[SECURITY] Update dependency svelte to v4 #26
Closed
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR contains the following updates:
^3.49.0
->^4.2.19
GitHub Vulnerability Alerts
CVE-2024-45047
Summary
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Details
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
"
->"
&
->&
<
-><
&
->&
The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a
<noscript>
tag.PoC
A vulnerable page (
+page.svelte
):If a user accesses the following URL,
then,
alert(123)
will be executed.Impact
XSS, when using an attribute within a noscript tag
Svelte has a potential mXSS vulnerability due to improper HTML escaping
CVE-2024-45047 / GHSA-8266-84wp-wv5c
More information
Details
Summary
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Details
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
"
->"
&
->&
<
-><
&
->&
The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a
<noscript>
tag.PoC
A vulnerable page (
+page.svelte
):If a user accesses the following URL,
then,
alert(123)
will be executed.Impact
XSS, when using an attribute within a noscript tag
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
sveltejs/svelte (svelte)
v4.2.19
Compare Source
Patch Changes
fix: ensure typings for
<svelte:options>
are picked up (#12902)fix: escape
<
in attribute strings (#12989)v4.2.18
Compare Source
Patch Changes
v4.2.17
Compare Source
Patch Changes
v4.2.16
Compare Source
Patch Changes
v4.2.15
Compare Source
Patch Changes
v4.2.14
Compare Source
Patch Changes
v4.2.13
Compare Source
Patch Changes
v4.2.12
Compare Source
Patch Changes
svelte:component
props when there are spread props (#10604)v4.2.11
Compare Source
Patch Changes
connectedCallback
(#10466)v4.2.10
Compare Source
Patch Changes
fix: add
scrollend
event type (#10336)fix: add
fetchpriority
attribute type (#10390)fix: Add
miter-clip
andarcs
tostroke-linejoin
attribute (#10377)fix: make inline doc links valid (#10366)
v4.2.9
Compare Source
Patch Changes
fix: add types for popover attributes and events (#10042)
fix: add
gamepadconnected
andgamepaddisconnected
events (#9864)fix: make
@types/estree
a dependency (#10149)fix: bump
axobject-query
(#10167)v4.2.8
Compare Source
Patch Changes
v4.2.7
Compare Source
Patch Changes
v4.2.6
Compare Source
Patch Changes
v4.2.5
Compare Source
Patch Changes
v4.2.4
Compare Source
Patch Changes
v4.2.3
Compare Source
Patch Changes
fix: improve a11y-click-events-have-key-events message (#9358)
fix: more robust hydration of html tag (#9184)
v4.2.2
Compare Source
Patch Changes
fix: support camelCase properties on custom elements (#9328)
fix: add missing plaintext-only value to contenteditable type (#9242)
chore: upgrade magic-string to 0.30.4 (#9292)
fix: ignore trailing comments when comparing nodes (#9197)
v4.2.1
Compare Source
Patch Changes
fix: update style directive when style attribute is present and is updated via an object prop (#9187)
fix: css sourcemap generation with unicode filenames (#9120)
fix: do not add module declared variables as dependencies (#9122)
fix: handle
svelte:element
with dynamic this and spread attributes (#9112)fix: silence false positive reactive component warning (#9094)
fix: head duplication when binding is present (#9124)
fix: take custom attribute name into account when reflecting property (#9140)
fix: add
indeterminate
to the list of HTMLAttributes (#9180)fix: recognize option value on spread attribute (#9125)
v4.2.0
Compare Source
Minor Changes
svelteHTML
from language-tools into core to load the correctsvelte/element
types (#9070)v4.1.2
Compare Source
Patch Changes
fix: allow child element with slot attribute within svelte:element (#9038)
fix: Add data-* to svg attributes (#9036)
v4.1.1
Compare Source
Patch Changes
svelte:component
spread props change not picked up (#9006)v4.1.0
Compare Source
Minor Changes
Patch Changes
fix: ensure
svelte:component
evaluates props once (#8946)fix: remove
let:variable
slot bindings from select binding dependencies (#8969)fix: handle destructured primitive literals (#8871)
perf: optimize imports that are not mutated or reassigned (#8948)
fix: don't add accessor twice (#8996)
v4.0.5
Compare Source
Patch Changes
v4.0.4
Compare Source
Patch Changes
fix: claim svg tags in raw mustache tags correctly (#8910)
fix: repair invalid raw html content during hydration (#8912)
v4.0.3
Compare Source
Patch Changes
v4.0.2
Compare Source
Patch Changes
fix: reflect all custom element prop updates back to attribute (#8898)
fix: shrink custom element baseline a bit (#8858)
fix: use non-destructive hydration for all
@html
tags (#8880)fix: align
disclose-version
exports specification (#8874)fix: check srcset when hydrating to prevent needless requests (#8868)
v4.0.1
Compare Source
Patch Changes
fix: ensure identifiers in destructuring contexts don't clash with existing ones (#8840)
