
[lexical] Chore: Fix minimatch CVE-2026-26996 in example projects#8169

Merged
thatmichael85 merged 2 commits into main from users/thatmichael85/T257123839
Feb 26, 2026

Conversation


@thatmichael85 thatmichael85 commented Feb 25, 2026

Description

  • minimatch is a glob pattern matching library used internally by tools like glob and eslint to match file paths against patterns (e.g. **/*.js). Versions < 3.1.3 have CVE-2026-26996 (ReDoS, HIGH severity) — a crafted pattern can cause catastrophic backtracking.
  • The vulnerable minimatch@3.1.2 was a transitive dependency in three example projects, pulled in by other outdated packages. Rather than bumping minimatch directly, we replaced the upstream packages that depended on the vulnerable version:
    • extension-vanilla-react-plugin-host & extension-vanilla-tailwind: Replaced rollup-plugin-copy (unmaintained since Sep 2023, depends on glob → minimatch@3.x) with vite-plugin-static-copy, which uses tinyglobby instead of the glob/minimatch chain entirely.
    • extension-sveltekit-ssr-hydration: Upgraded eslint ^9.22.0 → ^10.0.0 (and related packages: @eslint/js, @eslint/compat, typescript-eslint, eslint-plugin-svelte) since ESLint 9 depended on minimatch@3.x while ESLint 10 uses minimatch@^10.2.1.

Closes #8167

Test plan

Before

  • minimatch@3.1.2 present in all three example lockfiles
  • GitHub Dependabot alert active for CVE-2026-26996

After

  • minimatch@3.1.2 REMOVED from all example lockfiles
  • Both vite examples build successfully with vite-plugin-static-copy
  • All 2589 unit tests pass

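An added check, not code from this PR or the Lexical repository, that automates the test plan's before/after lockfile comparison: it scans a pnpm-lock.yaml for minimatch entries older than the fixed release 3.1.3. The two lockfile snippets are constructed samples, and the key formats assumed are pnpm's `minimatch@3.1.2:` (lockfile v9) and `/minimatch@3.1.2:` (v6).

```javascript
const FIXED_VERSION = '3.1.3'; // first minimatch release without CVE-2026-26996

// Compare two dotted numeric versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every resolved version of `pkg` in the lockfile text. pnpm keys entries as
// `minimatch@3.1.2:` (lockfile v9) or `/minimatch@3.1.2:` (v6); the indent
// requirement keeps top-level keys and `@scope/minimatch` out of the match.
// `pkg` is assumed to contain no regex metacharacters.
function lockedVersions(lockText, pkg) {
  const re = new RegExp('^\\s+/?' + pkg + '@(\\d+\\.\\d+\\.\\d+)', 'gm');
  return new Set([...lockText.matchAll(re)].map((m) => m[1]));
}

// Versions of `pkg` in the lockfile older than `fixed`, ascending.
function vulnerableVersions(lockText, pkg = 'minimatch', fixed = FIXED_VERSION) {
  return [...lockedVersions(lockText, pkg)]
    .filter((v) => compareVersions(v, fixed) < 0)
    .sort(compareVersions);
}

// Constructed sample lockfiles (integrity values are placeholders): "before"
// carries the transitive minimatch@3.1.2 via glob; "after" only minimatch@10.2.3.
const BEFORE_LOCK = `lockfileVersion: '9.0'
packages:
  glob@7.2.3:
    resolution: {integrity: sha512-PLACEHOLDER}
  minimatch@3.1.2:
    resolution: {integrity: sha512-PLACEHOLDER}
snapshots:
  glob@7.2.3:
    dependencies:
      minimatch: 3.1.2
`;
const AFTER_LOCK = `lockfileVersion: '9.0'
packages:
  minimatch@10.2.3:
    resolution: {integrity: sha512-PLACEHOLDER}
`;

console.log('before:', vulnerableVersions(BEFORE_LOCK)); // → before: [ '3.1.2' ]
console.log('after:', vulnerableVersions(AFTER_LOCK)); // → after: []
```

To run it against a real example project, read its pnpm-lock.yaml with fs.readFileSync and pass the text to vulnerableVersions; an empty result is the "REMOVED" state from the test plan.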


@meta-cla meta-cla bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Feb 25, 2026
@etrepum etrepum added the extended-tests Run extended e2e tests on a PR label Feb 25, 2026

Copilot AI left a comment


Pull request overview

This PR addresses a security vulnerability by removing the deprecated minimatch@3.1.2 dependency from three example projects. However, there is a critical issue with the CVE identifier mentioned in the title and description.

Changes:

  • Migrated extension-vanilla-tailwind and extension-vanilla-react-plugin-host from unmaintained rollup-plugin-copy to vite-plugin-static-copy
  • Upgraded ESLint to v10.0.2 and related packages in extension-sveltekit-ssr-hydration to eliminate minimatch@3.1.2
  • Successfully removed all instances of minimatch@3.1.2 and replaced with minimatch@10.2.3 where needed

Reviewed changes

Copilot reviewed 5 out of 8 changed files in this pull request and generated 2 comments.

Summary per file

  • examples/extension-vanilla-tailwind/vite.config.ts: Migrated from rollup-plugin-copy to vite-plugin-static-copy with API changes
  • examples/extension-vanilla-tailwind/package.json: Replaced rollup-plugin-copy dependency with vite-plugin-static-copy
  • examples/extension-vanilla-tailwind/pnpm-lock.yaml: Updated lockfile with new dependencies, removed minimatch entirely
  • examples/extension-vanilla-react-plugin-host/vite.config.ts: Migrated from rollup-plugin-copy to vite-plugin-static-copy with API changes
  • examples/extension-vanilla-react-plugin-host/package.json: Replaced rollup-plugin-copy dependency with vite-plugin-static-copy
  • examples/extension-vanilla-react-plugin-host/pnpm-lock.yaml: Updated lockfile with new dependencies, removed minimatch entirely
  • examples/extension-sveltekit-ssr-hydration/package.json: Upgraded ESLint to v10 and related packages
  • examples/extension-sveltekit-ssr-hydration/pnpm-lock.yaml: Updated lockfile with ESLint 10 dependencies using minimatch@10.2.3
Files not reviewed (3)
  • examples/extension-sveltekit-ssr-hydration/pnpm-lock.yaml: Language not supported
  • examples/extension-vanilla-react-plugin-host/pnpm-lock.yaml: Language not supported
  • examples/extension-vanilla-tailwind/pnpm-lock.yaml: Language not supported


…8117)

Fixes a HIGH severity vulnerability (GHSA-3ppc-4f35-3m26) where
minimatch < 3.1.3 was present as a transitive dependency in three
example projects. Rather than applying pnpm overrides as a workaround,
each project was fixed by upgrading the dependency that introduced it:

extension-vanilla-react-plugin-host & extension-vanilla-tailwind:
- Migrated from rollup-plugin-copy (unmaintained since Sep 2023) to
  vite-plugin-static-copy, which uses tinyglobby instead of the
  deprecated glob/minimatch chain.

extension-sveltekit-ssr-hydration:
- Upgraded eslint ^9.22.0 -> ^10.0.0 (and related packages: @eslint/js,
  @eslint/compat, typescript-eslint, eslint-plugin-svelte) since ESLint
  10 replaced minimatch@3.x with minimatch@^10.2.1.
@thatmichael85 thatmichael85 added this pull request to the merge queue Feb 26, 2026
Merged via the queue into main with commit af4c7cd Feb 26, 2026
39 checks passed
@etrepum etrepum mentioned this pull request Mar 19, 2026