Svelte 2.9.6 is a minor release in the Svelte 2 series, building upon version 2.9.5 of this "magical disappearing UI framework." While the core functionality remains largely consistent between the two, subtle differences exist that affect developers. Both versions share the same set of core development dependencies, including tools for bundling (Rollup), linting (ESLint), testing (Mocha, JSDOM, Nightmare), and TypeScript support. This consistent dependency stack ensures a familiar development experience when upgrading. Looking at the dist sections, the unpacked size is slightly larger, with the newer version around 1.5 kB bigger.
The key differences usually lie in bug fixes, performance improvements, and minor feature additions. These incremental changes, while not always immediately apparent, contribute to a more stable and refined development experience. Developers should consult the official Svelte changelog or release notes for a comprehensive list of the specific changes in 2.9.6. The package.json files for both versions are virtually identical, indicating no dependency updates, but the newer release carries the cumulative fixes made since 2.9.5 and so improves overall stability. Always review the official Svelte changelog when upgrading to understand the differences between versions and ensure a smooth transition in your projects.
All the vulnerabilities related to version 2.9.6 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules, with one set for attribute values and another for text content:
Attribute values:
" -> &quot;
& -> &amp;
Text content:
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers is different from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):

```svelte
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
```
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
XSS, when using an attribute within a noscript tag
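To make the advisory's escaping rules concrete, here is an added example (my own code, not Svelte's SSR implementation) that models the two escaping modes listed above, renders the advisory's <noscript> template through each, and shows why attribute-mode escaping alone is not enough when the attribute sits inside <noscript>. The hardened escaper that also rewrites `<` and `>` in attribute values is an assumption about a sufficient fix for this scenario, not a claim about the exact upstream patch; the payload string is the one from the advisory's URL, reused here as constructed input.

```javascript
// Added example (not Svelte's own code): a minimal model of the SSR escaping
// rules quoted in the advisory, plus a hardened attribute escaper, applied to
// the advisory's <noscript><a href={href}>test</a></noscript> template.

// Attribute-mode rules as listed on the page: only `"` and `&` are rewritten.
function escapeAttrLegacy(value) {
  return String(value).replace(/[&"]/g, (c) => (c === '&' ? '&amp;' : '&quot;'));
}

// Text-content rules as listed on the page: only `<` and `&` are rewritten.
function escapeContent(value) {
  return String(value).replace(/[&<]/g, (c) => (c === '&' ? '&amp;' : '&lt;'));
}

// Hardened attribute escaper (assumption: also rewriting `<` and `>` removes
// the ambiguity in this scenario; this is my variant, not necessarily the
// upstream fix). Once `<` is an entity, no closing tag can be formed inside
// the attribute value, no matter how the browser later reparses <noscript>.
function escapeAttrHardened(value) {
  const map = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
  return String(value).replace(/[&"<>]/g, (c) => map[c]);
}

// Serialize the template the way an SSR step would, with a pluggable
// attribute escaper so the legacy and hardened behaviours can be compared.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Defensive check usable on SSR output: the template emits exactly one
// </noscript>. With scripting enabled, browsers treat <noscript> content as
// raw text that ends at the first </noscript>, so any extra closer means an
// attribute value has escaped its element and whatever follows becomes live
// markup. Count closers case-insensitively, as the HTML tokenizer does.
function countNoscriptClosers(html) {
  return (html.match(/<\/noscript/gi) || []).length;
}

// Constructed input: the href value from the advisory's example URL.
const PAYLOAD = '</noscript><script>alert(123)</script>';

const legacyOutput = renderNoscriptLink(PAYLOAD, escapeAttrLegacy);
const hardenedOutput = renderNoscriptLink(PAYLOAD, escapeAttrHardened);

console.log('legacy  :', legacyOutput, '| closers =', countNoscriptClosers(legacyOutput));
console.log('hardened:', hardenedOutput, '| closers =', countNoscriptClosers(hardenedOutput));
```

Run with `node`: the legacy rendering contains two `</noscript` tokens, because the payload has neither `"` nor `&` and so passes through attribute-mode escaping untouched, while the hardened rendering contains exactly one. The `countNoscriptClosers` check is the kind of invariant a test suite or an SSR output linter can assert on without needing a full browser.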