Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency svelte to v4.2.19 [security] #144

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 30, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
svelte (source) 4.0.5 -> 4.2.19 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-45047

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

  • If the string is an attribute value:
    • " -> "
    • & -> &
    • Other characters -> No conversion
  • Otherwise:
    • < -> &lt;
    • & -> &amp;
    • Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag


Release Notes

sveltejs/svelte (svelte)

v4.2.19

Compare Source

Patch Changes
  • fix: ensure typings for <svelte:options> are picked up (#​12902)

  • fix: escape < in attribute strings (#​12989)

v4.2.18

Compare Source

Patch Changes

v4.2.17

Compare Source

Patch Changes
  • fix: correctly handle falsy values of style directives in SSR mode (#​11584)

v4.2.16

Compare Source

Patch Changes
  • fix: check if svelte component exists on custom element destroy (#​11489)

v4.2.15

Compare Source

Patch Changes
  • support attribute selector inside :global() (#​11135)

v4.2.14

Compare Source

Patch Changes
  • fix parsing camelcase container query name (#​11131)

v4.2.13

Compare Source

Patch Changes
  • fix: applying :global for +,~ sibling combinator when slots are present (#​9282)

v4.2.12

Compare Source

Patch Changes
  • fix: properly update svelte:component props when there are spread props (#​10604)

v4.2.11

Compare Source

Patch Changes
  • fix: check that component wasn't instantiated in connectedCallback (#​10466)

v4.2.10

Compare Source

Patch Changes
  • fix: add scrollend event type (#​10336)

  • fix: add fetchpriority attribute type (#​10390)

  • fix: Add miter-clip and arcs to stroke-linejoin attribute (#​10377)

  • fix: make inline doc links valid (#​10366)

v4.2.9

Compare Source

Patch Changes
  • fix: add types for popover attributes and events (#​10042)

  • fix: add gamepadconnected and gamepaddisconnected events (#​9864)

  • fix: make @types/estree a dependency (#​10149)

  • fix: bump axobject-query (#​10167)

v4.2.8

Compare Source

Patch Changes
  • fix: port over props that were set prior to initialization (#​9701)

v4.2.7

Compare Source

Patch Changes
  • fix: handle spreads within static strings (#​9554)

v4.2.6

Compare Source

Patch Changes
  • fix: adjust static attribute regex (#​9551)

v4.2.5

Compare Source

Patch Changes
  • fix: ignore expressions in top level script/style tag attributes (#​9498)

v4.2.4

Compare Source

Patch Changes
  • fix: handle closing tags inside attribute values (#​9486)

v4.2.3

Compare Source

Patch Changes
  • fix: improve a11y-click-events-have-key-events message (#​9358)

  • fix: more robust hydration of html tag (#​9184)

v4.2.2

Compare Source

Patch Changes
  • fix: support camelCase properties on custom elements (#​9328)

  • fix: add missing plaintext-only value to contenteditable type (#​9242)

  • chore: upgrade magic-string to 0.30.4 (#​9292)

  • fix: ignore trailing comments when comparing nodes (#​9197)

v4.2.1

Compare Source

Patch Changes
  • fix: update style directive when style attribute is present and is updated via an object prop (#​9187)

  • fix: css sourcemap generation with unicode filenames (#​9120)

  • fix: do not add module declared variables as dependencies (#​9122)

  • fix: handle svelte:element with dynamic this and spread attributes (#​9112)

  • fix: silence false positive reactive component warning (#​9094)

  • fix: head duplication when binding is present (#​9124)

  • fix: take custom attribute name into account when reflecting property (#​9140)

  • fix: add indeterminate to the list of HTMLAttributes (#​9180)

  • fix: recognize option value on spread attribute (#​9125)

v4.2.0

Compare Source

Minor Changes
  • feat: move svelteHTML from language-tools into core to load the correct svelte/element types (#​9070)

v4.1.2

Compare Source

Patch Changes
  • fix: allow child element with slot attribute within svelte:element (#​9038)

  • fix: Add data-* to svg attributes (#​9036)

v4.1.1

Compare Source

Patch Changes
  • fix: svelte:component spread props change not picked up (#​9006)

v4.1.0

Compare Source

Minor Changes
  • feat: add ability to extend custom element class (#​8991)
Patch Changes
  • fix: ensure svelte:component evaluates props once (#​8946)

  • fix: remove let:variable slot bindings from select binding dependencies (#​8969)

  • fix: handle destructured primitive literals (#​8871)

  • perf: optimize imports that are not mutated or reassigned (#​8948)

  • fix: don't add accessor twice (#​8996)


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Copy link

netlify bot commented Aug 30, 2024

Deploy Preview for demo-watergis failed.

Name Link
🔨 Latest commit 2696e6f
🔍 Latest deploy log https://app.netlify.com/sites/demo-watergis/deploys/6744c83ae75fd600082e95a3

@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 388ddbc to ba1bce6 Compare September 18, 2024 01:47
@renovate renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from ba1bce6 to 2696e6f Compare November 25, 2024 18:55
@renovate renovate bot changed the title chore(deps): update dependency svelte to v4.2.19 [security] chore(deps): update dependency svelte to v4.2.19 [security] - autoclosed Dec 8, 2024
@renovate renovate bot closed this Dec 8, 2024
@renovate renovate bot deleted the renovate/npm-svelte-vulnerability branch December 8, 2024 18:38
@renovate renovate bot changed the title chore(deps): update dependency svelte to v4.2.19 [security] - autoclosed chore(deps): update dependency svelte to v4.2.19 [security] Dec 8, 2024
@renovate renovate bot reopened this Dec 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants