Svelte version 1.15.0 arrived on April 13, 2017, swiftly following version 1.14.1 which was released just the day before. Both versions maintain the core promise of Svelte: "The magical disappearing UI framework," emphasizing its compile-time approach that results in highly performant and efficient JavaScript code. Looking at the devDependencies, the versions appear almost identical, sharing a suite of tools for development, testing, and code quality. These include testing frameworks like mocha, bundlers like rollup, and linters like eslint, alongside Babel plugins for ES2015 transformations. The core tooling setup for Svelte development remains consistent between these releases.
Given the very close release dates and identical devDependencies, the changes between 1.14.1 and 1.15.0 are likely to be bug fixes, performance tweaks, or minor enhancements rather than major feature additions. For developers, this suggests a stable and actively maintained library, where incremental improvements are prioritized. While the specific changes aren't detailed in the metadata, upgrading from 1.14.1 to 1.15.0 is likely a low-risk operation, offering a potentially more refined and robust development experience without introducing breaking changes. The use of a comprehensive suite of devDependencies highlights a commitment to code quality and a smooth development workflow.
All vulnerabilities related to version 1.15.0 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attribute values:
" -> &quot;
& -> &amp;
In text content:
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay attributes, but in some situations the final DOM tree rendered by the browser differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
  import { page } from "$app/stores"
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
  <a href={href}>test</a>
</noscript>
If a user accesses the following URL:
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
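Modelling the escaping rules above, as an added example (my code, not Svelte's): it renders the advisory's template server-side with the described attribute escaping, checks whether the <noscript> boundary survives, and contrasts a hardened escaper that also escapes < in attribute values. The renderPage template is a hand-written stand-in for Svelte's SSR output, and the hardened variant illustrates one mitigation rather than copying the 4.2.19 fix.

```javascript
// Added example (not Svelte's code): model the SSR escaping rules from the
// advisory, show why they leave the <noscript> attribute injection intact,
// and contrast a hardened escaper that also escapes "<" inside attributes.

// Vulnerable rules as described on the page: attribute values escape only
// `"` and `&`; text content escapes only `<` and `&`.
function escapeAttrVulnerable(value) {
  return String(value).replace(/[&"]/g, (c) => (c === '&' ? '&amp;' : '&quot;'));
}

function escapeText(value) {
  return String(value).replace(/[&<]/g, (c) => (c === '&' ? '&amp;' : '&lt;'));
}

// Hardened variant (an added mitigation, not a copy of Svelte's patch): also
// escape `<` and `>` in attribute values, so a literal "</noscript>" can never
// reach the server-rendered markup through an attribute.
function escapeAttrHardened(value) {
  const map = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
  return String(value).replace(/[&"<>]/g, (c) => map[c]);
}

// Hand-written stand-in for the SSR output of the page's template,
// parameterised by the attribute escaper in use.
function renderPage(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Defensive check: with scripting enabled the browser treats <noscript> as a
// raw-text element, so its content ends at the first "</noscript>" the
// tokenizer sees, regardless of attribute quotes. A closing tag anywhere
// before the one the template itself emitted means the boundary can be broken.
function noscriptBoundaryIntact(html) {
  const inner = html.slice(html.indexOf('<noscript>') + '<noscript>'.length);
  return inner.indexOf('</noscript>') === inner.length - '</noscript>'.length;
}

// Constructed input mirroring the advisory's ?href= parameter.
const hrefParam = '</noscript><script>alert(123)</script>';
const vulnerableHtml = renderPage(hrefParam, escapeAttrVulnerable);
const hardenedHtml = renderPage(hrefParam, escapeAttrHardened);

console.log('vulnerable boundary intact:', noscriptBoundaryIntact(vulnerableHtml)); // false
console.log('hardened boundary intact:  ', noscriptBoundaryIntact(hardenedHtml));  // true
```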
XSS, when using an attribute within a noscript tag