v1.19.0.rc1
Breaking Changes📦 huggingface-hubView on GitHub →
⚠ 2 breaking✨ 6 features🐛 3 fixes🔧 10 symbols
Summary
This release introduces secure Keyless CI/CD authentication via OIDC and enhances the CLI by supporting `hf://` URIs for uploads and downloads. It also exposes job container ports through the public jobs proxy and migrates Xet functionality to a new session-based API.
⚠️ Breaking Changes
- When using `hf upload` or `hf download` with an `hf://` URI, positional arguments for repo ID, `--repo-type`, or `--revision` are no longer accepted or take precedence. The URI must be the single source of truth. If a URI is used, passing `--repo-type` or `--revision` will raise an error. Similarly, a path specified within the URI cannot be combined with positional filenames (download) or `path_in_repo` (upload).
- All Xet upload and download code must migrate from the old function-based `hf_xet` API to the new session-based `XetSession` API (requires `hf-xet >= 1.5.0`). Token refresh logic must use the centralized `xet_connection_info_refresh_url()` builder, and progress reporting must adhere to the new `(group_report, item_reports)` contract.
Migration Steps
- If using Xet functionality, migrate all code from the function-based `hf_xet` API to the session-based `XetSession` API (ensure `hf-xet >= 1.5.0`).
- If using Xet token refresh or progress reporting, update logic to use `xet_connection_info_refresh_url()` and the `(group_report, item_reports)` contract, respectively.
- When using `hf upload` or `hf download`, prefer using the `hf://` URI format and remove reliance on separate `--repo-type` or `--revision` flags if they conflict with the URI content.
✨ New Features
- Introduced Keyless CI/CD authentication via OIDC token exchange using Trusted Publishers. Set `HF_OIDC_RESOURCE` to scope the token; GitHub Actions is supported out-of-the-box.
- `hf upload` and `hf download` now accept `hf://` URIs (e.g., `hf://datasets/repo/file@revision/path`) which encode repo type, revision, and path, deprecating the need for separate `--repo-type` and `--revision` flags.
- Jobs can now expose container ports through the public jobs proxy using `--expose <port>` (CLI) or `expose=[port]` (Python API). Exposed ports are reachable at `https://<job_id>--<port>.hf.jobs`.
- Job responses now include `expose_urls` on `JobStatus` when ports are exposed.
- CLI now accepts web URLs in bucket CLI commands.
- Agent harness detection dynamically fetches the registry from the Hub API instead of using a hardcoded list, with local caching.
🐛 Bug Fixes
- Fixed `ImportError` on Python 3.15 by removing the private `_MISSING_TYPE` import from the `dataclasses` module.
- Corrected grammar in the ignored-pattern warning message for `hf download` (changed "have being" to "have been").
- Fixed transient location errors during file metadata retrieval by accepting `cdn.hf.co` in addition to `xethub.hf.co` in redirect URL checks.