Svelte 3.38.3 is a minor update to the Svelte JavaScript framework, a tool known for its "cybernetically enhanced web apps" and its approach of compiling components into highly efficient vanilla JavaScript at build time. Compared with the previous version, 3.38.2, the core functionality and development dependencies remain largely the same, ensuring a smooth transition for developers already working with Svelte. Both versions rely on a robust ecosystem of development tools, including linters (ESLint), bundlers (Rollup), testing frameworks (Mocha), and TypeScript support, reflecting Svelte's commitment to modern development practices.
The key difference lies in the distribution metadata. Version 3.38.3 has a slightly smaller unpacked size (6511471 bytes) and one fewer file than version 3.38.2 (6612383 bytes and 222 files respectively). While seemingly small, this might indicate internal optimizations or adjustments to how the package is structured or bundled. Developers should expect a faster installation time with the latest version. The release date also indicates a more recent build, suggesting bug fixes or incremental improvements. Developers interested in harnessing Svelte's reactivity, component-based architecture, and speed benefits will find both versions solid starting points. The Svelte team's continuous updates, reflected in these version increments, underscore the framework's active maintenance and responsiveness to the evolving needs of web developers.
All vulnerabilities related to version 3.38.3 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
"
-> "
&
-> &
<
-> <
&
-> &
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
  import { page } from "$app/stores";
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
  <a href={href}>test</a>
</noscript>
If a user accesses the following URL, http://localhost:4173/?href=</noscript><script>alert(123)</script> then alert(123) will be executed.
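To make the escaping gap concrete, the following is an added example (not Svelte's own source) that re-implements the two SSR rule sets listed above as plain JavaScript, adds a hardened attribute escaper that also encodes < and >, and provides a check a defender can run over rendered markup to see whether an attribute value was able to terminate a <noscript> block. The function names, the hardened escaper and the sample input are constructed for this illustration.

```javascript
// Svelte SSR escaping rules as listed in the advisory, re-implemented for
// illustration (not Svelte's own code). Attribute values only escape & and ",
// text content only escapes & and <.
const ATTR_ESCAPES = { "&": "&amp;", '"': "&quot;" };
const CONTENT_ESCAPES = { "&": "&amp;", "<": "&lt;" };

function escapeAttr(value) {
  return String(value).replace(/[&"]/g, (c) => ATTR_ESCAPES[c]);
}

function escapeContent(value) {
  return String(value).replace(/[&<]/g, (c) => CONTENT_ESCAPES[c]);
}

// Hardened attribute escaper (an assumed mitigation for this example): also
// encode < and >, so an attribute value never contains a literal tag boundary
// even if the browser re-parses the surrounding context as raw text.
const HARDENED_ESCAPES = { "&": "&amp;", '"': "&quot;", "<": "&lt;", ">": "&gt;" };

function escapeAttrHardened(value) {
  return String(value).replace(/[&"<>]/g, (c) => HARDENED_ESCAPES[c]);
}

// Render the advisory's <noscript><a href={href}>test</a></noscript> fragment
// the way an SSR pass would, using the supplied attribute escaper.
function renderNoscriptLink(href, attrEscaper) {
  return `<noscript><a href="${attrEscaper(href)}">test</a></noscript>`;
}

// Defender's check: with scripting enabled, browsers treat <noscript> content
// as raw text, so the first literal "</noscript>" ends the element. If the
// rendered markup contains more than one "</noscript>", an attribute value was
// able to close the block and everything after it is parsed as ordinary markup.
function attributeBreaksOut(html) {
  return html.indexOf("</noscript>") !== html.lastIndexOf("</noscript>");
}

// Constructed sample input: a benign break-out marker rather than a script.
const SAMPLE_HREF = "</noscript><b>injected</b>";

function demo() {
  return {
    vulnerable: attributeBreaksOut(renderNoscriptLink(SAMPLE_HREF, escapeAttr)),
    hardened: attributeBreaksOut(renderNoscriptLink(SAMPLE_HREF, escapeAttrHardened)),
  };
}
```

Running demo() reports vulnerable: true for the attribute-only rules and hardened: false once < and > are encoded in attribute values as well.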
XSS, when using an attribute within a noscript tag