Remove minimatch CVE audit ignore once upstream ships fix

## Context

We added `CVE-2026-26996` (minimatch ReDoS, GHSA-3ppc-4f35-3m26) to `pnpm.auditConfig.ignoreCves` in root `package.json` because all vulnerable paths are devDependencies only (Nx, ESLint, typescript-eslint). No runtime exposure in `@ghx-dev/core`.

## Action

Once upstream packages bump `minimatch >= 10.2.1`, remove the ignore:

1. Delete `pnpm.auditConfig` block from root `package.json`
2. Run `pnpm audit --audit-level=high` to verify clean
3. Commit

## Upstream deps to watch

| Package | Current minimatch | Needs |
|---------|------------------|-------|
| `@nx/devkit` | `10.1.1` (exact) | `>=10.2.1` |
| `@eslint/eslintrc` | `^3.1.2` | major bump |
| `@typescript-eslint/typescript-estree` | `^9.0.5` | major bump |
| `filelist` (via jake/ejs/Nx) | `^5.0.1` | major bump |

Quick check: `pnpm why minimatch` and `pnpm audit --audit-level=high`

Added in PR #48 (`feat/claude-plugin` branch).

Package	Current minimatch	Needs
`@nx/devkit`	`10.1.1` (exact)	`>=10.2.1`
`@eslint/eslintrc`	`^3.1.2`	major bump
`@typescript-eslint/typescript-estree`	`^9.0.5`	major bump
`filelist` (via jake/ejs/Nx)	`^5.0.1`	major bump

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remove minimatch CVE audit ignore once upstream ships fix #49

Context

Action

Upstream deps to watch

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Remove minimatch CVE audit ignore once upstream ships fix #49

Description

Context

Action

Upstream deps to watch

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions