Svelte 3.7.0 represents a subtle but important step forward from version 3.6.11 in the ongoing development of this increasingly popular JavaScript framework, designed to compile component logic directly into optimized, vanilla JavaScript at build time, resulting in highly performant web applications. While the core description — "Cybernetically enhanced web apps" — remains unchanged, reflecting Svelte's focus on optimized and efficient web development, a closer inspection reveals key differences for developers.
Both versions share an identical set of dependencies and development dependencies, pointing to a consistent development environment and toolchain built around tools like Rollup, TypeScript, and ESLint. This stability ensures a smooth upgrade path for developers already working with Svelte. However, the dist object shows differences in file count and unpacked size. Svelte 3.7.0 has 193 files and an unpacked size of 2,807,476 bytes, while Svelte 3.6.11 has 240 files and an unpacked size of 2,829,200 bytes. This suggests that the newer version consolidated files and removed unused code, even though the reduction in unpacked size is modest.
From a developer's perspective, the upgrade from 3.6.11 to 3.7.0 should be relatively seamless, focusing on underlying improvements rather than breaking API changes. The reduction in file count in 3.7.0 could lead to faster install times and a smaller footprint in deployment environments. Svelte's focus on moving the heavy lifting to compile time means that users benefit from these improvements without any runtime overhead, leading to snappier user experiences in the compiled applications.
All the vulnerabilities related to version 3.7.0 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules (the right-hand sides were entity-decoded during extraction and are restored here; the grouping into attribute values and element content reflects Svelte's two escaping modes):
In attribute values:
" -> &quot;
& -> &amp;
In element content:
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL:
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
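An added illustration (not Svelte's own code, and not the upstream patch): it models the two escaping modes described above, renders the page's <noscript> link with each, and checks whether an attribute value would terminate the raw-text <noscript> element. The hardened variant, which also escapes < in attribute values, is an assumed defence, and the sample input is the advisory's URL parameter, URL-decoded.

```javascript
// Escaping as the advisory describes it: attribute values only escape
// `"` and `&`; element content only escapes `<` and `&`.
function escapeDescribed(value, isAttr) {
  const str = String(value);
  return isAttr
    ? str.replace(/[&"]/g, (ch) => (ch === '&' ? '&amp;' : '&quot;'))
    : str.replace(/[&<]/g, (ch) => (ch === '&' ? '&amp;' : '&lt;'));
}

// Hardened variant (assumed defence, not necessarily what upstream shipped):
// also escape `<` in attribute values, so no end tag such as </noscript> can be
// assembled from attribute text whatever parsing mode the browser applies.
function escapeHardened(value, isAttr) {
  const str = String(value);
  const attr = (ch) => (ch === '&' ? '&amp;' : ch === '"' ? '&quot;' : '&lt;');
  return isAttr
    ? str.replace(/[&"<]/g, attr)
    : str.replace(/[&<]/g, (ch) => (ch === '&' ? '&amp;' : '&lt;'));
}

// Server-side render of the vulnerable page's markup with a chosen escaper.
function renderNoscriptLink(href, escape) {
  return `<noscript><a href="${escape(href, true)}">test</a></noscript>`;
}

// Detection check: with scripting enabled, browsers treat <noscript> content as
// raw text, so the first literal "</noscript" inside it ends the element, even
// if the server thought it was inside an attribute. Report a breakout when the
// first closing tag found is not the one the template itself emitted last.
function hasNoscriptBreakout(html) {
  const open = html.indexOf('<noscript>');
  if (open === -1) return false;
  const inner = html.slice(open + '<noscript>'.length).toLowerCase();
  const first = inner.indexOf('</noscript');
  return first !== -1 && first !== inner.lastIndexOf('</noscript');
}

// Constructed input: the advisory's href parameter after URL decoding.
const userInput = '</noscript><script>alert(123)</script>';

console.log('described escaping breaks out:',
  hasNoscriptBreakout(renderNoscriptLink(userInput, escapeDescribed)));
console.log('hardened escaping breaks out:',
  hasNoscriptBreakout(renderNoscriptLink(userInput, escapeHardened)));
```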
XSS when using an attribute within a noscript tag