by jojobas 767 days ago
Is there another way to load a saved dataset in R though, so that it can't execute anything?
1 comments

Save it in the usual text-based formats, like a CSV or JSON. Outside of packages, which use serialized data by default for good reasons, I haven't seen many people loading strangers' RDS or RData files.

If an attacker can control a package's rdb and rdx files, it's game over. They could just stick an `.onAttach` function in that does whatever they want when the package is loaded directly or imported by another package.

The fact that they had to mess with unbounded promises, and that the bug got fixed, suggests you normally can't run any code from load().
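The text-based route suggested in the reply above, as an added example that is not part of the thread: a data frame is round-tripped through CSV, and the reader restores the types CSV cannot carry (factor, Date) from a schema the consumer declares itself. The column names, the sample data and the `read_untrusted_csv` helper are constructed for illustration.

```r
# Added example: exchange a data frame as CSV instead of RDS/RData.
# read.csv() parses text into atomic vectors; it does not unserialize R objects.

# Constructed sample data (illustrative column names).
df <- data.frame(
  id      = 1:3,
  group   = factor(c("a", "b", "a"), levels = c("a", "b")),
  sampled = as.Date(c("2024-01-05", "2024-02-10", "2024-03-15")),
  value   = c(1.5, NA, 3.25)
)

path <- tempfile(fileext = ".csv")
write.csv(df, path, row.names = FALSE, na = "")

# Schema declared by the consumer, never inferred from the file.
schema <- c(id = "integer", group = "character",
            sampled = "character", value = "numeric")

# Hypothetical helper: read with fixed column types, then validate and
# rebuild the factor and Date columns explicitly.
read_untrusted_csv <- function(path, schema, group_levels) {
  raw <- read.csv(path, colClasses = schema, na.strings = "",
                  stringsAsFactors = FALSE)
  if (!identical(names(raw), names(schema))) {
    stop("unexpected column set: ", paste(names(raw), collapse = ", "))
  }
  raw$sampled <- as.Date(raw$sampled, format = "%Y-%m-%d")
  if (anyNA(raw$sampled)) stop("unparseable date in 'sampled'")
  if (!all(raw$group %in% group_levels)) stop("unknown level in 'group'")
  raw$group <- factor(raw$group, levels = group_levels)
  raw
}

restored <- read_untrusted_csv(path, schema, group_levels = c("a", "b"))

# The round trip preserves values and types, including the missing value.
stopifnot(
  identical(restored$id, df$id),
  identical(restored$group, df$group),
  identical(restored$sampled, df$sampled),
  identical(restored$value, df$value)
)
```

A file whose columns or values do not match the declared schema makes the helper stop with an error instead of returning a partially coerced data frame.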