build(deps): bump the minor-and-patch group across 1 directory with 19 updates

[dependabot]

Bumps the minor-and-patch group with 19 updates in the / directory:

Package	From	To
anthropic	0.25.0	0.100.0
certifi	2026.2.25	2026.4.22
click	8.3.1	8.3.3
fastapi	0.110.0	0.136.1
filelock	3.25.2	3.29.0
fsspec	2026.2.0	2026.4.0
hf-xet	1.4.2	1.5.0
huggingface-hub	1.7.2	1.14.0
idna	3.11	3.14
markdown-it-py	4.0.0	4.2.0
packaging	26.0	26.2
pydantic	2.12.5	2.13.4
pydantic-core	2.41.5	2.46.4
pygments	2.19.2	2.20.0
pytest	9.0.2	9.0.3
pytz	2026.1.post1	2026.2
tokenizers	0.22.2	0.23.1
typer	0.24.1	0.25.1
uvicorn	0.29.0	0.46.0

Updates anthropic from 0.25.0 to 0.100.0

Release notes

Sourced from anthropic's releases.

v0.100.0

0.100.0 (2026-05-06)

Full Changelog: v0.99.0...v0.100.0

Features

• api: add support for Managed Agents multiagents and outcomes, webhooks, vault validation (3b3deee)

Bug Fixes

• api: Adjust webhook configuration (8c3339e)

v0.99.0

0.99.0 (2026-05-05)

Full Changelog: v0.98.1...v0.99.0

Features

• client: allow targeting a workspace for OIDC federation token exchange (4ba8067)

v0.98.1

0.98.1 (2026-05-04)

Full Changelog: v0.98.0...v0.98.1

Chores

• fix typo in example (#1754) (de8ba13)

v0.98.0

0.98.0 (2026-05-04)

Full Changelog: v0.97.0...v0.98.0

Features

• api: improve Managed Agents APIs (7faf393)
• client: add Workload Identity Federation, interactive OAuth, and auth profiles (6458bcc)
• support setting headers via env (52eb8cd)

Bug Fixes

• streaming: propagate stop_details from message_delta onto accumulated Message (#1725) (900dd9b)
• use correct field name format for multipart file arrays (8350bdc)
• vertex: async client missing us/eu multi-region base_url branches (#1734) (3e78f71)

... (truncated)

Changelog

Sourced from anthropic's changelog.

0.100.0 (2026-05-06)

Full Changelog: v0.99.0...v0.100.0

Features

• api: add support for Managed Agents multiagents and outcomes, webhooks, vault validation (3b3deee)

Bug Fixes

• api: Adjust webhook configuration (8c3339e)

0.99.0 (2026-05-05)

Full Changelog: v0.98.1...v0.99.0

Features

• client: allow targeting a workspace for OIDC federation token exchange (4ba8067)

0.98.1 (2026-05-04)

Full Changelog: v0.98.0...v0.98.1

Chores

• fix typo in example (#1754) (de8ba13)

0.98.0 (2026-05-04)

Full Changelog: v0.97.0...v0.98.0

Features

• api: improve Managed Agents APIs (7faf393)
• client: add Workload Identity Federation, interactive OAuth, and auth profiles (6458bcc)
• support setting headers via env (52eb8cd)

Bug Fixes

• streaming: propagate stop_details from message_delta onto accumulated Message (#1725) (900dd9b)
• use correct field name format for multipart file arrays (8350bdc)
• vertex: async client missing us/eu multi-region base_url branches (#1734) (3e78f71)

Chores

• internal: reformat pyproject.toml (5a9d5fd)

... (truncated)

Commits

• 04b468d release: 0.100.0
• 2c15407 fix(api): Adjust webhook configuration
• dc0ce48 feat(api): add support for Managed Agents multiagents and outcomes, webhooks,...
• d573b82 release: 0.99.0
• 119e123 feat(client): allow targeting a workspace for OIDC federation token exchange
• 637560c release: 0.98.1
• 4fb779f chore: fix typo in example (#1754)
• 11b87bc release: 0.98.0
• b669ad4 codegen metadata
• 3be1e89 feat(client): add Workload Identity Federation, interactive OAuth, and auth p...
• Additional commits viewable in compare view

Updates certifi from 2026.2.25 to 2026.4.22

Commits

• 5dddfb0 2026.04.22 (#410)
• f99eccd Bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (#404)
• 918bed0 Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#405)
• 0a49067 Bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 (#403)
• acf6ce8 Bump actions/download-artifact from 8.0.0 to 8.0.1 (#398)
• feb0ed2 Bump actions/download-artifact from 7.0.0 to 8.0.0 (#397)
• d9c11a5 Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#396)
• See full diff in compare view

Updates click from 8.3.1 to 8.3.3

Release notes

Sourced from click's releases.

