Update dependency svelte to v4 [SECURITY] #41
This PR contains the following updates: svelte 3.31.2 -> 4.2.19
GitHub Vulnerability Alerts
CVE-2022-25875
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
CVE-2024-45047
Summary
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Details
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
" -> &quot;
& -> &amp;
< -> &lt;
& -> &amp;
The first two rules are applied to attribute values, the last two to text content. The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by the browser differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
PoC
A vulnerable page (+page.svelte):
If a user accesses the following URL, then alert(123) will be executed.
Impact
XSS, when using an attribute within a noscript tag
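To make the escaping gap concrete, here is an added example in plain JavaScript. It is not Svelte's own code and not the advisory's PoC; the function names, the regexes and the sample value are assumptions modelled on the rules listed above and on the 4.2.19 note "escape < in attribute strings". It renders an attribute inside <noscript> with the pre-fix and post-fix attribute escapers and reports which output still contains markup that a scripting-enabled browser would parse after an early </noscript>.

```javascript
// Added example, not Svelte's own code: a model of the SSR escaping rules listed in
// the advisory above. The function names and the exact regexes are assumptions based
// on those rules and on the 4.2.19 note "escape < in attribute strings".

// Text content: `&` and `<` are replaced, so a value can never open a tag.
function escapeContent(value) {
  return String(value).replace(/[&<]/g, (ch) => (ch === '&' ? '&amp;' : '&lt;'));
}

// Attribute values before the fix: only `&` and `"` are replaced. That is enough
// while the browser really parses the value as an attribute, because a quote is
// the only way to leave it.
function escapeAttributeLegacy(value) {
  return String(value).replace(/[&"]/g, (ch) => (ch === '&' ? '&amp;' : '&quot;'));
}

// Attribute values after the fix (#12989): `<` is replaced as well, so the value
// cannot form a tag even if the browser later treats the markup as plain text.
function escapeAttributeFixed(value) {
  return String(value).replace(/[&"<]/g, (ch) =>
    ch === '&' ? '&amp;' : ch === '"' ? '&quot;' : '&lt;'
  );
}

// Renders the shape the advisory describes: an element attribute inside <noscript>.
// `escapeAttribute` selects which of the two attribute escapers is used.
function renderNoscriptImg(userValue, escapeAttribute) {
  return `<noscript><img alt="${escapeAttribute(userValue)}"></noscript>`;
}

// Models how a browser with scripting enabled handles <noscript>: its content is
// raw text up to the first "</noscript>" (attributes are not recognised there),
// and everything after that is parsed as live markup again. Returns that live part,
// or '' when the only "</noscript>" is the real closing tag.
function liveMarkupAfterNoscript(html) {
  const OPEN = '<noscript>';
  const CLOSE = '</noscript>';
  const open = html.indexOf(OPEN);
  if (open === -1) return '';
  const close = html.toLowerCase().indexOf(CLOSE, open + OPEN.length);
  if (close === -1) return '';
  return html.slice(close + CLOSE.length);
}

// Constructed sample value: closes the noscript early and adds a harmless element.
const SAMPLE = '</noscript><em>x</em>';

// Check for a test suite: true when the rendered page leaks no live markup.
function isContained(userValue, escapeAttribute) {
  return liveMarkupAfterNoscript(renderNoscriptImg(userValue, escapeAttribute)) === '';
}

console.log('legacy :', renderNoscriptImg(SAMPLE, escapeAttributeLegacy));
console.log('  live :', JSON.stringify(liveMarkupAfterNoscript(renderNoscriptImg(SAMPLE, escapeAttributeLegacy))));
console.log('fixed  :', renderNoscriptImg(SAMPLE, escapeAttributeFixed));
console.log('  live :', JSON.stringify(liveMarkupAfterNoscript(renderNoscriptImg(SAMPLE, escapeAttributeFixed))));
```

Run it with node. The part worth carrying into a regression suite is isContained: an escaper that leaves `<` in attribute values is fine in an ordinary attribute context but fails inside <noscript>, which is exactly the gap the 4.2.19 fix closes by escaping `<` in attribute strings.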
Release Notes
sveltejs/svelte (svelte)
v4.2.19
Compare Source
Patch Changes
fix: ensure typings for <svelte:options> are picked up (#12902)
fix: escape < in attribute strings (#12989)
v4.2.18
Compare Source
Patch Changes
v4.2.17
Compare Source
Patch Changes
v4.2.16
Compare Source
Patch Changes
v4.2.15
Compare Source
Patch Changes
v4.2.14
Compare Source
Patch Changes
v4.2.13
Compare Source
Patch Changes
v4.2.12
Compare Source
Patch Changes
svelte:component props when there are spread props (#10604)
v4.2.11
Compare Source
Patch Changes
connectedCallback (#10466)
v4.2.10
Compare Source
Patch Changes
fix: add scrollend event type (#10336)
fix: add fetchpriority attribute type (#10390)
fix: Add miter-clip and arcs to stroke-linejoin attribute (#10377)
fix: make inline doc links valid (#10366)
v4.2.9
Compare Source
Patch Changes
fix: add types for popover attributes and events (#10042)
fix: add gamepadconnected and gamepaddisconnected events (#9864)
fix: make @types/estree a dependency (#10149)
fix: bump axobject-query (#10167)
v4.2.8
Compare Source
Patch Changes
v4.2.7
Compare Source
Patch Changes
v4.2.6
Compare Source
Patch Changes
v4.2.5
Compare Source
Patch Changes
v4.2.4
Compare Source
Patch Changes
v4.2.3
Compare Source
Patch Changes
fix: improve a11y-click-events-have-key-events message (#9358)
fix: more robust hydration of html tag (#9184)
v4.2.2
Compare Source
Patch Changes
fix: support camelCase properties on custom elements (#9328)
fix: add missing plaintext-only value to contenteditable type (#9242)
chore: upgrade magic-string to 0.30.4 (#9292)
fix: ignore trailing comments when comparing nodes (#9197)
v4.2.1
Compare Source
Patch Changes
fix: update style directive when style attribute is present and is updated via an object prop (#9187)
fix: css sourcemap generation with unicode filenames (#9120)
fix: do not add module declared variables as dependencies (#9122)
fix: handle svelte:element with dynamic this and spread attributes (#9112)
fix: silence false positive reactive component warning (#9094)
fix: head duplication when binding is present (#9124)
fix: take custom attribute name into account when reflecting property (#9140)
fix: add indeterminate to the list of HTMLAttributes (#9180)
fix: recognize option value on spread attribute (#9125)
v4.2.0
Compare Source
Minor Changes
svelteHTML from language-tools into core to load the correct svelte/element types (#9070)
v4.1.2
Compare Source
Patch Changes
fix: allow child element with slot attribute within svelte:element (#9038)
fix: Add data-* to svg attributes (#9036)
v4.1.1
Compare Source
Patch Changes
svelte:component spread props change not picked up (#9006)
v4.1.0
Compare Source
Minor Changes
Patch Changes
fix: ensure svelte:component evaluates props once (#8946)
fix: remove let:variable slot bindings from select binding dependencies (#8969)
fix: handle destructured primitive literals (#8871)
perf: optimize imports that are not mutated or reassigned (#8948)
fix: don't add accessor twice (#8996)
v4.0.5
Compare Source
Patch Changes
v4.0.4
Compare Source
Patch Changes
fix: claim svg tags in raw mustache tags correctly (#8910)
fix: repair invalid raw html content during hydration (#8912)
v4.0.3
Compare Source
Patch Changes
v4.0.2
Compare Source
Patch Changes
fix: reflect all custom element prop updates back to attribute (#8898)
fix: shrink custom element baseline a bit (#8858)
fix: use non-destructive hydration for all @html tags (#8880)
fix: align disclose-version exports specification (#8874)
fix: check srcset when hydrating to prevent needless requests (#8868)
v4.0.1
Compare Source
Patch Changes
fix: ensure identifiers in destructuring contexts don't clash with existing ones (#8840)
fix: ensure createEventDispatcher and ActionReturn work with types from generic function parameters (#8872)
fix: apply transition to <svelte:element> with local transition (#8865)
fix: relax a11y "no redundant role" rule for li, ul, ol (#8867)
fix: remove tsconfig.json from published package (#8859)
v4.0.0
Compare Source
Major Changes
breaking: Minimum supported Node version is now Node 16 (#8566)
breaking: Minimum supported webpack version is now webpack 5 (#8515)
breaking: Bundlers must specify the browser condition when building a frontend bundle for the browser (#8516)
breaking: Minimum supported vite-plugin-svelte version is now 2.4.1. SvelteKit users can upgrade to 1.20.0 or newer to ensure a compatible version (#8516)
breaking: Minimum supported rollup-plugin-svelte version is now 7.1.5 (198dbcf)
breaking: Minimum supported svelte-loader is now 3.1.8 (198dbcf)
breaking: Minimum supported TypeScript version is now TypeScript 5 (it will likely work with lower versions, but we make no guarantees about that) (#8488)
breaking: Remove svelte/register hook, CJS runtime version and CJS compiler output (#8613)
breaking: Stricter types for createEventDispatcher (see PR for migration instructions) (#7224)
breaking: Stricter types for Action and ActionReturn (see PR for migration instructions) (#7442)
breaking: Stricter types for onMount - now throws a type error when returning a function asynchronously to catch potential mistakes around callback functions (see PR for migration instructions) (#8136)
breaking: Overhaul and drastically improve creating custom elements with Svelte (see PR for list of changes and migration instructions) (#8457)
breaking: Deprecate SvelteComponentTyped in favor of SvelteComponent (#8512)
breaking: Make transitions local by default to prevent confusion around page navigations (#6686)
breaking: Error on falsy values instead of stores passed to derived (#7947)
breaking: Custom store implementers now need to pass an update function additionally to the set function (#6750)
breaking: Do not expose default slot bindings to named slots and vice versa (#6049)
breaking: Change order in which preprocessors are applied (#8618)
breaking: The runtime now makes use of classList.toggle(name, boolean) which does not work in very old browsers (#8629)
breaking: apply inert to outroing elements (#8628)
breaking: use CustomEvent constructor instead of deprecated createEvent method (#8775)
Minor Changes
Add a way to modify attributes for script/style preprocessors (#8618)
Improve hydration speed by adding data-svelte-h attribute to detect unchanged HTML elements (#7426)
Add a11y no-noninteractive-element-interactions rule (#8391)
Add a11y-no-static-element-interactions rule (#8251)
Allow #each to iterate over iterables like Set, Map etc (#7425)
Improve duplicate key error for keyed each blocks (#8411)
Warn about : in attributes and props to prevent ambiguity with Svelte directives (#6823)
feat: add version info to window. You can opt out by setting discloseVersion to false in the compiler options (#8761)
feat: smaller minified output for destructor chunks (#8763)
Patch Changes
Bind null option and input values consistently (#8312)
Allow $store to be used with changing values including nullish values (#7555)
Initialize stylesheet with /* empty */ to enable setting CSP directive that also works in Safari (#7800)
Treat slots as if they don't exist when using CSS adjacent and general sibling combinators (#8284)
Fix transitions so that they don't require a style-src 'unsafe-inline' Content Security Policy (CSP) (#6662)
Explicitly disallow var declarations extending the reactive statement scope (#6800)
Improve error message when trying to use animate: directives on inline components (#8641)
fix: export ComponentType from svelte entrypoint (#8578)
fix: never use html optimization for mustache tags in hydration mode (#8744)
fix: derived store types (#8578)
Generate type declarations with dts-buddy (#8578)
fix: ensure types are loaded with all TS settings (#8721)
fix: account for preprocessor source maps when calculating meta info (#8778)
chore: deindent cjs output for compiler (#8785)
warn on boolean compilerOptions.css (#8710)
fix: export correct SvelteComponent type (#8721)
v3.59.2
Compare Source
<textarea bind:value={...}> values in SSR
v3.59.1
Compare Source
a11y-autocomplete-valid (#8567)
v3.59.0
Compare Source
ResizeObserver bindings contentRect / contentBoxSize / borderBoxSize / devicePixelContentBoxSize (#8022)
devicePixelRatio binding for <svelte:window> (#8285)
fullscreenElement and visibilityState bindings for <svelte:document> (#8507)
a11y-autocomplete-valid warning (#8520)
width / height attributes when spreading (#6752)
style: directive when using spread (#8438)
style: directive property when value is undefined (#8462)
VERSION compiler export (#8498)
a11y-no-redundant-roles warning (#8536)
v3.58.0
Compare Source
bind:innerText for contenteditable elements (#3311)
@container queries (#6969)
preserveComments in DOM output (#7182)
document for target in typings (#7554)
a11y-interactive-supports-focus warning (#8392)
a11y-no-noninteractive-element-to-interactive-role warning (#8402)
<textarea value={...}> values in SSR (#8429)
v3.57.0
Compare Source
<svelte:document> (#3310)
no-noninteractive-element-to-interactive-role (#8167)
style: directive precedence over style= attribute (#7475)
<option> with selected attribute when initial state is undefined (#8361)
bind:group members being spread across multiple control flow blocks (#8372)
fly and blur transitions (#7623)
v3.56.0
Compare Source
|stopImmediatePropagation event modifier (#5085)
axis parameter to slide transition (#6182)
readonly utility to convert writable store to readonly (#6518)
readyState binding for media elements (#6666)
naturalWidth and naturalHeight bindings (#7771)
<!-- svelte-ignore ... --> on components (#8082)
aria-activedescendant-has-tabindex: checks that elements with aria-activedescendant have a tabindex (#8172)
role-supports-aria-props: checks that the (implicit) element role supports the given aria attributes (#8195)
data-sveltekit-replacestate and data-sveltekit-keepfocus attribute typings (#8281)
<svelte:component> (#4129)
bind:offsetHeight updates initially (#4233)
:global() selectors (#6272)
noreferrer warning less zealous (#6289)
<video aria-hidden="true"> (#7874)
<svelte:element> (#7939)
aria-label (#8296)
<input type="search"> and <input type="url"> (#7027)
<option> by default when the initial bound value is undefined (#7041)
{@html} tags inside <template> tags (#7364)
afterUpdate is not called after onDestroy (#7476)
inert attribute (#7500)
<input> value persists when swapping elements with spread attributes in an {#each} block (#7578)
<svelte:element> with transitions (#7948)
const when destructuring (#7964)
trusted-types CSP compatibility for Web Components (#8134)
<svelte:element> output code for static tag and static attribute (#8161)
bind:group value is set to undefined (#8214)
{#each} containing a non-keyed {#each} (#8282)
v3.55.1
Compare Source
draw transition with delay showing a dot at the beginning of the path (#6816)
<svelte:element> optimization in production mode (#7937)
svelte-ignore comment breaking named slot (#8075)
<svelte:element on:event> (#8129)
part attribute (#8181)
submitter property to on:submit event type
v3.55.0
Compare Source
svelte/elements for HTML/Svelte typings (#7649)
v3.54.0
Compare Source
options.direction argument to custom transition functions (#3918)
@const declared function (#7843)
a11y-no-noninteractive-tabindex warning if element has a tabpanel (#8025)
style: directive (#8085)
v3.53.1
Compare Source
rel= attribute check with dynamic values (#7994)
css compiler options for now (#8009)
tslib (#8013)
v3.53.0
Compare Source
parentNode exists before removing child (#6037)
css-tree to 2.2.1 (#7572, #7982)
css compiler option with 'external' | 'injected' | 'none' settings and deprecate old true | false values (#7914)
v3.52.0
Compare Source
const variable (#4895)
<a target="_blank"> without rel="noreferrer" (#6188)
style:foo|important modifier (#7365)
{@html} and components in <svelte:head> (#7941)
v3.51.0
Compare Source
a11y-click-events-have-key-events: check if click event is accompanied by key events (#5073)
a11y-no-noninteractive-tabindex: check for tabindex on non-interactive elements (#6693)
{...rest} object in {#each} block (#6860)
--style-props on <svelte:component> (#7461)
<svelte:element> (#7613)
inert as boolean attribute (#7785)
--style-props for SVG components (#7808)
{@html} and components in <svelte:head> (#4533, #6463, #7444)
<svelte:element> (#7443)
<svelte:component this={...}> (#7550)
<svelte:element> is a void tag (#7566)
<svelte:element> (#7733)
a11y-role-has-required-aria-props warning when elements match their semantic role (#7837)
<svelte:element> (#7869)
v3.50.1
Compare Source
v3.50.0
Compare Source
a11y-incorrect-aria-attribute-type: check ARIA state and property values (#6978)
a11y-no-abstract-role: check that ARIA roles are non-abstract (#6241)
a11y-no-interactive-element-to-noninteractive-role: check for non-interactive roles used on interactive elements (#5955)
a11y-role-has-required-aria-props: check that elements with role attribute have all required attributes for that role (#5852)
ComponentEvents convenience type (#7702)
SveltePreprocessor utility type (#7742)
a11y-label-has-associated-control warning check all descendants for input control (#5528)
Node.parentNode instead of Node.parentElement for legacy browser support (#7723)
<slot> inside <svelte:fragment> (#7485)
class: directive updates in aborted/restarted transitions (#7764)
v3.49.0
Compare Source
ComponentType and ComponentProps convenience types (#6770)
@layer (#7504)
CompileOptions from svelte/compiler (#7658)
class: directive updates with <svelte:element> (#7521, #7571)
v3.48.0
Compare Source
createEventDispatcher (#4623)
{@const} tag in {#if} blocks (#7241)
setContext (#7427)
{#each} blocks when using animate: (#3999)
|local transitions in {#key} blocks (#5950)
{@html} (#7002, #7450)
{@const} tag not working inside a component when there's no let: (#7189)
<pre> and <textarea> (#7264)
textContent for <template> elements (#7297)
let: bindings not updating in certain cases (#7440)
<svelte:element> (#7449)
<svelte:element> (#7478)
[open] selectors on <dialog> elements (#7495)
v3.47.0
Compare Source
v3.46.6
Compare Source
v3.46.5
Compare Source
v3.46.4
Compare Source
v3.46.3
Compare Source
v3.46.2
Compare Source
FlipParams interface from svelte/animate (#7103)
style: directive reactivity inside {#each} block (#7136)
v3.46.1
Compare Source
v3.46.0
Compare Source
v3.45.0
Compare Source
v3.44.3
Compare Source
v3.44.2
Compare Source
v3.44.1
Compare Source
v3.44.0
Compare Source
v3.43.2
Compare Source
v3.43.1
Compare Source
v3.43.0
Compare Source
v3.42.6
Compare Source
v3.42.5
Compare Source
v3.42.4
Compare Source
v3.42.3
Compare Source
v3.42.2
Compare Source
v3.42.1
Compare Source
v3.42.0
Compare Source
v3.41.0
Compare Source
export { ... } from syntax in components (#2214)
export let { ... } = syntax in components (#5612)
{#await ... then/catch} without a variable for the resolved/rejected value (#6270)
v3.40.3
Compare Source
v3.40.2
Compare Source
autofocus={...} attribute handling (#4995)
:global() selectors (#6550)
v3.40.1
Compare Source
v3.40.0
Compare Source
:root selector being erroneously scoped to component (#4767)
.end in AST for expressions inside attributes (#6258)
<select> binding when it has a spread attribute (#6433)
v3.39.0
Compare Source
v3.38.3
Compare Source
v3.38.2
Compare Source
v3.38.1
Compare Source
v3.38.0
Compare Source
v3.37.0
Compare Source
v3.36.0
Compare Source
v3.35.0
Compare Source
v3.34.0
Compare Source
v3.33.0
Compare Source
v3.32.3
Compare Source
v3.32.2
Compare Source
v3.32.1
Compare Source
v3.32.0
Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.