Update file-type from ^16 to ^21.3.3 in @jimp/core#1400
Merged
hipstersmoothie merged 4 commits intojimp-dev:mainfrom Apr 7, 2026
Merged
Update file-type from ^16 to ^21.3.3 in @jimp/core#1400hipstersmoothie merged 4 commits intojimp-dev:mainfrom
hipstersmoothie merged 4 commits intojimp-dev:mainfrom
Conversation
Addresses the security vulnerability in file-type <16.5.4 and <18.7.0 (GHSA-5v7r-6r5c-r473 / CVE-2024-4367) by upgrading to v21. Changes: - Update file-type dependency from ^16.0.0 to ^21.3.1 - Remove deprecated @types/file-type (types are now bundled) - Update import from default export to named export (fileTypeFromBuffer) Fixes jimp-dev#1399
quanglam2807
approved these changes
Mar 12, 2026
Contributor
quanglam2807
left a comment
There was a problem hiding this comment.
Please merge this PR!
dotrongkhang2000
approved these changes
Mar 12, 2026
quanghung309
approved these changes
Mar 12, 2026
duonganh203
approved these changes
Mar 12, 2026
HongAnTran
approved these changes
Mar 12, 2026
|
@hipstersmoothie would it be possible to take a look at this PR ? Thanks in advance! |
Contributor
Author
|
The new file-type CVE has arrived while we’re waiting for the PR to be merged: GHSA-j47w-4g3g-c36v Bumped file-type to 21.3.3 |
Contributor
|
@crutchcorn pls review this PR. |
Co-authored-by: Quang Lam <[email protected]>
joaomarcelofm
approved these changes
Mar 25, 2026
iresstai
approved these changes
Apr 2, 2026
hipstersmoothie
approved these changes
Apr 7, 2026
6688799 to
218ea58
Compare
218ea58 to
9d91eb2
Compare
Collaborator
|
🚀 PR was released in |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
10 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #1399
Updates the
file-typedependency in@jimp/corefrom^16.0.0to^21.3.1to address the security vulnerability GHSA-5v7r-6r5c-r473 (CVE-2024-4367), which affectsfile-typeversions<16.5.4and<18.7.0.Changes
packages/core/package.json: Bumpfile-typefrom^16.0.0to^21.3.1; remove deprecated@types/file-typedev dependency (types are now bundled infile-typeitself)packages/core/src/index.ts: Update import from default export (import fileType from "file-type/core.js") to named export (import { fileTypeFromBuffer } from "file-type/core.js"), and replacefileType.fromBuffer(...)withfileTypeFromBuffer(...)Notes
file-typev21 is ESM-only, which is compatible with@jimp/coresince it already uses"type": "module"and builds withtshy@types/file-typepackage is deprecated asfile-typenow ships its own type definitions