8.3.3

This is the Click 8.3.3 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.3.3/ Changes: https://click.palletsprojects.com/page/changes/#version-8-3-3 Milestone: https://github.com/pallets/click/milestone/30

• Use :func:shlex.split to split pager and editor commands into argv lists for :class:subprocess.Popen, removing shell=True. #1026 #1477 #2775
• Fix TypeError when rendering help for an option whose default value is an object that doesn't support equality comparison with strings, such as semver.Version. #3298 #3299
• Fix pager test pollution under parallel execution by using pytest's tmp_path fixture instead of a shared temporary file path. #3238
• Treat Sentinel.UNSET values in a default_map as absent, so they fall through to the next default source instead of being used as the value. #3224 #3240
• Patch pdb.Pdb in CliRunner isolation so pdb.set_trace(), breakpoint(), and debuggers subclassing pdb.Pdb (ipdb, pdbpp) can interact with the real terminal instead of the captured I/O streams. #654 #824 #843 #951 #3235
• Add optional randomized parallel test execution using pytest-randomly and pytest-xdist to detect test pollution and race conditions. #3151
• Add contributor documentation for running stress tests, randomized parallel tests, and Flask smoke tests. #3151 #3177
• Show custom show_default string in prompts, matching the existing help text behavior. #2836 #2837 #3165 #3262 #3280 #3328
• Fix default=True with boolean flag_value always returning the flag_value instead of True. The default=True to flag_value substitution now only applies to non-boolean flags, where True acts as a sentinel meaning "activate this flag by default". For boolean flags, default=True is returned as a literal value. #3111 #3239
• Mark make_default_short_help as private API. #3189 #3250
• CliRunner's redirected streams now expose the original file descriptor via fileno(), so that faulthandler, subprocess, and other C-level consumers no longer crash with io.UnsupportedOperation. #2865
• Change :class:ParameterSource to an :class:~enum.IntEnum and reorder its members from most to least explicit, so values can be compared to check whether a parameter was explicitly provided. #2879 #3248

8.3.2

This is the Click 8.3.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.3.2/ Changes: https://click.palletsprojects.com/page/changes/#version-8-3-2 Milestone: https://github.com/pallets/click/milestone/29

... (truncated)

Changelog

Sourced from click's changelog.

Version 8.3.3

Released 2026-04-20

• Use :func:shlex.split to split pager and editor commands into argv lists for :class:subprocess.Popen, removing shell=True. :issue:1026 :pr:1477 :pr:2775
• Fix TypeError when rendering help for an option whose default value is an object that doesn't support equality comparison with strings, such as semver.Version. :issue:3298 :pr:3299
• Fix pager test pollution under parallel execution by using pytest's tmp_path fixture instead of a shared temporary file path. :pr:3238
• Treat Sentinel.UNSET values in a default_map as absent, so they fall through to the next default source instead of being used as the value. :issue:3224 :pr:3240
• Patch pdb.Pdb in CliRunner isolation so pdb.set_trace(), breakpoint(), and debuggers subclassing pdb.Pdb (ipdb, pdbpp) can interact with the real terminal instead of the captured I/O streams. :issue:654 :issue:824 :issue:843 :pr:951 :pr:3235
• Add optional randomized parallel test execution using pytest-randomly and pytest-xdist to detect test pollution and race conditions. :pr:3151
• Add contributor documentation for running stress tests, randomized parallel tests, and Flask smoke tests. :pr:3151 :pr:3177
• Show custom show_default string in prompts, matching the existing help text behavior. :issue:2836 :pr:2837 :pr:3165 :pr:3262 :pr:3280 :pr:3328
• Fix default=True with boolean flag_value always returning the flag_value instead of True. The default=True to flag_value substitution now only applies to non-boolean flags, where True acts as a sentinel meaning "activate this flag by default". For boolean flags, default=True is returned as a literal value. :issue:3111 :pr:3239
• Mark make_default_short_help as private API. :issue:3189 :pr:3250
• CliRunner's redirected streams now expose the original file descriptor via fileno(), so that faulthandler, subprocess, and other C-level consumers no longer crash with io.UnsupportedOperation. :issue:2865
• Change :class:ParameterSource to an :class:~enum.IntEnum and reorder its members from most to least explicit, so values can be compared to check whether a parameter was explicitly provided. :issue:2879 :pr:3248

