Bump the npm_and_yarn group across 2 directories with 28 updates by dependabot[bot] · Pull Request #1 · white-nl/cms

dependabot · 2026-02-23T17:46:20Z

Bumps the npm_and_yarn group with 1 update in the /packages/craftcms-webpack directory: webpack-dev-server.
Bumps the npm_and_yarn group with 15 updates in the / directory:

Package	From	To
glob	`10.3.10`	`12.0.0`
webpack	`5.89.0`	`5.104.1`
webpack-dev-server	`4.15.1`	`5.2.1`
axios	`1.7.7`	`1.13.5`
fabric	`1.7.22`	`7.2.0`
vue	`2.7.16`	`3.0.0`
lodash	`4.17.21`	`4.17.23`
ajv	`6.12.6`	`6.14.0`
brace-expansion	`1.1.11`	`1.1.12`
dset	`3.1.3`	`3.1.4`
ip	`2.0.0`	`removed`
js-yaml	`4.1.0`	`4.1.1`
nanoid	`3.3.7`	`3.3.11`
playwright	`1.40.1`	`1.58.2`
tar	`6.2.0`	`7.5.9`

Updates webpack-dev-server from 4.15.2 to 5.2.3

Release notes

Sourced from webpack-dev-server's releases.

v5.2.3

5.2.3 (2026-01-12)

Bug Fixes

add cause for errorObject (#5518) (37b033d)

compatibility with event target and universal target and lazy compilation (574026c)

overlay: add ESC key to dismiss overlay (#5598) (f91baa8)

progress indicator styles (#5557) (41a53a1)

upgrade selfsigned to v5

v5.2.2

5.2.2 (2025-06-03)

Bug Fixes

"Overlay enabled" false positive (18e72ee)

do not crush when error is null for runtime errors (#5447) (309991f)

remove unnecessary header X_TEST (#5451) (64a6124)

respect the allowedHosts option for cross-origin header check (#5510) (03d1214)

v5.2.1

5.2.1 (2025-03-26)

Security

cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header

requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)

take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

v5.2.0

5.2.0 (2024-12-11)

Features

added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

speed up initial client bundling (145b5d0)

... (truncated)

Changelog

Sourced from webpack-dev-server's changelog.

5.2.3 (2026-01-12)

Bug Fixes

add cause for errorObject (#5518) (37b033d)

compatibility with event target and universal target and lazy compilation (574026c)

overlay: add ESC key to dismiss overlay (#5598) (f91baa8)

progress indicator styles (#5557) (41a53a1)

upgrade selfsigned to v5

5.2.2 (2025-06-03)

Bug Fixes

"Overlay enabled" false positive (18e72ee)

do not crush when error is null for runtime errors (#5447) (309991f)

remove unnecessary header X_TEST (#5451) (64a6124)

respect the allowedHosts option for cross-origin header check (#5510) (03d1214)

5.2.1 (2025-03-26)

Security

cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header

requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)

take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

5.2.0 (2024-12-11)

Features

added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

speed up initial client bundling (145b5d0)

5.1.0 (2024-09-03)

... (truncated)

Commits

b550a70 chore(release): 5.2.3
9704dc5 chore: upgrade selfsigned to v5 and remove node-forge dependency (#5618)
92bf644 chore: bump express to update qs (#5621)
792b2f0 chore(deps-dev): bump the dependencies group with 4 updates (#5606)
6d587ca chore(deps): bump the dependencies group across 1 directory with 27 updates (...
f91baa8 fix(overlay): add ESC key to dismiss overlay (#5598)
574026c fix: compatibility with event target and universal target and lazy compilation
c53955d docs: remove unused files
efe0aea test: fix
b6bb50c chore(deps): update
Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates glob from 10.3.10 to 12.0.0

Changelog

Sourced from glob's changelog.

changeglob

13

Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)

Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.

Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

Drop support for node before v20

10.4

Add includeChildMatches: false option

Export the Ignore class

10.3

Add --default -p flag to provide a default pattern

exclude symbolic links to directories when follow and nodir are both set

10.2

Add glob cli

10.1

Return '.' instead of the empty string '' when the current working directory is returned as a match.

Add posix: true option to return / delimited paths, even on

... (truncated)

Commits

2b03cca 12.0.0
d56203d prettier config
bb521e5 Remove --shell option where unsafe to use
2551fb5 11.1.0
47473c0 bin: Do not expose filenames to shell expansion
bc33fe1 skip tilde test on systems that lack tilde expansion
59bf9ca fix notes
dde4fa6 docs(README): add #anchor and improve notes
0559b0e docs: add better links to path-scurry docs
c9773c2 fix: correct typos in README.md
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for glob since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates webpack from 5.89.0 to 5.104.1

Release notes

Sourced from webpack's releases.

v5.104.1

5.104.1

Patch Changes

2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.

c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

v5.104.0

5.104.0

Minor Changes

d3dd841: Use method shorthand to render module content in __webpack_modules__ object.

d3dd841: Enhance import.meta.env to support object access.

4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.

04cd530: Handle more at-rules for CSS modules.

cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.

d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.

5983843: Provide a stable runtime function variable __webpack_global__.

d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

22c48fb: Added module existence check for informative error message in development mode.

50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.

d3dd841: Support universal lazy compilation.

d3dd841: Fixed module library export definitions when multiple runtimes.

d3dd841: Fixed CSS nesting and CSS custom properties parsing.

d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.

aab1da9: Fixed bugs for css/global type.

d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.

d3dd841: Handle nested __webpack_require__.

728ddb7: The speed of identifier parsing has been improved.

0f8b31b: Improve types.

d3dd841: Don't corrupt debugId injection when hidden-source-map is used.

2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.

d3dd841: Serialize HookWebpackError.

d3dd841: Added ability to use built-in properties in dotenv and define plugin.

3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.

d3dd841: Reduce collision for local indent name in CSS.

d3dd841: Remove CSS link tags when CSS imports are removed.

v5.103.0

Features

Added DotenvPlugin and top level dotenv option to enable this plugin

Added WebpackManifestPlugin

Added support the ignoreList option in devtool plugins

Allow to use custom javascript parse function

... (truncated)

Changelog

Sourced from webpack's changelog.

5.104.1

Patch Changes

2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.

c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

5.104.0

Minor Changes

d3dd841: Use method shorthand to render module content in __webpack_modules__ object.

d3dd841: Enhance import.meta.env to support object access.

4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.

04cd530: Handle more at-rules for CSS modules.

cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.

d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.

5983843: Provide a stable runtime function variable __webpack_global__.

d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

22c48fb: Added module existence check for informative error message in development mode.

50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.

d3dd841: Support universal lazy compilation.

d3dd841: Fixed module library export definitions when multiple runtimes.

d3dd841: Fixed CSS nesting and CSS custom properties parsing.

d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.

aab1da9: Fixed bugs for css/global type.

d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.

d3dd841: Handle nested __webpack_require__.

728ddb7: The speed of identifier parsing has been improved.

0f8b31b: Improve types.

d3dd841: Don't corrupt debugId injection when hidden-source-map is used.

2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.

d3dd841: Serialize HookWebpackError.

d3dd841: Added ability to use built-in properties in dotenv and define plugin.

3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.

d3dd841: Reduce collision for local indent name in CSS.

d3dd841: Remove CSS link tags when CSS imports are removed.

Commits

24e3c2d chore(release): new release (#20253)
2efd21b fix(re-exports): reexports runtime calculation should not accessing `__WEBPAC...
c510070 fix(security): userinfo bypass vulnerability in HttpUriPlugin allowedUris
4b0501c ci: fix release (#20252)
0c213ce ci: use \<@&1450591255485743204> over @here for discord notificationw
5bf8bc5 refactor: types for benchmarks and tests
505a5e7 chore(release): new release (#20188)
0c06680 refactor: update eslint configuration
2eb0d6a ci: release announcement (#20238)
b2b2459 ci: cancel in progress (#20239)
Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates webpack-dev-server from 4.15.1 to 5.2.1

Release notes

Sourced from webpack-dev-server's releases.

