chore(deps): update dependency svelte to v4 [security] #1203
Renovate Ignore Notification: Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
This PR contains the following updates: svelte 3.49.0 -> 4.2.19
GitHub Vulnerability Alerts
CVE-2024-45047
Summary
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Details
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attribute values:
" -> &quot;
& -> &amp;
In text content:
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered on browsers differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
PoC
A vulnerable page (+page.svelte):
If a user accesses the following URL,
then alert(123) will be executed.
Impact
XSS, when using an attribute within a noscript tag
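To make the escaping difference concrete, here is an added example (my own code, not Svelte's source and not the advisory's PoC) that models the rule sets above as plain functions so the pre-fix and post-fix attribute behaviour can be compared side by side. The function names, the sample markup and the use of a `title` attribute are assumptions; the extra `<` rule in the post-fix escaper follows the v4.2.19 release note "escape < in attribute strings".

```javascript
// Added example (not Svelte's own source): the SSR escaping rules listed in
// the advisory, modelled as small functions so the pre- and post-fix
// attribute behaviour can be compared. Function names are assumptions; the
// extra "<" rule in escapeAttrAfter mirrors the v4.2.19 release note
// "escape < in attribute strings".

// Pre-4.2.19 attribute rule set as the advisory describes it: only `"` and `&`.
function escapeAttrBefore(value) {
  return String(value).replace(/[&"]/g, (c) => (c === '&' ? '&amp;' : '&quot;'));
}

// Post-4.2.19 attribute rule set: `<` is escaped as well, so an attribute
// value can never contribute a tag opener even when the surrounding markup
// (for example a <noscript> block) is parsed differently than SSR assumed.
function escapeAttrAfter(value) {
  const map = { '&': '&amp;', '"': '&quot;', '<': '&lt;' };
  return String(value).replace(/[&"<]/g, (c) => map[c]);
}

// Text-content rule set from the advisory (`<` and `&`); unchanged by the fix.
function escapeContent(value) {
  return String(value).replace(/[&<]/g, (c) => (c === '&' ? '&amp;' : '&lt;'));
}

// Constructed stand-in for the advisory's +page.svelte (whose source is not on
// this page): a user-controlled value placed in an attribute inside <noscript>.
function renderNoscriptAttr(userValue, escapeAttr) {
  return `<noscript><div title="${escapeAttr(userValue)}"></div></noscript>`;
}

// Review check: an escaped attribute value must contain neither a raw quote
// (attribute break-out) nor a raw `<` (tag opener). The post-fix escaper
// satisfies this for every input; the pre-fix one does not.
function attrValueIsInert(escaped) {
  return !/["<]/.test(escaped);
}

// Side-by-side view for one input, useful when reviewing the upgrade.
function compareEscapers(value) {
  return {
    before: escapeAttrBefore(value),
    after: escapeAttrAfter(value),
    beforeInert: attrValueIsInert(escapeAttrBefore(value)),
    afterInert: attrValueIsInert(escapeAttrAfter(value)),
  };
}

// Constructed sample input (benign, contains a `<` to exercise the rule).
console.log(compareEscapers('a<b'));
```

The `attrValueIsInert` check is the property a reviewer wants from any SSR escaper: after the upgrade to 4.2.19 the dependency itself guarantees it, and the check can stay as a regression test around whatever rendering layer sits on top.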
Release Notes
sveltejs/svelte (svelte)
v4.2.19
Patch Changes
fix: ensure typings for <svelte:options> are picked up (#12902)
fix: escape < in attribute strings (#12989)
v4.2.18
Patch Changes
v4.2.17
Patch Changes
v4.2.16
Patch Changes
v4.2.15
Patch Changes
v4.2.14
Patch Changes
v4.2.13
Patch Changes
v4.2.12
Patch Changes
svelte:component props when there are spread props (#10604)
v4.2.11
Patch Changes
connectedCallback (#10466)
v4.2.10
Patch Changes
fix: add scrollend event type (#10336)
fix: add fetchpriority attribute type (#10390)
fix: Add miter-clip and arcs to stroke-linejoin attribute (#10377)
fix: make inline doc links valid (#10366)
v4.2.9
Patch Changes
fix: add types for popover attributes and events (#10042)
fix: add gamepadconnected and gamepaddisconnected events (#9864)
fix: make @types/estree a dependency (#10149)
fix: bump axobject-query (#10167)
v4.2.8
Patch Changes
v4.2.7
Patch Changes
v4.2.6
Patch Changes
v4.2.5
Patch Changes
v4.2.4
Patch Changes
v4.2.3
Patch Changes
fix: improve a11y-click-events-have-key-events message (#9358)
fix: more robust hydration of html tag (#9184)
v4.2.2
Patch Changes
fix: support camelCase properties on custom elements (#9328)
fix: add missing plaintext-only value to contenteditable type (#9242)
chore: upgrade magic-string to 0.30.4 (#9292)
fix: ignore trailing comments when comparing nodes (#9197)
v4.2.1
Patch Changes
fix: update style directive when style attribute is present and is updated via an object prop (#9187)
fix: css sourcemap generation with unicode filenames (#9120)
fix: do not add module declared variables as dependencies (#9122)
fix: handle svelte:element with dynamic this and spread attributes (#9112)
fix: silence false positive reactive component warning (#9094)
fix: head duplication when binding is present (#9124)
fix: take custom attribute name into account when reflecting property (#9140)
fix: add indeterminate to the list of HTMLAttributes (#9180)
fix: recognize option value on spread attribute (#9125)
v4.2.0
Minor Changes
svelteHTML from language-tools into core to load the correct svelte/element types (#9070)
v4.1.2
Patch Changes
fix: allow child element with slot attribute within svelte:element (#9038)
fix: Add data-* to svg attributes (#9036)
v4.1.1
Patch Changes
svelte:component spread props change not picked up (#9006)
v4.1.0
Minor Changes
Patch Changes
fix: ensure svelte:component evaluates props once (#8946)
fix: remove let:variable slot bindings from select binding dependencies (#8969)
fix: handle destructured primitive literals (#8871)
perf: optimize imports that are not mutated or reassigned (#8948)
fix: don't add accessor twice (#8996)
v4.0.5
Patch Changes
v4.0.4
Patch Changes
fix: claim svg tags in raw mustache tags correctly (#8910)
fix: repair invalid raw html content during hydration (#8912)
v4.0.3
Patch Changes
v4.0.2
Patch Changes
fix: reflect all custom element prop updates back to attribute (#8898)
fix: shrink custom element baseline a bit (#8858)
fix: use non-destructive hydration for all @html tags (#8880)
fix: align disclose-version exports specification (#8874)
fix: check srcset when hydrating to prevent needless requests (#8868)
v4.0.1
Patch Changes
fix: ensure identifiers in destructuring contexts don't clash with existing ones (#8840)
fix: ensure createEventDispatcher and ActionReturn work with types from generic function parameters (#8872)
fix: apply transition to <svelte:element> with local transition (#8865)
fix: relax a11y "no redundant role" rule for li, ul, ol (#8867)
fix: remove tsconfig.json from published package (#8859)
v4.0.0
Major Changes
breaking: Minimum supported Node version is now Node 16 (#8566)
breaking: Minimum supported webpack version is now webpack 5 (#8515)
breaking: Bundlers must specify the browser condition when building a frontend bundle for the browser (#8516)
breaking: Minimum supported vite-plugin-svelte version is now 2.4.1. SvelteKit users can upgrade to 1.20.0 or newer to ensure a compatible version (#8516)
breaking: Minimum supported rollup-plugin-svelte version is now 7.1.5 (198dbcf)
breaking: Minimum supported svelte-loader is now 3.1.8 (198dbcf)
breaking: Minimum supported TypeScript version is now TypeScript 5 (it will likely work with lower versions, but we make no guarantees about that) (#8488)
breaking: Remove svelte/register hook, CJS runtime version and CJS compiler output (#8613)
breaking: Stricter types for createEventDispatcher (see PR for migration instructions) (#7224)
breaking: Stricter types for Action and ActionReturn (see PR for migration instructions) (#7442)
breaking: Stricter types for onMount - now throws a type error when returning a function asynchronously to catch potential mistakes around callback functions (see PR for migration instructions) (#8136)
breaking: Overhaul and drastically improve creating custom elements with Svelte (see PR for list of changes and migration instructions) (#8457)
breaking: Deprecate SvelteComponentTyped in favor of SvelteComponent (#8512)
breaking: Make transitions local by default to prevent confusion around page navigations (#6686)
breaking: Error on falsy values instead of stores passed to derived (#7947)
breaking: Custom store implementers now need to pass an update function additionally to the set function (#6750)
breaking: Do not expose default slot bindings to named slots and vice versa (#6049)
breaking: Change order in which preprocessors are applied (#8618)
breaking: The runtime now makes use of classList.toggle(name, boolean) which does not work in very old browsers (#8629)
breaking: apply inert to outroing elements (#8628)
breaking: use CustomEvent constructor instead of deprecated createEvent method (#8775)
Minor Changes
Add a way to modify attributes for script/style preprocessors (#8618)
Improve hydration speed by adding data-svelte-h attribute to detect unchanged HTML elements (#7426)
Add a11y no-noninteractive-element-interactions rule (#8391)
Add a11y-no-static-element-interactions rule (#8251)
Allow #each to iterate over iterables like Set, Map etc (#7425)
Improve duplicate key error for keyed each blocks (#8411)
Warn about : in attributes and props to prevent ambiguity with Svelte directives (#6823)
feat: add version info to window. You can opt out by setting discloseVersion to false in the compiler options (#8761)
feat: smaller minified output for destructor chunks (#8763)
Patch Changes
Bind null option and input values consistently (#8312)
Allow $store to be used with changing values including nullish values (#7555)
Initialize stylesheet with /* empty */ to enable setting CSP directive that also works in Safari (#7800)
Treat slots as if they don't exist when using CSS adjacent and general sibling combinators (#8284)
Fix transitions so that they don't require a style-src 'unsafe-inline' Content Security Policy (CSP) (#6662)
Explicitly disallow var declarations extending the reactive statement scope (#6800)
Improve error message when trying to use animate: directives on inline components (#8641)
fix: export ComponentType from svelte entrypoint (#8578)
fix: never use html optimization for mustache tags in hydration mode (#8744)
fix: derived store types (#8578)
Generate type declarations with dts-buddy (#8578)
fix: ensure types are loaded with all TS settings (#8721)
fix: account for preprocessor source maps when calculating meta info (#8778)
chore: deindent cjs output for compiler (#8785)
warn on boolean compilerOptions.css (#8710)
fix: export correct SvelteComponent type (#8721)
v3.59.2
<textarea bind:value={...}> values in SSR
v3.59.1
a11y-autocomplete-valid (#8567)
v3.59.0
ResizeObserver bindings contentRect / contentBoxSize / borderBoxSize / devicePixelContentBoxSize (#8022)
devicePixelRatio binding for <svelte:window> (#8285)
fullscreenElement and visibilityState bindings for <svelte:document> (#8507)
a11y-autocomplete-valid warning (#8520)
width / height attributes when spreading (#6752)
style: directive when using spread (#8438)
style: directive property when value is undefined (#8462)
VERSION compiler export (#8498)
a11y-no-redundant-roles warning (#8536)
v3.58.0
bind:innerText for contenteditable elements (#3311)
@container queries (#6969)
preserveComments in DOM output (#7182)
document for target in typings (#7554)
a11y-interactive-supports-focus warning (#8392)
a11y-no-noninteractive-element-to-interactive-role warning (#8402)
<textarea value={...}> values in SSR (#8429)
v3.57.0
<svelte:document> (#3310)
no-noninteractive-element-to-interactive-role (#8167)
style: directive precedence over style= attribute (#7475)
<option> with selected attribute when initial state is undefined (#8361)
bind:group members being spread across multiple control flow blocks (#8372)
fly and blur transitions (#7623)
v3.56.0
stopImmediatePropagation event modifier (#5085)
axis parameter to slide transition (#6182)
readonly utility to convert writable store to readonly (#6518)
readyState binding for media elements (#6666)
naturalWidth and naturalHeight bindings (#7771)
<!-- svelte-ignore ... --> on components (#8082)
aria-activedescendant-has-tabindex: checks that elements with aria-activedescendant have a tabindex (#8172)
role-supports-aria-props: checks that the (implicit) element role supports the given aria attributes (#8195)
data-sveltekit-replacestate and data-sveltekit-keepfocus attribute typings (#8281)
<svelte:component> (#4129)
bind:offsetHeight updates initially (#4233)
:global() selectors (#6272)
noreferrer warning less zealous (#6289)
<video aria-hidden="true"> (#7874)
<svelte:element> (#7939)
aria-label (#8296)
<input type="search"> and <input type="url"> (#7027)
<option> by default when the initial bound value is undefined (#7041)
{@html} tags inside <template> tags (#7364)
afterUpdate is not called after onDestroy (#7476)
inert attribute (#7500)
<input> value persists when swapping elements with spread attributes in an {#each} block (#7578)
<svelte:element> with transitions (#7948)
const when destructuring (#7964)
trusted-types CSP compatibility for Web Components (#8134)
<svelte:element> output code for static tag and static attribute (#8161)
bind:group value is set to undefined (#8214)
{#each} containing a non-keyed {#each} (#8282)
v3.55.1
draw transition with delay showing a dot at the beginning of the path (#6816)
<svelte:element> optimization in production mode (#7937)
svelte-ignore comment breaking named slot (#8075)
<svelte:element on:event> (#8129)
part attribute (#8181)
submitter property to on:submit event type
v3.55.0
svelte/elements for HTML/Svelte typings (#7649)
v3.54.0
options.direction argument to custom transition functions (#3918)
@const declared function (#7843)
a11y-no-noninteractive-tabindex warning if element has a tabpanel (#8025)
style: directive (#8085)
v3.53.1
rel= attribute check with dynamic values (#7994)
css compiler options for now (#8009)
tslib (#8013)
v3.53.0
parentNode exists before removing child (#6037)
css-tree to 2.2.1 (#7572, #7982)
css compiler option with 'external' | 'injected' | 'none' settings and deprecate old true | false values (#7914)
v3.52.0
const variable (#4895)
<a target="_blank"> without rel="noreferrer" (#6188)
style:foo|important modifier (#7365)
{@html} and components in <svelte:head> (#7941)
v3.51.0
a11y-click-events-have-key-events: check if click event is accompanied by key events (#5073)
a11y-no-noninteractive-tabindex: check for tabindex on non-interactive elements (#6693)
{...rest} object in {#each} block (#6860)
--style-props on <svelte:component> (#7461)
<svelte:element> (#7613)
inert as boolean attribute (#7785)
--style-props for SVG components (#7808)
{@html} and components in <svelte:head> (#4533, #6463, #7444)
<svelte:element> (#7443)
<svelte:component this={...}> (#7550)
<svelte:element> is a void tag (#7566)
<svelte:element> (#7733)
a11y-role-has-required-aria-props warning when elements match their semantic role (#7837)
<svelte:element> (#7869)
v3.50.1
v3.50.0
a11y-incorrect-aria-attribute-type: check ARIA state and property values (#6978)
a11y-no-abstract-role: check that ARIA roles are non-abstract (#6241)
a11y-no-interactive-element-to-noninteractive-role: check for non-interactive roles used on interactive elements (#5955)
a11y-role-has-required-aria-props: check that elements with role attribute have all required attributes for that role (#5852)
ComponentEvents convenience type (#7702)
SveltePreprocessor utility type (#7742)
a11y-label-has-associated-control warning check all descendants for input control (#5528)
Node.parentNode instead of Node.parentElement for legacy browser support (#7723)
<slot> inside <svelte:fragment> (#7485)
class: directive updates in aborted/restarted transitions (#7764)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.