Svelte versions 3.5.3 and 3.5.2 are closely related, and moving between them should be seamless. Both versions share the same package description, "Cybernetically enhanced web apps," reflecting Svelte's continued focus on building performant web applications. Both versions also list identical dependencies and devDependencies, from testing frameworks like Mocha and c8 to build tools like Rollup and TypeScript, so no tooling upgrades are required when moving between them; the development environment and build process remain the same.
The key difference lies in the release details. Version 3.5.3 was released on June 19, 2019, at 23:45:26.489Z, whereas version 3.5.2 was released earlier the same day at 03:19:37.948Z. The "dist" section, which carries the package details, also shows a small difference in "unpackedSize": 2777995 bytes for version 3.5.3 compared to 2777881 bytes for version 3.5.2. This suggests that version 3.5.3 includes small improvements or bug fixes that slightly increased the package size. For developers, this is most likely a patch release that addresses small issues or optimizations rather than introducing new features, so the upgrade is best treated as a stability improvement; developers are encouraged to upgrade to 3.5.3 to pick up any fixes.
All vulnerabilities affecting version 3.5.3 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attribute values:
" -> &quot;
& -> &amp;
In text content:
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
XSS, when using an attribute within a noscript tag
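As an added illustration (not Svelte's own code and not the project's fix), the attribute escaping rules listed above implemented as plain functions, applied to the advisory's <noscript><a href={href}> template, together with a check a defender can run over SSR output. The hardened variant's extra escaping of `<` and `>` is an assumption of this example.

```javascript
// Added example (not Svelte's code): the advisory's attribute escaping rules,
// a hardened variant, and a check on rendered output.

// Attribute escaping exactly as the advisory lists it: only `"` and `&`.
// `&` goes first so entities produced here are not double-escaped.
function escapeAttrAdvisory(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Hardened variant (assumption of this example, not Svelte's fix): also escape
// `<` and `>`, so an attribute value can never spell out a tag. This matters
// because with scripting enabled a browser treats <noscript> content as raw
// text, so the first `</noscript>` ends the element regardless of quoting.
function escapeAttrHardened(value) {
  return escapeAttrAdvisory(value).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Server-side render of the advisory's template:
// <noscript><a href={href}>test</a></noscript>
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Defender check for SSR output: the template has exactly one <noscript>, so a
// second `</noscript` in the output means user data closed the element early.
function countClosingTags(html, tag) {
  const matches = html.match(new RegExp(`</${tag}\\b`, "gi"));
  return matches ? matches.length : 0;
}

// Constructed inputs: the URL parameter from the advisory and a benign href.
const hostile = "</noscript><script>alert(123)</script>";
const benign = 'https://example.com/?a=1&b="x"';

console.log(renderNoscriptLink(hostile, escapeAttrAdvisory));
// the literal </noscript> survives: countClosingTags(..., "noscript") === 2
console.log(renderNoscriptLink(hostile, escapeAttrHardened));
// &lt;/noscript&gt;... : countClosingTags(..., "noscript") === 1
console.log(escapeAttrAdvisory(benign)); // https://example.com/?a=1&amp;b=&quot;x&quot;
```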