Svelte version 2.6.2 is a minor update to the popular "magical disappearing UI framework," building upon the solid foundation of version 2.6.1. Both versions share the same core mission: to provide a performant and elegant way to build web applications. The package description remains consistent between the releases, emphasizing the core value proposition of Svelte.
Examining the devDependencies, we observe a similar set of tools used for development and testing in both versions, showcasing a stable toolchain. These include popular libraries and utilities such as rollup for bundling, typescript for type-safe coding, eslint for code linting, and mocha for testing. The versions of these dependencies remain the same, indicating a focus on stability and minimal disruption during the upgrade.
The key differentiating factor lies in the dist property. While both packages contain 15 files, the unpackedSize shows a slight increase in v2.6.2 (2591653 bytes) compared to v2.6.1 (2585005 bytes). This suggests that the newer version incorporates minor improvements, bug fixes, or perhaps slightly expanded functionality, leading to a small increment in the overall size. Importantly, Svelte 2.6.2 was released on May 16, 2018, a couple of days after the previous version. If you are a developer using Svelte, it is recommended to upgrade to 2.6.2 to benefit from the latest refinements and ensure you have the most stable experience. Although the changes are not large, it is beneficial to run the most up-to-date and stable version.
All vulnerabilities affecting version 2.6.2 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
- " -> &quot;
- & -> &amp;
- < -> &lt;
- & -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
```svelte
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
```
If a user accesses the following URL:
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
XSS, when using an attribute within a noscript tag
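The following is an added example, not Svelte's own source, written to illustrate both advisories above: an escaper that skips non-string values (the pattern behind the custom toString() bypass) and an attribute escaper that leaves `<` alone (the pattern behind the noscript mXSS), each beside a hardened form. The function names, the tiny template renderer, the intact-body check and the sample inputs are all constructed here; the only input taken from the page is the href parameter from the advisory's URL. The escaping rules are a simplified model of server-side rendering, not a reproduction of Svelte's actual implementation.

```javascript
// Added example (not Svelte's code): a minimal model of two SSR escaping
// defects, each beside a hardened form. All names here are constructed.

// Defect 1 (pattern behind the pre-3.49.0 advisory): only strings are escaped.
// An object falls through and is stringified later by the template literal,
// so whatever its toString() returns lands in the markup unescaped.
function escapeTextLoose(value) {
  return typeof value === "string"
    ? value.replace(/&/g, "&amp;").replace(/</g, "&lt;")
    : value; // object passes through; toString() runs at concatenation time
}

// Hardened: coerce to string first, then escape, so toString() output is
// treated exactly like any other untrusted string.
function escapeTextStrict(value) {
  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Defect 2 (pattern behind the pre-4.2.19 advisory): attribute values escape
// only `"` and `&`. A browser with scripting enabled parses the body of
// <noscript> as raw text, so a literal </noscript> inside a quoted attribute
// value ends the element early and what follows is parsed as normal markup.
function escapeAttrLoose(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Hardened: also escape `<`, so no tag-closing sequence can survive inside
// the attribute regardless of how the surrounding element is parsed.
function escapeAttrStrict(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;");
}

// Stand-in for the SSR output of the +page.svelte shown in the advisory.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Stand-in for rendering a value into element text content.
function renderText(value, escapeText) {
  return `<p>${escapeText(value)}</p>`;
}

// Defender-side check for rendered markup: between the real <noscript> and
// its real closing tag there must be no sequence that a raw-text parser
// would read as the end of the element or as the start of a script.
function noscriptBodyIsIntact(html) {
  const start = html.indexOf("<noscript>");
  const end = html.lastIndexOf("</noscript>");
  if (start < 0 || end < 0) return false;
  const body = html.slice(start + "<noscript>".length, end);
  return !/<\/noscript/i.test(body) && !/<script/i.test(body);
}

// Constructed inputs: the href value from the advisory's URL, and an object
// whose toString() returns markup (benign here; the point is that it is not
// escaped by the loose escaper).
const hrefFromQuery = "</noscript><script>alert(123)</script>";
const objectWithToString = { toString: () => "<b>raw markup</b>" };

// Render each input through the loose and the strict escaper.
function demo() {
  return {
    looseAttr: renderNoscriptLink(hrefFromQuery, escapeAttrLoose),
    strictAttr: renderNoscriptLink(hrefFromQuery, escapeAttrStrict),
    looseText: renderText(objectWithToString, escapeTextLoose),
    strictText: renderText(objectWithToString, escapeTextStrict),
  };
}

const results = demo();
console.log("loose attr intact:", noscriptBodyIsIntact(results.looseAttr));
console.log("strict attr intact:", noscriptBodyIsIntact(results.strictAttr));
console.log(results);
```

Running it shows the loose attribute escaper emitting a literal `</noscript><script>` inside the href value (the check reports the body as not intact), while the strict escaper turns every `<` into `&lt;` and passes. For the text case, the loose escaper outputs `<b>raw markup</b>` verbatim because the object was never escaped, whereas the strict escaper outputs `&lt;b>raw markup&lt;/b>`. The same check can be run over a server's rendered HTML in a test suite as a regression guard after upgrading past the affected versions.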