Skip to content

[lexical] Chore: Fix minimatch CVE-2026-26996 in example projects#8169

Open
thatmichael85 wants to merge 1 commit intomainfrom
users/thatmichael85/T257123839
Open

[lexical] Chore: Fix minimatch CVE-2026-26996 in example projects#8169
thatmichael85 wants to merge 1 commit intomainfrom
users/thatmichael85/T257123839

Conversation

@thatmichael85
Copy link
Contributor

@thatmichael85 thatmichael85 commented Feb 25, 2026
edited
Loading

Description

  • minimatch < 3.1.3 (CVE-2026-26996, HIGH severity) was present as a transitive dependency in three example projects.
  • extension-vanilla-react-plugin-host & extension-vanilla-tailwind: Migrated from rollup-plugin-copy (unmaintained since Sep 2023) to vite-plugin-static-copy, which uses tinyglobby instead of the deprecated glob/minimatch chain.
  • extension-sveltekit-ssr-hydration: Upgraded eslint ^9.22.0^10.0.0 (and related packages: @eslint/js, @eslint/compat, typescript-eslint, eslint-plugin-svelte) since ESLint 10 replaced minimatch@3.x with minimatch@^10.2.1.

Test plan

Before

  • minimatch@3.1.2 present in all three example lockfiles
  • GitHub Dependabot alert active for CVE-2026-26996

After

  • minimatch@3.1.2 removed from all example lockfiles
  • Both vite examples build successfully with vite-plugin-static-copy
  • All 2533 unit tests pass

Playground

image

@thatmichael85
[lexical] Security: Fix minimatch CVE-2026-26996 in example projects (#…
e6eafa9 
…8117)

Fixes a HIGH severity vulnerability (GHSA-3ppc-4f35-3m26) where
minimatch < 3.1.3 was present as a transitive dependency in three
example projects. Rather than applying pnpm overrides as a workaround,
each project was fixed by upgrading the dependency that introduced it:

extension-vanilla-react-plugin-host & extension-vanilla-tailwind:
- Migrated from rollup-plugin-copy (unmaintained since Sep 2023) to
  vite-plugin-static-copy, which uses tinyglobby instead of the
  deprecated glob/minimatch chain.

extension-sveltekit-ssr-hydration:
- Upgraded eslint ^9.22.0 -> ^10.0.0 (and related packages: @eslint/js,
  @eslint/compat, typescript-eslint, eslint-plugin-svelte) since ESLint
  10 replaced minimatch@3.x with minimatch@^10.2.1.
@vercel
Copy link

vercel bot commented Feb 25, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
lexical Ready Ready Preview, Comment Feb 25, 2026 3:02pm
lexical-playground Ready Ready Preview, Comment Feb 25, 2026 3:02pm

Request Review

@meta-cla meta-cla bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Feb 25, 2026
@etrepum etrepum added the extended-tests Run extended e2e tests on a PR label Feb 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zurfyx zurfyx Awaiting requested review from zurfyx zurfyx is a code owner

@fantactuka fantactuka Awaiting requested review from fantactuka fantactuka is a code owner

@acywatson acywatson Awaiting requested review from acywatson acywatson is a code owner

@ivailop7 ivailop7 Awaiting requested review from ivailop7 ivailop7 is a code owner

@potatowagon potatowagon Awaiting requested review from potatowagon potatowagon is a code owner

@takuyakanbr takuyakanbr Awaiting requested review from takuyakanbr takuyakanbr is a code owner

@etrepum etrepum Awaiting requested review from etrepum etrepum is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. extended-tests Run extended e2e tests on a PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@thatmichael85 @etrepum