Snyk has created this PR to upgrade @babel/runtime from 7.28.4 to 7.28.6.

See this package in npm:
@babel/runtime

See this project in Snyk:
https://app.snyk.io/org/mrrio/project/50515eb1-b03b-4f42-9f17-cce1a33d5d1a?utm_source=github&utm_medium=referral&page=upgrade-pr

Co-authored-by: snyk-bot <[email protected]>

* fix

* fix

* add regression tests and revert dist changes

* prettier

---------

Co-authored-by: Lukas Holländer <[email protected]>

* Sanitize JavaScript input in addJS function

Sanitize input JavaScript to prevent errors with parentheses.

* don't escape already escaped parentheses, add test cases

---------

Co-authored-by: Lukas Holländer <[email protected]>

Bumps [rollup](https://github.com/rollup/rollup) from 2.79.2 to 2.80.0.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/v2.80.0/CHANGELOG.md)
- [Commits](rollup/rollup@v2.79.2...v2.80.0)

---
updated-dependencies:
- dependency-name: rollup
  dependency-version: 2.80.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.1.2 to 3.1.5.
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.5)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Lukas Holländer <[email protected]>

* Fix popup rendering for new window outputs

* Encode filename in data URI, add edge case tests

- Encode options.filename in datauristring to prevent data URI
  structure corruption via semicolons/commas
- Add tests: SRI on default pdfobject URL, data URI filename encoding,
  malicious pdfJsUrl attribute injection attempt

* Fix SRI test: split into default and custom URL cases

The previous test claimed to cover both default and custom URL
paths but only checked the default. Now split into two separate
tests that each verify what they claim.

---------

Co-authored-by: Doruk <[email protected]>

* Fix FreeText annotation style string escaping

* Remove dist artifacts from FreeText fix PR

* Harden FreeText color: add hex validation, fix double #, expand tests

- Validate color as hex pattern (3-8 hex chars), fallback to 000000
  for non-hex input as defense-in-depth alongside pdfEscape
- Strip leading # before concatenation to prevent double ## in output
- Add tests: injection rejection, backslash bypass, valid hex colors,
  double # prevention, non-hex fallback

* Update freetext.pdf reference for double # fix

The reference file had color:##ff0000 (double #) which was
a pre-existing bug. Now that we strip the leading # before
concatenation, the output is color:#ff0000 and the reference
must match.

* Revert "Update freetext.pdf reference for double # fix"

This reverts commit b6139558ededb872a663f62898d68f0f2d35bde5.

* Revert "Harden FreeText color: add hex validation, fix double #, expand tests"

This reverts commit 0b8baf967c5089ec40f0a86c3d59cb47fcc0823e.

---------

Co-authored-by: Doruk <[email protected]>
Co-authored-by: Lukas Holländer <[email protected]>