Svelte 3.5.2 is a minor patch release following version 3.5.1, both iterations of the "cybernetically enhanced web apps" framework. While the core description and functionality of Svelte remain consistent, subtle shifts in the developer dependencies indicate underlying improvements and refinements in the build and testing processes.
A key difference lies in the @types/node dependency. Version 3.5.2 relaxes the version constraint to =8, whereas 3.5.1 specifies ^10.5.5. This suggests an adjustment in the targeted Node.js environment, potentially broadening compatibility for developers using older Node.js versions. This may matter to developers who maintain legacy systems and want the latest Svelte release that is compatible with those systems without a major upgrade of their environments.
Another noticeable change is the removal of @sveltejs/svelte-repl from the devDependencies of 3.5.2. This could indicate a shift in how the REPL environment is managed or packaged, potentially streamlining the core Svelte package. Although this is only a devDependencies change, it reflects changes in the build tooling or in how the Svelte team packages the library. The fileCount change (187 to 190) and the unpackedSize change (2802330 to 2777881) also hint at internal restructuring, perhaps the removal of unused or duplicated files. Developers should always consult the official Svelte changelog for a comprehensive account of the bug fixes, performance improvements, and new features in each release. These dependency changes nevertheless offer a glimpse into the ongoing evolution of the framework's development ecosystem.
All vulnerabilities affecting version 3.5.2 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attribute values:
" -> &quot;
& -> &amp;
In text content:
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay attributes, but in some situations the final DOM tree rendered by the browser differs from what Svelte expects at server-side rendering time. This may be leveraged to perform XSS attacks. More specifically, this can occur when malicious content is injected into an attribute inside a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores";
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
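The following is an added example, not code from Svelte or from the advisory. It models the two SSR escaping rules listed above (content escapes & and <, attributes escape & and ") and renders the advisory's <noscript> page with them, so the defect is visible: because < is left alone in attribute values, the rendered markup carries a literal </noscript> inside the href, and a browser with scripting enabled, which parses the body of <noscript> as raw text rather than as elements, closes the element at that point. The escapeAttrStrict function is an assumed hardening (also escaping < and > in attribute values), not a statement of how upstream fixed the issue, and closingNoscriptCount is a small check a reviewer could run over rendered output.

```javascript
// Added example: models the SSR escaping rules quoted in the advisory.
// Not Svelte's own code.

// Text-content rule as listed on the page: escape & and <.
function escapeContent(value) {
  return String(value).replace(/[&<]/g, (c) => (c === "&" ? "&amp;" : "&lt;"));
}

// Attribute rule as listed on the page: escape & and " only.
// A literal "<" survives, which is the root of the <noscript> problem.
function escapeAttrLegacy(value) {
  return String(value).replace(/[&"]/g, (c) => (c === "&" ? "&amp;" : "&quot;"));
}

// Assumed hardening (not taken from the page): escape < and > in attributes
// too, so an attribute value can never contain a raw closing tag.
function escapeAttrStrict(value) {
  const map = { "&": "&amp;", '"': "&quot;", "<": "&lt;", ">": "&gt;" };
  return String(value).replace(/[&"<>]/g, (c) => map[c]);
}

// Renders the advisory's page: <noscript><a href={href}>test</a></noscript>
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Check for rendered output: a safe page has exactly one </noscript>.
// With scripting enabled the browser treats the body of <noscript> as raw
// text, so any extra </noscript> ends the element regardless of quoting.
function closingNoscriptCount(html) {
  return (html.match(/<\/noscript>/gi) || []).length;
}

// Constructed input: the value from the advisory's example URL.
const payload = "</noscript><script>alert(123)</script>";

console.log("legacy :", renderNoscriptLink(payload, escapeAttrLegacy));
console.log("strict :", renderNoscriptLink(payload, escapeAttrStrict));
console.log("legacy </noscript> count:",
  closingNoscriptCount(renderNoscriptLink(payload, escapeAttrLegacy)));
console.log("strict </noscript> count:",
  closingNoscriptCount(renderNoscriptLink(payload, escapeAttrStrict)));
```

Running it shows the legacy rendering containing two </noscript> tags (the injected one closes the element early) while the strict rendering contains only one, which is the property a server-side escaper for attribute values inside raw-text elements has to guarantee.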
XSS, when using an attribute within a noscript tag