Svelte version 3.22.2 is a patch release following 3.22.1; both are builds of the popular JavaScript compiler that turns components into small, efficient vanilla JavaScript. The package metadata shows that both versions declare identical development dependencies: testing and linting tools such as 'mocha', 'eslint', '@typescript-eslint/parser' and 'eslint-plugin-svelte3', the 'rollup' bundler with its plugins for JSON, replacements, Sucrase, virtual modules, CommonJS, TypeScript and Node resolution, and the core libraries 'acorn' (JavaScript parsing), 'css-tree' (CSS parsing) and 'magic-string' (source manipulation). The toolchain therefore did not change between the two releases.
The visible differences are the publication date and the package size. Version 3.22.2 was published on May 4th, 2020, one day after 3.22.1 (May 3rd, 2020), and the unpacked size grew from 3,134,317 bytes to 3,134,435 bytes, a difference of 118 bytes that is consistent with a small bug fix rather than a new feature. The metadata carries no changelog, so developers should consult the official Svelte changelog or release notes for the precise modifications. Because this is a patch-level bump, the update is unlikely to break existing projects. Note, however, that 3.22.2 falls inside the affected ranges of both advisories listed on this page (fixed in 3.49.0 and 4.2.19 respectively), so moving from 3.22.1 to 3.22.2 does not address them; a project that renders untrusted data on the server needs at least 4.2.19.
All known vulnerabilities affecting version 3.22.2 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules (the right-hand sides are HTML entities; they were decoded by the page extraction and are restored here from the rules Svelte's SSR escaper applies):
For attribute values:
" -> &quot;
& -> &amp;
For text content:
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by the browser differs from what Svelte expects during server-side rendering, and this can be leveraged to perform XSS attacks. More specifically, it occurs when malicious content is injected into an attribute within a <noscript> tag: because '<' is not escaped inside attribute values, a value containing '</noscript>' reaches the browser verbatim, and a browser with scripting enabled treats the body of <noscript> as raw text that ends at the first '</noscript>' it sees, regardless of whether that sequence sits inside an attribute. Everything after it is then parsed as ordinary HTML.
A vulnerable page (+page.svelte):
<script>
    import { page } from "$app/stores"
    // user input
    let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
    <a href={href}>test</a>
</noscript>
If a user accesses the following URL:
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
Impact: XSS when user-controlled data is rendered into an attribute inside a <noscript> tag.
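The following is an added example, not code from the Svelte project or from either advisory. It models the two escaping defects described on this page in plain Node.js: a toString()-based bypass of attribute escaping (the pre-3.49.0 issue) and the <noscript> attribute mismatch (the pre-4.2.19 issue). The escaper follows the rules quoted in the advisory above (attributes escape '&' and '"', text escapes '&' and '<'); the function names escapeSvelte4, addAttributeLegacy, addAttribute, escapeAttrFixed and markupParsedAsHtmlAfterNoscript are my own, the "legacy" attribute renderer is my reconstruction of the older behaviour (only string values were escaped, other values were interpolated raw), and escapeAttrFixed is my modelling of what a fix must do (also escape '<' in attributes), not a copy of the Svelte patch. The sample payloads are constructed from the PoC URL on this page.

```javascript
// Added example (not Svelte's code): models Svelte's SSR escaping rules and
// shows how both advisories on this page arise, plus a hardened variant.

// Rules as stated in the advisory: attribute values escape & and ",
// text content escapes & and <.
const ATTR_REGEX = /[&"]/g;
const CONTENT_REGEX = /[&<]/g;
const ENTITIES = { '&': '&amp;', '"': '&quot;', '<': '&lt;' };

// Approximation of the 3.49.0+ escaper: coerces every value to a string,
// so an object with a custom toString() is escaped like any other string.
function escapeSvelte4(value, isAttr = false) {
  return String(value).replace(isAttr ? ATTR_REGEX : CONTENT_REGEX, (c) => ENTITIES[c]);
}

// Hardened attribute escaper (my modelling of the 4.2.19-style fix, not the
// actual patch): also neutralises '<' so a value can never carry a tag-like
// sequence such as </noscript> into the markup.
const ATTR_REGEX_FIXED = /[&"<]/g;
function escapeAttrFixed(value) {
  return String(value).replace(ATTR_REGEX_FIXED, (c) => ENTITIES[c]);
}

// Reconstruction of the pre-3.49.0 pattern (assumption, see lead-in): only
// string values were escaped; anything else was interpolated raw, so an
// object whose toString() returns markup breaks out of the attribute.
function addAttributeLegacy(name, value) {
  if (value == null) return '';
  const rendered = typeof value === 'string' ? escapeSvelte4(value, true) : `${value}`;
  return ` ${name}="${rendered}"`;
}

// Attribute rendering that escapes every value; the escaper is injectable so
// the same renderer can be run with the 3.49.0-style and the hardened rules.
function addAttribute(name, value, escapeAttr = (v) => escapeSvelte4(v, true)) {
  if (value == null) return '';
  return ` ${name}="${escapeAttr(value)}"`;
}

// Renders the advisory's PoC page: <noscript><a href={href}>test</a></noscript>
function renderNoscriptPage(href, escapeAttr) {
  return `<noscript><a${addAttribute('href', href, escapeAttr)}>test</a></noscript>`;
}

// With scripting enabled, browsers parse the body of <noscript> as raw text
// that ends at the first "</noscript>" they see, attributes notwithstanding.
// This mirrors that rule and returns the markup the browser would parse as
// real HTML once the noscript element has closed ('' means nothing leaked).
function markupParsedAsHtmlAfterNoscript(html) {
  const open = html.indexOf('<noscript>');
  if (open === -1) return html;
  const close = html.indexOf('</noscript>', open + '<noscript>'.length);
  return close === -1 ? '' : html.slice(close + '</noscript>'.length);
}

function containsScript(markup) {
  return /<script\b/i.test(markup);
}

// Walks through both advisories on the page's own PoC input and returns
// the intermediate values so they can be inspected or asserted on.
function runDemo() {
  // The PoC URL from the advisory; URL parsing hands the raw payload back.
  const url = 'http://localhost:4173/?href=</noscript><script>alert(123)</script>';
  const href = new URL(url).searchParams.get('href');

  const vulnerable = renderNoscriptPage(href);                 // 3.49.0-style rules
  const hardened = renderNoscriptPage(href, escapeAttrFixed);  // also escapes '<'

  // Constructed payload for the toString() issue: an object, not a string.
  const payload = { toString: () => '"><img src=x onerror=alert(1)>' };

  return {
    href,
    vulnerable,
    leaked: markupParsedAsHtmlAfterNoscript(vulnerable),
    hardened,
    leakedAfterFix: markupParsedAsHtmlAfterNoscript(hardened),
    legacyAttr: addAttributeLegacy('title', payload),
    escapedAttr: addAttribute('title', payload),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Running the block shows the vulnerable render leaking `<script>alert(123)</script>">test</a></noscript>` past the closed noscript, the hardened render leaking nothing, and the legacy attribute renderer emitting `title=""><img ...>` for the toString() object where the escaping renderer keeps it inside the attribute as `&quot;>...`. The check in markupParsedAsHtmlAfterNoscript is also a cheap test to run over server-rendered output in CI if an application must stay on an affected Svelte version.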