Version 8.3.2

Released 2026-04-02

• Fix handling of flag_value when is_flag=False to allow such options to be used without an explicit value. :issue:3084 :pr:3152
• Hide Sentinel.UNSET values as None when using lookup_default(). :issue:3136 :pr:3199 :pr:3202 :pr:3209 :pr:3212 :pr:3224

... (truncated)

Commits

• c06d2d0 Release 8.3.3
• f1f191e Apply format guidelines to commits since latest 8.3.2 release (#3343)
• bb59ba0 Apply format guidelines to commits since latest 8.3.2 release
• 4a35225 Reduce blast-radius of UNSET in default_map (#3240)
• c07bb93 Merge branch 'stable' into unset-in-default-map
• c7e1ba8 Reorder ParameterSource (#3248)
• 76552ff Show default string in prompt (#3328)
• ac5cec5 Reorder ParameterSource from most to least explicit
• 8c452e0 Merge branch 'stable' into show-default-string-in-prompt
• 8c95c73 Reconcile default value passing and default activation (#3239)
• Additional commits viewable in compare view

Updates fastapi from 0.110.0 to 0.136.1

Release notes

Sourced from fastapi's releases.

0.136.1

Upgrades

• ⬆️ Update Pydantic v2 code to address deprecations. PR #15101 by @​svlandeg.

Internal

• 🔨 Tweak translation script. PR #15174 by @​YuriiMotov.
• ⬆ Bump mkdocs-material from 9.7.1 to 9.7.6. PR #15408 by @​dependabot[bot].
• ⬆ Bump inline-snapshot from 0.31.1 to 0.32.6. PR #15409 by @​dependabot[bot].
• ⬆ Bump pytest-codspeed from 4.3.0 to 4.4.0. PR #15407 by @​dependabot[bot].
• ⬆ Bump pytest-cov from 7.0.0 to 7.1.0. PR #15406 by @​dependabot[bot].
• ⬆ Bump cloudflare/wrangler-action from 3.14.1 to 3.15.0. PR #15405 by @​dependabot[bot].
• ⬆ Bump mypy from 1.19.1 to 1.20.1. PR #15410 by @​dependabot[bot].
• ⬆ Bump python-dotenv from 1.2.1 to 1.2.2. PR #15400 by @​dependabot[bot].
• ⬆ Bump starlette from 0.52.1 to 1.0.0. PR #15397 by @​dependabot[bot].
• ⬆ Bump pygithub from 2.8.1 to 2.9.1. PR #15396 by @​dependabot[bot].
• ⬆ Bump pyjwt from 2.12.0 to 2.12.1. PR #15393 by @​dependabot[bot].
• ⬆ Bump zizmor from 1.23.1 to 1.24.1. PR #15394 by @​dependabot[bot].
• ⬆ Bump strawberry-graphql from 0.312.3 to 0.314.3. PR #15395 by @​dependabot[bot].
• ⬆ Bump python-multipart from 0.0.22 to 0.0.26. PR #15360 by @​dependabot[bot].
• ⬆ Bump authlib from 1.6.9 to 1.6.11. PR #15373 by @​dependabot[bot].
• ⬆ Bump aiohttp from 3.13.3 to 3.13.4. PR #15282 by @​dependabot[bot].
• ⬆ Bump pygments from 2.19.2 to 2.20.0. PR #15263 by @​dependabot[bot].
• ⬆ Bump pymdown-extensions from 10.20.1 to 10.21.2. PR #15391 by @​YuriiMotov.
• ⬆ Bump pillow from 12.1.1 to 12.2.0. PR #15333 by @​dependabot[bot].
• ⬆ Bump pytest from 9.0.2 to 9.0.3. PR #15334 by @​dependabot[bot].
• ⬆ Bump actions/upload-artifact from 7.0.0 to 7.0.1. PR #15374 by @​dependabot[bot].
• ⬆ Bump actions/cache from 5.0.4 to 5.0.5. PR #15385 by @​dependabot[bot].
• 🔧 Update sponsors: remove Zuplo. PR #15369 by @​tiangolo.
• 🔧 Update sponsors: remove Speakeasy. PR #15368 by @​tiangolo.
• 🔒️ Add zizmor and fix audit findings. PR #15316 by @​YuriiMotov.

0.136.0

Upgrades

• ⬆️ Support free-threaded Python 3.14t. PR #15149 by @​svlandeg.

0.135.4

Refactors

• 🔥 Remove April Fool's @app.vibe() 🤪. PR #15363 by @​tiangolo.

Internal

• ⬆ Bump cryptography from 46.0.5 to 46.0.7. PR #15314 by @​dependabot[bot].
• ⬆ Bump strawberry-graphql from 0.307.1 to 0.312.3. PR #15309 by @​dependabot[bot].
• 🔨 Add pre-commit hook to ensure latest release header has date. PR #15293 by @​YuriiMotov.

0.135.3

... (truncated)

Commits

• e54e5a8 🔖 Release version 0.136.1
• 9a8a5fd 📝 Update release notes
• 7815a32 ⬆️ Update Pydantic v2 code to address deprecations (#15101)
• ef1c927 📝 Update release notes
• 38039e1 🔨 Tweak translation script (#15174)
• 4fa826c 📝 Update release notes
• c394156 ⬆ Bump mkdocs-material from 9.7.1 to 9.7.6 (#15408)
• ae230ad 📝 Update release notes
• d9eb39d ⬆ Bump inline-snapshot from 0.31.1 to 0.32.6 (#15409)
• 4f8b5d1 📝 Update release notes
• Additional commits viewable in compare view

Updates filelock from 3.25.2 to 3.29.0

Release notes

Sourced from filelock's releases.

3.29.0

What's Changed

• 🐛 fix(async): use single-thread executor for lock consistency by @​gaborbernat in tox-dev/filelock#533
• ✨ feat(soft): enable stale lock detection on Windows by @​gaborbernat in tox-dev/filelock#534

Full Changelog: tox-dev/filelock@3.28.0...3.29.0

3.28.0

What's Changed

• 🐛 fix(ci): unbreak release workflow, publish to PyPI again by @​gaborbernat in tox-dev/filelock#529

Full Changelog: tox-dev/filelock@3.27.0...3.28.0

3.27.0

What's Changed

• ✨ feat(rw): add SoftReadWriteLock for NFS and HPC clusters by @​gaborbernat in tox-dev/filelock#528

Full Changelog: tox-dev/filelock@3.26.1...3.27.0

3.26.1

What's Changed

• 🐛 fix(asyncio): add exit to BaseAsyncFileLock and fix del loop handling by @​naarob in tox-dev/filelock#518

New Contributors

• @​naarob made their first contribution in tox-dev/filelock#518

Full Changelog: tox-dev/filelock@3.26.0...3.26.1

3.26.0

What's Changed

• 🔒 ci(workflows): add zizmor security auditing by @​gaborbernat in tox-dev/filelock#517
• 🔧 fix(ci): restore git credentials for release job by @​gaborbernat in tox-dev/filelock#520
• ✨ feat(soft): add PID inspection and lock breaking by @​gaborbernat in tox-dev/filelock#524

Full Changelog: tox-dev/filelock@3.25.2...3.26.0

Changelog

Sourced from filelock's changelog.

########### Changelog ###########

---

3.29.0 (2026-04-19)

---

• ✨ feat(soft): enable stale lock detection on Windows :pr:534
• 🐛 fix(async): use single-thread executor for lock consistency :pr:533
• build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 :pr:530 - by :user:dependabot[bot]

---

3.28.0 (2026-04-14)

---

• 🐛 fix(ci): unbreak release workflow, publish to PyPI again :pr:529

---

3.26.1 (2026-04-09)

---

• 🐛 fix(asyncio): add exit to BaseAsyncFileLock and fix del loop handling :pr:518 - by :user:naarob
• build(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 :pr:525 - by :user:dependabot[bot]

