[deprecation] Warn when loading local custom code without trust_remote_code #3807
Merged
tomaarsen merged 2 commits into Jun 12, 2026
Pull request overview
Adds a forward-looking deprecation warning to tighten the trust_remote_code security contract when loading repository-local custom code from disk, aligning Sentence Transformers with transformers behavior planned for v6.0.
Changes:
- Emit a `FutureWarning` when dynamic custom-module loading succeeds from a local path while `trust_remote_code=False` (with a TODO marker for removing the local-path short-circuit in v6.0).
- Document the deprecation directly in `import_module_class`'s docstring via a Sphinx `.. deprecated:: 5.6` directive.
- Add tests asserting the warning fires only for the local-path + `trust_remote_code=False` success path, and does not fire when `trust_remote_code=True`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| `sentence_transformers/util/misc.py` | Adds a FutureWarning on successful local dynamic-module loads without explicit trust; documents upcoming v6.0 behavior change. |
| `tests/util/test_misc.py` | Adds regression tests to ensure the warning behavior is correct for trusted vs untrusted local loads. |
Resolves #3801
Hello!
Pull Request overview
- `FutureWarning` when a local model loads custom code without `trust_remote_code=True`
- `trust_remote_code=True` for local custom code, matching `transformers`
Details
Sentence Transformers currently treats any local model directory as implicitly trusted. `import_module_class` resolves repository-local custom classes through `get_class_from_dynamic_module` even when `trust_remote_code=False`, because of the `or os.path.exists(model_name_or_path)` short-circuit. That was a deliberate choice on my part (once the files are on disk, the code isn't really "remote" anymore), but it diverges from `transformers`, which requires `trust_remote_code=True` for local custom code as well, and it can surprise "download, then load" pipelines: `snapshot_download` doesn't execute any code, so loading the result with `trust_remote_code=False` looks safe but isn't. Reported in #3801.
For now this PR only adds a `FutureWarning`, emitted when custom code is actually loaded from a local path without `trust_remote_code=True`. It fires on the success path only, so it won't false-alarm when dynamic loading fails and we fall back to `import_from_string` (e.g. a class that resolves from an installed package). Loading by Hub id and built-in `sentence_transformers.*` modules are unaffected.
The behavior change itself is breaking (local custom-code models would suddenly require `trust_remote_code=True`), so it's deferred to v6.0, where the `os.path.exists` short-circuit will be removed to match `transformers`. There's a `TODO(v6.0)` in the code marking exactly that.
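An added example, not code from this PR or from Sentence Transformers: a pre-load check for the "download, then load" pipeline described above, which flags Python files inside a downloaded model directory that a load would import as custom code. It assumes class references are read from the `type` field of `modules.json` and resolve to `.py` files in the model directory; the function names and the sample directory are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

BUILTIN_PREFIX = "sentence_transformers."  # built-in modules are unaffected


def find_local_custom_code(model_dir):
    """List (class_ref, file) pairs that would be imported from model_dir itself."""
    root = Path(model_dir)
    modules_file = root / "modules.json"  # assumed layout, see lead-in
    if not modules_file.is_file():
        return []
    findings = []
    for entry in json.loads(modules_file.read_text(encoding="utf-8")):
        class_ref = entry.get("type", "")
        if not class_ref or class_ref.startswith(BUILTIN_PREFIX):
            continue
        # "custom_pooling.MyPooling" -> custom_pooling.py inside the snapshot
        module_name = class_ref.rsplit(".", 1)[0]
        candidate = root / (module_name.replace(".", "/") + ".py")
        if candidate.is_file():  # otherwise it can only come from an installed package
            findings.append((class_ref, candidate.relative_to(root).as_posix()))
    return findings


def require_explicit_trust(model_dir, trust_remote_code=False):
    """Refuse a local load that would run snapshot code without an explicit opt-in."""
    findings = find_local_custom_code(model_dir)
    if findings and not trust_remote_code:
        raise PermissionError(f"custom code in {model_dir}: {findings}")
    return findings


def build_constructed_snapshot(directory):
    """Write a constructed (not real) model directory for the demonstration."""
    root = Path(directory)
    modules = [
        {"idx": 0, "name": "0", "path": "", "type": "sentence_transformers.models.Transformer"},
        {"idx": 1, "name": "1", "path": "1_Pooling", "type": "custom_pooling.MyPooling"},
        {"idx": 2, "name": "2", "path": "2_Extra", "type": "installed_pkg.layers.Extra"},
    ]
    (root / "modules.json").write_text(json.dumps(modules), encoding="utf-8")
    (root / "custom_pooling.py").write_text("class MyPooling: ...\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_local_custom_code(build_constructed_snapshot(tmp)))
```

Calling `require_explicit_trust(path)` before the model load gives a pipeline the v6.0 behaviour today: a snapshot that carries its own code is rejected unless the caller opts in.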