Svelte 3.38.1 represents a minor but potentially impactful upgrade over its predecessor, version 3.38.0. Both versions share the core characteristics that make Svelte attractive: a component-based approach to building web applications with an emphasis on performance through compile-time transformations. The description "Cybernetically enhanced web apps" remains consistent, highlighting Svelte's goal of creating highly optimized and efficient applications.
While the core development dependencies remain largely unchanged, subtle differences emerge upon closer inspection. The unpackedSize property in the dist object offers a hint that alterations, however small, have been implemented which could impact the size of your resulting application. Svelte developers will appreciate the continuous improvements reflected in these small changes as they may positively affect runtime performance and resource utilization.
The release dates also indicate a quick follow-up release, just one day after 3.38.0, which suggests that version 3.38.1 includes crucial bug fixes or small but significant enhancements. Developers already using Svelte should consider this a recommended update to benefit from these latest fixes. For those new to Svelte, either version provides a solid foundation upon which to construct modern web interfaces; however, the updated release is generally preferable. Both versions come with a comprehensive suite of development dependencies, ensuring a modern and well-supported environment for efficient application creation.
All vulnerabilities related to version 3.38.1 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
- When the string is used in an attribute: " -> &quot; and & -> &amp;
- When the string is used as text content: < -> &lt; and & -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
    import { page } from "$app/stores"
    // user input
    let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
    <a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
XSS, when using an attribute within a noscript tag
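The following is an added example, not code from Svelte or from the advisory, that models the two server-side escaping rules quoted above and shows why the attribute rule alone cannot protect an attribute rendered inside <noscript>: with scripting enabled, browsers treat the contents of <noscript> as raw text, so a `</noscript>` sequence inside an attribute value still ends the element because `<` is never escaped in attribute context. The `escapeAttrHardened` function is this author's own illustration of a safer rule (escaping `<` and `>` in attributes as well) and is not a reproduction of the upstream 4.2.19 patch; the payload string is constructed from the advisory's example URL.

```javascript
// Added example (not Svelte's code). Models the SSR escaping rules quoted in
// the advisory and checks whether a rendered <noscript> fragment leaks an
// extra closing tag.

// Attribute context as described in the advisory: only `&` and `"` are
// escaped. `&` goes first so already-escaped output is not double-escaped.
function escapeAttrAsDescribed(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Text-content context as described in the advisory: only `&` and `<`.
function escapeTextAsDescribed(value) {
  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Hardened attribute escaper (own illustration, not the upstream fix):
// additionally escapes `<` and `>`, so no tag-like sequence reaches the
// markup even if the browser treats the surrounding context as raw text.
function escapeAttrHardened(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Renders the advisory's template <noscript><a href={href}>test</a></noscript>
// with the supplied attribute escaper, mimicking SSR string output.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Detection check: the template contributes exactly one </noscript>; any
// additional occurrence must have come from user data and would terminate
// the <noscript> element early in a scripting-enabled browser.
function leaksNoscriptClose(markup) {
  const closes = markup.match(/<\/noscript>/gi) || [];
  return closes.length > 1;
}

// Constructed input: the payload shape from the advisory's example URL.
const CONSTRUCTED_PAYLOAD = "</noscript><script>alert(123)</script>";

// Stand-alone demonstration of both escapers on the constructed payload.
function demo() {
  const vulnerable = renderNoscriptLink(CONSTRUCTED_PAYLOAD, escapeAttrAsDescribed);
  const hardened = renderNoscriptLink(CONSTRUCTED_PAYLOAD, escapeAttrHardened);
  return {
    vulnerableLeaks: leaksNoscriptClose(vulnerable), // true
    hardenedLeaks: leaksNoscriptClose(hardened),     // false
  };
}
```

Running `demo()` shows that the attribute rule from the advisory leaves `</noscript>` intact inside `href="..."`, while the hardened rule turns every `<` and `>` into an entity, so the only `</noscript>` in the output is the template's own. The same `leaksNoscriptClose` check can be run over SSR output in tests to catch regressions of this pattern.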