One thing that makes me wonder is that there are 4 security issues raised and all of them were automatically commented on and closed by some bot called `pl-ghost` [1][2][3][4]. In the end, only this one [4] was properly handled, and all bot comments are deleted. You can see the bot comments in another report [5], which is more informative than the OP one.

[1] https://github.com/Lightning-AI/pytorch-lightning/issues/216...

[2] https://github.com/Lightning-AI/pytorch-lightning/issues/216...

[3] https://github.com/Lightning-AI/pytorch-lightning/issues/216...

[4] https://github.com/Lightning-AI/pytorch-lightning/issues/216...

[5] https://socket.dev/blog/lightning-pypi-package-compromised