webdriverio · wswebcreation · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026
diff --git a/.changeset/modern-files-fly.md b/.changeset/modern-files-fly.md
diff --git a/packages/image-comparison-core/CHANGELOG.md b/packages/image-comparison-core/CHANGELOG.md
@@ -1,5 +1,26 @@
 # @wdio/image-comparison-core
 
+## 1.2.2
+
+### Patch Changes
+
+- db33fa7: #### `@wdio/image-comparison-core` and `@wdio/ocr-service` Security: update jimp (CVE in `file-type` transitive dep)
+
+  Bumped `jimp` to the latest version to resolve a reported vulnerability in its `file-type` transitive dependency (see [#1130](https://github.com/webdriverio/visual-testing/issues/1130), raised by [@denis-sokolov](https://github.com/denis-sokolov), thank you!).
+
+  **Actual impact on these packages**
+  `file-type` is used by `@jimp/core` solely to detect image MIME types when reading a buffer. In both `@wdio/image-comparison-core` and `@wdio/ocr-service`, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes.
+
+  That said, the reputational and compliance risk was real, security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that.
+
+  #### `@wdio/visual-reporter` and `@wdio/visual-service`
+
+  Updated internal dependencies to pick up the jimp bump in `@wdio/image-comparison-core`.
+
+  ### Committers: 1
+
+  - Wim Selles ([@wswebcreation](https://github.com/wswebcreation))
+
 ## 1.2.1
 
 ### Patch Changes

diff --git a/packages/image-comparison-core/package.json b/packages/image-comparison-core/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@wdio/image-comparison-core",
-  "version": "1.2.1",
+  "version": "1.2.2",
   "author": "Wim Selles - wswebcreation",
   "description": "Image comparison core module for @wdio/visual-service - WebdriverIO visual testing framework",
   "keywords": [

diff --git a/packages/ocr-service/CHANGELOG.md b/packages/ocr-service/CHANGELOG.md
@@ -1,5 +1,26 @@
 # @wdio/ocr-service
 
+## 2.2.9
+
+### Patch Changes
+
+- db33fa7: #### `@wdio/image-comparison-core` and `@wdio/ocr-service` — Security: update jimp (CVE in `file-type` transitive dep)
+
+  Bumped `jimp` to the latest version to resolve a reported vulnerability in its `file-type` transitive dependency (see [#1130](https://github.com/webdriverio/visual-testing/issues/1130), raised by [@denis-sokolov](https://github.com/denis-sokolov), thank you!).
+
+  **Actual impact on these packages**
+  `file-type` is used by `@jimp/core` solely to detect image MIME types when reading a buffer. In both `@wdio/image-comparison-core` and `@wdio/ocr-service`, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes.
+
+  That said, the reputational and compliance risk was real, security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that.
+
+  #### `@wdio/visual-reporter` and `@wdio/visual-service`
+
+  Updated internal dependencies to pick up the jimp bump in `@wdio/image-comparison-core`.
+
+  ### Committers: 1
+
+  - Wim Selles ([@wswebcreation](https://github.com/wswebcreation))
+
 ## 2.2.8
 
 ### Patch Changes

diff --git a/packages/ocr-service/package.json b/packages/ocr-service/package.json
@@ -2,7 +2,7 @@
   "name": "@wdio/ocr-service",
   "author": "Wim Selles - wswebcreation",
   "description": "A WebdriverIO service that is using Tesseract OCR for Desktop/Mobile Web and Mobile Native App tests.",
-  "version": "2.2.8",
+  "version": "2.2.9",
   "license": "MIT",
   "homepage": "https://webdriver.io/docs/visual-testing",
   "repository": {

diff --git a/packages/visual-reporter/CHANGELOG.md b/packages/visual-reporter/CHANGELOG.md
@@ -1,5 +1,26 @@
 # @wdio/visual-reporter
 
+## 0.4.13
+
+### Patch Changes
+
+- db33fa7: #### `@wdio/image-comparison-core` and `@wdio/ocr-service` Security: update jimp (CVE in `file-type` transitive dep)
+
+  Bumped `jimp` to the latest version to resolve a reported vulnerability in its `file-type` transitive dependency (see [#1130](https://github.com/webdriverio/visual-testing/issues/1130), raised by [@denis-sokolov](https://github.com/denis-sokolov), thank you!).
+
+  **Actual impact on these packages**
+  `file-type` is used by `@jimp/core` solely to detect image MIME types when reading a buffer. In both `@wdio/image-comparison-core` and `@wdio/ocr-service`, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes.
+
+  That said, the reputational and compliance risk was real, security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that.
+
+  #### `@wdio/visual-reporter` and `@wdio/visual-service`
+
+  Updated internal dependencies to pick up the jimp bump in `@wdio/image-comparison-core`.
+
+  ### Committers: 1
+
+  - Wim Selles ([@wswebcreation](https://github.com/wswebcreation))
+
 ## 0.4.12
 
 ### Patch Changes

diff --git a/packages/visual-reporter/package.json b/packages/visual-reporter/package.json
@@ -2,7 +2,7 @@
   "name": "@wdio/visual-reporter",
   "author": "Wim Selles - wswebcreation",
   "description": "Visual Testing HTML Report for the @wdio/visual-service module",
-  "version": "0.4.12",
+  "version": "0.4.13",
   "license": "MIT",
   "homepage": "https://webdriver.io/docs/visual-testing",
   "repository": {

diff --git a/packages/visual-service/CHANGELOG.md b/packages/visual-service/CHANGELOG.md
@@ -1,8 +1,33 @@
 # @wdio/visual-service
 
+## 9.2.2
+
+### Patch Changes
+
+- db33fa7: #### `@wdio/image-comparison-core` and `@wdio/ocr-service` — Security: update jimp (CVE in `file-type` transitive dep)
+
+  Bumped `jimp` to the latest version to resolve a reported vulnerability in its `file-type` transitive dependency (see [#1130](https://github.com/webdriverio/visual-testing/issues/1130), raised by [@denis-sokolov](https://github.com/denis-sokolov), thank you!).
+
+  **Actual impact on these packages**
+  `file-type` is used by `@jimp/core` solely to detect image MIME types when reading a buffer. In both `@wdio/image-comparison-core` and `@wdio/ocr-service`, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes.
+
+  That said, the reputational and compliance risk was real, security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that.
+
+  #### `@wdio/visual-reporter` and `@wdio/visual-service`
+
+  Updated internal dependencies to pick up the jimp bump in `@wdio/image-comparison-core`.
+
+  ### Committers: 1
+
+  - Wim Selles ([@wswebcreation](https://github.com/wswebcreation))
+
+- Updated dependencies [db33fa7]
+  - @wdio/image-comparison-core@1.2.2
+
 ## 9.2.1
 
 ### Patch Changes
+
 - d5afb54: ## #1129 Fix `TypeError: element.getBoundingClientRect is not a function` when a `ChainablePromiseElement` is passed to `checkElement`
 
   When `checkElement` (or `saveElement`) was called with a `ChainablePromiseElement`, the lazy promise-based element reference that WebdriverIO's `$()` returns, the element was passed directly as an argument to `browser.execute()` without being awaited first. `browser.execute()` serializes its arguments for transfer to the browser context and cannot handle a pending Promise, so it arrived in the browser as a plain empty object `{}` instead of a WebElement reference. This caused `element.getBoundingClientRect is not a function` because the browser-side `scrollElementIntoView` script received `{}` rather than a DOM element.

diff --git a/packages/visual-service/package.json b/packages/visual-service/package.json
@@ -2,7 +2,7 @@
   "name": "@wdio/visual-service",
   "author": "Wim Selles - wswebcreation",
   "description": "Image comparison / visual regression testing for WebdriverIO",
-  "version": "9.2.1",
+  "version": "9.2.2",
   "license": "MIT",
   "homepage": "https://webdriver.io/docs/visual-testing",
   "repository": {