Svelte 3.46.6 and 3.46.5 are closely related versions of the popular Svelte JavaScript framework, designed for building reactive web applications. Both versions share the core description of "Cybernetically enhanced web apps," highlighting Svelte's focus on performance and developer experience through its unique compile-time approach.
Looking at the package metadata, the devDependencies sections are virtually identical: acorn, jsdom, rollup, @typescript-eslint/parser and the various Rollup plugins all remain at the same versions. Since devDependencies are only used to build and test the svelte package itself, this suggests that its build toolchain did not change between these two patch releases; they have no effect on projects that consume the package.
The main differences are in the dist section: svelte@3.46.6 has a fileCount of 243 and an unpackedSize of 7103843 bytes, while svelte@3.46.5 has a fileCount of 239 and an unpackedSize of 7103568 bytes. Four additional files and 275 extra bytes point to a small change, consistent with a patch release that fixes specific issues rather than one that adds features. The releaseDate also differs: 3.46.6 was published one day after 3.46.5.
For developers, upgrading from 3.46.5 to 3.46.6 is a low-risk move that picks up whatever fixes the patch contains, and because the package's dependency metadata is unchanged it should require no changes to an existing project. Note, however, that 3.46.6 is still affected by both advisories listed below: the first is fixed in 3.49.0 and the second in 4.2.19, so a project that renders untrusted data during server-side rendering should plan a further upgrade rather than stopping at 3.46.6.
All vulnerabilities affecting version 3.46.6 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
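The following is an added example and not Svelte's own source: a reduced model of the SSR attribute-escaping pattern the advisory describes, with the escape applied only to string values beside a hardened version that also escapes objects. The function names (escapeHtml, escapeAttrVulnerable, escapeAttrFixed, renderLink) and the malicious object are assumptions for illustration; the behaviour shown is what the advisory reports.

```javascript
// Added example (not Svelte's own code): why escaping only `typeof value === 'string'`
// is insufficient in server-side rendering. Names are illustrative assumptions.

const ESCAPED = { '"': '&quot;', '&': '&amp;', '<': '&lt;' };
function escapeHtml(value) {
  return String(value).replace(/["&<]/g, (ch) => ESCAPED[ch]);
}

// Vulnerable pattern: only strings are escaped. Any other value is passed through
// untouched and is later coerced by the template literal, which calls a custom
// toString() and splices its output into the markup verbatim.
function escapeAttrVulnerable(value) {
  return typeof value === 'string' ? escapeHtml(value) : value;
}

// Hardened pattern: escape strings and any non-null object, because String(value)
// is what ends up in the markup either way.
function escapeAttrFixed(value) {
  const shouldEscape =
    typeof value === 'string' || (value !== null && typeof value === 'object');
  return shouldEscape ? escapeHtml(value) : value;
}

// Model of the generated SSR code for <a href={href}>x</a>.
function renderLink(href, escapeAttr) {
  return `<a href="${escapeAttr(href)}">x</a>`;
}

// Constructed attacker-controlled value: an object whose toString() closes the
// attribute and the tag, then injects a script element.
const malicious = {
  toString() {
    return '"><script>alert(1)</script><a href="';
  },
};

function demo() {
  return {
    vulnerable: renderLink(malicious, escapeAttrVulnerable),
    fixed: renderLink(malicious, escapeAttrFixed),
    // a plain string with the same content was already escaped before the fix
    plainString: renderLink('"><script>alert(1)</script>', escapeAttrVulnerable),
  };
}

console.log(demo());
```

The point to check in any SSR escaping helper is the type guard, not the character set: a value that is not a string but is interpolated into a template literal is still stringified, so the escape must run on String(value), whatever its type.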
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attribute values:
" -> &quot;
& -> &amp;
In text content:
< -> &lt;
& -> &amp;
Note that < is left untouched inside attribute values.
The assumption is that an attribute value always stays an attribute value, but in some situations the final DOM tree the browser builds differs from what Svelte expects during server-side rendering, and this can be leveraged for XSS. Specifically, it occurs when malicious content is injected into an attribute inside a <noscript> tag: with scripting enabled, the browser treats the content of <noscript> as raw text, so a </noscript> sequence inside an attribute value ends the element and everything after it is parsed as markup.
A vulnerable page (+page.svelte):
<script>
    import { page } from "$app/stores"
    // user input
    let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
    <a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
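The following is an added example, not code from the advisory or from Svelte: it models the pre-4.2.19 escaping rules listed above, renders the +page.svelte shown above with the advisory's payload, and simulates how a scripting-enabled browser tokenizes the content of <noscript> as raw text. The hardened rule shown beside it (also escaping < in attribute values) is this example's own mitigation and is not a statement of what the upstream patch does; function names are assumptions for illustration.

```javascript
// Added example (not Svelte's own code): the advisory's escaping rules, the
// noscript page, and a minimal model of the browser side. Names are illustrative.

// Pre-4.2.19 rules from the advisory: attributes escape " and &, text escapes < and &.
const ATTR_REGEX_OLD = /["&]/g;
const CONTENT_REGEX = /[<&]/g;
// Hardened rule used by this example: attributes additionally escape <.
const ATTR_REGEX_FIXED = /["&<]/g;
const ESCAPED = { '"': '&quot;', '&': '&amp;', '<': '&lt;' };

function escapeHtml(value, isAttr, attrRegex = ATTR_REGEX_OLD) {
  return String(value).replace(isAttr ? attrRegex : CONTENT_REGEX, (c) => ESCAPED[c]);
}

// Model of the SSR output for <noscript><a href={href}>test</a></noscript>.
function renderPage(href, attrRegex) {
  return `<noscript><a href="${escapeHtml(href, true, attrRegex)}">test</a></noscript>`;
}

// With scripting enabled the HTML tokenizer treats the inside of <noscript> as
// RAWTEXT: quotes and tags are not interpreted, and the element ends at the first
// "</noscript" it encounters. Whatever follows is parsed as live markup.
// This is a simplification of that rule, enough to show the mismatch.
function liveMarkupAfterNoscript(html) {
  const open = html.indexOf('<noscript>');
  if (open === -1) return html;
  const bodyStart = open + '<noscript>'.length;
  const close = html.toLowerCase().indexOf('</noscript', bodyStart);
  if (close === -1) return '';
  return html.slice(close + '</noscript>'.length);
}

function containsLiveScript(html) {
  return /<script\b/i.test(liveMarkupAfterNoscript(html));
}

// The advisory's payload, as it arrives in ?href=
const payload = '</noscript><script>alert(123)</script>';

function demo() {
  const vulnerable = renderPage(payload, ATTR_REGEX_OLD);
  const fixed = renderPage(payload, ATTR_REGEX_FIXED);
  return {
    vulnerable,
    fixed,
    liveMarkup: liveMarkupAfterNoscript(vulnerable),
    vulnerableExecutes: containsLiveScript(vulnerable),
    fixedExecutes: containsLiveScript(fixed),
  };
}

console.log(demo());
```

The server-side output of the vulnerable case is a perfectly well-formed attribute from Svelte's point of view; the problem is that the browser never reaches the attribute parser because the raw-text rule for <noscript> runs first. Any escaping scheme that leaves < alone in attributes is exposed to this whenever an element with a raw-text content model surrounds the attribute.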
XSS, when using an attribute within a noscript tag