Bump launch-editor to 2.14.1 in www (Dependabot #339)#1317
Merged
Conversation
Closes Dependabot alert #339 (GHSA-v6wh-96g9-6wx3 / CVE-2026-53632, medium — launch-editor NTLMv2 hash disclosure via UNC path handling on Windows). www had launch-editor@2.13.2 (vulnerable range <= 2.14.0). launch-editor is a transitive dep of webpack-dev-server (^2.6.1), so a plain `npm update launch-editor --package-lock-only` bumps it to 2.14.1 within range — no override needed. Single-package, 4-line diff. No breaking changes: 2.14.1 is the UNC-path security fix itself ("fix: reject UNC paths", #138); 2.14.0 adds package types and editor- path detection fixes (Trae casing, vscode path) — all additive. The public API (launch an editor) is unchanged. launch-editor is dev-only tooling — webpack-dev-server's click-to-open- in-editor overlay during `docusaurus start`, and the vuln is Windows/UNC-specific; it never runs in CI or the shipped static site. Closes #339. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes Dependabot alert #339 — GHSA-v6wh-96g9-6wx3 / CVE-2026-53632 (medium:
launch-editorNTLMv2 hash disclosure via UNC path handling on Windows).wwwhadlaunch-editor@2.13.2(vulnerable range<= 2.14.0).Fix
launch-editoris a transitive dep ofwebpack-dev-server(^2.6.1), so a plainnpm update launch-editor --package-lock-onlybumps it to 2.14.1 within range — no override needed. Single-package, 4-line diff.Breaking-change check
Changelog 2.13.2 → 2.14.1:
fix: reject UNC paths([runtime] Fix warnings #138) — the security fix itself — plus non-major dep bumps.feat: add and improve package types(additive), editor-path detection fixes (Trae casing, vscode path).No breaking changes; the public API (launch an editor) is unchanged.
Verification
npm install→ singlelaunch-editor@2.14.1; no copy<= 2.14.0.launch-editoris dev-only tooling —webpack-dev-server's click-to-open-in-editor overlay duringdocusaurus start— and the vuln is Windows/UNC-specific. It never runs in CI or reaches the shipped static site.🤖 Generated with Claude Code