Bump the pip group across 1 directory with 3 updates

[dependabot]

Bumps the pip group with 3 updates in the / directory: scikit-learn, mlflow and gunicorn.

Updates scikit-learn from 1.3.2 to 1.5.0

Release notes

Sourced from scikit-learn's releases.

Scikit-learn 1.5.0

We're happy to announce the 1.5.0 release.

You can read the release highlights under https://scikit-learn.org/stable/auto_examples/release_highlights/plot_release_highlights_1_5_0.html and the long version of the change log under https://scikit-learn.org/stable/whats_new/v1.5.html

This version supports Python versions 3.9 to 3.12.

You can upgrade with pip as usual:

pip install -U scikit-learn

The conda-forge builds can be installed using:

conda install -c conda-forge scikit-learn

Scikit-learn 1.4.2

We're happy to announce the 1.4.2 release.

This release only includes support for numpy 2.

This version supports Python versions 3.9 to 3.12.

You can upgrade with pip as usual:

pip install -U scikit-learn

Scikit-learn 1.4.1.post1

We're happy to announce the 1.4.1.post1 release.

You can see the changelog here: https://scikit-learn.org/stable/whats_new/v1.4.html#version-1-4-1-post1

This version supports Python versions 3.9 to 3.12.

You can upgrade with pip as usual:

pip install -U scikit-learn

The conda-forge builds can be installed using:

conda install -c conda-forge scikit-learn

... (truncated)

Commits

• b51d0c9 trigger whell builder [cd build]
• 919ae9b MAINT Reoder what's new for 1.5 (#29039)
• 0ac28ad DOC Release highlights 1.5 (#29007)
• 729b54d test py3.12 against numpy 2 [cd build]
• 1e50434 set version
• ffbe4ab DOC remove obsolete SVM example (#27108)
• 4647729 DOC Fix time complexity of MLP (#28592)
• 9bd7047 FIX convergence criterion of MeanShift (#28951)
• b79420f FIX add long long for int32/int64 windows compat in NumPy 2.0 (#29029)
• 37f544d DOC replace pandas with Polars in examples/gaussian_process/plot_gpr_co2.py (...
• Additional commits viewable in compare view

Updates mlflow from 3.1.4 to 3.5.0

Release notes

Sourced from mlflow's releases.

v3.5.0

MLflow 3.5.0 includes several major features and improvements!

Major Features

• 🤖 Tracing support for Claude Code SDK: MLflow now provides a tracing integration for both the Claude Code CLI and SDK! Configure the autologging integration to track your prompts, Claude's responses, tool calls, and more. Check out this doc page to get started. (#18022, @​smoorjani)
• 🎯 Flexible Prompt Optimization API: Introduced a new flexible API for prompt optimization with support for model switching and the GEPA algorithm, enabling more efficient prompt tuning with fewer rollouts. See the documentation to get started. (#18183, #18031, @​TomeHirata)
• 🎨 Enhanced UI Onboarding: Improved in-product onboarding experience with trace quickstart drawer and updated homepage guidance to help users discover MLflow's latest features. (#18098, #18187, @​B-Step62)
• 🔐 Security Middleware for Tracking Server: Added a security middleware layer to protect against DNS rebinding, CORS attacks, and other security threats. Read the documentation for configuration details. (#17910, @​BenWilson2)

Features

• [Tracing / Tracking] Add unlink_traces_from_run batch operation (#18316, @​harupy)
• [Tracing] Add batch trace link/unlink operations to DatabricksTracingRestStore (#18295, @​harupy)
• [Tracking] Claude Code SDK autologging support (#18022, @​smoorjani)
• [Tracing] Add support for reading trace configuration from environment variables (#17792, @​joelrobin18)
• [Tracking] Mistral tracing improvements (#16370, @​joelrobin18)
• [Tracking] Gemini token count tracking (#16248, @​joelrobin18)
• [Tracking] Gemini streaming support (#16249, @​joelrobin18)
• [Tracking] CrewAI token count tracking with documentation updates (#16373, @​joelrobin18)
• [Evaluation] Allow passing empty scorer list for manual result comparison (#18265, @​B-Step62)
• [Evaluation] Log assessments to DSPy evaluation traces (#18136, @​B-Step62)
• [Evaluation] Add support for trace inputs to built-in scorers (#17943, @​BenWilson2)
• [Evaluation] Add synonym handling for built-in scorers (#17980, @​BenWilson2)
• [Evaluation] Add span timing tool for Agent Judges (#17948, @​BenWilson2)
• [Evaluation] Allow disabling evaluation sample check (#18032, @​B-Step62)
• [Evaluation] Reduce verbosity of SIMBA optimizer logs when aligning judges (#17795, @​BenWilson2)
• [Evaluation] Add __repr__ method for Judges (#17794, @​BenWilson2)
• [Prompts] Add prompt registry support to MLflow webhooks (#17640, @​harupy)
• [Prompts] Prompt Registry Chat UI (#17334, @​joelrobin18)
• [UI] Delete parent and child runs together (#18052, @​joelrobin18)
• [UI] Added move to top, move to bottom for charts (#17742, @​joelrobin18)
• [Tracking] Use sampling data for run comparison to improve performance (#17645, @​lkuo)
• [Tracking] Add optional 'outputs' column for evaluation dataset records (#17735, @​WeichenXu123)
• [Tracking] Job backend execution (#17676, #18012, #18070, #18071, #18112, #18049, @​WeichenXu123)

Bug Fixes

• [Tracing] Fix parent run resolution mechanism for LangChain (#17273, @​B-Step62)
• [Tracing] Add client-side retry for get_trace to improve reliability (#18224, @​B-Step62)
• [Tracing] Fix OpenTelemetry dual export (#18163, @​B-Step62)
• [Tracing] Suppress false warnings from span logging (#18092, #18276, @​B-Step62)
• [Tracing] Fix OpenTelemetry resource attributes not propagating correctly (#18019, @​xiaosha007)
• [Tracing] Fix DSPy prompt display (#17988, @​B-Step62)
• [Tracing] Fix usage aggregation to avoid ancestor duplication (#17921, @​TomeHirata)
• [Tracing] Fix double counting in Strands tracing (#17855, @​joelrobin18)
• [Tracing] Fix to_predict_fn to handle traces without tags field (#17784, @​harupy)
• [Tracing] URL-encode trace tag keys in delete_trace_tag to prevent 404 errors (#18232, @​copilot-swe-agent)
• [Tracking] Fix Claude Code autologging inputs not displaying (#17858, @​smoorjani)
• [Tracking] Fix runs with 0-valued metrics not appearing in experiment list contour plots (#17916, @​WeichenXu123)

... (truncated)

Changelog

Sourced from mlflow's changelog.

3.5.0 (2025-10-16)

MLflow 3.5.0 includes several major features and improvements!

Major Features

• ⚙️ Job Execution Backend: Introduced a new job execution backend infrastructure for running asynchronous tasks with individual execution pools, job search capabilities, and transient error handling. (#17676, #18012, #18070, #18071, #18112, #18049, @​WeichenXu123)
• 🎯 Flexible Prompt Optimization API: Introduced a new flexible API for prompt optimization with support for model switching and the GEPA algorithm, enabling more efficient prompt tuning with fewer rollouts. See the documentation to get started. (#18183, #18031, @​TomeHirata)
• 🎨 Enhanced UI Onboarding: Improved in-product onboarding experience with trace quickstart drawer and updated homepage guidance to help users discover MLflow's latest features. (#18098, #18187, @​B-Step62)
• 🔐 Security Middleware for Tracking Server: Added a security middleware layer to protect against DNS rebinding, CORS attacks, and other security threats. Read the documentation for configuration details. (#17910, @​BenWilson2)

Features

• [Tracing / Tracking] Add unlink_traces_from_run batch operation (#18316, @​harupy)
• [Tracing] Add batch trace link/unlink operations to DatabricksTracingRestStore (#18295, @​harupy)
• [Tracking] Claude Code SDK autologging support (#18022, @​smoorjani)
• [Tracing] Add support for reading trace configuration from environment variables (#17792, @​joelrobin18)
• [Tracking] Mistral tracing improvements (#16370, @​joelrobin18)
• [Tracking] Gemini token count tracking (#16248, @​joelrobin18)
• [Tracking] Gemini streaming support (#16249, @​joelrobin18)
• [Tracking] CrewAI token count tracking with documentation updates (#16373, @​joelrobin18)
• [Evaluation] Allow passing empty scorer list for manual result comparison (#18265, @​B-Step62)
• [Evaluation] Log assessments to DSPy evaluation traces (#18136, @​B-Step62)
• [Evaluation] Add support for trace inputs to built-in scorers (#17943, @​BenWilson2)
• [Evaluation] Add synonym handling for built-in scorers (#17980, @​BenWilson2)
• [Evaluation] Add span timing tool for Agent Judges (#17948, @​BenWilson2)
• [Evaluation] Allow disabling evaluation sample check (#18032, @​B-Step62)
• [Evaluation] Reduce verbosity of SIMBA optimizer logs when aligning judges (#17795, @​BenWilson2)
• [Evaluation] Add __repr__ method for Judges (#17794, @​BenWilson2)
• [Prompts] Add prompt registry support to MLflow webhooks (#17640, @​harupy)
• [Prompts] Prompt Registry Chat UI (#17334, @​joelrobin18)
• [UI] Delete parent and child runs together (#18052, @​joelrobin18)
• [UI] Added move to top, move to bottom for charts (#17742, @​joelrobin18)
• [Tracking] Use sampling data for run comparison to improve performance (#17645, @​lkuo)
• [Tracking] Add optional 'outputs' column for evaluation dataset records (#17735, @​WeichenXu123)

Bug Fixes

• [Tracing] Fix parent run resolution mechanism for LangChain (#17273, @​B-Step62)
• [Tracing] Add client-side retry for get_trace to improve reliability (#18224, @​B-Step62)
• [Tracing] Fix OpenTelemetry dual export (#18163, @​B-Step62)
• [Tracing] Suppress false warnings from span logging (#18092, #18276, @​B-Step62)
• [Tracing] Fix OpenTelemetry resource attributes not propagating correctly (#18019, @​xiaosha007)
• [Tracing] Fix DSPy prompt display (#17988, @​B-Step62)
• [Tracing] Fix usage aggregation to avoid ancestor duplication (#17921, @​TomeHirata)
• [Tracing] Fix double counting in Strands tracing (#17855, @​joelrobin18)
• [Tracing] Fix to_predict_fn to handle traces without tags field (#17784, @​harupy)
• [Tracing] URL-encode trace tag keys in delete_trace_tag to prevent 404 errors (#18232, @​copilot-swe-agent)
• [Tracking] Fix Claude Code autologging inputs not displaying (#17858, @​smoorjani)
• [Tracking] Fix runs with 0-valued metrics not appearing in experiment list contour plots (#17916, @​WeichenXu123)

... (truncated)

Commits

• 77b2695 Run python3 dev/update_mlflow_versions.py pre-release ... (#18355)
• fc2fb36 Revert "Add atomicity to job_start API (#18226)"
• e7b2177 Revert "Fix response handling in log_spans (#18280)" (#18349)
• 5d86ffe Create set_databricks_monitoring_sql_warehouse_id API (#18346)
• 250985f Fetch config after adding first record (#18338)
• ad0aad1 Fix log_metrics slowness for get run (#18241)
• 05a0111 Increase max height of params/metrics boxes (#18306)
• 3e24457 Implement lazy logger initialization in claude_code.tracing (#18339)
• 892bed1 Add github feature requests on the GenAI doc (#18342)
• f605177 Minor comment fix for extract_retrieval_context_from_trace (#18331)
• Additional commits viewable in compare view

Updates gunicorn from 21.2.0 to 22.0.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17
===================

use utime to notify workers liveness
migrate setup to pyproject.toml
fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
parsing additional requests is no longer attempted past unsupported request framing
on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
Trailer fields are no longer inspected for headers indicating secure scheme
support Python 3.12

** Breaking changes **

minimum version is Python 3.7
the limitations on valid characters in the HTTP method have been bounded to Internet Standards
requests specifying unsupported transfer coding (order) are refused by default (rare)
HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
HTTP methods containing the number sign (#) are no longer accepted by default (rare)
HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

** SECURITY **

fix CVE-2024-1135

1. Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
2. Packages: https://pypi.org/project/gunicorn/

Commits

• f63d59e bump to 22.0
• 4ac81e0 Merge pull request #3175 from e-kwsm/typo
• 401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
• 0243ec3 fix(deps): exclude eventlet 0.36.0
• 628a0bc chore: fix typos
• 88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
• deae2fc CI: back off the agressive timeout
• f470382 docs: promise 3.12 compat
• 5e30bfa add changelog to project.urls (updated for PEP621)
• 481c3f9 remove setup.cfg - overridden by pyproject.toml
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.