Svelte's update from 4.2.16 to 4.2.17 involves only minor changes to the published package metadata and internal organization. The public API and compiler behaviour are the same in both versions, so existing Svelte applications can move to 4.2.17 without code changes. The dependency set is also identical: acorn, css-tree, magic-string, the accessibility packages aria-query and axobject-query, and the source-map and code-remapping packages are all pinned to the same versions in both releases.
The only observable difference is in the dist object that describes the package distribution. 4.2.17 was published on May 13, 2024 and 4.2.16 on May 7, 2024. fileCount is 250 in both, while unpackedSize grew by 36 bytes, from 2,632,863 to 2,632,899. A delta that small points to a change in packaged text (documentation, build or tooling metadata) rather than to compiler or runtime code, so upgrading from 4.2.16 to 4.2.17 is a low-risk operation with no breaking changes. Note, however, that 4.2.17 still falls inside the affected range of the advisory below (versions prior to 4.2.19); this upgrade does not address that issue.
Known vulnerabilities affecting version 4.2.17 of the package
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte escapes HTML improperly on server-side rendering. It converts strings according to the following rules:

In attributes:
  " -> &quot;
  & -> &amp;

Other content:
  < -> &lt;
  & -> &amp;

The assumption is that an attribute value will always be parsed as an attribute value, so `<` does not need to be escaped there. In some situations, however, the DOM tree the browser builds differs from the tree Svelte expected when it rendered on the server, and the unescaped `<` can then be used to perform XSS. Specifically, this happens when user-controlled content is interpolated into an attribute inside a <noscript> element: with scripting enabled, browsers parse the contents of <noscript> as raw text that ends at the first `</noscript` sequence, quotes and tag nesting notwithstanding, so an attribute value containing `</noscript>` closes the element early and everything after it is parsed as live markup.
A vulnerable page (+page.svelte):
<script>
  import { page } from "$app/stores";
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
  <a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) is executed: the server-rendered href value contains an unescaped </noscript>, which terminates the raw-text section, and the <script> that follows is parsed as a real element.
Impact: XSS when user input reaches an attribute inside a <noscript> element during server-side rendering.
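To make the failure concrete, here is an added example (not Svelte's source code and not part of the advisory) that reproduces the attribute-escaping rules quoted above, renders the page's +page.svelte template for the payload from the URL, and models how a scripting-enabled browser tokenises <noscript> as raw text. escapeAttrHardened is a hypothetical variant that additionally escapes < and > in attribute values; it illustrates the defence, not the exact change shipped in 4.2.19.

```javascript
// Added example, not Svelte's code: reproduce the SSR escaping rules from the
// advisory and show why they break inside <noscript>.

// Attribute escaping as the page describes it: only & and " are rewritten,
// so a value may still contain literal < and > characters.
function escapeAttrVulnerable(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Hypothetical hardened variant (an assumption for this example): also
// escape < and >, so the value can never spell a closing tag in raw text.
function escapeAttrHardened(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Server-side render of the page's +page.svelte for a given ?href= value.
function renderPage(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Model of a scripting-enabled HTML parser: after <noscript> the tokenizer is
// in RAWTEXT state, so the element ends at the first "</noscript" sequence,
// regardless of quotes or tag nesting. Returns the raw inner text and the
// remainder that the parser goes on to tokenize as real markup.
function parseNoscript(html) {
  const open = html.indexOf("<noscript>");
  if (open === -1) return null;
  const start = open + "<noscript>".length;
  const close = html.toLowerCase().indexOf("</noscript", start);
  if (close === -1) return { inner: html.slice(start), rest: "" };
  const gt = html.indexOf(">", close);
  const rest = gt === -1 ? "" : html.slice(gt + 1);
  return { inner: html.slice(start, close), rest };
}

// True when a <script> element survives as live markup outside the <noscript>.
function hasLiveScript(html) {
  const parsed = parseNoscript(html);
  return parsed !== null && /<script\b/i.test(parsed.rest);
}

// Constructed payload: the href value from the URL quoted on the page.
const payload = "</noscript><script>alert(123)</script>";

const vulnerableHtml = renderPage(payload, escapeAttrVulnerable);
const hardenedHtml = renderPage(payload, escapeAttrHardened);

console.log("vulnerable:", vulnerableHtml, "live script:", hasLiveScript(vulnerableHtml));
console.log("hardened:  ", hardenedHtml, "live script:", hasLiveScript(hardenedHtml));
```

With the vulnerable escaper the rendered markup is `<noscript><a href="</noscript><script>alert(123)</script>">test</a></noscript>`; the parser model ends the raw-text section at the `</noscript` inside the attribute and hands `<script>alert(123)</script>` on as markup. With `<` and `>` escaped, the first `</noscript` the browser sees is the real closing tag and nothing executes. The model deliberately ignores the scripting-disabled case, where <noscript> contents are parsed as ordinary markup and the attribute stays an attribute.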