Update file-type from ^16 to ^21.3.3 in @jimp/core (#1400)

Kashkovsky · quanglam2807 · hipstersmoothie · web-flow · commit e1bfa9340b6a · 2026-04-07T10:47:05.000-07:00
* Update file-type from ^16 to ^21.3.1 in @jimp/core Addresses the security vulnerability in file-type <16.5.4 and <18.7.0 (GHSA-5v7r-6r5c-r473 / CVE-2024-4367) by upgrading to v21. Changes: - Update file-type dependency from ^16.0.0 to ^21.3.1 - Remove deprecated @types/file-type (types are now bundled) - Update import from default export to named export (fileTypeFromBuffer) Fixes #1399 * Bump file-type to address CVE-2026-32630 * Update packages/core/package.json Co-authored-by: Quang Lam <1548835+quanglam2807@users.noreply.github.com> * fix build --------- Co-authored-by: Quang Lam <1548835+quanglam2807@users.noreply.github.com> Co-authored-by: Andrew Lisowski <lisowski54@gmail.com>
diff --git a/packages/core/package.json b/packages/core/package.json
@@ -20,14 +20,13 @@
     "@jimp/utils": "workspace:*",
     "await-to-js": "^3.0.0",
     "exif-parser": "^0.1.12",
-    "file-type": "^16.0.0",
+    "file-type": "^21.3.3",
     "mime": "3"
   },
   "devDependencies": {
     "@jimp/config-eslint": "workspace:*",
     "@jimp/config-typescript": "workspace:*",
     "@jimp/test-utils": "workspace:*",
-    "@types/file-type": "^10.9.1",
     "@types/mime": "^3.0.4",
     "@types/node": "^18.19.48",
     "eslint": "^9.9.1",
diff --git a/packages/core/src/index.ts b/packages/core/src/index.ts
@@ -1,6 +1,5 @@
 import { Bitmap, Format, JimpClass, Edge } from "@jimp/types";
 import { cssColorToHex, scan, scanIterator } from "@jimp/utils";
-import fileType from "file-type/core.js";
 import { to } from "await-to-js";
 import { existsSync, readFile, writeFile } from "@jimp/file-ops";
 import mime from "mime/lite.js";
@@ -29,6 +28,15 @@ function bufferFromArrayBuffer(arrayBuffer: ArrayBuffer) {
   return buffer;
 }
 
+async function detectFileTypeFromBuffer(buffer: Buffer | ArrayBuffer) {
+  const { fileTypeFromBuffer } = await import("file-type");
+  return fileTypeFromBuffer(
+    buffer instanceof ArrayBuffer
+      ? buffer
+      : new Uint8Array(buffer.buffer, buffer.byteOffset, buffer.byteLength)
+  );
+}
+
 export { getExifOrientation } from "./utils/image-bitmap.js";
 export { composite } from "./utils/composite.js";
 export * from "./utils/constants.js";
@@ -334,7 +342,7 @@ export function createJimp<
       const actualBuffer =
         buffer instanceof ArrayBuffer ? bufferFromArrayBuffer(buffer) : buffer;
 
-      const mime = await fileType.fromBuffer(actualBuffer);
+      const mime = await detectFileTypeFromBuffer(actualBuffer);
 
       if (!mime || !mime.mime) {
         throw new Error("Could not find MIME for Buffer");
diff --git a/plugins/plugin-quantize/src/index.ts b/plugins/plugin-quantize/src/index.ts
@@ -59,7 +59,7 @@ export const methods = {
     } = QuantizeOptionsSchema.parse(options);
 
     const inPointContainer = utils.PointContainer.fromUint8Array(
-      image.bitmap.data,
+      new Uint8Array(image.bitmap.data.buffer),
       image.bitmap.width,
       image.bitmap.height
     );
diff --git a/plugins/wasm-avif/src/index.ts b/plugins/wasm-avif/src/index.ts
@@ -65,10 +65,10 @@ export default function avif() {
     },
     decode: async (data) => {
       await initDecoder();
-      const result = await decode(data);
+      const result = await decode(new Uint8Array(data).buffer);
 
       return {
-        data: Buffer.from(result.data),
+        data: Buffer.from(new Uint8Array(result.data.buffer, result.data.byteOffset, result.data.byteLength)),
         width: result.width,
         height: result.height,
       };
diff --git a/plugins/wasm-jpeg/src/index.ts b/plugins/wasm-jpeg/src/index.ts
@@ -97,10 +97,10 @@ export default function jpeg() {
     },
     decode: async (data) => {
       await initDecoder();
-      const result = await decode(data);
+      const result = await decode(new Uint8Array(data).buffer);
 
       return {
-        data: Buffer.from(result.data),
+        data: Buffer.from(new Uint8Array(result.data.buffer, result.data.byteOffset, result.data.byteLength)),
         width: result.width,
         height: result.height,
       };
diff --git a/plugins/wasm-png/src/index.ts b/plugins/wasm-png/src/index.ts
@@ -41,10 +41,10 @@ export default function png() {
     },
     decode: async (data) => {
       await initDecoder();
-      const result = await decode(data);
+      const result = await decode(new Uint8Array(data).buffer);
 
       return {
-        data: Buffer.from(result.data),
+        data: Buffer.from(new Uint8Array(result.data.buffer, result.data.byteOffset, result.data.byteLength)),
         width: result.width,
         height: result.height,
       };
diff --git a/plugins/wasm-webp/src/index.ts b/plugins/wasm-webp/src/index.ts
@@ -176,10 +176,10 @@ export default function png() {
     },
     decode: async (data) => {
       await initDecoder();
-      const result = await decode(data);
+      const result = await decode(new Uint8Array(data).buffer);
 
       return {
-        data: Buffer.from(result.data),
+        data: Buffer.from(new Uint8Array(result.data.buffer, result.data.byteOffset, result.data.byteLength)),
         width: result.width,
         height: result.height,
       };
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
