From a41f75a669d187540177057ea7a530ea4f923357 Mon Sep 17 00:00:00 2001 From: WebdriverIO Release Bot Date: Thu, 9 Apr 2026 04:55:28 +0000 Subject: [PATCH 1/5] chore: release [skip ci] --- .changeset/modern-files-fly.md | 24 -------------------- packages/image-comparison-core/CHANGELOG.md | 21 +++++++++++++++++ packages/image-comparison-core/package.json | 2 +- packages/ocr-service/CHANGELOG.md | 21 +++++++++++++++++ packages/ocr-service/package.json | 2 +- packages/visual-reporter/CHANGELOG.md | 21 +++++++++++++++++ packages/visual-reporter/package.json | 2 +- packages/visual-service/CHANGELOG.md | 25 +++++++++++++++++++++ packages/visual-service/package.json | 2 +- 9 files changed, 92 insertions(+), 28 deletions(-) delete mode 100644 .changeset/modern-files-fly.md diff --git a/.changeset/modern-files-fly.md b/.changeset/modern-files-fly.md deleted file mode 100644 index 6c2ddc846..000000000 --- a/.changeset/modern-files-fly.md +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -"@wdio/image-comparison-core": patch -"@wdio/ocr-service": patch -"@wdio/visual-reporter": patch -"@wdio/visual-service": patch ---- - -#### `@wdio/image-comparison-core` and `@wdio/ocr-service` — Security: update jimp (CVE in `file-type` transitive dep) - -Bumped `jimp` to the latest version to resolve a reported vulnerability in its `file-type` transitive dependency (see [#1130](https://github.com/webdriverio/visual-testing/issues/1130), raised by [@denis-sokolov](https://github.com/denis-sokolov), thank you!). - -**Actual impact on these packages** -`file-type` is used by `@jimp/core` solely to detect image MIME types when reading a buffer. In both `@wdio/image-comparison-core` and `@wdio/ocr-service`, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes. - -That said, the reputational and compliance risk was real, security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that. - -#### `@wdio/visual-reporter` and `@wdio/visual-service` - -Updated internal dependencies to pick up the jimp bump in `@wdio/image-comparison-core`. - - -### Committers: 1 - -- Wim Selles ([@wswebcreation](https://github.com/wswebcreation)) diff --git a/packages/image-comparison-core/CHANGELOG.md b/packages/image-comparison-core/CHANGELOG.md index 54d6b5e59..681752dfc 100644 --- a/packages/image-comparison-core/CHANGELOG.md +++ b/packages/image-comparison-core/CHANGELOG.md 
@@ -1,5 +1,26 @@ # @wdio/image-comparison-core +## 1.2.2 + +### Patch Changes + +- db33fa7: #### `@wdio/image-comparison-core` and `@wdio/ocr-service` — Security: update jimp (CVE in `file-type` transitive dep) + + Bumped `jimp` to the latest version to resolve a reported vulnerability in its `file-type` transitive dependency (see [#1130](https://github.com/webdriverio/visual-testing/issues/1130), raised by [@denis-sokolov](https://github.com/denis-sokolov), thank you!). + + **Actual impact on these packages** + `file-type` is used by `@jimp/core` solely to detect image MIME types when reading a buffer. In both `@wdio/image-comparison-core` and `@wdio/ocr-service`, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes. + + That said, the reputational and compliance risk was real, security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that. + + #### `@wdio/visual-reporter` and `@wdio/visual-service` + + Updated internal dependencies to pick up the jimp bump in `@wdio/image-comparison-core`. + + ### Committers: 1 + + - Wim Selles ([@wswebcreation](https://github.com/wswebcreation)) + ## 1.2.1 ### Patch Changes diff --git a/packages/image-comparison-core/package.json b/packages/image-comparison-core/package.json index 1e8dc6ce2..426d23fd9 100644 --- a/packages/image-comparison-core/package.json +++ b/packages/image-comparison-core/package.json @@ -1,6 +1,6 @@ { "name": "@wdio/image-comparison-core", - "version": "1.2.1", + "version": "1.2.2", "author": "Wim Selles - wswebcreation", "description": "Image comparison core module for @wdio/visual-service - WebdriverIO visual testing framework", "keywords": [ 
diff --git a/packages/ocr-service/CHANGELOG.md b/packages/ocr-service/CHANGELOG.md index 2a1d03b72..331a67e15 100644 --- a/packages/ocr-service/CHANGELOG.md +++ b/packages/ocr-service/CHANGELOG.md @@ -1,5 +1,26 @@ # @wdio/ocr-service +## 2.2.9 + +### Patch Changes + +- db33fa7: #### `@wdio/image-comparison-core` and `@wdio/ocr-service` — Security: update jimp (CVE in `file-type` transitive dep) + + Bumped `jimp` to the latest version to resolve a reported vulnerability in its `file-type` transitive dependency (see [#1130](https://github.com/webdriverio/visual-testing/issues/1130), raised by [@denis-sokolov](https://github.com/denis-sokolov), thank you!). + + **Actual impact on these packages** + `file-type` is used by `@jimp/core` solely to detect image MIME types when reading a buffer. In both `@wdio/image-comparison-core` and `@wdio/ocr-service`, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes. + + That said, the reputational and compliance risk was real, security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that. + + #### `@wdio/visual-reporter` and `@wdio/visual-service` + + Updated internal dependencies to pick up the jimp bump in `@wdio/image-comparison-core`. + + ### Committers: 1 + + - Wim Selles ([@wswebcreation](https://github.com/wswebcreation)) + ## 2.2.8 ### Patch Changes diff --git a/packages/ocr-service/package.json b/packages/ocr-service/package.json index a90d9ff39..e950506a4 100644 --- a/packages/ocr-service/package.json +++ b/packages/ocr-service/package.json 
@@ -2,7 +2,7 @@ "name": "@wdio/ocr-service", "author": "Wim Selles - wswebcreation", "description": "A WebdriverIO service that is using Tesseract OCR for Desktop/Mobile Web and Mobile Native App tests.", - "version": "2.2.8", + "version": "2.2.9", "license": "MIT", "homepage": "https://webdriver.io/docs/visual-testing", "repository": { diff --git a/packages/visual-reporter/CHANGELOG.md b/packages/visual-reporter/CHANGELOG.md index 81c9522d0..cbdf95f58 100644 --- a/packages/visual-reporter/CHANGELOG.md +++ b/packages/visual-reporter/CHANGELOG.md 
@@ -1,5 +1,26 @@ # @wdio/visual-reporter +## 0.4.13 + +### Patch Changes + +- db33fa7: #### `@wdio/image-comparison-core` and `@wdio/ocr-service` — Security: update jimp (CVE in `file-type` transitive dep) + + Bumped `jimp` to the latest version to resolve a reported vulnerability in its `file-type` transitive dependency (see [#1130](https://github.com/webdriverio/visual-testing/issues/1130), raised by [@denis-sokolov](https://github.com/denis-sokolov), thank you!). + + **Actual impact on these packages** + `file-type` is used by `@jimp/core` solely to detect image MIME types when reading a buffer. In both `@wdio/image-comparison-core` and `@wdio/ocr-service`, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes. + + That said, the reputational and compliance risk was real, security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that. + + #### `@wdio/visual-reporter` and `@wdio/visual-service` + + Updated internal dependencies to pick up the jimp bump in `@wdio/image-comparison-core`. + + ### Committers: 1 + + - Wim Selles ([@wswebcreation](https://github.com/wswebcreation)) + ## 0.4.12 ### Patch Changes diff --git a/packages/visual-reporter/package.json b/packages/visual-reporter/package.json index 697a0ca61..113b4d3bd 100644 --- a/packages/visual-reporter/package.json +++ b/packages/visual-reporter/package.json 
@@ -2,7 +2,7 @@ "name": "@wdio/visual-reporter", "author": "Wim Selles - wswebcreation", "description": "Visual Testing HTML Report for the @wdio/visual-service module", - "version": "0.4.12", + "version": "0.4.13", "license": "MIT", "homepage": "https://webdriver.io/docs/visual-testing", "repository": { diff --git a/packages/visual-service/CHANGELOG.md b/packages/visual-service/CHANGELOG.md index 803ad8c65..095e3df4b 100644 --- a/packages/visual-service/CHANGELOG.md +++ b/packages/visual-service/CHANGELOG.md 
@@ -1,8 +1,33 @@ # @wdio/visual-service +## 9.2.2 + +### Patch Changes + +- db33fa7: #### `@wdio/image-comparison-core` and `@wdio/ocr-service` — Security: update jimp (CVE in `file-type` transitive dep) + + Bumped `jimp` to the latest version to resolve a reported vulnerability in its `file-type` transitive dependency (see [#1130](https://github.com/webdriverio/visual-testing/issues/1130), raised by [@denis-sokolov](https://github.com/denis-sokolov), thank you!). + + **Actual impact on these packages** + `file-type` is used by `@jimp/core` solely to detect image MIME types when reading a buffer. In both `@wdio/image-comparison-core` and `@wdio/ocr-service`, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes. + + That said, the reputational and compliance risk was real, security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that. + + #### `@wdio/visual-reporter` and `@wdio/visual-service` + + Updated internal dependencies to pick up the jimp bump in `@wdio/image-comparison-core`. + + ### Committers: 1 + + - Wim Selles ([@wswebcreation](https://github.com/wswebcreation)) + +- Updated dependencies [db33fa7] + - @wdio/image-comparison-core@1.2.2 + ## 9.2.1 ### Patch Changes + - d5afb54: ## #1129 Fix `TypeError: element.getBoundingClientRect is not a function` when a `ChainablePromiseElement` is passed to `checkElement` When `checkElement` (or `saveElement`) was called with a `ChainablePromiseElement`, the lazy promise-based element reference that WebdriverIO's `$()` returns, the element was passed directly as an argument to `browser.execute()` without being awaited first. 
`browser.execute()` serializes its arguments for transfer to the browser context and cannot handle a pending Promise, so it arrived in the browser as a plain empty object `{}` instead of a WebElement reference. This caused `element.getBoundingClientRect is not a function` because the browser-side `scrollElementIntoView` script received `{}` rather than a DOM element. diff --git a/packages/visual-service/package.json b/packages/visual-service/package.json index 70af167b3..e3b325a19 100644 --- a/packages/visual-service/package.json +++ b/packages/visual-service/package.json @@ -2,7 +2,7 @@ "name": "@wdio/visual-service", "author": "Wim Selles - wswebcreation", "description": "Image comparison / visual regression testing for WebdriverIO", - "version": "9.2.1", + "version": "9.2.2", "license": "MIT", "homepage": "https://webdriver.io/docs/visual-testing", "repository": { From 63812a05ba762476bcb493b9ed729af25d9a0d7d Mon Sep 17 00:00:00 2001 From: Wim Selles Date: Thu, 9 Apr 2026 07:09:06 +0200 Subject: [PATCH 2/5] Apply suggestion from @wswebcreation --- packages/image-comparison-core/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/image-comparison-core/CHANGELOG.md b/packages/image-comparison-core/CHANGELOG.md index 681752dfc..6e178986a 100644 --- a/packages/image-comparison-core/CHANGELOG.md +++ b/packages/image-comparison-core/CHANGELOG.md @@ -4,7 +4,7 @@ ### Patch Changes -- db33fa7: #### `@wdio/image-comparison-core` and `@wdio/ocr-service` — Security: update jimp (CVE in `file-type` transitive dep) +- db33fa7: #### `@wdio/image-comparison-core` and `@wdio/ocr-service` Security: update jimp (CVE in `file-type` transitive dep) Bumped `jimp` to the latest version to resolve a reported vulnerability in its `file-type` transitive dependency (see [#1130](https://github.com/webdriverio/visual-testing/issues/1130), raised by [@denis-sokolov](https://github.com/denis-sokolov), thank you!). 
From b679ff23e2e26b5e6c5684f5296b981b47ecbfe9 Mon Sep 17 00:00:00 2001 From: Wim Selles Date: Thu, 9 Apr 2026 07:09:32 +0200 Subject: [PATCH 3/5] Apply suggestion from @wswebcreation --- packages/visual-reporter/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/visual-reporter/CHANGELOG.md b/packages/visual-reporter/CHANGELOG.md index cbdf95f58..81c9da92b 100644 --- a/packages/visual-reporter/CHANGELOG.md +++ b/packages/visual-reporter/CHANGELOG.md @@ -4,7 +4,7 @@ ### Patch Changes -- db33fa7: #### `@wdio/image-comparison-core` and `@wdio/ocr-service` — Security: update jimp (CVE in `file-type` transitive dep) +- db33fa7: #### `@wdio/image-comparison-core` and `@wdio/ocr-service` Security: update jimp (CVE in `file-type` transitive dep) Bumped `jimp` to the latest version to resolve a reported vulnerability in its `file-type` transitive dependency (see [#1130](https://github.com/webdriverio/visual-testing/issues/1130), raised by [@denis-sokolov](https://github.com/denis-sokolov), thank you!). From 40b751bfa1e5c44a248591c9b223fba404029cb9 Mon Sep 17 00:00:00 2001 From: Wim Selles Date: Thu, 9 Apr 2026 07:09:55 +0200 Subject: [PATCH 4/5] Apply suggestion from @wswebcreation --- packages/ocr-service/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/ocr-service/CHANGELOG.md b/packages/ocr-service/CHANGELOG.md index 331a67e15..d8db55676 100644 --- a/packages/ocr-service/CHANGELOG.md +++ b/packages/ocr-service/CHANGELOG.md 
@@ -4,7 +4,7 @@ ### Patch Changes -- db33fa7: #### `@wdio/image-comparison-core` and `@wdio/ocr-service` — Security: update jimp (CVE in `file-type` transitive dep) +- db33fa7: #### `@wdio/image-comparison-core` and `@wdio/ocr-service` Security: update jimp (CVE in `file-type` transitive dep) Bumped `jimp` to the latest version to resolve a reported vulnerability in its `file-type` transitive dependency (see [#1130](https://github.com/webdriverio/visual-testing/issues/1130), raised by [@denis-sokolov](https://github.com/denis-sokolov), thank you!). From 032db912d32a62b8c88790ad3885c648625559cc Mon Sep 17 00:00:00 2001 From: Wim Selles Date: Thu, 9 Apr 2026 07:10:22 +0200 Subject: [PATCH 5/5] Apply suggestion from @wswebcreation --- packages/visual-service/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/visual-service/CHANGELOG.md b/packages/visual-service/CHANGELOG.md index 095e3df4b..2369e46c7 100644 --- a/packages/visual-service/CHANGELOG.md +++ b/packages/visual-service/CHANGELOG.md @@ -4,7 +4,7 @@ ### Patch Changes -- db33fa7: #### `@wdio/image-comparison-core` and `@wdio/ocr-service` — Security: update jimp (CVE in `file-type` transitive dep) +- db33fa7: #### `@wdio/image-comparison-core` and `@wdio/ocr-service` Security: update jimp (CVE in `file-type` transitive dep) Bumped `jimp` to the latest version to resolve a reported vulnerability in its `file-type` transitive dependency (see [#1130](https://github.com/webdriverio/visual-testing/issues/1130), raised by [@denis-sokolov](https://github.com/denis-sokolov), thank you!).
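Review bot: In PATCH 1/5, the new `## 1.2.2` entry in `packages/image-comparison-core/CHANGELOG.md` says jimp was bumped "to the latest version" and refers to a "CVE in `file-type`" without naming the resolved jimp version or the advisory identifier. Anyone closing an audit finding from this entry has to open issue #1130 to learn which advisory is meant and which version fixes it. Suggest stating the jimp version that db33fa7 moves to and the CVE or GHSA id in the entry text. The same wording is repeated in the other three changelogs.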
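Review bot: In PATCH 1/5, the "Actual impact on these packages" paragraph added to `packages/ocr-service/CHANGELOG.md` states as an absolute that no untrusted input reaches jimp, yet it names WebDriver screenshots as one of the two image sources, and those bytes are returned by whichever driver or grid endpoint the session is connected to. The claim holds only if that endpoint and the local files read back from disk are trusted. Suggest wording it as that assumption rather than "There is no code path", since readers will use this paragraph to decide how urgently to upgrade.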
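Review bot: In PATCH 1/5, the `## 0.4.13` entry in `packages/visual-reporter/CHANGELOG.md` has no `Updated dependencies [db33fa7]` line, although its own text says this package "Updated internal dependencies to pick up the jimp bump"; the `## 9.2.2` entry for `@wdio/visual-service` does list `@wdio/image-comparison-core@1.2.2`. Either add the matching dependency line or, if the reporter does not depend on the core package, drop it from the changeset so 0.4.13 is not published as a security release without a change behind it. The entry also repeats the full jimp write-up under a heading that names only `@wdio/image-comparison-core` and `@wdio/ocr-service`; a one-line note per dependent package would read better.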
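Review bot: In PATCH 1/5, the hunk for `packages/visual-service/CHANGELOG.md` adds a blank line between `### Patch Changes` and `- d5afb54` in the already released `## 9.2.1` section, which is unrelated to this release and should be left out. The new `## 9.2.2` entry also carries `####` headings and a `### Committers: 1` block inside the `- db33fa7:` list item, so heading levels end up nested under a bullet. Suggest removing the committers block from the changeset body and keeping the changeset text to plain paragraphs.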
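Review bot: PATCH 2/5 to 5/5 each delete the dash before `Security:` in the `- db33fa7:` heading and put nothing in its place, so the heading now runs the package names straight into `Security: update jimp`. Suggest a colon or a plain hyphen as the separator, and make the change once in the changeset source or release tooling rather than by hand in four generated changelogs, so later entries do not need the same manual fix. The four commit subjects, "Apply suggestion from @wswebcreation", also do not say what was changed.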