(2) FA4 support (sglang-fa4 -> sglang)#3

Open
avnermay wants to merge 13 commits into avner/sglang from avner/sglang-fa4

Conversation

@avnermay
Collaborator

No description provided.

@avnermay avnermay changed the title FA4 support FA4 support (sglang-fa4 -> sglang) Mar 28, 2026
@avnermay avnermay changed the title FA4 support (sglang-fa4 -> sglang) (2) FA4 support (sglang-fa4 -> sglang) Mar 28, 2026
self.block_size = config.kvcache_block_size
self.enforce_eager = config.enforce_eager
self.tokenizer = AutoTokenizer.from_pretrained(config.tokenizer_path if config.tokenizer_path else config.model, use_fast=True)
self.tokenizer = AutoTokenizer.from_pretrained(config.tokenizer_path if config.tokenizer_path else config.model, use_fast=True, trust_remote_code=True)
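Review bot: the new line turns on `trust_remote_code=True` unconditionally for whatever `config.tokenizer_path` or `config.model` resolves to, so any host running this code will execute Python shipped in that repository on every load. Gate it behind an explicit config option that defaults to `False`, and when it is enabled also pass a pinned `revision=` (a full commit hash, which `from_pretrained` accepts) so a later push to the model repo cannot silently change the code that runs; the old line, which did not pass the flag, is the safer default for tokenizers that do not need it.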

Static Code Analysis Risk: Together python huggingface trust remote code

trust_remote_code=True downloads and executes arbitrary Python code from the model repository without sandboxing (OWASP LLM03:2025 Supply Chain). A malicious or compromised model repo can achieve RCE on every host that loads the model (CWE-94). Pin to a verified commit hash and audit remote code before use, or use models that don't require trust_remote_code.

Severity: High 🚨
Status: Open 🔴

References:

  1. https://cwe.mitre.org/data/definitions/94
  2. https://huggingface.co/docs/transformers/main/en/main_classes/model#transformers.PreTrainedModel.from_pretrained
  3. https://genai.owasp.org/llmrisk/llm032025-supply-chain/
  4. https://hiddenlayer.com/research/weaponizing-machine-learning-models-with-ransomware/

Suggested reviewers 🧐: @avnermay


If you see an issue, please contact Shasheen in the #security-engineering Slack channel.


Take action by replying with an [arnica] command 💬

Actions

Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.

To acknowledge the finding as a valid code risk: [arnica] ack <acknowledge additional details>

To dismiss the risk with a reason: [arnica] dismiss <fp|accept|capacity> <dismissal reason>

Examples

  • [arnica] ack This is a valid risk and I'm looking into it

  • [arnica] dismiss fp Dismissed - Risk Not Accurate: (i.e. False Positive)

  • [arnica] dismiss accept Dismiss - Risk Accepted: Allow the risk to exist in the system

  • [arnica] dismiss capacity Dismiss - No Capacity: This will need to wait for a future sprint
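The mitigation the finding above recommends, as an added example that is not part of this PR or of sglang: keep the tokenizer source selection of the changed line (tokenizer_path, else model), but only pass `trust_remote_code=True` when the deployer has opted in and pinned a full commit hash through the `revision` argument that `from_pretrained` accepts. The `TokenizerConfig` dataclass and its `allow_remote_code` and `revision` fields are assumptions standing in for the PR's config object.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple


@dataclass
class TokenizerConfig:
    """Assumed stand-in for the PR's config object (field names are hypothetical)."""
    model: str
    tokenizer_path: Optional[str] = None
    allow_remote_code: bool = False  # explicit opt-in, default off
    revision: Optional[str] = None   # git commit of the model repo, if pinned


# A full 40-hex SHA-1 pins the repo contents; a branch or tag name does not,
# because whoever controls the repo can move it to point at new code.
_COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")


def tokenizer_load_kwargs(config: TokenizerConfig) -> Tuple[str, Dict[str, Any]]:
    """Resolve the tokenizer source and the kwargs for AutoTokenizer.from_pretrained.

    trust_remote_code is only enabled when the deployer opted in AND pinned a
    full commit hash, so an upstream repo update cannot change the Python that
    gets executed on this host.
    """
    source = config.tokenizer_path if config.tokenizer_path else config.model
    kwargs: Dict[str, Any] = {"use_fast": True}
    if config.revision:
        kwargs["revision"] = config.revision
    if config.allow_remote_code:
        if not (config.revision and _COMMIT_RE.match(config.revision)):
            raise ValueError(
                f"trust_remote_code for {source!r} requires a pinned 40-hex commit "
                f"revision, got {config.revision!r}"
            )
        kwargs["trust_remote_code"] = True
    return source, kwargs


def load_tokenizer(config: TokenizerConfig):
    """Load the tokenizer with the vetted kwargs (import kept local so the
    policy function above can be tested without transformers installed)."""
    from transformers import AutoTokenizer
    source, kwargs = tokenizer_load_kwargs(config)
    return AutoTokenizer.from_pretrained(source, **kwargs)
```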
