Svelte, the "magical disappearing UI framework," saw a minor version update from 1.23.1 to 1.23.2, both released on the same day (June 23, 2017). For developers using or considering Svelte, understanding these incremental changes is important for stability and compatibility.
The core description and development dependencies remain largely the same between versions, indicating a focus on bug fixes and minor improvements rather than major feature additions. Both versions share an identical suite of development tools, including the Mocha testing framework and the NYC code coverage tool, as well as a comprehensive set of Babel plugins for ES2015 transpilation. This setup allows Svelte developers to write modern JavaScript while ensuring compatibility with older browsers. Other listed dependencies include Rollup, TypeScript, ESLint and Prettier, among others, which are helpful both for developers who aim to contribute to the package and for those who just use it.
The key difference appears to be the release timing: version 1.23.2 was released approximately two hours after 1.23.1. This suggests that version 1.23.2 likely addresses a critical bug or issue discovered shortly after the initial release of 1.23.1. For developers, this means upgrading to 1.23.2 is highly recommended to benefit from potential bug fixes and stability improvements. The tarball URLs in the "dist" field are of course different between the two versions, because they are different builds.
All the vulnerabilities related to version 1.23.2 of the package:
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
For attribute values:
    "  ->  &quot;
    &  ->  &amp;
For text content:
    <  ->  &lt;
    &  ->  &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):

<script>
    import { page } from "$app/stores";
    // user input
    let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
    <a href={href}>test</a>
</noscript>
If a user accesses the following URL,

    http://localhost:4173/?href=</noscript><script>alert(123)</script>

then alert(123) will be executed.
Impact: XSS, when using an attribute within a <noscript> tag.
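The escaping rules above and the <noscript> context change they allow, modelled as an added example (this is not Svelte's own code): a small JavaScript escaper that follows the two rule sets the advisory lists, a hardened variant that also escapes `<` in attribute values (my assumption about what a fix needs to do, not necessarily the upstream patch), and a check a defender can run over rendered output. The function names, the regexes and the sample input are mine.

```javascript
// Added example modelling the advisory's SSR escaping rules; not Svelte source.

// Rules as the advisory lists them: attribute values escape only `"` and `&`,
// text content escapes only `<` and `&`. Note that `<` survives in attributes.
const ATTR_CHARS = /[&"]/g;
const CONTENT_CHARS = /[&<]/g;
// Hardened variant (assumption: a fix must also escape `<` in attribute values).
const ATTR_CHARS_HARDENED = /[&"<]/g;

const ENTITIES = { '&': '&amp;', '"': '&quot;', '<': '&lt;' };

function escapeWith(pattern, value) {
  return String(value).replace(pattern, (ch) => ENTITIES[ch]);
}

const escapeAttrVulnerable = (v) => escapeWith(ATTR_CHARS, v);
const escapeAttrHardened = (v) => escapeWith(ATTR_CHARS_HARDENED, v);
const escapeContent = (v) => escapeWith(CONTENT_CHARS, v);

// Mimics the server output of `<noscript><a href={href}>test</a></noscript>`
// from the advisory's +page.svelte, with a pluggable attribute escaper.
function renderPage(href, attrEscape) {
  return `<noscript><a href="${attrEscape(href)}">test</a></noscript>`;
}

// Defender's check on rendered output: the template contributes exactly one
// `</noscript>`; any further occurrence came from attribute data and means the
// browser will close the noscript element early and parse the rest as markup.
function leaksClosingNoscript(html) {
  return (html.match(/<\/noscript>/gi) || []).length > 1;
}

// Constructed untrusted input: closes the noscript element from inside the attribute.
const untrustedHref = '</noscript><i>no longer inside an attribute</i>';

console.log('vulnerable:', renderPage(untrustedHref, escapeAttrVulnerable));
console.log('hardened:  ', renderPage(untrustedHref, escapeAttrHardened));
```

Run with `node` to compare the two renderings; only the vulnerable one contains a second raw `</noscript>`.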