build(deps): bump tar, canvas and wxt

[dependabot]

Removes tar. It's no longer used after updating ancestor dependencies tar, canvas and wxt. These dependencies need to be updated together.

Removes tar

Updates canvas from 2.11.2 to 3.2.1

Release notes

Sourced from canvas's releases.

v3.2.1

3.2.1

• Fix error message HTTP response status code in image src setter
• roundRect() shape incorrect when radii were large relative to rectangle size (#2400)
• Reject loadImage when src is null or invalid (#2304)
• Fix compilation on GCC 15 by including (#2545)

v3.2.0

3.2.0

Added

• Added ctx.lang to set the ISO language code for text

v3.1.2

3.1.2

Fixed

• Fix crash when setting width/height on PDF, SVG canvas (#2520)

v3.1.1

3.1.1

This release also introduces arm64 prebuilds for Linux!

Fixed

• Fix a crash when SVGs without width or height are loaded (#2486)
• Fix fetching prebuilds during installation on certain newer versions of Node (#2497)
• Fixed issue with fillText that was breaking subsequent fillText calls (#2171)
• Fix svg rendering when the image is resized (#2498)
• Fix measureText with direction rtl textAlign start/end
• Fix a crash in Node 24, due to external memory API change (#2514)

v3.1.0

3.1.0

• Replaced simple-get with Node.js builtin fetch (#2309)
• ctx.font has a new C++ parser and is 2x-400x faster. Please file an issue if you experience different results, as caching has been removed.
• The restriction of registering fonts before a canvas is created has been removed. You can now register a font as late as right before the fillText call (#1921)

Added

• Support for accessibility and links in PDFs
• ctx.direction is implemented: 'rtl' or 'ltr' set the base direction of text
• ctx.textAlign 'start' and 'end' are now 'right' and 'left' when ctx.direction === 'rtl'

Fixed

• Fix a crash in getImageData when the rectangle is entirely outside the canvas. (#2024)
• Fix getImageData cropping the resulting ImageData when the given rectangle is partly outside the canvas. (#1849)

v3.0.1

3.0.1

... (truncated)

Changelog

Sourced from canvas's changelog.

3.2.1

• Fix error message HTTP response status code in image src setter
• roundRect() shape incorrect when radii were large relative to rectangle size (#2400)
• Reject loadImage when src is null or invalid (#2304)
• Fix compilation on GCC 15 by including (#2545)

3.2.0

Added

• Added ctx.lang to set the ISO language code for text

3.1.2

Fixed

• Fix crash when setting width/height on PDF, SVG canvas (#2520)

3.1.1

Fixed

• Fix a crash when SVGs without width or height are loaded (#2486)
• Fix fetching prebuilds during installation on certain newer versions of Node (#2497)
• Fixed issue with fillText that was breaking subsequent fillText calls (#2171)
• Fix svg rendering when the image is resized (#2498)
• Fix measureText with direction rtl textAlign start/end
• Fix a crash in Node 24, due to external memory API change (#2514)

3.1.0

Changed

• Replaced simple-get with Node.js builtin fetch (#2309)
• ctx.font has a new C++ parser and is 2x-400x faster. Please file an issue if you experience different results, as caching has been removed.
• The restriction of registering fonts before a canvas is created has been removed. You can now register a font as late as right before the fillText call (#1921)

Added

• Support for accessibility and links in PDFs
• ctx.direction is implemented: 'rtl' or 'ltr' set the base direction of text
• ctx.textAlign 'start' and 'end' are now 'right' and 'left' when ctx.direction === 'rtl'

Fixed

• Fix a crash in getImageData when the rectangle is entirely outside the canvas. (#2024)
• Fix getImageData cropping the resulting ImageData when the given rectangle is partly outside the canvas. (#1849)

3.0.1

Fixed

• Fixed accidental depenency on ambient DOM types

3.0.0

... (truncated)

Commits

• 41adf08 v3.2.1
• f2c570d Fix compilation on GCC 15 by including <cstdint> (#2545) (#2546)
• 7f34c9b Fix error message HTTP response status code in image src setter (#2532)
• 616859b fix: reject loadImage when src is null or invalid (#2518)
• 418f555 bug: incorrect roundRect() with large radii
• 9bcf363 3.2.0
• 6ce963d Set pango language through ctx.lang (#2526)
• d548caa use memcpy to avoid misaligned pointer UB
• 6353deb ci: windows-2025 image (2019 was retired)
• a862af8 3.1.2
• Additional commits viewable in compare view

Updates wxt from 0.19.29 to 0.20.13

Release notes

Sourced from wxt's releases.

wxt v0.20.13

compare changes

🚀 Enhancements

• Remove script element immediately in injectScript (#1761)
• Add modifyScript option to injectScript (#1762)
• Make injectScript return the created script element (#1838)
• Support .wxtrc config file (#1833)

🩹 Fixes

• Make injectScript wait until script is actually loaded (#1763)
• Don't return promises from unlisted scripts that do not have an async main function (#1907)

💅 Refactors

• Use script.text instead of innerHTML in injectScript (#1764)

❤️ Contributors

• Rxliuli (@​rxliuli)
• Sebastian Landwehr info@sebastianlandwehr.com
• Johan Kiviniemi (@​ion1)

wxt v0.20.12

compare changes

🚀 Enhancements

• Remove data-wxt-* attributes (#1913)
• Default to using use_dynamic_url: true for content script css files (#1993)

🩹 Fixes

• Wxt normal logs are drowned by dotenv@17.0.0 ads (#1883)
• Optimize splitShadowRootCss (#1934)
• wxt prepare fails with the error "vite_ssr_exportName is not defined" when using Vite 7 (#1884)

🏡 Chore

• Use linkedom a test instead of happy-dom (#1957)
• Add support for vite-node v5 (#2001)
• Upgrade dev and non-major prod dependencies (#2000)
• dev-deps: Upgrade happy-dom to address CVE-2025-61927 (#2002)

❤️ Contributors

• Aaron (@​aklinker1)
• Jaguar Zhou (@​aiktb)

... (truncated)

Commits

• b7b3fc5 chore(release): wxt v0.20.13
• 4b44fb8 fix: Don't return promises from unlisted scripts that do not have an async `m...
• 5d0a266 fix: Add another defineItem signature when init function is passed (#1909)
• 2466786 feat: Support .wxtrc config file (#1833)
• 25cc403 refactor: Use script.text instead of innerHTML in injectScript (#1764)
• 923312c feat: Make injectScript return the created script element (#1838)
• adeef6e fix: Make injectScript wait until script is actually loaded (#1763)
• 6f84d45 feat: Add modifyScript option to injectScript (#1762)
• 938c25c feat: Remove script element immediately in injectScript (#1761)
• 0404637 chore(release): wxt v0.20.12
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for wxt since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

.coderabbit.yml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)

Validation error: Unrecognized key(s) in object: 'labels', 'include_paths', 'exclude_paths', 'filters', 'review', 'pull_request', 'limits', 'commands', 'messages'

⚙️ Configuration instructions

• Please see the configuration documentation for more information.
• You can also validate your configuration using the online YAML validator.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}