chore(deps): bump the pip group across 1 directory with 2 updates

[dependabot]

Bumps the pip group with 2 updates in the /lib/python directory: mlflow and protobuf.

Updates mlflow from 2.12.1 to 2.22.2

Release notes

Sourced from mlflow's releases.

v2.22.2

Lightweight patch release to backport #15970 to v2.22.2.

v2.22.1

MLflow 2.22.1 includes several major features and improvements

Features:

• [Scoring] For DBConnect client, make spark_udf support DBR 15.4 and DBR dedicated cluster (#15938, @​WeichenXu123)

Bug fixes:

• [Model Registry] Log Resources from SystemAuthPolicy in CreateModelVersion (#15485, @​aravind-segu)
• [Tracking] Trace search: Avoid spawning threads for span fetching if include_spans=False (#, @​dbczumar)

Documentation updates:

• [Docs] Spark UDF Doc update (#15586, @​WeichenXu123)

Small bug fixes and documentation updates:

#15523, #15728, @​TomeHirata; #13997, #16025, #15647, #16030, @​harupy; #15786, @​rahuja23; #15703, @​joelrobin18; #15612, @​serena-ruan; #16031, @​daniellok-db; #15841, @​frontsideair; #15807, @​B-Step62

MLflow 2.22.0 brings important bug fixes and improves the UI and tracking capabilities.

Features:

• [Tracking] Supported tracing for OpenAI Responses API (#15240, @​B-Step62)
• [Tracking] Introduced get_last_active_trace_id, which affects model serving/monitoring logic (#15233, @​B-Step62)
• [Tracking] Introduced async export for Databricks traces (default behavior) (#15163, @​B-Step62)
• [AI Gateway] Added Gemini embeddings support with corresponding unit tests (#15017, @​joelrobin18)
• [Tracking / SQLAlchemy] MySQL SSL connections are now supported with client certs (#14839, @​aksylumoed)
• [Models] Added Optuna storage utility for enabling parallel hyperparameter tuning (#15243, @​XiaohanZhangCMU)
• [Artifacts] Added support for Azure Data Lake Storage (ADLS) artifact repositories (#14723, @​serena-ruan)
• [UI] Artifact views for text now auto-refresh in the UI (#14939, @​joelrobin18)

Bug Fixes:

• [Tracking / UI] Fixed serialization for structured output in langchain_tracer + added unit tests (#14971, @​joelrobin18)
• [Server-infra] Enforced password validation for authentication (min. 8 characters) (#15287, @​WeichenXu123)
• [Deployments] Resolved an issue with the OpenAI Gateway adapter (#15286, @​WeichenXu123)
• [Artifacts / Tracking / Server-infra] Normalized paths by stripping trailing slashes (#15016, @​tarek7669)
• [Tags] Fixed bug where tag values containing ": " were being truncated (#14896, @​harupy)

Small bug fixes and documentation updates:

#15396, #15379, #15292, #15305, #15078, #15251, #15267, #15208, #15104, #15045, #15084, #15055, #15056, #15048, #14946, #14956, #14903, #14854, #14830, @​serena-ruan; #15417, #15256, #15186, #15007, @​TomeHirata; #15119, @​bbqiu; #15413, #15314, #15311, #15303, #15301, #15288, #15275, #15269, #15272, #15268, #15262, #15266, #15264, #15261, #15252, #15249, #15244, #15236, #15235, #15237, #15140, #14982, #14898, #14893, #14861, #14870, #14853, #14849, #14813, #14822, @​harupy; #15333, #15298, #15300, #15156, #15019, #14957, @​B-Step62; #15313, #15297, #14880, @​daniellok-db; #15066, #15074, #14913, @​joelrobin18; #15232, @​kbolashev; #15242, @​dbczumar; #15210, #15178, @​WeichenXu123; #15187, #15177, @​hubertzub-db; #15059, #15070, #15050, #15012, #14959, #14918, #15005, #14965, #14858, #14930, #14927, #14786, #14883, #14863, #14852, #14788, @​Gumichocopengin8; #15134, #15129, #15120, #15117, #15002, #14997, #14996, #14998, #14975, #14874, @​mlflow-automation; #14920, #14919, @​jaceklaskowski

MLflow 2.21.3 includes a few bug fixes and feature updates.

... (truncated)

Changelog

Sourced from mlflow's changelog.

CHANGELOG

3.4.0rc0 (2025-09-11)

MLflow 3.4.0rc0 includes several major features and improvements

Major New Features

• 📊 OpenTelemetry Metrics Export: MLflow now exports span-level statistics as OpenTelemetry metrics, providing enhanced observability and monitoring capabilities for traced applications. (#17325, @​dbczumar)
• 🤖 MCP Server Integration: Introducing the Model Context Protocol (MCP) server for MLflow, enabling AI assistants and LLMs to interact with MLflow programmatically. (#17122, @​harupy)
• 🧑‍⚖️ Custom Judges API: New make_judge API enables creation of custom evaluation judges for assessing LLM outputs with domain-specific criteria. (#17647, @​BenWilson2, @​dbczumar, @​alkispoly-db, @​smoorjani)
• 📈 Correlations Backend: Implemented backend infrastructure for storing and computing correlations between experiment metrics using NPMI (Normalized Pointwise Mutual Information). (#17309, #17368, @​BenWilson2)
• 🗂️ Evaluation Datasets: MLflow now supports storing and versioning evaluation datasets directly within experiments for reproducible model assessment. (#17447, @​BenWilson2)
• 🔗 Databricks Backend for MLflow Server: MLflow server can now use Databricks as a backend, enabling seamless integration with Databricks workspaces. (#17411, @​nsthorat)
• 🤖 Claude Autologging: Automatic tracing support for Claude AI interactions, capturing conversations and model responses. (#17305, @​smoorjani)
• 🌊 Strands Agent Tracing: Added comprehensive tracing support for Strands agents, including automatic instrumentation for agent workflows and interactions. (#17151, @​joelrobin18)

