Svelte version 3.6.9 represents a minor update over its predecessor, 3.6.8, offering subtle improvements and refinements to this popular JavaScript framework for building reactive web applications. Both versions share the same core description: "Cybernetically enhanced web apps," highlighting Svelte's focus on performance and developer experience. Examining the package.json files reveals no changes in the declared dependencies or devDependencies. This stability suggests that the core tooling and development environment remain consistent between the two versions, ensuring a smooth upgrade process for existing Svelte projects.
However, digging deeper, the dist object exposes differences. While both versions maintain an equal fileCount of 240, the unpackedSize shows a slight increase from 2,823,139 bytes in 3.6.8 to 2,823,176 bytes in 3.6.9. This marginal growth hints at internal code adjustments or minor asset additions, possibly bug fixes or performance tweaks, rather than extensive feature implementations. Crucially, 3.6.9 was released on July 26, 2019, just three days after 3.6.8 (July 23rd, 2019). This short release window implies the update likely addresses critical issues or security vulnerabilities discovered soon after the previous version's release. For developers, this suggests upgrading to 3.6.9 is advisable to benefit from the latest fixes and stability improvements, although the changes are not drastic. Svelte's commitment to frequent and incremental improvements ensures a robust and refined experience for crafting performant web applications.
All vulnerabilities affecting version 3.6.9 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
Attribute values:
  "  ->  &quot;
  &  ->  &amp;
Text content:
  <  ->  &lt;
  &  ->  &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):

    <script>
      import { page } from "$app/stores"
      // user input
      let href = $page.url.searchParams.get("href") ?? "https://example.com";
    </script>
    <noscript>
      <a href={href}>test</a>
    </noscript>
If a user accesses the following URL,

    http://localhost:4173/?href=</noscript><script>alert(123)</script>

then alert(123) will be executed.

Impact: XSS when using an attribute within a noscript tag.
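Added example (not Svelte's own source): the escaping rules quoted above modelled in plain JavaScript, next to a hardened attribute escaper that also converts "<" so an attribute value can never spell out a closing tag, and a server-side check for a closing tag surviving inside the noscript block. The hardened variant is an assumption about the intended fix, not the upstream code, and the sample input is constructed.

```javascript
// Entity map for the three characters the advisory's rules touch.
const ESCAPE_MAP = { '"': '&quot;', '&': '&amp;', '<': '&lt;' };

// Pre-fix behaviour as described in the advisory: attribute values only
// escape & and ", so a literal "<" survives into the rendered attribute.
function escapeAttrVulnerable(value) {
  return String(value).replace(/[&"]/g, (c) => ESCAPE_MAP[c]);
}

// Hardened variant (assumption: mirrors the fix's intent, not Svelte's
// exact code): "<" is escaped in attributes as well, so a browser can
// never see a "</noscript>" sequence originating from attribute data.
function escapeAttrHardened(value) {
  return String(value).replace(/[&"<]/g, (c) => ESCAPE_MAP[c]);
}

// Text-content escaping: & and < (same in both variants).
function escapeContent(value) {
  return String(value).replace(/[&<]/g, (c) => ESCAPE_MAP[c]);
}

// Render the <noscript> fragment from the vulnerable page with a chosen
// attribute escaper, as SSR would emit it (href={href} becomes href="...").
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Defender-side check on the SSR output: does anything between the outer
// <noscript> and </noscript> contain a raw closing tag? If so, the browser's
// parse will diverge from the tree the server assumed.
function containsPrematureClose(html) {
  const inner = html.slice('<noscript>'.length, -'</noscript>'.length);
  return /<\/noscript/i.test(inner);
}

// Constructed sample input with the same shape as the advisory's parameter.
const SAMPLE_HREF = '</noscript><i>injected</i>';

function demo() {
  const vulnerable = renderNoscriptLink(SAMPLE_HREF, escapeAttrVulnerable);
  const hardened = renderNoscriptLink(SAMPLE_HREF, escapeAttrHardened);
  return {
    vulnerable,
    hardened,
    vulnerableBreaksOut: containsPrematureClose(vulnerable), // true
    hardenedBreaksOut: containsPrematureClose(hardened),     // false
  };
}
```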