
[lexical] Chore: Fix minimatch CVE-2026-26996 in example projects#8169

Open
thatmichael85 wants to merge 1 commit intomainfrom
users/thatmichael85/T257123839

Conversation

@thatmichael85
Contributor

@thatmichael85 thatmichael85 commented Feb 25, 2026

Description

  • minimatch < 3.1.3 (CVE-2026-26996, HIGH severity) was present as a transitive dependency in three example projects.
  • extension-vanilla-react-plugin-host & extension-vanilla-tailwind: Migrated from rollup-plugin-copy (unmaintained since Sep 2023) to vite-plugin-static-copy, which uses tinyglobby instead of the deprecated glob/minimatch chain.
  • extension-sveltekit-ssr-hydration: Upgraded eslint ^9.22.0 -> ^10.0.0 (and related packages: @eslint/js, @eslint/compat, typescript-eslint, eslint-plugin-svelte) since ESLint 10 replaced minimatch@3.x with minimatch@^10.2.1.

Test plan

Before

  • minimatch@3.1.2 present in all three example lockfiles
  • GitHub Dependabot alert active for CVE-2026-26996

After

  • minimatch@3.1.2 removed from all example lockfiles
  • Both vite examples build successfully with vite-plugin-static-copy
  • All 2533 unit tests pass

Playground

(image)

…8117)

Fixes a HIGH severity vulnerability (GHSA-3ppc-4f35-3m26) where
minimatch < 3.1.3 was present as a transitive dependency in three
example projects. Rather than applying pnpm overrides as a workaround,
each project was fixed by upgrading the dependency that introduced it:

extension-vanilla-react-plugin-host & extension-vanilla-tailwind:
- Migrated from rollup-plugin-copy (unmaintained since Sep 2023) to
  vite-plugin-static-copy, which uses tinyglobby instead of the
  deprecated glob/minimatch chain.

extension-sveltekit-ssr-hydration:
- Upgraded eslint ^9.22.0 -> ^10.0.0 (and related packages: @eslint/js,
  @eslint/compat, typescript-eslint, eslint-plugin-svelte) since ESLint
  10 replaced minimatch@3.x with minimatch@^10.2.1.
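To verify the "After" state of the test plan above (no minimatch below 3.1.3 left in a lockfile), here is an added example scanner; it is not code from this PR or from the lexical repository. The lockfile text inside it is constructed, and versions are compared numerically so that minimatch@10.2.1 is not mistaken for a release older than 3.1.3.

```javascript
// Added example: scan lockfile text for resolved versions of a package that
// are still below the fixed version. Not part of the lexical repository.

// Parse "MAJOR.MINOR.PATCH" into numbers; any prerelease/build suffix is ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when a < b by numeric semver precedence (so "10.2.1" is not < "3.1.3").
function semverLess(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) return false;
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Collect every "name@x.y.z" resolution key below `fixed`. pnpm lockfiles write
// package keys as "/minimatch@3.1.2:" (v6) or "minimatch@3.1.2:" (v9); both match.
function findVulnerableVersions(lockText, name, fixed) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp(`(?:^|[/\\s'"(])${escaped}@(\\d+\\.\\d+\\.\\d+)`, 'gm');
  const found = new Set();
  let m;
  while ((m = re.exec(lockText)) !== null) {
    if (semverLess(m[1], fixed)) found.add(m[1]);
  }
  return [...found].sort((a, b) => (semverLess(a, b) ? -1 : semverLess(b, a) ? 1 : 0));
}

// Constructed pnpm-lock.yaml excerpt (v9 layout) showing the pre-fix state:
// glob@7.2.3 still pulls in minimatch@3.1.2 while ESLint 10 brings minimatch@10.2.1.
const SAMPLE_LOCK = `lockfileVersion: '9.0'
packages:
  eslint@10.0.0:
    resolution: {integrity: sha512-constructed}
  glob@7.2.3:
    resolution: {integrity: sha512-constructed}
  minimatch@3.1.2:
    resolution: {integrity: sha512-constructed}
  minimatch@10.2.1:
    resolution: {integrity: sha512-constructed}
snapshots:
  glob@7.2.3:
    dependencies:
      minimatch: 3.1.2
`;

console.log(findVulnerableVersions(SAMPLE_LOCK, 'minimatch', '3.1.3')); // [ '3.1.2' ]
```

Pass the contents of each example project's lockfile in place of SAMPLE_LOCK; an empty result means no resolution below the fixed version remains.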
@vercel

vercel bot commented Feb 25, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project             Deployment   Actions            Updated (UTC)
lexical             Ready        Preview, Comment   Feb 25, 2026 3:02pm
lexical-playground  Ready        Preview, Comment   Feb 25, 2026 3:02pm


@meta-cla meta-cla bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Feb 25, 2026
@etrepum etrepum added the extended-tests Run extended e2e tests on a PR label Feb 25, 2026