Svelte is a UI framework known for its "disappearing" nature: it shifts work from the browser to the compile step, resulting in highly performant web applications. Comparing versions 1.20.0 and 1.20.1, developers will find subtle but potentially impactful changes. The core functionality remains consistent, as indicated by the shared package description. Both versions rely on the same suite of development dependencies, including Rollup for bundling, Babel for JavaScript transpilation, and ESLint for linting, supporting a modern development workflow. Since the dependency lists are identical, the build process and tooling evidently remained unchanged between releases.
The key difference is the release date: version 1.20.1 was released shortly after 1.20.0, indicating a possible bug fix or minor enhancement. While the specific nature of the change isn't stated in the provided metadata, the rapid release suggests it addresses a critical issue discovered soon after the initial 1.20.0 release or adds some small enhancements. For developers, upgrading to 1.20.1 is advisable to benefit from the latest stability improvements. Both versions carry an MIT license, offering flexibility for use in various projects. The continued use of the same development dependencies reflects a commitment to a stable and well-supported development environment. Users looking for a reliable and efficient web development experience should therefore consider Svelte as a go-to tool.
All vulnerabilities affecting version 1.20.1 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
  " -> &quot;
  & -> &amp;
  < -> &lt;
  & -> &amp;
The assumption is that an attribute value will always remain an attribute value, but in some situations the final DOM tree rendered by the browser differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when malicious content is injected into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):

```svelte
<script>
  import { page } from "$app/stores";
  // user input, taken straight from the query string
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>
```
If a user accesses the following URL,

```
http://localhost:4173/?href=</noscript><script>alert(123)</script>
```

then alert(123) will be executed.
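To make the advisory's point concrete, here is an added example (not Svelte's own code) that models the escaping rules listed above in plain JavaScript, renders the +page.svelte markup with the advisory's payload, and contrasts it with an attribute escaper that also rewrites `<` and `>` (an assumed mitigation for this example, not necessarily the exact fix shipped in 4.2.19). The browser model and all function names are assumptions.

```javascript
// Added example (not Svelte's own code). It models the SSR escaping rules the
// advisory lists and shows why attribute escaping alone fails inside <noscript>.

// Attribute escaping as the advisory describes it: only `"` and `&` change.
function escapeAttrLegacy(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Text escaping as the advisory describes it: only `<` and `&` change, so a
// payload placed in text content cannot open a tag.
function escapeText(value) {
  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Hardened attribute escaping (assumed mitigation for this example): also
// rewrite `<` and `>`, so an attribute value can never become a tag boundary
// even when the browser re-parses the surrounding markup.
function escapeAttrHardened(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Server-side rendering of the advisory's +page.svelte markup.
function renderNoscriptLink(href, label, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">${escapeText(label)}</a></noscript>`;
}

// Rough model of a browser with scripting enabled: <noscript> content is raw
// text up to the first "</noscript>", and whatever follows is parsed as markup.
function markupAfterNoscript(html) {
  const open = html.indexOf("<noscript>");
  const close = html.indexOf("</noscript>", open + "<noscript>".length);
  return close === -1 ? "" : html.slice(close + "</noscript>".length);
}

// Constructed input: the payload from the advisory's example URL.
const PAYLOAD = "</noscript><script>alert(123)</script>";

// true with the legacy escaper (a script tag reaches the parser), false when hardened.
function leaksScriptTag(escapeAttr) {
  return markupAfterNoscript(renderNoscriptLink(PAYLOAD, "test", escapeAttr)).includes("<script>");
}
```

The same payload placed in text content is neutralised by `escapeText`, which is why the advisory stresses the attribute context rather than text nodes.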
XSS, when using an attribute within a noscript tag