---

3.26.0 (2026-04-06)

---

• ✨ feat(soft): add PID inspection and lock breaking :pr:524
• [pre-commit.ci] pre-commit autoupdate :pr:523 - by :user:pre-commit-ci[bot]
• build(deps): bump astral-sh/setup-uv from 7.6.0 to 8.0.0 :pr:522 - by :user:dependabot[bot]
• Remove persist-credentials: false from release job :pr:520
• [pre-commit.ci] pre-commit autoupdate :pr:519 - by :user:pre-commit-ci[bot]
• 🔒 ci(workflows): add zizmor security auditing :pr:517
• [pre-commit.ci] pre-commit autoupdate :pr:516 - by :user:pre-commit-ci[bot]
• [pre-commit.ci] pre-commit autoupdate :pr:514 - by :user:pre-commit-ci[bot]

---

3.25.2 (2026-03-11)

---

• 🐛 fix(unix): suppress EIO on close in Docker bind mounts :pr:513

---

3.25.1 (2026-03-09)

---

• [pre-commit.ci] pre-commit autoupdate :pr:510 - by :user:pre-commit-ci[bot]
• 🐛 fix(win): restore best-effort lock file cleanup on release :pr:511

... (truncated)

Commits

• 469b47f Release 3.29.0
• e85d072 ✨ feat(soft): enable stale lock detection on Windows (#534)
• f5ee171 🐛 fix(async): use single-thread executor for lock consistency (#533)
• 2a95458 build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#530)
• 55de20c Release 3.28.0
• 476b0e4 🐛 fix(ci): unbreak release workflow, publish to PyPI again (#529)
• 824713e ✨ feat(rw): add SoftReadWriteLock for NFS and HPC clusters (#528)
• 9879de9 [pre-commit.ci] pre-commit autoupdate (#527)
• 4cfab49 Release 3.26.1
• 734c9f2 🐛 fix(asyncio): add exit to BaseAsyncFileLock and fix del loop handli...
• Additional commits viewable in compare view

Updates fsspec from 2026.2.0 to 2026.4.0

Commits

• 8fdedd1 Merge branch 'master' of https://github.com/fsspec/filesystem_spec
• 8205d0d Release (#2027)
• 50bfba2 Merge branch 'master' of https://github.com/fsspec/filesystem_spec
• f58bc85 Revert "DEP: de-duplicate and sort optional dependencies (#2021)" (#2026)
• c6c7b40 Revert "DEP: de-duplicate and sort optional dependencies (#2021)"
• 3bc67f8 DEP: de-duplicate and sort optional dependencies (#2021)
• 0b290bf docs: add URL handling note to HTTPFileSystem class docstring (#2024)
• b33a2d6 ci: install downstream systems like gcsfs before testing so the _version.py...
• e9e7a5b Delegate DirFileSystem delete and write_text (#2022)
• 105d614 fix: use encode_url() in _pipe_file for consistency (#2023)
• Additional commits viewable in compare view

Updates hf-xet from 1.4.2 to 1.5.0

Release notes

Sourced from hf-xet's releases.

[hf-xet v1.5.0] Session based API

Replaces the old upload_files / download_files / hash_files Python functions with a new object-oriented API that exposes XetSession and its child objects directly as PyO3 classes. This gives Python callers full control over session lifecycle, connection pooling, and progress reporting.

The previous module-level functions are kept under hf_xet/src/legacy/ and remain importable as from hf_xet import upload_files etc., but now emit DeprecationWarning.

New Python API

import hf_xet
Optional: create a custom config (immutable; use .with_config() to derive updates)
config = hf_xet.XetConfig().with_config("data.max_concurrent_file_ingestion", 8)
Create session; config is optional (defaults to XetConfig() with HF_XET_* env overrides)
session = hf_xet.XetSession(config=config)
Upload — multiple files, bytes, and streaming within one commit
with session.new_upload_commit(
endpoint="https://cas.xethub.hf.co",
token="jwt", token_expiry_unix_secs=9999999999,
token_refresh_url="https://…/xet-write-token/main",
token_refresh_headers={"Authorization": "Bearer hf_…"},
) as commit:
h1 = commit.start_upload_file("/path/to/model.bin")
h2 = commit.start_upload_file("/path/to/tokenizer.json", sha256="f2358d9a…")
h3 = commit.start_upload_bytes(b"...", name="config.json")
with commit.start_upload_stream(name="big.bin") as stream:
for chunk in produce_chunks():
    stream.write(chunk)

