Bump the pip group across 1 directory with 3 updates

[dependabot]

Bumps the pip group with 3 updates in the / directory: mlflow, requests and python-dotenv.

Updates mlflow from 3.9.0rc0 to 3.11.0rc1

Release notes

Sourced from mlflow's releases.

v3.11.0rc1

Stripped third-party dependencies from evaluation and AI Gateway features, replacing external provider routing with built-in implementations.

v3.11.0rc0

We're excited to announce MLflow 3.11.0rc0, which includes several notable updates:

Major New Features:

• 🔍 Automatic Issue Identification: Automatically identify quality issues in your agent with AI! Use the new "Detect Issues" button in the traces table to analyze selected traces and surface potential problems across categories like correctness, safety, and performance. Issues are linked directly to traces for easy investigation and debugging. (#21431, #21204, #21165, #21163, #21161, @​smoorjani, @​serena-ruan)
• 💰 Gateway Budget Alerts & Limits: Control your AI Gateway spending with configurable budget policies! Set spending limits by time window (daily, weekly, or monthly), receive alerts before hitting limits, and prevent runaway costs with automatic request blocking. The new budget management UI lets you track spending, configure webhooks for notifications, and monitor violations across all your gateway endpoints. (#21116, #21534, #21569, #21473, #21108, @​TomeHirata, @​copilot-swe-agent)
• 📊 Trace Graph View: Visualize complex trace hierarchies with an interactive graph view! Navigate multi-level trace structures, understand parent-child relationships at a glance, and debug complex systems more effectively with a visual representation of your trace topology. (#20607, @​joelrobin18)
• 🌐 Native OpenTelemetry GenAI Convention Support: MLflow now natively supports the OpenTelemetry GenAI Semantic Conventions for trace export! When exporting traces via OTLP with MLFLOW_ENABLE_OTEL_GENAI_SEMCONV enabled, MLflow automatically translates them to follow the OTel GenAI semantic conventions, enabling seamless integration with OTel-compatible observability platforms while preserving GenAI-specific metadata. (#21494, #21495, @​B-Step62)
• 🔧 Opencode Tracing Integration: Debug smarter with Opencode CLI integration! Track and analyze code execution flows directly from your development workflow, making it easier to identify performance bottlenecks and trace issues back to specific code paths. (#20133, @​joelrobin18)
• ⚡ UV Package Manager Support: Automatic dependency inference now supports UV! MLflow automatically detects UV projects and captures exact, locked dependencies from your lockfile when logging models, ensuring reproducible environments. (#20344, #20935, @​debu-sinha)
• 🔒 Pickle-Free Model Serialization: Enhance security with pickle-free model formats! MLflow now supports safer model serialization using torch.export and skops formats, with improved controls when MLFLOW_ALLOW_PICKLE_DESERIALIZATION=False. Comprehensive documentation guides you through migrating existing models to pickle-free formats for production deployments. (#21404, #21188, #20774, @​WeichenXu123)

Breaking Changes:

• ⚠️ TypeScript SDK Package Renaming: The MLflow TypeScript SDK packages have been renamed to use npm organization scoping. If you're using the TypeScript SDK, update your package.json dependencies and import statements: mlflow-tracing → @mlflow/core, mlflow-openai → @mlflow/openai, mlflow-anthropic → @mlflow/anthropic, mlflow-gemini → @mlflow/gemini. All packages are now at version 0.2.0. (#20792, @​B-Step62)

Stay tuned for the full release, which will be packed with even more features and bugfixes.

To try out this release candidate, please run:

pip install mlflow==3.11.0rc0

v3.10.1

MLflow 3.10.1 is a patch release that contains some minor feature enhancements, bug fixes, and documentation updates.

