Svelte version 3.29.6 is a minor update to the popular JavaScript framework, following closely on the heels of version 3.29.5. Both versions share the same description, "Cybernetically enhanced web apps," reflecting Svelte's focus on performance and developer experience. The devDependencies are identical, indicating no changes to the tools used to develop and test the framework itself; this suggests the update consists of internal improvements, bug fixes, or narrowly targeted enhancements rather than new features or tooling changes.
The key differences are the release date and the unpacked size of the distributed package. Version 3.29.6 was released shortly after 3.29.5, which further suggests a quick fix, and the unpacked size grew slightly from 6001240 bytes to 6001378 bytes. Such a small increase means 3.29.6 contains only a few small additions or changes to the compiled library.
For developers this points to a low-risk update. With identical devDependencies, projects already configured for Svelte development should remain compatible without changes, and the performance characteristics and API should match the previous version, with at most minor bug fixes. The focus remains on building efficient web applications with Svelte's component-based approach and compile-time optimizations.
All vulnerabilities related to version 3.29.6 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attributes:
" -> &quot;
& -> &amp;
In text:
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
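The following is an added example, written for this page and not Svelte's own code, that models both advisories above in a minimal server-side escaper: an attribute helper that only escapes values which are already strings (the object-with-custom-toString() weakness described for versions before 3.49.0) and an attribute escaper that only rewrites `"` and `&` (the rule set listed for versions before 4.2.19), each shown beside a hardened form. The hardened variants are this example's own illustration of the mitigation (coerce objects to strings before escaping; also escape `<` and `>` in attribute values) and are not a copy of the upstream fix. The entity map, the sample object and the helper names are constructed for the example; the href payload is the one from the advisory.

```javascript
// Added example: minimal SSR escaping helpers modelled on the two advisories.
// Not Svelte's code; names and entity map are constructed for illustration.

const ENTITIES = { '"': '&quot;', '&': '&amp;', '<': '&lt;', '>': '&gt;' };

// Text-node escaper: the two rules the advisory lists for text (< and &).
function escapeText(value) {
  return String(value).replace(/[&<]/g, (c) => ENTITIES[c]);
}

// Attribute escaper modelled on the pre-4.2.19 rules: only " and & are escaped,
// so a value can still spell out a closing tag such as </noscript>.
function escapeAttrLegacy(value) {
  return String(value).replace(/[&"]/g, (c) => ENTITIES[c]);
}

// Hardened attribute escaper (this example's mitigation): also escapes < and >,
// so no attribute value can ever contain a literal tag.
function escapeAttrHardened(value) {
  return String(value).replace(/[&"<>]/g, (c) => ENTITIES[c]);
}

// Pre-3.49.0 pattern: only values that are already strings get escaped; anything
// else is passed through and is stringified later by the template literal,
// which invokes the object's own toString() without any escaping.
function attrLegacy(name, value) {
  const rendered = typeof value === 'string' ? escapeAttrLegacy(value) : value;
  return ` ${name}="${rendered}"`;
}

// Hardened pattern: coerce objects to a string *before* escaping, then escape.
function attrHardened(name, value) {
  const mustEscape =
    typeof value === 'string' || (value !== null && typeof value === 'object');
  const rendered = mustEscape ? escapeAttrHardened(String(value)) : value;
  return ` ${name}="${rendered}"`;
}

// Render the <noscript><a href={href}> markup from the advisory's page with a
// given attribute helper.
function renderNoscriptAnchor(href, attr) {
  return `<noscript><a${attr('href', href)}>test</a></noscript>`;
}

// Detection check for the mXSS case: the legitimate </noscript> is the last
// one; any earlier occurrence means a closing tag escaped the attribute.
function containsEarlyNoscriptClose(html) {
  return html.indexOf('</noscript>') !== html.lastIndexOf('</noscript>');
}

// Advisory 1: an object whose toString() returns a string containing a quote
// (constructed sample value, not from the advisory).
function demoToStringBypass() {
  const value = { toString: () => 'x"y' };
  return {
    legacy: attrLegacy('href', value),     // quote survives unescaped
    hardened: attrHardened('href', value), // quote becomes &quot;
  };
}

// Advisory 2: the href payload from the advisory rendered with both escapers.
function demoNoscriptEscape() {
  const href = '</noscript><script>alert(123)</script>';
  return {
    legacy: renderNoscriptAnchor(href, attrLegacy),
    hardened: renderNoscriptAnchor(href, attrHardened),
  };
}

console.log(demoToStringBypass());
console.log(demoNoscriptEscape());
```

Running the script shows the legacy helper emitting ` href="x"y"` for the object and a second `</noscript>` inside the attribute for the advisory payload, while the hardened helper emits `&quot;` and `&lt;/noscript&gt;` respectively. The `containsEarlyNoscriptClose` check is the kind of assertion a test suite for an SSR escaper can run over rendered output to catch regressions of this class.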
XSS when using an attribute within a noscript tag