of models with URL-encoded names that are treated as distinct from their URL-decoded counterparts.

---

Release Notes

mlflow/mlflow (mlflow)

v2.12.1

MLflow 2.12.1 includes several major features and improvements

With this release, we're pleased to introduce several major new features that are focused on enhanced GenAI support, Deep Learning workflows involving images, expanded table logging functionality, and general usability enhancements within the UI and external integrations.

Major Features and Improvements:

• PromptFlow: Introducing the new PromptFlow flavor, designed to enrich the GenAI landscape within MLflow. This feature simplifies the creation and management of dynamic prompts, enhancing user interaction with AI models and streamlining prompt engineering processes. (#​11311, #​11385 @​brynn-code)

• Enhanced Metadata Sharing for Unity Catalog: MLflow now supports the ability to share metadata (and not model weights) within Databricks Unity Catalog. When logging a model, this functionality enables the automatic duplication of metadata into a dedicated subdirectory, distinct from the model’s actual storage location, allowing for different sharing permissions and access control limits. (#​11357, #​11720 @​WeichenXu123)

• Code Paths Unification and Standardization: We have unified and standardized the code_paths parameter across all MLflow flavors to ensure a cohesive and streamlined user experience. This change promotes consistency and reduces complexity in the model deployment lifecycle. (#​11688, @​BenWilson2)

• ChatOpenAI and AzureChatOpenAI Support: Support for the ChatOpenAI and AzureChatOpenAI interfaces has been integrated into the LangChain flavor, facilitating seamless deployment of conversational AI models. This development opens new doors for building sophisticated and responsive chat applications leveraging cutting-edge language models. (#​11644, @​B-Step62)

• Custom Models in Sentence-Transformers: The sentence-transformers flavor now supports custom models, allowing for a greater flexibility in deploying tailored NLP solutions. (#​11635, @​B-Step62)

• Image Support for Log Table: With the addition of image support in log_table, MLflow enhances its capabilities in handling rich media. This functionality allows for direct logging and visualization of images within the platform, improving the interpretability and analysis of visual data. (#​11535, @​jessechancy)

• Streaming Support for LangChain: The newly introduced predict_stream API for LangChain models supports streaming outputs, enabling real-time output for chain invocation via pyfunc. This feature is pivotal for applications requiring continuous data processing and instant feedback. (#​11490, #​11580 @​WeichenXu123)

Security Fixes:

• Security Patch: Addressed a critical Local File Read/Path Traversal vulnerability within the Model Registry, ensuring robust protection against unauthorized access and securing user data integrity. (#​11376, @​WeichenXu123)

Features:

• [Models] Add the PromptFlow flavor (#​11311, #​11385 @​brynn-code)
• [Models] Add a new predict_stream API for streamable output for Langchain models and the DatabricksDeploymentClient (#​11490, #​11580 @​WeichenXu123)
• [Models] Deprecate and add code_paths alias for code_path in pyfunc to be standardized to other flavor implementations (#​11688, @​BenWilson2)
• [Models] Add support for custom models within the sentence-transformers flavor (#​11635, @​B-Step62)
• [Models] Enable Spark MapType support within model signatures when used with Spark udf inference (#​11265, @​WeichenXu123)
• [Models] Add support for metadata-only sharing within Unity Catalog through the use of a subdirectory (#​11357, #​11720 @​WeichenXu123)
• [Models] Add Support for the ChatOpenAI and AzureChatOpenAI LLM interfaces within the LangChain flavor (#​11644, @​B-Step62)
• [Artifacts] Add support for utilizing presigned URLs when uploading and downloading files when using Unity Catalog (#​11534, @​artjen)
• [Artifacts] Add a new Image object for handling the logging and optimized compression of images (#​11404, @​jessechancy)
• [Artifacts] Add time and step-based metadata to the logging of images (#​11243, @​jessechancy)
• [Artifacts] Add the ability to log a dataset to Unity Catalog by means of UCVolumeDatasetSource (#​11301, @​chenmoneygithub)
• [Tracking] Remove the restrictions for logging a table in Delta format to no longer require running within a Databricks environment (#​11521, @​chenmoneygithub)
• [Tracking] Add support for logging mlflow.Image files within tables (#​11535, @​jessechancy)
• [Server-infra] Introduce override configurations for controlling how http retries are handled (#​11590, @​BenWilson2)
• [Deployments] Implement chat & chat streaming for Anthropic within the MLflow deployments server (#​11195, @​gabrielfu)

