New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency svelte to v4.2.19 [security] #838

Closed

renovate wants to merge 1 commit into master from renovate/npm-svelte-vulnerability

Contributor

renovate bot commented Aug 30, 2024

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
svelte (source)	`^3.0.0 \|\| ^4.0.0` -> `^4.2.19 ^4.2.19`
svelte (source)	`4.2.18` -> `4.2.19`

GitHub Vulnerability Alerts

CVE-2024-45047

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

If the string is an attribute value:
- " -> "
- & -> &
- Other characters -> No conversion
Otherwise:
- < -> <
- & -> &
- Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

Release Notes

sveltejs/svelte (svelte)

`v4.2.19`

Patch Changes

fix: ensure typings for <svelte:options> are picked up (#12902)
fix: escape < in attribute strings (#12989)

`v4.2.18`

Patch Changes

chore: speed up regex (#11922)

`v4.2.17`

Patch Changes

fix: correctly handle falsy values of style directives in SSR mode (#11584)

`v4.2.16`

Patch Changes

fix: check if svelte component exists on custom element destroy (#11489)

`v4.2.15`

Patch Changes

support attribute selector inside :global() (#11135)

`v4.2.14`

Patch Changes

fix parsing camelcase container query name (#11131)

`v4.2.13`

Patch Changes

fix: applying :global for +,~ sibling combinator when slots are present (#9282)

`v4.2.12`

Patch Changes

fix: properly update svelte:component props when there are spread props (#10604)

`v4.2.11`

Patch Changes

fix: check that component wasn't instantiated in connectedCallback (#10466)

`v4.2.10`

Patch Changes

fix: add scrollend event type (#10336)
fix: add fetchpriority attribute type (#10390)
fix: Add miter-clip and arcs to stroke-linejoin attribute (#10377)
fix: make inline doc links valid (#10366)

`v4.2.9`

Patch Changes

fix: add types for popover attributes and events (#10042)
fix: add gamepadconnected and gamepaddisconnected events (#9864)
fix: make @types/estree a dependency (#10149)
fix: bump axobject-query (#10167)

`v4.2.8`

Patch Changes

fix: port over props that were set prior to initialization (#9701)

`v4.2.7`

Patch Changes

fix: handle spreads within static strings (#9554)

`v4.2.6`

Patch Changes

fix: adjust static attribute regex (#9551)

`v4.2.5`

Patch Changes

fix: ignore expressions in top level script/style tag attributes (#9498)

`v4.2.4`

Patch Changes

fix: handle closing tags inside attribute values (#9486)

`v4.2.3`

Patch Changes

fix: improve a11y-click-events-have-key-events message (#9358)
fix: more robust hydration of html tag (#9184)

`v4.2.2`

Patch Changes

fix: support camelCase properties on custom elements (#9328)
fix: add missing plaintext-only value to contenteditable type (#9242)
chore: upgrade magic-string to 0.30.4 (#9292)
fix: ignore trailing comments when comparing nodes (#9197)

`v4.2.1`

Patch Changes

fix: update style directive when style attribute is present and is updated via an object prop (#9187)
fix: css sourcemap generation with unicode filenames (#9120)
fix: do not add module declared variables as dependencies (#9122)
fix: handle svelte:element with dynamic this and spread attributes (#9112)
fix: silence false positive reactive component warning (#9094)
fix: head duplication when binding is present (#9124)
fix: take custom attribute name into account when reflecting property (#9140)
fix: add indeterminate to the list of HTMLAttributes (#9180)
fix: recognize option value on spread attribute (#9125)

`v4.2.0`

Minor Changes

feat: move svelteHTML from language-tools into core to load the correct svelte/element types (#9070)

`v4.1.2`

Patch Changes

fix: allow child element with slot attribute within svelte:element (#9038)
fix: Add data-* to svg attributes (#9036)

`v4.1.1`

Patch Changes

fix: svelte:component spread props change not picked up (#9006)

`v4.1.0`

Minor Changes

feat: add ability to extend custom element class (#8991)

Patch Changes

fix: ensure svelte:component evaluates props once (#8946)
fix: remove let:variable slot bindings from select binding dependencies (#8969)
fix: handle destructured primitive literals (#8871)
perf: optimize imports that are not mutated or reassigned (#8948)
fix: don't add accessor twice (#8996)

`v4.0.5`

Patch Changes

fix: generate type definition with nullable types (#8924)

`v4.0.4`

Patch Changes

fix: claim svg tags in raw mustache tags correctly (#8910)
fix: repair invalid raw html content during hydration (#8912)

`v4.0.3`

Patch Changes

fix: handle falsy srcset values (#8901)

`v4.0.2`

Patch Changes

fix: reflect all custom element prop updates back to attribute (#8898)
fix: shrink custom element baseline a bit (#8858)
fix: use non-destructive hydration for all @html tags (#8880)
fix: align disclose-version exports specification (#8874)
fix: check srcset when hydrating to prevent needless requests (#8868)

`v4.0.1`

Patch Changes

fix: ensure identifiers in destructuring contexts don't clash with existing ones (#8840)
fix: ensure createEventDispatcher and ActionReturn work with types from generic function parameters (#8872)
fix: apply transition to <svelte:element> with local transition (#8865)
fix: relax a11y "no redundant role" rule for li, ul, ol (#8867)
fix: remove tsconfig.json from published package (#8859)

`v4.0.0`

Major Changes

breaking: Minimum supported Node version is now Node 16 (#8566)
breaking: Minimum supported webpack version is now webpack 5 (#8515)
breaking: Bundlers must specify the browser condition when building a frontend bundle for the browser (#8516)
breaking: Minimum supported vite-plugin-svelte version is now 2.4.1. SvelteKit users can upgrade to 1.20.0 or newer to ensure a compatible version (#8516)
breaking: Minimum supported rollup-plugin-svelte version is now 7.1.5 (198dbcf)
breaking: Minimum supported svelte-loader is now 3.1.8 (198dbcf)
breaking: Minimum supported TypeScript version is now TypeScript 5 (it will likely work with lower versions, but we make no guarantees about that) (#8488)
breaking: Remove svelte/register hook, CJS runtime version and CJS compiler output (#8613)
breaking: Stricter types for createEventDispatcher (see PR for migration instructions) (#7224)
breaking: Stricter types for Action and ActionReturn (see PR for migration instructions) (#7442)
breaking: Stricter types for onMount - now throws a type error when returning a function asynchronously to catch potential mistakes around callback functions
(see PR for migration instructions) (#8136)
breaking: Overhaul and drastically improve creating custom elements with Svelte (see PR for list of changes and migration instructions) (#8457)
breaking: Deprecate SvelteComponentTyped in favor of SvelteComponent (#8512)
breaking: Make transitions local by default to prevent confusion around page navigations (#6686)
breaking: Error on falsy values instead of stores passed to derived (#7947)
breaking: Custom store implementers now need to pass an update function additionally to the set function (#6750)
breaking: Do not expose default slot bindings to named slots and vice versa (#6049)
breaking: Change order in which preprocessors are applied (#8618)
breaking: The runtime now makes use of classList.toggle(name, boolean) which does not work in very old browsers (#8629)
breaking: apply inert to outroing elements (#8628)
breaking: use CustomEvent constructor instead of deprecated createEvent method (#8775)

Minor Changes

Add a way to modify attributes for script/style preprocessors (#8618)
Improve hydration speed by adding data-svelte-h attribute to detect unchanged HTML elements (#7426)
Add a11y no-noninteractive-element-interactions rule (#8391)
Add a11y-no-static-element-interactionsrule (#8251)
Allow #each to iterate over iterables like Set, Map etc (#7425)
Improve duplicate key error for keyed each blocks (#8411)
Warn about : in attributes and props to prevent ambiguity with Svelte directives (#6823)
feat: add version info to window. You can opt out by setting discloseVersion to false in the compiler options (#8761)
feat: smaller minified output for destructor chunks (#8763)

Patch Changes

Bind null option and input values consistently (#8312)
Allow $store to be used with changing values including nullish values (#7555)
Initialize stylesheet with /* empty */ to enable setting CSP directive that also works in Safari (#7800)
Treat slots as if they don't exist when using CSS adjacent and general sibling combinators (#8284)
Fix transitions so that they don't require a style-src 'unsafe-inline' Content Security Policy (CSP) (#6662).
Explicitly disallow var declarations extending the reactive statement scope (#6800)
Improve error message when trying to use animate: directives on inline components (#8641)
fix: export ComponentType from svelte entrypoint (#8578)
fix: never use html optimization for mustache tags in hydration mode (#8744)
fix: derived store types (#8578)
Generate type declarations with dts-buddy (#8578)
fix: ensure types are loaded with all TS settings (#8721)
fix: account for preprocessor source maps when calculating meta info (#8778)
chore: deindent cjs output for compiler (#8785)
warn on boolean compilerOptions.css (#8710)
fix: export correct SvelteComponent type (#8721)

