Svelte 3.46.0 is a small step up from its predecessor, 3.45.0. Both versions describe themselves as "cybernetically enhanced web apps" and share the same development dependencies for building and maintaining the Svelte compiler: rollup for bundling, typescript for type checking, and a set of ESLint plugins for linting.
In the package metadata the visible differences are in the dist section, specifically fileCount and unpackedSize. Svelte 3.46.0 ships 235 files with an unpacked size of 7,071,299 bytes; 3.45.0 ships 234 files at 6,981,343 bytes. That is one additional file and roughly 90 KB more unpacked code. Size alone does not say what changed, so treat it as a prompt to read the 3.46.0 changelog rather than as evidence of any particular fix or feature.
For developers, the build workflow and component API are the same in both versions, so the upgrade itself is low effort. The reason to move on from 3.46.0 is concrete: both advisories listed below affect it, since their fixed versions (3.49.0 and 4.2.19) are later. Any application that server-side renders untrusted data on 3.46.0 carries those XSS issues until it upgrades to a fixed release.
All vulnerabilities affecting version 3.46.0 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function: the object is not a string, so it bypasses the escaping step, and its toString() output then lands in the markup unescaped.
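The following is an added example, not Svelte's own source. It is a reduced model of the SSR attribute-escaping path the advisory describes: the pre-3.49.0 escaper is assumed here to check `typeof value === 'string'` and pass any other value straight through to the template literal that assembles the markup, which is where a custom toString() gets called. The `<a title={value}>` component, the `renderVulnerable`/`renderFixed` stand-ins and the payload object are all constructed for the demonstration.

```javascript
// Added example, not Svelte's own source. Reduced model of the SSR attribute
// escaping path described by the advisory above (svelte < 3.49.0). Assumption:
// the escaper checks `typeof value === 'string'` and passes everything else
// through to the template literal that assembles the markup.

const ATTR_ESCAPE = { '"': '&quot;', '&': '&amp;' };

function escapeString(value) {
  return value.replace(/["&]/g, (ch) => ATTR_ESCAPE[ch]);
}

// Vulnerable shape: non-strings skip the escaper. The template literal later
// stringifies them, which invokes the object's own toString().
function escapeAttributeVulnerable(value) {
  return typeof value === 'string' ? escapeString(value) : value;
}

// Hardened shape (what the 3.49.0 fix amounts to): stringify first, escape
// second, so a custom toString() runs before escaping and its quotes are
// neutralised like any other string.
function escapeAttributeFixed(value) {
  return escapeString(String(value));
}

// Hand-written stand-ins for the compiled SSR output of `<a title={value}>link</a>`.
function renderVulnerable(value) {
  return `<a title="${escapeAttributeVulnerable(value)}">link</a>`;
}
function renderFixed(value) {
  return `<a title="${escapeAttributeFixed(value)}">link</a>`;
}

// Constructed attacker-influenced value: not a string, but an object whose
// toString() yields markup that closes the attribute and adds a handler.
const payload = { toString: () => '" onmouseover="alert(1)' };

// The same text as a plain string is escaped by both versions.
const asString = String(payload);

console.log(renderVulnerable(payload)); // <a title="" onmouseover="alert(1)">link</a>
console.log(renderFixed(payload));      // <a title="&quot; onmouseover=&quot;alert(1)">link</a>
console.log(renderVulnerable(asString) === renderFixed(asString)); // true
```

The only difference between the two escapers is the order of the type check and the coercion. Checking the type first lets every non-string value reach the template literal unescaped; coercing first and escaping the result closes the gap regardless of input type. When auditing a custom SSR escaper, look for exactly this `typeof` short-circuit.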
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attributes:
" -> &quot;
& -> &amp;
In text:
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag: with scripting enabled, the browser treats the content of <noscript> as raw text, so the attribute quoting has no effect and a literal </noscript> inside the attribute ends the element. Because attribute escaping does not touch <, that sequence survives serialisation intact.
A vulnerable page (+page.svelte):
<script>
  import { page } from "$app/stores";
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
  <a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed: an XSS triggered through an attribute within a noscript tag.
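The following is an added example, not code from the Svelte project. It models the pre-4.2.19 escaping rules quoted above, renders a hand-written stand-in for the advisory's +page.svelte with the attacker's href, and then consumes the output the way a scripting-enabled HTML parser consumes <noscript> content, so the breakout is visible without a browser. The hardened escaper, which additionally escapes < inside attribute values, is the assumed shape of the fix rather than a copy of Svelte's patch; the `parseNoscriptLikeBrowser` helper is a deliberate simplification of the parser's raw-text handling.

```javascript
// Added example, not from the Svelte project. Models the pre-4.2.19 SSR escaping
// rules quoted above and renders a stand-in for the advisory's +page.svelte so
// the noscript breakout can be seen in the serialised output. Svelte's real SSR
// output is compiled code; the render functions here are hand-written stand-ins.

const ATTR_ESCAPE = { '"': '&quot;', '&': '&amp;' };          // attribute rules
const TEXT_ESCAPE = { '<': '&lt;', '&': '&amp;' };            // text rules
const ATTR_ESCAPE_HARDENED = { ...ATTR_ESCAPE, '<': '&lt;' }; // assumed fix shape

function escapeAttr(value) {
  return String(value).replace(/["&]/g, (c) => ATTR_ESCAPE[c]);
}
function escapeText(value) {
  return String(value).replace(/[<&]/g, (c) => TEXT_ESCAPE[c]);
}
// Hardened variant: '<' can no longer appear literally inside an attribute,
// so "</noscript" cannot be smuggled into the raw-text region.
function escapeAttrHardened(value) {
  return String(value).replace(/["&<]/g, (c) => ATTR_ESCAPE_HARDENED[c]);
}

// Stand-ins for the compiled output of `<noscript><a href={href}>test</a></noscript>`.
function renderPageVulnerable(href) {
  return `<noscript><a href="${escapeAttr(href)}">${escapeText('test')}</a></noscript>`;
}
function renderPageHardened(href) {
  return `<noscript><a href="${escapeAttrHardened(href)}">${escapeText('test')}</a></noscript>`;
}

// Simplified model of how a browser with scripting enabled consumes <noscript>:
// its content is raw text, attribute quotes mean nothing there, and the element
// ends at the first literal "</noscript". Whatever follows is parsed as markup.
function parseNoscriptLikeBrowser(html) {
  const open = html.indexOf('<noscript>') + '<noscript>'.length;
  const close = html.indexOf('</noscript', open);
  const afterClose = html.indexOf('>', close) + 1;
  return { inert: html.slice(open, close), live: html.slice(afterClose) };
}

// Constructed value of the ?href= query parameter from the advisory's URL.
const evilHref = '</noscript><script>alert(123)</script>';

console.log(parseNoscriptLikeBrowser(renderPageVulnerable(evilHref)).live);
// <script>alert(123)</script>">test</a></noscript>
console.log(parseNoscriptLikeBrowser(renderPageHardened(evilHref)).live);
// (empty: the only "</noscript" the parser sees is the real closing tag)
```

The vulnerable output is well-formed from the server's point of view: the quotes balance and the href is just a string. The parser disagrees because raw-text mode does not see quotes at all, which is the "final DOM tree differs from what Svelte expects" in the advisory. Escaping < in attributes removes the mismatch by making sure the raw-text scanner never finds a tag close it should not.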