
add safe version of numpy.load#5500

Open
dimapihtar wants to merge 24 commits into
NVIDIA:mainfrom
dimapihtar:safe_numpy_load

Conversation

@dimapihtar

Contributor
  • I, the PR author, have personally reviewed every line of this PR.

What does this PR do ?

Security team request. Adds a safe version of numpy.load, which calls the vulnerable pickle.load.

⚠️ For major changes (either in lines of code or in its impact), please make sure to first share a design doc with the team. If you're unsure what's the best way to do so, contact @NVIDIA/mcore-oncall.

Issue tracking

For PRs from open-source community contributors:

  • New features: a linked issue is required. Please open a feature request and reference it here before submitting the PR.
  • Small updates (bug fixes, minor improvements): a linked issue is recommended and will accelerate the PR review process.

Linked issue:

Contribution process

Pre-checks

  • I have added relevant unit tests
  • I have added relevant functional tests
  • I have added proper typing to my code Typing guidelines
  • I have added relevant documentation
  • I have run the autoformatter.sh on my PR

Code review

Feel free to message or comment @NVIDIA/mcore-oncall to help accelerate your merge into main. The less complex your PR is, the faster it will be approved and merged!

All PRs start as draft. If you open a non-draft PR, it will be automatically converted to draft.

Step 1: Mark PR as "Ready for Review"

  1. When your PR is ready, click Ready for Review.
  2. An oncall reviewer is auto-assigned and expert reviewers are notified based on your changes.
    • Some PRs may jump straight to step 2. This is determined by .github/CODEOWNERS.

⚠️ Only mark as ready once merge-conflicts are resolved and the CI is passing.
Final Review might get declined if these requirements are not fulfilled.

Step 2: Final Review

For PRs that change megatron/core, once all expert reviewers have approved, the Final Review label is applied automatically and final reviewers are assigned.

For PRs outside megatron/core, this step is skipped.

Step 3: Approved

Once all required reviewers have approved, the Approved label is applied automatically.

Merge

Any member of mcore-engineers will be able to merge your PR.

@copy-pr-bot

copy-pr-bot Bot commented Jun 25, 2026


This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

dimapihtar and others added 5 commits June 25, 2026 05:50
Signed-off-by: dimapihtar <dpykhtar@nvidia.com>
Signed-off-by: dimapihtar <dpykhtar@nvidia.com>
Signed-off-by: dimapihtar <dpykhtar@nvidia.com>
Signed-off-by: dimapihtar <dpykhtar@nvidia.com>
@dimapihtar dimapihtar marked this pull request as ready for review June 26, 2026 10:30
@dimapihtar dimapihtar requested review from a team as code owners June 26, 2026 10:30
@dimapihtar

Contributor Author

/claude review

Comment thread megatron/core/safe_globals.py Outdated
Comment thread megatron/core/safe_globals.py Outdated
Signed-off-by: dimapihtar <dpykhtar@nvidia.com>
@dimapihtar

Contributor Author

/ok to test 7ecc412

@dimapihtar

Contributor Author

/claude review

Signed-off-by: dimapihtar <dpykhtar@nvidia.com>
Comment thread megatron/core/safe_globals.py Outdated

@claude claude Bot left a comment

Contributor


Two additional items beyond the inline comment:

  1. SafeUnpickler allowlist missing numpy types: SafeUnpickler._SAFE_CLASSES was built for FP8 checkpoint data and contains only builtins/torch/TE types. If pickle.load is actually triggered during safe_numpy_load (e.g., an .npy file with object-dtype arrays), numpy's reconstruction types (numpy.core.multiarray._reconstruct, numpy.ndarray, numpy.dtype) are not in the allowlist and will raise UnpicklingError. For the current call sites (integer index arrays in .npy format), the pickle path is likely never hit, so this won't break anything today, but it means the safety wrapper would reject legitimate numpy pickle data too. Worth confirming this is the intended behavior (block all pickle in numpy loads) and documenting it if so.

  2. No dedicated test for safe_numpy_load — The test change in test_builder.py switches to safe_numpy_load but doesn't verify the safety mechanism itself. Since this is a security hardening change, consider adding a unit test that confirms safe_numpy_load blocks a crafted malicious pickle payload while still correctly loading a normal numpy array.
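The safe numpy.load wrapper the PR description asks for, together with the "blocks a crafted malicious pickle, still loads a normal array" check the review comment above suggests, as an added Python example that is not the PR's code or Megatron's own. It parses the .npy header itself (so it runs without numpy installed), refuses object dtype unless the caller opts in, and even then routes the payload through a restricted unpickler whose find_class allowlist follows the idea of SafeUnpickler._SAFE_CLASSES. The names safe_npy_load, RestrictedUnpickler, SAFE_GLOBALS, make_npy, Exploit and the sample buffers are hypothetical; the three numpy reconstruction globals in the allowlist are the ones named in the comment above, and the list is not the project's actual allowlist. All sample .npy bytes are constructed inline.

```python
import ast
import io
import math
import os
import pickle
import struct

NPY_MAGIC = b"\x93NUMPY"

# Hypothetical allowlist for the restricted unpickler (the PR's own list, SafeUnpickler._SAFE_CLASSES,
# is not reproduced here). The numpy entries are the reconstruction globals the review comment names.
SAFE_GLOBALS = {
    ("builtins", "list"), ("builtins", "dict"), ("builtins", "tuple"), ("builtins", "set"),
    ("numpy.core.multiarray", "_reconstruct"), ("numpy", "ndarray"), ("numpy", "dtype"),
}

# Numeric .npy descriptors decoded with struct; pickle is never involved for these.
_STRUCT_CODES = {"i8": "q", "i4": "i", "u8": "Q", "u4": "I", "u1": "B", "f8": "d", "f4": "f"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals, so a payload cannot reach os.system etc."""

    def find_class(self, module, name):
        if (module, name) not in SAFE_GLOBALS:
            raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")
        return super().find_class(module, name)


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def make_npy(descr: str, shape: tuple, payload: bytes) -> bytes:
    """Build an in-memory .npy v1.0 file (constructed sample data, not written by numpy)."""
    header = f"{{'descr': '{descr}', 'fortran_order': False, 'shape': {shape!r}, }}"
    pad = (64 - (10 + len(header) + 1) % 64) % 64  # numpy aligns the data start to 64 bytes
    header = header + " " * pad + "\n"
    return NPY_MAGIC + b"\x01\x00" + struct.pack("<H", len(header)) + header.encode("latin1") + payload


def parse_npy_header(buf: bytes):
    """Return (descr, fortran_order, shape, data_offset) without importing numpy.

    The header dict is parsed with ast.literal_eval, so a hostile header cannot execute
    anything; the only place pickle can ever be reached is an object-dtype payload.
    """
    if buf[:6] != NPY_MAGIC:
        raise ValueError("not an .npy file (bad magic)")
    major, minor = buf[6], buf[7]
    if major == 1:
        (hlen,), off = struct.unpack("<H", buf[8:10]), 10
    elif major in (2, 3):
        (hlen,), off = struct.unpack("<I", buf[8:12]), 12
    else:
        raise ValueError(f"unsupported .npy version {major}.{minor}")
    header = ast.literal_eval(buf[off:off + hlen].decode("latin1"))
    if not isinstance(header, dict) or set(header) != {"descr", "fortran_order", "shape"}:
        raise ValueError("malformed .npy header")
    return header["descr"], header["fortran_order"], tuple(header["shape"]), off + hlen


def safe_npy_load(buf: bytes, allow_pickle: bool = False):
    """Decode numeric dtypes with struct; refuse object dtype by default (like numpy's
    allow_pickle=False) and, if explicitly allowed, use the restricted unpickler, not pickle.load."""
    descr, _fortran_order, shape, data_off = parse_npy_header(buf)
    payload = buf[data_off:]
    kind = descr.lstrip("<>|=")
    if kind == "O":
        if not allow_pickle:
            raise ValueError("object arrays require pickle; refused with allow_pickle=False")
        return restricted_loads(payload)
    if kind not in _STRUCT_CODES:
        raise ValueError(f"unsupported dtype {descr!r}")
    endian = descr[0] if descr[0] in "<>" else "<"
    fmt = f"{endian}{math.prod(shape)}{_STRUCT_CODES[kind]}"
    size = struct.calcsize(fmt)
    if len(payload) < size:
        raise ValueError("truncated array data")
    return {"descr": descr, "shape": shape, "data": list(struct.unpack(fmt, payload[:size]))}


class Exploit:
    """Crafted malicious payload (constructed for this demo): plain pickle.load would run os.system."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


def sample_int_npy() -> bytes:
    return make_npy("<i8", (3,), struct.pack("<3q", 1, 2, 3))


def sample_malicious_npy() -> bytes:
    return make_npy("|O", (), pickle.dumps(Exploit()))


def sample_object_list_npy() -> bytes:
    # Benign object payload using only builtins; a real numpy object array pickles an ndarray.
    return make_npy("|O", (3,), pickle.dumps([1, 2, 3]))


def classify_load(buf: bytes, allow_pickle: bool = False) -> str:
    """Report the loader's outcome as a label, for tests and for logging rejected inputs."""
    try:
        result = safe_npy_load(buf, allow_pickle=allow_pickle)
    except pickle.UnpicklingError as exc:
        return f"blocked-by-unpickler: {exc}"
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"loaded: {result!r}"
```

For the project's real call sites, which the comment says are integer index arrays, the equivalent of the default branch is simply numpy.load(path, allow_pickle=False), which makes numpy itself raise ValueError on object arrays before any pickle opcode is interpreted. The opt-in branch is only as safe as its allowlist: the restricted unpickler rejects every global it does not know, so if numpy's own reconstruction types are absent (the first point in the comment above), legitimate object arrays fail with UnpicklingError exactly as described there.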

dimapihtar and others added 4 commits June 26, 2026 06:13
Signed-off-by: dimapihtar <dpykhtar@nvidia.com>
Signed-off-by: dimapihtar <dpykhtar@nvidia.com>
Signed-off-by: dimapihtar <dpykhtar@nvidia.com>
@dimapihtar

Contributor Author

/ok to test 6bbcce6

Signed-off-by: dimapihtar <dpykhtar@nvidia.com>
@dimapihtar

Contributor Author

/ok to test e47712b

@dimapihtar dimapihtar added the label Expert Review [deprecated] (apply this label to indicate that your PR is ready for expert review) Jun 26, 2026
@svcnvidia-nemo-ci svcnvidia-nemo-ci added the label Final Review (PR is in the "final review" stage) Jun 26, 2026