Skip to content

Upgrade mlflow to 3.12.0#160

Open
brentsea wants to merge 1 commit into
mainfrom
mlflow-3.12
Open

Upgrade mlflow to 3.12.0#160
brentsea wants to merge 1 commit into
mainfrom
mlflow-3.12

Conversation

@brentsea

Copy link
Copy Markdown
Collaborator

Bumps the MLflow client and tracking-server image from 3.7.0 to 3.12.0, keeping the
client pin, the server base image, and the lockfile coordinated. 3.12.0 is the last
release before the 3.13.0 RBAC overhaul, so this picks up several minor releases of
fixes without taking on the server-side permission-model migration that 3.13 requires.

Changes:

  • pyproject.toml, Dockerfile.mlflow (base image + pip install), and uv.lock
    all move to 3.12.0 together (these pins must move in lockstep - see the comment in
    pyproject.toml).
  • .github/dependabot.yml: tightened the mlflow ignore rule from >= 3.8 to >= 3.13
    so Dependabot can now propose 3.12.x patch bumps but still holds back the breaking
    3.13 RBAC release.
  • uv.lock regenerated for 3.12.0's transitive deps: adds prettytable and skops,
    and pins starlette down from 1.3.1 to 0.52.1. No first-party code changes needed.

Testing (local, full CI parity):

  • cli-test flow: rebuilt the MLflow image, server reports 3.12.0,
    scripts/check_mlflow_versions.sh + uv lock --check pass, and pytest is green
    (35 passed) against a fresh Postgres-backed 3.12 server.
  • jupyter-test flow: rebuilt the full stack (MLflow + Jupyter + vLLM mock); all four
    flightpaths/ notebooks execute successfully.

Notes:

  • Authentication is unchanged - the server still uses HTTP Basic Auth. 3.13's RBAC
    change is authorization-only and would be a separate server-side task.
  • Follow-ups (not in this PR): upgrade the shared dev tracking server to 3.12.0, then
    revisit the NaN/inf metric workaround in src/modelplane/runways/scorer.py
    (upstream MLflow issue #16555, fixed server-side in 3.2.0+).
  • This branch was developed and tested with the aid of Anthropic Opus 4.8

Bump the mlflow[auth] pin, the Dockerfile.mlflow base image, and its
pip install to 3.12.0, and regenerate uv.lock (adds prettytable and
skops, moves starlette to 0.52.1).

Raise the Dependabot mlflow ignore floor from >= 3.8 to >= 3.13 to stay
on the pre-RBAC side of MLflow; 3.13 overhauls auth into a new RBAC
model, so hold there until that upgrade is deliberately planned.
@brentsea brentsea requested a review from superdosh July 10, 2026 21:56
@brentsea brentsea requested a review from a team as a code owner July 10, 2026 21:56
@github-actions

Copy link
Copy Markdown

MLCommons CLA bot All contributors have signed the MLCommons CLA ✍️ ✅

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant