Svelte 3.29.1 is a patch release following 3.29.0 of the JavaScript framework that bills itself as "cybernetically enhanced web apps". Both versions share the same package description and developer tooling; the only difference visible in the package metadata is the @sveltejs/eslint-config devDependency, which moves from v5.0.0 to github:sveltejs/eslint-config#v5.4.0, a newer set of linting rules used on the framework's own code base.
Because @sveltejs/eslint-config is a devDependency, it is only used when developing Svelte itself: npm does not install a package's devDependencies for its consumers, so applications that upgrade to 3.29.1 receive no new ESLint rules from this change. The other devDependencies are unchanged, so there is no sign of any change in how the package is transpiled or type-checked.
Notably, the unpackedSize differs significantly between the versions: 2441181 bytes for 3.29.1 against 5984930 bytes for 3.29.0. The root cause cannot be determined from the metadata alone; it is most likely a difference in which files were included in the published tarball, which is worth checking by diffing the two tarballs before reading anything into the number. Svelte remains a compelling choice for fast and efficient web applications, known for compiling components to plain JavaScript at build time rather than shipping a runtime framework.
All vulnerabilities affecting version 3.29.1 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
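The advisory above describes the bug only in terms of its trigger, an object with a custom toString(). The following is an added illustration of that bug class and is not Svelte's own source: it assumes the problem is an attribute escaper that only escapes primitive strings, so that an object slips through unescaped and is later coerced to a string by the template that builds the HTML. The names escapeAttributeValueVulnerable, escapeAttributeValueFixed and renderAnchor are hypothetical.

```javascript
// Added illustration of the CVE class above, not Svelte's source.
// ASSUMPTION: the bug is modelled as an attribute escaper that only escapes
// primitive strings; the real pre-3.49.0 internals are not reproduced here.

const ESCAPED = { '"': '&quot;', "'": '&#39;', '&': '&amp;', '<': '&lt;', '>': '&gt;' };

// Generic HTML escaper: coerces to string first, so an object is escaped
// via its toString() result rather than passed through.
function escape(value) {
  return String(value).replace(/["'&<>]/g, (m) => ESCAPED[m]);
}

// Vulnerable variant: non-strings are returned untouched (meant for
// numbers, booleans and null), which also lets arbitrary objects through.
function escapeAttributeValueVulnerable(value) {
  return typeof value === 'string' ? escape(value) : value;
}

// Hardened variant: objects are escaped too; null, undefined, booleans and
// numbers are still returned as-is for the caller to decide how to render.
function escapeAttributeValueFixed(value) {
  const shouldEscape =
    typeof value === 'string' || (value !== null && typeof value === 'object');
  return shouldEscape ? escape(value) : value;
}

// Minimal SSR-style renderer: the template literal calls toString() on
// whatever the escaper returned, so an unescaped object becomes raw markup.
function renderAnchor(href, escapeAttr) {
  return `<a href="${escapeAttr(href)}">link</a>`;
}

// Constructed attacker-controlled value: a plain object with a custom toString().
const hostileHref = {
  toString() {
    return '"><img src=x onerror=alert(1)>';
  },
};

function demoObjectEscape() {
  return {
    vulnerable: renderAnchor(hostileHref, escapeAttributeValueVulnerable),
    fixed: renderAnchor(hostileHref, escapeAttributeValueFixed),
    benign: renderAnchor('https://example.com/?a=1&b=2', escapeAttributeValueFixed),
  };
}

console.log(demoObjectEscape());
```

The vulnerable output closes the href attribute and injects an img element with an onerror handler; the hardened output renders the same toString() result as inert text inside the attribute, and a benign URL with an ampersand is still escaped correctly. The practical check when auditing an escaping layer is the same one this block performs: feed it a non-string value whose string form contains markup and confirm the markup never reaches the output verbatim.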
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attributes:
" -> &quot;
& -> &amp;
In content:
< -> &lt;
& -> &amp;
The assumption is that an attribute value will always be parsed as an attribute, but in some situations the final DOM tree built by the browser differs from what Svelte expects during server-side rendering, and this can be leveraged for XSS. Specifically, it occurs when malicious content is injected into an attribute inside a <noscript> tag: when scripting is enabled, the HTML parser treats the contents of <noscript> as raw text, so a literal </noscript> sequence inside an attribute value terminates the element regardless of the surrounding quotes, and whatever follows is parsed as ordinary markup.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL:
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
XSS, when using an attribute within a noscript tag
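To make the parsing mismatch concrete, here is an added example that is not Svelte's code. It implements the two escaping rule sets quoted in the advisory, renders the +page.svelte fragment above on the server with the payload from the URL, and then applies a toy model of how a browser with scripting enabled tokenises <noscript> content. The hardened escaper additionally escapes < and > inside attributes; that is an assumption about the shape of the remediation, not a quotation of the 4.2.19 change. All function names (escapeAttrVulnerable, escapeAttrFixed, renderPage, scriptEscapesNoscript, demoNoscript) are hypothetical.

```javascript
// Added illustration of the <noscript> escaping problem; not Svelte's source.

// Content escaping as described in the advisory: < and & only.
function escapeContent(s) {
  return String(s).replace(/[<&]/g, (m) => (m === '<' ? '&lt;' : '&amp;'));
}

// Attribute escaping as described for versions before 4.2.19: " and & only.
// A value may therefore still spell out a complete closing tag.
function escapeAttrVulnerable(s) {
  return String(s).replace(/["&]/g, (m) => (m === '"' ? '&quot;' : '&amp;'));
}

// Hardened attribute escaping (ASSUMPTION about the fix shape): also neutralise
// < and >, so no attribute value can form a tag whatever parsing mode applies.
function escapeAttrFixed(s) {
  const map = { '"': '&quot;', '&': '&amp;', '<': '&lt;', '>': '&gt;' };
  return String(s).replace(/["&<>]/g, (m) => map[m]);
}

// Server-side render of the +page.svelte fragment from the advisory.
function renderPage(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">${escapeContent('test')}</a></noscript>`;
}

// Toy model of a browser with scripting ENABLED: the parser treats everything
// inside <noscript> as raw text and ends the element at the first literal
// "</noscript" it meets, ignoring attribute quoting entirely. Returns the
// markup that the parser will process as normal HTML after that point.
function markupAfterNoscriptWithScripting(html) {
  const open = html.indexOf('<noscript>');
  const close = html.indexOf('</noscript', open + '<noscript>'.length);
  return close === -1 ? '' : html.slice(close).replace(/^<\/noscript\s*>/, '');
}

// Does a <script> element end up outside the raw-text region?
function scriptEscapesNoscript(html) {
  return /<script[\s>]/i.test(markupAfterNoscriptWithScripting(html));
}

// Constructed payload, taken from the URL quoted in the advisory.
const payload = '</noscript><script>alert(123)</script>';

function demoNoscript() {
  const vulnerable = renderPage(payload, escapeAttrVulnerable);
  const fixed = renderPage(payload, escapeAttrFixed);
  return {
    vulnerable,
    fixed,
    vulnerableExecutes: scriptEscapesNoscript(vulnerable),
    fixedExecutes: scriptEscapesNoscript(fixed),
  };
}

console.log(demoNoscript());
```

With the pre-4.2.19 rules the server output is well-formed from the server's point of view (the payload sits inside a quoted attribute), yet the raw-text model finds </noscript> inside that attribute and hands <script>alert(123)</script> to the normal parser. With scripting disabled the same bytes are parsed as regular HTML and the payload stays a harmless attribute value, which is why the advisory classifies this as mutation XSS rather than a plain escaping omission. The hardened escaper leaves no literal < in the attribute, so there is nothing for the raw-text tokenizer to terminate on in either mode.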