Svelte 1.8.1 is a minor patch release following Svelte 1.8.0 in the 1.x series of this "disappearing UI framework." According to the package data, both versions share the same core dependencies, including magic-string for source code manipulation. Their development dependencies are also identical, covering the tools used for building, testing, and linting the Svelte compiler: testing frameworks such as mocha and jsdom, bundlers such as rollup, and linting tools such as eslint.
The key difference lies in the releaseDate: Svelte 1.8.1 was published approximately 4 hours later than 1.8.0 on March 1st, 2017. Consequently, the dist.tarball URLs point to different files reflecting this update. Given the minimal version number change, developers can reasonably assume 1.8.1 contains bug fixes or very minor improvements over 1.8.0. Upgrading from 1.8.0 to 1.8.1 should be straightforward with minimal to no breaking changes if the patch follows semantic versioning principles.
For developers using Svelte, this signifies a stable and actively maintained framework. The consistent dependency list showcases a well-established development workflow. While the change between these versions might not introduce new features, embracing the latest patch release is generally recommended for stability and reliability in building performant web applications with Svelte's unique compile-to-JavaScript approach.
All vulnerabilities related to version 1.8.1 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attribute values:
" -> &quot;
& -> &amp;
In text content:
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by the browser differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL:
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
XSS, when using an attribute within a noscript tag
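The following is an added example, not code from Svelte or from the advisory. It models the two escaping policies quoted above (attribute values versus text content), renders the advisory's +page.svelte markup on the server with the advisory's own href value, and then applies the browser rule that makes the bug exploitable: with scripting enabled, the contents of <noscript> are parsed as raw text, so the first </noscript> end tag closes the element even when it sits inside a quoted attribute. The function names, the renderPage helper and the "hardened" policy (which additionally escapes < and > inside attribute values) are assumptions chosen for illustration; whether the hardened policy matches the upstream fix in 4.2.19 byte for byte is not claimed.

```javascript
// Added example (assumed helper names); models the SSR escaping rules from the advisory.
const ENTITIES = { '"': '&quot;', '&': '&amp;', '<': '&lt;', '>': '&gt;' };

// Attribute escaping as the advisory describes it for versions before 4.2.19:
// only `"` and `&` are replaced, so `<` and `>` pass through untouched.
function escapeAttrLegacy(value) {
  return String(value).replace(/[&"]/g, (ch) => ENTITIES[ch]);
}

// Text-content escaping as the advisory describes it: `<` and `&` are replaced.
function escapeContent(value) {
  return String(value).replace(/[&<]/g, (ch) => ENTITIES[ch]);
}

// Hardened attribute escaping (assumption, for illustration): also replace `<` and `>`,
// so no tag boundary can ever appear inside an attribute value.
function escapeAttrHardened(value) {
  return String(value).replace(/[&"<>]/g, (ch) => ENTITIES[ch]);
}

// Server-side render of the advisory's +page.svelte: an <a href> inside <noscript>,
// with `href` taken from user input. `escapeAttr` selects the attribute escaping policy;
// the link text goes through content escaping as it would in a text node.
function renderPage(href, escapeAttr, label = 'test') {
  return `<noscript><a href="${escapeAttr(href)}">${escapeContent(label)}</a></noscript>`;
}

// Minimal model of a scripting-enabled browser parsing <noscript>: its contents are raw
// text, so the first `</noscript>` after the start tag closes the element regardless of
// attribute quoting. Returns the markup the browser then parses as live HTML, i.e. the
// part that a server-side escaper must never let out of the attribute.
function markupAfterNoscript(html) {
  const start = html.indexOf('<noscript>');
  if (start === -1) return '';
  const end = html.indexOf('</noscript>', start + '<noscript>'.length);
  if (end === -1) return '';
  return html.slice(end + '</noscript>'.length);
}

// True when the rendered page lets a <script> element escape the <noscript> block.
function rendersLiveScript(href, escapeAttr) {
  return /<script\b/i.test(markupAfterNoscript(renderPage(href, escapeAttr)));
}

// Constructed input: the href query value from the advisory's example URL.
const ADVISORY_HREF = '</noscript><script>alert(123)</script>';

console.log(renderPage(ADVISORY_HREF, escapeAttrLegacy));
console.log('legacy attribute escaping leaks a script element:  ',
  rendersLiveScript(ADVISORY_HREF, escapeAttrLegacy));
console.log('hardened attribute escaping leaks a script element:',
  rendersLiveScript(ADVISORY_HREF, escapeAttrHardened));
```

The point the model makes is that the legacy output is well-formed from the server's perspective (the payload sits inside a double-quoted attribute) yet the browser never tokenizes attributes inside a raw-text element, so the only robust server-side defence is to make sure `<` cannot survive in any attribute value. The same check can be run over any SSR output as a regression test: render with user-controlled values and assert that nothing follows the first `</noscript>`.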