Fix crypto.randomUUID() unavailable in HTTP contexts

[tobyxdd]

🛠 DevTools 🛠

Install mlflow from this PR

# mlflow
pip install git+https://github.com/mlflow/mlflow.git@refs/pull/19573/merge
# mlflow-skinny
pip install git+https://github.com/mlflow/mlflow.git@refs/pull/19573/merge#subdirectory=libs/skinny

For Databricks, use the following command:

%sh curl -LsSf https://raw.githubusercontent.com/mlflow/mlflow/HEAD/dev/install-skinny.sh | sh -s pull/19573/merge

Related Issues/PRs

#19480

What changes are proposed in this pull request?

crypto.randomUUID() requires a secure context (HTTPS, localhost, or file://). When MLflow is deployed over plain HTTP, this API throws an error, breaking the UI.

This PR created generateUUID() utility that:

1. Tries crypto.randomUUID() first (for secure contexts)
2. Falls back to crypto.getRandomValues() which works in all contexts

How is this PR tested?

• Existing unit/integration tests
• New unit/integration tests
• Manual tests

Does this PR require documentation update?

• No. You can skip the rest of this section.
• Yes. I've updated:
  • Examples
  • API references
  • Instructions

Release Notes

Is this a user-facing change?

• No. You can skip the rest of this section.
• Yes. Give a description of this change to be included in the release notes for MLflow users.

Fix broken frontend when server is using HTTP protocol

What component(s), interfaces, languages, and integrations does this PR affect?

Components

• area/tracking: Tracking Service, tracking client APIs, autologging
• area/models: MLmodel format, model serialization/deserialization, flavors
• area/model-registry: Model Registry service, APIs, and the fluent client calls for Model Registry
• area/scoring: MLflow Model server, model deployment tools, Spark UDFs
• area/evaluation: MLflow model evaluation features, evaluation metrics, and evaluation workflows
• area/gateway: MLflow AI Gateway client APIs, server, and third-party integrations
• area/prompts: MLflow prompt engineering features, prompt templates, and prompt management
• area/tracing: MLflow Tracing features, tracing APIs, and LLM tracing functionality
• area/projects: MLproject format, project running backends
• area/uiux: Front-end, user experience, plotting, JavaScript, JavaScript dev server
• area/build: Build and test infrastructure for MLflow
• area/docs: MLflow documentation pages

How should the PR be classified in the release notes? Choose one:

• rn/none - No description will be included. The PR will be mentioned only by the PR number in the "Small Bugfixes and Documentation Updates" section
• rn/breaking-change - The PR will be mentioned in the "Breaking Changes" section
• rn/feature - A new user-facing feature worth mentioning in the release notes
• rn/bug-fix - A user-facing bug fix worth mentioning in the release notes
• rn/documentation - A user-facing documentation change worth mentioning in the release notes

Should this PR be included in the next patch release?

Yes should be selected for bug fixes, documentation updates, and other small changes. No should be selected for new features and larger changes. If you're unsure about the release classification of this PR, leave this unchecked to let the maintainers decide.

What is a minor/patch release?

• Minor release: a release that increments the second part of the version number (e.g., 1.2.0 -> 1.3.0).
  Bug fixes, doc updates and new features usually go into minor releases.
• Patch release: a release that increments the third part of the version number (e.g., 1.2.0 -> 1.2.1).
  Bug fixes and doc updates usually go into patch releases.

• Yes (this PR will be cherry-picked and included in the next patch release)
• No (this PR will be included in the next minor release)

[github-actions]

@tobyxdd Thank you for the contribution! Could you fix the following issue(s)?

⚠ DCO check

The DCO check failed. Please sign off your commit(s) by following the instructions here. See https://github.com/mlflow/mlflow/blob/master/CONTRIBUTING.md#sign-your-work for more details.

[Copilot]

Pull request overview

This PR fixes a critical issue where crypto.randomUUID() was causing the MLflow UI to break when deployed over HTTP. The API requires a secure context (HTTPS, localhost, or file://) and throws an error in plain HTTP environments. The solution introduces a generateUUID() utility that attempts to use crypto.randomUUID() first and falls back to crypto.getRandomValues() which works in all contexts.

• Creates a new generateUUID() utility with secure and non-secure context support
• Replaces all occurrences of crypto.randomUUID() with the new utility function

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
mlflow/server/js/src/common/utils/generateUUID.ts	New utility function that generates UUIDs with fallback for HTTP contexts
mlflow/server/js/src/telemetry/worker/TelemetryLogger.worker.ts	Updates session ID generation to use the new utility
mlflow/server/js/src/telemetry/TelemetryClient.ts	Updates installation ID generation to use the new utility
mlflow/server/js/src/experiment-tracking/pages/experiment-page-tabs/side-nav/ExperimentPageSideNavSection.tsx	Updates view ID generation to use the new utility
mlflow/server/js/src/common/components/MlflowSidebar.tsx	Updates view ID generation to use the new utility

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The fallback implementation doesn't handle the case where crypto.getRandomValues() might also be unavailable (e.g., in very old browsers or non-browser environments). Consider adding a check for crypto.getRandomValues() availability and wrapping it in a try-catch block to provide a more graceful error message if UUID generation fails completely.

[WeichenXu123]

I am not expert of front-end, do we need to consider the case crypto.getRandomValues() might also be unavailable (e.g., in very old browsers or non-browser environments) ? @tobyxdd

[Copilot]

This new utility function lacks test coverage. Since other utilities in the same directory (e.g., ActionUtils, StringUtils, FileUtils) have accompanying test files, consider adding tests for generateUUID to verify both the secure context path and the fallback mechanism work correctly.

[WeichenXu123]

shall we use the existing lib https://www.npmjs.com/package/uuid

or embed the code from the uuid lib ?

[github-actions]

Documentation preview for f8a5e67 is available at:

• https://pr-19573--mlflow-docs-preview.netlify.app/docs/latest/

More info

• Ignore this comment if this PR does not change the documentation.
• The preview is updated when a new commit is pushed to this PR.
• This comment was created by this workflow run.
• The documentation was built by this workflow run.

[WeichenXu123]

the issue has caused many complaints so we decide to release a patch version soon,

to unblock the release, I filed a new PR with some updates #19644 and merged it.

still appreciating your contribution!