v5.2.3

5.2.3 (2026-01-12)

Bug Fixes

add cause for errorObject (#5518) (37b033d)

compatibility with event target and universal target and lazy compilation (574026c)

overlay: add ESC key to dismiss overlay (#5598) (f91baa8)

progress indicator styles (#5557) (41a53a1)

upgrade selfsigned to v5

v5.2.2

5.2.2 (2025-06-03)

Bug Fixes

"Overlay enabled" false positive (18e72ee)

do not crush when error is null for runtime errors (#5447) (309991f)

remove unnecessary header X_TEST (#5451) (64a6124)

respect the allowedHosts option for cross-origin header check (#5510) (03d1214)

v5.2.1

5.2.1 (2025-03-26)

Security

cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header

requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)

take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

v5.2.0

5.2.0 (2024-12-11)

Features

added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

speed up initial client bundling (145b5d0)

... (truncated)

Changelog

Sourced from webpack-dev-server's changelog.

5.2.3 (2026-01-12)

Bug Fixes

add cause for errorObject (#5518) (37b033d)

compatibility with event target and universal target and lazy compilation (574026c)

overlay: add ESC key to dismiss overlay (#5598) (f91baa8)

progress indicator styles (#5557) (41a53a1)

upgrade selfsigned to v5

5.2.2 (2025-06-03)

Bug Fixes

"Overlay enabled" false positive (18e72ee)

do not crush when error is null for runtime errors (#5447) (309991f)

remove unnecessary header X_TEST (#5451) (64a6124)

respect the allowedHosts option for cross-origin header check (#5510) (03d1214)

5.2.1 (2025-03-26)

Security

cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header

requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)

take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

5.2.0 (2024-12-11)

Features

added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

speed up initial client bundling (145b5d0)

5.1.0 (2024-09-03)

... (truncated)

Commits

b550a70 chore(release): 5.2.3
9704dc5 chore: upgrade selfsigned to v5 and remove node-forge dependency (#5618)
92bf644 chore: bump express to update qs (#5621)
792b2f0 chore(deps-dev): bump the dependencies group with 4 updates (#5606)
6d587ca chore(deps): bump the dependencies group across 1 directory with 27 updates (...
f91baa8 fix(overlay): add ESC key to dismiss overlay (#5598)
574026c fix: compatibility with event target and universal target and lazy compilation
c53955d docs: remove unused files
efe0aea test: fix
b6bb50c chore(deps): update
Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates axios from 1.7.7 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)

Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

Fix/5657. (PR #7313)

Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

Add input validation to isAbsoluteURL. (PR #7326)

Refactor: bump minor package versions. (PR #7356)

Documentation

Clarify object-check comment. (PR #7323)

Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

Chore: fix issues with YAML. (PR #7355)

CI: update workflow YAMLs. (PR #7372)

CI: fix run condition. (PR #7373)

Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)

Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

@sachin11063 (first contribution — PR #7323)

@asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

fix: issues with version 1.13.3 (#7352) (ee90dfc)

Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)

interceptor: handle the error in the same interceptor (#6269) (5945e40)

main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)

package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)

silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)

turn AxiosError into a native error (#5394) (#5558) (1c6a86d)

types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)

types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)

unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

add undefined as a value in AxiosRequestConfig (#5560) (095033c)

add automatic minor and patch upgrades to dependabot (#6053) (65a7584)

add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)

added copilot instructions (3f83143)

compatibility with frozen prototypes (#6265) (860e033)

enhance pipeFileToResponse with error handling (#7169) (88d7884)

types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298

deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

Ashvin Tiwari

Nikunj Mochi

Anchal Singh

jasonsaayman

Julian Dax

Akash Dhar Dubey

Madhumita

Tackoil

Justin Dhillon

Rudransh

WuMingDao

codenomnom

Nandan Acharya

Eric Dubé

Tibor Pilz

Gabriel Quaresma

Turadg Aleahmad

... (truncated)

Commits

29f7542 chore(release): prepare release 1.13.5 (#7379)
431c3a3 ci: fix run condition (#7373)
9ff3a78 ci: update ymls (#7372)
265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
475e75a feat: add input validation to isAbsoluteURL (#7326)
28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
04cf019 docs: clarify object check comment (#7323)
696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
569f028 fix: added a option to choose between legacy and the new request/response int...
44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates fabric from 1.7.22 to 7.2.0

Release notes

Sourced from fabric's releases.

