chore(deps): bump fabric from 5.3.0 to 7.2.0 in /client

[dependabot]

Bumps fabric from 5.3.0 to 7.2.0.

Release notes

Sourced from fabric's releases.

Version 7.1.0

What's Changed

• feat(): Cropping controls extension by @​asturur in fabricjs/fabric.js#10825
• chore(): Render circle control tweak for code reusability and style by @​asturur in fabricjs/fabric.js#10829
• Correctly check for cache key equality in calcOwnMatrix by @​jiayihu in fabricjs/fabric.js#10831
• chore(deps-dev): bump js-yaml from 3.14.1 to 3.14.2 in the npm_and_yarn group across 1 directory by @​dependabot[bot] in fabricjs/fabric.js#10812
• fix(Text):Double offset when exporting SVG after setting deltaY in Text by @​jiao1187875445 in fabricjs/fabric.js#10805

New Contributors

• @​jiao1187875445 made their first contribution in fabricjs/fabric.js#10805

Full Changelog: fabricjs/fabric.js@v700...v710

Version 7.0.0

No code changes compared to 7.0.0 - rc1

Version 6.9.1

Full Changelog: fabricjs/fabric.js@v690...v691

• fix(): Fix the situation where undefined + char exists when calculating couple #10816
• fix(): Fix toDataUrl writing on contextTop #10820

Version 7.0.0 rc1

What's Changed

• chore(): Update typescript 5.9, eslint, babel and rollup to latest by @​asturur in fabricjs/fabric.js#10708
• chore(): Fixes to TypeDoc for compilation by @​asturur in fabricjs/fabric.js#10709
• chore(): Remove mouse wheel console warning by setting default explicitly. by @​zhe-he in fabricjs/fabric.js#10712
• fix: The mouse enter and leave events of child elements will be executed twice. by @​zhe-he in fabricjs/fabric.js#10699
• BREAKING: chore(): Update min node version to 20, add 24 by @​asturur in fabricjs/fabric.js#10716
• BREAKING(): Deprecate fireRightClick, fireMiddleClick, stopContextMenu and change their default value. by @​asturur in fabricjs/fabric.js#10720
• Clarify MIT License by @​asturur in fabricjs/fabric.js#10725
• doc: Repair broken link in docs by targeting all demo and samples pages in old fabric docs. by @​tneullas in fabricjs/fabric.js#10723
• chore(): Format dependabot.yml with Prettier to ensure consistent code style by @​Copilot in fabricjs/fabric.js#10733
• chore(deps-dev): bump @​eslint/js from 9.34.0 to 9.35.0 by @​dependabot[bot] in fabricjs/fabric.js#10729
• Update license to include 2016–2025 Fabric.js contributors by @​aswind7 in fabricjs/fabric.js#10726
• chore(deps-dev): bump serve from 14.2.4 to 14.2.5 by @​dependabot[bot] in fabricjs/fabric.js#10730
• chore(deps-dev): bump es-toolkit from 1.39.7 to 1.39.10 by @​dependabot[bot] in fabricjs/fabric.js#10731
• chore(): Pin all GitHub Actions to commit SHAs for security compliance by @​Copilot in fabricjs/fabric.js#10739
• chore(): Remove paths for codeQL let it scan all the repo by @​asturur in fabricjs/fabric.js#10738
• change CN comment to EN by @​aswind7 in fabricjs/fabric.js#10727
• fix(textarea): A form field element has neither an id nor a name attribute. by @​zhe-he in fabricjs/fabric.js#10172
• fix: After executing loadFromJSON, it unexpectedly adds an objects property to the canvas. by @​zhe-he in fabricjs/fabric.js#10741
• ci(): Foked the action find-create-update-comment in order to pin sha(s) by @​asturur in fabricjs/fabric.js#10742
• ci(): Fix CWE-829 in the coverage report action by @​asturur in fabricjs/fabric.js#10743
• ci(): fix CWE-829 in action build-stats by @​asturur in fabricjs/fabric.js#10744
• fix(): CWE-1333 CWE-400 CWE-730 in Text.ts regex by @​asturur in fabricjs/fabric.js#10745
• fix(): CWE-1333 CWE-400 CWE-730 Simplify some regexes in order to avoid slowness with craft bad string by @​asturur in fabricjs/fabric.js#10746
• fix(): Fix some weaknesses in the changelog-update action ( various CWE ) by @​asturur in fabricjs/fabric.js#10747
• fix(): build-stats action, fix for CWE-275 and some code injection by @​asturur in fabricjs/fabric.js#10749
• fix(): Add all actions a set of permissions that is restricted to the minimum necessary by @​asturur in fabricjs/fabric.js#10750

... (truncated)

Changelog

Sourced from fabric's changelog.

[7.2.0]

• fix(): Fix for svg export stored xss CVE-2026-27013
• chore(): update prettier #10863
• chore(): reuse more of the createPointerEvent in unit tests #10864
• test(): refactor test, put common data in shared function #10861
• chore(): update playwright to latest #10860
• chore(): fix Canvas-dispose tests on firefox #10859
• chore(): update vitest to 4.0.18 #10858
• chore(deps-dev): bump lodash from 4.17.21 to 4.17.23 in the npm_and_yarn group across 1 directory #10853
• feat(): Cropping controls follow ups #10839
• chore(): Add pre-commit hook to run lint, prettier, tsc on staged files. #10834

[7.1.0]

• fix(Text):Double offset when exporting SVG after setting deltaY in Text #10805
• chore(deps-dev): bump js-yaml from 3.14.1 to 3.14.2 in the npm_and_yarn group across 1 directory #10812
• Correctly check for cache key equality in calcOwnMatrix #10831
• chore(): Render circle control tweak for code reusability and style #10829
• feat(): Cropping controls extension #10825

[7.0.0]

• fix(): Fix toDataUrl writing on contextTop #10820
• feat(): Multi touch gesture support with module westures #10813
• fix(): Fix the situation where undefined + char exists when calculating couple #10816
• feat(): Add configuration parameter for patternQuality in node #10804
• fix(): BREAKING Fix text positioning #10803
• fix(AligningGuidelines): Guidelines features updates #10120 (fabricjs/fabric.js#10120)
• chore(deps-dev): bump inquirer from 12.9.6 to 12.10.0 #10789
• chore(deps-dev): bump @​types/micromatch from 4.0.9 to 4.0.10 #10788
• chore(): update major version of vitest #10786
• fix(): Prototype pollution risk on text char cache #10782
• fix(): fix rendering of text when line height is set to 0 #10785
• chore(): update playwright #10780
• chore(deps-dev): bump es-toolkit from 1.39.10 to 1.40.0 #10777
• BREAKING chore(): Deprecate originX and originY and change their default to center/center #10715
• chore(deps-dev): bump @​types/node from 24.7.0 to 24.7.2 #10778
• chore(deps-dev): bump @​rollup/plugin-babel from 6.0.4 to 6.1.0 #10776
• chore(): up dev deps #10773
• chore(): up deps #10771
• chore(): remove moment dev dependency #10770
• ci(): Move firefox to headless: false to see if improves passing rate. Renamed config because of deprecation warning #10769
• chore(): remove fs-extra dev dependency #10767
• chore(deps-dev): bump @​playwright/test from 1.55.0 to 1.55.1 #10761
• test(): Add new e2e import test for svg preserve aspect ratio #10766
• chore() Revisit and reduce contribution guidelines, try to streamline things #10759
• chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates #10734
• chore(deps-dev): bump @​babel/core from 7.28.3 to 7.28.4 #10753
• chore(): remove chalk #10758

... (truncated)

Commits

• See full diff in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.