fix: ensure
createEventDispatcher
andActionReturn
work with types from generic function parameters (#8872)fix: apply transition to
<svelte:element>
with local transition (#8865)fix: relax a11y "no redundant role" rule for li, ul, ol (#8867)
fix: remove tsconfig.json from published package (#8859)
v4.0.0
Compare Source
Major Changes
breaking: Minimum supported Node version is now Node 16 (#8566)
breaking: Minimum supported webpack version is now webpack 5 (#8515)
breaking: Bundlers must specify the
browser
condition when building a frontend bundle for the browser (#8516)breaking: Minimum supported vite-plugin-svelte version is now 2.4.1. SvelteKit users can upgrade to 1.20.0 or newer to ensure a compatible version (#8516)
breaking: Minimum supported
rollup-plugin-svelte
version is now 7.1.5 (198dbcf)breaking: Minimum supported
svelte-loader
is now 3.1.8 (198dbcf)breaking: Minimum supported TypeScript version is now TypeScript 5 (it will likely work with lower versions, but we make no guarantees about that) (#8488)
breaking: Remove
svelte/register
hook, CJS runtime version and CJS compiler output (#8613)breaking: Stricter types for
createEventDispatcher
(see PR for migration instructions) (#7224)breaking: Stricter types for
Action
andActionReturn
(see PR for migration instructions) (#7442)breaking: Stricter types for
onMount
- now throws a type error when returning a function asynchronously to catch potential mistakes around callback functions(see PR for migration instructions) (#8136)
breaking: Overhaul and drastically improve creating custom elements with Svelte (see PR for list of changes and migration instructions) ([#8457](https://github.
com/feat: custom elements rework sveltejs/svelte#8457))
breaking: Deprecate
SvelteComponentTyped
in favor ofSvelteComponent
(#8512)breaking: Make transitions local by default to prevent confusion around page navigations (#6686)
breaking: Error on falsy values instead of stores passed to
derived
(#7947)breaking: Custom store implementers now need to pass an
update
function additionally to theset
function ([#6750](https://github.com/sveltejs/svelte/pull/6750))
breaking: Do not expose default slot bindings to named slots and vice versa (#6049)
breaking: Change order in which preprocessors are applied (#8618)
breaking: The runtime now makes use of
classList.toggle(name, boolean)
which does not work in very old browsers ([#8629](https://github.com/sveltejs/svelte/pull/8629))
breaking: apply
inert
to outroing elements (#8628)breaking: use
CustomEvent
constructor instead of deprecatedcreateEvent
method (#8775)Minor Changes
Add a way to modify attributes for script/style preprocessors (#8618)
Improve hydration speed by adding
data-svelte-h
attribute to detect unchanged HTML elements (#7426)Add
a11y no-noninteractive-element-interactions
rule (#8391)Add
a11y-no-static-element-interactions
rule (#8251)Allow
#each
to iterate over iterables likeSet
,Map
etc (#7425)Improve duplicate key error for keyed
each
blocks (#8411)Warn about
:
in attributes and props to prevent ambiguity with Svelte directives (#6823)feat: add version info to
window
. You can opt out by settingdiscloseVersion
tofalse
in the compiler options (#8761)feat: smaller minified output for destructor chunks (#8763)
Patch Changes
Bind
null
option and input values consistently (#8312)Allow
$store
to be used with changing values including nullish values (#7555)Initialize stylesheet with
/* empty */
to enable setting CSP directive that also works in Safari (#7800)Treat slots as if they don't exist when using CSS adjacent and general sibling combinators (#8284)
Fix transitions so that they don't require a
style-src 'unsafe-inline'
Content Security Policy (CSP) (#6662).Explicitly disallow
var
declarations extending the reactive statement scope (#6800)Improve error message when trying to use
animate:
directives on inline components (#8641)fix: export ComponentType from
svelte
entrypoint (#8578)fix: never use html optimization for mustache tags in hydration mode (#8744)
fix: derived store types (#8578)
Generate type declarations with dts-buddy (#8578)
fix: ensure types are loaded with all TS settings (#8721)
fix: account for preprocessor source maps when calculating meta info (#8778)
chore: deindent cjs output for compiler (#8785)
warn on boolean compilerOptions.css (#8710)
fix: export correct SvelteComponent type (#8721)
v3.59.2
Compare Source
v3.59.1
Compare Source
v3.59.0
Compare Source
v3.58.0
Compare Source
v3.57.0
Compare Source
v3.56.0
Compare Source
v3.55.1
Compare Source
v3.55.0
Compare Source
v3.54.0
Compare Source
v3.53.1
Compare Source
v3.53.0
Compare Source
v3.52.0
Compare Source
v3.51.0
Compare Source
v3.50.1
Compare Source
v3.50.0
Compare Source
Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.