sveltekit-watergis-template
sveltekit-watergis-template copied to clipboard

Published 20 hours ago •

Reame
Issues

chore(deps): update dependency svelte to v4.2.19 [security]

Open renovate[bot] opened this issue 1 year ago • 1 comments

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
svelte (source)	`4.0.5` -> `4.2.19`

GitHub Vulnerability Alerts

CVE-2024-45047

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

If the string is an attribute value:
- " -> "
- & -> &
- Other characters -> No conversion
Otherwise:
- < -> <
- & -> &
- Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

Release Notes

sveltejs/svelte (svelte)

`v4.2.19`

Patch Changes

fix: ensure typings for <svelte:options> are picked up (#12902)
fix: escape < in attribute strings (#12989)

`v4.2.18`

Patch Changes

chore: speed up regex (#11922)

`v4.2.17`

Patch Changes

fix: correctly handle falsy values of style directives in SSR mode (#11584)

`v4.2.16`

Patch Changes

fix: check if svelte component exists on custom element destroy (#11489)

`v4.2.15`

Patch Changes

support attribute selector inside :global() (#11135)

`v4.2.14`

Patch Changes

fix parsing camelcase container query name (#11131)

`v4.2.13`

Patch Changes

fix: applying :global for +,~ sibling combinator when slots are present (#9282)

`v4.2.12`

Patch Changes

fix: properly update svelte:component props when there are spread props (#10604)

`v4.2.11`

Patch Changes

fix: check that component wasn't instantiated in connectedCallback (#10466)

`v4.2.10`

Patch Changes

fix: add scrollend event type (#10336)
fix: add fetchpriority attribute type (#10390)
fix: Add miter-clip and arcs to stroke-linejoin attribute (#10377)
fix: make inline doc links valid (#10366)

`v4.2.9`

Patch Changes

fix: add types for popover attributes and events (#10042)
fix: add gamepadconnected and gamepaddisconnected events (#9864)
fix: make @types/estree a dependency (#10149)
fix: bump axobject-query (#10167)

`v4.2.8`

Patch Changes

fix: port over props that were set prior to initialization (#9701)

`v4.2.7`

Patch Changes

fix: handle spreads within static strings (#9554)

`v4.2.6`

Patch Changes

fix: adjust static attribute regex (#9551)

`v4.2.5`

Patch Changes

fix: ignore expressions in top level script/style tag attributes (#9498)

`v4.2.4`

Patch Changes

fix: handle closing tags inside attribute values (#9486)

`v4.2.3`

Patch Changes

fix: improve a11y-click-events-have-key-events message (#9358)
fix: more robust hydration of html tag (#9184)

`v4.2.2`

Patch Changes

fix: support camelCase properties on custom elements (#9328)
fix: add missing plaintext-only value to contenteditable type (#9242)
chore: upgrade magic-string to 0.30.4 (#9292)
fix: ignore trailing comments when comparing nodes (#9197)

`v4.2.1`

Patch Changes

fix: update style directive when style attribute is present and is updated via an object prop (#9187)
fix: css sourcemap generation with unicode filenames (#9120)
fix: do not add module declared variables as dependencies (#9122)
fix: handle svelte:element with dynamic this and spread attributes (#9112)
fix: silence false positive reactive component warning (#9094)
fix: head duplication when binding is present (#9124)
fix: take custom attribute name into account when reflecting property (#9140)
fix: add indeterminate to the list of HTMLAttributes (#9180)
fix: recognize option value on spread attribute (#9125)

`v4.2.0`

Minor Changes

feat: move svelteHTML from language-tools into core to load the correct svelte/element types (#9070)

`v4.1.2`

Patch Changes

fix: allow child element with slot attribute within svelte:element (#9038)
fix: Add data-* to svg attributes (#9036)

`v4.1.1`

Patch Changes

fix: svelte:component spread props change not picked up (#9006)

`v4.1.0`

Minor Changes

feat: add ability to extend custom element class (#8991)

Patch Changes

fix: ensure svelte:component evaluates props once (#8946)
fix: remove let:variable slot bindings from select binding dependencies (#8969)
fix: handle destructured primitive literals (#8871)
perf: optimize imports that are not mutated or reassigned (#8948)
fix: don't add accessor twice (#8996)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Aug 30 '24 18:08 renovate[bot]

Deploy Preview for demo-watergis failed.

Name	Link
Latest commit	2696e6f583c9c7feb58d87efe968f31385ae28d1
Latest deploy log	https://app.netlify.com/sites/demo-watergis/deploys/6744c83ae75fd600082e95a3

Aug 30 '24 18:08 netlify[bot]