From 724ee32c49573c00151255fbd8299f0dffe89ae4 Mon Sep 17 00:00:00 2001
From: linusdevx
Date: Mon, 22 Jun 2026 15:53:00 +0530
Subject: [PATCH] chore(deps): bump vite from 6.4.2 to 6.4.3 (security) Resolves two Dependabot alerts: - GHSA-fx2h-pf6j-xcff (high): vite server.fs.deny bypass on Windows alternate paths - GHSA-v6wh-96g9-6wx3 (medium): launch-editor NTLMv2 hash disclosure via UNC paths on Windows Both CVEs affect Vite's dev server on Windows only. This project uses Vite for the production build (`npm run build`), not as a live dev server (`npm run serve` runs http-server), so practical exposure is nil. Bumping anyway to clear the alerts and live up to the SECURITY.md "continuous scanning" claim. Lockfile-only change; declared range `^6.0.0` already permits 6.4.3. Verified: `npm run build` passes.
---
 package-lock.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 6dd4d64..7e56461 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1691,9 +1691,9 @@
 "license": "MIT"
 },
 "node_modules/vite": {
- "version": "6.4.2",
- "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.2.tgz",
- "integrity": "sha512-2N/55r4JDJ4gdrCvGgINMy+HH3iRpNIz8K6SFwVsA+JbQScLiC+clmAxBgwiSPgcG9U15QmvqCGWzMbqda5zGQ==",
+ "version": "6.4.3",
+ "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.3.tgz",
+ "integrity": "sha512-NTKlcQjlAK7MlQoyb6LgaqHc8sso/pVyUJYWMws3jg21uTJw/LddqIFPcPqP6PzpgbIcZyKI85sFE4HBrQDA8A==",
 "dev": true,
 "license": "MIT",
 "dependencies": {