chore(deps): update dependency mlflow to v2.10.1 [security] #419

Open


@renovate renovate bot commented Sep 6, 2023


This PR contains the following updates:

Package   Change
mlflow    2.2.2 -> 2.10.1

GitHub Vulnerability Alerts

CVE-2023-2356

Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1.

GHSA-83fm-w79m-64r5

Impact

Users of the MLflow Open Source Project who are hosting the MLflow Model Registry using the mlflow server or mlflow ui commands using an MLflow version older than MLflow 2.3.1 may be vulnerable to a remote file access exploit if they are not limiting who can query their server (for example, by using a cloud VPC, an IP allowlist for inbound requests, or authentication / authorization middleware).

This issue only affects users and integrations that run the mlflow server and mlflow ui commands. Integrations that do not make use of mlflow server or mlflow ui are unaffected; for example, the Databricks Managed MLflow product and MLflow on Azure Machine Learning do not make use of these commands and are not impacted by these vulnerabilities in any way.

The vulnerability is very similar to https://nvd.nist.gov/vuln/detail/CVE-2023-1177, and a separate CVE will be published and updated here shortly.

Patches

This vulnerability has been patched in MLflow 2.3.1, which was released to PyPI on April 27th, 2023. If you are using mlflow server or mlflow ui with the MLflow Model Registry, we recommend upgrading to MLflow 2.3.1 as soon as possible.

Workarounds

If you are using the MLflow open source mlflow server or mlflow ui commands, we strongly recommend limiting who can access your MLflow Model Registry and MLflow Tracking servers using a cloud VPC, an IP allowlist for inbound requests, authentication / authorization middleware, or another access restriction mechanism of your choosing.

If you are using the MLflow open source mlflow server or mlflow ui commands, we also strongly recommend limiting the remote files to which your MLflow Model Registry and MLflow Tracking servers have access. For example, if your MLflow Model Registry or MLflow Tracking server uses cloud-hosted blob storage for MLflow artifacts, make sure to restrict the scope of your server's cloud credentials such that it can only access files and directories related to MLflow.

References

CVE-2023-2780

mlflow prior to 2.3.0 is vulnerable to path traversal due to a bypass of the fix for CVE-2023-1177.

CVE-2023-3765

Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0.

CVE-2023-4033

OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.

CVE-2023-6015

MLflow allowed arbitrary files to be PUT onto the server.

CVE-2023-43472

An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API.

CVE-2023-6568

A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the user without adequate sanitization or escaping, leading to arbitrary JavaScript execution in the context of the victim's browser. The vulnerability is present in the mlflow/server/auth/__init__.py file, where the user-supplied Content-Type header is directly injected into a Python formatted string and returned to the user, facilitating the XSS attack.

CVE-2023-6709

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.

CVE-2023-6753

Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2.

CVE-2023-6831

Path Traversal: '..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

CVE-2023-6940

With only one user interaction (download a malicious config), attackers can gain full command execution on the victim system.

CVE-2023-6975

A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.

CVE-2023-6977

This vulnerability enables malicious users to read sensitive files on the server.

CVE-2023-6974

A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (i.e., an AWS instance) it could be abused to get remote code execution on the victim machine.

CVE-2023-6976

This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.

CVE-2023-6909

Path Traversal: '..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

CVE-2024-27132

Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe.

This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook.

The vulnerability stems from lack of sanitization over template variables.

CVE-2024-27133

Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields.

CVE-2023-6014

An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirement.

CVE-2024-3573

mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exploit this by crafting malicious model versions with specially crafted 'source' parameters, enabling the reading of sensitive files within at least two directory levels from the server's root.

CVE-2024-4263

A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT permissions on an experiment can delete any artifacts. This issue arises due to the lack of proper validation for DELETE requests by users with EDIT permissions, allowing them to perform unauthorized deletions of artifacts. The vulnerability specifically affects the handling of artifact deletions within the application, as demonstrated by the ability of a low privilege user to delete a directory inside an artifact using a DELETE request, despite the official documentation stating that users with EDIT permission can only read and update artifacts, not delete them.


Release Notes

mlflow/mlflow (mlflow)

v2.10.1

Compare Source

MLflow 2.10.1 is a patch release, containing fixes for various bugs in the transformers and langchain flavors, the MLflow UI, and the S3 artifact store. More details can be found in the patch notes below.

Bug fixes:

  • [UI] Fixed a bug that prevented datasets from showing up in the MLflow UI (#​10992, @​daniellok-db)
  • [Artifact Store] Fixed directory bucket region name retrieval (#​10967, @​kriscon-db)
  • Bug fixes for Transformers flavor
    • [Models] Fix an issue with transformer pipelines not inheriting the torch dtype specified on the model, causing pipeline inference to consume more resources than expected. (#​10979, @​B-Step62)
    • [Models] Fix non-idempotent prediction due to in-place update to model-config (#​11014, @​B-Step62)
    • [Models] Fixed a bug affecting prompt templating with Text2TextGeneration pipelines. Previously, calling predict() on a pyfunc-loaded Text2TextGeneration pipeline would fail for string and List[string] inputs. (#​10960, @​B-Step62)
  • Bug fixes for Langchain flavor

Documentation updates:

Small bug fixes and documentation updates:

#​10930, #​11005, @​serena-ruan; #​10927, @​harupy

v2.10.0

Compare Source

MLflow 2.10.0 includes several major features and improvements

In MLflow 2.10, we're introducing a number of significant new features that are preparing the way for current and future enhanced support for Deep Learning use cases, new features to support a broadened support for GenAI applications, and some quality of life improvements for the MLflow Deployments Server (formerly the AI Gateway).

Our biggest features this release are:

  • We have a new home. The new site landing page is fresh, modern, and contains more content than ever. We're adding new content and blogs all of the time.

  • Objects and Arrays are now available as configurable input and output schema elements. These new types are particularly useful for GenAI-focused flavors that can have complex input and output types. See the new Signature and Input Example documentation to learn more about how to use these new signature types.

  • LangChain has autologging support now! When you invoke a chain, with autologging enabled, we will automatically log most chain implementations, recording and storing your configured LLM application for you. See the new Langchain documentation to learn more about how to use this feature.

  • The MLflow transformers flavor now supports prompt templates. You can now specify an application-specific set of instructions to submit to your GenAI pipeline in order to simplify, streamline, and integrate sets of system prompts to be supplied with each input request. Check out the updated guide to transformers to learn more and see examples!

  • The MLflow Deployments Server now supports two new requested features: (1) OpenAI endpoints that support streaming responses. You can now configure an endpoint to return realtime responses for Chat and Completions instead of waiting for the entire text contents to be completed. (2) Rate limits can now be set per endpoint in order to help control cost overrun when using SaaS models.

  • Continued the push for enhanced documentation, guides, tutorials, and examples by expanding on core MLflow functionality (Deployments, Signatures, and Model Dependency management), as well as entirely new pages for GenAI flavors. Check them out today!

Features:

Bug fixes:

Documentation updates:

Small bug fixes and documentation updates:

#​10538, #​10901, #​10903, #​10876, #​10833, #​10859, #​10867, #​10843, #​10857, #​10834, #​10814, #​10805, #​10764, #​10771, #​10733, #​10724, #​10703, #​10710, #​10696, #​10691, #​10692, @​B-Step62; #​10882, #​10854, #​10395, #​10725, #​10695, #​10712, #​10707, #​10667, #​10665, #​10654, #​10638, #​10628, @​harupy; #​10881, #​10875, #​10835, #​10845, #​10844, #​10651, #​10806, #​10786, #​10785, #​10781, #​10741, #​10772, #​10727, @​serena-ruan; #​10873, #​10755, #​10750, #​10749, #​10619, @​WeichenXu123; #​10877, @​amueller; #​10852, @​QuentinAmbard; #​10822, #​10858, @​gabrielfu; #​10862, @​jerrylian-db; #​10840, @​ernestwong-db; #​10841, #​10795, #​10792, #​10774, #​10776, #​10672, @​BenWilson2; #​10827, #​10826, #​10825, #​10732, #​10481, @​michael-berk; #​10828, #​10680, #​10629, @​daniellok-db; #​10799, #​10800, #​10578, #​10782, #​10783, #​10723, #​10464, @​annzhang-db; #​10803, #​10731, #​10708, @​kriscon-db; #​10797, @​dbczumar; #​10756, #​10751, @​Ankit8848; #​10784, @​AveshCSingh; #​10769, #​10763, #​10717, @​chenmoneygithub; #​10698, @​rmalani-db; #​10767, @​liangz1; #​10682, @​cdreetz; #​10659, @​prithvikannan; #​10639, #​10609, @​TomeHirata

v2.9.2

Compare Source

MLflow 2.9.2 is a patch release, containing several critical security fixes and configuration updates to support extremely large model artifacts.

Features:

  • [Deployments] Add the mlflow.deployments.openai API to simplify direct access to OpenAI services through the deployments API (#​10473, @​prithvikannan)
  • [Server-infra] Add a new environment variable that permits disabling http redirects within the Tracking Server for enhanced security in publicly accessible tracking server deployments (#​10673, @​daniellok-db)
  • [Artifacts] Add environment variable configurations for both Multi-part upload and Multi-part download that permits modifying the per-chunk size to support extremely large model artifacts (#​10648, @​harupy)

Security fixes:

  • [Server-infra] Disable the ability to inject malicious code via manipulated YAML files by forcing YAML rendering to be performed in a secure Sandboxed mode (#​10676, @​BenWilson2, #​10640, @​harupy)
  • [Artifacts] Prevent path traversal attacks when querying artifact URI locations by disallowing .. path traversal queries (#​10653, @​B-Step62)
  • [Data] Prevent a mechanism for conducting a malicious file traversal attack on Windows when using tracking APIs that interface with HTTPDatasetSource (#​10647, @​BenWilson2)
  • [Artifacts] Prevent a potential path traversal attack vector via encoded url traversal paths by decoding paths prior to evaluation (#​10650, @​B-Step62)
  • [Artifacts] Prevent the ability to conduct path traversal attacks by enforcing the use of sanitized paths with the tracking server (#​10666, @​harupy)
  • [Artifacts] Prevent path traversal attacks when using an FTP server as a backend store by enforcing base path declarations prior to accessing user-supplied paths (#​10657, @​harupy)

Documentation updates:

Small bug fixes and documentation updates:

#​10677, #​10636, @​serena-ruan; #​10652, #​10649, #​10641, @​harupy; #​10643, #​10632, @​BenWilson2

v2.9.1

Compare Source

MLflow 2.9.1 is a patch release, containing a critical bug fix related to loading pyfunc models that were saved in previous versions of MLflow.

Bug fixes:

  • [Models] Revert Changes to PythonModel that introduced loading issues for models saved in earlier versions of MLflow (#​10626, @​BenWilson2)

Small bug fixes and documentation updates:

#​10625, @​BenWilson2

v2.9.0

Compare Source

MLflow 2.9.0 includes several major features and improvements.

MLflow AI Gateway deprecation (#​10420, @​harupy):

The feature previously known as MLflow AI Gateway has been moved to utilize the MLflow deployments API.
For guidance on migrating from the AI Gateway to the new deployments API, please see the [MLflow AI Gateway Migration Guide](https://mlflow.org/docs/latest/llms/gateway/migration.html).

MLflow Tracking docs overhaul (#​10471, @​B-Step62):

The MLflow tracking docs have been overhauled. We'd like your feedback on the new tracking docs!

Security fixes:

Three security patches have been filed with this release and CVEs have been issued with the details involved in the security patch and potential attack vectors. Please review and update your tracking server deployments if your tracking server is not securely deployed and has open access to the internet.

Features:

Bug fixes:

Documentation updates:

Small bug fixes and documentation updates:

#​10567, #​10559, #​10348, #​10342, #​10264, #​10265, @​B-Step62; #​10595, #​10401, #​10418, #​10394, @​chenmoneygithub; #​10557, @​dan-licht; #​10584, #​10462, #​10445, #​10434, #​10432, #​10412, #​10411, #​10408, #​10407, #​10403, #​10361, #​10340, #​10339, #​10310, #​10276, #​10268, #​10260, #​10224, #​10214, @​harupy; #​10415, @​jessechancy; #​10579, #​10555, @​annzhang-db; #​10540, @​wllgrnt; #​10556, @​smurching; #​10546, @​mbenoit29; #​10534, @​gabrielfu; #​10532, #​10485, #​10444, #​10433, #​10375, #​10343, #​10192, @​serena-ruan; #​10480, #​10416, #​10173, @​jerrylian-db; #​10527, #​10448, #​10443, #​10442, #​10441, #​10440, #​10439, #​10381, @​prithvikannan; #​10509, @​keenranger; #​10508, #​10494, @​WeichenXu123; #​10489, #​10266, #​10210, #​10103, @​TomeHirata; #​10495, #​10435, #​10185, @​daniellok-db; #​10319, @​michael-berk; #​10417, @​bbqiu; #​10379, #​10372, #​10282, @​BenWilson2; #​10297, @​KonakanchiSwathi; #​10226, #​10223, #​10221, @​milinddethe15; #​10222, @​flooxo; #​10590, @​letian-w;

v2.8.1

Compare Source

MLflow 2.8.1 is a patch release, containing some critical bug fixes and an update to our continued work on reworking our docs.

Notable details:

  • The API mlflow.llm.log_predictions is being marked as deprecated, as its functionality has been incorporated into mlflow.log_table. This API will be removed in the 2.9.0 release. (#​10414, @​dbczumar)

Bug fixes:

  • [Artifacts] Fix a regression in 2.8.0 where downloading a single file from a registered model would fail (#​10362, @​BenWilson2)
  • [Evaluate] Fix the Azure OpenAI integration for mlflow.evaluate when using LLM judge metrics (#​10291, @​prithvikannan)
  • [Evaluate] Change Examples to optional for the make_genai_metric API (#​10353, @​prithvikannan)
  • [Evaluate] Remove the fastapi dependency when using mlflow.evaluate for LLM results (#​10354, @​prithvikannan)
  • [Evaluate] Fix syntax issues and improve the formatting for generated prompt templates (#​10402, @​annzhang-db)
  • [Gateway] Fix the Gateway configuration validator pre-check for OpenAI to perform instance type validation (#​10379, @​BenWilson2)
  • [Tracking] Fix an intermittent issue with hanging threads when using asynchronous logging (#​10374, @​chenmoneygithub)
  • [Tracking] Add a timeout for the mlflow.login() API to catch invalid hostname configuration input errors (#​10239, @​chenmoneygithub)
  • [Tracking] Add a flush operation at the conclusion of logging system metrics (#​10320, @​chenmoneygithub)
  • [Models] Correct the prompt template generation logic within the Prompt Engineering UI so that the prompts can be used in the Python API (#​10341, @​daniellok-db)
  • [Models] Fix an issue in the SHAP model explainability functionality within mlflow.shap.log_explanation so that duplicate or conflicting dependencies are not registered when logging (#​10305, @​BenWilson2)

Documentation updates:

Small bug fixes and documentation updates:

#​10367, #​10359, #​10358, #​10340, #​10310, #​10276, #​10277, #​10247, #​10260, #​10220, #​10263, #​10259, #​10219, @​harupy; #​10313, #​10303, #​10213, #​10272, #​10282, #​10283, #​10231, #​10256, #​10242, #​10237, #​10238, #​10233, #​10229, #​10211, #​10231, #​10256, #​10242, #​10238, #​10237, #​10229, #​10233, #​10211, @​BenWilson2; #​10375, @​serena-ruan; #​10330, @​Haxatron; #​10342, #​10249, #​10249, @​B-Step62; #​10355, #​10301, #​10286, #​10257, #​10236, #​10270, #​10236, @​prithvikannan; #​10321, #​10258, @​jerrylian-db; #​10245, @​jessechancy; #​10278, @​daniellok-db; #​10244, @​gabrielfu; #​10226, @​milinddethe15; #​10390, @​bbqiu; #​10232, @​sunishsheth2009

v2.8.0

Compare Source

MLflow 2.8.0 includes several notable new features and improvements

  • The MLflow Evaluate API has had extensive feature development in this release to support LLM workflows and multiple new evaluation modalities. See the new documentation, guides, and tutorials for MLflow LLM Evaluate to learn more.
  • The MLflow Docs modernization effort has started. You will see a very different look and feel to the docs when visiting them, along with a batch of new tutorials and guides. More changes will be coming soon to the docs!
  • 4 new LLM providers have been added! Google PaLM 2, AWS Bedrock, AI21 Labs, and HuggingFace TGI can now be configured and used within the AI Gateway. Learn more in the new AI Gateway docs!

Features:


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
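
The 2.9.2 security fixes listed above name four checks for user-supplied artifact paths: decode before evaluating, reject `..` segments, treat the Windows `..\` form the same way, and enforce a base path. The sketch below is an added example combining them, not MLflow's own code; `ARTIFACT_ROOT`, `resolve_artifact_path` and the other names are hypothetical, and the sample inputs are constructed.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical artifact root, constructed for this example.
ARTIFACT_ROOT = "/srv/mlflow/artifacts"


class UnsafePathError(ValueError):
    """Raised when a user-supplied artifact path fails validation."""


def fully_unquote(value, max_rounds=5):
    """Percent-decode until the value stops changing, so that
    double-encoded input such as %252e%252e is checked in decoded form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise UnsafePathError("too many layers of percent-encoding")


def resolve_artifact_path(user_path, root=ARTIFACT_ROOT):
    """Return the normalized path under root, or raise UnsafePathError."""
    root = posixpath.normpath(root)

    # 1. Decode first, then evaluate: checks on the raw string miss %2e%2e.
    decoded = fully_unquote(user_path)
    if "\x00" in decoded:
        raise UnsafePathError("NUL byte in path")

    # 2. Treat backslashes as separators so '..\\filename' is caught
    #    even when the server itself runs on a POSIX system.
    normalized = decoded.replace("\\", "/")

    # 3. Reject absolute paths, including Windows drive-letter forms.
    if normalized.startswith("/") or normalized[1:2] == ":":
        raise UnsafePathError("absolute paths are not allowed")

    # 4. Reject any '..' segment outright rather than trying to collapse it.
    if ".." in normalized.split("/"):
        raise UnsafePathError("'..' segments are not allowed")

    # 5. Enforce the base path on the final, normalized candidate.
    candidate = posixpath.normpath(posixpath.join(root, normalized))
    if posixpath.commonpath([root, candidate]) != root:
        raise UnsafePathError("path escapes the artifact root")
    return candidate


def is_safe(user_path, root=ARTIFACT_ROOT):
    """Boolean wrapper around resolve_artifact_path."""
    try:
        resolve_artifact_path(user_path, root)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs covering each check.
    samples = [
        "model/MLmodel",
        "model..v2/weights.bin",
        "../../etc/passwd",
        "%2e%2e%2fsecret",
        "%252e%252e%252fsecret",
        "..\\..\\windows\\win.ini",
        "/etc/passwd",
        "C:\\Windows\\win.ini",
    ]
    for sample in samples:
        print(f"{sample!r:32} -> {'ok' if is_safe(sample) else 'rejected'}")
```

Filenames that merely contain two dots, such as `model..v2`, still pass because the check works on whole path segments rather than substrings.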


codecov bot commented Sep 6, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 18.47%. Comparing base (7406a2a) to head (ee1f921).

Current head ee1f921 differs from pull request most recent head 5560b08

Please upload reports for the commit 5560b08 to get more accurate results.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #419   +/-   ##
=======================================
  Coverage   18.47%   18.47%           
=======================================
  Files          29       29           
  Lines        3631     3631           
  Branches      477      477           
=======================================
  Hits          671      671           
  Misses       2951     2951           
  Partials        9        9           


@cameronraysmith cameronraysmith added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Sep 13, 2023
@renovate renovate bot force-pushed the renovate/pypi-mlflow-vulnerability branch from e6bf8a1 to 7a5a6e4 Compare November 16, 2023 23:03
@renovate renovate bot changed the title chore(deps): update dependency mlflow to v2.6.0 [security] chore(deps): update dependency mlflow to v2.8.1 [security] Nov 16, 2023
@renovate renovate bot force-pushed the renovate/pypi-mlflow-vulnerability branch from 7a5a6e4 to d412381 Compare December 11, 2023 22:21
@renovate renovate bot changed the title chore(deps): update dependency mlflow to v2.8.1 [security] chore(deps): update dependency mlflow to v2.9.0 [security] Dec 11, 2023
@renovate renovate bot changed the title chore(deps): update dependency mlflow to v2.9.0 [security] chore(deps): update dependency mlflow to v2.9.0 [security] - autoclosed Dec 13, 2023
@renovate renovate bot closed this Dec 13, 2023
@renovate renovate bot deleted the renovate/pypi-mlflow-vulnerability branch December 13, 2023 15:49
@renovate renovate bot restored the renovate/pypi-mlflow-vulnerability branch December 14, 2023 07:48
@renovate renovate bot changed the title chore(deps): update dependency mlflow to v2.9.0 [security] - autoclosed chore(deps): update dependency mlflow to v2.9.0 [security] Dec 14, 2023
@renovate renovate bot reopened this Dec 14, 2023
@renovate renovate bot force-pushed the renovate/pypi-mlflow-vulnerability branch from d412381 to 4c4ff3d Compare December 14, 2023 07:50
@renovate renovate bot changed the title chore(deps): update dependency mlflow to v2.9.0 [security] chore(deps): update dependency mlflow to v2.9.2 [security] Dec 14, 2023

renovate bot commented Jan 3, 2024

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

Warning: custom changes will be lost.

@renovate renovate bot changed the title chore(deps): update dependency mlflow to v2.9.2 [security] chore(deps): update dependency mlflow to v2.9.2 [security] - autoclosed Feb 24, 2024
@renovate renovate bot closed this Feb 24, 2024
@renovate renovate bot deleted the renovate/pypi-mlflow-vulnerability branch February 24, 2024 03:37
@renovate renovate bot changed the title chore(deps): update dependency mlflow to v2.9.2 [security] - autoclosed chore(deps): update dependency mlflow to v2.9.2 [security] Feb 24, 2024
@renovate renovate bot reopened this Feb 24, 2024
@renovate renovate bot restored the renovate/pypi-mlflow-vulnerability branch February 24, 2024 03:49
@renovate renovate bot force-pushed the renovate/pypi-mlflow-vulnerability branch 2 times, most recently from 8c5934f to ee1f921 Compare February 26, 2024 22:31
@renovate renovate bot changed the title chore(deps): update dependency mlflow to v2.9.2 [security] chore(deps): update dependency mlflow to v2.10.0 [security] Feb 26, 2024
@renovate renovate bot force-pushed the renovate/pypi-mlflow-vulnerability branch from ee1f921 to 5560b08 Compare May 16, 2024 23:34
@renovate renovate bot changed the title chore(deps): update dependency mlflow to v2.10.0 [security] chore(deps): update dependency mlflow to v2.10.1 [security] May 16, 2024