Svelte 3.4.0 represents a minor version update over its predecessor, Svelte 3.3.0, offering incremental improvements and refinements for developers building web applications. Both versions maintain the core promise of Svelte: crafting cybernetically enhanced web applications by shifting work from the browser to the compiler. The developer experience remains largely consistent, leveraging the same powerful tools and paradigms for component creation and reactive programming.
The key differences between the two versions are subtle but important. While the dependencies field remains empty for both, indicating no runtime dependencies, the devDependencies might contain minute upgrades intended to improve the developer experience, testing, or build process for Svelte itself. Developers integrating Svelte into their projects will likely not see any dramatic changes in API or core functionality between these versions.
The dist metadata hints at some internal changes: fileCount increases from 20 to 21, and unpackedSize grows slightly, suggesting additions or modifications in the compiled output and internal tooling. These adjustments usually translate to better performance, improved bug fixes, and optimizations, though end-user applications might not display significant differences. Keep in mind that package managers can leverage these details to operate better. Finally, the release date is within a few days, suggesting minor improvements rather than major features. Developers tracking Svelte's evolution should check the official changelog for a comprehensive overview of introduced bug fixes and enhancements.
All the vulnerabilities related to the version 3.4.0 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
" -> "& -> &< -> <& -> &The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then, alert(123) will be executed.
XSS, when using an attribute within a noscript tag