From e4015526fe3c865e7de11dff0d18e2863c6a0c7f Mon Sep 17 00:00:00 2001
From: Brandon Garcia
Date: Thu, 30 Apr 2026 17:08:44 -0700
Subject: [PATCH] Pin lightning==2.6.1 to avoid compromised 2.6.2/2.6.3

Lightning AI advisory GHSA-w37p-236h-pfx3 reports the lightning / pytorch-lightning 2.6.2 and 2.6.3 wheels on PyPI contain a credential-harvesting payload that auto-executes on import. 2.6.1 is the last known clean release.

The previous spec 'lightning>=2.4.0' would resolve to 2.6.3 on a fresh install. Pinning to 2.6.1 forces resolvers to skip the malicious versions until upstream publishes a clean replacement.

Refs: https://github.com/Lightning-AI/pytorch-lightning/security/advisories/GHSA-w37p-236h-pfx3
---
pyproject.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 171792b..7e29fb4 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -39,7 +39,7 @@ classifiers = [
 dependencies = [
 "roboflow>=1.1.0",
 "dacite>=1.9.1",
- "lightning>=2.4.0",
+ "lightning==2.6.1",
 "supervision>=0.26.0rc4",
 "requests>=2.31.0,<=2.32.3",
 "typer>=0.12.5",
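Review bot: The new `"lightning==2.6.1",` line carries no in-file explanation, so a routine dependency refresh could relax it back to a range and pull 2.6.2/2.6.3 again without the reason ever surfacing in the manifest; add a trailing comment such as `"lightning==2.6.1",  # GHSA-w37p-236h-pfx3: 2.6.2/2.6.3 wheels are compromised, unpin once a clean release is published`. The commit message names both `lightning` and `pytorch-lightning` as affected, but the pin constrains only `lightning`; if any package in the resolved tree depends on `pytorch-lightning` directly, that path is presumably still open and is worth checking with a fresh resolve. Since the advisory concerns tampered wheels rather than source bugs, a version pin alone does not verify what the index serves; where the project's install path supports it, recording the 2.6.1 wheel hashes in a lock or constraints file is the stronger control. The `dependencies` array continues outside the hunk.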