Svelte version 3.17.1 represents a minor upgrade over its predecessor, version 3.17.0, both maintaining the core promise of "Cybernetically enhanced web apps". Examining the package metadata reveals subtle but potentially important distinctions for developers leveraging this popular JavaScript framework. The dependencies listed in the devDependencies object are identical, indicating no change in the tools employed for development, testing or building the Svelte library itself. This is positive news for developers as it indicates that the internal toolchain hasn't changed, minimizing the risk of compatibility issues or build disruptions.
The key difference lies in the dist object. While the fileCount remains constant at 206, the unpackedSize shows a minimal increase from 3,057,758 bytes in version 3.17.0 to 3,058,367 bytes in version 3.17.1. This suggests that a small bugfix or optimization was implemented in the latter version, adding a negligible amount to the overall package size. Furthermore, releaseDate indicates version 3.17.1 was released a day later.
While the changes are incremental, developers should still move to 3.17.1 for the stability improvements or bugfixes it may carry, even though they are not spelled out in the metadata. Keeping up with the latest patch version helps keep Svelte applications performant and secure. Given the minimal scope of the changes, the upgrade should be straightforward, with little risk of breaking alterations. Svelte remains a powerful choice for reactive web applications.
All known vulnerabilities affecting version 3.17.1 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attribute values:
" -> &quot;
& -> &amp;
In text content:
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
XSS when using an attribute within a noscript tag
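The following is an added example, not Svelte's own code, that models the two SSR escaping rules from the advisory above, renders the +page.svelte snippet with the URL payload, and shows why attribute escaping that leaves "<" untouched breaks down inside <noscript>. The hardened escaper and the breakout check are assumptions of this example, written to illustrate a mitigation and a detection, not Svelte's actual fix.

```javascript
// Attribute escaping as the advisory describes it for vulnerable versions:
// only the double quote and the ampersand are replaced, "<" passes through.
function escapeAttrLegacy(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Text-content escaping as the advisory describes it: "<" and "&" are replaced.
function escapeContent(value) {
  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Hardened attribute escaping (assumption of this example): also neutralise
// "<" and ">" so an attribute value can never spell out a closing tag, which
// is what a parser in raw-text mode looks for.
function escapeAttrHardened(value) {
  return escapeAttrLegacy(value).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Server-side render of the advisory's page: <noscript><a href={href}>test</a></noscript>
// The escaper is injectable so the same template can be rendered both ways.
function renderNoscriptLink(href, escapeAttr = escapeAttrLegacy) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// With scripting enabled, browsers parse the body of <noscript> as raw text,
// so the first literal "</noscript" ends the element, quotes or not. This
// check flags SSR output whose <noscript> body already contains that
// sequence before the real end tag, i.e. output that a browser will cut open.
function noscriptBreakout(html) {
  const m = /<noscript>([\s\S]*)<\/noscript>$/i.exec(html);
  if (!m) return false;
  return /<\/noscript/i.test(m[1]);
}

// Constructed input: the href value from the advisory's example URL.
const PAYLOAD = "</noscript><script>alert(123)</script>";

function demo() {
  return {
    legacy: noscriptBreakout(renderNoscriptLink(PAYLOAD)),             // true
    hardened: noscriptBreakout(renderNoscriptLink(PAYLOAD, escapeAttrHardened)), // false
    benign: noscriptBreakout(renderNoscriptLink("https://example.com")), // false
  };
}
```

Run the same check over any SSR output that places user-controlled attributes inside <noscript>, <style>, <textarea> or <title>, since those elements are parsed in raw-text or RCDATA modes with the same consequence.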