Update dependency svelte to v4 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
svelte (source)	^3.55.0 -> ^4.0.0

GitHub Vulnerability Alerts

CVE-2024-45047

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

• If the string is an attribute value:
  • " -> "
  • & -> &
  • Other characters -> No conversion
• Otherwise:
  • < -> <
  • & -> &
  • Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

---

Release Notes

sveltejs/svelte (svelte)

v4.2.19

Compare Source

Patch Changes

• fix: ensure typings for <svelte:options> are picked up (#​12902)

• fix: escape < in attribute strings (#​12989)

v4.2.18

Compare Source

Patch Changes

• chore: speed up regex (#​11922)

v4.2.17

Compare Source

Patch Changes

• fix: correctly handle falsy values of style directives in SSR mode (#​11584)

v4.2.16

Compare Source

Patch Changes

• fix: check if svelte component exists on custom element destroy (#​11489)

v4.2.15

Compare Source

Patch Changes

• support attribute selector inside :global() (#​11135)

v4.2.14

Compare Source

Patch Changes

• fix parsing camelcase container query name (#​11131)

v4.2.13

Compare Source

Patch Changes

• fix: applying :global for +,~ sibling combinator when slots are present (#​9282)

v4.2.12

Compare Source

Patch Changes

• fix: properly update svelte:component props when there are spread props (#​10604)

v4.2.11

Compare Source

Patch Changes

• fix: check that component wasn't instantiated in connectedCallback (#​10466)

v4.2.10

Compare Source

Patch Changes

• fix: add scrollend event type (#​10336)

• fix: add fetchpriority attribute type (#​10390)

• fix: Add miter-clip and arcs to stroke-linejoin attribute (#​10377)

• fix: make inline doc links valid (#​10366)

v4.2.9

Compare Source

Patch Changes

• fix: add types for popover attributes and events (#​10042)

• fix: add gamepadconnected and gamepaddisconnected events (#​9864)

• fix: make @types/estree a dependency (#​10149)

• fix: bump axobject-query (#​10167)

v4.2.8

Compare Source

Patch Changes

• fix: port over props that were set prior to initialization (#​9701)

v4.2.7

Compare Source

Patch Changes

• fix: handle spreads within static strings (#​9554)

v4.2.6

Compare Source

Patch Changes

• fix: adjust static attribute regex (#​9551)

v4.2.5

Compare Source

Patch Changes

• fix: ignore expressions in top level script/style tag attributes (#​9498)

v4.2.4

Compare Source

Patch Changes

• fix: handle closing tags inside attribute values (#​9486)

v4.2.3

Compare Source

Patch Changes

• fix: improve a11y-click-events-have-key-events message (#​9358)

• fix: more robust hydration of html tag (#​9184)

v4.2.2

Compare Source

Patch Changes

• fix: support camelCase properties on custom elements (#​9328)

• fix: add missing plaintext-only value to contenteditable type (#​9242)

• chore: upgrade magic-string to 0.30.4 (#​9292)

• fix: ignore trailing comments when comparing nodes (#​9197)

v4.2.1

Compare Source

Patch Changes

• fix: update style directive when style attribute is present and is updated via an object prop (#​9187)

• fix: css sourcemap generation with unicode filenames (#​9120)

• fix: do not add module declared variables as dependencies (#​9122)

• fix: handle svelte:element with dynamic this and spread attributes (#​9112)

• fix: silence false positive reactive component warning (#​9094)

• fix: head duplication when binding is present (#​9124)

• fix: take custom attribute name into account when reflecting property (#​9140)

• fix: add indeterminate to the list of HTMLAttributes (#​9180)

• fix: recognize option value on spread attribute (#​9125)

v4.2.0

Compare Source

Minor Changes

• feat: move svelteHTML from language-tools into core to load the correct svelte/element types (#​9070)

v4.1.2

Compare Source

Patch Changes

• fix: allow child element with slot attribute within svelte:element (#​9038)

• fix: Add data-* to svg attributes (#​9036)

v4.1.1

Compare Source

Patch Changes

• fix: svelte:component spread props change not picked up (#​9006)

v4.1.0

Compare Source

Minor Changes

• feat: add ability to extend custom element class (#​8991)

Patch Changes

• fix: ensure svelte:component evaluates props once (#​8946)

• fix: remove let:variable slot bindings from select binding dependencies (#​8969)

• fix: handle destructured primitive literals (#​8871)

• perf: optimize imports that are not mutated or reassigned (#​8948)

• fix: don't add accessor twice (#​8996)

v4.0.5

Compare Source

Patch Changes

• fix: generate type definition with nullable types (#​8924)

v4.0.4

Compare Source

Patch Changes

• fix: claim svg tags in raw mustache tags correctly (#​8910)

• fix: repair invalid raw html content during hydration (#​8912)

v4.0.3

Compare Source

Patch Changes

• fix: handle falsy srcset values (#​8901)

v4.0.2

Compare Source

Patch Changes

• fix: reflect all custom element prop updates back to attribute (#​8898)

• fix: shrink custom element baseline a bit (#​8858)

• fix: use non-destructive hydration for all @html tags (#​8880)

• fix: align disclose-version exports specification (#​8874)

• fix: check srcset when hydrating to prevent needless requests (#​8868)

v4.0.1

Compare Source

Patch Changes

• fix: ensure identifiers in destructuring contexts don't clash with existing ones (#​8840)

• fix: ensure createEventDispatcher and ActionReturn work with types from generic function parameters (#​8872)

• fix: apply transition to <svelte:element> with local transition (#​8865)

• fix: relax a11y "no redundant role" rule for li, ul, ol (#​8867)

• fix: remove tsconfig.json from published package (#​8859)

v4.0.0

Compare Source

Major Changes

• breaking: Minimum supported Node version is now Node 16 (#​8566)

• breaking: Minimum supported webpack version is now webpack 5 (#​8515)

• breaking: Bundlers must specify the browser condition when building a frontend bundle for the browser (#​8516)

• breaking: Minimum supported vite-plugin-svelte version is now 2.4.1. SvelteKit users can upgrade to 1.20.0 or newer to ensure a compatible version (#​8516)

• breaking: Minimum supported rollup-plugin-svelte version is now 7.1.5 (198dbcf)

• breaking: Minimum supported svelte-loader is now 3.1.8 (198dbcf)

• breaking: Minimum supported TypeScript version is now TypeScript 5 (it will likely work with lower versions, but we make no guarantees about that) (#​8488)

• breaking: Remove svelte/register hook, CJS runtime version and CJS compiler output (#​8613)

• breaking: Stricter types for createEventDispatcher (see PR for migration instructions) (#​7224)

• breaking: Stricter types for Action and ActionReturn (see PR for migration instructions) (#​7442)

• breaking: Stricter types for onMount - now throws a type error when returning a function asynchronously to catch potential mistakes around callback functions
  (see PR for migration instructions) (#​8136)

• breaking: Overhaul and drastically improve creating custom elements with Svelte (see PR for list of changes and migration instructions) (#​8457)

• breaking: Deprecate SvelteComponentTyped in favor of SvelteComponent (#​8512)

• breaking: Make transitions local by default to prevent confusion around page navigations (#​6686)

• breaking: Error on falsy values instead of stores passed to derived (#​7947)

• breaking: Custom store implementers now need to pass an update function additionally to the set function (#​6750)

• breaking: Do not expose default slot bindings to named slots and vice versa (#​6049)

• breaking: Change order in which preprocessors are applied (#​8618)

• breaking: The runtime now makes use of classList.toggle(name, boolean) which does not work in very old browsers (#​8629)

• breaking: apply inert to outroing elements (#​8628)

• breaking: use CustomEvent constructor instead of deprecated createEvent method (#​8775)

Minor Changes

• Add a way to modify attributes for script/style preprocessors (#​8618)

• Improve hydration speed by adding data-svelte-h attribute to detect unchanged HTML elements (#​7426)

• Add a11y no-noninteractive-element-interactions rule (#​8391)

• Add a11y-no-static-element-interactionsrule (#​8251)

• Allow #each to iterate over iterables like Set, Map etc (#​7425)

• Improve duplicate key error for keyed each blocks (#​8411)

• Warn about : in attributes and props to prevent ambiguity with Svelte directives (#​6823)

• feat: add version info to window. You can opt out by setting discloseVersion to false in the compiler options (#​8761)

• feat: smaller minified output for destructor chunks (#​8763)

Patch Changes

• Bind null option and input values consistently (#​8312)

• Allow $store to be used with changing values including nullish values (#​7555)

• Initialize stylesheet with /* empty */ to enable setting CSP directive that also works in Safari (#​7800)

• Treat slots as if they don't exist when using CSS adjacent and general sibling combinators (#​8284)

• Fix transitions so that they don't require a style-src 'unsafe-inline' Content Security Policy (CSP) (#​6662).