Features:

• [UI] Add try-it page on Gateway usage example modal (#21077, @​PattaraS)
• [UI] Filter gateway experiments from the experiment list page (#21130, @​copilot-swe-agent)

Bug fixes:

• [UI] Fix "View full dashboard" link in gateway usage tab when workspace is enabled (#21191, @​copilot-swe-agent)
• [UI] Persist AI Gateway default passphrase security banner dismissal to localStorage (#21292, @​copilot-swe-agent)
• [Evaluation] Demote unused parameters log message from WARNING to DEBUG in instructions judge (#21294, @​copilot-swe-agent)
• [UI] Clear "All" time selector when switching to overview tab (#21371, @​daniellok-db)
• [Prompts / UI] Fix Traces view in Prompts tab not being scrollable (#21282, @​TomeHirata)
• [UI] Fix judge builder instruction textarea (#21299, @​daniellok-db)
• [UI] Fix group mode to aggregate "Additional runs" as "Unassigned" group in charts (#21155, @​copilot-swe-agent)
• [UI] Fix artifact download when workspaces are enabled (#21074, @​timsolovev)
• [Tracing] Fix NOT NULL constraint on assessments.trace_id during trace export (#21348, @​dbczumar)
• [Tracking] Fix 403 Forbidden for artifact list via query param when default_permission=NO_PERMISSIONS (#21220, @​copilot-swe-agent)
• [UI] [ML-63097] Fix broken LLM judge documentation links (#21347, @​smoorjani)
• [Tracing] Fix Run Judge failed with litellm.InternalServerError: Invalid response object. (#21262, @​PattaraS)
• [Tracing / UI] Update Action menu: indentation to avoid confusion (#21266, @​PattaraS)
• [Model Registry] Fix MlflowClient.copy_model_version for the case that copy UC model across workspaces (#21212, @​WeichenXu123)

... (truncated)

Changelog

Sourced from mlflow's changelog.

CHANGELOG

3.12.0 (2026-05-04)

MLflow 3.12.0 includes several major features and improvements

Major New Features

• 🖼️ Multimodal Tracing: Users can now store multimodal content in tracing spans as artifact attachments instead of inline binary data. We've also patched the UI to support the new mlflow-attachment:// style URI, with rich rendering available for PDFs, audio, and images.
• 🤖 Codex, Gemini, Qwen coding agent tracing support: Similar to our Claude Code tracing integration, we've now added support for the Codex, Gemini, and Qwen coding agent platforms as well!
• 🛡️ Gateway guardrails: You can now set guardrails on your gateway endpoints to prevent unsafe or non-compliant model inputs and outputs. Try it out in the MLflow UI!
• ⚡ Trace table pagination: The traces tab is now paginated, rather than fetching all traces up to a limit of 1000. This improves initial load time, and makes the page feel more responsive overall.

Breaking Changes

• [Scoring] Deprecate enable_mlserver in pyfunc serving backend (#22994, @​B-Step62)

Other Assorted Features & Improvements:

• [UI] Add coding agents section to AI Gateway quick start (#23006, @​TomeHirata)
• [Tracing] feat: record caller in gateway traces from request headers (#22926, @​TomeHirata)
• [] Run guardrails on passthrough endpoints; skip response_format for non-chat payloads (#22856, @​TomeHirata)
• [] Gateway: preserve client auth header for subscription-based CLI tools (claude-cli, Codex-Desktop, GeminiCLI) (#22915, @​TomeHirata)
• [Tracing] Expose Codex and Qwen Code hooks as installable CLI binaries (#22853, @​kriscon-db)
• [Tracking / UI] Add Portkey as a supported AI Gateway provider (#22830, @​sairavuri-sudo)
• [Tracking] Cache successful basic-auth credential checks to eliminate per-request PBKDF2 (#22817, @​PattaraS)
• [] Add last_updated_at field to model catalog entries (#22838, @​copilot-swe-agent)
• [Evaluation] Enable third-party scorer registration in OSS MLflow (#22634, @​smoorjani)
• [] Add platform-side telemetry fields to Gateway invocation and budget events (#22557, @​PattaraS)
• [Tracing] Auto-start SQL warehouse before V4/V5 MLflow tracing calls (#22798, @​artjen)
• [Tracing] Migrate Claude Code tracing to TypeScript-based plugin for simpler installation and runtime handling. (#22338, @​B-Step62)
• [Tracing] Add TypeScript Qwen Code tracing via Stop hook (#22411, @​kriscon-db)
• [] Support model_kwargs in DeepEval scorers for LLM parameter control (#22494, @​debu-sinha)
• [] Add Application Default Credentials auth mode for Vertex AI gateway (#22754, @​harupy)
• [UI] Reorganize Settings into section-based routing with sub-sidebar navigation (#22743, @​serena-ruan)
• [Tracing] Add TypeScript Codex CLI tracing via notify hook (#22410, @​kriscon-db)
• [Tracing / UI] Add Share button to trace detail view (#22608, @​alkispoly-db)
• [Docs / Models] Add mlflow.diffusers flavor for diffusion model LoRA adapters (#22253, @​Rasaboun)
• [Tracing] Add size limit for trace attachments (#22575, @​kriscon-db)
• [Tracing] Add GeminiCliTranslator for Gemini CLI OTLP span type mapping (#22409, @​kriscon-db)
• [Tracing] Add JSON OTLP encoding support for trace ingestion (#22408, @​kriscon-db)
• [Tracing] Extract service.name from OTLP resource attributes for usage telemetry (#22407, @​kriscon-db)
• [Tracing] Add MLflow tracing spans to guardrail execution in gateway (#22581, @​TomeHirata)
• [Tracing / UI] Add rendering size guards for large media content (#22574, @​kriscon-db)
• [Tracking] #21037 Add presigned upload URL endpoint for S3 artifact uploads (#21039, @​henishborad)
• [UI] Add Guardrails tab to endpoint editor (#22360, @​TomeHirata)
• [UI] Add click-to-expand modal for trace attachment images (#22461, @​kriscon-db)
• [UI] Enhance Gateway quick start cards with logos, multi-model options, and compact variant (#22513, @​xq-yin)
• [Tracing] Add @​mlflow/vercel for better Vercel AI SDK tracing in Databricks UC (#22105, @​dbrx-euirim)
• [UI] [UI] Refactor API keys page: bulk delete, inline drawer editing, consistent list pattern (#22485, @​xq-yin)

... (truncated)

Commits

• 2627607 update uv.lock (#22235)
• 099fe52 bump version to rc1 (#22232)
• 0e2ae1b Fix telemetry initialization and flush in job subprocesses (#22222)
• 6da4f10 Move native providers to non-LiteLLM in gateway UI (#22203)
• b934d23 Fix response parsing for older models (#22138)
• d2d92ee Remove MLFLOW_ENABLE_INCREMENTAL_SPAN_EXPORT environment variable (#22182)
• aaad8d8 Remove notification and redirect to eval run (#22175)
• 3f220eb Replace torch dependency group with requirements/torch.txt (#22192)
• 1c65d9a Edit LiteLLM mentions in docs (#22140)
• 9a328e5 Remove dynamic logs from workspace selector (#22180)
• Additional commits viewable in compare view

Updates requests from 2.32.4 to 2.33.0

Release notes

Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

New Contributors

• @​M0d3v1 made their first contribution in psf/requests#6865
• @​aminvakil made their first contribution in psf/requests#7220
• @​E8Price made their first contribution in psf/requests#6960
• @​mitre88 made their first contribution in psf/requests#7244
• @​magsen made their first contribution in psf/requests#6553
• @​Rohan5commit made their first contribution in psf/requests#7227

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

v2.32.5

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

Changelog

Sourced from requests's changelog.

