LEANN

TBNilles/LEANN

Fork 0

Commit Graph

Author	SHA1	Message	Date
Aakash Suresh	32967daf81	security: Enhance Hugging Face model loading security - resolves #136 (#138 ) BREAKING CHANGE: trust_remote_code now defaults to False for security - Set trust_remote_code=False by default in HFChat class - Add explicit trust_remote_code parameter to HFChat.__init__() - Add security warning when trust_remote_code=True is used - Update get_llm() function to support trust_remote_code parameter - Update benchmark utilities (load_hf_model, load_vllm_model, load_qwen_vl_model) - Add comprehensive documentation for security implications Security Benefits: - Prevents arbitrary code execution from compromised model repositories - Requires explicit opt-in for models that need remote code execution - Shows clear warnings when security is reduced - Follows security-by-default principle Migration Guide: - Most users: No changes needed (more secure by default) - Users with models requiring remote code: Add trust_remote_code=True explicitly - Config users: Add 'trust_remote_code': true to LLM config if needed Fixes #136	2025-10-07 13:13:44 -07:00
Andy Lee	fecee94af1	Experiments (#68 ) * feat: finance bench * docs: results * chore: ignroe data README * feat: fix financebench * feat: laion, also required idmaps support * style: format * style: format * fix: resolve ruff linting errors - Remove unused variables in benchmark scripts - Rename unused loop variables to follow convention * feat: enron email bench * experiments for running DiskANN & BM25 on Arch 4090 * style: format * chore(ci): remove paru-bin submodule and config to fix checkout --recurse-submodules * docs: data * docs: data updated * fix: as package * fix(ci): only run pre-commit * chore: use http url of astchunk; use group for some dev deps * fix(ci): should checkout modules as well since `uv sync` checks * fix(ci): run with lint only * fix: find links to install wheels available * CI: force local wheels in uv install step * CI: install local wheels via file paths * CI: pick wheels matching current Python tag * CI: handle python tag mismatches for local wheels * CI: use matrix python venv and set macOS deployment target * CI: revert install step to match main * CI: use uv group install with local wheel selection * CI: rely on setup-uv for Python and tighten group install * CI: install build deps with uv python interpreter * CI: use temporary uv venv for build deps * CI: add build venv scripts path for wheel repair	2025-09-24 11:19:04 -07:00

Author

SHA1

Message

Date

Aakash Suresh

32967daf81

security: Enhance Hugging Face model loading security - resolves #136 (#138 )

BREAKING CHANGE: trust_remote_code now defaults to False for security

- Set trust_remote_code=False by default in HFChat class
- Add explicit trust_remote_code parameter to HFChat.__init__()
- Add security warning when trust_remote_code=True is used
- Update get_llm() function to support trust_remote_code parameter
- Update benchmark utilities (load_hf_model, load_vllm_model, load_qwen_vl_model)
- Add comprehensive documentation for security implications

Security Benefits:
- Prevents arbitrary code execution from compromised model repositories
- Requires explicit opt-in for models that need remote code execution
- Shows clear warnings when security is reduced
- Follows security-by-default principle

Migration Guide:
- Most users: No changes needed (more secure by default)
- Users with models requiring remote code: Add trust_remote_code=True explicitly
- Config users: Add 'trust_remote_code': true to LLM config if needed

Fixes #136

2025-10-07 13:13:44 -07:00

Andy Lee

fecee94af1

Experiments (#68 )

* feat: finance bench

* docs: results

* chore: ignroe data README

* feat: fix financebench

* feat: laion, also required idmaps support

* style: format

* style: format

* fix: resolve ruff linting errors

- Remove unused variables in benchmark scripts
- Rename unused loop variables to follow convention

* feat: enron email bench

* experiments for running DiskANN & BM25 on Arch 4090

* style: format

* chore(ci): remove paru-bin submodule and config to fix checkout --recurse-submodules

* docs: data

* docs: data updated

* fix: as package

* fix(ci): only run pre-commit

* chore: use http url of astchunk; use group for some dev deps

* fix(ci): should checkout modules as well since `uv sync` checks

* fix(ci): run with lint only

* fix: find links to install wheels available

* CI: force local wheels in uv install step

* CI: install local wheels via file paths

* CI: pick wheels matching current Python tag

* CI: handle python tag mismatches for local wheels

* CI: use matrix python venv and set macOS deployment target

* CI: revert install step to match main

* CI: use uv group install with local wheel selection

* CI: rely on setup-uv for Python and tighten group install

* CI: install build deps with uv python interpreter

* CI: use temporary uv venv for build deps

* CI: add build venv scripts path for wheel repair

2025-09-24 11:19:04 -07:00

2 Commits