I'm not sure but I was told a lot of times that ONNX support for sklearn was sub-par. I haven't researched that one yet. I can ask to maintainers if you're interested.

no worries, I hope you'll find it useful! 🙂

h5 and SavedModel of TF are the safest options, yet you can still inject code through Lambda layers or subclassed models (that's why Keras developed a new format too!) AFAIK. What SavedModel does is that it reconstructs the architecture and loads weights into it, and this architecture part is essentially code (loading the weights is never the problem for any framework anyway, it's the code part!). so again, you shouldn't deserialize it. (safest code is no code) if you can see the architecture and confirm that it doesn't have any custom layers, you should be fine. (this is also essentially what we do with skops (we audit the model) (or reconstruct it yourself and load weights into it but it's a little tricky, you might have custom objects or e.g. preprocessing layers for keras)

>The architecture of subclassed models and layers are defined in the methods __init__ and call. They are considered Python bytecode, which cannot be serialized into a JSON-compatible config -- you could try serializing the bytecode (e.g. via pickle), but it's completely unsafe and means your model cannot be loaded on a different system. (in model subclassing guide)
>
>WARNING: tf.keras.layers.Lambda layers have (de)serialization limitations! (in lambda layers guide)

Hugging Face also introduced a new format called safetensors if you're interested: https://github.com/huggingface/safetensors in README there's a detailed explanation & comparison.

it uses pickle's way of serialization under the hood. the difference between pickle and joblib is that one is performing better with numpy objects AFAIK. you shouldn't deserialize any joblib file on your local.

see one of the sklearn core developers' neat response on difference between them: https://stackoverflow.com/a/12617603

this is a good explanation 🤌🏼💜

I think it's because this was raised recently and people really didn't know! since it was raised by Yannic Kilcher couple of months ago, François Chollet has announced a format specific to Keras models, Pytorch folks are cooking something for this too. hopefully this will be solved 🙂

It can execute arbitrary code as others said. Other ML frameworks (TF/Keras, PyTorch) are also researching alternative solutions to this at the moment. you should never deserialize a pickle on your local unless it's made by you. pickle is made for python in general, not specifically for machine learning. this format is used to serialize sklearn models/pipelines avoiding pickle.

you dodged a bullet!