Security fixes:

• [Model Registry] Fix Local File Read/Path Traversal (LFI) bypass vulnerability (#​11376, @​WeichenXu123)

Bug fixes:

• [Model Registry] Fix a registry configuration error that occurs within Databricks serverless clusters (#​11719, @​WeichenXu123)
• [Model Registry] Delete registered model permissions when deleting the underlying models (#​11601, @​B-Step62)
• [Model Registry] Disallow % in model names to prevent URL mangling within the UI (#​11474, @​daniellok-db)
• [Models] Fix an issue where crtically important environment configurations were not being captured as langchain dependencies during model logging (#​11679, @​serena-ruan)
• [Models] Patch the LangChain loading functions to handle uncorrectable pickle-related exceptions that are thrown when loading a model in certain versions (#​11582, @​B-Step62)
• [Models] Fix a regression in the sklearn flavor to reintroduce support for custom prediction methods (#​11577, @​B-Step62)
• [Models] Fix an inconsistent and unreliable implementation for batch support within the langchain flavor (#​11485, @​WeichenXu123)
• [Models] Fix loading remote-code-dependent transformers models that contain custom code (#​11412, @​daniellok-db)
• [Models] Remove the legacy conversion logic within the transformers flavor that generates an inconsistent input example display within the MLflow UI (#​11508, @​B-Step62)
• [Models] Fix an issue with Keras autologging iteration input handling (#​11394, @​WeichenXu123)
• [Models] Fix an issue with keras autologging training dataset generator (#​11383, @​WeichenXu123)
• [Tracking] Fix an issue where a module would be imported multiple times when logging a langchain model (#​11553, @​sunishsheth2009)
• [Tracking] Fix the sampling logic within the GetSampledHistoryBulkInterval API to produce more consistent results when displayed within the UI (#​11475, @​daniellok-db)
• [Tracking] Fix import issues and properly resolve dependencies of langchain and lanchain_community within langchain models when logging (#​11450, @​sunishsheth2009)
• [Tracking] Improve the performance of asynchronous logging (#​11346, @​chenmoneygithub)
• [Deployments] Add middle-of-name truncation to excessively long deployment names for Sagemaker image deployment (#​11523, @​BenWilson2)

Documentation updates:

• [Docs] Add clarity and consistent documentation for code_paths docstrings in API documentation (#​11675, @​BenWilson2)
• [Docs] Add documentation guidance for sentence-transformers OpenAI-compatible API interfaces (#​11373, @​es94129)

Small bug fixes and documentation updates:

#​11723, @​freemin7; #​11722, #​11721, #​11690, #​11717, #​11685, #​11689, #​11607, #​11581, #​11516, #​11511, #​11358, @​serena-ruan; #​11718, #​11673, #​11676, #​11680, #​11671, #​11662, #​11659, #​11654, #​11633, #​11628, #​11620, #​11610, #​11605, #​11604, #​11600, #​11603, #​11598, #​11572, #​11576, #​11555, #​11563, #​11539, #​11532, #​11528, #​11525, #​11514, #​11513, #​11509, #​11457, #​11501, #​11500, #​11459, #​11446, #​11443, #​11442, #​11433, #​11430, #​11420, #​11419, #​11416, #​11418, #​11417, #​11415, #​11408, #​11325, #​11327, #​11313, @​harupy; #​11707, #​11527, #​11663, #​11529, #​11517, #​11510, #​11489, #​11455, #​11427, #​11389, #​11378, #​11326, @​B-Step62; #​11715, #​11714, #​11665, #​11626, #​11619, #​11437, #​11429, @​BenWilson2; #​11699, #​11692, @​annzhang-db; #​11693, #​11533, #​11396, #​11392, #​11386, #​11380, #​11381, #​11343, @​WeichenXu123; #​11696, #​11687, #​11683, @​chilir; #​11387, #​11625, #​11574, #​11441, #​11432, #​11428, #​11355, #​11354, #​11351, #​11349, #​11339, #​11338, #​11307, @​daniellok-db; #​11653, #​11369, #​11270, @​chenmoneygithub; #​11666, #​11588, @​jessechancy; #​11661, @​jmjeon94; #​11640, @​tunjan; #​11639, @​minkj1992; #​11589, @​tlm365; #​11566, #​11410, @​brynn-code; #​11570, @​lababidi; #​11542, #​11375, #​11345, @​edwardfeng-db; #​11463, @​taranarmo; #​11506, @​ernestwong-db; #​11502, @​fzyzcjy; #​11470, @​clemenskol; #​11452, @​jkfran; #​11413, @​GuyAglionby; #​11438, @​victorsun123; #​11350, @​liangz1; #​11370, @​sunishsheth2009; #​11379, #​11304, @​zhouyou9505; #​11321, #​11323, #​11322, @​michael-berk; #​11333, @​cdancette; #​11228, @​TomeHirata

v2.12.0

MLflow 2.12.0 has been yanked from PyPI due to an issue with packaging required JS components. MLflow 2.12.1 is its replacement.

v2.11.3

Compare Source

MLflow 2.11.3 is a patch release that addresses a security exploit with the Open Source MLflow tracking server and miscellaneous Databricks integration fixes

Bug fixes:

• [Security] Address an LFI exploit related to misuse of url parameters (#​11473, @​daniellok-db)
• [Databricks] Fix an issue with Databricks Runtime version acquisition when deploying a model using Databricks Docker Container Services (#​11483, @​WeichenXu123)
• [Databricks] Correct an issue with credential management within Databricks Model Serving (#​11468, @​victorsun123)
• [Models] Fix an issue with chat request validation for LangChain flavor (#​11478, @​BenWilson2)
• [Models] Fixes for LangChain models that are logged as code (#​11494, #​11436 @​sunishsheth2009)

v2.11.2

Compare Source

MLflow 2.11.2 is a patch release that introduces corrections for the support of custom transformer models, resolves LangChain integration problems, and includes several fixes to enhance stability.

Bug fixes:

• [Security] Address LFI exploit (#​11376, @​WeichenXu123)
• [Models] Fix transformers models implementation to allow for custom model and component definitions to be loaded properly (#​11412, #​11428 @​daniellok-db)
• [Models] Fix the LangChain flavor implementation to support defining an MLflow model as code (#​11370, @​sunishsheth2009)
• [Models] Fix LangChain VectorSearch parsing errors (#​11438, @​victorsun123)
• [Models] Fix LangChain import issue with the community package (#​11450, @​sunishsheth2009)
• [Models] Fix serialization errors with RunnableAssign in the LangChain flavor (#​11358, @​serena-ruan)
• [Models] Address import issues with LangChain community for Databricks models (#​11350, @​liangz1)
• [Registry] Fix model metadata sharing within Databricks Unity Catalog (#​11357, #​11392 @​WeichenXu123)

Small bug fixes and documentation updates:

#​11321, #​11323, @​michael-berk; #​11326, #​11455, @​B-Step62; #​11333, @​cdancette; #​11373, @​es94129; #​11429, @​BenWilson2; #​11413, @​GuyAglionby; #​11338, #​11339, #​11355, #​11432, #​11441, @​daniellok-db; #​11380, #​11381, #​11383, #​11394, @​WeichenXu123; #​11446, @​harupy;

v2.11.1

Compare Source

MLflow 2.11.1 is a patch release, containing fixes for some Databricks integrations and other various issues.

Bug fixes:

• [UI] Add git commit hash back to the run page UI (#​11324, @​daniellok-db)
• [Databricks Integration] Explicitly import vectorstores and embeddings in databricks_dependencies (#​11334, @​daniellok-db)
• [Databricks Integration] Modify DBR version parsing logic (#​11328, @​daniellok-db)

Small bug fixes and documentation updates:

#​11336, #​11335, @​harupy; #​11303, @​B-Step62; #​11319, @​BenWilson2; #​11306, @​daniellok-db

v2.11.0

Compare Source

MLflow 2.11.0 includes several major features and improvements

With the MLflow 2.11.0 release, we're excited to bring a series of large and impactful features that span both GenAI and Deep Learning use cases.

