Svelte 1.10.3 is a patch release following 1.10.2 of the "magical disappearing UI framework". The package metadata of the two versions is identical: the same runtime dependency, magic-string (a string-manipulation library that Svelte's compiler uses when generating output), and the same devDependencies, namely rollup for bundling, eslint for linting, mocha for tests, and the Babel and Rollup plugins used by the build. Nothing in the metadata itself says what changed between the two releases.
Because the metadata is unchanged, the actual difference between 1.10.2 and 1.10.3 has to be read from the project's changelog or release notes in the GitHub repository (https://github.com/sveltejs/svelte.git). Taking the latest patch within a release line is normally the right default, but note that a bump within 1.10.x does not address the advisories listed below: their fixes landed in 3.49.0 and 4.2.19, so a project on 1.10.3 that server-renders untrusted data into markup stays exposed until it moves to a fixed major version.
All vulnerabilities affecting version 1.10.3 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attribute values when objects are used during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function: the SSR escaping step only handled plain strings, so an object bound to an attribute reached the rendered output unescaped and was coerced to a string afterwards, by which point whatever toString() returned was already inside the attribute. The pattern to audit is any non-string value derived from request data that a component binds to an attribute.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19. It is a mutation XSS (mXSS): the markup Svelte emits is consistent by its own escaping rules, but the browser's parser builds a different tree from it.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

Attribute values:
  " -> &quot;
  & -> &amp;

Element content:
  < -> &lt;
  & -> &amp;

The assumption is that an attribute value always ends up in an attribute, so leaving < unescaped there is harmless. In some situations, however, the DOM tree the browser builds differs from what Svelte expects on the server, and the mismatch can be leveraged for XSS. Specifically, this happens when malicious content is injected into an attribute inside a <noscript> tag: when JavaScript is enabled, the browser parses the body of <noscript> as raw text, so a literal </noscript> inside the attribute value closes the element and whatever follows it is parsed as markup.
A vulnerable page (+page.svelte):

    <script>
      import { page } from "$app/stores";
      // user input: the href query parameter is rendered as-is
      let href = $page.url.searchParams.get("href") ?? "https://example.com";
    </script>

    <noscript>
      <!-- attribute inside <noscript>: the server escapes only & and " here -->
      <a href={href}>test</a>
    </noscript>
If a user accesses the following URL:

    http://localhost:4173/?href=</noscript><script>alert(123)</script>

then alert(123) is executed. The server escapes only & and " in the attribute, so the rendered HTML contains <a href="</noscript><script>alert(123)</script>"> verbatim; a browser with JavaScript enabled ends the <noscript> element at the first </noscript> it sees and then parses the injected <script> as a real tag. With JavaScript disabled the breakout still happens, but the script does not run, which is why the bug only matters in the scripting-enabled case. The fix in 4.2.19 escapes < in attribute values as well, so the closing tag can no longer appear literally.
XSS, when using an attribute within a noscript tag
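Both advisories above come down to the same server-side escaping step, so the following added example (not Svelte's own source, and not taken from the advisories) models the two defects side by side with simplified escapers: a pre-3.49.0 style escaper that skips non-strings, a pre-4.2.19 style attribute escaper that leaves < alone, and a hardened version, each run against the advisory's </noscript> payload and an object with a custom toString(). The function names, the tiny noscript and attribute parsers, and the payload constants are all this example's own assumptions, not Svelte APIs.

```javascript
// Added example, not Svelte's own source: a simplified model of the two
// server-side escaping defects described on this page, with a hardened
// escaper beside them. Every function and payload name here is the example's own.

// (1) Pre-3.49.0 behaviour, simplified: only plain strings get escaped. An
// object passes through unchanged and is stringified later, when the rendered
// template is assembled, so its custom toString() output is never escaped.
function legacyAttrEscape(value) {
  if (typeof value !== 'string') return value;
  return value.replace(/[&"]/g, (c) => (c === '&' ? '&amp;' : '&quot;'));
}

// (2) 4.x behaviour before 4.2.19, simplified: everything is stringified, but
// attribute context escapes only & and ". A literal < survives.
function attrEscapeBefore4219(value) {
  return String(value).replace(/[&"]/g, (c) => (c === '&' ? '&amp;' : '&quot;'));
}

// Hardened escaper: stringify first (so toString() runs before escaping),
// then escape &, ", < and > regardless of where the value is placed.
const ENTITIES = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
function attrEscapeFixed(value) {
  return String(value).replace(/[&"<>]/g, (c) => ENTITIES[c]);
}

// Stand-ins for the SSR output of `<a href={href}>test</a>`, bare and wrapped
// in <noscript> as in the vulnerable +page.svelte above.
function renderAnchor(href, escapeAttr) {
  return `<a href="${escapeAttr(href)}">test</a>`;
}
function renderNoscriptAnchor(href, escapeAttr) {
  return `<noscript>${renderAnchor(href, escapeAttr)}</noscript>`;
}

// Models how a browser with JavaScript enabled parses <noscript>: its body is
// raw text up to the first literal "</noscript>", and everything after that
// close tag is parsed as ordinary markup. True if a <script> tag lands there.
function scriptEscapesNoscript(html) {
  const bodyStart = html.indexOf('<noscript>') + '<noscript>'.length;
  const closeAt = html.indexOf('</noscript>', bodyStart);
  const afterNoscript = html.slice(closeAt + '</noscript>'.length);
  return /<script\b/i.test(afterNoscript);
}

// Quote-aware tokenizer for the attributes of the first start tag
// (name="value" pairs, double quotes only), enough to see whether a payload
// broke out of the href value and introduced a second attribute.
function parseStartTagAttributes(html) {
  const from = html.indexOf(' ') + 1;
  let end = from;
  let inQuote = false;
  for (; end < html.length; end++) {
    if (html[end] === '"') inQuote = !inQuote;
    else if (html[end] === '>' && !inQuote) break;
  }
  const text = html.slice(from, end);
  const attrs = {};
  const pair = /([^\s=]+)="([^"]*)"/g;
  let m;
  while ((m = pair.exec(text)) !== null) attrs[m[1]] = m[2];
  return attrs;
}
function hasInjectedAttribute(html) {
  return Object.keys(parseStartTagAttributes(html)).some((name) => name !== 'href');
}

// Constructed payloads mirroring the two advisories.
const NOSCRIPT_PAYLOAD = '</noscript><script>alert(123)</script>';
const TOSTRING_PAYLOAD = { toString() { return '" onmouseover="alert(1)'; } };

// Runs each payload through the flawed escaper and the hardened one.
function demo() {
  return {
    noscriptVulnerable: scriptEscapesNoscript(renderNoscriptAnchor(NOSCRIPT_PAYLOAD, attrEscapeBefore4219)),
    noscriptFixed: scriptEscapesNoscript(renderNoscriptAnchor(NOSCRIPT_PAYLOAD, attrEscapeFixed)),
    toStringVulnerable: hasInjectedAttribute(renderAnchor(TOSTRING_PAYLOAD, legacyAttrEscape)),
    toStringFixed: hasInjectedAttribute(renderAnchor(TOSTRING_PAYLOAD, attrEscapeFixed)),
  };
}

console.log(demo());
```

The two checks are deliberately crude stand-ins for a browser: scriptEscapesNoscript only knows that raw-text parsing stops at the first </noscript>, and parseStartTagAttributes only understands double-quoted attributes. That is enough to show the point that matters for a reviewer: coercing to a string before escaping closes the toString() bypass, and escaping < in attribute values closes the noscript breakout, and neither fix costs anything for legitimate hrefs.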