[Snyk] Upgrade canvas from 2.11.2 to 3.2.0#7

Open
Dustin4444 wants to merge 1 commit into master from snyk-upgrade-41dee3f3a748bf83b5e7dc59e960e16b

Conversation

@Dustin4444
Owner

Snyk has created this PR to upgrade canvas from 2.11.2 to 3.2.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 12 versions ahead of your current version.

  • The recommended version was released 2 months ago.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Issues fixed by the recommended upgrade:

| Issue | Score | Exploit Maturity |
| --- | --- | --- |
| high severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-ANSIREGEX-1583908) | 482 | Proof of Concept |
| high severity: Prototype Pollution (SNYK-JS-JSONSCHEMA-1920922) | 482 | No Known Exploit |
| high severity: Code Injection (SNYK-JS-LODASH-1040724) | 482 | Proof of Concept |
| high severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-AXIOS-1579269) | 482 | Proof of Concept |
| high severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-NORMALIZEURL-1296539) | 482 | No Known Exploit |
| high severity: Excessive Platform Resource Consumption within a Loop (SNYK-JS-BRACES-6838727) | 482 | Proof of Concept |
| high severity: Prototype Poisoning (SNYK-JS-QS-3153490) | 482 | Proof of Concept |
| high severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-SEMVER-3247795) | 482 | Proof of Concept |
| high severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-SEMVER-3247795) | 482 | Proof of Concept |
| high severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-SEMVER-3247795) | 482 | Proof of Concept |
| high severity: Information Exposure (SNYK-JS-SIMPLEGET-2361683) | 482 | Proof of Concept |
| high severity: Improper Verification of Cryptographic Signature (SNYK-JS-ELLIPTIC-8172694) | 482 | No Known Exploit |
| high severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-ETHERS-1586048) | 482 | Proof of Concept |
| high severity: Improper Handling of Extra Parameters (SNYK-JS-FOLLOWREDIRECTS-6141137) | 482 | Proof of Concept |
| high severity: Prototype Pollution (SNYK-JS-INI-1048974) | 482 | Proof of Concept |
| medium severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-LODASH-1018905) | 482 | Proof of Concept |
| medium severity: Inefficient Regular Expression Complexity (SNYK-JS-MICROMATCH-6838728) | 482 | No Known Exploit |
| medium severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-BABELRUNTIMECOREJS3-9397696) | 482 | Proof of Concept |
| medium severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-MINIMATCH-3050818) | 482 | No Known Exploit |
| medium severity: Denial of Service (DoS) (SNYK-JS-NWSAPI-2841516) | 482 | No Known Exploit |
| medium severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-PATHPARSE-1077067) | 482 | Proof of Concept |
| medium severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-PROMPTS-1729737) | 482 | Proof of Concept |
| medium severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-TRIMOFFNEWLINES-1296850) | 482 | Proof of Concept |
| medium severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-WS-1296835) | 482 | Proof of Concept |
| medium severity: Information Exposure (SNYK-JS-FOLLOWREDIRECTS-2332181) | 482 | Proof of Concept |
| medium severity: Information Exposure (SNYK-JS-FOLLOWREDIRECTS-6444610) | 482 | Proof of Concept |
| medium severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-GLOBPARENT-1016905) | 482 | Proof of Concept |
| medium severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-HOSTEDGITINFO-1088355) | 482 | Proof of Concept |
| medium severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-HTTPCACHESEMANTICS-3248783) | 482 | Proof of Concept |
| low severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-BRACEEXPANSION-9789073) | 482 | Proof of Concept |
| low severity: Prototype Pollution (SNYK-JS-MINIMIST-2429795) | 482 | Proof of Concept |
| critical severity: Improper Verification of Cryptographic Signature (SNYK-JS-ELLIPTIC-7577916) | 482 | Proof of Concept |
| critical severity: Improper Verification of Cryptographic Signature (SNYK-JS-ELLIPTIC-7577917) | 482 | Proof of Concept |
| critical severity: Improper Verification of Cryptographic Signature (SNYK-JS-ELLIPTIC-7577918) | 482 | Proof of Concept |
| medium severity: Uncontrolled Resource Consumption ('Resource Exhaustion') (SNYK-JS-TAR-6476909) | 482 | Proof of Concept |
| low severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-WORDWRAP-3149973) | 482 | Proof of Concept |
| critical severity: Information Exposure (SNYK-JS-ELLIPTIC-8720086) | 482 | Proof of Concept |
| low severity: Information Exposure (SNYK-JS-FOLLOWREDIRECTS-2396346) | 482 | No Known Exploit |

