Svelte version 2.13.0 introduces subtle refinements over the previous stable release, 2.12.1, continuing to solidify its position as a "magical disappearing UI framework." Both versions share the same core development dependencies, indicating a consistent tooling and build process: Rollup, TypeScript, ESLint, and Prettier remain integral to the Svelte development workflow. The notable difference lies in the distribution details. The 2.13.0 package has a markedly smaller unpacked size, which may reflect changes in code generation or in which assets are shipped in the tarball.
Both versions carry the same MIT license, author (Rich Harris), and repository. The reduced unpacked size of 2.13.0 is worth a closer look, but it measures the installed package on disk, not the code a Svelte application ships to browsers; any claim of faster load times or better runtime performance should be verified against the compiled output of a real application rather than inferred from the package size. The file count in the distributed tarball also differs slightly, which suggests a change in how the package is structured.
For developers already on 2.12.1, upgrading to 2.13.0 should require little effort: the two releases are close together in time, so the changes are likely small. Review the changelog or release notes on the Svelte GitHub repository to understand the specific bug fixes, performance enhancements, or new features in this version. Note that this upgrade does not address either of the advisories listed below: both concern escaping during server-side rendering and are fixed only in 3.49.0 and 4.2.19 respectively, so 2.12.1 and 2.13.0 both fall inside the affected ranges.
All vulnerabilities affecting version 2.13.0 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attribute values when objects are used during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function: a non-string attribute value is not escaped, and the output of its toString() is inserted into the rendered markup verbatim.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attribute values:
" -> &quot;
& -> &amp;
In text content:
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag: when scripting is enabled, browsers parse the content of <noscript> as raw text, so the quotes and the <a> tag the server emitted are not interpreted as markup, and a </noscript> sequence inside the attribute value ends the element early, leaving whatever follows to be parsed as ordinary HTML. Because attribute escaping leaves < and > untouched, a <script> tag placed there survives escaping intact.
A vulnerable page (+page.svelte):
<script>
  import { page } from "$app/stores";
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
  <a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
XSS, when using an attribute within a noscript tag
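The two advisories above describe the same class of failure from two directions: either a value reaches an attribute position without the escaping the renderer assumed (a non-string object whose toString() runs when the template string is assembled), or the escaping runs but the browser never parses the position as an attribute (the <noscript> raw-text case). The following JavaScript is an added example written for this page, not Svelte's own code: it models a minimal SSR attribute escaper carrying both weaknesses next to a hardened one, and renders the vulnerable anchor from the page above with each. The function names, the rendered markup and the two attacker inputs are constructed for the illustration; the hardened escaper stringifies every value and additionally escapes <, > and ' in attributes as a general mitigation, and is not a copy of the upstream fixes.

```javascript
// Added example for this page, not Svelte's source: a minimal model of
// server-side attribute escaping with the two weaknesses described in the
// advisories, next to a hardened variant. Names and markup are assumptions.

// Text-content escaping, mirroring the content rules quoted above: only
// `<` and `&` are converted.
function escapeContent(value) {
  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Weak attribute escaping, modelling both advisories:
//  1. non-string values pass through untouched; their toString() then runs
//     when the template string is assembled, so its output is never escaped;
//  2. only `"` and `&` are escaped, so `<` and `>` survive and can form tags
//     if the browser does not treat the position as an attribute.
function escapeAttrWeak(value) {
  if (typeof value !== "string") return value;
  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Hardened attribute escaping: stringify first (so toString() output is
// escaped like any other string) and also neutralise `<`, `>` and `'`, so
// the value cannot form markup even in a raw-text context such as <noscript>.
function escapeAttrHardened(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Stand-in for the SSR output of the vulnerable +page.svelte shown above.
function renderNoscriptLink(href, escapeAttr, label = "test") {
  return `<noscript><a href="${escapeAttr(href)}">${escapeContent(label)}</a></noscript>`;
}

// Crude marker for a breakout: a <script start tag anywhere in the output,
// which the server never meant to emit. Inside a quoted attribute of a normal
// element it would be inert; inside <noscript> with scripting enabled the
// browser sees raw text, so the quotes do not protect it.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker inputs.
// (a) first advisory: a non-string value whose toString() returns markup
const evilObject = { toString: () => '"><script>alert(1)</script>' };
// (b) second advisory: a string that closes <noscript> early, after which the
//     remainder is parsed as ordinary HTML
const evilString = "</noscript><script>alert(123)</script>";

// Render the same page four ways: each attacker input through each escaper.
function demo() {
  return {
    weakObject: renderNoscriptLink(evilObject, escapeAttrWeak),
    weakString: renderNoscriptLink(evilString, escapeAttrWeak),
    hardenedObject: renderNoscriptLink(evilObject, escapeAttrHardened),
    hardenedString: renderNoscriptLink(evilString, escapeAttrHardened),
  };
}

for (const [name, html] of Object.entries(demo())) {
  console.log(`${name.padEnd(15)} script tag present: ${containsScriptTag(html)}`);
  console.log(`  ${html}`);
}
```

Run with node; the two weak renderings contain a live <script> start tag, the two hardened renderings do not. The object case shows why a typeof check is not a safe gate for escaping: anything interpolated into a template string is stringified eventually, and escaping has to happen after that conversion, not before it.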