Version 7.1.0

What's Changed

feat(): Cropping controls extension by @asturur in fabricjs/fabric.js#10825

chore(): Render circle control tweak for code reusability and style by @asturur in fabricjs/fabric.js#10829

Correctly check for cache key equality in calcOwnMatrix by @jiayihu in fabricjs/fabric.js#10831

chore(deps-dev): bump js-yaml from 3.14.1 to 3.14.2 in the npm_and_yarn group across 1 directory by @dependabot[bot] in fabricjs/fabric.js#10812

fix(Text):Double offset when exporting SVG after setting deltaY in Text by @jiao1187875445 in fabricjs/fabric.js#10805

New Contributors

@jiao1187875445 made their first contribution in fabricjs/fabric.js#10805

Full Changelog: fabricjs/fabric.js@v700...v710

Version 7.0.0

No code changes compared to 7.0.0 - rc1

Version 6.9.1

Full Changelog: fabricjs/fabric.js@v690...v691

fix(): Fix the situation where undefined + char exists when calculating couple #10816

fix(): Fix toDataUrl writing on contextTop #10820

Version 7.0.0 rc1

What's Changed

chore(): Update typescript 5.9, eslint, babel and rollup to latest by @asturur in fabricjs/fabric.js#10708

chore(): Fixes to TypeDoc for compilation by @asturur in fabricjs/fabric.js#10709

chore(): Remove mouse wheel console warning by setting default explicitly. by @zhe-he in fabricjs/fabric.js#10712

fix: The mouse enter and leave events of child elements will be executed twice. by @zhe-he in fabricjs/fabric.js#10699

BREAKING: chore(): Update min node version to 20, add 24 by @asturur in fabricjs/fabric.js#10716

BREAKING(): Deprecate fireRightClick, fireMiddleClick, stopContextMenu and change their default value. by @asturur in fabricjs/fabric.js#10720

Clarify MIT License by @asturur in fabricjs/fabric.js#10725

doc: Repair broken link in docs by targeting all demo and samples pages in old fabric docs. by @tneullas in fabricjs/fabric.js#10723

chore(): Format dependabot.yml with Prettier to ensure consistent code style by @Copilot in fabricjs/fabric.js#10733

chore(deps-dev): bump @eslint/js from 9.34.0 to 9.35.0 by @dependabot[bot] in fabricjs/fabric.js#10729

Update license to include 2016–2025 Fabric.js contributors by @aswind7 in fabricjs/fabric.js#10726

chore(deps-dev): bump serve from 14.2.4 to 14.2.5 by @dependabot[bot] in fabricjs/fabric.js#10730

chore(deps-dev): bump es-toolkit from 1.39.7 to 1.39.10 by @dependabot[bot] in fabricjs/fabric.js#10731

chore(): Pin all GitHub Actions to commit SHAs for security compliance by @Copilot in fabricjs/fabric.js#10739

chore(): Remove paths for codeQL let it scan all the repo by @asturur in fabricjs/fabric.js#10738

change CN comment to EN by @aswind7 in fabricjs/fabric.js#10727

fix(textarea): A form field element has neither an id nor a name attribute. by @zhe-he in fabricjs/fabric.js#10172

fix: After executing loadFromJSON, it unexpectedly adds an objects property to the canvas. by @zhe-he in fabricjs/fabric.js#10741

ci(): Foked the action find-create-update-comment in order to pin sha(s) by @asturur in fabricjs/fabric.js#10742

ci(): Fix CWE-829 in the coverage report action by @asturur in fabricjs/fabric.js#10743

ci(): fix CWE-829 in action build-stats by @asturur in fabricjs/fabric.js#10744

fix(): CWE-1333 CWE-400 CWE-730 in Text.ts regex by @asturur in fabricjs/fabric.js#10745

fix(): CWE-1333 CWE-400 CWE-730 Simplify some regexes in order to avoid slowness with craft bad string by @asturur in fabricjs/fabric.js#10746

fix(): Fix some weaknesses in the changelog-update action ( various CWE ) by @asturur in fabricjs/fabric.js#10747

fix(): build-stats action, fix for CWE-275 and some code injection by @asturur in fabricjs/fabric.js#10749

fix(): Add all actions a set of permissions that is restricted to the minimum necessary by @asturur in fabricjs/fabric.js#10750

