Bump mlflow from 2.22.1 to 3.5.0 in /dockerfiles/test

[dependabot]

User description

Bumps mlflow from 2.22.1 to 3.5.0.

Release notes

Sourced from mlflow's releases.

v3.5.0

MLflow 3.5.0 includes several major features and improvements!

Major Features

• 🤖 Tracing support for Claude Code SDK: MLflow now provides a tracing integration for both the Claude Code CLI and SDK! Configure the autologging integration to track your prompts, Claude's responses, tool calls, and more. Check out this doc page to get started. (#18022, @​smoorjani)
• 🎯 Flexible Prompt Optimization API: Introduced a new flexible API for prompt optimization with support for model switching and the GEPA algorithm, enabling more efficient prompt tuning with fewer rollouts. See the documentation to get started. (#18183, #18031, @​TomeHirata)
• 🎨 Enhanced UI Onboarding: Improved in-product onboarding experience with trace quickstart drawer and updated homepage guidance to help users discover MLflow's latest features. (#18098, #18187, @​B-Step62)
• 🔐 Security Middleware for Tracking Server: Added a security middleware layer to protect against DNS rebinding, CORS attacks, and other security threats. Read the documentation for configuration details. (#17910, @​BenWilson2)

Features

• [Tracing / Tracking] Add unlink_traces_from_run batch operation (#18316, @​harupy)
• [Tracing] Add batch trace link/unlink operations to DatabricksTracingRestStore (#18295, @​harupy)
• [Tracking] Claude Code SDK autologging support (#18022, @​smoorjani)
• [Tracing] Add support for reading trace configuration from environment variables (#17792, @​joelrobin18)
• [Tracking] Mistral tracing improvements (#16370, @​joelrobin18)
• [Tracking] Gemini token count tracking (#16248, @​joelrobin18)
• [Tracking] Gemini streaming support (#16249, @​joelrobin18)
• [Tracking] CrewAI token count tracking with documentation updates (#16373, @​joelrobin18)
• [Evaluation] Allow passing empty scorer list for manual result comparison (#18265, @​B-Step62)
• [Evaluation] Log assessments to DSPy evaluation traces (#18136, @​B-Step62)
• [Evaluation] Add support for trace inputs to built-in scorers (#17943, @​BenWilson2)
• [Evaluation] Add synonym handling for built-in scorers (#17980, @​BenWilson2)
• [Evaluation] Add span timing tool for Agent Judges (#17948, @​BenWilson2)
• [Evaluation] Allow disabling evaluation sample check (#18032, @​B-Step62)
• [Evaluation] Reduce verbosity of SIMBA optimizer logs when aligning judges (#17795, @​BenWilson2)
• [Evaluation] Add __repr__ method for Judges (#17794, @​BenWilson2)
• [Prompts] Add prompt registry support to MLflow webhooks (#17640, @​harupy)
• [Prompts] Prompt Registry Chat UI (#17334, @​joelrobin18)
• [UI] Delete parent and child runs together (#18052, @​joelrobin18)
• [UI] Added move to top, move to bottom for charts (#17742, @​joelrobin18)
• [Tracking] Use sampling data for run comparison to improve performance (#17645, @​lkuo)
• [Tracking] Add optional 'outputs' column for evaluation dataset records (#17735, @​WeichenXu123)
• [Tracking] Job backend execution (#17676, #18012, #18070, #18071, #18112, #18049, @​WeichenXu123)

Bug Fixes

• [Tracing] Fix parent run resolution mechanism for LangChain (#17273, @​B-Step62)
• [Tracing] Add client-side retry for get_trace to improve reliability (#18224, @​B-Step62)
• [Tracing] Fix OpenTelemetry dual export (#18163, @​B-Step62)
• [Tracing] Suppress false warnings from span logging (#18092, #18276, @​B-Step62)
• [Tracing] Fix OpenTelemetry resource attributes not propagating correctly (#18019, @​xiaosha007)
• [Tracing] Fix DSPy prompt display (#17988, @​B-Step62)
• [Tracing] Fix usage aggregation to avoid ancestor duplication (#17921, @​TomeHirata)
• [Tracing] Fix double counting in Strands tracing (#17855, @​joelrobin18)
• [Tracing] Fix to_predict_fn to handle traces without tags field (#17784, @​harupy)
• [Tracing] URL-encode trace tag keys in delete_trace_tag to prevent 404 errors (#18232, @​copilot-swe-agent)
• [Tracking] Fix Claude Code autologging inputs not displaying (#17858, @​smoorjani)
• [Tracking] Fix runs with 0-valued metrics not appearing in experiment list contour plots (#17916, @​WeichenXu123)

... (truncated)

Commits

• 77b2695 Run python3 dev/update_mlflow_versions.py pre-release ... (#18355)
• fc2fb36 Revert "Add atomicity to job_start API (#18226)"
• e7b2177 Revert "Fix response handling in log_spans (#18280)" (#18349)
• 5d86ffe Create set_databricks_monitoring_sql_warehouse_id API (#18346)
• 250985f Fetch config after adding first record (#18338)
• ad0aad1 Fix log_metrics slowness for get run (#18241)
• 05a0111 Increase max height of params/metrics boxes (#18306)
• 3e24457 Implement lazy logger initialization in claude_code.tracing (#18339)
• 892bed1 Add github feature requests on the GenAI doc (#18342)
• f605177 Minor comment fix for extract_retrieval_context_from_trace (#18331)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

PR Type

Enhancement, dependencies

---

Description

• Upgrade mlflow to 3.5.0 in test image

• Update pinned hashes in locked requirements

---

Diagram Walkthrough

flowchart LR
  lock["locked-requirements.txt (test)"]
  mlflow221["mlflow 2.22.1 (old)"]
  mlflow350["mlflow 3.5.0 (new)"]
  hashes["Update SHA256 hashes"]

  lock -- "replace version" --> mlflow350
  mlflow221 -- "remove" --> lock
  mlflow350 -- "pin with hashes" --> hashes

Loading

File Walkthrough

	Relevant files
Dependencies	locked-requirements.txt Update mlflow pin and hashes                                                          dockerfiles/test/locked-requirements.txt Bump mlflow from 2.22.1 to 3.5.0. Replace pinned SHA256 hashes for mlflow. Keep surrounding dependencies unchanged. +3/-3

---

[pull-request-agent]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Compatibility Risk Upgrading to mlflow 3.5.0 may introduce API or CLI changes affecting images built from this lockfile; verify downstream Docker builds and runtime scripts are compatible and that transitive dependency resolution remains consistent with the pinned hashes. mlflow==3.5.0 \ --hash=sha256:138cd211eac787d0db80523f8f2456c562c6dd82b3eb912a2a42d96f3a9c4fa3 \ --hash=sha256:ea06c79d933c30fe863cb7c809818c36f356e58a3f4007ab1f6c6c3b752c2b3e

[pull-request-agent]

PR Code Suggestions ✨

No code suggestions found for the PR.