chore(deps)(deps): bump the python-versions group across 1 directory with 4 updates

[dependabot]

Bumps the python-versions group with 4 updates in the / directory: huggingface-hub, pydantic-settings, licensecheck and pytest.

Updates huggingface-hub from 1.19.0 to 1.20.1

Release notes

Sourced from huggingface-hub's releases.

[v1.20.0] Browser-based OAuth login, multi-commit folder uploads, and more

🔒 Browser-based OAuth login

hf auth login now defaults to a browser-based OAuth Device Code flow instead of asking you to copy-paste a token. The command prints a URL and a short code, you authorize in the browser, and the CLI retrieves and saves the token for you. The same applies to login() in Python. In an interactive terminal you still get a gh-style arrow-key menu to pick between browser login and pasting a token, and --token works exactly as before.

OAuth tokens expire after 30 days, but they come with a refresh token: get_token() transparently refreshes them when less than a day of validity remains, so long-running setups keep working without re-authenticating. hf auth list now shows the expiry date for OAuth tokens.

> hf auth login
? How would you like to log in? Log in with your browser
Open this URL in your browser:
    https://hf.co/oauth/device
And enter the code: 52AT-FLYZ
Waiting for authorization.

When the command is run by an AI agent, it never prompts. Instead it streams structured events so the agent can surface the URL and code to its user, then blocks until a terminal auth_success / auth_error event:

$ hf auth login --format json
{"event": "device_code", "verification_uri": "https://hf.co/oauth/device", "user_code": "52AT-FLYZ", "verification_uri_complete": "https://hf.co/oauth/device", "expires_in": 300, "interval": 5}
{"event": "auth_success", "user": "celinah", "token_name": "oauth-celinah"}

hf auth list surfaces the new expiry column:

$ hf auth list
  name          token       expires
- ------------- ----------- -------------------
  my-token      hf_****5678
* oauth-user    hf_****1234 2026-07-09
  oauth-old     hf_****9999 2026-06-09 (expired)

Finally, notebook_login() now renders the link and code with plain IPython.display.HTML, dropping the ipywidgets dependency.

• [Auth] Browser-based OAuth login by @​hanouticelina in #4354

⚡ Faster, more reliable hf upload for large folders

hf upload and the underlying upload_folder have been revamped to be faster and far more robust on large folders. When hf_xet is installed (the default), uploads now run through a streamed, multi-commit pipeline built on the XetSession API: the folder is scanned and fed into a background Xet upload while previous batches are committed in parallel, and files are hashed in a single read pass while they are chunked (the old flow read every large file twice). Nothing changes in how you call it:

hf upload <repo-id> <path/to/folder>

... (truncated)

Commits

• 5efdca0 Release: v1.20.1
• 0c3a062 [Auth] Fix circular import on from huggingface_hub import login (#4384) (#4...
• 8d52526 Release: v1.20.0
• 9379ae3 Release: v1.20.0.rc0
• 3b3abe3 [Spaces] Add wait_for_space API and hf spaces wait CLI (#4380)
• e52fdef [CLI] Make hf jobs ssh wait for job to be running (#4379)
• a0c1dfe [Jobs] Add hf jobs wait and HfApi.wait_for_job (#4345)
• 5589874 [Inference Endpoints] Custom-container deploy CLI + deprecate protected endpo...
• 462d093 [CLI] Suggest creating repo/bucket on NotFound errors (#4372)
• ebe5315 Add new JobNotFound error (#4367)
• Additional commits viewable in compare view

Updates pydantic-settings from 2.14.1 to 2.14.2

Release notes

Sourced from pydantic-settings's releases.

v2.14.2

What's Changed

This is a security patch release.

• Prevent NestedSecretsSettingsSource from following symlinks outside secrets_dir by @​hramezani in pydantic/pydantic-settings#889
• Prepare release 2.14.2 by @​hramezani in pydantic/pydantic-settings#890

Security

Fixes GHSA-4xgf-cpjx-pc3j: NestedSecretsSettingsSource with secrets_nested_subdir=True could follow a symbolic link inside secrets_dir pointing outside it, reading out-of-tree files into settings values and bypassing the secrets_dir_max_size cap. Affected versions: >= 2.12.0, < 2.14.2.

Full Changelog: pydantic/pydantic-settings@v2.14.1...v2.14.2

Commits

• d703bd7 Prepare release 2.14.2 (#890)
• See full diff in compare view

Updates licensecheck from 2026.0.5 to 2026.0.8

Release notes

Sourced from licensecheck's releases.

2026.0.8

Full Changelog: FHPythonUtils/LicenseCheck@2026.0.7...2026.0.8

Full Changelog: FHPythonUtils/LicenseCheck@2026.0.7...2026.0.8

2026.0.7

What's Changed

• Allow waiting for sqlite locks in request cache by @​atom-andrew in FHPythonUtils/LicenseCheck#149

Full Changelog: FHPythonUtils/LicenseCheck@2026.0.6...2026.0.7

What's Changed

• Allow waiting for sqlite locks in request cache by @​atom-andrew in FHPythonUtils/LicenseCheck#149

Full Changelog: FHPythonUtils/LicenseCheck@2026.0.6...2026.0.7

2026.0.6

Full Changelog: FHPythonUtils/LicenseCheck@2026.0.5...2026.0.6

Full Changelog: FHPythonUtils/LicenseCheck@2026.0.5...2026.0.6

Commits

• 21abbeb remove stdin support
• 0d4a091 fix #131; apply fix from https://github.com/FHPythonUtils/AttestationCheck/pu...
• 1f4cab9 Merge pull request #149 from atom-andrew/asb/busy-timeout
• fe4404f Allow waiting for sqlite locks in request cache
• 72d32bc fix #148
• b7c93c5 fmt; fix #132
• 2e5ce05 fix #121
• See full diff in compare view

Updates pytest from 9.1.0 to 9.1.1

Release notes

Sourced from pytest's releases.

9.1.1

pytest 9.1.1 (2026-06-19)

Bug fixes

• #14220: Fixed a logic bug in pytest.RaisesGroup which would might cause it to display incorrect "It matches FooError() which was paired with BarError" messages.
• #14591: Fixed a regression in pytest 9.1.0 which caused overriding a parametrized fixture with an indirect @​pytest.mark.parametrize to fail with "duplicate parametrization of '<fixture name>'".
• #14606: Fixed list-item typing errors from mypy in @pytest.mark.parametrize <pytest.mark.parametrize ref> argvalues parameter.
• #14608: Fixed a regression in pytest 9.1.0 where conftest.py files located in <invocation dir>/test* were no longer loaded as initial conftests when invoked without arguments. This could cause certain hooks (like pytest_addoption) in these files to not fire.

Commits

• cf470ec Prepare release version 9.1.1
• e0c8ce6 Merge pull request #14625 from pytest-dev/patchback/backports/9.1.x/a07c31a97...
• 1b82d16 Merge pull request #14624 from pytest-dev/patchback/backports/9.1.x/b375b79ec...
• 501c4bc Merge pull request #14596 from bluetech/doc-classmethod
• b61f588 Merge pull request #14622 from chrisburr/fix-14608-initial-conftest-test-subdir
• 9a567e0 [automated] Update plugin list (#14617) (#14618)
• ef8b299 Merge pull request #14620 from pytest-dev/patchback/backports/9.1.x/680f9f3ed...
• 66abd07 Merge pull request #14220 from bysiber/fix-stale-iexp-raisesgroup
• 79fbf93 Merge pull request #14612 from pytest-dev/patchback/backports/9.1.x/974ed48b6...
• 0d312eb Merge pull request #14611 from bluetech/parametrize-argvalues-typing
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, python:uv. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.