Svelte 3.15.0 refines the developer experience for building "cybernetically enhanced web apps," building on the capabilities established in version 3.14.1. Examining the package metadata reveals some key changes that might interest developers. While both versions share a similar suite of development dependencies for tasks like linting (eslint, @typescript-eslint/*), building (rollup), and testing (mocha, jsdom), subtle version bumps and changes in file counts suggest internal adjustments.
Notably, code-red jumps from version 0.0.21 to 0.0.25, indicating updates or features in Svelte's code transformation pipeline. The jump in fileCount (from 204 to 252) and unpackedSize (from 3002650 to 3032082) in the distribution likely points to added functionality, optimizations, or potentially revised internal modules shipping with the core package.
Developers may benefit from improved performance due to the code-red update. It is also worth checking the Svelte changelog for 3.15.0 for the specific bug fixes, new features, and breaking changes that directly affect component development and application architecture. This update was published on roughly the 18th of November 2019, a few days after the previous one. If code size or performance matter to you, take note of the increased unpacked size of the package.
All the vulnerabilities related to version 3.15.0 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
" -> &quot;
& -> &amp;
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
```svelte
<script>
  import { page } from "$app/stores";
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>
```
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
XSS, when using an attribute within a noscript tag
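As an added example (not Svelte's own code), the attribute escaping rules above modelled in JavaScript: the pre-fix escaper that rewrites only `"` and `&` beside a hardened one that also rewrites `<`, plus a check that the rendered <noscript> fragment cannot be closed from inside the attribute. The helper names are assumptions; the hardened rule set shows the mitigation direction, not the exact patched code, which this page does not show.

```javascript
// Added example, not Svelte's own code. Function names and the
// renderNoscriptAnchor helper are assumptions for this illustration.

// Pre-fix rule set for attribute values: only `"` and `&` are rewritten.
const ATTR_VULNERABLE = /[&"]/g;
// Hardened rule set: `<` is rewritten too, so a value can never open a tag.
const ATTR_FIXED = /[&"<]/g;

function escapeWith(pattern, value) {
  return String(value).replace(pattern, (ch) =>
    ch === '&' ? '&amp;' : ch === '"' ? '&quot;' : '&lt;'
  );
}

function escapeAttrVulnerable(value) {
  return escapeWith(ATTR_VULNERABLE, value);
}

function escapeAttrFixed(value) {
  return escapeWith(ATTR_FIXED, value);
}

// Server-renders the <noscript><a href=...> fragment from the page above
// with the chosen attribute escaper.
function renderNoscriptAnchor(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Output check a defender can run on rendered markup: with scripting enabled,
// the HTML parser treats <noscript> content as raw text that ends at the first
// "</noscript>", so the fragment must contain exactly one closing tag and no
// literal "<script" anywhere. Returns true when the markup is safe.
function renderedIsSafe(rendered) {
  const closes = rendered.match(/<\/noscript>/gi) || [];
  return closes.length === 1 && !/<script/i.test(rendered);
}

// Constructed input: the attribute value from the URL in the advisory.
const PAYLOAD = '</noscript><script>alert(123)</script>';

// Safety verdict for each escaper on the same input.
function compareEscapers(value = PAYLOAD) {
  return {
    vulnerable: renderedIsSafe(renderNoscriptAnchor(value, escapeAttrVulnerable)),
    fixed: renderedIsSafe(renderNoscriptAnchor(value, escapeAttrFixed)),
  };
}
```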