Features:

• [Evaluation] Add ability to pass tags via dataframe in mlflow.genai.evaluate (#17549, @​smoorjani)
• [Evaluation] Add custom judge model support for Safety and RetrievalRelevance builtin scorers (#17526, @​dbrx-euirim)
• [Tracing] Add AI commands as MCP prompts for LLM interaction (#17608, @​nsthorat)
• [Tracing] Add MLFLOW_ENABLE_OTLP_EXPORTER environment variable (#17505, @​dbczumar)
• [Tracing] Support OTel and MLflow dual export (#17187, @​dbczumar)
• [Tracing] Make set_destination use ContextVar for thread safety (#17219, @​B-Step62)
• [CLI] Add MLflow commands CLI for exposing prompt commands to LLMs (#17530, @​nsthorat)
• [CLI] Add 'mlflow runs link-traces' command (#17444, @​nsthorat)
• [CLI] Add 'mlflow runs create' command for programmatic run creation (#17417, @​nsthorat)
• [CLI] Add MLflow traces CLI command with comprehensive search and management capabilities (#17302, @​nsthorat)
• [CLI] Add --env-file flag to all MLflow CLI commands (#17509, @​nsthorat)
• [Tracking] Backend for storing scorers in MLflow experiments (#17090, @​WeichenXu123)
• [Model Registry] Allow cross-workspace copying of model versions between WMR and UC (#17458, @​arpitjasa-db)
• [Models] Add automatic Git-based model versioning for GenAI applications (#17076, @​harupy)
• [Models] Improve WheeledModel._download_wheels safety (#17004, @​serena-ruan)
• [Projects] Support resume run for Optuna hyperparameter optimization (#17191, @​lu-wang-dl)
• [Scoring] Add MLFLOW_DEPLOYMENT_CLIENT_HTTP_REQUEST_TIMEOUT environment variable (#17252, @​dbczumar)
• [UI] Add ability to hide/unhide all finished runs in Chart view (#17143, @​joelrobin18)
• [Telemetry] Add MLflow OSS telemetry for invoke_custom_judge_model (#17585, @​dbrx-euirim)

Bug fixes:

• [Evaluation] Implement DSPy LM interface for default Databricks model serving (#17672, @​smoorjani)
• [Evaluation] Fix aggregations incorrectly applied to legacy scorer interface (#17596, @​BenWilson2)
• [Evaluation] Add Unity Catalog table source support for mlflow.evaluate (#17546, @​BenWilson2)
• [Evaluation] Fix custom prompt judge encoding issues with custom judge models (#17584, @​dbrx-euirim)
• [Tracking] Fix OpenAI autolog to properly reconstruct Response objects from streaming events (#17535, @​WeichenXu123)
• [Tracking] Add basic authentication support in TypeScript SDK (#17436, @​kevin-lyn)
• [Tracking] Update scorer endpoints to v3.0 API specification (#17409, @​WeichenXu123)
• [Tracking] Fix scorer status handling in MLflow tracking backend (#17379, @​WeichenXu123)
• [Tracking] Fix missing source-run information in UI (#16682, @​WeichenXu123)

... (truncated)

Commits

• fb8a67c Bump version to 2.22.2 (#17456)
• 25c14d2 Validate gateway_path in gateway_proxy_handler (#15970)
• 491aac5 Run python3 dev/update_mlflow_versions.py pre-release ... (#16108)
• 3473e28 Spark UDF Doc update (#15586)
• c7a323d Update tests/pyfunc/docker/test_docker.py
• 07b3a0c Fix hugginface incompatibility (#15523)
• 35d7c71 Avoid pandas 2.3.0
• e3f9a85 pin huggingface_hub
• de5008b Unpin huggingface-hub (#13997)
• ad862e9 fix pytest
• Additional commits viewable in compare view

Updates protobuf from 3.20.3 to 4.25.8

Commits

• a4cbdd3 Updating version.json and repo version numbers to: 25.8
• 29445be Merge pull request #21880 from shaod2/py-25
• cc13b69 Remove debugging code and add EOLs
• d31100c Manually backport recursion limit enforcement to 25.x
• 88a3b90 Change pre-22 poison pill to only log once per affected message type. (#21754)
• 320eafa Weaken vulnerable gencode poison pills to warning by default.
• f584fe3 Merge branch 'protocolbuffers:25.x' into 25.x
• c710036 Update test_upb.yml to use ubuntu-22
• 9721758 Fix missing trailing newline.
• cca7b28 Update test_upb.yml to use ubuntu-22
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.