Svelte version 3.8.0 introduces subtle but impactful changes compared to its predecessor, 3.7.1, mainly around developer experience and tooling. Both versions share the same package description, "Cybernetically enhanced web apps", and the key differences lie in their development dependencies: most remain the same, but 3.8.0 drops the ts-node dev dependency, which suggests an adjustment to the build or test process.
For developers, this most likely means revised workflows or configurations when contributing to the Svelte core or building custom tooling around it; the component-authoring API is unchanged, so the upgrade should be smooth for most users. Both versions rely on the same suite of development tools: Rollup for bundling, TypeScript for type checking, ESLint for linting, and Rollup plugins for code transformation and optimisation, including rollup-plugin-typescript, @typescript-eslint/parser and @typescript-eslint/eslint-plugin, to keep the code base maintainable.
Although the day-to-day development experience should remain familiar, the version bump indicates internal refinements to the Svelte compiler and its tooling. Review the official Svelte changelog for 3.8.0 for the complete list of changes and any breaking changes, particularly those affecting custom tooling or build processes. The unpacked package size also increases slightly.
All known vulnerabilities affecting version 3.8.0 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 (a range that includes 3.8.0) is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attribute values when objects are rendered during SSR (Server-Side Rendering). Exploitation is possible via objects with a custom toString() function: a non-string value is not escaped, but is still stringified when it is interpolated into the attribute.
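To make the toString() issue concrete, here is an added example (not Svelte's source code) that models the pre-3.49.0 behaviour the advisory describes: an SSR attribute helper that escapes only string values and passes everything else through, so an object whose toString() returns attribute-breaking text reaches the markup unescaped once the template literal stringifies it, beside a fixed variant that escapes objects too. The names escapeAttr, escapeAttrOld, escapeAttrFixed, renderLink and attributeNames, and the hostile input, are this example's own assumptions.

```javascript
// Added example: a model of Svelte 3 SSR attribute escaping before and after
// 3.49.0. Function names and the sample input are this example's own, not
// Svelte's source.

// The escape step itself: inside attribute values, & and " are replaced.
function escapeAttr(str) {
  return str.replace(/[&"]/g, (ch) => (ch === '&' ? '&amp;' : '&quot;'));
}

// Pre-3.49.0 shape: only strings are escaped. Any other value passes through
// untouched and is stringified later by the template literal that builds the tag.
function escapeAttrOld(value) {
  return typeof value === 'string' ? escapeAttr(value) : value;
}

// Fixed shape: strings and objects (which will be stringified via toString())
// are both converted with String() first and then escaped.
function escapeAttrFixed(value) {
  const shouldEscape = typeof value === 'string' || (value && typeof value === 'object');
  return shouldEscape ? escapeAttr(String(value)) : value;
}

// The SSR output of a component like `<a href={href}>link</a>`.
function renderLink(href, escapeAttrValue) {
  return `<a href="${escapeAttrValue(href)}">link</a>`;
}

// Names of the double-quoted attributes a tokenizer would see on the tag.
// Used to tell "one href attribute" apart from "href plus an injected handler".
function attributeNames(html) {
  const names = [];
  for (const m of html.matchAll(/\s([a-z]+)="([^"]*)"/gi)) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Constructed attacker-controlled value: not a string, but an object whose
// toString() closes the href attribute and opens an event handler attribute.
const hostileObject = {
  toString() {
    return '" onmouseover="alert(1)';
  },
};

const vulnerableHtml = renderLink(hostileObject, escapeAttrOld);
// <a href="" onmouseover="alert(1)">link</a>

const fixedHtml = renderLink(hostileObject, escapeAttrFixed);
// <a href="&quot; onmouseover=&quot;alert(1)">link</a>

// The same text passed as a plain string was always escaped, even before the fix.
const stringHtml = renderLink('" onmouseover="alert(1)', escapeAttrOld);
```

The point to take from this is that the vulnerable guard is a type check rather than a content check: anything that is not already a string skips escaping, yet the template literal still calls toString() on it. The fixed variant decides based on whether the value will end up in the markup at all, and escapes after stringification.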
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
    in attribute values: " -> &quot; and & -> &amp;
    in text content: < -> &lt; and & -> &amp;
Note that < is left unescaped inside attribute values. The assumption is that an attribute value always stays an attribute value, but in some situations the DOM tree the browser builds differs from what Svelte expects during server-side rendering, and this can be leveraged to perform XSS attacks. Specifically, it occurs when malicious content is injected into an attribute inside a <noscript> tag: when scripting is enabled, the browser treats the content of <noscript> as raw text, so the first </noscript> it encounters, even one sitting inside a quoted attribute value, closes the element, and whatever follows is parsed as live HTML.
A vulnerable page (+page.svelte):

    <script>
      import { page } from "$app/stores";
      // user input
      let href = $page.url.searchParams.get("href") ?? "https://example.com";
    </script>

    <noscript>
      <a href={href}>test</a>
    </noscript>
If a user accesses the following URL, http://localhost:4173/?href=</noscript><script>alert(123)</script> then alert(123) will be executed.
XSS, when using an attribute within a noscript tag
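As an added walk-through (example code, not Svelte's implementation), the script below models the two escaping rule sets described above, renders the vulnerable +page.svelte for the advisory's payload, and then applies the tokenisation rule a scripting-enabled browser uses for <noscript> (raw text up to the first </noscript) to show which markup escapes the element. The hardened variant additionally escapes < inside attribute values, which is the behaviour of Svelte 4.2.19 and later; the function names, the renderPage template and the simplified parser model are this example's own assumptions.

```javascript
// Added example: a model of Svelte 4 SSR escaping before 4.2.19, the
// <noscript> break-out it allows, and a hardened variant. Function names and
// the parser model below are this example's assumptions, not Svelte's source.

// Pre-4.2.19 rules: attribute values escape & and " only; text content
// escapes & and <. Note that < survives untouched inside attribute values.
function escapeSvelte4(value, isAttr = false) {
  const pattern = isAttr ? /[&"]/g : /[&<]/g;
  return String(value).replace(pattern, (ch) =>
    ch === '&' ? '&amp;' : ch === '"' ? '&quot;' : '&lt;'
  );
}

// Hardened rules: < is escaped in attribute values as well, so no attribute
// value can ever contain a tag opener.
function escapeHardened(value, isAttr = false) {
  const pattern = isAttr ? /[&"<]/g : /[&<]/g;
  return String(value).replace(pattern, (ch) =>
    ch === '&' ? '&amp;' : ch === '"' ? '&quot;' : '&lt;'
  );
}

// The SSR output of the vulnerable +page.svelte for a given href value.
function renderPage(href, escape) {
  return `<noscript><a href="${escape(href, true)}">test</a></noscript>`;
}

// Model of how a browser with scripting enabled tokenises <noscript>: its
// content is RAWTEXT, so the first "</noscript" ends the element whether or
// not the server believed it was still inside a quoted attribute value.
// Returns the markup that is parsed as live HTML after the element closes.
function markupAfterNoscript(html) {
  const open = html.indexOf('<noscript>');
  if (open === -1) return '';
  const close = html.toLowerCase().indexOf('</noscript', open + '<noscript>'.length);
  if (close === -1) return '';
  const rest = html.slice(close);
  return rest.slice(rest.indexOf('>') + 1);
}

// True when a <script> element lands outside the <noscript> element and
// would therefore be parsed and executed.
function scriptEscapesNoscript(html) {
  return /<script\b/i.test(markupAfterNoscript(html));
}

// Constructed attacker input: the advisory's ?href= payload after decoding.
const payload = '</noscript><script>alert(123)</script>';

const vulnerableHtml = renderPage(payload, escapeSvelte4);
// <noscript><a href="</noscript><script>alert(123)</script>">test</a></noscript>

const hardenedHtml = renderPage(payload, escapeHardened);
// <noscript><a href="&lt;/noscript>&lt;script>alert(123)&lt;/script>">test</a></noscript>
```

The server-side view and the browser's view disagree only because of the raw-text rule: with scripting disabled, <noscript> content is parsed as ordinary HTML, the quoted attribute swallows the payload, and nothing runs anyway. With scripting enabled, the quotes are irrelevant and the injected </noscript> wins. Escaping < in attribute values removes the disagreement at its root, which is why the hardened output has nothing left after the real closing tag.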