Svelte version 1.37.0 is a minor update to the "magical disappearing UI framework," building upon the foundation laid by version 1.36.0. Examining the package metadata reveals that both versions share an identical set of development dependencies, indicating a focus on internal tooling and testing rather than significant feature additions or breaking changes in the core library. Developers already familiar with Svelte 1.36.0 can likely upgrade to 1.37.0 without encountering compatibility issues, as the update primarily involves refinements and bug fixes.
Both versions rely on a robust suite of tools for development, including Rollup for bundling, ESLint for code linting, and TypeScript for type checking. The consistent dependency list across versions suggests a stable and well-maintained development environment. Crucially, the release dates indicate a rapid iteration cycle, with version 1.37.0 released mere hours after its predecessor. This demonstrates the Svelte team's commitment to addressing issues and delivering incremental improvements quickly.
For developers considering Svelte, these versions represent a stable point in the framework's evolution. While the visible changes between these specific versions might be subtle, the speed of iteration and commitment to a strong development workflow make Svelte a compelling choice for building performant web applications. The shared dependency manifest also provides insight into the technologies used for Svelte's development, offering a valuable learning opportunity for developers looking to deepen their understanding of modern web development practices.
All the vulnerabilities related to version 1.37.0 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attribute values:
" -> &quot;
& -> &amp;
In text content:
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
```svelte
<script>
  import { page } from "$app/stores";
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
  <a href={href}>test</a>
</noscript>
```
If a user accesses the following URL:
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
XSS when using an attribute within a <noscript> tag.
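The following is an added example, not Svelte's own code: it models the two SSR escaping rules described above, renders the page's <noscript> template with the constructed `href` value from the advisory, and shows why leaving `<` unescaped in attribute values is unsafe while a rule that also escapes `<` and `>` in attributes (the hardening this example applies; the names `escapeAttrVulnerable`, `escapeAttrHardened`, `renderPage` and `containsInjectedTag` are hypothetical) keeps the markup intact.

```javascript
// Added example (not Svelte's code): minimal model of the SSR escaping rules
// described on this page, plus a defensive check on the rendered output.

// Attribute rule as described above: only & and " are escaped.
function escapeAttrVulnerable(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Text-content rule as described above: only & and < are escaped.
function escapeText(value) {
  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Hardened attribute rule used in this example: additionally escape < and >,
// so an attribute value can never introduce a tag if the browser re-parses
// the region (as it does for <noscript> content when scripting is enabled).
function escapeAttrHardened(value) {
  return escapeAttrVulnerable(value).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Server-side render of the page's template with a chosen attribute escaper.
function renderPage(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Defensive check: the template contains exactly one </noscript> and no
// <script>; anything else means an attribute value broke out of its context.
function containsInjectedTag(html) {
  const closers = (html.match(/<\/noscript/gi) || []).length;
  return closers !== 1 || /<script/i.test(html);
}

// Constructed input: the value from the advisory's example URL.
const untrustedHref = "</noscript><script>alert(123)</script>";

// With the vulnerable rule the value breaks out of the attribute; with the
// hardened rule it stays a harmless string inside href="...".
console.log(containsInjectedTag(renderPage(untrustedHref, escapeAttrVulnerable))); // true
console.log(containsInjectedTag(renderPage(untrustedHref, escapeAttrHardened)));   // false
```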