on normal exit: wait_to_finish() is called automatically
on exception:   abort() is called automatically
SHA-256 sentinels
commit.start_upload_file("/path/to/model.bin", sha256=hf_xet.COMPUTE_SHA256)  # default
commit.start_upload_file("/path/to/model.bin", sha256=hf_xet.SKIP_SHA256)     # skip
Progress callback — receives (GroupProgressReport, dict[UniqueID, ItemProgressReport])
def on_progress(group, items):
bar.n = group.total_bytes_completed
bar.refresh()
with session.new_upload_commit(
token_refresh_url="https://…/xet-write-token/main",
token_refresh_headers={"Authorization": "Bearer hf_…"},
progress_callback=on_progress,
progress_interval_ms=100,
) as commit:
commit.start_upload_file("/path/to/model.bin")
</tr></table>

... (truncated)

Commits

• 6ed5a00 Bump rustls-webpki from 0.103.10 to 0.103.13 (#823)
• 1629992 Add context manager for upload stream (#825)
• 9e804c2 Remove unnecessary UniqueId -> UniqueID type alias (#824)
• 23ec294 Expose XetSession APIs to Python (#792)
• d40f96b Fix spelling typos in comments and docs (#826)
• 18ebe48 Bump hf_xet rand to 0.10 (#811)
• 145b819 feat: expose CAS client factory and chunk cache re-exports (#730)
• 8df04e8 Potential fix for a couple of crates release issues (#806)
• b43c0ae Move XetRuntime model away from thread-local statics (#801)
• 7e91d1c Upgrade testing capability for GC simulations (#786)
• Additional commits viewable in compare view

Updates huggingface-hub from 1.7.2 to 1.14.0

Release notes

Sourced from huggingface-hub's releases.

[v1.14.0] Handle Spaces secrets & variables from CLI and other improvements

🖥️ Manage Space secrets and variables from the CLI

You can now manage Space secrets and environment variables directly from the command line with two new hf spaces subgroups: secrets and variables. Use hf spaces secrets to add, list, and delete write-only secrets, and hf spaces variables to add, list, and delete readable environment variables. Both add commands support multiple -s/-e flags and --secrets-file/-env-file for loading from dotenv files. On the Python side, HfApi.get_space_secrets() returns secret metadata (key, description, updated timestamp) without ever revealing values.

# List secrets (values are write-only — only keys and timestamps are shown)
$ hf spaces secrets ls username/my-space
Add secrets
$ hf spaces secrets add username/my-space -s OPENAI_API_KEY=sk-...
$ hf spaces secrets add username/my-space --secrets-file .env.secrets
Delete a secret (confirmation prompt, use --yes to skip)
$ hf spaces secrets delete username/my-space OPENAI_API_KEY --yes
List, add, and delete variables (values are readable)
$ hf spaces variables ls username/my-space
$ hf spaces variables add username/my-space -e MODEL_ID=gpt2 -e MAX_TOKENS=512
$ hf spaces variables delete username/my-space MAX_TOKENS --yes

• [CLI] Add hf spaces secrets and variables subgroups by @​davanstrien in #4170
• [CLI] Add get_space_secrets + hf spaces secrets ls by @​Wauplin in #4182

📚 Documentation: CLI guide · Manage your Space

🪣 Rsync-style trailing slash for bucket folder copies

hf buckets cp now supports rsync-style trailing slash semantics when copying folders. A trailing / on the source path copies only the folder's contents to the destination, while omitting it nests the folder itself — matching the behavior you'd expect from rsync. This makes it possible to flatten directory structures during copies, which was not possible before. Additionally, copy_files now raises an explicit EntryNotFoundError when the source path resolves to no files, instead of silently succeeding with zero operations.

