Svelte 2.10.1 is a patch release that followed closely on version 2.10.0; both are iterations of the "magical disappearing UI framework". The published package metadata shows the same core functionality and the same developer dependencies for both versions, which suggests that the update from 2.10.0 to 2.10.1 focused on bug fixes and minor improvements rather than on new features or API changes.
For developers using Svelte, this implies a low-risk upgrade. The unchanged dependency set, including Rollup, TypeScript and ESLint, indicates that the build and development workflow established in 2.10.0 carries over to 2.10.1, and the absence of dependency version bumps makes compatibility issues caused by the upgrade unlikely.
The different releaseDate and the slightly larger unpackedSize of version 2.10.1 further point to internal adjustments and refinements. Developers should review the official Svelte changelog for a detailed account of the resolved issues. While the differences appear subtle, promptly adopting patch releases like 2.10.1 is a recommended practice for keeping the development environment stable and reliable. Ultimately, the quick iteration suggests a commitment to maintaining quality and addressing user feedback efficiently.
All vulnerabilities affecting version 2.10.1 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attributes:
  " -> &quot;
  & -> &amp;
In text content:
  < -> &lt;
  & -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by the browser is different from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
  import { page } from "$app/stores"
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
XSS, when using an attribute within a noscript tag
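The following is an added example, not code from Svelte or from the advisories: it models the SSR escaping rules quoted above, renders the page's <noscript><a href={href}> template with the value from the PoC URL, and applies a defender's check for values that leave a tag-like sequence inside an attribute. The pre-3.49.0 string-only escaping and the hardened escaper that also encodes < in attributes are assumptions about the respective behaviours, not code taken from the project.

```javascript
// Added example (not Svelte's own code). PAYLOAD is the value from the PoC URL above.
const PAYLOAD = '</noscript><script>alert(123)</script>';
const ENTITIES = { '"': '&quot;', '&': '&amp;', '<': '&lt;' };

// Rules as described for Svelte < 4.2.19: attributes escape only " and &,
// text content escapes only < and &.
function escapeLegacy(value, isAttr) {
  const pattern = isAttr ? /["&]/g : /[<&]/g;
  return String(value).replace(pattern, (ch) => ENTITIES[ch]);
}

// Assumed model of the pre-3.49.0 behaviour: only strings were escaped, so an
// object's custom toString() result reached the output verbatim.
function escapePre349(value, isAttr) {
  return typeof value === 'string' ? escapeLegacy(value, isAttr) : String(value);
}

// Hardened variant (assumption: mirrors the mitigation in 4.2.19): < is escaped
// in attribute values too, so no closing tag can survive inside an attribute.
function escapeHardened(value, isAttr) {
  const pattern = isAttr ? /["&<]/g : /[<&]/g;
  return String(value).replace(pattern, (ch) => ENTITIES[ch]);
}

// Server-side render of the page's template with a chosen escaper.
function renderNoscriptLink(href, escape) {
  return `<noscript><a href="${escape(href, true)}">test</a></noscript>`;
}

// Defender's check: the template itself emits exactly four tags. Any extra
// tag-like sequence comes from the attribute value; inside <noscript>, which
// browsers tokenize as raw text when scripting is enabled, the attribute
// quoting is not honoured, so such a sequence ends the noscript element.
function breaksOut(html) {
  const tags = html.match(/<\/?[a-z]/gi) || [];
  return tags.length > 4;
}

// Constructed object with a custom toString(), as in the first advisory.
const objectValue = { toString: () => PAYLOAD };

console.log(breaksOut(renderNoscriptLink(objectValue, escapePre349))); // true
console.log(breaksOut(renderNoscriptLink(PAYLOAD, escapeLegacy)));     // true
console.log(breaksOut(renderNoscriptLink(PAYLOAD, escapeHardened)));   // false
```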