Svelte is a JavaScript compiler that turns declarative components into efficient vanilla JavaScript, a different approach from runtime frameworks such as React or Vue.js. Version 3.40.1 follows closely on 3.40.0, and both describe themselves as delivering "cybernetically enhanced web apps." A quick comparison shows minimal differences: both use the same devDependencies for development, testing and bundling (rollup, typescript and so on). The unpacked size of 3.40.1 is slightly larger than that of 3.40.0 (6738095 vs 6736215), which suggests fine-grained changes such as bug fixes or small optimisations. For developers, upgrading from 3.40.0 to 3.40.1 should therefore be seamless, with benefits limited to edge cases and minor efficiencies. Svelte distinguishes itself by shifting work from the browser to the compile step, resulting in smaller bundles and faster initial load times, which makes it a good fit for performance-critical projects and lightweight web applications.
If you already use Svelte, staying current gives you the most stable and optimised experience; new adopters benefit from Svelte's efficiency and the ease of building interactive user interfaces with it. The unchanged devDependencies between the two versions also point to a stable tooling ecosystem around Svelte, which gives developers confidence in their workflow.
All vulnerabilities related to version 3.40.1 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). The vulnerability can be triggered via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
" -> &quot;
& -> &amp;
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay attributes, but in some situations the final DOM tree rendered by the browser differs from what Svelte expects during server-side rendering. This can be leveraged to perform XSS attacks. More specifically, it can occur when malicious content is injected into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
Impact: XSS when using an attribute within a noscript tag.
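As an added illustration, not Svelte's own source code (which is more involved), the JavaScript below contrasts a simplified attribute escaper carrying the two weaknesses the advisories above describe (a non-string value reaching the output through its own toString(), and a "<" surviving inside an attribute that sits within <noscript>) with a hardened escaper that coerces to a string first and also escapes "<" and ">". The function names escapeAttrLegacy, escapeAttrHardened, renderNoscriptLink and hrefValueIsInert are assumptions for this example; the input value reuses the advisory's own PoC string so the effect of each escaper on it can be checked directly.

```javascript
// Added illustration of SSR attribute escaping; not Svelte's own code.

// Simplified pre-fix behaviour (assumption for this example): only string
// values are escaped, and only " and & are rewritten. A non-string value is
// stringified via its own toString() and emitted as-is, and a "<" inside a
// string survives, which matters inside <noscript>, where a browser with
// scripting enabled treats the content as raw text and re-tokenises it.
function escapeAttrLegacy(value) {
  if (typeof value !== 'string') return `${value}`; // invokes value.toString()
  return value.replace(/["&]/g, (c) => (c === '"' ? '&quot;' : '&amp;'));
}

// Hardened version: stringify first, then escape every character that can
// change the HTML structure in a single pass (so "&" is never double-escaped).
const ATTR_ENTITIES = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
function escapeAttrHardened(value) {
  return String(value).replace(/[&"<>]/g, (c) => ATTR_ENTITIES[c]);
}

// Server-side render of the advisory's <noscript><a href={href}> snippet,
// parameterised on the escaper so both variants can be compared.
function renderNoscriptLink(href, escape) {
  return `<noscript><a href="${escape(href)}">test</a></noscript>`;
}

// Cheap regression check for SSR output: the quoted href value must contain
// no raw angle brackets, otherwise it can close the element it lives in.
function hrefValueIsInert(rendered) {
  const match = /href="([^"]*)"/.exec(rendered);
  if (!match) return false;
  return !/[<>]/.test(match[1]);
}

// Constructed inputs: the advisory's PoC value, once as a plain string and once
// wrapped in an object whose custom toString() returns it.
const POC_STRING = '</noscript><script>alert(123)</script>';
const POC_OBJECT = { toString: () => POC_STRING };

// Stand-alone run: show what each escaper produces for both inputs.
for (const [label, input] of [['string', POC_STRING], ['object', POC_OBJECT]]) {
  const legacy = renderNoscriptLink(input, escapeAttrLegacy);
  const hardened = renderNoscriptLink(input, escapeAttrHardened);
  console.log(`${label} / legacy   inert=${hrefValueIsInert(legacy)}: ${legacy}`);
  console.log(`${label} / hardened inert=${hrefValueIsInert(hardened)}: ${hardened}`);
}
```

The hrefValueIsInert check is the kind of assertion a project can keep in its SSR test suite as a guard against regressions; the actual remediation for the advisories above is to move to the fixed versions named in them (3.49.0 and 4.2.19 respectively).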