chore(deps): bump fabric from 5.5.2 to 7.4.0

[dependabot]

Bumps fabric from 5.5.2 to 7.4.0.

Release notes

Sourced from fabric's releases.

Version 7.4.0

Security notice

FIxes CVE-2026-44311

What's Changed

• chore(): update major eslint to 10 by @​Smrtnyk in fabricjs/fabric.js#10956
• chore(): Fix non functional typos by @​opensourcezeal in fabricjs/fabric.js#10949
• chore(deps-dev): bump oxfmt from 0.42.0 to 0.45.0 by @​dependabot[bot] in fabricjs/fabric.js#10964
• ci(dependabot): group vite-related npm updates by @​asturur in fabricjs/fabric.js#10967
• chore(deps-dev): bump the vitest group with 4 updates by @​dependabot[bot] in fabricjs/fabric.js#10968
• chore(deps-dev): bump es-toolkit from 1.45.1 to 1.46.0 by @​dependabot[bot] in fabricjs/fabric.js#10971
• chore(deps-dev): bump postcss from 8.5.8 to 8.5.12 by @​dependabot[bot] in fabricjs/fabric.js#10972
• chore(deps-dev): bump rolldown from 1.0.0-rc.12 to 1.0.0-rc.16 by @​dependabot[bot] in fabricjs/fabric.js#10966
• fix(): Fix typecheck from security advisory merge by @​asturur in fabricjs/fabric.js#10973
• fix(): Honor viewport rotation in zoom, dimensions, and control coords by @​kausters in fabricjs/fabric.js#10977
• Version 7.4.0 by @​asturur in fabricjs/fabric.js#10980

New Contributors

• @​opensourcezeal made their first contribution in fabricjs/fabric.js#10949
• @​kausters made their first contribution in fabricjs/fabric.js#10977

Full Changelog: fabricjs/fabric.js@v731...v740

Version 7.3.1

What's Changed

Same as 7.3.0 but fixed publishing issues

• feat(): Update cron schedule for scorecard workflow by @​asturur in fabricjs/fabric.js#10952
• ci(): tighten workflow permissions for scorecard hardening by @​asturur in fabricjs/fabric.js#10953
• ci(): pin workflow dependencies for scorecard hardening by @​asturur in fabricjs/fabric.js#10954
• docs(): Revise security vulnerability reporting process by @​asturur in fabricjs/fabric.js#10955
• ci(): Change permission model and declaration to help with OSSF scorecard. by @​asturur in fabricjs/fabric.js#10959
• ci(): inline npm publish workflow and add manual dispatch by @​asturur in fabricjs/fabric.js#10960
• ci(): Publish 7.3.1 by @​asturur in fabricjs/fabric.js#10961
• ci(): Fix for publishing action by @​asturur in fabricjs/fabric.js#10962

Full Changelog: fabricjs/fabric.js@v730...v731

Version 7.3.0

In this release we changed from Rollup to Rolldown, this also changed the minifier. If you notice some bug with your built app please report it.

New Contributors

• @​mauricekindermann made their first contribution in fabricjs/fabric.js#10851
• @​multivoltage made their first contribution in fabricjs/fabric.js#10875
• @​10ef made their first contribution in fabricjs/fabric.js#10943

... (truncated)

Changelog

Sourced from fabric's changelog.

[7.4.0]

• feat(): Support viewport rotation in getZoom, dimensions, and control coords #10977
• fix(): Fix typecheck from security advisory merge #10973
• fix(svg): sanitize unsafe css during SVG export CVE-2026-44311 and CWE-79, CWE-116
• chore(deps-dev): bump rolldown from 1.0.0-rc.12 to 1.0.0-rc.16 #10966
• chore(deps-dev): bump postcss from 8.5.8 to 8.5.12 #10972
• chore(deps-dev): bump es-toolkit from 1.45.1 to 1.46.0 #10971
• chore(deps-dev): bump the vitest group with 4 updates #10968
• ci(dependabot): group vite-related npm updates #10967
• chore(deps-dev): bump oxfmt from 0.42.0 to 0.45.0 #10964
• chore(): fix non functional typos #10949
• chore(): update major eslint to 10 #10956
• ci(): Fix for publishing action #10962

[7.3.1]

• ci(): fix the package version #10961
• ci(): inline npm publish workflow and add manual dispatch #10960
• ci(): Change permission model and declaration to help with OSSF scorecard. #10959
• docs(): Revise security vulnerability reporting process #10955
• ci(): pin workflow dependencies for scorecard hardening #10954
• ci(): tighten workflow permissions for scorecard hardening #10953
• feat(): Update cron schedule for scorecard workflow #10952

[7.3.0]

• Version 7.3.0 #10951
• fix(cropping): keep ghost scaling controls anchored on flipped images #10943
• chore(deps): bump canvas from 3.2.2 to 3.2.3 #10940
• chore(deps-dev): bump serialize-javascript from 7.0.4 to 7.0.5 in the npm_and_yarn group across 1 directory #10936
• refactor(tests): Migrate to official vitest API for custom snapshot matchers #10937
• refactor(test): fix dead assertions in Shadow.spec.ts #10932
• chore(): update typescript to 6 #10935
• chore(deps): update devDependencies to latest versions #10929
• chore(deps-dev): bump picomatch from 2.3.1 to 2.3.2 in the npm_and_yarn group across 1 directory #10928
• chore(deps): bump canvas from 3.2.1 to 3.2.2 #10926
• refactor(tests): consolidate rectangle creation using makeRect #10923
• test(e2e): stabilize drag and drop event snapshots #10918
• ci(): harden privileged workflow_run actions #10922
• ci(): fix SonarCloud PR changed-lines coverage #10921
• refactor(tests): remove coverage merge step #10913
• chore(): remove leftover babel dep #10914
• chore(deps-dev): bump inquirer from 12.10.0 to 13.3.2 #10909
• chore(deps): bump canvas from 3.2.0 to 3.2.1 #10906
• chore(deps-dev): bump es-toolkit from 1.40.0 to 1.45.1 #10907
• refactor(tests): remove coverage collection from playwright #10912
• ci(): fix sonarqube lcov path after artifact download #10910
• ci(): Try to enable sonarqube cloud for coverage reporting #10903
• docs(agents): add repo AGENTS guide and PR skill #10900

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for fabric since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependency. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[vercel]

Deployment failed with the following error:

Hobby accounts are limited to daily cron jobs. This cron expression (*/15 * * * *) would run more than once per day. Upgrade to the Pro plan to unlock all Cron Jobs features on Vercel.

Learn More: https://vercel.link/3Fpeeb1

[netlify]

❌ Deploy Preview for docmagic1 failed. Why did it fail? →

Name	Link
🔨 Latest commit	a11d23f
🔍 Latest deploy log	https://app.netlify.com/projects/docmagic1/deploys/6a2fc0f7d5032c0008c97914

[netlify]

❌ Deploy Preview for docmagic-muneer failed. Why did it fail? →

Name	Link
🔨 Latest commit	a11d23f
🔍 Latest deploy log	https://app.netlify.com/projects/docmagic-muneer/deploys/6a2fc0f723d3d900088edec5