Svelte version 3.6.4 presents a minor update over its predecessor, 3.6.3, primarily focusing on refinements and dependency adjustments to enhance the developer experience. Both versions share the core "Cybernetically enhanced web apps" ethos, offering a compiler-based approach to building fast and efficient web applications.
Looking at the differences, the key changes reside in the devDependencies. Version 3.6.4 updates eslint from 5.16.0 to 6.0.1 and eslint-plugin-import from 2.17.3 to 2.18.0, bringing in potential improvements and new rules for code linting and import handling. Furthermore, @typescript-eslint/parser and @typescript-eslint/eslint-plugin are upgraded from 1.9.0 to 1.11.0, indicating enhancements in TypeScript linting and parsing capabilities and a more robust development process. fileCount also increased by 1 and unpackedSize by 408, both of which are probably related to the devDependency updates.
For developers, these updates translate to a smoother and more consistent coding experience, especially when working with larger TypeScript projects. The improved linting rules can help catch potential errors early on, making the codebase more maintainable. While the core functionality of Svelte remains consistent between these versions, the updated development dependencies in 3.6.4 provide a slightly more modern and refined toolset for building performant web applications. Svelte continues to enable developers to write less boilerplate code and ship highly optimized applications by shifting the work from the browser to the compilation step.
All vulnerabilities affecting version 3.6.4 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

In attributes:
" -> &quot;
& -> &amp;

In text content:
< -> &lt;
& -> &amp;

The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by the browser differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):

<script>
  import { page } from "$app/stores";
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>
If a user accesses the following URL:

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then alert(123) will be executed.
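The following is an added example, not Svelte's own source code, that models the parser mismatch behind this advisory. The two escapers implement the attribute and text-content rule sets listed above as the advisory describes them; browserViewWithScripting models how a scripting-enabled browser tokenizes a noscript element (its content is raw text up to the first closing tag, after which markup parsing resumes), and escapeAttrHardened shows the defensive choice of also escaping < and > in attribute values so a value can never open or close a tag regardless of the context the browser ends up parsing it in. All function names are this example's own, the rendered template is a hand-written stand-in for what the +page.svelte above would emit, and the sample payload is the one from the advisory; both escapers coerce with String() so that non-string values (the custom toString() case from the earlier advisory) are escaped rather than concatenated raw.

```javascript
// Pre-fix attribute rule set as described in the advisory (model, not Svelte code).
function escapeAttrLegacy(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Text-content rule set as described in the advisory.
function escapeText(value) {
  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Hardened attribute escaper: '<' and '>' are neutralised too, so an attribute
// value that the browser later re-parses as text or markup cannot form a tag.
function escapeAttrHardened(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Stand-in for the SSR output of the vulnerable template (constructed).
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Model of a scripting-enabled browser: <noscript> content is RAWTEXT, so the
// tokenizer stops at the FIRST "</noscript>" it sees, whatever the server
// thought the attribute boundaries were, and parses the remainder as markup.
function browserViewWithScripting(html) {
  const openTag = "<noscript>";
  const closeTag = "</noscript>";
  const open = html.indexOf(openTag);
  const close = html.indexOf(closeTag, open + openTag.length);
  return {
    rawText: html.slice(open + openTag.length, close),
    liveMarkup: html.slice(close + closeTag.length),
  };
}

// Detection check: would the markup the browser actually parses contain a
// <script> tag that the template itself never emitted?
function executesScript(html) {
  return /<script\b/i.test(browserViewWithScripting(html).liveMarkup);
}

// Sample payload taken from the advisory text above.
const ADVISORY_PAYLOAD = "</noscript><script>alert(123)</script>";

// Stand-alone demonstration.
const legacy = renderNoscriptLink(ADVISORY_PAYLOAD, escapeAttrLegacy);
const hardened = renderNoscriptLink(ADVISORY_PAYLOAD, escapeAttrHardened);
console.log("legacy escaping executes script:", executesScript(legacy));     // true
console.log("hardened escaping executes script:", executesScript(hardened)); // false
```

The server-side view of the legacy output is a single <a> element whose href merely contains angle brackets; the browser-side view is a noscript element whose raw text ends at the injected closing tag, followed by a live script element. Escaping < in attribute values (as escapeAttrHardened does) removes the possibility of that second reading, which is why auditing an SSR escaper should cover every character that any later parser context could treat as structural, not only the ones meaningful in the context the server assumes.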
XSS, when using an attribute within a noscript tag