Hi all,
I would like to report a vulnerability. Your security policy suggests that email is the preferred channel, but the listed addresses don’t seem to be active. The Slack channel seems to be restricted to only a couple of internal domains.
Please let me know if I should open an issue on the repository instead.
Lightning requires fastapi<0.89, which requires starlette==0.22.0. Versions of starlette before 0.25.0 have some vulnerabilities:
Two questions:
- Is there a way to install Lightning without the app requirements? I am only interested in the classic PyTorch Lightning features.
- If not, would you be happy to relax the requirement and release a patch?
Hello
Thanks for reporting it.
It is being worked on here: CVE-2023-30798: FastAPI <0.92 has a security vulnerability due to Starlette <0.25 · Issue #17563 · Lightning-AI/lightning · GitHub
- Is there a way to install Lightning without the app requirements? I am only interested in the classic PyTorch Lightning features.
Yes and no: one can install pytorch_lightning; this package only contains the lightning.pytorch part without the app modules and dependencies, but it uses the old-style import, i.e., import pytorch_lightning as pl.
If not, would you be happy to relax the requirement and release a patch?
I believe this is what is being done in the linked PR. In any case, you should be good by installing via
pip install -U fastapi starlette
if my understanding is correct.
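The fix described above amounts to making sure the resolver ends up with Starlette 0.25.0 or newer (and, per the linked issue title, FastAPI 0.92 or newer). The following script, added here as an example and not code from the thread participants or from the Lightning project, audits the installed environment against those minimums after a `pip install -U fastapi starlette`. The minimum versions are taken from the issue title quoted above; the "0.92.0" spelling, the use of importlib.metadata, and the treatment of pre-release tags as below the fixed release are my assumptions.

```python
"""Check that the Starlette/FastAPI versions resolved alongside Lightning are
at or above the releases the thread names as fixed.

Added example for this thread; not Lightning project code.
"""
import re
from importlib import metadata

# Minimums taken from the linked issue title ("Starlette <0.25", "FastAPI <0.92").
# The three-part spelling of 0.92.0 is an assumption.
MIN_SAFE = {"starlette": "0.25.0", "fastapi": "0.92.0"}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(text):
    """Turn '0.25.0' into a comparable tuple.

    A pre-release suffix such as '0.25.0rc1' sorts *below* the final release,
    because the release candidate is not the fixed version; a plain string
    comparison would get that wrong. Shorter versions are padded so that
    '0.25' compares equal to '0.25.0'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))   # pad to at least three components
    is_final = m.group(2) == ""            # any trailing suffix -> pre-release
    return numbers + ((1,) if is_final else (0,))


def is_at_least(installed, minimum):
    """True when `installed` is the same as or newer than `minimum`."""
    return parse_version(installed) >= parse_version(minimum)


def installed_versions(packages):
    """Read versions from the current environment; missing packages map to None."""
    found = {}
    for name in packages:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            found[name] = None
    return found


def audit(versions, minimums=MIN_SAFE):
    """Return {package: 'ok' | 'vulnerable' | 'missing'} for each pinned package.

    `versions` is a mapping of package name to installed version string (or
    None), so the check can also be run against a constructed mapping.
    """
    report = {}
    for name, minimum in minimums.items():
        current = versions.get(name)
        if current is None:
            report[name] = "missing"
        elif is_at_least(current, minimum):
            report[name] = "ok"
        else:
            report[name] = "vulnerable"
    return report


if __name__ == "__main__":
    # Run inside the environment where Lightning is installed.
    for pkg, status in audit(installed_versions(MIN_SAFE)).items():
        print(f"{pkg}: {status}")
```

Running the script in the affected environment before the upgrade reports starlette as vulnerable (0.22.0 < 0.25.0); after `pip install -U fastapi starlette` both entries should read ok. Because `audit` takes the version mapping as an argument, the same check can be wired into a CI step that reads a lock file instead of the live environment.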
You are right, our email address on the issue page is outdated. I’ll reach out internally to get it fixed. Thanks!
EDIT: I reached out and the email address is being updated.
Thanks, @awaelchli. I’ve subscribed to the issue and the PR.
Yes and no: one can install pytorch_lightning; this package only contains the lightning.pytorch part without the app modules and dependencies, but it uses the old-style import, i.e., import pytorch_lightning as pl.
That sounds good enough. We’ll give that a try.
Thank you!