Build: Bump huggingface-hub from 1.3.4 to 1.18.0 #135

Open
dependabot[bot] wants to merge 1 commit into li-0.11 from dependabot/uv/huggingface-hub-1.18.0

dependabot[bot] commented on behalf of github on Jun 11, 2026

Bumps huggingface-hub from 1.3.4 to 1.18.0.

Release notes

Sourced from huggingface-hub's releases.

[v1.18.0] Unified file copying, web URL support, and storage usage

🖥️ Unified hf cp command

A single hf cp command now handles all file-copy workflows (upload a local file, download from the Hub, or copy between two remote locations) with consistent hf:// URI syntax for both repositories and buckets. It is also available as hf repos cp and hf buckets cp; all three aliases are identical, so you can use whichever reads best for your workflow. You can stream from stdin (-) or to stdout (-), and a trailing / on the source path gives you rsync-style semantics (copy the folder contents, not the folder itself). Note that remote-to-remote copies only work within the same storage region, and bucket-to-repo is not yet supported.

# Upload a local file to a repo
hf cp ./model.safetensors hf://username/my-model/model.safetensors

# Download a file to stdout
hf cp hf://username/my-model/config.json - | jq .

# Copy between two Hub repos
hf cp hf://username/source-model/config.json hf://username/dest-model/config.json

📚 Documentation: CLI guide — Copy files

  • [CLI] Add unified hf cp command (aliased as hf repos cp and hf buckets cp) by @Wauplin in #4295

🥚 Easter egg: explore your storage usage

🔗 Paste web URLs directly

parse_hf_uri now accepts Hugging Face web URLs so you can paste a link straight into the CLI or the library and it "just works".

# Copy-paste a URL from the website
hf cp https://huggingface.co/nvidia/LocateAnything-3B/blob/main/config.json - | jq '.architectures'

📚 Documentation: HF URIs — Web URLs

  • [URIs] Parse web URLs in parse_hf_uri + add HfUri.to_url by @Wauplin in #4296

🚨 Breaking change

On Lustre, GPFS, and some NFS mounts, flock(2) silently succeeds for every caller, which means filelock provides no mutual exclusion. When multiple hf_hub_download calls race for the same file, they can append to the same .incomplete file and silently corrupt the blob cache. This release fixes that by always downloading to a fresh temporary file instead of resuming an incomplete one, making the download path safe even when file locking is broken. filelock is still used as a "best-effort" hint to avoid unnecessary duplicate downloads, but correctness no longer depends on it. This is a breaking change: resuming a previously failed partial download is no longer possible. However, file resumability was already a niche use case only applicable when hf_xet is disabled.

  • [Fix] Make concurrent downloads safe even when file locking is broken by @Wauplin in #4306

🖥️ CLI

... (truncated)

Commits
  • 64e5356 Release: v1.18.0
  • b1c4c20 Release: v1.18.0.rc0
  • c505f77 [Fix] Make concurrent downloads safe even when file locking is broken (#4306)
  • d04c3b2 [URIs] Parse web URLs in parse_hf_uri + add HfUri.to_url (#4296)
  • 0e57086 Bump the actions group with 2 updates (#4309)
  • e628f15 [Download] Probe umask next to incomplete file instead of two levels above de...
  • f4a91c2 [CLI] inline enum choices in the generated CLI skill (#4299)
  • 1138933 [Docs] Mention storage region limitation for server-side copy (#4302)
  • 26a6df1 [Docs] Document missing parameters in hf_hub_url and preupload_lfs_files (#4300)
  • c6dfc6d [Docs] Document missing endpoint and template_str parameters (#4298)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [huggingface-hub](https://github.com/huggingface/huggingface_hub) from 1.3.4 to 1.18.0.
- [Release notes](https://github.com/huggingface/huggingface_hub/releases)
- [Commits](huggingface/huggingface_hub@v1.3.4...v1.18.0)

---
updated-dependencies:
- dependency-name: huggingface-hub
  dependency-version: 1.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
dependabot[bot] added the dependencies and python:uv labels on Jun 11, 2026
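
The breaking change in the v1.18.0 release notes above (concurrent downloads appending to one .incomplete file when flock(2) is a no-op) can be reproduced in miniature. This is an added example, not code from huggingface_hub or from this PR: fetch_chunks, the file names and the rename-into-place step are assumptions made for the illustration, and the two racing callers are interleaved deterministically in one thread.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample content standing in for a model blob (not real Hub data).
PAYLOAD = b"constructed-blob-" * 4096
CHUNK = 8192


def fetch_chunks():
    """Hypothetical stand-in for one caller's HTTP response body."""
    for i in range(0, len(PAYLOAD), CHUNK):
        yield PAYLOAD[i:i + CHUNK]


def shared_incomplete(cache_dir, name, callers=2):
    """Pre-fix pattern with a lock that never blocks: all callers append to one file."""
    incomplete = os.path.join(cache_dir, name + ".incomplete")
    for chunks in zip(*(fetch_chunks() for _ in range(callers))):
        for chunk in chunks:  # deterministic interleaving of the racing callers
            with open(incomplete, "ab") as f:
                f.write(chunk)
    final = os.path.join(cache_dir, name)
    os.replace(incomplete, final)
    return final


def fresh_tempfile(cache_dir, name, callers=2):
    """Post-fix pattern: one private temp file per caller, renamed into place when complete."""
    final = os.path.join(cache_dir, name)
    temps = [tempfile.NamedTemporaryFile(dir=cache_dir, suffix=".incomplete", delete=False)
             for _ in range(callers)]
    for chunks in zip(*(fetch_chunks() for _ in range(callers))):
        for tmp, chunk in zip(temps, chunks):
            tmp.write(chunk)
    for tmp in temps:
        tmp.close()
        # Assumption: publish by rename inside the same directory, so readers see a whole file.
        os.replace(tmp.name, final)
    return final


def demo():
    """Return (old_pattern_intact, new_pattern_intact) by comparing SHA-256 digests."""
    expected = hashlib.sha256(PAYLOAD).hexdigest()
    with tempfile.TemporaryDirectory() as cache:
        digests = [hashlib.sha256(Path(fn(cache, "blob.bin")).read_bytes()).hexdigest()
                   for fn in (shared_incomplete, fresh_tempfile)]
    return digests[0] == expected, digests[1] == expected
```

The digest comparison in demo() is the same check a reviewer can run against cached blobs on a shared filesystem before and after taking this bump.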