Skip to content

chore(deps): update dependency svelte to v4.2.19 [security] #166

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): update dependency svelte to v4.2.19 [security] #166

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Aug 30, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
svelte (source) 4.2.94.2.19 age confidence

GitHub Vulnerability Alerts

CVE-2024-45047

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

  • If the string is an attribute value:
    • " -> "
    • & -> &
    • Other characters -> No conversion
  • Otherwise:
    • < -> &lt;
    • & -> &amp;
    • Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

Release Notes

sveltejs/svelte (svelte)

v4.2.19

Compare Source

Patch Changes

  • fix: ensure typings for <svelte:options> are picked up (#​12902)

  • fix: escape < in attribute strings (#​12989)

v4.2.18

Compare Source

Patch Changes

v4.2.17

Compare Source

Patch Changes
  • fix: correctly handle falsy values of style directives in SSR mode (#​11584)

v4.2.16

Compare Source

Patch Changes
  • fix: check if svelte component exists on custom element destroy (#​11489)

v4.2.15

Compare Source

Patch Changes
  • support attribute selector inside :global() (#​11135)

v4.2.14

Compare Source

Patch Changes
  • fix parsing camelcase container query name (#​11131)

v4.2.13

Compare Source

Patch Changes
  • fix: applying :global for +,~ sibling combinator when slots are present (#​9282)

v4.2.12

Compare Source

Patch Changes
  • fix: properly update svelte:component props when there are spread props (#​10604)

v4.2.11

Compare Source

Patch Changes
  • fix: check that component wasn't instantiated in connectedCallback (#​10466)

v4.2.10

Compare Source

Patch Changes

  • fix: add scrollend event type (#​10336)

  • fix: add fetchpriority attribute type (#​10390)

  • fix: Add miter-clip and arcs to stroke-linejoin attribute (#​10377)

  • fix: make inline doc links valid (#​10366)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions
Copy link

github-actions bot commented Aug 30, 2024
edited
Loading

size-limit report 📦

Path Size Loading time (3g) Running time (snapdragon) Total time
dist/index.js 1.47 KB (0%) 30 ms (0%) 72 ms (+424.75% 🔺) 101 ms

@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from e9e205b to fef84fb Compare January 23, 2025 17:38
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from fef84fb to f27056a Compare February 9, 2025 13:45
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from f27056a to 89a7012 Compare March 3, 2025 17:27
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch 3 times, most recently from ead036d to c4153f0 Compare March 17, 2025 18:02
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from c4153f0 to 39022b7 Compare April 1, 2025 11:49
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 39022b7 to cbbb96b Compare April 8, 2025 12:23
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from cbbb96b to 873af66 Compare April 24, 2025 06:04
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 873af66 to d675e51 Compare May 19, 2025 17:10
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from d675e51 to f251bf1 Compare May 28, 2025 14:39
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from f251bf1 to db9de17 Compare June 6, 2025 04:17
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from db9de17 to 64c5ca2 Compare June 22, 2025 14:09
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 64c5ca2 to 6d807b8 Compare July 2, 2025 18:57
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch 2 times, most recently from f0fb67e to c3ff0e9 Compare August 13, 2025 16:58
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from c3ff0e9 to 9ee356d Compare August 19, 2025 18:55
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 9ee356d to 8ac835f Compare August 31, 2025 10:40
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 8ac835f to fd3fb53 Compare September 25, 2025 14:56
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from fd3fb53 to 77ae3ff Compare October 22, 2025 01:41
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 77ae3ff to d0bec6c Compare November 11, 2025 01:03
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from d0bec6c to 76530db Compare November 19, 2025 00:01
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 76530db to a9bdfa1 Compare December 3, 2025 19:56
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from a9bdfa1 to ababdd2 Compare December 31, 2025 14:46
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from ababdd2 to 021d2d7 Compare January 8, 2026 20:31
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch 2 times, most recently from c5b631f to c182c81 Compare January 23, 2026 19:29
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from c182c81 to 87c9cb5 Compare February 2, 2026 15:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants