GROUPOID is a research prototype. It is not designed for deployment in security-sensitive environments.
If you discover a security issue, please report it by emailing santiago.maniches@gmail.com. Do not open a public issue.
Only the latest commit on main is supported. There are no stable
releases.
- No differential privacy is implemented despite optional dependencies being listed. Do not rely on this software for privacy guarantees.
- Input validation is minimal. The library assumes trusted inputs from the caller.
- The
torchruntime dependency is flagged bypip-auditfor advisory CVE-2025-3000. OSV expresses its affected range as a Git/commit range whose listed versions run up to v2.6.0, with no publishedfixedrelease. Because that upper bound is a source commit rather than a resolvable version,pip-auditconservatively flags the installedtorch(currently 2.12.0, past the listed v2.6.0 affected range) instead of clearing it. CI tracks the advisory via a documented--ignore-vuln; there is no fixed release to upgrade to, and the ignore is revisited when upstream publishes one. The advisory concerns crafted-checkpoint / JIT deserialization (torch.loadand related paths), which GROUPOID's own code does not exercise.