techcal.dev chore(deps): update dependency svelte to v4.2.19 [security]

This PR contains the following updates:

Package	Change	Age	Confidence
svelte (source)	`4.2.8` -> `4.2.19`

GitHub Vulnerability Alerts

CVE-2024-45047

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

If the string is an attribute value:
- " -> "
- & -> &
- Other characters -> No conversion
Otherwise:
- < -> <
- & -> &
- Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

Release Notes

sveltejs/svelte (svelte)

`v4.2.19`

Compare Source

Patch Changes

fix: ensure typings for <svelte:options> are picked up (#12902)
fix: escape < in attribute strings (#12989)

`v4.2.18`

Compare Source

Patch Changes

chore: speed up regex (#11922)

`v4.2.17`

Compare Source

Patch Changes

fix: correctly handle falsy values of style directives in SSR mode (#11584)

`v4.2.16`

Compare Source

Patch Changes

fix: check if svelte component exists on custom element destroy (#11489)

`v4.2.15`

Compare Source

Patch Changes

support attribute selector inside :global() (#11135)

`v4.2.14`

Compare Source

Patch Changes

fix parsing camelcase container query name (#11131)

`v4.2.13`

Compare Source

Patch Changes

fix: applying :global for +,~ sibling combinator when slots are present (#9282)

`v4.2.12`

Compare Source

Patch Changes

fix: properly update svelte:component props when there are spread props (#10604)

`v4.2.11`

Compare Source

Patch Changes

fix: check that component wasn't instantiated in connectedCallback (#10466)

`v4.2.10`

Compare Source

Patch Changes

fix: add scrollend event type (#10336)
fix: add fetchpriority attribute type (#10390)
fix: Add miter-clip and arcs to stroke-linejoin attribute (#10377)
fix: make inline doc links valid (#10366)

`v4.2.9`

Compare Source

Patch Changes

fix: add types for popover attributes and events (#10042)
fix: add gamepadconnected and gamepaddisconnected events (#9864)
fix: make @types/estree a dependency (#10149)
fix: bump axobject-query (#10167)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Aug 31 '24 02:08 renovate[bot]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders
Open Preview

Aug 31 '24 02:08 codesandbox[bot]

Visit the preview URL for this PR (updated for commit 989ac20):

_{(expires Tue, 28 Oct 2025 10:58:12 GMT)}

_{🔥 via Firebase Hosting GitHub Action 🌎}

_{Sign: 7b89b43096a0297d669b0d75e88f6129966a431d}

Aug 31 '24 02:08 github-actions[bot]