Update dependency svelte to v4.2.19 [SECURITY] #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

renovate wants to merge 1 commit into main from renovate/npm-svelte-vulnerability

Contributor

renovate bot commented Aug 30, 2024 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
svelte (source)	`4.0.1` → `4.2.19`

GitHub Vulnerability Alerts

CVE-2024-45047

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

If the string is an attribute value:
- " -> "
- & -> &
- Other characters -> No conversion
Otherwise:
- < -> <
- & -> &
- Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

Release Notes

sveltejs/svelte (svelte)

`v4.2.19`

Patch Changes

fix: ensure typings for <svelte:options> are picked up (#12902)
fix: escape < in attribute strings (#12989)

`v4.2.18`

Patch Changes

chore: speed up regex (#11922)

`v4.2.17`

Patch Changes

fix: correctly handle falsy values of style directives in SSR mode (#11584)

`v4.2.16`

Patch Changes

fix: check if svelte component exists on custom element destroy (#11489)

`v4.2.15`

Patch Changes

support attribute selector inside :global() (#11135)

`v4.2.14`

Patch Changes

fix parsing camelcase container query name (#11131)

`v4.2.13`

Patch Changes

fix: applying :global for +,~ sibling combinator when slots are present (#9282)

`v4.2.12`

Patch Changes

fix: properly update svelte:component props when there are spread props (#10604)

`v4.2.11`

Patch Changes

fix: check that component wasn't instantiated in connectedCallback (#10466)

`v4.2.10`

Patch Changes

fix: add scrollend event type (#10336)
fix: add fetchpriority attribute type (#10390)
fix: Add miter-clip and arcs to stroke-linejoin attribute (#10377)
fix: make inline doc links valid (#10366)

`v4.2.9`

Patch Changes

fix: add types for popover attributes and events (#10042)
fix: add gamepadconnected and gamepaddisconnected events (#9864)
fix: make @types/estree a dependency (#10149)
fix: bump axobject-query (#10167)

`v4.2.8`

Patch Changes

fix: port over props that were set prior to initialization (#9701)

`v4.2.7`

Patch Changes

fix: handle spreads within static strings (#9554)

`v4.2.6`

Patch Changes

fix: adjust static attribute regex (#9551)

`v4.2.5`

Patch Changes

fix: ignore expressions in top level script/style tag attributes (#9498)

`v4.2.4`

Patch Changes

fix: handle closing tags inside attribute values (#9486)

`v4.2.3`

Patch Changes

fix: improve a11y-click-events-have-key-events message (#9358)
fix: more robust hydration of html tag (#9184)

`v4.2.2`

Patch Changes

fix: support camelCase properties on custom elements (#9328)
fix: add missing plaintext-only value to contenteditable type (#9242)
chore: upgrade magic-string to 0.30.4 (#9292)
fix: ignore trailing comments when comparing nodes (#9197)

`v4.2.1`

Patch Changes

fix: update style directive when style attribute is present and is updated via an object prop (#9187)
fix: css sourcemap generation with unicode filenames (#9120)
fix: do not add module declared variables as dependencies (#9122)
fix: handle svelte:element with dynamic this and spread attributes (#9112)
fix: silence false positive reactive component warning (#9094)
fix: head duplication when binding is present (#9124)
fix: take custom attribute name into account when reflecting property (#9140)
fix: add indeterminate to the list of HTMLAttributes (#9180)
fix: recognize option value on spread attribute (#9125)

`v4.2.0`

Minor Changes

feat: move svelteHTML from language-tools into core to load the correct svelte/element types (#9070)

`v4.1.2`

Patch Changes

fix: allow child element with slot attribute within svelte:element (#9038)
fix: Add data-* to svg attributes (#9036)

`v4.1.1`

Patch Changes

fix: svelte:component spread props change not picked up (#9006)

`v4.1.0`

Minor Changes

feat: add ability to extend custom element class (#8991)

Patch Changes

fix: ensure svelte:component evaluates props once (#8946)
fix: remove let:variable slot bindings from select binding dependencies (#8969)
fix: handle destructured primitive literals (#8871)
perf: optimize imports that are not mutated or reassigned (#8948)
fix: don't add accessor twice (#8996)

`v4.0.5`

Patch Changes

fix: generate type definition with nullable types (#8924)

`v4.0.4`

Patch Changes

fix: claim svg tags in raw mustache tags correctly (#8910)
fix: repair invalid raw html content during hydration (#8912)

`v4.0.3`

Patch Changes

fix: handle falsy srcset values (#8901)

`v4.0.2`

Patch Changes

fix: reflect all custom element prop updates back to attribute (#8898)
fix: shrink custom element baseline a bit (#8858)
fix: use non-destructive hydration for all @html tags (#8880)
fix: align disclose-version exports specification (#8874)
fix: check srcset when hydrating to prevent needless requests (#8868)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 6d1b0f5 to 871444a Compare

January 23, 2025 22:39

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 871444a to bc50f41 Compare

March 11, 2025 11:24

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from bc50f41 to d375ccb Compare

April 1, 2025 11:23

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from d375ccb to eb28bca Compare

May 28, 2025 09:54

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from eb28bca to 1071659 Compare

June 4, 2025 10:13

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 1071659 to ebcfe34 Compare

June 22, 2025 13:26

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from ebcfe34 to 28a41db Compare

July 2, 2025 15:42

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 28a41db to ac915dd Compare

August 13, 2025 11:57

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from ac915dd to 3260c82 Compare

August 31, 2025 12:48

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 3260c82 to 77017d3 Compare

September 25, 2025 19:54


          Update dependency svelte to v4.2.19 [SECURITY]

4c8e627

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 77017d3 to 4c8e627 Compare

November 11, 2025 02:33

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet