Svelte version 3.6.3 is a minor iteration over its predecessor, 3.6.2; both keep the core essence of Svelte as a cybernetically enhanced framework for building web applications. Examining the package metadata, the primary differences lie in the distribution details and release timing, with no apparent changes in dependencies or development dependencies. Version 3.6.3 was released on July 2nd, 2019, while 3.6.2 came out on June 29th, 2019, a short interval between releases. The unpacked size of version 3.6.3 is slightly larger, at 2817299 bytes compared to 2815594 bytes for version 3.6.2, suggesting some internal adjustments or additions were made, albeit not reflected in explicit dependency updates.
For developers, these small changes usually imply bug fixes, performance improvements, or minor feature tweaks rather than breaking changes. If using Svelte, upgrading from 3.6.2 to 3.6.3 should be a straightforward process. While neither version introduces significant alterations to the core API or development workflow, utilizing the most recent patch release is recommended to benefit from the latest optimizations and resolutions. Considering Svelte's nature as a compiler that shifts work to the build step, such subtle upgrades contribute to a more refined and efficient experience resulting in faster and lighter web apps. Always refer to the official Svelte changelog for detailed specifics on version updates when migrating between different versions.
All vulnerabilities related to version 3.6.3 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attribute values:
" -> &quot;
& -> &amp;
In text content:
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay attributes, but in some situations the final DOM tree rendered by the browser differs from what Svelte expected during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
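The following is an added example, not Svelte's own code, that models the escaping behaviour described in both advisories above (the toString() bypass before 3.49.0 and the noscript mXSS before 4.2.19) and puts a hardened variant beside it. The reason the noscript case breaks is a browser parsing rule: when scripting is enabled, the body of a noscript element is parsed as raw text that ends at the first closing noscript tag, so the attribute context the server assumed no longer exists and whatever follows is parsed as ordinary markup. Escaping only double quotes and ampersands in attribute values therefore cannot prevent the breakout; the hardened variant also escapes angle brackets. The legacy escape skipping non-string values is an assumption used to model what the first advisory describes, and all function names (escapeWeak, escapeHardened, renderNoscriptLink, findUnescapedLtInAttributes, demo) are invented for this illustration.

```javascript
// Added example (not Svelte's own code). Entity table shared by both escapes.
const ENTITY = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };

// Weak escape, following the rule set the mXSS advisory lists: attribute
// values get " and & replaced, text content gets < and & replaced.
// Assumption (modelling the toString() advisory): non-string values are
// returned untouched, so their custom toString() runs later, unescaped.
function escapeWeak(value, isAttr) {
  if (typeof value !== 'string') return value;
  const re = isAttr ? /[&"]/g : /[&<]/g;
  return value.replace(re, (ch) => ENTITY[ch]);
}

// Hardened escape: coerce to string first (objects with a custom toString()
// are escaped like any other string), then escape &, ", < and > in every
// context, so an attribute value can never close the enclosing element even
// if the browser re-parses the surrounding markup (the <noscript> case).
function escapeHardened(value) {
  return String(value).replace(/[&"<>]/g, (ch) => ENTITY[ch]);
}

// Renders the advisory's +page.svelte snippet: an <a> inside <noscript>.
// The string concatenation is where an object's toString() gets invoked if
// the escape let the object through.
function renderNoscriptLink(href, escapeFn) {
  return '<noscript><a href="' + escapeFn(href, true) + '">test</a></noscript>';
}

// Defender's check on rendered SSR output: collect double-quoted attribute
// values that still contain a raw '<'. Any hit means the escape did not cover
// the character that lets an attribute value turn into a closing tag.
function findUnescapedLtInAttributes(html) {
  const bad = [];
  const re = /="([^"]*)"/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].includes('<')) bad.push(m[1]);
  }
  return bad;
}

// Constructed inputs: the URL parameter value from the advisory above, and an
// object with a custom toString() as the first advisory describes.
const NOSCRIPT_BREAKOUT = '</noscript><script>alert(123)</script>';
const OBJECT_VALUE = { toString() { return 'a"b'; } };

// Renders each input with both escapes so the difference can be inspected.
function demo() {
  return {
    weakNoscript: renderNoscriptLink(NOSCRIPT_BREAKOUT, escapeWeak),
    hardenedNoscript: renderNoscriptLink(NOSCRIPT_BREAKOUT, escapeHardened),
    weakObject: renderNoscriptLink(OBJECT_VALUE, escapeWeak),
    hardenedObject: renderNoscriptLink(OBJECT_VALUE, escapeHardened),
  };
}

const out = demo();
console.log('weak   :', out.weakNoscript, findUnescapedLtInAttributes(out.weakNoscript));
console.log('hardened:', out.hardenedNoscript, findUnescapedLtInAttributes(out.hardenedNoscript));
console.log('object, weak   :', out.weakObject);
console.log('object, hardened:', out.hardenedObject);
```

With the weak escape the rendered attribute contains the closing noscript tag verbatim and the check reports it; with the hardened escape every angle bracket is an entity and the check returns nothing. The object case shows the second failure mode: the weak path returns the object unchanged and the later concatenation emits the raw double quote from its toString(), while the hardened path escapes it. A practical takeaway for SSR code review is to look for escape helpers that branch on typeof, and for attribute escapes that leave angle brackets alone.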
XSS, when using an attribute within a noscript tag