Version 7.4.0

Security notice

FIxes CVE-2026-44311

What's Changed

• chore(): update major eslint to 10 by @Smrtnyk in #10956
• chore(): Fix non functional typos by @opensourcezeal in #10949
• chore(deps-dev): bump oxfmt from 0.42.0 to 0.45.0 by @dependabot[bot] in #10964
• ci(dependabot): group vite-related npm updates by @asturur in #10967
• chore(deps-dev): bump the vitest group with 4 updates by @dependabot[bot] in #10968
• chore(deps-dev): bump es-toolkit from 1.45.1 to 1.46.0 by @dependabot[bot] in #10971
• chore(deps-dev): bump postcss from 8.5.8 to 8.5.12 by @dependabot[bot] in #10972
• chore(deps-dev): bump rolldown from 1.0.0-rc.12 to 1.0.0-rc.16 by @dependabot[bot] in #10966
• fix(): Fix typecheck from security advisory merge by @asturur in #10973
• fix(): Honor viewport rotation in zoom, dimensions, and control coords by @kausters in #10977
• Version 7.4.0 by @asturur in #10980

New Contributors

• @opensourcezeal made their first contribution in #10949
• @kausters made their first contribution in #10977

Full Changelog: v731...v740

Version 7.3.1

What's Changed

Same as 7.3.0 but fixed publishing issues

• feat(): Update cron schedule for scorecard workflow by @asturur in #10952
• ci(): tighten workflow permissions for scorecard hardening by @asturur in #10953
• ci(): pin workflow dependencies for scorecard hardening by @asturur in #10954
• docs(): Revise security vulnerability reporting process by @asturur in #10955
• ci(): Change permission model and declaration to help with OSSF scorecard. by @asturur in #10959
• ci(): inline npm publish workflow and add manual dispatch by @asturur in #10960
• ci(): Publish 7.3.1 by @asturur in #10961
• ci(): Fix for publishing action by @asturur in #10962

Full Changelog: v730...v731

Version 7.3.0

In this release we changed from Rollup to Rolldown, this also changed the minifier.
If you notice some bug with your built app please report it.

New Contributors

• @mauricekindermann made their first contribution in #10851
• @multivoltage made their first contribution in #10875
• @10ef made their first contribution in #10943

What's Changed

• feat(extensions): Cropping controls with edge resize and flip support by @mauricekindermann in #10851
• fix(): Fire mouseover/mouseleave for objects that are multi selection targets by @asturur in #10874
• Gradient controls by @asturur in #10844
• chore(deps-dev): bump rollup from 4.52.4 to 4.59.0 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #10877
• chore(): Update typescript-eslint to address a recent vulnerability by @asturur in #10878
• Cleanup animation delay timeout by @jiayihu in #10830
• fix: avoid crash if loadFromJSON load config with not existing images by @multivoltage in #10875
• feat(): Support textDecoration color. by @asturur in #10880
• chore(): update vitest to 4.1.0 by @Smrtnyk in #10888
• chore(): try rolldown by @Smrtnyk in #10868
• chore(): migrate from prettier to oxfmt by @Smrtnyk in #10881
• chore(deps-dev): bump @playwright/test from 1.58.1 to 1.58.2 by @dependabot[bot] in #10885
• chore(deps-dev): bump nyc from 17.1.0 to 18.0.0 by @dependabot[bot] in #10883
• chore: simplify issue templates and remove semver devDependency by @asturur in #10892
• chore(): try to improve playwright tests speed by @Smrtnyk in #10896
• ci(): fix the coverage comment action by @asturur in #10898
• fix(): Coverage e2e part2 by @asturur in #10899
• chore(): simplify svg creation in unit tests via shared helper by @Smrtnyk in #10895
• docs(agents): add repo AGENTS guide and PR skill by @asturur in #10900
• refactor(tests): use createSVGElement helper across spec files by @Smrtnyk in #10902
• ci(): Try to enable sonarqube cloud for coverage reporting by @asturur in #10903
• ci(): fix sonarqube lcov path after artifact download by @asturur in #10910
• refactor(tests): remove coverage collection from playwright by @Smrtnyk in #10912
• chore(deps-dev): bump es-toolkit from 1.40.0 to 1.45.1 by @dependabot[bot] in #10907
• chore(deps): bump canvas from 3.2.0 to 3.2.1 by @dependabot[bot] in #10906
• chore(deps-dev): bump inquirer from 12.10.0 to 13.3.2 by @dependabot[bot] in #10909
• chore(): remove leftover babel dep by @Smrtnyk in #10914
• refactor(tests): remove coverage merge step by @Smrtnyk in #10913
• ci(): fix SonarCloud PR changed-lines coverage by @asturur in #10921
• ci(): harden privileged workflow_run actions by @asturur in #10922
• test(e2e): stabilize drag and drop event snapshots by @asturur in #10918
• refactor(tests): consolidate rectangle creation using makeRect by @Smrtnyk in #10923
• chore(deps): bump canvas from 3.2.1 to 3.2.2 by @dependabot[bot] in #10926
• chore(deps-dev): bump picomatch from 2.3.1 to 2.3.2 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #10928
• chore(deps): update devDependencies to latest versions by @Smrtnyk in #10929
• chore(): update typescript to 6 by @Smrtnyk in #10935
• refactor(test): fix dead assertions in Shadow.spec.ts by @Smrtnyk in #10932
• chore(deps-dev): bump serialize-javascript from 7.0.4 to 7.0.5 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #10936
• chore(deps): bump canvas from 3.2.2 to 3.2.3 by @dependabot[bot] in #10940
• refactor(tests): Migrate to official vitest API for custom snapshot matchers by @Smrtnyk in #10937
• fix(cropping): keep ghost scaling controls anchored on flipped images by @10ef in #10943
• Version 7.3.0 by @asturur in #10951

Full Changelog: v720...v730

Version 7.2.0

What's Changed

• chore(): Add pre-commit hook for lint/prettier/tsc by @asturur in #10834
• feat(): Cropping controls follow ups by @asturur in #10839
• chore(deps-dev): bump lodash from 4.17.21 to 4.17.23 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #10853
• chore(): update vitest by @Smrtnyk in #10858
• chore(): fix Canvas-dispose tests on firefox by @Smrtnyk in #10859
• chore(): update playwright to latest by @Smrtnyk in #10860
• test(): refactor test, put common data in shared function by @Smrtnyk in #10861
• chore(): update prettier by @Smrtnyk in #10863
• chore(): reuse more of the createPointerEvent in unit tests by @Smrtnyk in #10864
• fix(): Fix for svg export stored xss CVE-2026-27013

Full Changelog: v710...v720

Version 7.1.0

What's Changed

• feat(): Cropping controls extension by @asturur in #10825
• chore(): Render circle control tweak for code reusability and style by @asturur in #10829
• Correctly check for cache key equality in calcOwnMatrix by @jiayihu in #10831
• chore(deps-dev): bump js-yaml from 3.14.1 to 3.14.2 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #10812
• fix(Text):Double offset when exporting SVG after setting deltaY in Text by @jiao1187875445 in #10805

New Contributors

• @jiao1187875445 made their first contribution in #10805

Full Changelog: v700...v710

Version 7.0.0

No code changes compared to 7.0.0 - rc1

Version 6.9.1

Full Changelog: v690...v691

• fix(): Fix the situation where undefined + char exists when calculating couple #10816
• fix(): Fix toDataUrl writing on contextTop #10820

Version 7.0.0 rc1

What's Changed

• chore(): Update typescript 5.9, eslint, babel and rollup to latest by @asturur in #10708
• chore(): Fixes to TypeDoc for compilation by @asturur in #10709
• chore(): Remove mouse wheel console warning by setting default explicitly. by @zhe-he in #10712
• fix: The mouse enter and leave events of child elements will be executed twice. by @zhe-he in #10699
• BREAKING: chore(): Update min node version to 20, add 24 by @asturur in #10716
• BREAKING(): Deprecate fireRightClick, fireMiddleClick, stopContextMenu and change their default value. by @asturur in #10720
• Clarify MIT License by @asturur in #10725
• doc: Repair broken link in docs by targeting all demo and samples pages in old fabric docs. by @tneullas in #10723
• chore(): Format dependabot.yml with Prettier to ensure consistent code style by @Copilot in #10733
• chore(deps-dev): bump @eslint/js from 9.34.0 to 9.35.0 by @dependabot[bot] in #10729
• Update license to include 2016–2025 Fabric.js contributors by @aswind7 in #10726
• chore(deps-dev): bump serve from 14.2.4 to 14.2.5 by @dependabot[bot] in #10730
• chore(deps-dev): bump es-toolkit from 1.39.7 to 1.39.10 by @dependabot[bot] in #10731
• chore(): Pin all GitHub Actions to commit SHAs for security compliance by @Copilot in #10739
• chore(): Remove paths for codeQL let it scan all the repo by @asturur in #10738
• change CN comment to EN by @aswind7 in #10727
• fix(textarea): A form field element has neither an id nor a name attribute. by @zhe-he in #10172
• fix: After executing loadFromJSON, it unexpectedly adds an objects property to the canvas. by @zhe-he in #10741
• ci(): Foked the action find-create-update-comment in order to pin sha(s) by @asturur in #10742
• ci(): Fix CWE-829 in the coverage report action by @asturur in #10743
• ci(): fix CWE-829 in action build-stats by @asturur in #10744
• fix(): CWE-1333 CWE-400 CWE-730 in Text.ts regex by @asturur in #10745
• fix(): CWE-1333 CWE-400 CWE-730 Simplify some regexes in order to avoid slowness with craft bad string by @asturur in #10746
• fix(): Fix some weaknesses in the changelog-update action ( various CWE ) by @asturur in #10747
• fix(): build-stats action, fix for CWE-275 and some code injection by @asturur in #10749
• fix(): Add all actions a set of permissions that is restricted to the minimum necessary by @asturur in #10750
• fix(): correct process.ENV with process.env by @asturur in #10751
• chore(deps-dev): bump chalk from 5.6.0 to 5.6.2 by @dependabot[bot] in #10752
• chore(deps-dev): bump commander from 14.0.0 to 14.0.1 by @dependabot[bot] in #10754
• chore(): remove chalk by @Smrtnyk in #10758
• chore(deps-dev): bump @babel/core from 7.28.3 to 7.28.4 by @dependabot[bot] in #10753
• chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates by @dependabot[bot] in #10734
• chore(): Revisit and reduce conribution guidelines, try to streamline things by @asturur in #10759
• test(): Add new e2e import test for svg preserve aspect ratio by @asturur in #10766
• chore(deps-dev): bump @playwright/test from 1.55.0 to 1.55.1 by @dependabot[bot] in #10761
• chore(): remove fs-extra dev dependency by @Smrtnyk in #10767
• ci(): Move firefox to headless: false to see if improves passing rate. Renamed config because of deprecation warning by @asturur in #10769
• chore(): remove moment dev dependency by @Smrtnyk in #10770
• chore(): up deps by @Smrtnyk in #10771
• chore(): up dev deps by @Smrtnyk in #10773
• chore(deps-dev): bump @rollup/plugin-babel from 6.0.4 to 6.1.0 by @dependabot[bot] in #10776
• chore(deps-dev): bump @types/node from 24.7.0 to 24.7.2 by @dependabot[bot] in #10778
• BREAKING: change default originX and originY to center/center by @asturur in #10715
• chore(deps-dev): bump es-toolkit from 1.39.10 to 1.40.0 by @dependabot[bot] in #10777
• chore(): update playwright by @Smrtnyk in #10780
• fix(): Prototype pollution risk on text char cache by @asturur in #10782
• chore(): update major version of vitest by @Smrtnyk in #10786
• fix(): fix rendering of text when line height is set to 0 by @Smrtnyk in #10785
• chore(deps-dev): bump @types/micromatch from 4.0.9 to 4.0.10 by @dependabot[bot] in #10788
• chore(deps-dev): bump @vitest/ui from 4.0.2 to 4.0.3 by @dependabot[bot] in #10787
• Revert "chore(deps-dev): bump @vitest/ui from 4.0.2 to 4.0.3" by @asturur in #10792
• chore(deps-dev): bump inquirer from 12.9.6 to 12.10.0 by @dependabot[bot] in #10789
• update(AligningGuidelines): Fix some bugs and add custom features. by @zhe-he in #10120
• fix(): BREAKING Fix text positioning by @asturur in #10803
• feat(): Add configuration parameter for patternQuality in node by @asturur in #10804
• fix(): Fix the situation where undefined + char exists when calculating couple by @ccOfHome in #10816
• feat(): Multi touch gesture support with module westures by @asturur in #10813
• fix(): Fix toDataUrl writing on contextTop by @asturur in #10820
• Version 7.0 build by @asturur in #10821

New Contributors

• @tneullas made their first contribution in #10723
• @ccOfHome made their first contribution in #10816

Full Changelog: v700-beta1...v700-rc1

Version 6.9.0

What's Changed

• fix(): Backport cache prototype pollution fix to 6.x by @asturur in #10800

Techinically a breaking change of private code.
That is why the minor bump, otherwise would be a patch.

If you are not interacting with the fabric.charWidthsCache object directly, this release is not breaking

Full Changelog: v680...v690

Version 6.8.0

What's Changed

fix(): CWE-1333 CWE-400 CWE-730 Simplify some regexes in order to avoid slowness with craft bad string #10746
fix(): CWE-1333 CWE-400 CWE-730 in Text.ts regex #10745
fix(StaticCanvas): After executing loadFromJSON, it unexpectedly adds an objects property to the canvas. #10741
fix(textarea): A form field element has neither an id nor a name attribute. #10172
fix(Canvas): The mouse enter and leave events of child elements will be executed twice. #10699
chore(): Remove mouse wheel console warning by setting default explicitly. #10712
fix(): fix rendering of text when line height is set to 0 #10785

Full Changelog: v671...v680

Thanks to @Smrtnyk and @zhe-he