Svelte version 2.10.0 introduces subtle improvements over its predecessor, version 2.9.11, catering to developers seeking a lightweight and efficient UI framework. Both versions share the same core philosophy: a "magical disappearing UI framework" that compiles components into highly optimized vanilla JavaScript at build time, leading to exceptional runtime performance and a smaller bundle size for the end user. Key features remain consistent, including reactive statements, component-based architecture, and a streamlined templating syntax.
Examining the devDependencies reveals minimal changes, suggesting primarily bug fixes and minor internal adjustments rather than significant API alterations. While the dependency list appears identical between the two versions, the unpacked size of 2.10.0 is slightly larger, implying changes to the internal code.
For developers, upgrading from 2.9.11 to 2.10.0 should be a straightforward process with low risk of introducing breaking changes. The similarity in dependencies indicates that existing build configurations and tooling should remain compatible. The primary benefits of upgrading lie in potential performance improvements and bug fixes that enhance the overall stability and reliability of Svelte applications, making it an efficient UI library for web applications. The release date difference suggests that the newer version incorporates the latest refinements. Developers should consult the official Svelte changelog for a detailed list of specific modifications.
All vulnerabilities related to version 2.10.0 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

In attribute values:
  " -> &quot;
  & -> &amp;

In text content:
  < -> &lt;
  & -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):

```svelte
<script>
  import { page } from "$app/stores"
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>
```
If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then alert(123) will be executed.
Impact: XSS when using an attribute within a noscript tag.
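The two advisories above share one root cause: an escaper that trusts its context. The first (before 3.49.0) let non-string values reach the template unescaped, so an object's custom toString() supplied raw markup; the second (before 4.2.19) escaped only `"` and `&` in attributes, which is harmless until the browser stops treating the value as an attribute. With scripting enabled, browsers parse the contents of <noscript> as raw text, so a `</noscript>` inside the quoted href ends the element and everything after it is parsed as ordinary markup. The JavaScript below is an added illustration written for this page, not Svelte's source: it models the two behaviours with hypothetical function names (escapeLegacy, escapeAttributeValueLegacy, escapeHardened, renderNoscriptLink, canBreakOutOfNoscript), places a hardened escaper beside them, and includes a check a reviewer can run over SSR output. The sample inputs are constructed and use a benign marker rather than a script.

```javascript
// Added illustration, not Svelte's code. Function names are hypothetical.

// Escaping modelled on the rules quoted in the advisory: attribute context
// escapes only `"` and `&`; text context escapes only `<` and `&`.
function escapeLegacy(value, isAttr) {
  const str = String(value);
  return isAttr
    ? str.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    : str.replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Models the pre-3.49.0 behaviour the first advisory describes: only strings
// are escaped, any other value is returned as-is and stringified later by
// template concatenation, which calls the object's own toString().
function escapeAttributeValueLegacy(value) {
  return typeof value === "string" ? escapeLegacy(value, true) : value;
}

// Hardened variant: coerce every value to a string first, then escape the
// characters that matter in any HTML context. The output stays inert whether
// the browser parses it as an attribute, as text, or as raw <noscript> content.
function escapeHardened(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Minimal stand-in for the SSR output of the advisory's component:
//   <noscript><a href={href}>test</a></noscript>
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Review check for SSR output: the template writes exactly one </noscript>,
// so a second one means an attribute value was able to close the element.
function canBreakOutOfNoscript(html) {
  const closes = html.match(/<\/noscript\s*>/gi) || [];
  return closes.length > 1;
}

// Constructed sample input shaped like the advisory's `href` parameter,
// with a harmless marker in place of a script element.
const HREF_SAMPLE = "</noscript><b>injected</b>";

// Constructed object with a custom toString(), the case from the first advisory.
const OBJECT_SAMPLE = { toString() { return '"><b>injected</b>'; } };

function demo() {
  const legacy = renderNoscriptLink(HREF_SAMPLE, (v) => escapeLegacy(v, true));
  const hardened = renderNoscriptLink(HREF_SAMPLE, escapeHardened);
  return {
    legacyBreaksOut: canBreakOutOfNoscript(legacy),      // true
    hardenedBreaksOut: canBreakOutOfNoscript(hardened),  // false
    legacyObject: `<a title="${escapeAttributeValueLegacy(OBJECT_SAMPLE)}">`,
    hardenedObject: `<a title="${escapeHardened(OBJECT_SAMPLE)}">`,
  };
}

console.log(demo());
```

The legacy attribute escaper leaves `</noscript>` untouched because the value contains neither `"` nor `&`, and the legacy value check hands the object straight to the template, where its toString() output lands in the markup verbatim. The hardened escaper turns both into entity-encoded text, which is the property to check for in SSR output: no user-controlled value should be able to contain an unescaped `<`, whatever context the template author believes it will end up in.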