Svelte 3.39.0 follows the previous stable release, 3.38.3, and its most visible changes are in the compiler's dependencies. Acorn moves from 7.4.0 to 8.4.1, a major-version jump of the JavaScript parser; periscopic (scope analysis) from 2.0.1 to 3.0.4; estree-walker (AST traversal) from 1.0.0 to 3.0.0, two major versions; code-red (the ESTree printer that emits the compiled JavaScript) from 0.1.4 to 0.2.2; and the development-only @sveltejs/eslint-config from 5.6.0 to 5.7.0.
Acorn, periscopic, estree-walker and code-red are the libraries the Svelte compiler uses to parse, analyse, walk and print JavaScript, so these are the bumps most likely to change compiler behaviour: newer Acorn releases add support for newer ECMAScript syntax, and the major-version jumps in estree-walker and periscopic indicate API changes rather than only bug fixes. Because they are compile-time dependencies, they affect the generated output rather than the runtime code shipped to browsers, and the eslint-config change only affects linting during development. The package itself grew slightly (fileCount from 221 to 229, unpackedSize from 6511471 to 6721023 bytes); nothing in these numbers establishes a runtime performance change, so any such gain should be treated as unverified until measured.
All vulnerabilities affecting version 3.39.0 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The svelte package before 3.49.0 is vulnerable to cross-site scripting (XSS) during server-side rendering (SSR) because of improper input sanitization and improper escaping of attribute values: an attribute value that is an object rather than a string is not escaped before it is written into the rendered markup. Exploitation is possible via objects with a custom toString() function, which is invoked when the value is coerced to a string during rendering.
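The following is an added example, not Svelte's own source, that models the escaping flaw described above: an attribute escaper whose type check decides whether escaping happens at all, beside a hardened variant that coerces to a string first. The function names, the renderLink stand-in for compiled SSR output and the payload object are this example's own constructions.

```javascript
// Added example (not Svelte's source): a simplified model of a type-gated SSR
// attribute escaper and how an object with a custom toString() slips past it.

// Minimal HTML escaper shared by both variants below.
function escapeHtml(str) {
  return str
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Vulnerable pattern: only string values are escaped. A non-string value is
// returned untouched and coerced to a string later, when the template
// concatenates it, so whatever toString() returns lands in the markup verbatim.
function escapeAttrTypeGated(value) {
  return typeof value === "string" ? escapeHtml(value) : value;
}

// Hardened pattern: coerce first, escape second. toString() is still invoked,
// but its result goes through the escaper like any other string.
function escapeAttrCoerceFirst(value) {
  return escapeHtml(String(value));
}

// Stand-in (hypothetical) for the compiled SSR output of `<a href={href}>test</a>`.
function renderLink(escapeAttr, href) {
  return `<a href="${escapeAttr(href)}">test</a>`;
}

// Constructed attacker-controlled value: an object, not a string, whose
// toString() closes the attribute and opens a script element.
const payload = {
  toString() {
    return '"><script>alert(1)</script>';
  },
};

const vulnerableHtml = renderLink(escapeAttrTypeGated, payload);
const fixedHtml = renderLink(escapeAttrCoerceFirst, payload);

// Check a rendering test could run: the value must not break out of the
// attribute, i.e. exactly one start tag and no script element in the output.
function attributeIsContained(html) {
  const startTags = (html.match(/<a /g) || []).length;
  return startTags === 1 && !/<script[\s>]/i.test(html);
}

console.log(vulnerableHtml); // <a href=""><script>alert(1)</script>">test</a>
console.log(fixedHtml);      // <a href="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;">test</a>
```

The important design point is that the hardened variant makes no decision based on the value's type: anything that reaches the attribute is stringified and then escaped, so there is no code path in which a value is written out without passing through the escaper.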
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

In attribute values:
  "  ->  &quot;
  &  ->  &amp;

In text content:
  <  ->  &lt;
  &  ->  &amp;

The assumption is that an attribute will always remain an attribute, but in some situations the final DOM tree the browser builds differs from what Svelte expected at server-side rendering time, and this can be leveraged to perform XSS attacks. Specifically, this happens when malicious content is injected into an attribute within a <noscript> tag: a browser with scripting enabled parses the contents of <noscript> as raw text rather than markup, so the first </noscript> it encounters ends the element wherever it sits, even inside a quoted attribute value. Because the attribute rules above leave < untouched, an injected </noscript> survives escaping, and everything after it is parsed as ordinary HTML.
A vulnerable page (+page.svelte):

<script>
  import { page } from "$app/stores";
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then alert(123) will be executed.
Impact: XSS when user-controlled input is rendered into an attribute inside a <noscript> tag.
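The following is an added example, not Svelte's own source, that models the context confusion described above. It implements the attribute rule as listed (escape only " and &) beside a hardened rule that also escapes <, renders the vulnerable page's markup with the payload from the URL above, and simulates the one parsing detail that matters: a browser with scripting enabled treats everything up to the first </noscript> as raw text. The function names and the renderPage stand-in for compiled SSR output are this example's own constructions; the hardened rule is the natural fix, not a claim about which exact change Svelte shipped.

```javascript
// Added example (not Svelte's source): attribute escaping with and without
// `<`, and a crude simulation of <noscript> raw-text parsing in a browser
// where scripting is enabled.

// Attribute rule as described above: only `"` and `&` are escaped.
function escapeAttrNoLt(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Hardened attribute rule: additionally escape `<`, so no tag-like sequence
// can appear inside an attribute value regardless of the browser's context.
function escapeAttrWithLt(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;");
}

// Stand-in (hypothetical) for the compiled SSR output of the vulnerable page.
function renderPage(escapeAttr, href) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Simulates the relevant part of HTML parsing with scripting enabled:
// everything between <noscript> and the FIRST "</noscript>" is raw text
// (no tags, no attributes are recognised), and whatever follows is parsed as
// normal markup again. Returns the markup that ends up after the element.
function markupAfterNoscript(html) {
  const open = html.indexOf("<noscript>");
  if (open === -1) return html;
  const rawStart = open + "<noscript>".length;
  const close = html.indexOf("</noscript>", rawStart);
  if (close === -1) return ""; // raw text runs to the end of the input
  return html.slice(close + "</noscript>".length);
}

// Does a <script> element exist outside the noscript raw text?
function scriptEscapesNoscript(html) {
  return /<script[\s>]/i.test(markupAfterNoscript(html));
}

// Constructed attacker value, identical to the href parameter in the URL above.
const payload = "</noscript><script>alert(123)</script>";

const vulnerableHtml = renderPage(escapeAttrNoLt, payload);
const fixedHtml = renderPage(escapeAttrWithLt, payload);

console.log(vulnerableHtml);
// <noscript><a href="</noscript><script>alert(123)</script>">test</a></noscript>
console.log(markupAfterNoscript(vulnerableHtml));
// <script>alert(123)</script>">test</a></noscript>
console.log(fixedHtml);
// <noscript><a href="&lt;/noscript>&lt;script>alert(123)&lt;/script>">test</a></noscript>
```

Note that the server-side view of the vulnerable output is well-formed: the </noscript> sits inside a quoted attribute and a markup-aware parser never sees it as a tag. The mismatch only appears once the raw-text rule applies, which is why an escaper that reasons about "where am I in the markup" is not enough; escaping < in every context removes the ambiguity altogether.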