v0.6.9: Security release + new Mistral 7B 1.00548x record
UltraCompress v0.6.9 closes an RCE-class deserialization vulnerability across all six customer-facing load sites, scrubs the sdist of internal lab modules that leaked in v0.6.7 and v0.6.8 (both now yanked from PyPI), and ships a new Mistral-7B-v0.3 lossless 5-bit record: 1.00548x PPL ratio — the tightest dense 7B-class number we know of publicly.
The change
Every model-load call in UltraCompress now enforces weights_only=True. There were six customer-facing sites where .uc pack files hit PyTorch's deserialization path. All six are patched. If you have a workflow that depends on loading objects beyond raw tensors, an explicit --unsafe-load flag now gates that behavior — it is off by default and requires conscious opt-in.
The patch is small and surgical. No API surface changed. No new dependencies. No breaking changes to pack files, compression configs, or inference pipelines.
Why it matters
PyTorch's default model-load path uses Python's serialization layer under the hood. A tampered .uc payload could embed arbitrary Python objects that execute on load — classic remote code execution. This is an industry-wide problem (every framework that ships model files has dealt with it), but that does not make it acceptable. We caught it in our own audit, not from a customer report.
The fix is validated by negative tests in test_safe_load.py: we construct intentionally malicious payloads and confirm they are rejected at the deserialization boundary. The test suite ships with the package so you can run the same validation on your own infrastructure.
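The allowlist principle behind weights_only=True, and the shape of a negative test like the ones described above, as an added stdlib-only sketch. It is not UltraCompress or PyTorch code: safe_load, ALLOWED_GLOBALS and both sample payloads are constructed for illustration, and the "tampered" payload does nothing more than call os.getpid().

```python
import collections
import io
import os
import pickle

# Assumption for this sketch: the only non-primitive type a pack file needs.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowlistUnpickler(pickle.Unpickler):
    """Resolve a global only if it is on the allowlist; refuse everything else."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global: {module}.{name}")


def safe_load(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


class CallOnLoad:
    """Constructed negative-test object: unpickling it calls os.getpid()."""

    def __reduce__(self):
        return (os.getpid, ())


def build_samples():
    benign = pickle.dumps(collections.OrderedDict(layer0=[0.1, 0.2], bits=5))
    tampered = pickle.dumps({"layer0": CallOnLoad()})
    return benign, tampered


if __name__ == "__main__":
    benign, tampered = build_samples()
    print("benign rejected:", is_rejected(benign))
    print("tampered rejected:", is_rejected(tampered))
    # The default loader runs the embedded call while parsing the payload.
    print("default loader ran a function:", pickle.loads(tampered)["layer0"] == os.getpid())
```

The rejection happens when the loader tries to resolve the global, before the referenced function can be called, which is the boundary a negative test should assert on.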
What we yanked
v0.6.7 and v0.6.8 have been yanked from PyPI. Both carried the deserialization vulnerability, but the yank was also driven by a second issue: the sdist (source distribution) for those versions included internal lab modules that should never have shipped.
The numbers tell the story:
- v0.6.8 sdist: 170 files, 147 .py files — lab modules included
- v0.6.9 sdist: 35 files, 15 .py files — MANIFEST.in-scrubbed to production surface only
If you installed v0.6.7 or v0.6.8 from source, upgrade immediately. The wheel (binary) distributions of those versions did not include the extra files, but the vulnerability was present in both wheel and sdist.
New on the benchmark side
Mistral-7B-v0.3 now compresses to a verified 1.00548x perplexity ratio at 5 bits per weight. That is the tightest lossless 5-bit result we have measured on any dense 7B-class model, and it is the tightest we have found published anywhere on the HuggingFace Hub for this model class and bit budget.
The full 22-architecture matrix as of today:
- 22 architectures validated (dense, mixture-of-experts, state-space)
- Three sub-1.005x records: Mixtral-8x7B at 1.00368x, Qwen3-14B at 1.00403x, Mistral-7B-v0.3 at 1.00548x
- All artifacts SHA-256 verified, bit-identical reconstruction, available on the public HuggingFace Hub
The live benchmark dashboard is at sipsalabs.com/inference. Every number on that page is a measurement we ran, on hardware we own, with conditions we publish.
How to upgrade
pip install --upgrade ultracompress
Drop-in replacement. No code changes required. If you pinned to ==0.6.7 or ==0.6.8, those pins will now fail because the versions are yanked — update your pin to >=0.6.9.
Verify your installation:
python -c "import ultracompress; print(ultracompress.__version__)"
# should print: 0.6.9
Sipsa Labs is an experimental and deep tech-and-software company. UltraCompress is the first publicly-shipped product. Sipsa Inference is the second. More products in flight.