deps(deps): update huggingface-hub requirement from >=0.30.0 to >=1.19.0

[dependabot]

Updates the requirements on huggingface-hub to permit the latest version.

Release notes

Sourced from huggingface-hub's releases.

[v1.19.0] Trusted Publishers, hf:// URIs, and expose-ports for Jobs

🔐 Keyless CI/CD auth via OIDC token exchange

CI workflows can now authenticate to the Hub without storing an HF_TOKEN secret, using Trusted Publishers. Set HF_OIDC_RESOURCE to the repo (or username) you want to scope the token to, and huggingface_hub performs the OIDC exchange under the hood — no token, no setup code. GitHub Actions is supported out of the box (with permissions: id-token: write), and other providers can pass a pre-minted ID token via HF_OIDC_ID_TOKEN. Exchanged tokens are short-lived (1 hour), repo-scoped, and cached locally with automatic refresh.

# Publish a model without storing any HF_TOKEN secret
- name: Push the model
  env:
    HF_OIDC_RESOURCE: acme/awesome-model
  run: hf upload acme/awesome-model ./model .

• [Auth] Keyless CI/CD auth via OIDC token exchange by @​hanouticelina in #4326

📚 Documentation: Trusted Publishers

🖥️ hf:// URIs for upload and download

hf upload and hf download now accept an hf:// URI in place of the positional repo ID. The URI encodes repo type, revision, and file path in a single string following the grammar hf://[<TYPE>/]<ID>[@<REVISION>][/<PATH>], so you no longer need separate --repo-type and --revision flags. When a URI is provided, it is the single source of truth — passing --repo-type or --revision on top of it raises an error, and a path in the URI cannot be combined with positional filenames (download) or path_in_repo (upload).

# Download a single file from a dataset at a given revision
hf download hf://datasets/HuggingFaceM4/FineVision@refs/pr/1/data/train.parquet
Download an entire repo
hf download hf://datasets/google/fleurs
Upload a file to a dataset on a specific branch
hf upload hf://datasets/Wauplin/my-cool-dataset@my-branch/data/train.csv ./train.csv

• [CLI] Support hf:// URIs in hf upload and hf download by @​Wauplin in #4297

📚 Documentation: CLI guide — hf:// URIs · Download guide · Upload guide

🚀 Expose job ports through the jobs proxy

Jobs can now expose container ports through the public jobs proxy using --expose <port> (CLI) or expose=[8000] (Python API). Each exposed port is reachable at https://<job_id>--<port>.hf.jobs and requires an HF token with read access to the job's namespace. This works on hf jobs run, hf jobs uv run, and their scheduled variants. Job responses now surface expose_urls on JobStatus.

# Expose a web server running on port 8000
> hf jobs run --expose 8000 python:3.12 python -m http.server 8000
✓ Job started
  id: 6a2aa7cec4f53f9fc5aa4cff
  url: https://huggingface.co/jobs/Wauplin/6a2aa7cec4f53f9fc5aa4cff
Hint: Exposed ports are reachable at (requires an HF token with read access to the job):
  https://6a2aa7cec4f53f9fc5aa4cff--8000.hf.jobs
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

... (truncated)

Commits

• b1909eb Release: v1.19.0
• fe27c47 OIDC: Include error_description in HTTP error messages (#4341)
• 68dd701 Release: v1.19.0.rc1
• 934797e Release: v1.19.0.rc0
• 69ef7d7 [Agent] Dynamic agent harness registry (#4325)
• f6b439c [fix] Transient locaion error due to CDN (#4339)
• f1f2c43 Fix ignored-pattern warning grammar in download CLI (#4337)
• 92009d4 [Tests] Add xet/no_xet pytest markers to filter Xet vs non-Xet tests (#4336)
• e3b6d5b [Auth] Keyless CI/CD auth via OIDC token exchange (#4326)
• 8e4ca5c [CI] Remove .github/workflows/python-prerelease.yml (#4335)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[vesper-review]

Vesper

Reviewed commits

Commit	Summary
d4d7895	deps(deps): update huggingface-hub requirement from >=0.30.0 to >=1.19.0

The huggingface_hub library is currently versioned in the 0.x range (with recent versions being 0.28.x and 0.29.x). There is no version 1.19.0 available on PyPI, so specifying >=1.19.0 will cause pip install to fail with a "No matching distribution found" error.

If you intended to specify a recent version, you should use a valid 0.x version such as 0.29.0 (or revert to 0.30.0 if you are targeting an upcoming release).

Suggestion

requirements.txt
@@ -8,3 +8,3 @@ evaluate==0.4.6
-huggingface_hub>=1.19.0
+huggingface_hub>=0.29.0

[vesper-review]

Vesper Analysis for d4d7895

[vesper-review]

If you intended to specify a recent version, you should use a valid 0.x version such as 0.29.0 (or revert to 0.30.0 if you are targeting an upcoming release).

Suggested change

	huggingface_hub>=1.19.0
	huggingface_hub>=0.29.0