Svelte 3.6.6 is a minor patch release following version 3.6.5 in the Svelte framework, a tool for building performant web applications that shifts work into a compile step. Both versions share the same core description: "Cybernetically enhanced web apps," highlighting Svelte's focus on optimized performance and developer experience. Version 3.6.6 builds upon the foundation established in 3.6.5, keeping the developer dependencies consistent. These dependencies include tools critical for development workflows, such as rollup for bundling, typescript for type checking, eslint for code linting, and testing frameworks like mocha and jsdom. This ensures a consistent development environment across these closely released versions.
The small version bump suggests that 3.6.6 addresses minor bug fixes, performance tweaks, or documentation updates, so developers upgrading from 3.6.5 can anticipate a smooth transition. While the core feature set remains the same, upgrading provides the latest improvements and resolutions. Svelte is appealing in general for its component-based architecture, reactivity, and ability to compile to highly optimized JavaScript. Because the development dependencies are unchanged between these versions, established build pipelines and tooling configurations can continue to be used. The key benefits of Svelte remain the same: reduced bundle sizes, faster runtime performance, and a declarative approach to building user interfaces. For existing projects this is a straightforward upgrade with minimal risk, containing mainly minor improvements.
All vulnerabilities related to version 3.6.6 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
" -> &quot; (when rendering attribute values)
& -> &amp; (when rendering attribute values)
< -> &lt; (when rendering text content)
& -> &amp; (when rendering text content)
Note that < and > are left untouched inside attribute values. The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by the browser differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag: with scripting enabled, the browser treats the content of <noscript> as raw text, so a </noscript> sequence inside the attribute value ends the element early and what follows is parsed as markup.
A vulnerable page (+page.svelte):
    <script>
      import { page } from "$app/stores"
      // user input
      let href = $page.url.searchParams.get("href") ?? "https://example.com";
    </script>
    <noscript>
      <a href={href}>test</a>
    </noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
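As an added example (the editor's own JavaScript, not Svelte's source), the following models the two attribute escaping rules listed above and shows why they are insufficient for an attribute inside <noscript>. The escapeAttrHardened function is an illustrative hardening that also rewrites < and >; it is an assumption for the example, not the project's actual patch.

```javascript
// Attribute escaping as described in the advisory: only `"` and `&` are
// rewritten, so tag-like sequences survive inside the attribute value.
function escapeAttrLegacy(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Hardened attribute escaping (editor's illustration, not Svelte's code):
// additionally rewrite `<` and `>`, so no `</noscript` can appear in the
// rendered attribute value. `&` is replaced first to avoid double-escaping.
function escapeAttrHardened(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Renders the advisory's +page.svelte template shape with a given escaper.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// With scripting enabled, browsers treat <noscript> content as raw text and
// end it at the first `</noscript` sequence. This check models that: does
// the markup between the outer <noscript> and </noscript> contain one?
function noscriptClosesEarly(html) {
  const open = html.indexOf("<noscript>") + "<noscript>".length;
  const inner = html.slice(open, html.lastIndexOf("</noscript>"));
  return /<\/noscript/i.test(inner);
}

// Constructed sample inputs: the advisory's payload shape and a benign href.
const PAYLOAD = "</noscript><script>alert(123)</script>";
const BENIGN = "https://example.com";

// Summary a test or log line can consume: true means the legacy rules let
// the attribute break out of <noscript> while the hardened rules do not.
function demonstrate(href) {
  return {
    legacyBreaksOut: noscriptClosesEarly(renderNoscriptLink(href, escapeAttrLegacy)),
    hardenedBreaksOut: noscriptClosesEarly(renderNoscriptLink(href, escapeAttrHardened)),
  };
}
```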
XSS, when using an attribute within a noscript tag