suhacker1
commented
8 months ago Thanks for raising this issue! We're looking into this for the next release.
Closed stevemarin closed 8 months ago
suhacker1
commented
8 months ago Thanks for raising this issue! We're looking into this for the next release.
drdavella
commented
8 months ago Hi! I just want to second this issue. I think this is a really cool project and I would love to recommend fickling to our users as a way to harden pickle usage when handling potentially untrusted data.
However I'm not sure how many users would be okay with adding torch as a transient dependency so I agree it would be great if it were optional.
drdavella
commented
8 months ago Thanks for the quick turnaround and response! I'll keep an eye out for the release.
Just in case you're curious: our framework automatically introduces fickling to code that is using pickle and helps harden against cases where untrusted pickles may be loaded: https://github.com/pixee/codemodder-python/pull/332
Hello and thank you very much for all your hard work! We use
ficklingas a dependency ofpolyfile. Version 0.1.0 added a significant build time for us due to the inclusion of torch as a requirement.We can continue working with 0.0.8 for now, so we have no complaints. But we were wondering if the torch requirement could be made optional in the future?
Thank you again!