From 0a048cf4cbbadd1defac5f50ab3ee7b13df6e973 Mon Sep 17 00:00:00 2001
From: JacobPEvans <20714140+JacobPEvans@users.noreply.github.com>
Date: Sun, 24 May 2026 19:00:07 -0400
Subject: [PATCH 1/2] fix(deps): floor huggingface-hub at major-only (>=1.0.0)
Renovate PR #56 merged with `huggingface-hub>=1.16.1`. Per the new lower-bounds policy (JacobPEvans/.github#344), `>=` floors should express the major version only. Rewrite to `>=1.0.0`. Other security-fix floors in this file (pyarrow, pillow, orjson, idna) intentionally pin at the CVE-fix patch version per the inline comment and are left untouched.
---
 space/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/space/requirements.txt b/space/requirements.txt
index d7666f8..8526c1f 100644
--- a/space/requirements.txt
+++ b/space/requirements.txt
@@ -1,7 +1,7 @@
 gradio>=6.12.0
 pandas>=2.0
 plotly>=6.7.0
-huggingface-hub>=1.16.1
+huggingface-hub>=1.0.0
 # Minimum-version pins for direct + transitive deps that have CVEs in
 # older versions. Lower-bound only — HF Spaces resolves the actual
 # installed version. Tighten to exact pins if reproducibility becomes
From 0c4b7c98c01d0bac8958aa2ca4415a5185dca0bd Mon Sep 17 00:00:00 2001
From: JacobPEvans <20714140+JacobPEvans@users.noreply.github.com>
Date: Mon, 25 May 2026 15:41:17 -0400
Subject: [PATCH 2/2] fix(deps): align pyproject.toml + uv.lock huggingface-hub floor to >=1.0.0
Addresses gemini-code-assist review on PR #60. The space/requirements.txt fix to `>=1.0.0` left pyproject.toml at `>=0.23` and the uv.lock specifier matching it, creating cross-file drift. All three now express the major-only floor consistently.
---
 pyproject.toml | 2 +-
 uv.lock | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index cdbf01e..26f5279 100644
--- a/pyproject.toml
+++ b/pyproject.toml
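Review bot: Lowering the huggingface-hub floor from >=1.16.1 to >=1.0.0 on the `+` line discards a bound without recording whether 1.16.1 was an advisory-driven floor or only a routine Renovate bump; the commit message does not say. The entry sits above the `# Minimum-version pins for direct + transitive deps that have CVEs` block, so the file's own rule does not cover it, but that is exactly why the check is worth doing: if a published advisory for huggingface-hub is fixed between 1.0.0 and 1.16.1, the line belongs below that comment with the patch-level floor, like the pyarrow/pillow/orjson/idna entries the commit message names. If no such advisory exists, a trailing note such as `huggingface-hub>=1.0.0  # major-only floor per lower-bounds policy; not a CVE pin` keeps the next Renovate run from reopening the question. Since the specifier is a bare `>=`, the resolver on HF Spaces still installs the newest release either way, so the change is to what the file promises rather than to what gets deployed.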
@@ -17,7 +17,7 @@ classifiers = [
 "Topic :: Scientific/Engineering :: Artificial Intelligence",
 ]
 dependencies = [
- "huggingface-hub>=0.23",
+ "huggingface-hub>=1.0.0",
 "jsonschema[format]>=4.23.0",
 "psutil>=5.9",
 "pyarrow>=24.0.0",
diff --git a/uv.lock b/uv.lock
index 44e612f..d707d1e 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1866,7 +1866,7 @@ dev = [
 requires-dist = [
 { name = "google-adk", marker = "extra == 'framework-eval'", specifier = ">=2.0.0" },
 { name = "gradio", marker = "extra == 'viewer'", specifier = ">=6.12.0" },
- { name = "huggingface-hub", specifier = ">=0.23" },
+ { name = "huggingface-hub", specifier = ">=1.0.0" },
 { name = "jsonschema", extras = ["format"], specifier = ">=4.23.0" },
 { name = "lm-eval", extras = ["api"], specifier = "==0.4.12" },
 { name = "openai", marker = "extra == 'framework-eval'", specifier = ">=1.0.0" },
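Review bot: Raising the pyproject floor from >=0.23 to >=1.0.0 on the `+` line excludes every 0.x release of huggingface-hub, which crosses a major-version boundary and is a stricter change than the requirements.txt hunk, so the commit message's framing of it as pure cross-file alignment undersells it; it is worth stating where the code was verified against a 1.x release. The uv.lock hunk in the same commit edits only the `requires-dist` specifier, while the resolved `[[package]]` entry for huggingface-hub lies outside the hunk, so I cannot tell from here whether the locked version already satisfies >=1.0.0. Regenerating the lock with `uv lock` instead of hand-editing it, and running `uv lock --check` in CI, would confirm the lockfile and the new floor agree. The `dependencies = [` list continues past the end of the hunk.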