From b26d28110684805f38d4373d49e0ab604b8f7686 Mon Sep 17 00:00:00 2001
From: Sean Colby
Date: Fri, 1 May 2026 13:51:42 -0800
Subject: [PATCH 1/2] fix: pin lightning <=2.6.1 to avoid CVE in 2.6.2/2.6.3

PyTorch Lightning 2.6.2 and 2.6.3 contain a security vulnerability. Cap the upper bound so fresh installs don't resolve to affected releases while preserving the existing >=2.0 floor.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index f2c1c7c..cb766d1 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -9,7 +9,7 @@ description = "Cost-aware synthetic active learning pipeline for cheminformatics
 requires-python = ">=3.11"
 dependencies = [
     "chemprop>=2.0,<3.0",
-    "lightning>=2.0",
+    "lightning>=2.0,<=2.6.1",
     "torch>=2.0",
     "rdkit>=2023.3",
     "pandas>=2.0",

From 9c688ee931d1635043b7de137bd6b1bcd86ecbfe Mon Sep 17 00:00:00 2001
From: Sean Colby
Date: Fri, 1 May 2026 14:15:36 -0800
Subject: [PATCH 2/2] Use exclusive upper bound for lightning

---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index cb766d1..cf3a9e0 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -9,7 +9,7 @@ description = "Cost-aware synthetic active learning pipeline for cheminformatics
 requires-python = ">=3.11"
 dependencies = [
     "chemprop>=2.0,<3.0",
-    "lightning>=2.0,<=2.6.1",
+    "lightning>=2.0,<2.6.2",
     "torch>=2.0",
     "rdkit>=2023.3",
     "pandas>=2.0",
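Review bot: The new `<2.6.2` cap on the lightning line excludes the two affected releases named in the first commit message, but it also excludes every later release, including any that ships a fix, so fresh installs will stay on 2.6.1 until someone remembers to revisit this line. If the intent is only to skip the vulnerable versions, PEP 440 exclusions say that directly and remain correct once a patched release exists: `"lightning>=2.0,!=2.6.2,!=2.6.3",`. Neither the file nor either commit message records the advisory identifier, so a comment above the entry such as `# 2.6.2 and 2.6.3 are affected by <ADVISORY-ID placeholder>; re-check before widening` would tell a future maintainer what the constraint guards against and when it can be relaxed.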