@wdio/visual-service@9.2.3

Patch Changes

• c56e1ae: ## #1146 Fix BiDi element screenshots missing composited layers (scrollbars, fixed/sticky overlays)

  Root cause

  When checkElement / saveElement is used with the WebDriver BiDi protocol, the screenshot was taken with browsingContext.captureScreenshot using origin: 'document'. This renders the document layout independently of the browser's compositor, which means composited layers are never included — element-level scrollbars, position: fixed / position: sticky overlays, and elements with a will-change CSS property all render as invisible or without their correct visual state.

  The switch to origin: 'document' was introduced in an earlier fix (commit 227f10a) to avoid a zero dimensions error that occurred when origin: 'viewport' was used for elements that were outside the visible viewport. That fix was correct for out-of-viewport elements, but it also silently broke composited-layer capture for all elements.

  Fix: new biDiOrigin method option

  A new method-level option biDiOrigin has been added to saveElement / checkElement. It is BiDi-only and ignored for the legacy WebDriver screenshot path.

  Value	Behaviour
  'document' (default)	Previous behaviour — works for any element position but composited layers (scrollbars, overlays, will-change) are not captured
  'viewport'	Captures the composited frame as the browser painted it — scrollbars, fixed/sticky overlays and will-change layers are included. The element must be visible in the viewport; descriptive errors are thrown when it is not

  Usage

  // Capture an element with its scrollbar / overlay visible:
  await browser.checkElement(element, "myTag", { biDiOrigin: "viewport" });
  await browser.saveElement(element, "myTag", { biDiOrigin: "viewport" });

  Error messages when biDiOrigin: 'viewport' cannot produce a valid screenshot

  Element larger than the viewport — must fall back to 'document':

  [BiDi viewport screenshot] The element dimensions (1400x800px) exceed the viewport (1280x720px).
  You must use the default `biDiOrigin: 'document'` for this element.
  Note: with `'document'` origin, composited layers such as scrollbars, fixed/sticky overlays,
  and elements using `will-change` may not appear in the screenshot.
  

  Element not in the viewport at all — needs scrolling:

  [BiDi viewport screenshot] The element is not in the viewport
  (element: x=0, y=900, 300x200px; viewport: 1280x720px).
  Call `element.scrollIntoView()` before taking the screenshot, or set `autoElementScroll: true`.
  

  Element partially outside the viewport but fits — needs to be scrolled fully into view:

  [BiDi viewport screenshot] The element is not fully visible in the viewport
  (element: x=-20, y=100, 300x200px; viewport: 1280x720px).
  The element fits within the viewport — scroll it fully into view by calling
  `element.scrollIntoView()` or setting `autoElementScroll: true`.
  

  Committers: 1

  • Wim Selles (@wswebcreation)

• Updated dependencies [c56e1ae]

  • @wdio/image-comparison-core@1.2.3

@wdio/image-comparison-core@1.2.3

Patch Changes

• c56e1ae: ## #1146 Fix BiDi element screenshots missing composited layers (scrollbars, fixed/sticky overlays)

  Root cause

  When checkElement / saveElement is used with the WebDriver BiDi protocol, the screenshot was taken with browsingContext.captureScreenshot using origin: 'document'. This renders the document layout independently of the browser's compositor, which means composited layers are never included — element-level scrollbars, position: fixed / position: sticky overlays, and elements with a will-change CSS property all render as invisible or without their correct visual state.

  The switch to origin: 'document' was introduced in an earlier fix (commit 227f10a) to avoid a zero dimensions error that occurred when origin: 'viewport' was used for elements that were outside the visible viewport. That fix was correct for out-of-viewport elements, but it also silently broke composited-layer capture for all elements.

  Fix: new biDiOrigin method option

  A new method-level option biDiOrigin has been added to saveElement / checkElement. It is BiDi-only and ignored for the legacy WebDriver screenshot path.

  Value	Behaviour
  'document' (default)	Previous behaviour — works for any element position but composited layers (scrollbars, overlays, will-change) are not captured
  'viewport'	Captures the composited frame as the browser painted it — scrollbars, fixed/sticky overlays and will-change layers are included. The element must be visible in the viewport; descriptive errors are thrown when it is not

  Usage

  // Capture an element with its scrollbar / overlay visible:
  await browser.checkElement(element, "myTag", { biDiOrigin: "viewport" });
  await browser.saveElement(element, "myTag", { biDiOrigin: "viewport" });

  Error messages when biDiOrigin: 'viewport' cannot produce a valid screenshot

  Element larger than the viewport — must fall back to 'document':

  [BiDi viewport screenshot] The element dimensions (1400x800px) exceed the viewport (1280x720px).
  You must use the default `biDiOrigin: 'document'` for this element.
  Note: with `'document'` origin, composited layers such as scrollbars, fixed/sticky overlays,
  and elements using `will-change` may not appear in the screenshot.
  

  Element not in the viewport at all — needs scrolling:

  [BiDi viewport screenshot] The element is not in the viewport
  (element: x=0, y=900, 300x200px; viewport: 1280x720px).
  Call `element.scrollIntoView()` before taking the screenshot, or set `autoElementScroll: true`.
  

  Element partially outside the viewport but fits — needs to be scrolled fully into view:

  [BiDi viewport screenshot] The element is not fully visible in the viewport
  (element: x=-20, y=100, 300x200px; viewport: 1280x720px).
  The element fits within the viewport — scroll it fully into view by calling
  `element.scrollIntoView()` or setting `autoElementScroll: true`.
  

  Committers: 1

  • Wim Selles (@wswebcreation)

@wdio/visual-service@9.2.2

Patch Changes

• db33fa7: #### @wdio/image-comparison-core and @wdio/ocr-service Security: update jimp (CVE in file-type transitive dep)

  Bumped jimp to the latest version to resolve a reported vulnerability in its file-type transitive dependency (see #1130, raised by @denis-sokolov, thank you!).

  Actual impact on these packages
  file-type is used by @jimp/core solely to detect image MIME types when reading a buffer. In both @wdio/image-comparison-core and @wdio/ocr-service, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes.

  That said, the reputational and compliance risk was real, security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that.

  @wdio/visual-reporter and @wdio/visual-service

  Updated internal dependencies to pick up the jimp bump in @wdio/image-comparison-core.

  Committers: 1

  • Wim Selles (@wswebcreation)

• Updated dependencies [db33fa7]

  • @wdio/image-comparison-core@1.2.2

@wdio/visual-reporter@0.4.13

Patch Changes

• db33fa7: #### @wdio/image-comparison-core and @wdio/ocr-service Security: update jimp (CVE in file-type transitive dep)

  Bumped jimp to the latest version to resolve a reported vulnerability in its file-type transitive dependency (see #1130, raised by @denis-sokolov, thank you!).

  Actual impact on these packages
  file-type is used by @jimp/core solely to detect image MIME types when reading a buffer. In both @wdio/image-comparison-core and @wdio/ocr-service, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes.

  That said, the reputational and compliance risk was real, security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that.

  @wdio/visual-reporter and @wdio/visual-service

  Updated internal dependencies to pick up the jimp bump in @wdio/image-comparison-core.

  Committers: 1

  • Wim Selles (@wswebcreation)

@wdio/ocr-service@2.2.9

Patch Changes

• db33fa7: #### @wdio/image-comparison-core and @wdio/ocr-service Security: update jimp (CVE in file-type transitive dep)

  Bumped jimp to the latest version to resolve a reported vulnerability in its file-type transitive dependency (see #1130, raised by @denis-sokolov, thank you!).

  Actual impact on these packages
  file-type is used by @jimp/core solely to detect image MIME types when reading a buffer. In both @wdio/image-comparison-core and @wdio/ocr-service, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes.

  That said, the reputational and compliance risk was real, security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that.

  @wdio/visual-reporter and @wdio/visual-service

  Updated internal dependencies to pick up the jimp bump in @wdio/image-comparison-core.

  Committers: 1

  • Wim Selles (@wswebcreation)

@wdio/image-comparison-core@1.2.2

Patch Changes

• db33fa7: #### @wdio/image-comparison-core and @wdio/ocr-service Security: update jimp (CVE in file-type transitive dep)

  Bumped jimp to the latest version to resolve a reported vulnerability in its file-type transitive dependency (see #1130, raised by @denis-sokolov, thank you!).

  Actual impact on these packages
  file-type is used by @jimp/core solely to detect image MIME types when reading a buffer. In both @wdio/image-comparison-core and @wdio/ocr-service, every image passed to jimp originates from either WebDriver screenshots (browser-controlled base64 data) or local files written by the framework itself. There is no code path where untrusted external input is fed directly into jimp, which removes the exploitability that the CVE describes.

  That said, the reputational and compliance risk was real, security scanners flag the package as vulnerable, enterprise users hit audit failures, and some organisations block installation of packages with known CVEs. The update addresses all of that.

  @wdio/visual-reporter and @wdio/visual-service

  Updated internal dependencies to pick up the jimp bump in @wdio/image-comparison-core.

  Committers: 1

  • Wim Selles (@wswebcreation)

@wdio/visual-service@9.2.1

Patch Changes

• d5afb54: ## #1129 Fix TypeError: element.getBoundingClientRect is not a function when a ChainablePromiseElement is passed to checkElement

  When checkElement (or saveElement) was called with a ChainablePromiseElement, the lazy promise-based element reference that WebdriverIO's $() returns, the element was passed directly as an argument to browser.execute() without being awaited first. browser.execute() serializes its arguments for transfer to the browser context and cannot handle a pending Promise, so it arrived in the browser as a plain empty object {} instead of a WebElement reference. This caused element.getBoundingClientRect is not a function because the browser-side scrollElementIntoView script received {} rather than a DOM element.

  Committers: 1

  • Wim Selles (@wswebcreation)

• Updated dependencies [d5afb54]

  • @wdio/image-comparison-core@1.2.1

@wdio/image-comparison-core@1.2.1

Patch Changes

• d5afb54: ## #1129 Fix TypeError: element.getBoundingClientRect is not a function when a ChainablePromiseElement is passed to checkElement

  When checkElement (or saveElement) was called with a ChainablePromiseElement, the lazy promise-based element reference that WebdriverIO's $() returns, the element was passed directly as an argument to browser.execute() without being awaited first. browser.execute() serializes its arguments for transfer to the browser context and cannot handle a pending Promise, so it arrived in the browser as a plain empty object {} instead of a WebElement reference. This caused element.getBoundingClientRect is not a function because the browser-side scrollElementIntoView script received {} rather than a DOM element.

  Committers: 1

  • Wim Selles (@wswebcreation)

@wdio/visual-service@9.2.0

Minor Changes

• 994f4da: ## #857 Support ignore regions for web screenshots

  Add ignore support to all web screenshot methods (saveScreen/checkScreen, saveElement/checkElement, saveFullPageScreen/checkFullPageScreen) so that specified elements can be blocked out during visual comparison. This brings web parity with the native-app ignore-region support that already existed.

  Changes

  • Ignore regions for full-page screenshots: new determineWebFullPageIgnoreRegions function that calculates ignore-region rectangles for full-page screenshots, including a fullPageCropTopPaddingCSS correction for mobile scroll-and-stitch scenarios where the address-bar shadow padding shifts element positions
  • Consolidated ignoreRegionPadding: moved ignoreRegionPadding into BaseWebScreenshotOptions so it is inherited by all web methods instead of being duplicated per method
  • Fix isAndroidNativeWebScreenshot type: ensure nativeWebScreenshot is always a boolean (was accidentally an object for LambdaTest capabilities), preventing ignore-region DPR scaling failures
  • Fix viewport rounding for mobile: restore Math.round() in injectWebviewOverlay and remove Math.min clamping in getMobileViewPortPosition to prevent 1-pixel crop shifts during full-page stitching
  • Fix scrollElementIntoView for scrolled pages: account for currentPosition (existing scroll offset) when computing the target scroll position, so elements are scrolled into view correctly when the page is already scrolled
  • Dismiss Chrome Start Surface on Android: when Chrome's tab-overview UI blocks the webview overlay, automatically press the Android Back button (up to 4 retries) to restore the active tab before measuring the viewport
  • Add hybrid status bar blockout: on hybrid apps the statusbar was not blocked out which could result in flaky tests regarding battery and reception

  Committers: 1

  • Wim Selles (@wswebcreation)

Patch Changes

• Updated dependencies [994f4da]
  • @wdio/image-comparison-core@1.2.0

@wdio/image-comparison-core@1.2.0

Minor Changes

• 994f4da: ## #857 Support ignore regions for web screenshots

  Add ignore support to all web screenshot methods (saveScreen/checkScreen, saveElement/checkElement, saveFullPageScreen/checkFullPageScreen) so that specified elements can be blocked out during visual comparison. This brings web parity with the native-app ignore-region support that already existed.

  Changes

  • Ignore regions for full-page screenshots: new determineWebFullPageIgnoreRegions function that calculates ignore-region rectangles for full-page screenshots, including a fullPageCropTopPaddingCSS correction for mobile scroll-and-stitch scenarios where the address-bar shadow padding shifts element positions
  • Consolidated ignoreRegionPadding: moved ignoreRegionPadding into BaseWebScreenshotOptions so it is inherited by all web methods instead of being duplicated per method
  • Fix isAndroidNativeWebScreenshot type: ensure nativeWebScreenshot is always a boolean (was accidentally an object for LambdaTest capabilities), preventing ignore-region DPR scaling failures
  • Fix viewport rounding for mobile: restore Math.round() in injectWebviewOverlay and remove Math.min clamping in getMobileViewPortPosition to prevent 1-pixel crop shifts during full-page stitching
  • Fix scrollElementIntoView for scrolled pages: account for currentPosition (existing scroll offset) when computing the target scroll position, so elements are scrolled into view correctly when the page is already scrolled
  • Dismiss Chrome Start Surface on Android: when Chrome's tab-overview UI blocks the webview overlay, automatically press the Android Back button (up to 4 retries) to restore the active tab before measuring the viewport
  • Add hybrid status bar blockout: on hybrid apps the statusbar was not blocked out which could result in flaky tests regarding battery and reception

  Committers: 1

  • Wim Selles (@wswebcreation)