
Version Packages #1135

Merged: wswebcreation merged 5 commits into main from changeset-release/main on Apr 9, 2026

@github-actions github-actions bot commented Apr 9, 2026

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine: whenever you add more changesets to main, this PR will be updated.

Releases

@wdio/image-comparison-core@1.2.2

Patch Changes

  • db33fa7: #### @wdio/image-comparison-core and @wdio/ocr-service — Security: update jimp (CVE in file-type transitive dep)

    Bumped jimp to the latest version to resolve a reported vulnerability in its file-type transitive dependency (see #1130, raised by @denis-sokolov, thank you!).

    Actual impact on these packages
    file-type is used by @jimp/core solely to detect image MIME types when reading a buffer. In both @wdio/image-comparison-core and @wdio/ocr-service, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes.

    That said, the reputational and compliance risk was real: security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that.

    @wdio/visual-reporter and @wdio/visual-service

    Updated internal dependencies to pick up the jimp bump in @wdio/image-comparison-core.

    Committers: 1

@wdio/ocr-service@2.2.9

Patch Changes

  • db33fa7: #### @wdio/image-comparison-core and @wdio/ocr-service — Security: update jimp (CVE in file-type transitive dep)

    Bumped jimp to the latest version to resolve a reported vulnerability in its file-type transitive dependency (see #1130, raised by @denis-sokolov, thank you!).

    Actual impact on these packages
    file-type is used by @jimp/core solely to detect image MIME types when reading a buffer. In both @wdio/image-comparison-core and @wdio/ocr-service, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes.

    That said, the reputational and compliance risk was real: security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that.

    @wdio/visual-reporter and @wdio/visual-service

    Updated internal dependencies to pick up the jimp bump in @wdio/image-comparison-core.

    Committers: 1

@wdio/visual-reporter@0.4.13

Patch Changes

  • db33fa7: #### @wdio/image-comparison-core and @wdio/ocr-service — Security: update jimp (CVE in file-type transitive dep)

    Bumped jimp to the latest version to resolve a reported vulnerability in its file-type transitive dependency (see #1130, raised by @denis-sokolov, thank you!).

    Actual impact on these packages
    file-type is used by @jimp/core solely to detect image MIME types when reading a buffer. In both @wdio/image-comparison-core and @wdio/ocr-service, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes.

    That said, the reputational and compliance risk was real: security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that.

    @wdio/visual-reporter and @wdio/visual-service

    Updated internal dependencies to pick up the jimp bump in @wdio/image-comparison-core.

    Committers: 1

@wdio/visual-service@9.2.2

Patch Changes

  • db33fa7: #### @wdio/image-comparison-core and @wdio/ocr-service — Security: update jimp (CVE in file-type transitive dep)

    Bumped jimp to the latest version to resolve a reported vulnerability in its file-type transitive dependency (see #1130, raised by @denis-sokolov, thank you!).

    Actual impact on these packages
    file-type is used by @jimp/core solely to detect image MIME types when reading a buffer. In both @wdio/image-comparison-core and @wdio/ocr-service, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes.

    That said, the reputational and compliance risk was real: security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that.

    @wdio/visual-reporter and @wdio/visual-service

    Updated internal dependencies to pick up the jimp bump in @wdio/image-comparison-core.

    Committers: 1

  • Updated dependencies [db33fa7]

    • @wdio/image-comparison-core@1.2.2

@wswebcreation wswebcreation merged commit 9bb4e8e into main Apr 9, 2026
11 of 13 checks passed
@wswebcreation wswebcreation deleted the changeset-release/main branch April 9, 2026 05:10