• Explicitly disallow var declarations extending the reactive statement scope (#​6800)

• Improve error message when trying to use animate: directives on inline components (#​8641)

• fix: export ComponentType from svelte entrypoint (#​8578)

• fix: never use html optimization for mustache tags in hydration mode (#​8744)

• fix: derived store types (#​8578)

• Generate type declarations with dts-buddy (#​8578)

• fix: ensure types are loaded with all TS settings (#​8721)

• fix: account for preprocessor source maps when calculating meta info (#​8778)

• chore: deindent cjs output for compiler (#​8785)

• warn on boolean compilerOptions.css (#​8710)

• fix: export correct SvelteComponent type (#​8721)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@types/[email protected]	None	0	5.45 kB	types
npm/@types/[email protected]	None	0	7.92 kB	types
npm/@types/[email protected]	None	0	4.02 kB	types
npm/@types/[email protected]	None	+1	2.1 MB	types
npm/@types/[email protected]	None	0	23.3 kB	types
npm/@types/[email protected]	None	0	8.65 kB	types
npm/@types/[email protected]	None	0	50.4 kB	types
npm/[email protected]	None	0	5.17 kB	qix
npm/[email protected]	None	+52	3.44 MB	ljharb
npm/[email protected]	None	+52	3.44 MB	ljharb
npm/[email protected]	Transitive: environment, eval, filesystem, network, shell, unsafe	+119	6.63 MB	novemberborn
npm/[email protected]	environment, eval, unsafe	0	632 kB	esailija
npm/[email protected]	None	0	7.45 kB	sindresorhus
npm/[email protected]	None	+1	18.8 kB	bcoe
npm/[email protected]	None	0	18.3 kB	satazor
npm/[email protected]	None	0	2.94 kB	sindresorhus
npm/[email protected]	None	0	36.3 kB	mathias
npm/[email protected]	None	0	6.23 kB	mafintosh
npm/[email protected]	None	+4	2.83 MB	paulmillr
npm/[email protected]	environment, shell	0	19.9 kB	sindresorhus
npm/[email protected]	None	0	4.84 kB	sindresorhus
npm/[email protected]	None	0	7.88 kB	sindresorhus
npm/[email protected]	None	0	3.23 kB	sindresorhus
npm/[email protected]	environment	+1	27.3 kB	scotthovestadt
npm/[email protected]	None	0	3.87 kB	sindresorhus
npm/[email protected]	None	0	3.75 kB	electerious
npm/[email protected]	environment	+1	7.55 kB	sindresorhus
npm/[email protected]	None	0	3.11 kB	sindresorhus
npm/[email protected]	None	0	7.39 kB	sindresorhus
npm/[email protected]	None	0	5.05 kB	sindresorhus
npm/[email protected]	None	0	4.37 kB	sindresorhus
npm/[email protected]	filesystem	0	3.32 kB	sindresorhus
npm/[email protected]	None	0	8.76 kB	mafintosh
npm/[email protected]	None	0	3.93 kB	bcoe
npm/[email protected]	environment, filesystem Transitive: shell	+23	3.59 MB	isaacs
npm/[email protected]	None	0	4.22 kB	bcoe
npm/[email protected]	None	0	2.69 kB	kevva
npm/[email protected]	None	0	2.3 kB	sindresorhus
npm/[email protected]	None	0	9.96 kB	isaacs
npm/[email protected]	None	0	12.3 kB	dominictarr
npm/[email protected]	None	0	2.64 kB	sindresorhus
npm/[email protected]	None	0	12.5 kB	dominictarr
npm/[email protected]	None	0	66.8 MB	typescript-bot
npm/[email protected]	None	0	4.04 kB	nexdrew
npm/[email protected]	None	0	9.62 kB	sindresorhus
npm/[email protected]	environment, filesystem, shell	0	70.5 kB	ivasilov
npm/[email protected]	filesystem	0	11 kB	oss-bot
npm/[email protected]	environment	0	57.1 kB	oss-bot
npm/[email protected]	environment, filesystem	0	229 kB	oss-bot

🚮 Removed packages: npm/@openzeppelin/[email protected], npm/@openzeppelin/[email protected]

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
High CVE	npm/[email protected]	CVE: GHSA-3xgq-45jj-v275 Regular Expression Denial of Service (ReDoS) in cross-spawn (HIGH) Affected versions: < 7.0.5 Patched version: 7.0.5	yarn.lock	🚫

View full report↗︎

Next steps

What is a CVE?

Contains a high severity Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/[email protected]