... (truncated)

Changelog

Sourced from fabric's changelog.

[7.2.0]

fix(): Fix for svg export stored xss CVE-2026-27013

chore(): update prettier #10863

chore(): reuse more of the createPointerEvent in unit tests #10864

test(): refactor test, put common data in shared function #10861

chore(): update playwright to latest #10860

chore(): fix Canvas-dispose tests on firefox #10859

chore(): update vitest to 4.0.18 #10858

chore(deps-dev): bump lodash from 4.17.21 to 4.17.23 in the npm_and_yarn group across 1 directory #10853

feat(): Cropping controls follow ups #10839

chore(): Add pre-commit hook to run lint, prettier, tsc on staged files. #10834

[7.1.0]

fix(Text):Double offset when exporting SVG after setting deltaY in Text #10805

chore(deps-dev): bump js-yaml from 3.14.1 to 3.14.2 in the npm_and_yarn group across 1 directory #10812

Correctly check for cache key equality in calcOwnMatrix #10831

chore(): Render circle control tweak for code reusability and style #10829

feat(): Cropping controls extension #10825

[7.0.0]

fix(): Fix toDataUrl writing on contextTop #10820

feat(): Multi touch gesture support with module westures #10813

fix(): Fix the situation where undefined + char exists when calculating couple #10816

feat(): Add configuration parameter for patternQuality in node #10804

fix(): BREAKING Fix text positioning #10803

fix(AligningGuidelines): Guidelines features updates #10120 (fabricjs/fabric.js#10120)
...
Description has been truncated

