Svelte version 3.10.1 is a minor patch release following 3.10.0; both are releases of the cybernetically enhanced web app framework. The package metadata lists the same core dependencies for both versions, which suggests no significant API changes or feature additions, so developers can expect largely identical functionality from either. The two packages also share the same suite of devDependencies, from testing tools like Mocha and c8, linting with ESLint, to the Rollup module bundler and build tools like TypeScript, giving a consistent development environment regardless of the specific minor version.
The key differences lie in the dist property. Version 3.10.1 has a slightly smaller unpacked size (2,814,103 bytes) than 3.10.0 (2,820,711 bytes) and contains one more file. This hints at internal optimizations or bug fixes in 3.10.1 that do not fundamentally alter the framework's capabilities or require code changes in existing projects. The release dates show a one-day gap between the two, with 3.10.1 published the day after 3.10.0, which usually signals a reaction to an issue discovered in the first release. For developers this suggests upgrading to 3.10.1 to pick up potential bug fixes and internal improvements without introducing breaking changes. The core value proposition of Svelte, writing less code and shipping performant web applications, persists in both versions.
All vulnerabilities related to version 3.10.1 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attribute values:
    " -> &quot;
    & -> &amp;
In text content:
    < -> &lt;
    & -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
    <script>
        import { page } from "$app/stores";
        // user input
        let href = $page.url.searchParams.get("href") ?? "https://example.com";
    </script>
    <noscript>
        <a href={href}>test</a>
    </noscript>
If a user accesses the following URL,
    http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
XSS, when using an attribute within a noscript tag
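The following is an added example, not code from the Svelte project or the advisory: a small model of the two escaping rule sets described above, a hardened attribute escaper that also encodes `<` and `>` (the mitigation as assumed here, not a copy of the upstream patch), and a check a defender can run over rendered HTML to flag output in which an interpolated value closed the enclosing tag. The page template, the `test` link text and the sample query value are taken from the advisory; the function names are this example's own.

```javascript
// Model of the legacy SSR rules described in the advisory:
// attribute values escape only `"` and `&`, text content only `<` and `&`.
function escapeAttrLegacy(value) {
  return String(value).replace(/[&"]/g, (ch) => (ch === '&' ? '&amp;' : '&quot;'));
}

function escapeContent(value) {
  return String(value).replace(/[&<]/g, (ch) => (ch === '&' ? '&amp;' : '&lt;'));
}

// Hardened attribute escaping (assumption: this is the mitigation modelled
// here, not the upstream fix verbatim): also encode `<` and `>`, so an
// attribute value can never spell out a closing tag even when the browser
// re-parses the element's contents as raw text.
function escapeAttrHardened(value) {
  const map = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
  return String(value).replace(/[&"<>]/g, (ch) => map[ch]);
}

// Server-side render of the advisory's <noscript><a href={href}>test</a></noscript>
// page with a pluggable attribute escaper.
function renderNoscriptLink(href, text, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">${escapeContent(text)}</a></noscript>`;
}

// Defensive check: with scripting enabled, browsers treat <noscript> contents as
// raw text that ends at the first `</noscript>`, regardless of attribute quotes.
// The template itself contributes exactly one closing tag, so a second one means
// an interpolated value broke out of the element.
function closesTagEarly(html, tagName) {
  const re = new RegExp(`</${tagName}\\s*>`, 'gi');
  return (html.match(re) || []).length > 1;
}

// Constructed sample input: the query value from the advisory's example URL.
const SAMPLE_HREF = '</noscript><script>alert(123)</script>';

const legacyHtml = renderNoscriptLink(SAMPLE_HREF, 'test', escapeAttrLegacy);
const hardenedHtml = renderNoscriptLink(SAMPLE_HREF, 'test', escapeAttrHardened);
console.log('legacy escaping breaks out of <noscript>:', closesTagEarly(legacyHtml, 'noscript'));
console.log('hardened escaping breaks out of <noscript>:', closesTagEarly(hardenedHtml, 'noscript'));
```

The same check generalises to any raw-text element (`<style>`, `<textarea>`, `<title>`) whose contents a browser does not parse as markup: count the closing tags in the rendered output and treat more than one as a sign that escaping was insufficient.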