Svelte is a UI framework known for its "disappearing" nature: it compiles components to plain, efficient JavaScript at build time rather than shipping a framework runtime. Comparing versions 2.14.3 and 2.14.2 reveals a few differences. Both versions share an identical set of development dependencies, including tools for testing (Mocha, NYC), linting (ESLint), bundling (Rollup), and TypeScript support. Since these are devDependencies, they are used only to build and test Svelte itself and are not installed by applications that depend on the package.
The dist object does show a difference: svelte@2.14.3 has a fileCount of 12 and an unpacked size of 956464 bytes, while svelte@2.14.2 has a fileCount of 15 and an unpacked size of 974345 bytes. The newer version ships fewer files and is slightly smaller, which could reflect a change to the published file list or to the build output; the metadata alone does not say which. The difference is under 2% and is unlikely to be noticeable in download time or runtime performance.
Finally, the releaseDate field shows that version 2.14.3 was released on October 24, 2018, one day after version 2.14.2. A patch release published a day after the previous one typically indicates a bug fix, so updating promptly is recommended. The bump is a semver patch and the metadata shows no breaking changes, so the update should be smooth; confirm against the project's changelog before upgrading.
All vulnerabilities affecting version 2.14.3 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
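The mechanism described above, as an added example that is not Svelte's own code: an SSR attribute escaper that only escapes strings lets any other value through untouched, and when the template later interpolates that value, JavaScript calls its toString(), so an object whose toString() returns markup lands in the output unescaped. The escaped-character table and the "fixed" variant below are this example's own modelling of the described behaviour (strings and objects escaped; booleans, null and undefined still passed through so spread attributes keep working); verify the exact upstream change against the 3.49.0 release.

```javascript
// Added example (not Svelte's own code): how an object with a custom
// toString() slips past an SSR attribute escaper that only handles strings.

const ESCAPED = { '"': '&quot;', "'": '&#39;', '&': '&amp;', '<': '&lt;', '>': '&gt;' };

// Escape a value for use inside a double-quoted attribute.
function escape(value) {
  return String(value).replace(/["'&<>]/g, (ch) => ESCAPED[ch]);
}

// Vulnerable shape: non-strings are passed through untouched and are later
// stringified by template interpolation, which calls their toString().
function escapeAttributeValueVulnerable(value) {
  return typeof value === 'string' ? escape(value) : value;
}

// Fixed shape (modelled for this example): objects are escaped too, while
// booleans, null and undefined still pass through so spread attributes work.
function escapeAttributeValueFixed(value) {
  const shouldEscape = typeof value === 'string' || (value !== null && typeof value === 'object');
  return shouldEscape ? escape(value) : value;
}

// Minimal stand-in for the SSR output of <a title={title}>x</a>.
function renderTitle(title, escapeAttr) {
  return `<a title="${escapeAttr(title)}">x</a>`;
}

// Constructed attacker-controlled value: e.g. a deserialized record or class
// instance whose toString() returns markup instead of plain text.
const EVIL = { toString() { return '"><script>alert(1)</script><a x="'; } };

function demo() {
  return {
    // Object reaches the template unescaped: toString() output becomes markup.
    vulnerable: renderTitle(EVIL, escapeAttributeValueVulnerable),
    // Object is stringified first, then escaped like any other string.
    fixed: renderTitle(EVIL, escapeAttributeValueFixed),
    // Plain strings were already escaped correctly in the vulnerable shape.
    plainString: renderTitle('"><b>', escapeAttributeValueVulnerable),
  };
}
```

The lesson generalises beyond Svelte: any escaper that branches on typeof must decide what happens to every other type, because template interpolation will stringify whatever is left.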
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attribute values:
" -> &quot;
& -> &amp;
In text content:
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree the browser builds differs from what Svelte expects during server-side rendering, and this can be leveraged for XSS. Specifically, it can occur when malicious content is injected into an attribute inside a <noscript> tag: when scripting is enabled, browsers parse the contents of <noscript> as raw text rather than as markup, so the first literal </noscript> in that text ends the element and whatever follows is parsed as ordinary HTML. Because the attribute rules above do not escape <, a value containing </noscript> survives rendering intact.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL:
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
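To make the parsing mismatch concrete, here is an added example (illustration code, not Svelte's own implementation) that models the two SSR escaping rule sets quoted above, renders the markup of the +page.svelte from the advisory with the payload from the URL, and checks whether a <script> element becomes reachable once the browser closes the <noscript> element. The hardened attribute escaper, which additionally turns < into &lt;, is this example's assumption of what a sufficient fix looks like for this case; check the 4.2.19 release for the exact upstream change.

```javascript
// Added example: a minimal model of the SSR escaping rules quoted in the
// advisory and of the <noscript> page it describes. Not Svelte's own code.

// Attribute-value rules from the advisory: only " and & are escaped.
function escapeAttrVulnerable(value) {
  return String(value).replace(/[&"]/g, (ch) => (ch === '&' ? '&amp;' : '&quot;'));
}

// Text-content rules from the advisory: only < and & are escaped.
function escapeText(value) {
  return String(value).replace(/[&<]/g, (ch) => (ch === '&' ? '&amp;' : '&lt;'));
}

// Hardened attribute escaping (assumption for this example): also turn < into
// &lt; so an attribute value can never carry a literal end tag.
function escapeAttrHardened(value) {
  return String(value).replace(/[&"<]/g, (ch) =>
    ch === '&' ? '&amp;' : ch === '"' ? '&quot;' : '&lt;');
}

// The +page.svelte from the advisory, reduced to the HTML its SSR emits.
function renderPage(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Mimic a browser with scripting enabled: <noscript> content is raw text, so
// the first literal "</noscript>" after the open tag ends the element, and
// everything after it is parsed as ordinary markup.
function markupAfterNoscript(html) {
  const open = html.indexOf('<noscript>');
  if (open === -1) return html;
  const close = html.indexOf('</noscript>', open + '<noscript>'.length);
  if (close === -1) return '';
  return html.slice(close + '</noscript>'.length);
}

// Does a <script> element become reachable once the noscript block closes?
function leaksScript(html) {
  return /<script\b/i.test(markupAfterNoscript(html));
}

// Constructed input: the href value from the advisory's example URL.
const PAYLOAD = '</noscript><script>alert(123)</script>';

function demo() {
  const vulnerable = renderPage(PAYLOAD, escapeAttrVulnerable);
  const hardened = renderPage(PAYLOAD, escapeAttrHardened);
  return {
    vulnerable,
    hardened,
    vulnerableLeaks: leaksScript(vulnerable), // true: </noscript> survived
    hardenedLeaks: leaksScript(hardened),     // false: < became &lt;
  };
}
```

Note that the payload contains neither " nor &, so the attribute-value rules leave it byte-for-byte intact; the escaper did its job for the context it was told about, and the bug is that the browser never treats that string as an attribute at all.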
XSS, when using an attribute within a noscript tag