From 9d161b786b03c42bd32f3a1f9c81c838963aa4f5 Mon Sep 17 00:00:00 2001
From: James Robinson <james.em.robinson@gmail.com>
Date: Thu, 30 Apr 2026 20:08:24 +0100
Subject: [PATCH] :lock: Exclude compromised lightning versions

---
 pyproject.toml | 2 +-
 uv.lock        | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 6ac60b07..5c634100 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -32,7 +32,7 @@ dependencies = [
     "icenet==0.2.7", # newer versions require netCDF4<1.6.1 which does not work on macOS 15
     "imageio-ffmpeg>=0.6.0",
     "jaxtyping>=0.3.2",
-    "lightning>=2.5.1",
+    "lightning>=2.5.1,!=2.6.2,!=2.6.3", # 2.6.2 and 2.6.3 are compromised https://www.aikido.dev/blog/pytorch-lightning-pypi-compromise-mini-shai-hulud
     "matplotlib>=3.10.3",
     "netcdf4>=1.7.0",
     "pillow>=11.3.0",
diff --git a/uv.lock b/uv.lock
index 907fc7dc..551fdcab 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1845,7 +1845,7 @@ requires-dist = [
     { name = "icenet", specifier = "==0.2.7" },
     { name = "imageio-ffmpeg", specifier = ">=0.6.0" },
     { name = "jaxtyping", specifier = ">=0.3.2" },
-    { name = "lightning", specifier = ">=2.5.1" },
+    { name = "lightning", specifier = ">=2.5.1,!=2.6.2,!=2.6.3" },
     { name = "matplotlib", specifier = ">=3.10.3" },
     { name = "netcdf4", specifier = ">=1.7.0" },
     { name = "pillow", specifier = ">=11.3.0" },