• The MLflow Tracking UI got an overhaul to better support the review and comparison of training runs for Deep Learning workloads. From grouping to large-scale metric plotting throughout
  the iterations of a DL model's training cycle, there are a large number of quality of life improvements to enhance your Deep Learning MLOps workflow.

• Support for the popular PEFT library from HuggingFace is now available
  in the mlflow.transformers flavor. In addition to PEFT support, we've removed the restrictions on Pipeline types
  that can be logged to MLflow, as well as the ability to, when developing and testing models, log a transformers pipeline without copying foundational model weights. These
  enhancements strive to make the transformers flavor more useful for cutting-edge GenAI models, new pipeline types, and to simplify the development process of prompt engineering, fine-tuning,
  and to make iterative development faster and cheaper. Give the updated flavor a try today! (#​11240, @​B-Step62)

• We've added support to both PyTorch and
  TensorFlow for automatic model weights checkpointing (including resumption from a
  previous state) for the auto logging implementations within both flavors. This highly requested feature allows you to automatically configure long-running Deep Learning training
  runs to keep a safe storage of your best epoch, eliminating the risk of a failure late in training from losing the state of the model optimization. (#​11197, #​10935, @​WeichenXu123)

• We've added a new interface to Pyfunc for GenAI workloads. The new ChatModel interface allows for interacting with a deployed GenAI chat model as you would with any other provider.
  The simplified interface (no longer requiring conformance to a Pandas DataFrame input type) strives to unify the API interface experience. (#​10820, @​daniellok-db)

• We now support Keras 3. This large overhaul of the Keras library introduced new fundamental changes to how Keras integrates with different DL frameworks, bringing with it
  a host of new functionality and interoperability. To learn more, see the Keras 3.0 Tutorial
  to start using the updated model flavor today! (#​10830, @​chenmoneygithub)

• Mistral AI has been added as a native provider for the MLflow Deployments Server. You can
  now create proxied connections to the Mistral AI services for completions and embeddings with their powerful GenAI models. (#​11020, @​thnguyendn)

• We've added compatibility support for the OpenAI 1.x SDK. Whether you're using an OpenAI LLM for model evaluation or calling OpenAI within a LangChain model, you'll now be able to
  utilize the 1.x family of the OpenAI SDK without having to point to deprecated legacy APIs. (#​11123, @​harupy)

Features:

• [UI] Revamp the MLflow Tracking UI for Deep Learning workflows, offering a more intuitive and efficient user experience (#​11233, @​daniellok-db)
• [Data] Introduce the ability to log datasets without loading them into memory, optimizing resource usage and processing time (#​11172, @​chenmoneygithub)
• [Models] Introduce logging frequency controls for TensorFlow, aligning it with Keras for consistent performance monitoring (#​11094, @​chenmoneygithub)
• [Models] Add PySpark DataFrame support in mlflow.pyfunc.predict, enhancing data compatibility and analysis options for batch inference (#​10939, @​ernestwong-db)
• [Models] Introduce new CLI commands for updating model requirements, facilitating easier maintenance, validation and updating of models without having to re-log (#​11061, @​daniellok-db)
• [Models] Update Embedding API for sentence transformers to ensure compatibility with OpenAI format, broadening model application scopes (#​11019, @​lu-wang-dl)
• [Models] Improve input and signature support for text-generation models, optimizing for Chat and Completions tasks (#​11027, @​es94129)
• [Models] Enable chat and completions task outputs in the text-generation pipeline, expanding interactive capabilities (#​10872, @​es94129)
• [Tracking] Add node id to system metrics for enhanced logging in multi-node setups, improving diagnostics and monitoring (#​11021, @​chenmoneygithub)
• [Tracking] Implement mlflow.config.enable_async_logging for asynchronous logging, improving log handling and system performance (#​11138, @​chenmoneygithub)
• [Evaluate] Enhance model evaluation with endpoint URL support, streamlining performance assessments and integrations (#​11262, @​B-Step62)
• [Deployments] Implement chat & chat streaming support for Cohere, enhancing interactive model deployment capabilities (#​10976, @​gabrielfu)
• [Deployments] Enable Cohere streaming support, allowing real-time interaction functionalities for the MLflow Deployments server with the Cohere provider (#​10856, @​gabrielfu)
• [Docker / Scoring] Optimize Docker images for model serving, ensuring more efficient deployment and scalability (#​10954, @​B-Step62)
• [Scoring] Support completions (prompt) and embeddings (input) format inputs in the scoring server, increasing model interaction flexibility (#​10958, @​es94129)

