Skip to content

Add optional module allowlist to pydantic serde deserializer#794

Merged
andreahlert merged 2 commits into
apache:mainfrom
andreahlert:feature/pydantic-module-allowlist
Jun 2, 2026
Merged

Add optional module allowlist to pydantic serde deserializer#794
andreahlert merged 2 commits into
apache:mainfrom
andreahlert:feature/pydantic-module-allowlist

Conversation

@andreahlert
Copy link
Copy Markdown
Collaborator

@andreahlert andreahlert commented Jun 2, 2026

This change introduces a configurable allowlist for pydantic deserialization to give users more control over which modules can be dynamically loaded during state restoration.

Changes:

  • set_allowlist([...]) for global configuration
  • Per-call allowlist= kwarg in State.deserialize()
  • Backward-compatible: without an allowlist, behavior is unchanged with a runtime warning
  • Rejects unauthorized modules with a clear ValueError

Includes tests for allowlist acceptance, rejection, and global configuration.

@andreahlert
fix(packaging): repair developer extra reference and dedupe tests extra
124f867 
The 'developer' optional-dependency referenced apache-burr[bloat], but the
'bloat' extra was renamed to 'examples' in cd801c8 and the reference was
never updated, so 'pip install apache-burr[developer]' failed to resolve.

Also drop a duplicate apache-burr[hamilton] entry in the 'tests' extra.

Signed-off-by: André Ahlert <andre@aex.partners>
@andreahlert
Add optional module allowlist to pydantic serde deserializer
878310e 
Introduces a configurable allowlist for pydantic deserialization to
provide stricter control over which modules can be dynamically imported.
When an allowlist is configured, unauthorized modules are rejected with
a clear error message. When no allowlist is set, behavior remains
backward-compatible with an added runtime warning to encourage adoption.

Signed-off-by: André Ahlert <andre@aex.partners>
@github-actions github-actions Bot added area/integrations External integrations (LLMs, frameworks) area/ci Workflows, build, release scripts labels Jun 2, 2026
@andreahlert andreahlert requested review from elijahbenizzy and skrawcz and removed request for skrawcz June 2, 2026 10:48
jernejfrank
jernejfrank approved these changes Jun 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@jernejfrank jernejfrank left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great!

@andreahlert andreahlert merged commit 0624e00 into apache:main Jun 2, 2026
27 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jernejfrank jernejfrank jernejfrank approved these changes

@elijahbenizzy elijahbenizzy Awaiting requested review from elijahbenizzy

@skrawcz skrawcz Awaiting requested review from skrawcz

Assignees

No one assigned

Labels

area/ci Workflows, build, release scripts area/integrations External integrations (LLMs, frameworks)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@andreahlert @jernejfrank