Svelte version 3.35.0 introduces subtle enhancements and refinements over its predecessor, version 3.34.0. The core functionality is unchanged, but the unpacked size of the package grows slightly, from 6,558,219 bytes to 6,583,816 bytes, which points to internal adjustments such as bug fixes, performance improvements, or small additions that did not warrant a major or minor version bump. The file count within the package also increases slightly, suggesting that the changes touch several modules.
Both versions share the same set of development dependencies, so the development experience is consistent. These dependencies cover code linting (ESLint), bundling (Rollup), testing (Mocha, jsdom), and TypeScript support, reflecting Svelte's use of modern web development tooling. @sveltejs/eslint-config, which enforces code style and flags potential issues in Svelte components, is held at version v5.6.0 for both releases, so stylistic rules are unchanged. The author and license are likewise the same. The release dates indicate a short interval between the two versions, showing active development. Although the changes between versions are not dramatic, staying updated lets developers benefit from the latest fixes and performance tweaks within the Svelte ecosystem. Always review the changelog for details of specific changes.
Vulnerabilities affecting version 3.35.0 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

In attribute values:
    "  ->  &quot;
    &  ->  &amp;
In text content:
    <  ->  &lt;
    &  ->  &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects during server-side rendering. This can be leveraged to perform XSS attacks. More specifically, it can occur when malicious content is injected into an attribute inside a <noscript> tag.
A vulnerable page (+page.svelte):

    <script>
        import { page } from "$app/stores"
        // user input
        let href = $page.url.searchParams.get("href") ?? "https://example.com";
    </script>
    <noscript>
        <a href={href}>test</a>
    </noscript>

If a user accesses the following URL,

    http://localhost:4173/?href=</noscript><script>alert(123)</script>

then alert(123) will be executed.
XSS when using an attribute within a noscript tag
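The following added example (not Svelte's own code) reproduces the attribute-escaping policy described above and contrasts it with a hardened escaper that also neutralises angle brackets, using the query-parameter value from the advisory's URL as input. The function names and the noscriptBreaksOut check are assumptions made for this illustration.

```javascript
// Attribute escaping as described for the affected versions: only '"' and
// '&' are replaced, on the assumption that an attribute value can never
// become markup.
function escapeAttrLegacy(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Hardened variant (an illustration, not Svelte's exact fix): also replace
// '<' and '>' so that an attribute value cannot form a closing tag if the
// browser re-parses the surrounding markup, as with <noscript>.
function escapeAttrHardened(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Renders the <noscript> fragment from the vulnerable page with the given
// attribute escaper, mimicking server-side rendering output.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Defender-side check: the rendered fragment should contain exactly one
// closing </noscript>; a second one means the attribute value broke out.
function noscriptBreaksOut(html) {
  return (html.match(/<\/noscript\s*>/gi) || []).length > 1;
}

// Constructed input: the value of ?href= from the advisory's example URL.
const untrustedHref = "</noscript><script>alert(123)</script>";

const legacyHtml = renderNoscriptLink(untrustedHref, escapeAttrLegacy);
const hardenedHtml = renderNoscriptLink(untrustedHref, escapeAttrHardened);

console.log("legacy   :", legacyHtml, "-> breaks out:", noscriptBreaksOut(legacyHtml));
console.log("hardened :", hardenedHtml, "-> breaks out:", noscriptBreaksOut(hardenedHtml));
```

With the legacy escaper the attribute value survives untouched, so the markup contains two closing noscript tags and a script element; the hardened output keeps everything inside the attribute as entities.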