svelte-portabletext
fix(lockfile): update dependency svelte to v4.2.19 [security]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| svelte (source) | 4.2.17 -> 4.2.19 | | | | |
GitHub Vulnerability Alerts
CVE-2024-45047
Summary
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Details
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
- If the string is an attribute value:
  - `"` -> `&quot;`
  - `&` -> `&amp;`
  - Other characters -> No conversion
- Otherwise:
  - `<` -> `&lt;`
  - `&` -> `&amp;`
  - Other characters -> No conversion
The assumption is that attribute values will always remain attribute values, but in some situations the final DOM tree built by the browser differs from what Svelte expected during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a `<noscript>` tag, whose contents the browser re-parses as markup when scripting is enabled.
PoC
A vulnerable page (+page.svelte):

```svelte
<script>
  import { page } from "$app/stores";
  // user input taken straight from the query string
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>
```

If a user accesses the following URL:

```
http://localhost:4173/?href=</noscript><script>alert(123)</script>
```

then `alert(123)` will be executed.
Impact
XSS, when using an attribute within a noscript tag
Release Notes
sveltejs/svelte (svelte)
v4.2.19
Patch Changes
- fix: ensure typings for `<svelte:options>` are picked up (#12902)
- fix: escape `<` in attribute strings (#12989)
v4.2.18
Patch Changes
- chore: speed up regex (#11922)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate using a curated preset maintained by
The latest updates on your projects. Learn more about Vercel for Git
| Name | Status | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| svelte-portabletext | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Dec 8, 2024 9:48pm |
New and removed dependencies detected. Learn more about Socket for GitHub
| Package | New capabilities | Transitives | Size | Publisher |
|---|---|---|---|---|
| npm/svelte@4.2.19 | Transitive: unsafe | +20 | 6.42 MB | svelte-admin |
🚮 Removed packages: npm/svelte@4.2.17
⚠️ Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
- any of the package files in this branch needs updating, or
- the branch becomes conflicted, or
- you click the rebase/retry checkbox if found above, or
- you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: package-lock.json