Svelte 3.40.0 is a minor release that follows closely on 3.39.0; both keep the package's stated mission of helping developers build cybernetically enhanced web applications. The package description and the long list of development dependencies are unchanged between the two versions, so the tooling and test environment is consistent and upgrading within the Svelte ecosystem should be seamless. Those dev dependencies cover a wide range of concerns, from linting and code formatting with ESLint and Prettier to module bundling with Rollup and TypeScript support.
A bump from 3.39.0 to 3.40.0 normally signals bug fixes, performance improvements or small feature additions. The unpackedSize grows slightly, from 6721023 to 6736215 bytes, a difference of 15192 bytes that suggests new features or small improvements. Developers should consult the official Svelte changelog or release notes for the precise nature of these changes and how they might affect their projects. The gap between the two releaseDate values shows that 3.40 was released shortly after 3.39. The best way to get the most out of the framework is to check each release for significant improvements to the package.
All vulnerabilities affecting version 3.40.0 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The svelte package before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
"  ->  &quot;
&  ->  &amp;
<  ->  &lt;
&  ->  &amp;
The assumption is that attributes will always stay attributes, but in some situations the final DOM tree the browser builds differs from what Svelte expects during server-side rendering. This can be leveraged to perform XSS attacks; specifically, it occurs when malicious content is injected into an attribute inside a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
    import { page } from "$app/stores"
    // user input
    let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
    <!-- attribute value is only escaped for " and &, so a "<" in it survives -->
    <a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
XSS, when using an attribute within a noscript tag
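As an added illustration (not Svelte's source and not the advisory's code), the following shows the attribute-escaping rules quoted above, a stand-in for the server render of the page, and a check that flags SSR output whose <noscript> body has been broken open; the hardened escaper that also rewrites < and > is an assumed mitigation, not Svelte's exact patch.

```javascript
// Added illustration, not Svelte's implementation.

// Attribute escaping as the advisory describes it: only " and & are rewritten.
function escapeAttrWeak(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Hardened variant (assumption: a defensive rule, not Svelte's exact patch):
// also rewrite < and > so no tag boundary can survive inside an attribute.
function escapeAttrStrict(value) {
  return escapeAttrWeak(value).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Minimal stand-in for the server render of the +page.svelte shown above.
function renderNoscriptLink(href, escape) {
  return `<noscript><a href="${escape(href)}">test</a></noscript>`;
}

// Detection check on SSR output: a browser with scripting enabled treats the
// body of <noscript> as raw text and closes it at the first "</noscript",
// so more closing sequences than opening tags means attacker-controlled
// markup would leave the attribute context.
function noscriptBodyIsIntact(html) {
  const opens = html.match(/<noscript/gi) ?? [];
  const closes = html.match(/<\/noscript/gi) ?? [];
  return opens.length === closes.length;
}

// Constructed input: the same value the advisory's example URL carries.
const hostile = "</noscript><script>alert(123)</script>";

function demo() {
  const weak = renderNoscriptLink(hostile, escapeAttrWeak);
  const strict = renderNoscriptLink(hostile, escapeAttrStrict);
  return {
    weak,
    strict,
    weakIntact: noscriptBodyIsIntact(weak),     // false: boundary broken
    strictIntact: noscriptBodyIsIntact(strict), // true: value stays inert
  };
}
```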