Svelte version 3.6.10 represents a minor update over its predecessor, 3.6.9, focusing on refinements and bug fixes to enhance the developer experience. Both versions share a similar core, offering the promise of "Cybernetically enhanced web apps," emphasizing Svelte's approach to compiling code into highly efficient vanilla JavaScript during the build process, resulting in faster load times and improved runtime performance for web applications.
The package.json of both versions lists identical development dependencies, showing a consistent toolchain for development, testing, and linting: Rollup for bundling, TypeScript for type checking, and ESLint for code quality. The changes are therefore minimal, and most likely limited to bug fixes or small internal adjustments.
The differences are subtle. The dist section shows that version 3.6.10 has a slightly larger unpacked size (2823869 bytes) and a file count of 241, compared to 3.6.9's 2823176 bytes and 240 files. This suggests small additions or adjustments to the compiled output or included assets, consistent with bug fixes or minor enhancements. The release date of July 30, 2019 for 3.6.10, four days after 3.6.9's release on July 26, 2019, indicates a rapid iteration cycle addressing immediate issues. Choosing 3.6.10 is advisable in order to benefit from the latest stability improvements and bug fixes while retaining the core performance characteristics of the Svelte framework.
All known vulnerabilities affecting version 3.6.10 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attribute values:
" -> &quot;
& -> &amp;
In text content:
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by the browser differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
  import { page } from "$app/stores"
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
  <a href={href}>test</a>
</noscript>
If a user accesses the following URL, http://localhost:4173/?href=</noscript><script>alert(123)</script> , then alert(123) will be executed.
XSS, when using an attribute within a noscript tag