Svelte version 1.60.3 introduces subtle yet impactful changes compared to its predecessor, 1.60.2. Both versions share the same core description as "The magical disappearing UI framework," emphasizing Svelte's unique approach to front-end development where the framework's code is compiled away into highly optimized vanilla JavaScript during the build process. This results in smaller bundle sizes and improved runtime performance, appealing to developers focused on efficiency and speed.
The devDependencies remain identical between the two versions, indicating no change in the tooling required for development and testing. Both versions rely on the same set of tools, including Rollup for bundling, TypeScript for type checking, and ESLint for linting, which keeps the development workflow and code base consistent. While the development dependencies are the same, the distribution details offer a glimpse of what changed. Version 1.60.3 has a slightly larger unpacked size of 2368432 bytes compared to 1.60.2's 2358601 bytes, hinting at bug fixes, performance enhancements, or minor feature additions within the core library. The release dates also show how close together the two versions are: 1.60.3 was published on April 12, 2018, eight days after 1.60.2 on April 4, 2018, suggesting a quick turnaround for addressing issues or introducing small improvements. For developers, upgrading to 1.60.3 is generally recommended to benefit from the latest optimizations and fixes, although reviewing the detailed changelog to understand the specific changes remains best practice. Both versions are released under the MIT License, which makes them free and open source.
All vulnerabilities affecting version 1.60.3 of the package:
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
" -> &quot;
& -> &amp;
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by the browser differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when malicious content is injected into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL:
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
XSS, when using an attribute within a noscript tag
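The following is an added example, not code from the Svelte project or the advisory. It models the four escaping rules above as two context-specific escapers (an assumption about how they split: `"` and `&` for attribute values, `<` and `&` for text), renders the vulnerable page's markup with each, and applies a defender-side check for a `</noscript>` that would end the element early. The hardened escaper, which also converts `<` in attribute values, is one mitigation shown here and is not presented as the project's actual patch.

```javascript
// Added example (not Svelte's code): the page's escaping rules modelled as
// an attribute escaper and a text escaper (the split is an assumption).
const escapeAttr = (s) => String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
const escapeText = (s) => String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;");

// Hardened attribute escaper (mitigation shown here, not the project's patch):
// also escape "<" so no tag-like sequence survives inside an attribute value.
const escapeAttrHardened = (s) => escapeAttr(s).replace(/</g, "&lt;");

// Server-side rendering of the advisory's <noscript><a href={href}>test</a></noscript>
// using the supplied attribute escaper.
function renderNoscriptLink(href, esc = escapeAttr) {
  return `<noscript><a href="${esc(href)}">test</a></noscript>`;
}

// Defender-side check. With scripting enabled, browsers parse <noscript>
// content as raw text, so a literal "</noscript" anywhere inside it,
// including inside an attribute value, terminates the element. Returns true
// when the rendered HTML contains such a premature closing tag.
function leaksOutOfNoscript(html) {
  const open = "<noscript>";
  const close = "</noscript>";
  const start = html.indexOf(open);
  const end = html.lastIndexOf(close);
  if (start === -1 || end === -1 || end <= start) return false;
  const body = html.slice(start + open.length, end);
  return /<\/noscript/i.test(body);
}

// Constructed inputs: the advisory's URL parameter value and a benign href.
const maliciousHref = "</noscript><script>alert(123)</script>";
const benignHref = "https://example.com/?a=1&b=2";

// Attribute-only escaping leaves "<" untouched, so the closing tag survives.
const vulnerableHtml = renderNoscriptLink(maliciousHref, escapeAttr);
// Escaping "<" in attributes as well keeps the value inert.
const hardenedHtml = renderNoscriptLink(maliciousHref, escapeAttrHardened);
```

`leaksOutOfNoscript(vulnerableHtml)` is true while `leaksOutOfNoscript(hardenedHtml)` is false, and the benign href renders the same way under both escapers apart from `&` becoming `&amp;`.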