chore(deps): update dependency svelte to v4.2.19 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
svelte (source)	4.0.5 -> 4.2.19

GitHub Vulnerability Alerts

CVE-2024-45047

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

• If the string is an attribute value:
  • " -> "
  • & -> &
  • Other characters -> No conversion
• Otherwise:
  • < -> <
  • & -> &
  • Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

---

Release Notes

sveltejs/svelte (svelte)

v4.2.19

Compare Source

Patch Changes

• fix: ensure typings for <svelte:options> are picked up (#​12902)

• fix: escape < in attribute strings (#​12989)

v4.2.18

Compare Source

Patch Changes

• chore: speed up regex (#​11922)

v4.2.17

Compare Source

Patch Changes

• fix: correctly handle falsy values of style directives in SSR mode (#​11584)

v4.2.16

Compare Source

Patch Changes

• fix: check if svelte component exists on custom element destroy (#​11489)

v4.2.15

Compare Source

Patch Changes

• support attribute selector inside :global() (#​11135)

v4.2.14

Compare Source

Patch Changes

• fix parsing camelcase container query name (#​11131)

v4.2.13

Compare Source

Patch Changes

• fix: applying :global for +,~ sibling combinator when slots are present (#​9282)

v4.2.12

Compare Source

Patch Changes

• fix: properly update svelte:component props when there are spread props (#​10604)

v4.2.11

Compare Source

Patch Changes

• fix: check that component wasn't instantiated in connectedCallback (#​10466)

v4.2.10

Compare Source

Patch Changes

• fix: add scrollend event type (#​10336)

• fix: add fetchpriority attribute type (#​10390)

• fix: Add miter-clip and arcs to stroke-linejoin attribute (#​10377)

• fix: make inline doc links valid (#​10366)

v4.2.9

Compare Source

Patch Changes

• fix: add types for popover attributes and events (#​10042)

• fix: add gamepadconnected and gamepaddisconnected events (#​9864)

• fix: make @types/estree a dependency (#​10149)

• fix: bump axobject-query (#​10167)

v4.2.8

Compare Source

Patch Changes

• fix: port over props that were set prior to initialization (#​9701)

v4.2.7

Compare Source

Patch Changes

• fix: handle spreads within static strings (#​9554)

v4.2.6

Compare Source

Patch Changes

• fix: adjust static attribute regex (#​9551)

v4.2.5

Compare Source

Patch Changes

• fix: ignore expressions in top level script/style tag attributes (#​9498)

v4.2.4

Compare Source

Patch Changes

• fix: handle closing tags inside attribute values (#​9486)

v4.2.3

Compare Source

Patch Changes

• fix: improve a11y-click-events-have-key-events message (#​9358)

• fix: more robust hydration of html tag (#​9184)

v4.2.2

Compare Source

Patch Changes

• fix: support camelCase properties on custom elements (#​9328)

• fix: add missing plaintext-only value to contenteditable type (#​9242)

• chore: upgrade magic-string to 0.30.4 (#​9292)

• fix: ignore trailing comments when comparing nodes (#​9197)

v4.2.1

Compare Source

Patch Changes

• fix: update style directive when style attribute is present and is updated via an object prop (#​9187)

• fix: css sourcemap generation with unicode filenames (#​9120)

• fix: do not add module declared variables as dependencies (#​9122)

• fix: handle svelte:element with dynamic this and spread attributes (#​9112)

• fix: silence false positive reactive component warning (#​9094)

• fix: head duplication when binding is present (#​9124)

• fix: take custom attribute name into account when reflecting property (#​9140)

• fix: add indeterminate to the list of HTMLAttributes (#​9180)

• fix: recognize option value on spread attribute (#​9125)

v4.2.0

Compare Source

Minor Changes

• feat: move svelteHTML from language-tools into core to load the correct svelte/element types (#​9070)

v4.1.2

Compare Source

Patch Changes

• fix: allow child element with slot attribute within svelte:element (#​9038)

• fix: Add data-* to svg attributes (#​9036)

v4.1.1

Compare Source

Patch Changes

• fix: svelte:component spread props change not picked up (#​9006)

v4.1.0

Compare Source

Minor Changes

• feat: add ability to extend custom element class (#​8991)

Patch Changes

• fix: ensure svelte:component evaluates props once (#​8946)

• fix: remove let:variable slot bindings from select binding dependencies (#​8969)

• fix: handle destructured primitive literals (#​8871)

• perf: optimize imports that are not mutated or reassigned (#​8948)

• fix: don't add accessor twice (#​8996)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

❌ Deploy Preview for demo-watergis failed.

Name	Link
🔨 Latest commit	ba1bce6
🔍 Latest deploy log	https://app.netlify.com/sites/demo-watergis/deploys/66ea311a11618b000832466b