# Without trailing slash: "logs" dir is nested => dst/logs/...
$ hf buckets cp hf://buckets/username/src-bucket/logs hf://buckets/username/dst/
With trailing slash: only contents of "logs" are copied => dst/...
$ hf buckets cp hf://buckets/username/src-bucket/logs/ hf://buckets/username/dst/

• [Buckets] Support rsync-style trailing slash in copy_files by @​Wauplin in #4187
• [CLI] Raise error when copy_files source doesn't exist by @​Wauplin in #4186

📚 Documentation: Buckets guide · CLI guide

💔 Breaking Change

• [CLI] Rename hf skills upgrade -> hf skills update by @​hanouticelina in #4176 — hf skills upgrade no longer exists; use hf skills update instead.
• [CLI] Add out.status() by @​hanouticelina in #4171 — status updates (spinners/progress) on hf extensions install and hf spaces dev-mode are now suppressed when using --format json, --quiet, or --format agent.

🖥️ CLI

... (truncated)

Commits

• 2ea0c83 Release: v1.14.0
• f7cffc7 Release: v1.14.0.rc0
• ac0156b style
• 32476d9 Update typer dependency version in setup.py (#4193)
• fadab7a [CLI] Raise error when copy_files source doesn't exist (#4186)
• 7c0abeb [CLI] Add get_space_secrets + hf spaces secrets ls (#4182)
• 51adb8f [Buckets] Support rsync-style trailing slash in copy_files to copy folder con...
• 22eaf89 [internal] Untrack useless files (#4191)
• 2774771 Update unit test warnings check to ignore unrelated deprecation warnings (#4188)
• 3d19907 [CLI] Support hf -v to print version (#4185)
• Additional commits viewable in compare view

Updates idna from 3.11 to 3.14

Changelog

Sourced from idna's changelog.

3.14 (2026-05-10) +++++++++++++++++

• Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [GHSA-65pc-fj4g-8rjx]

Thanks to Stan Ulbrych for reporting the issue.

3.13 (2026-04-22) +++++++++++++++++

• Correct classification error for codepoint U+A7F1

3.12 (2026-04-21) +++++++++++++++++

• Update to Unicode 17.0.0.
• Issue a deprecation warning for the transitional argument.
• Added lazy-loading to provide some performance improvements.
• Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython.

Thanks to Rodrigo Nogueira for contributions to this release.

Commits

• 37b6b74 Release v3.14
• 628fef8 Use valid_string_length() for early oversized-input check
• 1e26c7f Tweak release wording
• ab5668f Pre-release 3.14
• c0dda45 Merge commit from fork
• b7391f4 Add docstrings to package (#226)
• 0f4a28d Raise IDNAError on non-string input to encode/decode (#224)
• 7e6df71 Address type issues found by ty (#225)
• 6ebfaab Merge pull request #221 from kjd/release-3.13
• 89cdfd2 Release v3.13
• Additional commits viewable in compare view

Updates markdown-it-py from 4.0.0 to 4.2.0

Release notes

Sourced from markdown-it-py's releases.

v4.2.0

What's Changed

• ✨ Add make_fence_rule() factory for configurable fence markers by @​chrisjsewell in executablebooks/markdown-it-py#394
• 🚀 RELEASE v4.2.0 by @​chrisjsewell in executablebooks/markdown-it-py#395

Full Changelog: executablebooks/markdown-it-py@v4.1.0...v4.2.0

v4.1.0

What's Changed

• ✨ Add --stdin option to CLI by @​mcepl in executablebooks/markdown-it-py#379
• Add AGENTS.md and copilot-setup-steps workflow by @​Copilot in executablebooks/markdown-it-py#380
• 🔧 Add typing to Scanner by @​Alunderin in executablebooks/markdown-it-py#382
• 👌 Fix quadratic complexity in fragments_join / text_join by @​petricevich in executablebooks/markdown-it-py#389
• ✨Allow plugins to register inline terminator characters by @​Copilot in executablebooks/markdown-it-py#391
• ✨ Add gfm-like2 preset with task lists, alerts, and single-tilde strikethrough by @​chrisjsewell in executablebooks/markdown-it-py#388
• 🔧 Update pre-commit hooks by @​chrisjsewell in executablebooks/markdown-it-py#392
• 🚀 RELEASE v4.1.0 by @​chrisjsewell in executablebooks/markdown-it-py#393

New Contributors

• @​mcepl made their first contribution in executablebooks/markdown-it-py#379
• @​Copilot made their first contribution in executablebooks/markdown-it-py#380
• @​Alunderin made their first contribution in executable...

  Description has been truncated