fix: remove image scaling feature (#834)

Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com>

Author: Proximyst

CHANGELOG.md

@@ -1,3 +1,7 @@
+## 4.1.3 (2025-10-29)
+
+- fix: remove image scaling feature (CVE-2023-34152), [#834](https://github.com/grafana/grafana-image-renderer/pull/834), [Proximyst](https://github.com/proximyst)
+
 ## 4.1.2 (2025-10-24)
 
 This release does not change the current Grafana Image Renderer, it is only issued to release new tags of the `-golang` variants for further testing.

package.json

@@ -35,12 +35,13 @@
     "@opentelemetry/sdk-node": "^0.52.1",
     "@opentelemetry/semantic-conventions": "^1.25.1",
     "@puppeteer/browsers": "^2.3.1",
+    "body-parser": "^2.2.0",
     "chokidar": "^3.5.2",
+    "content-disposition": "^0.5.4",
     "dompurify": "^3.2.4",
     "express": "^4.21.1",
     "express-prom-bundle": "^6.5.0",
     "ioredis": "^5.6.1",
-    "jimp": "^0.22.12",
     "jsdom": "20.0.0",
     "lodash": "^4.17.21",
     "minimist": "^1.2.6",
@@ -52,14 +53,14 @@
     "puppeteer": "^22.8.2",
     "puppeteer-cluster": "^0.24.0",
     "rate-limiter-flexible": "^7.0.0",
-    "tar-fs": "^3.1.1",
     "unique-filename": "^2.0.1",
     "winston": "^3.8.2"
   },
   "devDependencies": {
     "@eslint/js": "^9.31.0",
     "@grafana/eslint-config": "^8.1.0",
     "@grafana/sign-plugin": "^3.1.3",
+    "@jest/reporters": "^30.2.0",
     "@stylistic/eslint-plugin-ts": "^4.4.1",
     "@types/content-disposition": "^0.5.9",
     "@types/express": "^4.17.14",
@@ -86,6 +87,7 @@
     "jest": "^29.7.0",
     "jsonwebtoken": "^9.0.2",
     "lint-staged": "13.0.3",
+    "pixelmatch": "^4.0.2",
     "prettier": "2.7.1",
     "supertest": "^7.0.0",
     "ts-jest": "^29.1.1",

plugin.json

@@ -24,8 +24,8 @@
         "url": "https://github.com/grafana/grafana-image-renderer/blob/master/LICENSE"
       }
     ],
-    "version": "4.1.2",
-    "updated": "2025-10-24"
+    "version": "4.1.3",
+    "updated": "2025-10-29"
   },
   "dependencies": {
     "grafanaDependency": ">=11.3.8"

src/browser/browser.ts

@@ -6,7 +6,6 @@ import chokidar from 'chokidar';
 import path from 'path';
 import fs from 'fs';
 import promClient from 'prom-client';
-import Jimp from 'jimp';
 import { Logger } from '../logger';
 import { RenderingConfig } from '../config/rendering';
 import { HTTPHeaders, ImageRenderOptions, RenderOptions } from '../types';
@@ -106,19 +105,7 @@ export class Browser {
     }
 
     options.deviceScaleFactor = parseFloat(((options.deviceScaleFactor as string) || '1') as string) || 1;
-
-    // Scaled thumbnails
-    if (options.deviceScaleFactor <= 0) {
-      options.scaleImage = options.deviceScaleFactor * -1;
-      options.deviceScaleFactor = 1;
-
-      if (options.scaleImage > 1) {
-        options.width *= options.scaleImage;
-        options.height *= options.scaleImage;
-      } else {
-        options.scaleImage = undefined;
-      }
-    } else if (options.deviceScaleFactor > this.config.maxDeviceScaleFactor) {
+    if (options.deviceScaleFactor > this.config.maxDeviceScaleFactor) {
       options.deviceScaleFactor = this.config.deviceScaleFactor;
     }
   }
@@ -408,24 +395,6 @@ export class Browser {
       return page.screenshot({ path: options.filePath, fullPage: options.fullPageImage, captureBeyondViewport: false });
     });
 
-    if (options.scaleImage && !isPDF) {
-      await this.performStep('imageResize', options.url, signal, async () => {
-        const scaled = `${options.filePath}_${Date.now()}_scaled.png`;
-        const w = +options.width / options.scaleImage!;
-        const h = +options.height / options.scaleImage!;
-
-        const file = await Jimp.read(options.filePath);
-        await file
-          .resize(w, h)
-          // .toFormat('webp', {
-          //   quality: 70, // 80 is default
-          // })
-          .writeAsync(scaled);
-
-        fs.renameSync(scaled, options.filePath);
-      });
-    }
-
     return { filePath: options.filePath };
   }
 

src/types.ts

@@ -24,5 +24,4 @@ export interface ImageRenderOptions extends RenderOptions {
 
   // Runtime options derived from the input
   fullPageImage?: boolean;
-  scaleImage?: number;
 }