Svelte 3.43.1 is a patch release following Svelte 3.43.0; both versions carry the package description "Cybernetically enhanced web apps". The core functionality is unchanged between the two. The differences recorded in this comparison are confined to the development dependencies, that is, the linting and type-checking tooling used to work on Svelte itself, not anything shipped to consumers of the package. Specifically, @typescript-eslint/parser and @typescript-eslint/eslint-plugin move from 4.9.0 to 4.31.2, eslint from 7.15.0 to 7.32.0, and eslint-plugin-import from 2.22.1 to 2.24.2. Upgrades of this kind typically bring bug fixes, security patches and new or changed lint rules. The file count in the distribution tarball rises slightly, from 229 to 233, and the unpacked size from 6933744 to 6935820 bytes; the comparison itself does not say which files account for the difference.
For consumers of the package, moving from 3.43.0 to 3.43.1 is low-risk and should be straightforward, since it is a patch release and the published compiler and runtime are unchanged. The dependency bumps matter mainly to developers working on Svelte itself, who should review their linting configuration and address any new warnings or errors raised by the updated ESLint and TypeScript packages. The release reflects Svelte's practice of keeping its development toolchain current. Note, however, that 3.43.1 is affected by both of the server-side rendering vulnerabilities listed below; the fixes landed in later releases, so projects that use SSR should not stop at this version.
All vulnerabilities affecting version 3.43.1 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The svelte package before 3.49.0 is vulnerable to cross-site scripting (XSS) during server-side rendering (SSR): attribute values are not properly escaped when they are objects rather than strings. The issue can be exploited with an object that defines a custom toString() function, since that function is what supplies the text when the value is concatenated into the rendered markup.
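As an added example (not Svelte's own code, which the page does not reproduce), the following JavaScript models the shape of that bug: an SSR attribute escaper that only touches string values lets a non-string value reach the template literal untouched, where its toString() runs after the escaping step has already happened. The function names and the payload object are constructed for this illustration.

```javascript
// Added example, not Svelte's source: a reduced model of the svelte < 3.49.0
// SSR attribute-escaping bug. All names and the payload are constructed here.

// Attribute escaping: rewrite the characters that can end the attribute
// value or start an entity. `<` is deliberately left alone, matching the
// pre-4.2.19 rules described later on this page.
function escapeAttr(str) {
  return str.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Vulnerable shape: only strings are escaped. An object is passed through
// untouched, and the template literal calls its toString() afterwards,
// so whatever that returns lands in the markup unescaped.
function renderAttrVulnerable(name, value) {
  const escaped = typeof value === "string" ? escapeAttr(value) : value;
  return `${name}="${escaped}"`;
}

// Fixed shape: coerce to a string first, then escape. A custom toString()
// still runs, but its output goes through escapeAttr like any other string.
function renderAttrFixed(name, value) {
  if (value == null) return "";          // omit the attribute entirely
  return `${name}="${escapeAttr(String(value))}"`;
}

// Constructed attacker-controlled value: an object whose toString() returns
// a quote that closes the attribute, then a new element with a handler.
const hostileValue = {
  toString: () => '"><img src=x onerror=alert(1)>',
};

// Plain strings are handled identically by both versions.
const benignValue = 'say "hi" & bye';

// Convenience entry point returning both renderings for comparison.
function demo() {
  return {
    vulnerable: renderAttrVulnerable("title", hostileValue),
    fixed: renderAttrFixed("title", hostileValue),
    benign: renderAttrFixed("title", benignValue),
  };
}
```

The point to take from the two renderings is that the fix is not a different escaping table but an ordering change: coerce, then escape. Any escaper that branches on `typeof value === "string"` has the same hole, because JavaScript will happily stringify the value later, when nothing is watching.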
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
"
-> "
&
-> &
<
-> <
&
-> &
The assumption is that an attribute value will always be parsed as an attribute value, but in some situations the final DOM tree built by the browser differs from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag: when scripting is enabled, the browser treats the contents of <noscript> as raw text rather than as elements, so the "attribute" is never an attribute at all, and a </noscript> sequence inside it ends the raw text, after which the rest of the value is parsed as ordinary markup. Because the attribute rule above does not escape <, that sequence survives server-side rendering intact.
A vulnerable page (+page.svelte):

<script>
  import { page } from "$app/stores"
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
  <a href={href}>test</a>
</noscript>
If a user accesses the following URL, http://localhost:4173/?href=</noscript><script>alert(123)</script> , then alert(123) will be executed.
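As an added example (not Svelte's code; the page does not reproduce the actual fix), the JavaScript below applies the pre-4.2.19 attribute rule to the page's own payload and then runs the result through a deliberately simplified model of a scripting-enabled browser, which treats everything inside <noscript> as raw text until the first </noscript>. A hardened escaper that also rewrites < is included for contrast; it is this example's own choice, not a statement of what Svelte 4.2.19 changed. The parser model and function names are constructed for the illustration.

```javascript
// Added example, not Svelte's source. Models the <noscript> mXSS described
// above; the parser below is a deliberately simplified stand-in for a
// browser with scripting enabled, not a real HTML parser.

// Pre-4.2.19 attribute rule from the advisory: only `"` and `&` change.
function escapeAttrOld(str) {
  return str.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Hardened rule used here for contrast: also rewrite `<`, so the value can
// never contain a literal start or end tag regardless of parse context.
// `>` needs no treatment: it cannot begin a tag on its own.
function escapeAttrHardened(str) {
  return escapeAttrOld(str).replace(/</g, "&lt;");
}

// Server-side rendering of the +page.svelte above, parameterised on the
// attribute escaper so both rules can be compared on the same input.
function renderPage(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Scripting-enabled parse model: from <noscript> up to the first </noscript>
// the browser sees raw text, so no <a> element and no attribute exist there.
// Only markup after that end tag is parsed as elements; this function
// returns the bodies of <script> elements found in that region.
function scriptsExecutedByBrowser(html) {
  const executed = [];
  const open = html.indexOf("<noscript>");
  if (open === -1) return executed;
  const close = html.indexOf("</noscript>", open);
  if (close === -1) return executed;               // raw text runs to EOF
  const afterRawText = html.slice(close + "</noscript>".length);
  const scriptRe = /<script>([\s\S]*?)<\/script>/g;
  let m;
  while ((m = scriptRe.exec(afterRawText)) !== null) executed.push(m[1]);
  return executed;
}

// The page's own payload: the value of ?href= in the URL above.
const attackerHref = "</noscript><script>alert(123)</script>";

// Render with both rules and report what the scripting-enabled model runs.
function demoNoscript() {
  const oldHtml = renderPage(attackerHref, escapeAttrOld);
  const hardenedHtml = renderPage(attackerHref, escapeAttrHardened);
  return {
    oldHtml,
    oldRuns: scriptsExecutedByBrowser(oldHtml),
    hardenedHtml,
    hardenedRuns: scriptsExecutedByBrowser(hardenedHtml),
  };
}
```

With scripting disabled, a real browser parses the <noscript> contents as normal elements, the quote escaping holds, and the same server output is harmless; with scripting enabled, the output above yields a live <script>. One byte stream, two DOM trees, which is what the "m" in mXSS refers to, and why an attribute escaper that does not neutralise < is only safe as long as the value really ends up in an attribute.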
XSS, when using an attribute within a noscript tag