Bumps the npm_and_yarn group with 1 update in the /packages/craftcms-webpack directory: [webpack-dev-server](https://github.com/webpack/webpack-dev-server). Bumps the npm_and_yarn group with 15 updates in the / directory: | Package | From | To | | --- | --- | --- | | [glob](https://github.com/isaacs/node-glob) | `10.3.10` | `12.0.0` | | [webpack](https://github.com/webpack/webpack) | `5.89.0` | `5.104.1` | | [webpack-dev-server](https://github.com/webpack/webpack-dev-server) | `4.15.1` | `5.2.1` | | [axios](https://github.com/axios/axios) | `1.7.7` | `1.13.5` | | [fabric](https://github.com/fabricjs/fabric.js) | `1.7.22` | `7.2.0` | | [vue](https://github.com/vuejs/core) | `2.7.16` | `3.0.0` | | [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` | | [ajv](https://github.com/ajv-validator/ajv) | `6.12.6` | `6.14.0` | | [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.11` | `1.1.12` | | [dset](https://github.com/lukeed/dset) | `3.1.3` | `3.1.4` | | [ip](https://github.com/indutny/node-ip) | `2.0.0` | `removed` | | [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` | | [nanoid](https://github.com/ai/nanoid) | `3.3.7` | `3.3.11` | | [playwright](https://github.com/microsoft/playwright) | `1.40.1` | `1.58.2` | | [tar](https://github.com/isaacs/node-tar) | `6.2.0` | `7.5.9` | Updates `webpack-dev-server` from 4.15.2 to 5.2.3 - [Release notes](https://github.com/webpack/webpack-dev-server/releases) - [Changelog](https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md) - [Commits](webpack/webpack-dev-server@v4.15.2...v5.2.3) Updates `glob` from 10.3.10 to 12.0.0 - [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md) - [Commits](isaacs/node-glob@v10.3.10...v12.0.0) Updates `webpack` from 5.89.0 to 5.104.1 - [Release notes](https://github.com/webpack/webpack/releases) - [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md) - [Commits](webpack/webpack@v5.89.0...v5.104.1) Updates `webpack-dev-server` from 4.15.1 to 5.2.1 - [Release notes](https://github.com/webpack/webpack-dev-server/releases) - [Changelog](https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md) - [Commits](webpack/webpack-dev-server@v4.15.2...v5.2.3) Updates `axios` from 1.7.7 to 1.13.5 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.7.7...v1.13.5) Updates `fabric` from 1.7.22 to 7.2.0 - [Release notes](https://github.com/fabricjs/fabric.js/releases) - [Changelog](https://github.com/fabricjs/fabric.js/blob/master/CHANGELOG.md) - [Commits](https://github.com/fabricjs/fabric.js/commits) Updates `vue` from 2.7.16 to 3.0.0 - [Release notes](https://github.com/vuejs/core/releases) - [Changelog](https://github.com/vuejs/core/blob/v3.0.0/CHANGELOG.md) - [Commits](https://github.com/vuejs/core/commits/v3.0.0) Updates `lodash` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) Updates `ajv` from 6.12.6 to 6.14.0 - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v6.12.6...v6.14.0) Updates `body-parser` from 1.20.1 to 1.20.4 - [Release notes](https://github.com/expressjs/body-parser/releases) - [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md) - [Commits](expressjs/body-parser@1.20.1...1.20.4) Updates `qs` from 6.5.3 to 6.14.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.5.3...v6.14.2) Updates `brace-expansion` from 1.1.11 to 1.1.12 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12) Updates `cookie` from 0.5.0 to 0.7.2 - [Release notes](https://github.com/jshttp/cookie/releases) - [Commits](jshttp/cookie@v0.5.0...v0.7.2) Updates `cross-spawn` from 7.0.3 to 7.0.6 - [Changelog](https://github.com/moxystudio/node-cross-spawn/blob/master/CHANGELOG.md) - [Commits](moxystudio/node-cross-spawn@v7.0.3...v7.0.6) Updates `dset` from 3.1.3 to 3.1.4 - [Release notes](https://github.com/lukeed/dset/releases) - [Commits](lukeed/dset@v3.1.3...v3.1.4) Updates `express` from 4.18.2 to 4.22.1 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/v4.22.1/History.md) - [Commits](expressjs/express@4.18.2...v4.22.1) Updates `form-data` from 2.3.3 to 4.0.5 - [Release notes](https://github.com/form-data/form-data/releases) - [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md) - [Commits](https://github.com/form-data/form-data/commits/v4.0.5) Updates `http-proxy-middleware` from 2.0.6 to 2.0.9 - [Release notes](https://github.com/chimurai/http-proxy-middleware/releases) - [Changelog](https://github.com/chimurai/http-proxy-middleware/blob/v2.0.9/CHANGELOG.md) - [Commits](chimurai/http-proxy-middleware@v2.0.6...v2.0.9) Removes `ip` Updates `js-yaml` from 4.1.0 to 4.1.1 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) Updates `nanoid` from 3.3.7 to 3.3.11 - [Release notes](https://github.com/ai/nanoid/releases) - [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md) - [Commits](ai/nanoid@3.3.7...3.3.11) Updates `path-to-regexp` from 0.1.7 to 0.1.12 - [Release notes](https://github.com/pillarjs/path-to-regexp/releases) - [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md) - [Commits](pillarjs/path-to-regexp@v0.1.7...v0.1.12) Updates `playwright` from 1.40.1 to 1.58.2 - [Release notes](https://github.com/microsoft/playwright/releases) - [Commits](microsoft/playwright@v1.40.1...v1.58.2) Updates `send` from 0.18.0 to 0.19.2 - [Release notes](https://github.com/pillarjs/send/releases) - [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md) - [Commits](pillarjs/send@0.18.0...0.19.2) Updates `serve-static` from 1.15.0 to 1.16.3 - [Release notes](https://github.com/expressjs/serve-static/releases) - [Changelog](https://github.com/expressjs/serve-static/blob/master/HISTORY.md) - [Commits](expressjs/serve-static@v1.15.0...v1.16.3) Updates `tar` from 6.2.0 to 7.5.9 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v6.2.0...v7.5.9) Updates `tough-cookie` from 2.5.0 to 5.1.2 - [Release notes](https://github.com/salesforce/tough-cookie/releases) - [Changelog](https://github.com/salesforce/tough-cookie/blob/master/CHANGELOG.md) - [Commits](salesforce/tough-cookie@v2.5.0...v5.1.2) Updates `webpack-dev-middleware` from 5.3.3 to 7.4.5 - [Release notes](https://github.com/webpack/webpack-dev-middleware/releases) - [Changelog](https://github.com/webpack/webpack-dev-middleware/blob/main/CHANGELOG.md) - [Commits](webpack/webpack-dev-middleware@v5.3.3...v7.4.5) Updates `ws` from 8.16.0 to 8.19.0 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.16.0...8.19.0) --- updated-dependencies: - dependency-name: webpack-dev-server dependency-version: 5.2.3 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: glob dependency-version: 12.0.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: webpack dependency-version: 5.104.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: webpack-dev-server dependency-version: 5.2.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: axios dependency-version: 1.13.5 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: fabric dependency-version: 7.2.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: vue dependency-version: 3.0.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.17.23 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: ajv dependency-version: 6.14.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: body-parser dependency-version: 1.20.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.14.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 1.1.12 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: cookie dependency-version: 0.7.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: cross-spawn dependency-version: 7.0.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: dset dependency-version: 3.1.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: express dependency-version: 4.22.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: form-data dependency-version: 4.0.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: http-proxy-middleware dependency-version: 2.0.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ip dependency-version: dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: nanoid dependency-version: 3.3.11 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: path-to-regexp dependency-version: 0.1.12 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: playwright dependency-version: 1.58.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: send dependency-version: 0.19.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: serve-static dependency-version: 1.16.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tar dependency-version: 7.5.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tough-cookie dependency-version: 5.1.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: webpack-dev-middleware dependency-version: 7.4.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ws dependency-version: 8.19.0 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Feb 23, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the npm_and_yarn group across 2 directories with 28 updates#1