Bug Fixes:

• [Model Registry] Correct the oversight of not utilizing the default credential file in model registry setups (#​11261, @​B-Step62)
• [Model Registry] Address the visibility issue of aliases in the model versions table within the registered model detail page (#​11223, @​smurching)
• [Models] Ensure load_context() is called when enforcing ChatModel outputs so that all required external references are included in the model object instance (#​11150, @​daniellok-db)
• [Models] Rectify the keras output dtype in signature mismatches, ensuring data consistency and accuracy (#​11230, @​chenmoneygithub)
• [Models] Resolve spark model loading failures, enhancing model reliability and accessibility (#​11227, @​WeichenXu123)
• [Models] Eliminate false warnings for missing signatures in Databricks, improving the user experience and model validation processes (#​11181, @​B-Step62)
• [Models] Implement a timeout for signature/requirement inference during Transformer model logging, optimizing the logging process and avoiding delays (#​11037, @​B-Step62)
• [Models] Address the missing dtype issue for transformer pipelines, ensuring data integrity and model accuracy (#​10979, @​B-Step62)
• [Models] Correct non-idempotent predictions due to in-place updates to model-config, stabilizing model outputs (#​11014, @​B-Step62)
• [Models] Fix an issue where specifying torch.dtype as a string was not being applied correctly to the underlying transformers model (#​11297, #​11295, @​harupy)
• [Tracking] Fix mlflow.evaluate col_mapping bug for non-LLM/custom metrics, ensuring accurate evaluation and metric calculation (#​11156, @​sunishsheth2009)
• [Tracking] Resolve the TensorInfo TypeError exception message issue, ensuring clarity and accuracy in error reporting for users (#​10953, @​leecs0503)
• [Tracking] Enhance RestException objects to be picklable, improving their usability in distributed computing scenarios where serialization is essential (#​10936, @​WeichenXu123)
• [Tracking] Address the handling of unrecognized response error codes, ensuring robust error processing and improved user feedback in edge cases (#​10918, @​chenmoneygithub)
• [Spark] Update hardcoded io.delta:delta-spark_2.12:3.0.0 dependency to the correct scala version, aligning dependencies with project requirements (#​11149, @​WeichenXu123)
• [Server-infra] Adapt to newer versions of python by avoiding importlib.metadata.entry_points().get, enhancing compatibility and stability (#​10752, @​raphaelauv)
• [Server-infra / Tracking] Introduce an environment variable to disable mlflow configuring logging on import, improving configurability and user control (#​11137, @​jmahlik)
• [Auth] Enhance auth validation for mlflow.login(), streamlining the authentication process and improving security (#​11039, @​chenmoneygithub)

Documentation Updates:

• [Docs] Introduce a comprehensive notebook demonstrating the use of ChatModel with Transformers and Pyfunc, providing users with practical insights and guidelines for leveraging these models (#​11239, @​daniellok-db)
• [Tracking / Docs] Stabilize the dataset logging APIs, removing the experimental status (#​11229, @​dbczumar)
• [Docs] Revise and update the documentation on authentication database configuration, offering clearer instructions and better support for setting up secure authentication mechanisms (#​11176, @​gabrielfu)
• [Docs] Publish a new guide and tutorial for MLflow data logging and log_input, enriching the documentation with actionable advice and examples for effective data handling (#​10956, @​BenWilson2)
• [Docs] Upgrade the documentation visuals by replacing low-resolution and poorly dithered GIFs with high-quality HTML5 videos, significantly enhancing the learning experience (#​11051, @​BenWilson2)
• [Docs / Examples] Correct the compatibility matrix for OpenAI in MLflow Deployments Server documentation, providing users with accurate integration details and supporting smoother deployments (#​11015, @​BenWilson2)

Small bug fixes and documentation updates:

#​11284, #​11096, #​11285, #​11245, #​11254, #​11252, #​11250, #​11249, #​11234, #​11248, #​11242, #​11244, #​11236, #​11208, #​11220, #​11222, #​11221, #​11219, [#​11218](https://redirect.github.com/mlflow/mlflow/i

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.