RepoJournal
Google

Google

JAX, the GenAI SDK, and the Cloud libs — Google's open source layer

Pick a date

  1. Sun 3 may
  2. Mon 4 may
  3. Tue 5 may
  4. Wed 6 may
  5. Thu 7 may
  6. Fri 8 may
  7. Sat 9 may
  8. Sun 10 may
  9. Mon 11 may
  10. Tue 12 may
  11. Wed 13 may
  12. Fri 15 may
  13. Sat 16 may
  14. Sun 17 may
  15. Mon 18 may
  16. Tue 19 may
  17. Wed 20 may
  18. Thu 21 may
  19. Sat 23 may
  20. Sun 24 may
  21. Mon 25 may
  22. Tue 26 may
  23. Thu 28 may
  24. Fri 29 may
  25. Sat 30 may
  26. Sun 31 may
  27. Mon 1 jun
  28. Mon 8 jun
  29. Tue 9 jun
  30. Today 10 jun

The Wire · Showcase

JAX HARDENS DESERIALIZATION TRUST MODEL AFTER SECURITY ADVISORY

By RepoJournal · Filed · About Google

JAX is documenting a critical trust boundary in its export deserialization path after identifying potential security risks in untrusted blob handling.

The JAX team issued a security advisory [1] flagging that `jax.export.deserialize` was accepting untrusted serialized objects without sufficient safeguards, prompting immediate documentation hardening. A new admonition in the export docs [1] now explicitly warns developers that deserialization expects trusted input only—closing the gap between API capability and safe usage. In parallel, the team shipped a structural fix [2] that uses abstract value information during deserialization to ensure py_tree objects maintain consistent shapes and dtypes throughout unflattening, rather than defaulting to placeholder floats. This prevents shape mismatches that could silently introduce bugs in downstream computations. The XLA dependency was also bumped [3] to pull in upstream fixes that likely complement these changes. Together, these moves harden JAX's serialization layer without breaking existing workflows.

Action items

References

  1. [1] PR #37441: docs(export): note deserialize trust boundary google/jax
  2. [2] Using avals for deserialization of the py_tree. ↗ google/jax
  3. [3] Update XLA dependency to use revision http://github.com/openxla/xla/commit/59031c7d1c120837166ad812f64b4e4bbf05b7b6 google/jax

FAQ

What changed in Google on May 11, 2026?
JAX is documenting a critical trust boundary in its export deserialization path after identifying potential security risks in untrusted blob handling.
What should Google teams do about it?
Review any code deserializing JAX exports from untrusted sources—this is now unsupported • Update JAX to pick up deserialization structural improvements and XLA fixes
Which Google repositories shipped on May 11, 2026?
google/jax

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.