Svelte 4.2.13 is a patch release of the Svelte JavaScript framework, following version 4.2.12. Both versions declare the same core dependencies, including acorn for parsing, code-red for code generation, and css-tree for CSS parsing, so there is no dependency churn to account for when upgrading. Development dependencies such as Rollup, Vitest, and TypeScript are also unchanged, indicating no change to the build or test workflow.
Beyond the later release date, the only visible difference is a slightly different unpacked size; because the dependency list is identical, whatever changed is confined to Svelte's own code. This page does not list the individual changes, so it should not be read as evidence of particular bug fixes, security patches, or performance improvements.
Upgrading to 4.2.13 keeps the benefits Svelte is known for (compile-time output, developer experience, component-based architecture) and picks up whatever refinements the release contains. Staying current is still the right policy, but note that 4.2.13 itself falls within the affected range of the advisory below, which is fixed in 4.2.19; an upgrade intended to address that issue must go at least that far.
Vulnerabilities affecting version 4.2.13 of the package
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

In attribute values:
    "  ->  &quot;
    &  ->  &amp;

In element content:
    <  ->  &lt;
    &  ->  &amp;

Note that < is left untouched inside attribute values. The assumption is that an attribute will always remain an attribute, but in some situations the DOM tree the browser builds differs from what Svelte expected when rendering on the server, and this can be leveraged for XSS. Specifically, it occurs when malicious content is injected into an attribute inside a <noscript> tag: when scripting is enabled, the browser treats everything inside <noscript> as raw text rather than markup, so a literal </noscript> inside the attribute value closes the element early and the text that follows is parsed as real HTML.
A vulnerable page (+page.svelte):

    <script>
      import { page } from "$app/stores";
      // user input taken straight from the query string
      let href = $page.url.searchParams.get("href") ?? "https://example.com";
    </script>

    <noscript>
      <a href={href}>test</a>
    </noscript>
If a user accesses the following URL,

    http://localhost:4173/?href=</noscript><script>alert(123)</script>

then alert(123) will be executed.
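To make the mismatch concrete, the following JavaScript is an added example, not Svelte's code or part of the advisory. It reproduces the attribute and content escaping rules quoted above, renders the advisory's page on the "server", and models the browser's scripting-enabled treatment of <noscript> as raw text. The hardened escaper is an assumption of a sufficient mitigation (also encoding < and > in attribute values); it is not a claim about how Svelte 4.2.19 implemented its fix.

```javascript
// Added example, not Svelte's source. It models the escaping rules quoted in
// the advisory and why an attribute inside <noscript> lets input break out.

// Attribute escaping as the advisory describes it for Svelte < 4.2.19:
// only `"` and `&` are encoded, so `<` and `>` pass through untouched.
function escapeAttrVulnerable(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Text-content escaping as the advisory describes it: `<` and `&`.
function escapeContent(value) {
  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Assumed mitigation (not necessarily Svelte's exact fix): also encode
// `<` and `>` in attribute values so no tag can be formed from them.
function escapeAttrHardened(value) {
  return escapeAttrVulnerable(value).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Server-side rendering of the advisory's page:
//   <noscript><a href={href}>test</a></noscript>
// `escapeAttr` is whichever attribute escaper the server uses.
function renderPage(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Same payload placed in element content instead of an attribute: the
// content rule encodes `<`, so no `</noscript>` can appear in the output.
function renderTextInNoscript(text) {
  return `<noscript>${escapeContent(text)}</noscript>`;
}

// Model of the HTML parser with scripting enabled: everything after
// <noscript> is raw text until the first "</noscript>" (case-insensitive),
// attribute quoting notwithstanding. Returns the markup the browser parses
// as live elements once the <noscript> element has closed.
function markupAfterNoscript(html) {
  const openTag = "<noscript>";
  const closeTag = "</noscript>";
  const lower = html.toLowerCase();
  const open = lower.indexOf(openTag);
  if (open === -1) return html;
  const close = lower.indexOf(closeTag, open + openTag.length);
  if (close === -1) return "";
  return html.slice(close + closeTag.length);
}

// True when the live markup after <noscript> contains a <script> start tag,
// i.e. the attacker's text escaped the attribute and the noscript element.
function scriptEscapesNoscript(href, escapeAttr) {
  return /<script\b/i.test(markupAfterNoscript(renderPage(href, escapeAttr)));
}

// Constructed input: the `href` query value from the advisory's URL.
const payload = "</noscript><script>alert(123)</script>";

console.log(renderPage(payload, escapeAttrVulnerable));
console.log("vulnerable escaper, script escapes:", scriptEscapesNoscript(payload, escapeAttrVulnerable));
console.log("hardened escaper, script escapes:", scriptEscapesNoscript(payload, escapeAttrHardened));
console.log("benign href, script escapes:", scriptEscapesNoscript("https://example.com/?a=1&b=2", escapeAttrVulnerable));
console.log("payload as content, live markup:", JSON.stringify(markupAfterNoscript(renderTextInNoscript(payload))));
```

The server's view and the browser's view of the same bytes disagree: the server believes the payload is safely quoted inside href="...", while a scripting-enabled browser never enters attribute-parsing inside <noscript> and simply scans for the first </noscript>. Encoding < in attribute values removes the only character that can start that closing tag, which is why the hardened escaper keeps the payload inert regardless of where the attribute ends up.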
Impact: XSS when user-controlled data is rendered on the server into an attribute inside a <noscript> tag.