Svelte 4.2.4 represents a minor version update over its predecessor, Svelte 4.2.3, within the Svelte framework known for building performant web applications via a compiler-based approach. Both versions share identical core dependencies, including essential tools like acorn for JavaScript parsing, css-tree for CSS processing, and magic-string for efficient string manipulation during compilation. Similarly, their development dependencies remain consistent, featuring testing frameworks like vitest and happy-dom, bundlers like rollup and esbuild, and TypeScript support, ensuring a smooth development experience with type safety.
The key difference between the two versions lies in their release dates and in any bug fixes or minor performance improvements introduced in the newer version. Svelte 4.2.4 was released on November 16, 2023, following Svelte 4.2.3, released on November 10, 2023. The unpackedSize attribute in the dist object also hints at a slight difference in the final package size, indicating code adjustments or optimizations.
For developers, upgrading from Svelte 4.2.3 to Svelte 4.2.4 is likely a safe and recommended move. While the core functionality and API remain the same, the newer version may include crucial bug fixes or performance enhancements that contribute to a more stable and efficient application. Staying up-to-date with minor version releases ensures developers benefit from the latest improvements and address any potential security vulnerabilities. Always consult the official Svelte changelog for a detailed list of changes made in each version, as the package metadata might not always fully communicate every refinement.
All vulnerabilities affecting version 4.2.4 of the package
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attribute values:
" -> &quot;
& -> &amp;
In text content:
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
XSS, when using an attribute within a noscript tag
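The following is an added example, not Svelte's own code: it reimplements the escaping rules the advisory lists (attribute values rewrite only `"` and `&`, text content rewrites `<` and `&`) so the gap can be reproduced offline, and puts a hardened attribute rule set that also rewrites `<` beside it. Constant and function names are my own, the `markupAfterNoscript` helper is only an approximation of how a browser with scripting enabled treats `<noscript>` content as raw text (it ends the element at the first literal `</noscript>`), and `leaksPastNoscript` is the kind of regression check a team could run over server-rendered output.

```javascript
// Added example (not Svelte's own code): the advisory's SSR escaping rules,
// reimplemented to show why a literal "</noscript>" survives in an attribute.
// All names below are assumptions made for this example.

const ENTITY = { '"': '&quot;', '&': '&amp;', '<': '&lt;' };

// Rule sets as the advisory lists them.
const ATTR_RULES_VULNERABLE = /["&]/g; // attribute values: only `"` and `&`
const CONTENT_RULES = /[<&]/g;         // text content: only `<` and `&`
// Hardened attribute rule set: `<` is rewritten in attributes too, so an
// attribute value can never contain a literal closing tag.
const ATTR_RULES_HARDENED = /["&<]/g;

function escapeWith(rules, value) {
  return String(value).replace(rules, (ch) => ENTITY[ch]);
}

// Server-side output for the advisory's +page.svelte, parameterised by the
// attribute rule set so the vulnerable and hardened renders can be compared.
function renderPage(href, attrRules = ATTR_RULES_VULNERABLE) {
  return `<noscript><a href="${escapeWith(attrRules, href)}">test</a></noscript>`;
}

// With scripting enabled, a browser parses <noscript> content as raw text:
// entities and tags inside it are not interpreted, and the element ends at
// the first literal "</noscript>". This returns what follows that point,
// i.e. markup that has escaped the <noscript> element. Approximation of the
// HTML parser's raw-text handling, not a full parser.
function markupAfterNoscript(html) {
  const start = html.indexOf('<noscript>') + '<noscript>'.length;
  const end = html.indexOf('</noscript>', start);
  if (end === -1) return '';
  return html.slice(end + '</noscript>'.length);
}

// Regression check over rendered output: the template closes its <noscript>
// at the very end, so anything after the first close means the element was
// terminated early by attribute content.
function leaksPastNoscript(html) {
  return markupAfterNoscript(html).trim().length > 0;
}

// Constructed input: the query value from the advisory's example URL.
const PAYLOAD = '</noscript><script>alert(123)</script>';

console.log(renderPage(PAYLOAD));
console.log(leaksPastNoscript(renderPage(PAYLOAD)));                      // true
console.log(renderPage(PAYLOAD, ATTR_RULES_HARDENED));
console.log(leaksPastNoscript(renderPage(PAYLOAD, ATTR_RULES_HARDENED))); // false
```

The vulnerable render keeps `</noscript>` intact inside `href`, so the raw-text parser closes the element there and the remainder of the attribute value is parsed as ordinary markup; with `<` rewritten in attribute values the first real `</noscript>` is the one the template wrote, and nothing follows it.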