Svelte version 1.55.0 arrived on February 11, 2018, just two days after version 1.54.2. Both versions share the same core description as "The magical disappearing UI framework", highlighting Svelte's key feature of compiling away into highly optimized vanilla JavaScript during build time. This approach leads to smaller bundle sizes and improved runtime performance, appealing to developers who prioritize efficiency and speed in their web applications.
Examining the devDependencies, both versions list identical dependencies covering development, testing, and building. These include the linter eslint, the test tooling mocha and jsdom, rollup for bundling, and typescript, which indicates the codebase is written in TypeScript. The long list shows that the package is developed with modern tooling conventions.
The most apparent difference lies in the dist section. Version 1.55.0 has an unpackedSize of 2301826 bytes, slightly larger than version 1.54.2's 2294110 bytes. While the difference is small, it suggests that version 1.55.0 includes some new features, optimizations, or possibly dependency updates that resulted in a slightly larger package. Developers may want to keep this small size increase in mind when upgrading, as in bigger projects it may imply an increase in the app's bundle size.
The release date provides another key distinction. The two-day gap between versions indicates that version 1.55.0 likely addresses bug fixes or improvements identified shortly after the release of version 1.54.2. Developers are advised to upgrade to the newest version to get the latest stable features and fixes.
Vulnerabilities affecting version 1.55.0 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules (the first pair applies to attribute values, the second to text content):

`"` -> `&quot;`
`&` -> `&amp;`
`<` -> `&lt;`
`&` -> `&amp;`
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a `<noscript>` tag.
A vulnerable page (`+page.svelte`):

```svelte
<script>
  import { page } from "$app/stores";
  // user input: read straight from the query string and placed into an attribute
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>
```
If a user accesses the following URL, `http://localhost:4173/?href=</noscript><script>alert(123)</script>`, then `alert(123)` will be executed.
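The following JavaScript is an added illustration of the two SSR escaping flaws described above (the toString() advisory and the `<noscript>` advisory); it is not Svelte's source and not the project's patch. The "strings-only" and "legacy" escapers are assumptions that model the flawed behaviour as the advisory text describes it, the hardened escaper is my own suggested direction, and the `<noscript>` parser is a deliberately small model of how a scripting-enabled browser treats that element's content as raw text. The sample inputs are constructed; the payload is the query value quoted in the PoC above.

```javascript
// Constructed sample inputs. PAYLOAD is the href value from the advisory PoC.
const BENIGN_HREF = 'https://example.com';
const PAYLOAD = '</noscript><script>alert(123)</script>';

// Escaping rules as listed above: attribute values escape `"` and `&`,
// text content escapes `<` and `&`. Re-implemented here for illustration.
const ATTR_MAP = { '&': '&amp;', '"': '&quot;' };
const CONTENT_MAP = { '&': '&amp;', '<': '&lt;' };

function escapeAttrLegacy(value) {
  return String(value).replace(/[&"]/g, (c) => ATTR_MAP[c]);
}

function escapeContent(value) {
  return String(value).replace(/[&<]/g, (c) => CONTENT_MAP[c]);
}

// Model of the first advisory (assumption): an escaper that only handles
// strings lets an object reach the template unescaped, because the template
// literal later calls its custom toString().
function escapeAttrStringsOnly(value) {
  return typeof value === 'string' ? escapeAttrLegacy(value) : value;
}

// Hardened attribute escaper (own suggestion, not Svelte's fix): coerce to a
// string first so toString() output is escaped too, and also neutralise `<`
// and `>` so an attribute value can never spell out a tag, whatever context
// the browser ends up parsing it in.
const HARDENED_MAP = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
function escapeAttrHardened(value) {
  return String(value).replace(/[&"<>]/g, (c) => HARDENED_MAP[c]);
}

// Renders the PoC's <noscript><a href={href}>test</a></noscript> markup the
// way an SSR step would, using the supplied attribute escaper.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Model of a scripting-enabled browser: <noscript> content is raw text, so
// the element ends at the first "</noscript" it sees, quotes notwithstanding.
// Returns what stays inside the element and what spills out after it.
function parseNoscriptRawText(html) {
  const start = html.indexOf('<noscript>') + '<noscript>'.length;
  const end = html.toLowerCase().indexOf('</noscript', start);
  if (end === -1) return { content: html.slice(start), trailing: '' };
  const close = html.indexOf('>', end);
  return { content: html.slice(start, end), trailing: html.slice(close + 1) };
}

// Defender's check over rendered SSR output: does anything that escapes the
// <noscript> raw text introduce a <script> element? True means the attribute
// value broke out of its context.
function escapesToScriptElement(html) {
  return /<script\b/i.test(parseNoscriptRawText(html).trailing);
}

// Object with a custom toString(), as in the first advisory (constructed).
const hostileObject = { toString: () => PAYLOAD };

// Compare the three escapers on the same inputs.
for (const [name, esc] of Object.entries({ escapeAttrStringsOnly, escapeAttrLegacy, escapeAttrHardened })) {
  for (const input of [BENIGN_HREF, PAYLOAD, hostileObject]) {
    const html = renderNoscriptLink(input, esc);
    console.log(name, JSON.stringify(String(input)), 'breaks out:', escapesToScriptElement(html));
  }
}
```

Two points the comparison makes visible: the strings-only escaper and the legacy attribute rules both let the PoC payload through, the first because the object is never escaped at all and the second because `<` is legal inside a quoted attribute and so was left alone; once the browser re-parses the `<noscript>` body as raw text, that quoted context no longer exists. Escaping `<` and `>` in attribute values as well removes the dependence on the parser agreeing with the server about context, and the `escapesToScriptElement` check is the kind of assertion worth running over SSR snapshots in tests.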
XSS when using an attribute within a `<noscript>` tag.