Out of curiosity I ran `--check-safety` on one of our pickles: https://github.com/scverse/scanpy/blob/1.11.x/tests/_data/objs_t_test.pkl, with fickling saying:

> Variable `_var16` is assigned value `scalar(_var15, b'0\x00\x00\x00')` but unused afterward; this is suspicious and indicative of a malicious pickle file

but if I trace execution, I see:

<pre><code>[…]
<strong>_var16</strong> = scalar(_var15, b'0\x00\x00\x00')
[…]
_var24.__setstate__((3, '|', None, (<strong>_var16</strong>, _var19), {<strong>_var16</strong>: (_var21, 0), _var19: (_var23, 200)}, 400, 1, 24))
[…]</code></pre>

so seems like `--check-safety` doesn’t work correctly.
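A way to cross-check an "assigned but unused" warning against the traced statements, as an added example that is not part of the original report and not fickling's own code. It parses the two statements quoted above with Python's `ast` module and counts every later read of a name, including reads nested in tuples and dict keys. The function names and the `_unused` line are constructed for illustration.

```python
import ast

# The first and last statements are copied from the trace quoted above.
# The `_unused` line is constructed so the check has something to flag.
TRACE = r"""
_var16 = scalar(_var15, b'0\x00\x00\x00')
_unused = scalar(_var15, b'1\x00\x00\x00')
_var24.__setstate__((3, '|', None, (_var16, _var19), {_var16: (_var21, 0), _var19: (_var23, 200)}, 400, 1, 24))
"""


def assigned_but_unused(source: str) -> list[str]:
    """Return names assigned at top level that no later statement reads."""
    tree = ast.parse(source)
    unused = []
    for index, stmt in enumerate(tree.body):
        if not isinstance(stmt, ast.Assign):
            continue
        targets = [t.id for t in stmt.targets if isinstance(t, ast.Name)]
        # Any Name in Load context in a later statement counts as a use,
        # however deeply nested (tuple elements, dict keys, call arguments).
        later_loads = {
            node.id
            for later in tree.body[index + 1:]
            for node in ast.walk(later)
            if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load)
        }
        unused.extend(name for name in targets if name not in later_loads)
    return unused


def uses_of(source: str, name: str) -> int:
    """Count reads of `name` anywhere in the source."""
    return sum(
        isinstance(n, ast.Name) and n.id == name and isinstance(n.ctx, ast.Load)
        for n in ast.walk(ast.parse(source))
    )


if __name__ == "__main__":
    print(assigned_but_unused(TRACE))  # only the constructed line is flagged
    print(uses_of(TRACE, "_var16"))    # one tuple element, one dict key
```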