Change8

v1.19.0.rc1

Breaking Changes
📦 huggingface-hubView on GitHub →
2 breaking6 features🐛 3 fixes🔧 10 symbols

Summary

This release introduces secure Keyless CI/CD authentication via OIDC and enhances the CLI by supporting `hf://` URIs for uploads and downloads. It also exposes job container ports through the public jobs proxy and migrates Xet functionality to a new session-based API.

⚠️ Breaking Changes

  • When using `hf upload` or `hf download` with an `hf://` URI, positional arguments for repo ID, `--repo-type`, or `--revision` are no longer accepted or take precedence. The URI must be the single source of truth. If a URI is used, passing `--repo-type` or `--revision` will raise an error. Similarly, a path specified within the URI cannot be combined with positional filenames (download) or `path_in_repo` (upload).
  • All Xet upload and download code must migrate from the old function-based `hf_xet` API to the new session-based `XetSession` API (requires `hf-xet >= 1.5.0`). Token refresh logic must use the centralized `xet_connection_info_refresh_url()` builder, and progress reporting must adhere to the new `(group_report, item_reports)` contract.

Migration Steps

  1. If using Xet functionality, migrate all code from the function-based `hf_xet` API to the session-based `XetSession` API (ensure `hf-xet >= 1.5.0`).
  2. If using Xet token refresh or progress reporting, update logic to use `xet_connection_info_refresh_url()` and the `(group_report, item_reports)` contract, respectively.
  3. When using `hf upload` or `hf download`, prefer using the `hf://` URI format and remove reliance on separate `--repo-type` or `--revision` flags if they conflict with the URI content.

✨ New Features

  • Introduced Keyless CI/CD authentication via OIDC token exchange using Trusted Publishers. Set `HF_OIDC_RESOURCE` to scope the token; GitHub Actions is supported out-of-the-box.
  • `hf upload` and `hf download` now accept `hf://` URIs (e.g., `hf://datasets/repo/file@revision/path`) which encode repo type, revision, and path, deprecating the need for separate `--repo-type` and `--revision` flags.
  • Jobs can now expose container ports through the public jobs proxy using `--expose <port>` (CLI) or `expose=[port]` (Python API). Exposed ports are reachable at `https://<job_id>--<port>.hf.jobs`.
  • Job responses now include `expose_urls` on `JobStatus` when ports are exposed.
  • CLI now accepts web URLs in bucket CLI commands.
  • Agent harness detection dynamically fetches the registry from the Hub API instead of using a hardcoded list, with local caching.

🐛 Bug Fixes

  • Fixed `ImportError` on Python 3.15 by removing the private `_MISSING_TYPE` import from the `dataclasses` module.
  • Corrected grammar in the ignored-pattern warning message for `hf download` (changed "have being" to "have been").
  • Fixed transient location errors during file metadata retrieval by accepting `cdn.hf.co` in addition to `xethub.hf.co` in redirect URL checks.

Affected Symbols