security(deps): bump mlflow from 3.5.0 to 3.8.0rc0 in /training/rl

[dependabot]

Bumps mlflow from 3.5.0 to 3.8.0rc0.

Release notes

Sourced from mlflow's releases.

v3.8.0rc0

MLflow 3.8.0rc0 includes several major features and improvements. More features to come in the final 3.8.0 release!

To try out this release candidate:

pip install mlflow==3.8.0rc0

Major Features

• ⚙️ Prompt Model Configuration: Prompts can now include model configuration, allowing you to associate specific model settings with prompt templates for more reproducible LLM workflows. (#18963, #19174, #19279, @​chenmoneygithub)
• ⏳ In-Progress Trace Display: The Traces UI now supports displaying spans from in-progress traces with auto-polling, enabling real-time debugging and monitoring of long-running LLM applications. (#19265, @​B-Step62)
• ⚖️ DeepEval Judges Integration: New get_judge API enables using DeepEval's evaluation metrics as MLflow scorers, providing access to 20+ evaluation metrics including answer relevancy, faithfulness, and hallucination detection. (#18988, @​smoorjani)
• 🛡️ Conversational Safety Scorer: New built-in scorer for evaluating safety of multi-turn conversations, analyzing entire conversation histories for hate speech, harassment, violence, and other safety concerns. (#19106, @​joelrobin18)
• ⚡ Conversational Tool Call Efficiency Scorer: New built-in scorer for evaluating tool call efficiency in multi-turn agent interactions, detecting redundant calls, missing batching opportunities, and poor tool selections. (#19245, @​joelrobin18)

v3.7.0

MLflow 3.7.0 includes several major features and improvements for GenAI Observability, Evaluation, and Prompt Management.

Major Features

• 📝 Experiment Prompts UI: New prompts functionality in the experiment UI allows you to manage and search prompts directly within experiments, with support for filter strings and prompt version search in traces. (#19156, #18919, #18906, @​TomeHirata)
• 💬 Multi-turn Evaluation Support: Enhanced mlflow.genai.evaluate now supports multi-turn conversations, enabling comprehensive assessment of conversational AI applications with DataFrame and list inputs. (#18971, @​AveshCSingh)
• ⚖️ Trace Comparison: New side-by-side comparison view in the Traces UI allows you to analyze and debug LLM application behavior across different runs, making it easier to identify regressions and improvements. (#17138, @​joelrobin18)
• 🌐 Gemini TypeScript SDK: Auto-tracing support for Google's Gemini in TypeScript, expanding MLflow's observability capabilities for JavaScript/TypeScript AI applications. (#18207, @​joelrobin18)
• 🎯 Structured Outputs in Judges: The make_judge API now supports structured outputs, enabling more precise and programmatically consumable evaluation results. (#18529, @​TomeHirata)
• 🔗 VoltAgent Tracing: Added auto-tracing support for VoltAgent, extending MLflow's observability to this AI agent framework. (#19041, @​joelrobin18)

Breaking Changes

• [Tracking] SQLite is now the default backend for the MLflow Tracking server. (#18497, @​harupy)
• [Models] Remove deprecated diviner flavor (#18808, @​copilot-swe-agent)
• [Models] Remove deprecated promptflow flavor (#18805, @​copilot-swe-agent)

Features

• [Tracking] Create parent directories for SQLite database files (#19205, @​harupy)
• [Prompts] Link Prompts and Experiments when prompts are loaded/registered (#18883, @​TomeHirata)
• [Tracking] Include environment variable fallback for SGC run resumption (#19143, @​artjen)
• [Tracking] Add support for SGC run resumption from Databricks Jobs (#19015, @​artjen)
• [Evaluation] Add --builtin/-b flag to mlflow scorers list command (#19095, @​alkispoly-db)
• [Tracing] Pydantic AI Chat UI support (#18777, @​joelrobin18)
• [Tracking] Add auth support for scorers (#18699, @​BenWilson2)
• [Evaluation] Remove experimental flags from scorers (#18122, @​BenWilson2)
• [Evaluation] Add description field to all built-in scorers (#18547, @​alkispoly-db)

Bug Fixes

• [Tracing] Handle traces with third-party generic root span (#19217, @​B-Step62)

... (truncated)

Changelog

Sourced from mlflow's changelog.

CHANGELOG

3.11.0rc0 (2026-03-16)

We're excited to announce MLflow 3.11.0rc0, which includes several notable updates:

Major New Features:

• 🔍 Automatic Issue Identification: Automatically identify quality issues in your agent with AI! Use the new "Detect Issues" button in the traces table to analyze selected traces and surface potential problems across categories like correctness, safety, and performance. Issues are linked directly to traces for easy investigation and debugging. (#21431, #21204, #21165, #21163, #21161, @​smoorjani, @​serena-ruan)
• 💰 Gateway Budget Alerts & Limits: Control your AI Gateway spending with configurable budget policies! Set spending limits by time window (daily, weekly, or monthly), receive alerts before hitting limits, and prevent runaway costs with automatic request blocking. The new budget management UI lets you track spending, configure webhooks for notifications, and monitor violations across all your gateway endpoints. (#21116, #21534, #21569, #21473, #21108, @​TomeHirata, @​copilot-swe-agent)
• 📊 Trace Graph View: Visualize complex trace hierarchies with an interactive graph view! Navigate multi-level trace structures, understand parent-child relationships at a glance, and debug complex systems more effectively with a visual representation of your trace topology. (#20607, @​joelrobin18)
• 🌐 Native OpenTelemetry GenAI Convention Support: MLflow now natively supports the OpenTelemetry GenAI Semantic Conventions for trace export! When exporting traces via OTLP with MLFLOW_ENABLE_OTEL_GENAI_SEMCONV enabled, MLflow automatically translates them to follow the OTel GenAI semantic conventions, enabling seamless integration with OTel-compatible observability platforms while preserving GenAI-specific metadata. (#21494, #21495, @​B-Step62)
• 🔧 Opencode Tracing Integration: Debug smarter with Opencode CLI integration! Track and analyze code execution flows directly from your development workflow, making it easier to identify performance bottlenecks and trace issues back to specific code paths. (#20133, @​joelrobin18)
• ⚡ UV Package Manager Support: Automatic dependency inference now supports UV! MLflow automatically detects UV projects and captures exact, locked dependencies from your lockfile when logging models, ensuring reproducible environments. (#20344, #20935, @​debu-sinha)
• 🔒 Pickle-Free Model Serialization: Enhance security with pickle-free model formats! MLflow now supports safer model serialization using torch.export and skops formats, with improved controls when MLFLOW_ALLOW_PICKLE_DESERIALIZATION=False. Comprehensive documentation guides you through migrating existing models to pickle-free formats for production deployments. (#21404, #21188, #20774, @​WeichenXu123)

Breaking Changes:

• ⚠️ TypeScript SDK Package Renaming: The MLflow TypeScript SDK packages have been renamed to use npm organization scoping. If you're using the TypeScript SDK, update your package.json dependencies and import statements: mlflow-tracing → @mlflow/core, mlflow-openai → @mlflow/openai, mlflow-anthropic → @mlflow/anthropic, mlflow-gemini → @mlflow/gemini. All packages are now at version 0.2.0. (#20792, @​B-Step62)

Stay tuned for the full release, which will be packed with even more features and bugfixes.

To try out this release candidate, please run:

pip install mlflow==3.11.0rc0

3.10.1 (2026-03-05)

MLflow 3.10.1 is a patch release that contains some minor feature enhancements, bug fixes, and documentation updates.

Features:

• [UI] Add try-it page on Gateway usage example modal (#21077, @​PattaraS)
• [UI] Filter gateway experiments from the experiment list page (#21130, @​copilot-swe-agent)

Bug fixes:

• [UI] Fix "View full dashboard" link in gateway usage tab when workspace is enabled (#21191, @​copilot-swe-agent)
• [UI] Persist AI Gateway default passphrase security banner dismissal to localStorage (#21292, @​copilot-swe-agent)
• [Evaluation] Demote unused parameters log message from WARNING to DEBUG in instructions judge (#21294, @​copilot-swe-agent)
• [UI] Clear "All" time selector when switching to overview tab (#21371, @​daniellok-db)
• [Prompts / UI] Fix Traces view in Prompts tab not being scrollable (#21282, @​TomeHirata)
• [UI] Fix judge builder instruction textarea (#21299, @​daniellok-db)
• [UI] Fix group mode to aggregate "Additional runs" as "Unassigned" group in charts (#21155, @​copilot-swe-agent)
• [UI] Fix artifact download when workspaces are enabled (#21074, @​timsolovev)
• [Tracing] Fix NOT NULL constraint on assessments.trace_id during trace export (#21348, @​dbczumar)
• [Tracking] Fix 403 Forbidden for artifact list via query param when default_permission=NO_PERMISSIONS (#21220, @​copilot-swe-agent)
• [UI] [ML-63097] Fix broken LLM judge documentation links (#21347, @​smoorjani)
• [] Fix Run Judge failed with litellm.InternalServerError: Invalid response object. (#21262, @​PattaraS)
• [Tracing / UI] Update Action menu: indentation to avoid confusion (#21266, @​PattaraS)

... (truncated)

Commits

• 23ec3fb Run python3 dev/update_mlflow_versions.py pre-release ... (#19387)
• 3bf2844 Fix non-reproducible code examples in deep-learning.mdx (#19376)
• 995412d fix: Confusing documentation for mlflow.genai.evaluate() (#19380)
• 9169bd7 AgentServer: add proxy helper (#19323)
• 62d6aae Refactor test to use pytest.mark.parametrize (#19373)
• 44736a5 [Bug fix] Traces UI: Support filtering on assessments with multiple values (e...
• ff1728c Remove sklearn_version parameterization from `test_spark_udf_env_manager_ca...
• e35e11a Use db_uri fixture in test_rest_store_webhooks.py to skip database migrat...
• 9d8c5e5 Replace pyfunc_serve_and_score_model with score_model_in_process in `test...
• a9bf958 Remove obsolete conda-forge mirror workaround from setup-python action (#19367)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
pip/mlflow	3.8.0rc0	Unknown	Unknown

Scanned Files

• training/rl/requirements.txt

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 38.37%. Comparing base (1534462) to head (68dae62).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #297   +/-   ##
=======================================
  Coverage   38.37%   38.37%           
=======================================
  Files          73       73           
  Lines        8579     8579           
  Branches      497      497           
=======================================
  Hits         3292     3292           
  Misses       5277     5277           
  Partials       10       10           

Flag	Coverage Δ		*Carryforward flag
pester	79.87% <ø> (ø)
pytest	6.89% <ø> (ø)		Carriedforward from acbab4e
pytest-dataviewer	61.98% <ø> (ø)

*This pull request uses carry forward flags. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.