fix(deps): drop default features on hf-hub; opt into rustls-tls

[krishung5]

Description

Both multimodal and tokenizer only use the async (tokio) hf-hub client (hf_hub::api::tokio::ApiBuilder); they don't need the default-on native-tls + blocking ureq features. Pin hf-hub = { default-features = false, features = ["tokio", "rustls-tls"] } so downstream crates don't have to pull in the openssl/native-tls toolchain just to use lightseek.

Problem

crates/multimodal and crates/tokenizer depend on hf-hub = "0.5.0" with default features (["default-tls", "tokio", "ureq"]). That transitively pulls in:

• native-tls, tokio-native-tls, hyper-tls
• openssl, openssl-sys, openssl-macros
• openssl-src (vendored OpenSSL C source — requires perl at build time)
• the blocking ureq client (with native-tls)

Neither crate ever calls the blocking client — the only hf-hub usage in both crates is hf_hub::api::tokio::ApiBuilder. Consumers that depend on llm-multimodal (e.g. ai-dynamo/dynamo, which explicitly bans native-tls and openssl-sys in their cargo-deny config) currently have to fork or [patch.crates-io] to use the crate.

Solution

Pin hf-hub with default-features = false and the minimal feature set actually used (tokio + rustls-tls). The async ApiBuilder API stays available; the openssl/native-tls subtree disappears from the dep graph; the build no longer needs perl to compile vendored OpenSSL.

Changes

• crates/multimodal/Cargo.toml: hf-hub = "0.5.0" → hf-hub = { version = "0.5.0", default-features = false, features = ["tokio", "rustls-tls"] }
• crates/tokenizer/Cargo.toml: hf-hub = { version = "0.5.0", features = ["tokio"] } → hf-hub = { version = "0.5.0", default-features = false, features = ["tokio", "rustls-tls"] }

No code changes — both crates already only call hf_hub::api::tokio::ApiBuilder, which is in the tokio feature.

Test Plan

Before:

$ cargo tree -p llm-multimodal --target x86_64-unknown-linux-gnu | grep -E 'native-tls|openssl|rustls'
│   ├── native-tls v0.2.18
│   │   ├── openssl v0.10.79
│   │   │   ├── openssl-macros v0.1.1 (proc-macro)
│   │   │   └── openssl-sys v0.9.115
│   │   ├── openssl-probe v0.2.1
│   │   └── openssl-sys v0.9.115 (*)
│   ├── reqwest v0.12.28
│       └── native-tls v0.2.18 (*)
└── openssl-sys v0.9.115 (*)

After:

$ cargo tree -p llm-multimodal --target x86_64-unknown-linux-gnu | grep -E 'native-tls|openssl|rustls'
│   │   ├── hyper-rustls v0.27.9
│   │   │   ├── rustls v0.23.40
│   │   │   │   ├── rustls-pki-types v1.14.1
│   │   │   │   └── rustls-webpki v0.103.13
│   │   │   ├── tokio-rustls v0.26.4

cargo tree -i native-tls returns "did not match any packages".

cargo check -p llm-multimodal -p llm-tokenizer passes:

    Checking llm-tokenizer v1.3.2 (/workspace/crates/tokenizer)
    Checking llm-multimodal v1.5.0 (/workspace/crates/multimodal)
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 39.86s

Existing tests in both crates pass; no behavior change in the async ApiBuilder path that the crates actually use.

Checklist

• cargo +nightly fmt passes
• cargo clippy --all-targets --all-features -- -D warnings passes
• (Optional) Documentation updated
• (Optional) Please join us on Slack #sig-smg to discuss, review, and merge PRs

Summary by CodeRabbit

• Chores
  • Updated dependency configurations to improve network security, TLS handling, and asynchronous runtime compatibility for more reliable and secure operation.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a7d01bde-c7d6-4659-a3ea-85f92bd72ce6

📥 Commits

Reviewing files that changed from the base of the PR and between 600aedf and ae28503.

📒 Files selected for processing (2)

• crates/multimodal/Cargo.toml
• crates/tokenizer/Cargo.toml

---

📝 Walkthrough

Hidden review stack artifact

Walkthrough

This PR updates the hf-hub dependency configuration in the multimodal and tokenizer crates to disable default features and explicitly enable tokio and rustls-tls.

Changes

Dependency Feature Configuration

Layer / File(s)	Summary
hf-hub Feature Specification crates/multimodal/Cargo.toml, crates/tokenizer/Cargo.toml	hf-hub dependency updated to default-features = false and features = ["tokio", "rustls-tls"] across both crates.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

• CatherineSue

Poem

🐰 Two crates hop in step today,
🔧 Features trimmed, defaults away,
✨ tokio races, rustls guards the gate,
🥕 A tidy config—neat and straight,
🌿 Small change, big-hoped-for fate.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately describes the main change: dropping default features on hf-hub and opting into rustls-tls across the affected crates.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mergify]

Hi @krishung5, the DCO sign-off check has failed. All commits must include a Signed-off-by line.

To fix existing commits:

# Sign off the last N commits (replace N with the number of unsigned commits)
git rebase HEAD~N --signoff
git push --force-with-lease

To sign off future commits automatically:

• Use git commit -s every time, or
• VSCode: enable Git: Always Sign Off in Settings
• PyCharm: enable Sign-off commit in the Commit tool window

[gemini-code-assist]

Code Review

This pull request updates the hf-hub dependency configuration in both crates/multimodal/Cargo.toml and crates/tokenizer/Cargo.toml. The changes disable default features and explicitly enable the tokio and rustls-tls features for this dependency. I have no feedback to provide as there were no review comments.

[krishung5]

@slin1237 Thanks for the quick review and merge! Quick question on release timeline, is there a target window for the next llm-multimodal crates.io publish that would include this change?

[slin1237]

@slin1237 Thanks for the quick review and merge! Quick question on release timeline, is there a target window for the next llm-multimodal crates.io publish that would include this change?

hopefully by Wednesday
Do you need this sooner? And is this used in dynamo?

[krishung5]

@slin1237 Thanks for the quick review and merge! Quick question on release timeline, is there a target window for the next llm-multimodal crates.io publish that would include this change?

hopefully by Wednesday Do you need this sooner? And is this used in dynamo?

Thanks, Wednesday time sounds good! Yes, in dynamo's Rust frontend we'd like to utilize the crates from smg project for resolving image token id and expanding image tokens for our MM aware KV routing.