Release notes
Package name: canvas
  • 3.2.0 - 2025-08-19

    3.2.0

    Added

    • Added ctx.lang to set the ISO language code for text
  • 3.1.2 - 2025-06-26

    3.1.2

    Fixed

    • Fix crash when setting width/height on PDF, SVG canvas (#2520)
  • 3.1.1 - 2025-06-19

    3.1.1

    This release also introduces arm64 prebuilds for Linux!

    Fixed

    • Fix a crash when SVGs without width or height are loaded (#2486)
    • Fix fetching prebuilds during installation on certain newer versions of Node (#2497)
    • Fixed issue with fillText that was breaking subsequent fillText calls (#2171)
    • Fix svg rendering when the image is resized (#2498)
    • Fix measureText with direction rtl textAlign start/end
    • Fix a crash in Node 24, due to external memory API change (#2514)
  • 3.1.0 - 2025-01-22

    3.1.0

    • Replaced simple-get with Node.js builtin fetch (#2309)
    • ctx.font has a new C++ parser and is 2x-400x faster. Please file an issue if you experience different results, as caching has been removed.
    • The restriction of registering fonts before a canvas is created has been removed. You can now register a font as late as right before the fillText call (#1921)

    Added

    • Support for accessibility and links in PDFs
    • ctx.direction is implemented: 'rtl' or 'ltr' set the base direction of text
    • ctx.textAlign 'start' and 'end' are now 'right' and 'left' when ctx.direction === 'rtl'

    Fixed

    • Fix a crash in getImageData when the rectangle is entirely outside the canvas. (#2024)
    • Fix getImageData cropping the resulting ImageData when the given rectangle is partly outside the canvas. (#1849)
  • 3.0.1 - 2024-12-31

    3.0.1

    Fixed

    • Fixed accidental dependency on ambient DOM types
  • 3.0.0 - 2024-12-23

    3.0.0

    This release notably changes to using N-API. 🎉

    Breaking

    • Dropped support for Node.js 16.x and below.

    Changed

    • Migrated to N-API (by way of node-addon-api) and removed libuv and v8 dependencies
    • Change from node-pre-gyp to prebuild-install
    • Defer the initialization of the op variable to the default switch case to avoid a compiler warning. (#2229)
    • Use a default switch case with a null statement if some enum values aren't supposed to be handled, this avoids a compiler warning. (#2229)
    • Migrate from librsvg's deprecated rsvg_handle_get_dimensions() and rsvg_handle_render_cairo() functions to the new rsvg_handle_get_intrinsic_size_in_pixels() and rsvg_handle_render_document() respectively. (#2229)
    • Avoid calling virtual methods in constructors/destructors to avoid bypassing virtual dispatch. (#2229)
    • Remove unused private field backend in the Backend class. (#2229)
    • Add Node.js v20 to CI. (#2237)
    • Replaced dtslint with tsd (#2313)
    • Changed PNG consts to static properties of Canvas class
    • Reverted improved font matching on Linux (#1572) because it doesn't work if fonts are installed. If you experience degraded font selection, please file an issue and use v3.0.0-rc3 in the meantime.

    Added

    • Added string tags to support class detection
    • Throw Cairo errors in canvas.toBuffer()

    Fixed

    • Fix a case of use-after-free. (#2229)
    • Fix usage of garbage value by filling the allocated memory entirely with zeros if it's not modified. (#2229)
    • Fix a potential memory leak. (#2229)
    • Fix the wrong type of setTransform
    • Fix the improper parsing of rgb functions issue. (#2300)
    • Fix issue related to improper parsing of leading and trailing whitespaces in CSS color. (#2301)
    • RGB functions should support real numbers now instead of just integers. (#2339)
    • Allow alternate or properly escaped quotes within font-family names
    • Fix TextMetrics type to include alphabeticBaseline, emHeightAscent, and emHeightDescent properties
    • Fix class properties should have defaults as standard js classes (#2390)
    • Fixed Exif orientation in JPEG files being ignored (#1670)
    • Align DOMMatrix/DOMPoint to spec by adding missing methods
  • 3.0.0-rc3 - 2024-12-07

    This release notably changes to using N-API. 🎉

    Breaking

    • Dropped support for Node.js 16.x and below.

    Changed

    • Migrated to N-API (by way of node-addon-api) and removed libuv and v8 dependencies
    • Change from node-pre-gyp to prebuild-install
    • Defer the initialization of the op variable to the default switch case to avoid a compiler warning. (#2229)
    • Use a default switch case with a null statement if some enum values aren't supposed to be handled, this avoids a compiler warning. (#2229)
    • Migrate from librsvg's deprecated rsvg_handle_get_dimensions() and rsvg_handle_render_cairo() functions to the new rsvg_handle_get_intrinsic_size_in_pixels() and rsvg_handle_render_document() respectively. (#2229)
    • Avoid calling virtual methods in constructors/destructors to avoid bypassing virtual dispatch. (#2229)
    • Remove unused private field backend in the Backend class. (#2229)
    • Add Node.js v20 to CI. (#2237)
    • Replaced dtslint with tsd (#2313)
    • Changed PNG consts to static properties of Canvas class

    Added

    • Added string tags to support class detection
    • Throw Cairo errors in canvas.toBuffer()

    Fixed

    • Fix a case of use-after-free. (#2229)
    • Fix usage of garbage value by filling the allocated memory entirely with zeros if it's not modified. (#2229)
    • Fix a potential memory leak. (#2229)
    • Fix the wrong type of setTransform
    • Fix the improper parsing of rgb functions issue. (#2300)
    • Fix issue related to improper parsing of leading and trailing whitespaces in CSS color. (#2301)
    • RGB functions should support real numbers now instead of just integers. (#2339)
    • Allow alternate or properly escaped quotes within font-family names
    • Fix TextMetrics type to include alphabeticBaseline, emHeightAscent, and emHeightDescent properties
    • Fix class properties should have defaults as standard js classes (#2390)
    • Fixed Exif orientation in JPEG files being ignored (#1670)
  • 3.0.0-rc2 - 2024-06-20

    Note

    Prebuilds are currently only available for Linux (x64, glibc), macOS (x64) and Windows (x64). Please give this version a try and let us know if you run into issues!

    npm install canvas@next

    This release notably changes to using N-API. 🎉

    Breaking

    • Dropped support for Node.js 16.x and below.

    Changed

    • Migrated to N-API (by way of node-addon-api) and removed libuv and v8 dependencies
    • Change from node-pre-gyp to prebuild-install
    • Defer the initialization of the op variable to the default switch case to avoid a compiler warning. (#2229)
    • Use a default switch case with a null statement if some enum values aren't supposed to be handled, this avoids a compiler warning. (#2229)
    • Migrate from librsvg's deprecated rsvg_handle_get_dimensions() and rsvg_handle_render_cairo() functions to the new rsvg_handle_get_intrinsic_size_in_pixels() and rsvg_handle_render_document() respectively. (#2229)
    • Avoid calling virtual methods in constructors/destructors to avoid bypassing virtual dispatch. (#2229)
    • Remove unused private field backend in the Backend class. (#2229)
    • Add Node.js v20 to CI. (#2237)
    • Replaced dtslint with tsd (#2313)

    Added

    • Added string tags to support class detection

    Fixed

    • Fix a case of use-after-free. (#2229)
    • Fix usage of garbage value by filling the allocated memory entirely with zeros if it's not modified. (#2229)
    • Fix a potential memory leak. (#2229)
    • Fix the wrong type of setTransform
  • 3.0.0-rc1e - 2024-06-20
  • 3.0.0-rc1d - 2024-06-19
  • 3.0.0-rc1c - 2024-06-19
  • 3.0.0-rc1b - 2024-06-19
  • 2.11.2 - 2023-04-02
from canvas GitHub release notes

Important

  • Warning: This PR contains a major version upgrade, and may be a breaking change.
  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

See this package in npm:
canvas

See this project in Snyk:
https://app.snyk.io/org/dustin4444/project/35fbc727-b7bf-4ca2-87a4-c1bcb92fdf05?utm_source=github&utm_medium=referral&page=upgrade-pr
@gemini-code-assist

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@coderabbitai

coderabbitai bot commented Oct 15, 2025

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.
