Svelte version 3.17.3 introduces subtle yet noteworthy improvements over its predecessor, 3.17.2, designed to enhance the development experience. Both versions retain the core description as "Cybernetically enhanced web apps," highlighting Svelte's commitment to building efficient and modern web applications. Examining the devDependencies, we observe identical dependency versions across both releases, suggesting that the changes likely reside within Svelte's core code rather than relying on updated tooling.
The dist object reveals tangible differences. Svelte 3.17.3 boasts a fileCount of 208, slightly higher than 3.17.2's 206, indicating a few added or modified files within the package. Similarly, the unpackedSize increases from 3,064,709 bytes in 3.17.2 to 3,066,564 bytes in 3.17.3. This suggests minor additions, optimizations, or bug fixes contributing to a slightly larger overall size. The release dates also set them apart, with 3.17.3 being published on "2020-01-23T15:09:40.031Z", while 3.17.2 was released on "2020-01-21T02:20:21.563Z".
For Svelte developers, the update from 3.17.2 to 3.17.3 likely addresses small bugs or introduces nuanced enhancements. While the dependency versions remain consistent, the increased file count and unpacked size suggest internal tweaks that potentially improve performance, stability, or developer ergonomics. Since the core dependencies are unchanged, developers need not worry about peer dependency incompatibilities. Developers should consult the official changelog for a comprehensive list of the changes; such incremental updates are a normal sign of active development.
All vulnerabilities related to version 3.17.3 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attributes:
  " -> &quot;
  & -> &amp;
In content:
  < -> &lt;
  & -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
  import { page } from "$app/stores";
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
  <a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
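As an added example (not Svelte's own code), the escaping rules above re-implemented in JavaScript, alongside a stricter attribute escape and a check that models how a browser with scripting enabled parses <noscript> content; the function names and the stricter escape are assumptions for this demonstration, not the upstream fix.

```javascript
// Added example, not Svelte's own code: the SSR escaping rules described
// above, re-implemented so the <noscript> mismatch can be seen, plus a
// stricter attribute escape. Function names are assumptions for this demo.

// Content escape as described on the page: only `<` and `&` are rewritten.
function escapeContent(value) {
  return String(value).replace(/[<&]/g, (c) => (c === "<" ? "&lt;" : "&amp;"));
}

// Attribute escape as described on the page: only `"` and `&` are rewritten,
// so a `<` inside the value survives server-side rendering untouched.
function escapeAttributeAsDescribed(value) {
  return String(value).replace(/["&]/g, (c) => (c === '"' ? "&quot;" : "&amp;"));
}

// Stricter attribute escape (an assumed mitigation, not the upstream patch):
// `<` and `>` are rewritten too, so no tag can be assembled inside the value.
function escapeAttributeStrict(value) {
  const map = { '"': "&quot;", "&": "&amp;", "<": "&lt;", ">": "&gt;" };
  return String(value).replace(/["&<>]/g, (c) => map[c]);
}

// Server-side output for the markup of the vulnerable page, with a chosen
// attribute escaper standing in for the framework's.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// With scripting enabled, browsers parse <noscript> content as raw text:
// nothing inside it is markup until the first `</noscript`. The server,
// however, assumed the attribute context still holds. This check models the
// browser rule and reports whether the element closes earlier than the
// server intended, i.e. whether an attribute value has escaped its context.
function breaksOutOfNoscript(html) {
  const open = html.indexOf("<noscript>");
  if (open === -1) return false;
  const firstClose = html.toLowerCase().indexOf("</noscript", open + 10);
  const intendedClose = html.lastIndexOf("</noscript>");
  return firstClose !== -1 && firstClose !== intendedClose;
}

// Constructed sample: the query value from the page, rendered both ways.
const sampleHref = "</noscript><script>alert(123)</script>";
console.log(breaksOutOfNoscript(renderNoscriptLink(sampleHref, escapeAttributeAsDescribed))); // true
console.log(breaksOutOfNoscript(renderNoscriptLink(sampleHref, escapeAttributeStrict)));      // false
```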
XSS, when using an attribute within a noscript tag