New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(package): Update dependency svelte to v3 [SECURITY] #51

Open

renovate wants to merge 1 commit into master from renovate/npm-svelte-vulnerability

Contributor

renovate bot commented Sep 25, 2022 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
svelte (source)	`^2.16.1` -> `^3.0.0`

GitHub Vulnerability Alerts

CVE-2022-25875

The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.

Release Notes

sveltejs/svelte

`v3.49.0`

Improve performance of string escaping during SSR (#5701)
Add ComponentType and ComponentProps convenience types (#6770)
Add support for CSS @layer (#7504)
Export CompileOptions from svelte/compiler (#7658)
Fix DOM-less components not being properly destroyed (#7488)
Fix class: directive updates with <svelte:element> (#7521, #7571)
Harden attribute escaping during SSR (#7530)

`v3.48.0`

Allow creating cancelable custom events with createEventDispatcher (#4623)
Support {@const} tag in {#if} blocks #7241
Return the context object in setContext #7427
Allow comments inside {#each} blocks when using animate: (#3999)
Fix |local transitions in {#key} blocks (#5950)
Support svg namespace for {@html} (#7002, #7450)
Fix {@const} tag not working inside a component when there's no let: #7189
Remove extraneous leading newline inside <pre> and <textarea> (#7264)
Fix erroneous setting of textContent for <template> elements (#7297)
Fix value of let: bindings not updating in certain cases (#7440)
Fix handling of void tags in <svelte:element> (#7449)
Fix handling of boolean attributes in <svelte:element> (#7478)
Add special style scoping handling of [open] selectors on <dialog> elements (#7495)

`v3.47.0`

Add support for dynamic elements through <svelte:element> (#2324)
Miscellaneous variable context fixes in {@const} (#7222)
Fix {#key} block not being reactive when the key variable is not otherwise used (#7408)
Add Symbol as a known global (#7418)

`v3.46.6`

Actually include action TypeScript interface in published package (#7407)

`v3.46.5`

Add TypeScript interfaces for typing actions (#6538)
Do not generate unused-export-let warning inside <script context="module"> blocks (#7055)
Do not collapse whitespace-only CSS vars (#7152)
Add aria-description to the list of allowed ARIA attributes (#7301)
Fix attribute escaping during SSR (#7327)
Prevent .innerHTML optimization from being used when style: directive is present (#7386)

`v3.46.4`

Avoid maximum call stack size exceeded errors on large components (#4694)
Preserve leading space with preserveWhitespace: true (#4731)
Preserve leading space in <pre> tags (#6437)
Improve error message when trying to use style: directives on inline components (#7177)
Add FormData as a known global (#7199)
Mark css/instance/module AST properties as optional in types (#7204)

`v3.46.3`

Ignore whitespace in {#each} blocks when containing elements with animate: (#5477)
Throw compiler error when variable in context="instance" collides with import in context="module" (#7090)
Fix compiler crash when {@const} contains arrow functions (#7134)

`v3.46.2`

Export FlipParams interface from svelte/animate (#7103)
Fix style: directive reactivity inside {#each} block (#7136)

`v3.46.1`

Handle style:kebab-case directives (#7122)
Improve AST produced for style: directives (#7127)

`v3.46.0`

Implement {@const} tag (RFC #33, #6413)
Implement style: directive (RFC #42, #5923)
Fix style manager conflicts when using multiple Svelte instances (#7026)
Fix hydration when using {@html} (#7115)

`v3.45.0`

Fix non-boolean attribute rendering in SSR to render truthy values as-is (#6121)
Fix binding to a member expression also invalidating the member property (#6921)
Fix default values in {#each}/etc. destructurings not being considered references for the purposes of compiler warnings (#6964)
Fix {:else if} value incorrectly being cached (#7043)
Add a11y-no-redundant-roles warning (#7067)
Fix code generation error with arrow functions whose bodies are object destructuring assignments (#7087)

`v3.44.3`

Fix bind:this binding inside onMount for manually instantiated component (#6760)
Prevent cursor jumps with one-way binding for other type="text"-like <input>s (#6941)
Exclude async loops from loopGuardTimeout (#6945)

`v3.44.2`

Fix overly restrictive preprocessor types (#6904)
More specific typing for crossfade function - returns a tuple, not an array (#6926)
Add URLSearchParams as a known global (#6938)
Add types field to exports map (#6939)

`v3.44.1`

Fix code generation when a multi-line return statement contains comments (code-red#36)
Fix code generation when for/if/while statements have empty bodies (#6884)

`v3.44.0`

Add enableSourcemap compiler option (#6835)

`v3.43.2`

Fix regression where user-specified imports were not rewritten according to the sveltePath option (#6834)

`v3.43.1`

Prevent a rejecting promise used in {#await} during SSR from appearing as an unhandled rejection (#6789)

`v3.43.0`

Use export map to expose no-op versions of lifecycle functions for SSR (#6743)
Prefer context passed to component constructor, even when running synchronously in another component (#6753)
Handle preprocessors that return empty sourcemaps (#6757)

`v3.42.6`

Hide private preprocess typings (#6622)
Fix reactive function in {:else if} expression not being properly re-run (#6727)

`v3.42.5`

In draw transition, account for stroke-linecap in determining length (#4540)
Fix regression with destructuring assignments with default values (#6699)

`v3.42.4`

Only apply optimized src attribute handling when in an html namespace (#6575)
Fix styles for transitions and animations being attached to the wrong document in <iframe>s (#6637)
Fix <select> with a {...spread} attribute that didn't provide a value key getting its value improperly unset (#6675)

`v3.42.3`

Add BigInt as a known global (#6671)
Fix regression where onDestroy in svelte/ssr was improperly a no-op (#6676)

`v3.42.2`

Collapse whitespace in class and style attributes (#6004)
Deselect all <option>s in a <select> where the bound value doesn't match any of them (#6126)
In hydrated components, only rely on helpers for creating the types of elements present in the component (#6555)
Add HTMLElement and SVGElement as known globals (#6643)
Account for scaling in flip animations (#6657)

`v3.42.1`

Fix regression with reordering keyed {#each} blocks when compiling with hydration enabled (#6561)

`v3.42.0`

Allow use:actions to be used on <svelte:body> (#3163)
Improve parser errors for certain invalid components (#6259, #6288)
Fix paths in generator JS sourcemaps to be relative (#6598)
Fix overzealous warnings about context="module" variables not being reactive (#6606)

`v3.41.0`

Support export { ... } from syntax in components (#2214)
Support export let { ... } = syntax in components (#5612)
Support {#await ... then/catch} without a variable for the resolved/rejected value (#6270)

`v3.40.3`

Fix <slot> data when a transition is cancelled before completing (#5394)
Fix destructuring into variables beginning with $ so that they result in store updates (#5653)
Fix in: transition configuration not properly updating when it's changed after its initial creation (#6505)
Fix applying :global() for > selector combinator (#6550)
Fix mounting component at detached DOM node (#6567)

`v3.40.2`

Fix dynamic autofocus={...} attribute handling (#4995)
Add filename to combined source map if needed (#6089)
In AST, parse empty attribute values as an empty string (#6286)
Fix tracking whether transition has started (#6399)
Fix incorrect scoping of :global() selectors (#6550)

`v3.40.1`

Fix store reactivity regression when using reactive statements (#6557)

`v3.40.0`

Support rendering a component in a shadow DOM (#5869)
Fix :root selector being erroneously scoped to component (#4767)
Fix .end in AST for expressions inside attributes (#6258)
Fix one-way <select> binding when it has a spread attribute (#6433)
Various hydration improvements and fixes (#6449)
Use smaller versions of internal helpers when compiling without hydration support (#6462)
Fix two-way binding of values when updating through synchronous component accessors (#6502)

`v3.39.0`

Support bind:group in SSR (#4621)
Add a11y warning a11y-mouse-events-have-key-events which checks that mouseover/mouseout are accompanied by focus/blur event handlers (#5938)
Make it possible to silence more warnings (#5954)
Add |trusted event modifier (#6137)
Add varsReport compiler option to include all variables reference in the component in the variables report (#6192)
Add errorMode compiler option to try to continue compiling when an error is detected (#6194)
Expose svelte/ssr which exports lifecycle methods as no-ops (#6416)
Add getAllContexts (#6447)
Throw proper error for export default function() {} and export default class {} rather than crashing the compiler (#3275)
Fix SSR rendering of falsy input values (#4551)
Fix preserveComments in SSR mode (#4730)
Do not warn if context="module" variables are not the only dependencies in reactive statements (#5954)
Stop checking a11y-media-has-caption a11y warning on <audio> elements (#6054)
Fix erroneous "unknown prop" warning when using slot on a component (#6065)
Add sourcemaps to all HTML elements (#6092)
Relax derived function signature (#6178)
Throw compiler error when passing empty directive names (#6299)
Fix compiler error when using :where() inside :global() (#6434)
Fix ordering of elements in keyed {#each} (#6444)
Remove deprecated a11y warning a11y-no-onchange warning (#6457)
Fix :global() with pseudo element not being seen as global (#6468)
Allow :global() to contain multiple selectors when it is not part of a larger selector (#6477)
Make <script> and <style> end tag parsing more robust (#6511)

`v3.38.3`

Speed up hydration by reducing amount of element reorderings (#4308)
Fix escaping attribute values when using a spread in SSR (#5756)
Throw compiler error when :global() contains multiple selectors (#5907)
Give explicit error rather than crashing when an attribute shorthand {} is empty (#6086)
Make <textarea> end tag parsing more robust (#6276)
Fix :global(...):some-pseudoclass selectors not being seen as global (#6306)
Fix type signatures of writable and readable so it's possible to call them without arguments (#6291, #6345)
Preserve this in bubbled events (#6310)
Fix slot props not updating when transition is aborted (#6386)
Fix generic props relationship in SvelteComponentTyped (#6400)

`v3.38.2`

Revert hydration optimisation for the time being (#6279)

`v3.38.1`

Fix hydration regression (#6274)

`v3.38.0`

Avoid recreating DOM elements during hydration (#1067)
Support passing CSS custom properties to component (#5628)
Support :global() as part of compound CSS selectors (#6222)
Fix updating <slot> contents when there's an aborted transition (#3542)
Fix setting boolean attributes on custom elements (#5951)
Add missing function overload for derived to allow explicitly setting an initial value for non-async derived stores (#6172)
Fix dynamic href values erroneously triggering a11y warnings (#5990)
Fix scope leak when updating an {#await} block (#6173)
Pass full markup source to script/style preprocessors (#6169)
Fix crossfade types to mark fallback as optional (#6201)
Add missing "context" typing to SvelteComponent constructor options (#6236)
Don't automatically switch to svg namespace when in foreign namespace (#6257)

`v3.37.0`

Allow root-level context to be passed to the component constructor (#6032)

`v3.36.0`

Add this: void typing to store functions (#6094)
Export Spring, Tweened and EasingFunction interfaces (#6070, #6056)
Export interfaces for transition parameters (#5207)
Export store's useful TypeScript definitions (#5864)
Fix previous breaking change to svelte/preprocess types location (#6100)
Fix missing slotted elements in AST (#6066)

`v3.35.0`

Implement slotted components and <svelte:fragment slot="..."> (#1037, #2079)
Fix reactivity bug where slot="..." is specified after attributes that should be reactive (#5626)

`v3.34.0`

Add a cssHash option for controlling the classname used for CSS scoping (#570)

`v3.33.0`

In custom elements, call onMount functions when connecting and clean up when disconnecting (#1152, #2227, #4522)
Allow destructured defaults to refer to other variables (#5066)
Do not emit contextual-store warnings for function parameters or declared variables (#6008)

`v3.32.3`

Fix removal of lone :host selectors (#5982)

`v3.32.2`

Fix unnecessary additional invalidation with <Component bind:prop={obj.foo}/> (#3075, #4447, #5555)
Fix scoping of selectors with :global() and ~ sibling combinators (#5499)
Fix removal of :host selectors as unused when compiling to a custom element (#5946)

`v3.32.1`

Warn when using module variables reactively, and close weird reactivity loophole (#5847)
Throw a parser error for class: directives with an empty class name (#5858)
Fix extraneous store subscription in SSR mode (#5883)
Don't emit update code for class: directives whose expression is not dynamic (#5919)
Fix type inference for derived stores (#5935)
Make parameters of built-in animations and transitions optional (#5936)
Make SvelteComponentDev typings more forgiving (#5937)
Fix foreign elements incorrectly disallowing bind:this (#5942)

`v3.32.0`

Allow multiple instances of the same action on an element (#5516)
Support foreign namespace, which disables certain HTML5-specific behaviour and checks (#5652)
Support inline comment sourcemaps in code from preprocessors (#5854)

`v3.31.2`

Rework SSR store handling to subscribe and unsubscribe as in DOM mode (#3375, #3582, #3636)
Fix error when removing elements that are already transitioning out (#5789, #5808)
Fix duplicate content race condition with {#await} blocks and out transitions (#5815)
Deconflict variable names used for contextual actions (#5834)

`v3.31.1`

Fix scrolling of element with resize listener by making the <iframe> have z-index: -1 (#5448)
Fix location of automatically declared reactive variables (#5749)
Warn when using className or htmlFor attributes (#5777)
Fix checkbox bind:group in keyed {#each} where the array can be reordered (#5779)
Fix checkbox bind:group in nested {#each} contexts (#5811)
Add graphics roles as known ARIA roles (#5822)
Fix local transitions if a parent has a cancelled outro transition (#5829)
Support use:obj.some.deep.function as actions (#5844)

`v3.31.0`

Use a separate SvelteComponentTyped interface for typed components (#5738)

`v3.30.1`

Support consuming decoded sourcemaps as created by the source-map library's SourceMapGenerator (#5722)
Actually export hasContext (#5726)

`v3.30.0`

Add a typed SvelteComponent interface (#5431)
Support spread into <slot> props (#5456)
Fix setting reactive dependencies which don't appear in the template to undefined (#5538)
Support preprocessor sourcemaps during compilation (#5584)
Fix ordering of elements when using {#if} inside {#key} (#5680)
Add hasContext lifecycle function (#5690)
Fix missing walk types in svelte/compiler (#5696)

`v3.29.7`

Include ./register in exports map (#5670)

`v3.29.6`

Include ./package.json in export map (#5659)

`v3.29.5`

Fix $$props and $$restProps when compiling to a custom element (#5482)
Include an export map in package.json (#5556)
Fix function calls in <slot> props that use contextual values (#5565)
Fix handling aborted transitions in {:else} blocks (#5573)
Add Element and Node to known globals (#5586)
Fix $$slots when compiling to custom elements (#5594)
Fix internal imports so that we're exposing a valid ES module (#5617)

`v3.29.4`

Fix code generation error with ?? alongside logical operators (#5558)

`v3.29.3`

Hopefully actually republish with proper UMD build for use in the REPL

`v3.29.2`

Republish with proper UMD build for use in the REPL

`v3.29.1`

Fix compiler hanging on <slot slot="..."> (#5475)
Fix types on get function in svelte/store (#5483)
Add missing end field on ASTs for non-top-level <style> elements (#5487)
Fix {#if} inside {#await} with destructuring (#5508)
Fix types on lifecycle hooks (#5529)

`v3.29.0`

Support <slot slot="..."> (#2079)
Fix unmounting components with a bidirectional transition with a delay (#4954)
Add types to get function in svelte/store (#5269)
Add a warning when a component looks like it's trying to use another component without beginning with a capital letter (#5302)
Add EventSource to known globals (#5463)
Fix compiler exception with ~/+ combinators and {...spread} attributes (#5465)

`v3.28.0`

Add {#key} block for keying arbitrary content on an expression (#1469)

`v3.27.0`

Add |nonpassive event modifier, explicitly passing passive: false (#2068)
Scope CSS selectors with ~ and + combinators (#3104)
Fix keyed {#each} not reacting to key changing (#5444)
Fix destructuring into store values (#5449)
Fix erroneous missing-declaration warning with use:obj.method (#5451)

`v3.26.0`

Support use:obj.method as actions (#3935)
Support _ as numeric separator (#5407)
Fix assignments to properties on store values (#5412)
Add special style scoping handling of [open] selectors on <details> elements (#5421)
Support import.meta in template expressions (#5422)

`v3.25.1`

Fix specificity of certain styles involving a child selector (#4795)
Fix transitions that are parameterised with stores (#5244)
Fix scoping of styles involving child selector and * (#5370)
Fix destructuring which reassigns stores (#5388)
Fix {#await}s with no {:catch} getting stuck unresolved if the promise rejects (#5401)

`v3.25.0`

Use null rather than undefined for coerced bound value of <input type="number"> (#1701)
Expose object of which slots have received content in $$slots (#2106)
Correctly disallow using lifecycle hooks after synchronous component initialisation (#4259, #4899)
Re-throw an unhandled rejection when an {#await} block with no {:catch} gets a rejection (#5129)
Add types to createEventDispatcher (#5211)
In SSR mode, do not automatically declare variables for reactive assignments to member expressions (#5247)
Include selector in message of unused-css-selector warning (#5252)
Fix using <Namespaced.Component/>s in child {#await}/{#each} contexts (#5255)
Fix using <svelte:component> in {:catch} (#5259)
Fix setting one-way bound <input> value to undefined when it has spread attributes (#5270)
Fix deep two-way bindings inside an {#each} involving a store (#5286)
Use valid XHTML for elements that are optimised and inserted with .innerHTML (#5315)
Fix reactivity of $$props in slot fallback content (#5367)

`v3.24.1`

Prevent duplicate invalidation with certain two-way component bindings (#3180, #5117, #5144)
Fix reactivity when passing $$props to a <slot> (#3364)
Fix transitions on {#each} {:else} (#4970)
Fix unneeded invalidation of $$props and $$restProps (#4993, #5118)
Provide better compiler error message when mismatched tags are due to autoclosing of tags (#5049)
Add a11y-label-has-associated-control warning (#5074)
Add a11y-media-has-caption warning (#5075)
Fix bind:group when using contextual reference (#5174)

`v3.24.0`

Support nullish coalescing (??) and optional chaining (?.) operators (#1972)
Support import.meta (#4379)
Fix only setting <input> values when they're changed when there are spread attributes (#4418)
Fix placement of {@html} when used at the root of a slot, at the root of a component, or in <svelte:head> (#5012, #5071)
Fix certain handling of two-way bound contenteditable elements (#5018)
Fix handling of imported value that is used as a store and is also mutated (#5019)
Do not display a11y-missing-content warning on elements with contenteditable bindings (#5020)
Fix handling of this in inline function expressions in the template (#5033)
Fix collapsing HTML with static content (#5040)
Prevent use of $store at compile time when top-level store has been shadowed (#5048)
Update <select> with one-way value binding when the available <option>s change (#5051)
Fix published tweened types so the .set() and .update() options are optional (#5062)
Fix contextual bind:this inside {#each} block (#5067)
Preprocess self-closing <script> and <style> tags (#5080)
Fix types for animation- and transition-related param objects so each param is optional (#5083)

`v3.23.2`

Fix bind:group inside {#each} (#3243)
Don't crash when using an arrow function as a statement (#4617)
Deconflict bind:this variable (#4636)

`v3.23.1`

Fix checkbox bind:group when multiple options have the same value (#4397)
Fix bind:this to the value of an {#each} block (#4517)
Fix reactivity when assigning to contextual {#each} variable (#4574, #4744)
Fix binding to contextual {#each} values that shadow outer names (#4757)
Work around EdgeHTML DOM issue when removing attributes during hydration (#4911)
Throw CSS parser error when :global() does not contain a selector (#4930)

`v3.23.0`

Update <select> with bind:value when the available <option>s change (#1764)
Add muted binding for media elements (#2998)
Fix inconsistencies when setting a two-way bound <input> to undefined (#3569)
Fix setting <select multiple> when there are spread attributes (#4392)
Fix let-less <slot> with context overflow (#4624)
Fix resize listening on certain older browsers (#4752)
Add a11y-no-onchange warning (#4788)
Fix use: actions being recreated when a keyed {#each} is reordered (#4693)
Fix {@html} when using tags that can only appear inside certain tags (#4852)
Fix reactivity when binding directly to {#each} context (#4879)

`v3.22.3`

Support default values and trailing commas in destructuring {#await} (#4560, #4810)
Fix handling of tweened store when set using duration: 0 (#4799, #4846)
Fix setting value attribute with bind:group and attribute spread (#4803)
Fix issue with compound {#if} block involving static condition, dynamic condition, and inline component (#4840)
Update a11y warnings per ARIA 1.2 working draft (#4844)

`v3.22.2`

Fix compiler exception with a11y-img-redundant-alt and value-less alt attribute (#4777)

`v3.22.1`

Fix compiler exception with a11y-img-redundant-alt and dynamic alt attribute (#4770)

`v3.22.0`

Fix misaligned line numbers in source maps (#3906)
Make setting a tweened store using duration: 0 instantly update the value (#4399)
Fix reactivity with imported values that are then mutated (#4555)
Fix contextual dynamic bind:this inside {#each} block (#4686)
Do not display a11y warning about missing href for <a> with name or id (#4697)
Disable infinite loop guard inside generators (#4698)
Display a11y-invalid-attribute warning for href="javascript:..." (#4733)
Implement a11y-img-redundant-alt warning (#4750)
Fix variable name conflict with component called <Anchor> (#4768)

`v3.21.0`

Support dimension bindings in cross-origin environments (#2147)
Fix several related outro bugs (#3202, #3410, #3685, #4620, #4630)
Try using globalThis rather than globals for the benefit of non-Node servers and web workers (#3561, #4545)
Support {#await ... catch ...} syntax shorthand (#3623)
Fix attaching of JS debugging comments to HTML comments (#4565)
Fix <svelte:component/> within <slot/> (#4597)
Fix bug with updating simple {#if} blocks (#4629)
Fix issues with <input type="number"> updates (#4631, #4687)
Prevent illegal attribute names (#4648)
Fix {#if} block directly within <slot/> (#4703)

`v3.20.1`

Fix compiler regression with slots (#4562)

`v3.20.0`

Allow destructuring in {#await} blocks (#1851)
Allow <svelte:self> to be used in a slot (#2798)
Ex

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          chore(package): Update dependency svelte to 3.49.0 [SECURITY]

f842cb5

renovate bot changed the title ~~chore(package): Update dependency svelte to 3.49.0 [SECURITY]~~ chore(package): Update dependency svelte to v3 [SECURITY]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet