Skip to content

chore(deps): update dependency svelte to v4.2.19 [security] #166

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): update dependency svelte to v4.2.19 [security] #166

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 30, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
svelte (source) 4.2.9 -> 4.2.19 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-45047

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

  • If the string is an attribute value:
    • " -> "
    • & -> &
    • Other characters -> No conversion
  • Otherwise:
    • < -> &lt;
    • & -> &amp;
    • Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

Release Notes

sveltejs/svelte (svelte)

v4.2.19

Compare Source

Patch Changes

  • fix: ensure typings for <svelte:options> are picked up (#​12902)

  • fix: escape < in attribute strings (#​12989)

v4.2.18

Compare Source

Patch Changes

v4.2.17

Compare Source

Patch Changes
  • fix: correctly handle falsy values of style directives in SSR mode (#​11584)

v4.2.16

Compare Source

Patch Changes
  • fix: check if svelte component exists on custom element destroy (#​11489)

v4.2.15

Compare Source

Patch Changes
  • support attribute selector inside :global() (#​11135)

v4.2.14

Compare Source

Patch Changes
  • fix parsing camelcase container query name (#​11131)

v4.2.13

Compare Source

Patch Changes
  • fix: applying :global for +,~ sibling combinator when slots are present (#​9282)

v4.2.12

Compare Source

Patch Changes
  • fix: properly update svelte:component props when there are spread props (#​10604)

v4.2.11

Compare Source

Patch Changes
  • fix: check that component wasn't instantiated in connectedCallback (#​10466)

v4.2.10

Compare Source

Patch Changes

  • fix: add scrollend event type (#​10336)

  • fix: add fetchpriority attribute type (#​10390)

  • fix: Add miter-clip and arcs to stroke-linejoin attribute (#​10377)

  • fix: make inline doc links valid (#​10366)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 30, 2024
edited
Loading

size-limit report 📦

Path Size Loading time (3g) Running time (snapdragon) Total time
dist/index.js 1.47 KB (0%) 30 ms (0%) 49 ms (+116.58% 🔺) 79 ms

@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from e9e205b to fef84fb Compare January 23, 2025 17:38
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from fef84fb to f27056a Compare February 9, 2025 13:45
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from f27056a to 89a7012 Compare March 3, 2025 17:27
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch 3 times, most recently from ead036d to c4153f0 Compare March 17, 2025 18:02
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from c4153f0 to 39022b7 Compare April 1, 2025 11:49
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 39022b7 to cbbb96b Compare April 8, 2025 12:23
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from cbbb96b to 873af66 Compare April 24, 2025 06:04
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants