Fix a security issue in LossNode

[adrinjalali]

This fixes an issue in LossNode where we used to load module from a given file.

This is not too big of a deal since if the user has a malicious package, they're already compromised via .pth files anyway. But this can still be avoided.

[adrinjalali]

The failing CI against nightly build can be ignored, the AI says:

Yes — this is a known upstream issue. scikit-learn/scikit-learn#33616 was filed just yesterday (2026-03-25) about exactly this.

What happened: scipy PR #24800 merged ILP64 support for cython_blas/cython_lapack, changing function signatures from int * to blas_int *. sklearn's nightly wheels were compiled against the old signatures, so they break with scipy 1.18.dev0 nightlies.

Current state on the sklearn side:

Labeled as Blocker for milestone 1.9
@thomasjpfan has a starting point for a fix, but noted it creates the reverse problem: compiling sklearn against the new scipy then breaks with scipy 1.17.x
It's essentially an ABI break in scipy's Cython API for downstream consumers
Nothing to do on the skops side — it'll resolve once sklearn publishes updated nightly wheels.

[cakedev0]

Codex found this issue too, I was about to open a PR when I saw this one.

It wrote a non-regression test, in case you're interested to add it in this PR (I'd say it's a nice-to-have):

Details

def test_loss_node_does_not_import_before_audit(monkeypatch):
    from sklearn._loss._loss import CyAbsoluteError

    dumped = dumps(CyAbsoluteError())
    buffer = io.BytesIO()

    with ZipFile(io.BytesIO(dumped), "r") as src, ZipFile(buffer, "w") as dst:
        schema = json.loads(src.read("schema.json"))
        schema["__module__"] = "malicious_mod"
        schema["__class__"] = "Payload"

        for info in src.infolist():
            if info.filename == "schema.json":
                dst.writestr("schema.json", json.dumps(schema))
            else:
                dst.writestr(info, src.read(info.filename))

    dumped = buffer.getvalue()

    def fail_gettype(*args, **kwargs):
        raise AssertionError("gettype() should not be called before audit")

    monkeypatch.setattr("skops.io._sklearn.gettype", fail_gettype)

    with pytest.raises(UntrustedTypesFoundException, match="malicious_mod.Payload"):
        loads(dumped)