Bump the npm_and_yarn group across 2 directories with 28 updates#1
dependabot[bot] wants to merge 1 commit into5.xfrom
dependabot/npm_and_yarn/packages/craftcms-webpack/npm_and_yarn-2570aa770b

dependabot bot commented on behalf of github Feb 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Feb 23, 2026

v5.2.3

5.2.3 (2026-01-12)

Bug Fixes

v5.2.2

5.2.2 (2025-06-03)

Bug Fixes

v5.2.1

5.2.1 (2025-03-26)

Security

Bug Fixes

v5.2.0

5.2.0 (2024-12-11)

Features

Bug Fixes

5.2.3 (2026-01-12)

Bug Fixes

5.2.2 (2025-06-03)

Bug Fixes

5.2.1 (2025-03-26)

Security

Bug Fixes

5.2.0 (2024-12-11)

Features

Bug Fixes

5.1.0 (2024-09-03)

changeglob

13

12

11.1

11.0

10.4

10.3

10.2

10.1

v5.104.1

5.104.1

Patch Changes

v5.104.0

5.104.0

Minor Changes

Patch Changes

v5.103.0

Features

5.104.1

Patch Changes

5.104.0

Minor Changes

Patch Changes

v5.2.3

5.2.3 (2026-01-12)

Bug Fixes

v5.2.2

5.2.2 (2025-06-03)

Bug Fixes

v5.2.1

5.2.1 (2025-03-26)

Security

Bug Fixes

v5.2.0

5.2.0 (2024-12-11)

Features

Bug Fixes

5.2.3 (2026-01-12)

Bug Fixes

5.2.2 (2025-06-03)

Bug Fixes

5.2.1 (2025-03-26)

Security

Bug Fixes

5.2.0 (2024-12-11)

Features

Bug Fixes

5.1.0 (2024-09-03)

v1.13.5

Release 1.13.5

Highlights

Changes

Security