Svelte version 1.23.4 marks a minor update from version 1.23.3 in the ongoing development of this "magical disappearing UI framework." Inspecting the metadata reveals that the core dependencies remain virtually identical between the two releases. Both versions rely on a comprehensive suite of development tools, encompassing testing frameworks like Mocha and code coverage tools (nyc, codecov), linters (eslint), module bundlers (Rollup), and various Babel plugins for ES2015 transformations. This consistent dependency structure suggests that the changes between 1.23.3 and 1.23.4 likely involve bug fixes, performance enhancements, or minor feature tweaks rather than significant architectural shifts.
For developers using Svelte, this means that upgrading from 1.23.3 to 1.23.4 should be a relatively seamless experience, minimizing the risk of breaking changes. The continued reliance on established tools such as Rollup and Babel reinforces Svelte's commitment to modern JavaScript development workflows. The framework targets developers seeking a component-based approach to building user interfaces, with a focus on delivering highly optimized and performant code. Considering the release dates less than an hour apart, the newer version is likely a patch addressing last-minute issues discovered in the earlier release. Check the official Svelte changelog for detailed release notes to understand the exact nature of the improvements and ensure a smooth transition.
All the vulnerabilities related to version 1.23.4 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
"
-> "
&
-> &
<
-> <
&
-> &
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
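An added example (not code from the Svelte project or the advisory) that models the attribute-escaping rules listed above in plain JavaScript, renders the noscript link from the vulnerable page the way an SSR pass would, and checks whether the rendered attribute value closes the <noscript> element; escapeAttrHardened is a hypothetical stricter escaper written for this illustration, not the project's own fix.

```javascript
// Attribute escaping as described in the advisory (pre-4.2.19 behaviour):
// only " and & are rewritten, so < and > survive inside attribute values.
function escapeAttrLegacy(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Text-content escaping as described in the advisory: < and & are rewritten.
function escapeText(value) {
  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Hypothetical hardened attribute escaper (assumption for this example):
// additionally neutralise < and > so no tag can be formed inside an attribute.
function escapeAttrHardened(value) {
  return escapeAttrLegacy(value).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Render the markup of the vulnerable +page.svelte with a chosen escaper.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Detection check for SSR output: with scripting enabled, browsers treat the
// body of <noscript> as raw text and end it at the first </noscript>, so any
// </noscript> inside the body means the attribute context is lost.
function breaksOutOfNoscript(html) {
  const start = "<noscript>".length;
  const inner = html.slice(start, html.lastIndexOf("</noscript>"));
  return /<\/noscript/i.test(inner);
}

// Constructed input mirroring the URL parameter from the advisory.
const constructedPayload = "</noscript><script>alert(123)</script>";

// Compare both escapers on the same input.
function compareEscapers() {
  return {
    legacyBreaksOut: breaksOutOfNoscript(renderNoscriptLink(constructedPayload, escapeAttrLegacy)),
    hardenedBreaksOut: breaksOutOfNoscript(renderNoscriptLink(constructedPayload, escapeAttrHardened)),
  };
}
```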
XSS, when using an attribute within a noscript tag