`v3.59.2`

Fix escaping <textarea bind:value={...}> values in SSR

`v3.59.1`

Handle dynamic values in a11y-autocomplete-valid (#8567)

`v3.59.0`

Add ResizeObserver bindings contentRect/contentBoxSize/borderBoxSize/devicePixelContentBoxSize (#8022)
Add devicePixelRatio binding for <svelte:window> (#8285)
Add fullscreenElement and visibilityState bindings for <svelte:document> (#8507)
Add a11y-autocomplete-valid warning (#8520)
Fix handling of width/height attributes when spreading (#6752)
Fix updating of interpolated style: directive when using spread (#8438)
Remove style: directive property when value is undefined (#8462)
Fix type of VERSION compiler export (#8498)
Relax a11y-no-redundant-roles warning (#8536)
Handle nested array rest destructuring (#8552, #8554)

`v3.58.0`

Add bind:innerText for contenteditable elements (#3311)
Add support for CSS @container queries (#6969)
Respect preserveComments in DOM output (#7182)
Allow use of document for target in typings (#7554)
Add a11y-interactive-supports-focus warning (#8392)
Fix equality check when updating dynamic text (#5931)
Relax a11y-no-noninteractive-element-to-interactive-role warning (#8402)
Properly handle microdata attributes (#8413)
Prevent name collision when using computed destructuring variables (#8417)
Fix escaping <textarea value={...}> values in SSR (#8429)

`v3.57.0`

Add <svelte:document> (#3310)
Add a11y no-noninteractive-element-to-interactive-role (#8167)
Stop intro transition from triggering incorrectly (#6152, #6812)
Support computed and literal properties when destructuring objects in the template (#6609)
Give style: directive precedence over style= attribute (#7475)
Select <option> with selected attribute when initial state is undefined (#8361)
Prevent derived store callbacks after store is unsubscribed from (#8364)
Account for bind:group members being spread across multiple control flow blocks (#8372)
Revert buggy reactive statement optimization (#8374)
Support CSS units in the fly and blur transitions (#7623)

`v3.56.0`

Add |stopImmediatePropagation event modifier (#5085)
Add axis parameter to slide transition (#6182)
Add readonly utility to convert writable store to readonly (#6518)
Add readyState binding for media elements (#6666)
Generate valid automatic component names when the filename contains only special characters (#7143)
Add naturalWidth and naturalHeight bindings (#7771)
Support  on components (#8082)
Add a11y warnings:
- aria-activedescendant-has-tabindex: checks that elements with aria-activedescendant have a tabindex (#8172)
- role-supports-aria-props: checks that the (implicit) element role supports the given aria attributes (#8195)
Add data-sveltekit-replacestate and data-sveltekit-keepfocus attribute typings (#8281)
Compute node dimensions immediately before crossfading (#4111)
Fix potential infinite invalidate loop with <svelte:component> (#4129)
Ensure bind:offsetHeight updates initially (#4233)
Don't set selected options if value is unbound or not passed (#5644)
Validate component :global() selectors (#6272)
Improve warnings:
- Make noreferrer warning less zealous (#6289)
- Omit a11y warnings on <video aria-hidden="true"> (#7874)
- Omit a11y warnings on <svelte:element> (#7939)
- Detect unused empty attribute CSS selectors (#8042)
- Omit "no child content" warning on elements with aria-label (#8296)
Check value equality for <input type="search"> and <input type="url"> (#7027)
Do not select a disabled <option> by default when the initial bound value is undefined (#7041)
Handle {@html} tags inside <template> tags (#7364)
Ensure afterUpdate is not called after onDestroy (#7476)
Improve handling of inert attribute (#7500)
Reduce use of template literals in SSR output for better performance (#7539)
Ensure <input> value persists when swapping elements with spread attributes in an {#each} block (#7578)
Simplify generated code for reactive statements if dependencies are all static (#7942)
Fix race condition on <svelte:element> with transitions (#7948)
Allow assigning to a property of a const when destructuring (#7964)
Match browser behavior for decoding malformed HTML entities (#8026)
Ensure trusted-types CSP compatibility for Web Components (#8134)
Optimise <svelte:element> output code for static tag and static attribute (#8161)
Don't throw when calling unsubscribing from a store twice (#8186)
Clear inputs when bind:group value is set to undefined (#8214)
Fix handling of nested arrays with keyed {#each} containing a non-keyed {#each} (#8282)

