Skip to content

Bump launch-editor to 2.14.1 in www (Dependabot #339)#1317

Merged
mbouaziz merged 1 commit into
mainfrom
fix-launch-editor-339
Jul 10, 2026
Merged

Bump launch-editor to 2.14.1 in www (Dependabot #339)#1317
mbouaziz merged 1 commit into
mainfrom
fix-launch-editor-339

Conversation

@mbouaziz

Copy link
Copy Markdown
Contributor

Summary

Closes Dependabot alert #339GHSA-v6wh-96g9-6wx3 / CVE-2026-53632 (medium: launch-editor NTLMv2 hash disclosure via UNC path handling on Windows). www had launch-editor@2.13.2 (vulnerable range <= 2.14.0).

Fix

launch-editor is a transitive dep of webpack-dev-server (^2.6.1), so a plain npm update launch-editor --package-lock-only bumps it to 2.14.1 within range — no override needed. Single-package, 4-line diff.

Breaking-change check

Changelog 2.13.2 → 2.14.1:

  • v2.14.1: fix: reject UNC paths ([runtime] Fix warnings #138) — the security fix itself — plus non-major dep bumps.
  • v2.14.0: feat: add and improve package types (additive), editor-path detection fixes (Trae casing, vscode path).

No breaking changes; the public API (launch an editor) is unchanged.

Verification

  • Fresh npm install → single launch-editor@2.14.1; no copy <= 2.14.0.
  • Diff scoped to the one package; no lockfile drift.

launch-editor is dev-only tooling — webpack-dev-server's click-to-open-in-editor overlay during docusaurus start — and the vuln is Windows/UNC-specific. It never runs in CI or reaches the shipped static site.

🤖 Generated with Claude Code

Closes Dependabot alert #339 (GHSA-v6wh-96g9-6wx3 / CVE-2026-53632,
medium — launch-editor NTLMv2 hash disclosure via UNC path handling on
Windows). www had launch-editor@2.13.2 (vulnerable range <= 2.14.0).

launch-editor is a transitive dep of webpack-dev-server (^2.6.1), so a
plain `npm update launch-editor --package-lock-only` bumps it to 2.14.1
within range — no override needed. Single-package, 4-line diff.

No breaking changes: 2.14.1 is the UNC-path security fix itself
("fix: reject UNC paths", #138); 2.14.0 adds package types and editor-
path detection fixes (Trae casing, vscode path) — all additive. The
public API (launch an editor) is unchanged.

launch-editor is dev-only tooling — webpack-dev-server's click-to-open-
in-editor overlay during `docusaurus start`, and the vuln is
Windows/UNC-specific; it never runs in CI or the shipped static site.

Closes #339.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@mbouaziz mbouaziz enabled auto-merge July 10, 2026 15:36
@mbouaziz mbouaziz merged commit 3680312 into main Jul 10, 2026
2 checks passed
@mbouaziz mbouaziz deleted the fix-launch-editor-339 branch July 10, 2026 15:37
@mbouaziz mbouaziz mentioned this pull request Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant