Svelte 3.49.0 is a minor release focused on refinements and compatibility within the Svelte ecosystem. Compared with the previous stable version, 3.48.0, the notable changes are upgrades to the repository's development dependencies, i.e. the tooling used to lint, type-check and build Svelte itself. Most notably, eslint jumps from 7.32.0 to 8.0.0, bringing newer linting rules and stricter code-quality enforcement. @typescript-eslint/parser and @typescript-eslint/eslint-plugin move from 4.31.2 to 5.22.0, improving TypeScript support and catching more type errors. eslint-plugin-import moves from 2.24.2 to 2.26.0, and eslint-plugin-svelte3 moves from 3.2.1 to 4.0.0.
These updates are under the hood, but they matter for the project's maintainers and contributors. Newer eslint and TypeScript tooling enables more robust static analysis, which helps prevent errors and keep the code base consistent, and staying current with these tools unlocks newer language features and best practices. The eslint-plugin-svelte3 major bump may bring new or improved linting rules specific to Svelte code.
Because these are development dependencies of the Svelte repository rather than runtime dependencies of the package, they affect Svelte's own linting and CI rather than the compiler output installed by consumers; the core runtime did not change drastically in this release. Any increase in unpacked size is therefore more likely to come from small additions to the compiler or supporting libraries than from the tooling itself. Users of 3.49.0 should expect a refined, more reliable release rather than new features.
All vulnerabilities affecting version 3.49.0 of the package
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules (the first two apply to attribute values, the last two to text content):

```
" -> &quot;
& -> &amp;
< -> &lt;
& -> &amp;
```
The assumption is that attributes will always stay attributes, but in some situations the final DOM tree rendered by the browser differs from what Svelte expects during server-side rendering. Because `<` is not escaped inside attribute values, this difference can be leveraged to perform XSS attacks. More specifically, it occurs when malicious content is injected into an attribute within a `<noscript>` tag: with scripting enabled, browsers parse the contents of `<noscript>` as raw text, so an injected `</noscript>` ends the element early and whatever follows is parsed as ordinary markup.
A vulnerable page (`+page.svelte`):

```svelte
<script>
  import { page } from "$app/stores";
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>
```
If a user accesses the following URL,

```
http://localhost:4173/?href=</noscript><script>alert(123)</script>
```

then `alert(123)` will be executed.
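To make the escaping rules and the break-out concrete, here is an added example that is not Svelte's own code and not part of the original advisory. It models the four SSR escaping rules listed above, renders the `<noscript>` page from the advisory with the constructed `href` payload, checks whether the output contains a `</noscript>` that the template did not put there, and contrasts this with a stricter attribute escaper that also encodes `<` and `>`. The stricter escaper is an assumption about the shape of a fix, not a copy of what shipped in Svelte 4.2.19; consult the release for the actual change.

```javascript
// Added example (not Svelte's source): a minimal model of the SSR escaping
// rules described in the advisory, plus a detection check for <noscript>
// break-outs and a stricter attribute escaper for comparison.

// Svelte's SSR rules as listed in the advisory: attribute values escape only
// `"` and `&`; text content escapes only `<` and `&`.
const ATTR_ESCAPES = { '"': "&quot;", "&": "&amp;" };
const CONTENT_ESCAPES = { "<": "&lt;", "&": "&amp;" };

function escapeAttrLegacy(value) {
  return String(value).replace(/["&]/g, (c) => ATTR_ESCAPES[c]);
}

function escapeContent(value) {
  return String(value).replace(/[<&]/g, (c) => CONTENT_ESCAPES[c]);
}

// Stricter attribute escaping (assumption: illustrates the direction of a fix,
// i.e. also encoding `<` in attribute values; `>` is encoded too so that no
// raw-text element such as <noscript> can be closed from inside an attribute).
const STRICT_ESCAPES = { '"': "&quot;", "&": "&amp;", "<": "&lt;", ">": "&gt;" };

function escapeAttrStrict(value) {
  return String(value).replace(/["&<>]/g, (c) => STRICT_ESCAPES[c]);
}

// Render the advisory's page: an <a href> inside <noscript>, using the given
// attribute escaper. The link text goes through content escaping as Svelte's
// SSR would do for it.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">${escapeContent("test")}</a></noscript>`;
}

// Detection check: the template emits exactly one closing </noscript>. Any
// additional one came from user input and, with scripting enabled, ends the
// raw-text <noscript> element early so that the rest is parsed as markup.
function noscriptBreakout(html) {
  const closes = html.match(/<\/noscript\s*>/gi) || [];
  return closes.length > 1;
}

// Constructed payload, taken from the advisory's URL query string.
const PAYLOAD = "</noscript><script>alert(123)</script>";

function demo() {
  const vulnerable = renderNoscriptLink(PAYLOAD, escapeAttrLegacy);
  const hardened = renderNoscriptLink(PAYLOAD, escapeAttrStrict);
  return {
    vulnerable,
    hardened,
    vulnerableBreaksOut: noscriptBreakout(vulnerable), // true
    hardenedBreaksOut: noscriptBreakout(hardened),     // false
  };
}

const result = demo();
console.log("legacy SSR :", result.vulnerable, "| break-out:", result.vulnerableBreaksOut);
console.log("strict SSR :", result.hardened, "| break-out:", result.hardenedBreaksOut);
```

The legacy render leaves the payload byte-for-byte intact because it contains neither `"` nor `&`, so the server believes it emitted a harmless attribute while the browser sees a closed `<noscript>` followed by a live `<script>`. The same `noscriptBreakout` check is a cheap thing to run over SSR output in tests if an application must keep interpolating user data inside `<noscript>` on an unpatched Svelte version.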
XSS, when using an attribute within a noscript tag