Safetensors moves toward PyTorch governance

Hugging Face has contributed the safetensors format to the PyTorch Foundation to improve the security of model loading and execution. The move aims to address vulnerabilities tied to unsafe model deserialization by promoting a safer standard within a major ML ecosystem. (x.com)

Loading an artificial intelligence model can be as dangerous as opening a program, because some model files do not just contain numbers: they can also tell Python to run code while the file is being read. Safetensors was built to strip that behavior out and store only the weights, the giant tables of numbers a model uses to make predictions. (huggingface.co) The unsafe format here is Python pickle, a general-purpose way to save objects that can invoke arbitrary callables when you load them back. PyTorch's own `torch.save` and `torch.load` have long been pickle-based (recent releases default `torch.load` to a restricted `weights_only` mode, but older code and many third-party loaders still unpickle freely), which is why security researchers and model hubs have spent years warning that a downloaded model can act more like a script than a spreadsheet. (huggingface.co)

Safetensors takes the opposite approach: a small JSON header records each tensor's name, data type, shape and byte offsets, and the rest of the file is raw tensor data with no embedded instructions. A loader parses the header with an ordinary JSON parser, checks that the offsets fit inside the file, and then reads the bytes; nothing in the file is ever executed. That design also enables zero-copy loading, meaning the system can map the file into memory and read weights straight from it instead of duplicating them in random access memory. (huggingface.co)

Hugging Face launched Safetensors in 2022, after the open model ecosystem started passing around bigger and bigger checkpoints (saved snapshots of model weights). By April 2026, Hugging Face says, Safetensors is the default format for model distribution on the Hugging Face Hub and is used by tens of thousands of models across text, image, audio, and other machine learning tasks. (huggingface.co) The format also got outside scrutiny early: security firm Trail of Bits reviewed the library in March 2023 and published a public report, which gave the project a more formal audit trail than most machine learning file formats ever get. (trailofbits.com)

Now the project is moving under the PyTorch Foundation, which announced on April 8, 2026 that Safetensors has become a foundation-hosted project under the Linux Foundation. It joins PyTorch, vLLM, Ray, DeepSpeed, and Helion under the same governance umbrella instead of remaining a Hugging Face-run project. (pytorch.org)

That does not change the file format people already use. Hugging Face says the format, application programming interfaces, and Hub integration stay the same, so existing `.safetensors` files should keep working without conversion or breaking changes. (huggingface.co) What changes is who steers it. Hugging Face says contributor paths and maintainer rules are now formally documented in public governance files, the kind of neutral control structure companies usually want before they bet infrastructure on a standard. (huggingface.co; github.com)

PyTorch has already been working on the plumbing around this. In June 2025, the PyTorch team said its Distributed Checkpointing system was adding support for Hugging Face Safetensors so large training jobs could move weights around without forcing everyone back into older serialization habits. (pytorch.org)

The timing fits the way artificial intelligence is now shipped. A model file downloaded from a hub is increasingly the software artifact itself, so the industry is starting to treat model formats the way browsers treat attachments: if the file only needs to hold data, it should not also be able to execute code on the way in. (pytorch.org; huggingface.co)
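As an added illustration of the two loading paths described above (example code written for this page, not code from Hugging Face, PyTorch, or the safetensors project), the block below first builds a pickle "model" whose load step calls a harmless marker function, then writes and re-reads a two-tensor checkpoint in the safetensors layout with a standard-library-only reader that validates every header offset before touching the data. The dtype table, the `MAX_HEADER` cap, the tensor values and the tampered header are constructed assumptions for the demo; a real deployment would use the `safetensors` library rather than this reader.

```python
"""Added example, not code from the page or the safetensors project: a
pickle "model" that runs code while being loaded, next to a minimal
pure-Python safetensors writer and a validating reader (stdlib only).
The file layout is the published one (8-byte little-endian header length,
JSON header, raw byte buffer); the strictness checks and MAX_HEADER cap
are this example's own choices."""
import json
import pickle
import struct

# --- 1. pickle: the loader executes whatever __reduce__ names ------------
LOAD_LOG = []

def _side_effect(tag):               # harmless stand-in for os.system etc.
    LOAD_LOG.append(tag)
    return {"weight": [1.0, 2.0]}    # what the victim thinks they loaded

class WeightsWithPayload:
    def __reduce__(self):
        return (_side_effect, ("code ran during pickle.loads",))

def demo_pickle_runs_code():
    blob = pickle.dumps(WeightsWithPayload())   # constructed "model file"
    LOAD_LOG.clear()
    obj = pickle.loads(blob)                    # code runs here, on load
    return obj, list(LOAD_LOG)

# --- 2. safetensors: header plus raw bytes, nothing executable -----------
DTYPE_SIZE = {"F32": 4, "F16": 2, "BF16": 2, "I64": 8, "I32": 4, "U8": 1, "BOOL": 1}
MAX_HEADER = 100_000_000   # example-only cap so a hostile length cannot OOM us

def write_safetensors(tensors, metadata=None):
    """tensors: {name: (dtype, shape, little-endian bytes)} -> file bytes."""
    header, buf = {}, bytearray()
    if metadata:
        header["__metadata__"] = dict(metadata)
    for name in sorted(tensors):
        dtype, shape, raw = tensors[name]
        header[name] = {"dtype": dtype, "shape": list(shape),
                        "data_offsets": [len(buf), len(buf) + len(raw)]}
        buf += raw
    hjson = json.dumps(header, separators=(",", ":")).encode()
    hjson += b" " * (-len(hjson) % 8)           # pad header to 8-byte multiple
    return struct.pack("<Q", len(hjson)) + hjson + bytes(buf)

def read_safetensors(data):
    """Parse without trusting the header: every offset is checked before use."""
    if len(data) < 8:
        raise ValueError("truncated: no header length")
    n = struct.unpack("<Q", data[:8])[0]
    if n > MAX_HEADER or 8 + n > len(data):
        raise ValueError(f"header length {n} exceeds cap or file size")
    header = json.loads(data[8:8 + n])         # plain JSON, never pickle/eval
    body = memoryview(data)[8 + n:]
    metadata = header.pop("__metadata__", None)
    if metadata is not None and not all(isinstance(k, str) and isinstance(v, str)
                                        for k, v in metadata.items()):
        raise ValueError("__metadata__ must map strings to strings")
    entries = []
    for name, info in header.items():
        try:
            dtype, shape, (start, end) = info["dtype"], info["shape"], info["data_offsets"]
        except (KeyError, TypeError, ValueError):
            raise ValueError(f"{name}: malformed header entry")
        if (dtype not in DTYPE_SIZE or not isinstance(shape, list)
                or not all(isinstance(d, int) and d >= 0 for d in shape)
                or not all(isinstance(x, int) for x in (start, end))):
            raise ValueError(f"{name}: bad dtype, shape or offsets")
        numel = 1
        for d in shape:
            numel *= d
        entries.append((start, end, name, dtype, tuple(shape), numel * DTYPE_SIZE[dtype]))
    tensors, expected = {}, 0
    for start, end, name, dtype, shape, nbytes in sorted(entries):
        # contiguous from 0, in bounds, and exactly dtype*shape bytes long
        if start != expected or end - start != nbytes or end > len(body):
            raise ValueError(f"{name}: offsets [{start}, {end}) inconsistent")
        tensors[name] = (dtype, shape, body[start:end])   # zero-copy slice
        expected = end
    if expected != len(body):
        raise ValueError("trailing bytes after last tensor")
    return tensors, metadata

def roundtrip():
    """Constructed two-tensor checkpoint written, read back and decoded."""
    w = struct.pack("<4f", 0.5, -1.0, 2.0, 3.25)
    b = struct.pack("<2f", 0.25, -0.5)
    blob = write_safetensors({"layer.weight": ("F32", (2, 2), w),
                              "layer.bias": ("F32", (2,), b)}, {"format": "pt"})
    tensors, meta = read_safetensors(blob)
    return {k: (d, s, list(struct.unpack(f"<{len(m) // 4}f", m)))
            for k, (d, s, m) in tensors.items()}, meta

def tampered_is_rejected():
    """Rewrite the header so one tensor claims bytes far past the buffer."""
    blob = write_safetensors({"w": ("F32", (2,), struct.pack("<2f", 1.0, 2.0))})
    n = struct.unpack("<Q", blob[:8])[0]
    hdr = json.loads(blob[8:8 + n])
    hdr["w"]["data_offsets"] = [0, 1 << 40]
    hjson = json.dumps(hdr).encode()
    try:
        read_safetensors(struct.pack("<Q", len(hjson)) + hjson + blob[8 + n:])
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    print(demo_pickle_runs_code())
    print(roundtrip())
    print("tampered rejected:", tampered_is_rejected())
```

Run it directly to see the three results. The reader hands back `memoryview` slices rather than copies, which is the zero-copy idea in miniature: if `data` were an `mmap` of the checkpoint instead of a `bytes` object, no tensor bytes would be duplicated until the caller decodes them. The pickle half shows the failure mode the article describes: the marker function runs inside `pickle.loads`, before the caller ever sees the returned object.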

Shared from Scout - Be the smartest in the room.