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

Commits

• bc04dfd v2.33.0
• 66d21cb Merge commit from fork
• 8b9bc8f Move badges to top of README (#7293)
• e331a28 Remove unused extraction call (#7292)
• 753fd08 docs: fix FAQ grammar in httplib2 example
• 774a0b8 docs(socks): same block as other sections
• 9c72a41 Bump github/codeql-action from 4.33.0 to 4.34.1
• ebf7190 Bump github/codeql-action from 4.32.0 to 4.33.0
• 0e4ae38 docs: exclude Response.is_permanent_redirect from API docs (#7244)
• d568f47 docs: clarify Quickstart POST example (#6960)
• Additional commits viewable in compare view

Updates python-dotenv from 1.0.1 to 1.2.2

Release notes

Sourced from python-dotenv's releases.

v1.2.2

Added

• Support for Python 3.14, including the free-threaded (3.14t) build. (#)

Changed

• The dotenv run command now forwards flags directly to the specified command by @​bbc2 in theskumar/python-dotenv#607
• Improved documentation clarity regarding override behavior and the reference page.
• Updated PyPy support to version 3.11.
• Documentation for FIFO file support.
• Support for Python 3.9.

Fixed

• Improved set_key and unset_key behavior when interacting with symlinks by @​bbc2 in #790c5
• Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by @​JYOuyang in theskumar/python-dotenv#590

Breaking Changes

• dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

• In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

• dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

Misc

• skip 000 permission tests for root user by @​burnout-projects in theskumar/python-dotenv#561
• Bump actions/checkout from 5 to 6 in the github-actions group by @​dependabot[bot] in theskumar/python-dotenv#593
• Add Windows testing to CI by @​bbc2 in theskumar/python-dotenv#604
• Improve workflow efficiency with best practices by @​theskumar in theskumar/python-dotenv#609
• Remove the use of sh in tests by @​bbc2 in theskumar/python-dotenv#612

New Contributors

• @​JYOuyang made their first contribution in theskumar/python-dotenv#590
• @​burnout-projects made their first contribution in theskumar/python-dotenv#561
• @​cpackham-atlnz made their first contribution in theskumar/python-dotenv#597

Full Changelog: theskumar/python-dotenv@v1.2.1...v1.2.2

v1.2.1

What's Changed

... (truncated)

Changelog

Sourced from python-dotenv's changelog.

[1.2.2] - 2026-03-01

Added

• Support for Python 3.14, including the free-threaded (3.14t) build. (#588)

Changed

• The dotenv run command now forwards flags directly to the specified command by [@​bbc2] in #607
• Improved documentation clarity regarding override behavior and the reference page.
• Updated PyPy support to version 3.11.
• Documentation for FIFO file support.
• Dropped Support for Python 3.9.

Fixed

• Improved set_key and unset_key behavior when interacting with symlinks by [@​bbc2] in [790c5c0]
• Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by [@​JYOuyang] in #590

Breaking Changes

• dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

• In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

• dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

[1.2.1] - 2025-10-26

• Move more config to pyproject.toml, removed setup.cfg
• Add support for reading .env from FIFOs (Unix) by [@​sidharth-sudhir] in #586

[1.2.0] - 2025-10-26

• Upgrade build system to use PEP 517 & PEP 518 to use build and pyproject.toml by [@​EpicWink] in #583
• Add support for Python 3.14 by [@​23f3001135] in #579
• Add support for disabling of load_dotenv() using PYTHON_DOTENV_DISABLED env var. by [@​matthewfranglen] in #569

[1.1.1] - 2025-06-24

Fixed

• CLI: Ensure find_dotenv work reliably on python 3.13 by [@​theskumar] in #563

... (truncated)

Commits

• 36004e0 Bump version: 1.2.1 → 1.2.2
• eb20252 docs: update changelog for v1.2.2
• 790c5c0 Merge commit from fork
• 43340da Remove the use of sh in tests (#612)
• 09d7cee docs: clarify override behavior and document FIFO support (#610)
• c8de288 ci: improve workflow efficiency with best practices (#609)
• 7bd9e3d Add Windows testing to CI (#604)
• 1baaf04 Drop Python 3.9 support and update to PyPy 3.11 (#608)
• 4a22cf8 ci: enable testing on Python 3.14t (free-threaded) (#588)
• e2e8e77 Fix license specifier (#597)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.