`v3.55.1`

Fix draw transition with delay showing a dot at the beginning of the path (#6816)
Fix infinity runtime call stack when propagating bindings (#7032)
Fix static <svelte:element> optimization in production mode (#7937)
Fix svelte-ignore comment breaking named slot (#8075)
Revert change to prevent running init binding unnecessarily (#8103)
Fix adding duplicate event listeners with <svelte:element on:event> (#8129)
Improve detection of promises that are also functions (#8162)
Avoid mutating spread component props during SSR (#8171)
Add missing typing for global part attribute (#8181)
Add missing submitter property to on:submit event type

`v3.55.0`

Add svelte/elements for HTML/Svelte typings (#7649)

`v3.54.0`

Pass options.direction argument to custom transition functions (#3918)
Support fallback a11y WAI-ARIA roles (#8044)
Prevent running init binding unnecessarily (#5689, #6298)
Allow updating variables from @const declared function (#7843)
Do not emit a11y-no-noninteractive-tabindex warning if element has a tabpanel (#8025)
Fix escaping SSR'd values in style: directive (#8085)

`v3.53.1`

Fix exception in rel= attribute check with dynamic values (#7994)
Do not emit deprecation warnings for css compiler options for now (#8009)
Make compiler run in browser again (#8010)
Upgrade tslib (#8013)

`v3.53.0`

Check whether parentNode exists before removing child (#6037)
Upgrade various dependencies, notably css-tree to 2.2.1 (#7572, #7982)
Extend css compiler option with 'external' | 'injected' | 'none' settings and deprecate old true | false values (#7914)

`v3.52.0`

Throw compile-time error when attempting to update const variable (#4895)
Warn when using <a target="_blank"> without rel="noreferrer" (#6188)
Support style:foo|important modifier (#7365)
Fix hydration regression with {@html} and components in <svelte:head> (#7941)

`v3.51.0`

Add a11y warnings:
- a11y-click-events-have-key-events: check if click event is accompanied by key events (#5073)
- a11y-no-noninteractive-tabindex: check for tabindex on non-interactive elements (#6693)
Warn when two-way binding to {...rest} object in {#each} block (#6860)
Support --style-props on <svelte:component> (#7461)
Supports nullish values for component event handlers (#7568)
Supports SVG elements with <svelte:element>(#7613)
Treat inert as boolean attribute (#7785)
Support --style-props for SVG components (#7808)
Fix false positive dev warnings about unset props when they are bound (#4457)
Fix hydration with {@html} and components in <svelte:head> (#4533, #6463, #7444)
Support scoped style for <svelte:element> (#7443)
Improve error message for invalid value for <svelte:component this={...}> (#7550)
Improve error message when using logic blocks or tags at invalid location (#7552)
Warn instead of throwing error if <svelte:element> is a void tag (#7566)
Supports custom elements in <svelte:element> (#7733)
Fix calling component unmount if a component is mounted and then immediately unmounted (#7817)
Do not generate a11y-role-has-required-aria-props warning when elements match their semantic role (#7837)
Improve performance of custom element data setting in <svelte:element> (#7869)

`v3.50.1`

Add all global objects and functions as known globals (#3805, #7223)
Fix regression with style manager (#7828)

`v3.50.0`

Add a11y warnings:
- a11y-incorrect-aria-attribute-type: check ARIA state and property values (#6978)
- a11y-no-abstract-role: check that ARIA roles are non-abstract (#6241)
- a11y-no-interactive-element-to-noninteractive-role: check for non-interactive roles used on interactive elements (#5955)
- a11y-role-has-required-aria-props: check that elements with role attribute have all required attributes for that role (#5852)
Add ComponentEvents convenience type (#7702)
Add SveltePreprocessor utility type (#7742)
Enhance action typings (#7805)
Remove empty stylesheets created from transitions (#4801, #7164)
Make a11y-label-has-associated-control warning check all descendants for input control (#5528)
Only show lowercase component name warnings for non-HTML/SVG elements (#5712)
Disallow invalid CSS selectors starting with a combinator (#7643)
Use Node.parentNode instead of Node.parentElement for legacy browser support (#7723)
Handle arrow function on <slot> inside <svelte:fragment> (#7485)
Improve parsing speed when encountering large blocks of whitespace (#7675)
Fix class: directive updates in aborted/restarted transitions (#7764)

`v3.49.0`

Improve performance of string escaping during SSR (#5701)
Add ComponentType and ComponentProps convenience types (#6770)
Add support for CSS @layer (#7504)
Export CompileOptions from svelte/compiler (#7658)
Fix DOM-less components not being properly destroyed (#7488)
Fix class: directive updates with <svelte:element> (#7521, #7571)
Harden attribute escaping during SSR (#7530)

`v3.48.0`

Allow creating cancelable custom events with createEventDispatcher (#4623)
Support {@const} tag in {#if} blocks #7241
Return the context object in setContext #7427
Allow comments inside {#each} blocks when using animate: (#3999)
Fix |local transitions in {#key} blocks (#5950)
Support svg namespace for {@html} (#7002, #7450)
Fix {@const} tag not working inside a component when there's no let: #7189
Remove extraneous leading newline inside <pre> and <textarea> (#7264)
Fix erroneous setting of textContent for <template> elements (#7297)
Fix value of let: bindings not updating in certain cases (#7440)
Fix handling of void tags in <svelte:element> (#7449)
Fix handling of boolean attributes in <svelte:element> (#7478)
Add special style scoping handling of [open] selectors on <dialog> elements (#7495)

`v3.47.0`

`v3.46.6`

`v3.46.5`

`v3.46.4`

`v3.46.3`

`v3.46.2`

Export FlipParams interface from svelte/animate (#7103)
Fix style: directive reactivity inside {#each} block (#7136)

`v3.46.1`

`v3.46.0`

`v3.45.0`

`v3.44.3`

`v3.44.2`

`v3.44.1`

`v3.44.0`

`v3.43.2`

`v3.43.1`

`v3.43.0`

`v3.42.6`

`v3.42.5`

`v3.42.4`

`v3.42.3`

`v3.42.2`

`v3.42.1`

`v3.42.0`

`v3.41.0`

Support export { ... } from syntax in components (#2214)
Support export let { ... } = syntax in components (#5612)
Support {#await ... then/catch} without a variable for the resolved/rejected value (#6270)

`v3.40.3`

`v3.40.2`

Fix dynamic autofocus={...} attribute handling (#4995)
Add filename to combined source map if needed (#6089)
In AST, parse empty attribute values as an empty string (#6286)
Fix tracking whether transition has started (#6399)
Fix incorrect scoping of :global() selectors (#6550)

`v3.40.1`

`v3.40.0`

Support rendering a component in a shadow DOM (#5869)
Fix :root selector being erroneously scoped to component (#4767)
Fix .end in AST for expressions inside attributes (#6258)
Fix one-way <select> binding when it has a spread attribute (#6433)
Various hydration improvements and fixes (#6449)
Use smaller versions of internal helpers when compiling without hydration support (#6462)
Fix two-way binding of values when updating through synchronous component accessors (#6502)

`v3.39.0`

`v3.38.3`

`v3.38.2`

`v3.38.1`

`v3.38.0`

`v3.37.0`

`v3.36.0`

`v3.35.0`

`v3.34.0`

`v3.33.0`

`v3.32.3`

`v3.32.2`

`v3.32.1`

`v3.32.0`

`v3.31.2`

`v3.31.1`

`v3.31.0`

`v3.30.1`

`v3.30.0`

`v3.29.7`

`v3.29.6`

`v3.29.5`

`v3.29.4`

`v3.29.3`

`v3.29.2`

`v3.29.1`

`v3.29.0`

`v3.28.0`

`v3.27.0`

`v3.26.0`

`v3.25.1`

`v3.25.0`

`v3.24.1`

[Compare Source

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          chore(deps): update dependency svelte to v4.2.19 [security]

17d95a0

renovate bot added bot security labels

maxmilton closed this

Contributor Author

renovate bot commented Sep 1, 2024 •

edited

Loading

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (4.2.19). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

renovate bot deleted the renovate/npm-svelte-vulnerability branch

September 1, 2024 02:24

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels