@wdio/visual-service@9.2.2

Patch Changes

• db33fa7: #### @wdio/image-comparison-core and @wdio/ocr-service Security: update jimp (CVE in file-type transitive dep)

  Bumped jimp to the latest version to resolve a reported vulnerability in its file-type transitive dependency (see #1130, raised by @denis-sokolov, thank you!).

  Actual impact on these packages
  file-type is used by @jimp/core solely to detect image MIME types when reading a buffer. In both @wdio/image-comparison-core and @wdio/ocr-service, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes.

  That said, the reputational and compliance risk was real, security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that.

  @wdio/visual-reporter and @wdio/visual-service

  Updated internal dependencies to pick up the jimp bump in @wdio/image-comparison-core.

  Committers: 1

  • Wim Selles (@wswebcreation)

• Updated dependencies [db33fa7]

  • @wdio/image-comparison-core@1.2.2

@wdio/visual-reporter@0.4.13

Patch Changes

• db33fa7: #### @wdio/image-comparison-core and @wdio/ocr-service Security: update jimp (CVE in file-type transitive dep)

  Bumped jimp to the latest version to resolve a reported vulnerability in its file-type transitive dependency (see #1130, raised by @denis-sokolov, thank you!).

  Actual impact on these packages
  file-type is used by @jimp/core solely to detect image MIME types when reading a buffer. In both @wdio/image-comparison-core and @wdio/ocr-service, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes.

  That said, the reputational and compliance risk was real, security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that.

  @wdio/visual-reporter and @wdio/visual-service

  Updated internal dependencies to pick up the jimp bump in @wdio/image-comparison-core.

  Committers: 1

  • Wim Selles (@wswebcreation)

@wdio/ocr-service@2.2.9

Patch Changes

• db33fa7: #### @wdio/image-comparison-core and @wdio/ocr-service Security: update jimp (CVE in file-type transitive dep)

  Bumped jimp to the latest version to resolve a reported vulnerability in its file-type transitive dependency (see #1130, raised by @denis-sokolov, thank you!).

  Actual impact on these packages
  file-type is used by @jimp/core solely to detect image MIME types when reading a buffer. In both @wdio/image-comparison-core and @wdio/ocr-service, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes.

  That said, the reputational and compliance risk was real, security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that.

  @wdio/visual-reporter and @wdio/visual-service

  Updated internal dependencies to pick up the jimp bump in @wdio/image-comparison-core.

  Committers: 1

  • Wim Selles (@wswebcreation)

@wdio/image-comparison-core@1.2.2

Patch Changes

• db33fa7: #### @wdio/image-comparison-core and @wdio/ocr-service Security: update jimp (CVE in file-type transitive dep)

  Bumped jimp to the latest version to resolve a reported vulnerability in its file-type transitive dependency (see #1130, raised by @denis-sokolov, thank you!).

  Actual impact on these packages
  file-type is used by @jimp/core solely to detect image MIME types when reading a buffer. In both @wdio/image-comparison-core and @wdio/ocr-service, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes.

  That said, the reputational and compliance risk was real, security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that.

  @wdio/visual-reporter and @wdio/visual-service

  Updated internal dependencies to pick up the jimp bump in @wdio/image-comparison-core.

  Committers: 1

  • Wim Selles (@wswebcreation)

@wdio/visual-service@9.2.1

Patch Changes

• d5afb54: ## #1129 Fix TypeError: element.getBoundingClientRect is not a function when a ChainablePromiseElement is passed to checkElement

  When checkElement (or saveElement) was called with a ChainablePromiseElement, the lazy promise-based element reference that WebdriverIO's $() returns, the element was passed directly as an argument to browser.execute() without being awaited first. browser.execute() serializes its arguments for transfer to the browser context and cannot handle a pending Promise, so it arrived in the browser as a plain empty object {} instead of a WebElement reference. This caused element.getBoundingClientRect is not a function because the browser-side scrollElementIntoView script received {} rather than a DOM element.

  Committers: 1

  • Wim Selles (@wswebcreation)

• Updated dependencies [d5afb54]

  • @wdio/image-comparison-core@1.2.1

@wdio/image-comparison-core@1.2.1

Patch Changes

• d5afb54: ## #1129 Fix TypeError: element.getBoundingClientRect is not a function when a ChainablePromiseElement is passed to checkElement

  When checkElement (or saveElement) was called with a ChainablePromiseElement, the lazy promise-based element reference that WebdriverIO's $() returns, the element was passed directly as an argument to browser.execute() without being awaited first. browser.execute() serializes its arguments for transfer to the browser context and cannot handle a pending Promise, so it arrived in the browser as a plain empty object {} instead of a WebElement reference. This caused element.getBoundingClientRect is not a function because the browser-side scrollElementIntoView script received {} rather than a DOM element.

  Committers: 1

  • Wim Selles (@wswebcreation)

@wdio/visual-service@9.2.0

Minor Changes

• 994f4da: ## #857 Support ignore regions for web screenshots

  Add ignore support to all web screenshot methods (saveScreen/checkScreen, saveElement/checkElement, saveFullPageScreen/checkFullPageScreen) so that specified elements can be blocked out during visual comparison. This brings web parity with the native-app ignore-region support that already existed.

  Changes

  • Ignore regions for full-page screenshots: new determineWebFullPageIgnoreRegions function that calculates ignore-region rectangles for full-page screenshots, including a fullPageCropTopPaddingCSS correction for mobile scroll-and-stitch scenarios where the address-bar shadow padding shifts element positions
  • Consolidated ignoreRegionPadding: moved ignoreRegionPadding into BaseWebScreenshotOptions so it is inherited by all web methods instead of being duplicated per method
  • Fix isAndroidNativeWebScreenshot type: ensure nativeWebScreenshot is always a boolean (was accidentally an object for LambdaTest capabilities), preventing ignore-region DPR scaling failures
  • Fix viewport rounding for mobile: restore Math.round() in injectWebviewOverlay and remove Math.min clamping in getMobileViewPortPosition to prevent 1-pixel crop shifts during full-page stitching
  • Fix scrollElementIntoView for scrolled pages: account for currentPosition (existing scroll offset) when computing the target scroll position, so elements are scrolled into view correctly when the page is already scrolled
  • Dismiss Chrome Start Surface on Android: when Chrome's tab-overview UI blocks the webview overlay, automatically press the Android Back button (up to 4 retries) to restore the active tab before measuring the viewport
  • Add hybrid status bar blockout: on hybrid apps the statusbar was not blocked out which could result in flaky tests regarding battery and reception

  Committers: 1

  • Wim Selles (@wswebcreation)

Patch Changes

• Updated dependencies [994f4da]
  • @wdio/image-comparison-core@1.2.0

@wdio/image-comparison-core@1.2.0

Minor Changes

• 994f4da: ## #857 Support ignore regions for web screenshots

  Add ignore support to all web screenshot methods (saveScreen/checkScreen, saveElement/checkElement, saveFullPageScreen/checkFullPageScreen) so that specified elements can be blocked out during visual comparison. This brings web parity with the native-app ignore-region support that already existed.

  Changes

  • Ignore regions for full-page screenshots: new determineWebFullPageIgnoreRegions function that calculates ignore-region rectangles for full-page screenshots, including a fullPageCropTopPaddingCSS correction for mobile scroll-and-stitch scenarios where the address-bar shadow padding shifts element positions
  • Consolidated ignoreRegionPadding: moved ignoreRegionPadding into BaseWebScreenshotOptions so it is inherited by all web methods instead of being duplicated per method
  • Fix isAndroidNativeWebScreenshot type: ensure nativeWebScreenshot is always a boolean (was accidentally an object for LambdaTest capabilities), preventing ignore-region DPR scaling failures
  • Fix viewport rounding for mobile: restore Math.round() in injectWebviewOverlay and remove Math.min clamping in getMobileViewPortPosition to prevent 1-pixel crop shifts during full-page stitching
  • Fix scrollElementIntoView for scrolled pages: account for currentPosition (existing scroll offset) when computing the target scroll position, so elements are scrolled into view correctly when the page is already scrolled
  • Dismiss Chrome Start Surface on Android: when Chrome's tab-overview UI blocks the webview overlay, automatically press the Android Back button (up to 4 retries) to restore the active tab before measuring the viewport
  • Add hybrid status bar blockout: on hybrid apps the statusbar was not blocked out which could result in flaky tests regarding battery and reception

  Committers: 1

  • Wim Selles (@wswebcreation)

@wdio/visual-service@9.1.6

Patch Changes

• 0a19d78: Fix clearRuntimeFolder clearing the actual and diff folders after each spec/feature execution instead of once before all workers start. This caused only the last spec's visual data to be present in the output when running multiple specs.

  Committers: 1

  • Wim Selles (@wswebcreation)

• ed0bea6: Fix EISDIR error when using resolveSnapshotPath with the visual service. The service now uses dirname() of the resolved path as the baseline folder, preventing it from creating a directory at a path that expect-webdriverio's snapshot service expects to be a file. Fixes #984.

  Committers: 1

  • Wim Selles (@wswebcreation)

• cbf1d22: Fix incomplete wdio-ics:options type augmentation on WebdriverIO.Capabilities. The global type declaration now uses the WdioIcsOptions interface directly, ensuring all supported properties (logName, name) are available to TypeScript users in both standalone and multiremote configurations. Fixes #732.

  Committers: 1

  • Wim Selles (@wswebcreation)

• Updated dependencies [0a19d78]

• Updated dependencies [ce74703]

  • @wdio/image-comparison-core@1.1.4

@wdio/visual-service@9.1.5

Patch Changes

• 6ed0469: ## Fix: support appium:options nested capability format and avd fallback (#1118)

  Appium caps need to be prefixed with appium:, but this can feel redundant when you have a lot of caps. So you can also put them inside the appium:options-object. This was not supported by the visual module and was reported in #1118. It is now supported.

  The following capabilities are now correctly read from both appium:-prefixed top-level format and the nested appium:options format:

  • deviceName
  • nativeWebScreenshot
  • avd (new, see below)

  Second issue that is fixed is that for Android the deviceName could be left away and the avd could be provided. This is now also supported where deviceName takes priority over avd if both are provided.

  Committers: 1

  • Wim Selles (@wswebcreation)