Update all non-major dependencies #778

Open
renovate[bot] wants to merge 1 commit into main from renovate/all-minor-patch

@renovate renovate bot commented Dec 24, 2025

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Type | Update | Change |
| --- | --- | --- | --- |
| actions/setup-python | action | minor | v6.1.0 -> v6.2.0 |
| anyio (changelog) | | patch | ==4.12.0 -> ==4.12.1 |
| bandit (source, changelog) | dev | patch | 1.9.2 -> 1.9.3 |
| coverage | dev | patch | 7.13.0 -> 7.13.4 |
| grpcio | | minor | ==1.76.0 -> ==1.78.0 |
| grpcio | | minor | ==1.67.1 -> ==1.78.0 |
| huggingface-hub | | minor | ==1.2.3 -> ==1.4.1 |
| jiter | | minor | ==0.12.0 -> ==0.13.0 |
| jsonschema (changelog) | | minor | ==4.25.1 -> ==4.26.0 |
| litellm | dependencies | minor | 1.80.11 -> 1.81.11 |
| litellm | | minor | ==1.80.11 -> ==1.81.11 |
| marshmallow (changelog) | dev | minor | >=4.1,<4.2 -> >=4.2,<4.3 |
| multidict | | patch | ==6.7.0 -> ==6.7.1 |
| numpy (changelog) | | minor | ==2.3.5 -> ==2.4.2 |
| numpy (changelog) | | minor | ==2.2.6 -> ==2.4.2 |
| openai | | minor | ==2.14.0 -> ==2.21.0 |
| pytest-html | dev | minor | 4.1.1 -> 4.2.0 |
| rich | dependencies | minor | >=14.2,<14.3 -> >=14.3,<14.4 |
| rich | | minor | ==14.2.0 -> ==14.3.2 |
| soupsieve | | patch | ==2.8 -> ==2.8.3 |
| tokenizers | | patch | ==0.22.1 -> ==0.22.2 |
| tqdm (changelog) | | patch | ==4.67.1 -> ==4.67.3 |
| typer (changelog) | dependencies | minor | >=0.19,<0.20 -> >=0.23,<0.24 |
| typer (changelog) | | minor | ==0.19.2 -> ==0.23.1 |
| typer-slim (changelog) | dependencies | minor | >=0.19,<0.20 -> >=0.23,<0.24 |
| typer-slim (changelog) | | minor | ==0.19.2 -> ==0.23.1 |

Release Notes

actions/setup-python (actions/setup-python)

v6.2.0

Compare Source

agronholm/anyio (anyio)

v4.12.1

Compare Source

  • Changed all functions currently raising the private NoCurrentAsyncBackend exception (since v4.12.0) to instead raise the public NoEventLoopError exception (#1048)
  • Fixed anyio.functools.lru_cache not working with instance methods (#1042)

PyCQA/bandit (bandit)

v1.9.3

Compare Source

What's Changed

New Contributors

Full Changelog: PyCQA/bandit@1.9.2...1.9.3

coveragepy/coveragepy (coverage)

v7.13.4

Compare Source

  • Fix: the third-party code fix in 7.13.3 required examining the parent
    directories where coverage was run. In the unusual situation that one of the
    parent directories is unreadable, a PermissionError would occur, as
    described in issue 2129_. This is now fixed.

  • Fix: in test suites that change sys.path, coverage.py could fail with
    "RuntimeError: Set changed size during iteration" as described and fixed in
    pull 2130_. Thanks, Noah Fatsi.

  • We now publish ppc64le wheels, thanks to Pankhudi Jain <pull 2121_>_.

.. _pull 2121: #​2121
.. _issue 2129: #​2129
.. _pull 2130: #​2130

.. _changes_7-13-3:

v7.13.3

Compare Source

  • Fix: in some situations, third-party code was measured when it shouldn't have
    been, slowing down test execution. This happened with layered virtual
    environments such as uv sometimes makes. The problem is fixed, closing issue 2082_. Now any directory on sys.path that is inside a virtualenv is
    considered third-party code.

.. _issue 2082: #​2082

.. _changes_7-13-2:

v7.13.2

Compare Source

  • Fix: when Python is installed via symlinks, for example with Homebrew, the
    standard library files could be incorrectly included in coverage reports.
    This is now fixed, closing issue 2115_.

  • Fix: if a data file is created with no read permissions, the combine step
    would fail completely. Now a warning is issued and the file is skipped.
    Closes issue 2117_.

.. _issue 2115: #​2115
.. _issue 2117: #​2117

.. _changes_7-13-1:

v7.13.1

Compare Source

  • Added: the JSON report now includes a "start_line" key for function and
    class regions, indicating the first line of the region in the source. Closes
    issue 2110_.

  • Added: The debug data command now takes file names as arguments on the
    command line, so you can inspect specific data files without needing to set
    the COVERAGE_FILE environment variable.

  • Fix: the JSON report used to report module docstrings as executed lines,
    which no other report did, as described in issue 2105_. This is now fixed,
    thanks to Jianrong Zhao.

  • Fix: coverage.py uses a more disciplined approach to detecting where
    third-party code is installed, and avoids measuring it. This shouldn't change
    any behavior. If you find that it does, please get in touch.

  • Performance: data files that will be combined now record their hash as part
    of the file name. This lets us skip duplicate data more quickly, speeding the
    combining step.

  • Docs: added a section explaining more about what is considered a missing
    branch and how it is reported: :ref:branch_explain, as requested in
    issue 1597_. Thanks to Ayisha Mohammed <pull 2092_>_.

  • Tests: the test suite misunderstood what core was being tested if
    COVERAGE_CORE wasn't set on 3.14+. This is now fixed, closing issue 2109_.

.. _issue 1597: #​1597
.. _pull 2092: #​2092
.. _issue 2105: #​2105
.. _issue 2109: #​2109
.. _issue 2110: #​2110

grpc/grpc (grpcio)

v1.78.0

Compare Source

This is release 1.78.0 (gutsy) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

C++

  • adding address_sorting dep in naming test build. (#​41045)

Objective-C

  • [Backport][v1.78.x][Fix][Compiler] Plugins fall back to the edition 2023 for older protobuf. (#​41358)

Python

  • [python] aio: fix race condition causing asyncio.run() to hang forever during the shutdown process. (#​40989)
  • [Python] Migrate to pyproject.toml build system from setup.py builds. (#​40833)
  • [Python] Log error details when ExecuteBatchError occurs (at DEBUG level). (#​40921)
  • [Python] Update setuptools min version to 77.0.1 . (#​40931)

Ruby

  • [ruby] Fix version comparison for the ruby_abi_version symbol for ruby 4 compatibility. (#41061)

huggingface/huggingface_hub (huggingface-hub)

v1.4.1: [v1.4.1] Fix file corruption when server ignores Range header on download retry

Compare Source

Fix file corruption when server ignores Range header on download retry.
Full details in #​3778 by @​XciD.

Full Changelog: huggingface/huggingface_hub@v1.4.0...v1.4.1

v1.4.0: [v1.4.0] Building the HF CLI for You and your AI Agents

Compare Source

🧠 hf skills add CLI Command

A new hf skills add command installs the hf-cli skill for AI coding assistants (Claude Code, Codex, OpenCode). Your AI Agent now knows how to search the Hub, download models, run Jobs, manage repos, and more.

> hf skills add --help
Usage: hf skills add [OPTIONS]

  Download a skill and install it for an AI assistant.

Options:
  --claude      Install for Claude.
  --codex       Install for Codex.
  --opencode    Install for OpenCode.
  -g, --global  Install globally (user-level) instead of in the current
                project directory.
  --dest PATH   Install into a custom destination (path to skills directory).
  --force       Overwrite existing skills in the destination.
  --help        Show this message and exit.

Examples
  $ hf skills add --claude
  $ hf skills add --claude --global
  $ hf skills add --codex --opencode

Learn more
  Use `hf <command> --help` for more information about a command.
  Read the documentation at
  https://huggingface.co/docs/huggingface_hub/en/guides/cli

The skill is composed of two files fetched from the huggingface_hub docs: a CLI guide (SKILL.md) and the full CLI reference (references/cli.md). Files are installed to a central .agents/skills/hf-cli/ directory, and relative symlinks are created from agent-specific directories (e.g., .claude/skills/hf-cli/ -> ../../.agents/skills/hf-cli/). This ensures a single source of truth when installing for multiple agents.

🖥️ Improved CLI Help Output

The CLI help output has been reorganized to be more informative and agent-friendly:

  • Commands are now grouped into Main commands and Help commands
  • Examples section showing common usage patterns
  • Learn more section with links to documentation

> hf cache --help
Usage: hf cache [OPTIONS] COMMAND [ARGS]...

  Manage local cache directory.

Options:
  --help  Show this message and exit.

Main commands:
  ls      List cached repositories or revisions.
  prune   Remove detached revisions from the cache.
  rm      Remove cached repositories or revisions.
  verify  Verify checksums for a single repo revision from cache or a local
          directory.

Examples
  $ hf cache ls
  $ hf cache ls --revisions
  $ hf cache ls --filter "size>1GB" --limit 20
  $ hf cache ls --format json
  $ hf cache prune
  $ hf cache prune --dry-run
  $ hf cache rm model/gpt2
  $ hf cache rm <revision_hash>
  $ hf cache rm model/gpt2 --dry-run
  $ hf cache rm model/gpt2 --yes
  $ hf cache verify gpt2
  $ hf cache verify gpt2 --revision refs/pr/1
  $ hf cache verify my-dataset --repo-type dataset

Learn more
  Use `hf <command> --help` for more information about a command.
  Read the documentation at
  https://huggingface.co/docs/huggingface_hub/en/guides/cli

📊 Evaluation Results Module

The Hub now has a decentralized system for tracking model evaluation results. Benchmark datasets (like MMLU-Pro, HLE, GPQA) host leaderboards, and model repos store evaluation scores in .eval_results/*.yaml files. These results automatically appear on both the model page and the benchmark's leaderboard. See the Evaluation Results documentation for more details.

We added helpers in huggingface_hub to work with this format:

  • EvalResultEntry dataclass representing evaluation scores
  • eval_result_entries_to_yaml() to serialize entries to YAML format
  • parse_eval_result_entries() to parse YAML data back into EvalResultEntry objects

import yaml
from huggingface_hub import EvalResultEntry, eval_result_entries_to_yaml, upload_file

entries = [
    EvalResultEntry(dataset_id="cais/hle", task_id="default", value=20.90),
    EvalResultEntry(dataset_id="Idavidrein/gpqa", task_id="gpqa_diamond", value=0.412),
]
yaml_content = yaml.dump(eval_result_entries_to_yaml(entries))
upload_file(
    path_or_fileobj=yaml_content.encode(),
    path_in_repo=".eval_results/results.yaml",
    repo_id="your-username/your-model",
)

🖥️ Other CLI Improvements

New hf papers ls command to list daily papers on the Hub, with support for filtering by date and sorting by trending or publication date.

hf papers ls                       # List most recent daily papers
hf papers ls --sort=trending       # List trending papers
hf papers ls --date=2025-01-23     # List papers from a specific date
hf papers ls --date=today          # List today's papers

New hf collections commands for managing collections from the CLI:

# List collections
hf collections ls --owner nvidia --limit 5
hf collections ls --sort trending

# Create a collection
hf collections create "My Models" --description "Favorites" --private

# Add items
hf collections add-item user/my-coll models/gpt2 model
hf collections add-item user/my-coll datasets/squad dataset --note "QA dataset"

# Get info
hf collections info user/my-coll

# Delete
hf collections delete user/my-coll

Other CLI-related improvements:

📊 Jobs

Multi-GPU training commands are now supported with torchrun and accelerate launch:

> hf jobs uv run --with torch -- torchrun train.py
> hf jobs uv run --with accelerate -- accelerate launch train.py

You can also pass local config files alongside your scripts:

> hf jobs uv run script.py config.yml
> hf jobs uv run --with torch torchrun script.py config.yml

New hf jobs hardware command to list available hardware options:

> hf jobs hardware
NAME         PRETTY NAME            CPU      RAM     ACCELERATOR      COST/MIN COST/HOUR 
------------ ---------------------- -------- ------- ---------------- -------- --------- 
cpu-basic    CPU Basic              2 vCPU   16 GB   N/A              $0.0002  $0.01     
cpu-upgrade  CPU Upgrade            8 vCPU   32 GB   N/A              $0.0005  $0.03     
t4-small     Nvidia T4 - small      4 vCPU   15 GB   1x T4 (16 GB)    $0.0067  $0.40     
t4-medium    Nvidia T4 - medium     8 vCPU   30 GB   1x T4 (16 GB)    $0.0100  $0.60     
a10g-small   Nvidia A10G - small    4 vCPU   15 GB   1x A10G (24 GB)  $0.0167  $1.00     
a10g-large   Nvidia A10G - large    12 vCPU  46 GB   1x A10G (24 GB)  $0.0250  $1.50     
a10g-largex2 2x Nvidia A10G - large 24 vCPU  92 GB   2x A10G (48 GB)  $0.0500  $3.00     
a10g-largex4 4x Nvidia A10G - large 48 vCPU  184 GB  4x A10G (96 GB)  $0.0833  $5.00     
a100-large   Nvidia A100 - large    12 vCPU  142 GB  1x A100 (80 GB)  $0.0417  $2.50     
a100x4       4x Nvidia A100         48 vCPU  568 GB  4x A100 (320 GB) $0.1667  $10.00    
a100x8       8x Nvidia A100         96 vCPU  1136 GB 8x A100 (640 GB) $0.3333  $20.00    
l4x1         1x Nvidia L4           8 vCPU   30 GB   1x L4 (24 GB)    $0.0133  $0.80     
l4x4         4x Nvidia L4           48 vCPU  186 GB  4x L4 (96 GB)    $0.0633  $3.80     
l40sx1       1x Nvidia L40S         8 vCPU   62 GB   1x L40S (48 GB)  $0.0300  $1.80     
l40sx4       4x Nvidia L40S         48 vCPU  382 GB  4x L40S (192 GB) $0.1383  $8.30     
l40sx8       8x Nvidia L40S         192 vCPU 1534 GB 8x L40S (384 GB) $0.3917  $23.50  

Better filtering with label support and negation:

> hf jobs ps -a --filter status!=error
> hf jobs ps -a --filter label=fine-tuning
> hf jobs ps -a --filter label=model=Qwen3-06B

⚡️ Inference

🔧 QoL Improvements

📖 Documentation

🐛 Bug and typo fixes

🏗️ Internal

Significant community contributions

The following contributors have made significant changes to the library over the last release:

v1.3.7: [v1.3.7] Log 'x-amz-cf-id' on http error if no request id

Compare Source

Log 'x-amz-cf-id' on http error (if no request id) (#​3759)

Full Changelog: huggingface/huggingface_hub@v1.3.5...v1.3.7

v1.3.5: [v1.3.5] Configurable default timeout for HTTP calls

Compare Source

The default timeout is 10s. This is OK in most use cases but can trigger errors in CIs making a lot of requests to the Hub. The solution is to set HF_HUB_DOWNLOAD_TIMEOUT=60 as an environment variable in these cases.

Full Changelog: huggingface/huggingface_hub@v1.3.4...v1.3.5

v1.3.4: [v1.3.4] Fix CommitUrl._endpoint default to None

Compare Source

  • Default _endpoint to None in CommitInfo, fixes tiny regression from v1.3.3 by @​tomaarsen in #​3737

Full Changelog: huggingface/huggingface_hub@v1.3.3...v1.3.4

v1.3.3: [v1.3.3] List Jobs Hardware & Bug Fixes

Compare Source

⚙️ List Jobs Hardware

You can now list all available hardware options for Hugging Face Jobs, both from the CLI and programmatically.

From the CLI:

hf jobs hardware                           
NAME            PRETTY NAME            CPU      RAM     ACCELERATOR      COST/MIN COST/HOUR 
--------------- ---------------------- -------- ------- ---------------- -------- --------- 
cpu-basic       CPU Basic              2 vCPU   16 GB   N/A              $0.0002  $0.01     
cpu-upgrade     CPU Upgrade            8 vCPU   32 GB   N/A              $0.0005  $0.03     
cpu-performance CPU Performance        8 vCPU   32 GB   N/A              $0.0000  $0.00     
cpu-xl          CPU XL                 16 vCPU  124 GB  N/A              $0.0000  $0.00     
t4-small        Nvidia T4 - small      4 vCPU   15 GB   1x T4 (16 GB)    $0.0067  $0.40     
t4-medium       Nvidia T4 - medium     8 vCPU   30 GB   1x T4 (16 GB)    $0.0100  $0.60     
a10g-small      Nvidia A10G - small    4 vCPU   15 GB   1x A10G (24 GB)  $0.0167  $1.00     
a10g-large      Nvidia A10G - large    12 vCPU  46 GB   1x A10G (24 GB)  $0.0250  $1.50     
a10g-largex2    2x Nvidia A10G - large 24 vCPU  92 GB   2x A10G (48 GB)  $0.0500  $3.00     
a10g-largex4    4x Nvidia A10G - large 48 vCPU  184 GB  4x A10G (96 GB)  $0.0833  $5.00     
a100-large      Nvidia A100 - large    12 vCPU  142 GB  1x A100 (80 GB)  $0.0417  $2.50     
a100x4          4x Nvidia A100         48 vCPU  568 GB  4x A100 (320 GB) $0.1667  $10.00    
a100x8          8x Nvidia A100         96 vCPU  1136 GB 8x A100 (640 GB) $0.3333  $20.00    
l4x1            1x Nvidia L4           8 vCPU   30 GB   1x L4 (24 GB)    $0.0133  $0.80     
l4x4            4x Nvidia L4           48 vCPU  186 GB  4x L4 (96 GB)    $0.0633  $3.80     
l40sx1          1x Nvidia L40S         8 vCPU   62 GB   1x L40S (48 GB)  $0.0300  $1.80     
l40sx4          4x Nvidia L40S         48 vCPU  382 GB  4x L40S (192 GB) $0.1383  $8.30     
l40sx8          8x Nvidia L40S         192 vCPU 1534 GB 8x L40S (384 GB) $0.3917  $23.50 

Programmatically:

>>> from huggingface_hub import HfApi
>>> api = HfApi()
>>> hardware_list = api.list_jobs_hardware()
>>> hardware_list[0]
JobHardware(name='cpu-basic', pretty_name='CPU Basic', cpu='2 vCPU', ram='16 GB', accelerator=None, unit_cost_micro_usd=167, unit_cost_usd=0.000167, unit_label='minute')
>>> hardware_list[0].name
'cpu-basic'

🐛 Bug Fixes

✨ Various Improvements

📚 Documentation

v1.3.2: [v1.3.2] Zai provider support for text-to-image and fix custom endpoint not forwarded

Compare Source

Full Changelog: huggingface/huggingface_hub@v1.3.1...v1.3.2

v1.3.1: [v1.3.1] Add dimensions & encoding_format parameters to feature extraction (embeddings) task

Compare Source

  • Add dimensions & encoding_format parameter to InferenceClient for output embedding size #​3671 by @​mishig25

Full Changelog: huggingface/huggingface_hub@v1.3.0...v1.3.1

v1.3.0: [v1.3.0] New CLI Commands for Hub Discovery, Jobs Monitoring and more!

Compare Source

🖥️ CLI: hf models, hf datasets, hf spaces Commands

The CLI has been reorganized with dedicated commands for Hub discovery, while hf repo stays focused on managing your own repositories.

New commands:

# Models
hf models ls --author=Qwen --limit=10
hf models info Qwen/Qwen-Image-2512

# Datasets
hf datasets ls --filter "format:parquet" --sort=downloads
hf datasets info HuggingFaceFW/fineweb

# Spaces
hf spaces ls --search "3d"
hf spaces info enzostvs/deepsite

This organization mirrors the Python API (list_models, model_info, etc.), keeps the hf <resource> <action> pattern, and is extensible for future commands like hf papers or hf collections.

🔧 Transformers CLI Installer

You can now install the transformers CLI alongside the huggingface_hub CLI using the standalone installer scripts.

# Install hf CLI only (default)
curl -LsSf https://hf.co/cli/install.sh | bash -s

# Install both hf and transformers CLIs
curl -LsSf https://hf.co/cli/install.sh | bash -s -- --with-transformers

# Install hf CLI only (default)
powershell -c "irm https://hf.co/cli/install.ps1 | iex"

# Install both hf and transformers CLIs
powershell -c "irm https://hf.co/cli/install.ps1 | iex" -WithTransformers

Once installed, you can use the transformers CLI directly:

transformers serve
transformers chat openai/gpt-oss-120b

📊 Jobs Monitoring

New hf jobs stats command to monitor your running jobs in real-time, similar to docker stats. It displays a live table with CPU, memory, network, and GPU usage.

>>> hf jobs stats
JOB ID                   CPU % NUM CPU MEM % MEM USAGE      NET I/O         GPU UTIL % GPU MEM % GPU MEM USAGE
------------------------ ----- ------- ----- -------------- --------------- ---------- --------- ---------------
6953ff6274100871415c13fd 0%    3.5     0.01% 1.3MB / 15.0GB 0.0bps / 0.0bps 0%         0.0%      0.0B / 22.8GB

A new HfApi.fetch_jobs_metrics() method is also available:

>>> for metrics in fetch_job_metrics(job_id="6953ff6274100871415c13fd"):
...     print(metrics)
{
    "cpu_usage_pct": 0,
    "cpu_millicores": 3500,
    "memory_used_bytes": 1306624,
    "memory_total_bytes": 15032385536,
    "rx_bps": 0,
    "tx_bps": 0,
    "gpus": {
        "882fa930": {
            "utilization": 0,
            "memory_used_bytes": 0,
            "memory_total_bytes": 22836000000
        }
    },
    "replica": "57vr7"
}

💔 Breaking Change

The direction parameter in list_models, list_datasets, and list_spaces is now deprecated and not used. The sorting is always descending.

🔧 Other QoL Improvements

📖 Documentation

🛠️ Small fixes and maintenance

🐛 Bug and typo fixes

🏗️ Internal

Significant community contributions

The following contributors have made significant changes to the library over the last release:


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions bot commented Dec 24, 2025

MegaLinter analysis: Error

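| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
| --- | --- | --- | --- | --- | --- | --- |
| ⚠️ ACTION | actionlint | 4 | | 3 | 0 | 0.08s |
| ✅ COPYPASTE | jscpd | yes | | no | no | 1.87s |
| ⚠️ DOCKERFILE | hadolint | 2 | | 1 | 0 | 0.1s |
| ✅ JSON | jsonlint | 3 | | 0 | 0 | 0.46s |
| ✅ JSON | prettier | 3 | 0 | 0 | 0 | 0.51s |
| ✅ JSON | v8r | 3 | | 0 | 0 | 8.04s |
| ⚠️ MARKDOWN | markdownlint | 12 | 0 | 17 | 0 | 1.3s |
| ✅ MARKDOWN | markdown-table-formatter | 12 | 0 | 0 | 0 | 0.31s |
| ✅ PYTHON | bandit | 7 | | 0 | 0 | 1.53s |
| ✅ PYTHON | black | 7 | 0 | 0 | 0 | 2.22s |
| ✅ PYTHON | flake8 | 7 | | 0 | 0 | 0.99s |
| ✅ PYTHON | isort | 7 | 0 | 0 | 0 | 0.3s |
| ⚠️ PYTHON | mypy | 7 | | 5 | 0 | 5.07s |
| ✅ PYTHON | pylint | 7 | | 0 | 0 | 7.82s |
| ⚠️ PYTHON | pyright | 7 | | 4 | 0 | 5.53s |
| ✅ PYTHON | ruff | 7 | 0 | 0 | 0 | 0.06s |
| ✅ REPOSITORY | checkov | yes | | no | no | 20.7s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 17.08s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.03s |
| ⚠️ REPOSITORY | grype | yes | | 12 | no | 40.37s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 0.51s |
| ✅ REPOSITORY | syft | yes | | no | no | 2.49s |
| ❌ REPOSITORY | trivy | yes | | 1 | no | 12.88s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 5.03s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 5.14s |
| ✅ SPELL | cspell | 49 | | 0 | 0 | 3.52s |
| ⚠️ SPELL | lychee | 30 | | 3 | 0 | 1.5s |
| ✅ YAML | prettier | 15 | 0 | 0 | 0 | 0.94s |
| ✅ YAML | v8r | 15 | | 0 | 0 | 10.21s |
| ✅ YAML | yamllint | 15 | | 0 | 0 | 0.59s |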

Detailed Issues

❌ REPOSITORY / trivy - 1 error
│               │ https://avd.aquasec.com/nvd/cve-2025-69227                   │
│          ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-69228 │          │        │                   │               │ aiohttp: aiohttp: Denial of Service via memory exhaustion    │
│          │                │          │        │                   │               │ from crafted POST request...                                 │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-69228                   │
│          ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-69229 │          │        │                   │               │ aiohttp: AIOHTTP: Denial of Service via excessive CPU usage  │
│          │                │          │        │                   │               │ in chunked message...                                        │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-69229                   │
│          ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-69224 │ LOW      │        │                   │               │ aiohttp: aiohttp: Request smuggling via non-ASCII characters │
│          │                │          │        │                   │               │ in HTTP parser                                               │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-69224                   │
│          ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-69225 │          │        │                   │               │ aiohttp: aiohttp: Request smuggling vulnerability via        │
│          │                │          │        │                   │               │ non-ASCII decimals in Range header                           │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-69225                   │
│          ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-69226 │          │        │                   │               │ aiohttp: aiohttp: Information disclosure of path components  │
│          │                │          │        │                   │               │ via static file path normalization...                        │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-69226                   │
│          ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-69230 │          │        │                   │               │ aiohttp: aiohttp: Denial of Service via specially crafted    │
│          │                │          │        │                   │               │ invalid cookies                                              │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-69230                   │
├──────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ filelock │ CVE-2026-22701 │ MEDIUM   │        │ 3.20.1            │ 3.20.3        │ filelock: filelock Time-of-Check-Time-of-Use (TOCTOU) in     │
│          │                │          │        │                   │               │ SoftFileLock                                                 │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-22701                   │
├──────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ urllib3  │ CVE-2026-21441 │ HIGH     │        │ 2.6.2             │ 2.6.3         │ urllib3: urllib3 vulnerable to decompression-bomb safeguard  │
│          │                │          │        │                   │               │ bypass when following HTTP redirects (streaming...           │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-21441                   │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

(Truncated to last 5000 characters out of 19018)

⚠️ ACTION / actionlint - 3 errors
.github/workflows/github-dependents-info.yml:53:9: shellcheck reported issue in this script: SC2086:info:1:15: Double quote to prevent globbing and word splitting [shellcheck]
   |
53 |         run: sudo chown -R $USER:$USER .
   |         ^~~~
.github/workflows/github-dependents-info.yml:53:9: shellcheck reported issue in this script: SC2086:info:1:21: Double quote to prevent globbing and word splitting [shellcheck]
   |
53 |         run: sudo chown -R $USER:$USER .
   |         ^~~~
.github/workflows/release.yml:63:9: shellcheck reported issue in this script: SC2086:info:1:55: Double quote to prevent globbing and word splitting [shellcheck]
   |
63 |         run: echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> ${GITHUB_ENV}
   |         ^~~~

⚠️ REPOSITORY / grype - 12 errors
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
NAME          INSTALLED  FIXED IN  TYPE    VULNERABILITY        SEVERITY  EPSS           RISK   
aiohttp       3.13.2     3.13.3    python  GHSA-6mq8-rvhq-8wgg  High      < 0.1% (18th)  < 0.1  
aiohttp       3.13.2     3.13.3    python  GHSA-6jhg-hg63-jvvf  Medium    < 0.1% (18th)  < 0.1  
aiohttp       3.13.2     3.13.3    python  GHSA-jj3x-wxrx-4x23  Medium    < 0.1% (18th)  < 0.1  
aiohttp       3.13.2     3.13.3    python  GHSA-g84x-mcqj-x9qq  Medium    < 0.1% (15th)  < 0.1  
aiohttp       3.13.2     3.13.3    python  GHSA-54jq-c3m8-4m76  Low       < 0.1% (18th)  < 0.1  
urllib3       2.6.2      2.6.3     python  GHSA-38jv-5279-wg99  High      < 0.1% (4th)   < 0.1  
aiohttp       3.13.2     3.13.3    python  GHSA-mqqc-3gqh-h2x8  Low       < 0.1% (13th)  < 0.1  
aiohttp       3.13.2     3.13.3    python  GHSA-69f9-5gxw-wvc2  Low       < 0.1% (12th)  < 0.1  
aiohttp       3.13.2     3.13.3    python  GHSA-fh55-r93g-j68g  Low       < 0.1% (12th)  < 0.1  
filelock      3.20.1     3.20.3    python  GHSA-qmgc-5h2g-mvrw  Medium    < 0.1% (5th)   < 0.1  
virtualenv    20.35.4    20.36.1   python  GHSA-597g-3phw-6986  Medium    < 0.1% (5th)   < 0.1  
cryptography  46.0.3     46.0.5    python  GHSA-r6ph-v2qm-q3c2  High      < 0.1% (0th)   < 0.1
[0040] ERROR discovered vulnerabilities at or above the severity threshold

⚠️ DOCKERFILE / hadolint - 1 error
Dockerfile:5 DL3013 warning: Pin versions in pip. Instead of `pip install <package>` use `pip install <package>==<version>` or `pip install --requirement <requirements file>`
docker/Dockerfile:7 DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`
docker/Dockerfile:12 DL3045 warning: `COPY` to a relative destination without `WORKDIR` set.
docker/Dockerfile:15 DL3003 warning: Use WORKDIR to switch to a directory
docker/Dockerfile:15 DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check
docker/Dockerfile:15 SC2226 warning: This ln has no destination. Check the arguments, or specify '.' explicitly.
docker/Dockerfile:24 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments

⚠️ SPELL / lychee - 3 errors
[IGNORED] docker://nvuillam/github-dependents-info:v3.0.0 | Unsupported: Error creating request client: builder error for url (docker://nvuillam/github-dependents-info:v3.0.0)
[ERROR] https://www.contributor-covenant.org/ | Network error: error sending request for url (https://www.contributor-covenant.org/)
[404] https://docs.github.com/en/github/administering-a-repository/keeping-your-dependencies-updated-automatically | Network error: Not Found
[404] https://github.com/actions-marketplace-validations/AkhileshNS_heroku-deploy | Network error: Not Found
📝 Summary
---------------------
🔍 Total..........177
✅ Successful.....137
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded........36
❓ Unknown..........0
🚫 Errors...........3

Errors in CODE_OF_CONDUCT.md
[ERROR] https://www.contributor-covenant.org/ | Network error: error sending request for url (https://www.contributor-covenant.org/)

Errors in .github/dependabot.yml
[404] https://docs.github.com/en/github/administering-a-repository/keeping-your-dependencies-updated-automatically | Network error: Not Found

Errors in docs/github-dependents-info.md
[404] https://github.com/actions-marketplace-validations/AkhileshNS_heroku-deploy | Network error: Not Found

⚠️ MARKDOWN / markdownlint - 17 errors
.github/PULL_REQUEST_TEMPLATE.md:1 error MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## Description"]
docs/github-dependents-info.md:8:401 error MD013/line-length Line length [Expected: 400; Actual: 1092]
README.md:47:2 error MD045/no-alt-text Images should have alternate text (alt text)
README.md:48:2 error MD045/no-alt-text Images should have alternate text (alt text)
README.md:49:2 error MD045/no-alt-text Images should have alternate text (alt text)
README.md:50:2 error MD045/no-alt-text Images should have alternate text (alt text)
README.md:216:3 error MD051/link-fragments Link fragments should be valid [Context: "[Installation](#⚙️-installation)"]
README.md:217:3 error MD051/link-fragments Link fragments should be valid [Context: "[Usage](#🛠️-usage)"]
README.md:218:3 error MD051/link-fragments Link fragments should be valid [Context: "[Examples](#🧪-examples)"]
README.md:276 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:280 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:285 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:289 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:293 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:297 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:301 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:328:1 error MD045/no-alt-text Images should have alternate text (alt text)
⚠️ PYTHON / mypy - 5 errors
github_dependents_info/gh_dependents_info.py:50: error: Need type annotation for "packages" (hint: "packages: list[<type>] = ...")  [var-annotated]
github_dependents_info/gh_dependents_info.py:51: error: Need type annotation for "all_public_dependent_repos" (hint: "all_public_dependent_repos: list[<type>] = ...")  [var-annotated]
github_dependents_info/gh_dependents_info.py:52: error: Need type annotation for "badges" (hint: "badges: dict[<type>, <type>] = ...")  [var-annotated]
github_dependents_info/gh_dependents_info.py:53: error: Need type annotation for "result" (hint: "result: dict[<type>, <type>] = ...")  [var-annotated]
github_dependents_info/gh_dependents_info.py:240: error: Item "None" of "Path | None" has no attribute "mkdir"  [union-attr]
Found 5 errors in 1 file (checked 7 source files)
⚠️ PYTHON / pyright - 4 errors
github_dependents_info/__main__.py
  github_dependents_info/__main__.py:7:6 - error: Import "rich.console" could not be resolved (reportMissingImports)
github_dependents_info/gh_dependents_info.py
  github_dependents_info/gh_dependents_info.py:13:8 - error: Import "pandas" could not be resolved (reportMissingImports)
  github_dependents_info/gh_dependents_info.py:14:6 - error: Import "bs4" could not be resolved (reportMissingImports)
  github_dependents_info/gh_dependents_info.py:240:32 - error: "mkdir" is not a known attribute of "None" (reportOptionalMemberAccess)
4 errors, 0 warnings, 0 informations

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@beta --custom-flavor-setup --custom-flavor-linters PYTHON_PYLINT,PYTHON_BLACK,PYTHON_FLAKE8,PYTHON_ISORT,PYTHON_BANDIT,PYTHON_MYPY,PYTHON_PYRIGHT,PYTHON_RUFF,ACTION_ACTIONLINT,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_CSPELL,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository

@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 5d518a5 to c47f0b9 Compare December 25, 2025 00:38
@renovate renovate bot changed the title Update dependency safety to v3.7.0 Update all non-major dependencies Dec 25, 2025
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from c47f0b9 to 429a6c6 Compare December 25, 2025 00:49
@cclauss cclauss mentioned this pull request Dec 25, 2025
11 tasks
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from c8644a3 to aa060b4 Compare December 28, 2025 16:52
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 12 times, most recently from 37f0108 to 55a24fd Compare January 9, 2026 17:12
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 7 times, most recently from fbe44e7 to 08f801a Compare January 14, 2026 17:05
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from d9cb7b3 to b978564 Compare January 19, 2026 06:00
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 9 times, most recently from ae40f43 to 6fdebfa Compare January 31, 2026 02:00
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 11 times, most recently from 8c813ea to c7a48ec Compare February 8, 2026 01:46
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 8 times, most recently from 346a7a6 to 4d81a2a Compare February 13, 2026 10:33
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 4d81a2a to 5c1e645 Compare February 14, 2026 01:24