Update dependency svelte to v4 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
svelte (source)	3.49.0 -> 4.2.19

GitHub Vulnerability Alerts

CVE-2024-45047

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

• If the string is an attribute value:
  • " -> "
  • & -> &
  • Other characters -> No conversion
• Otherwise:
  • < -> <
  • & -> &
  • Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

---

Release Notes

sveltejs/svelte (svelte)

v4.2.19

Compare Source

Patch Changes

• fix: ensure typings for <svelte:options> are picked up (#​12902)

• fix: escape < in attribute strings (#​12989)

v4.2.18

Compare Source

Patch Changes

• chore: speed up regex (#​11922)

v4.2.17

Compare Source

Patch Changes

• fix: correctly handle falsy values of style directives in SSR mode (#​11584)

v4.2.16

Compare Source

Patch Changes

• fix: check if svelte component exists on custom element destroy (#​11489)

v4.2.15

Compare Source

Patch Changes

• support attribute selector inside :global() (#​11135)

v4.2.14

Compare Source

Patch Changes

• fix parsing camelcase container query name (#​11131)

v4.2.13

Compare Source

Patch Changes

• fix: applying :global for +,~ sibling combinator when slots are present (#​9282)

v4.2.12

Compare Source

Patch Changes

• fix: properly update svelte:component props when there are spread props (#​10604)

v4.2.11

Compare Source

Patch Changes

• fix: check that component wasn't instantiated in connectedCallback (#​10466)

v4.2.10

Compare Source

Patch Changes

• fix: add scrollend event type (#​10336)

• fix: add fetchpriority attribute type (#​10390)

• fix: Add miter-clip and arcs to stroke-linejoin attribute (#​10377)

• fix: make inline doc links valid (#​10366)

v4.2.9

Compare Source

Patch Changes

• fix: add types for popover attributes and events (#​10042)

• fix: add gamepadconnected and gamepaddisconnected events (#​9864)

• fix: make @types/estree a dependency (#​10149)

• fix: bump axobject-query (#​10167)

v4.2.8

Compare Source

Patch Changes

• fix: port over props that were set prior to initialization (#​9701)

v4.2.7

Compare Source

Patch Changes

• fix: handle spreads within static strings (#​9554)

v4.2.6

Compare Source

Patch Changes

• fix: adjust static attribute regex (#​9551)

v4.2.5

Compare Source

Patch Changes

• fix: ignore expressions in top level script/style tag attributes (#​9498)

v4.2.4

Compare Source

Patch Changes

• fix: handle closing tags inside attribute values (#​9486)

v4.2.3

Compare Source

Patch Changes

• fix: improve a11y-click-events-have-key-events message (#​9358)

• fix: more robust hydration of html tag (#​9184)

v4.2.2

Compare Source

Patch Changes

• fix: support camelCase properties on custom elements (#​9328)

• fix: add missing plaintext-only value to contenteditable type (#​9242)

• chore: upgrade magic-string to 0.30.4 (#​9292)

• fix: ignore trailing comments when comparing nodes (#​9197)

v4.2.1

Compare Source

Patch Changes

• fix: update style directive when style attribute is present and is updated via an object prop (#​9187)

• fix: css sourcemap generation with unicode filenames (#​9120)

• fix: do not add module declared variables as dependencies (#​9122)

• fix: handle svelte:element with dynamic this and spread attributes (#​9112)

• fix: silence false positive reactive component warning (#​9094)

• fix: head duplication when binding is present (#​9124)

• fix: take custom attribute name into account when reflecting property (#​9140)

• fix: add indeterminate to the list of HTMLAttributes (#​9180)

• fix: recognize option value on spread attribute (#​9125)

v4.2.0

Compare Source

Minor Changes

• feat: move svelteHTML from language-tools into core to load the correct svelte/element types (#​9070)

v4.1.2

Compare Source

Patch Changes

• fix: allow child element with slot attribute within svelte:element (#​9038)

• fix: Add data-* to svg attributes (#​9036)

v4.1.1

Compare Source

Patch Changes

• fix: svelte:component spread props change not picked up (#​9006)

v4.1.0

Compare Source

Minor Changes

• feat: add ability to extend custom element class (#​8991)

Patch Changes

• fix: ensure svelte:component evaluates props once (#​8946)

• fix: remove let:variable slot bindings from select binding dependencies (#​8969)

• fix: handle destructured primitive literals (#​8871)

• perf: optimize imports that are not mutated or reassigned (#​8948)

• fix: don't add accessor twice (#​8996)

v4.0.5

Compare Source

Patch Changes

• fix: generate type definition with nullable types (#​8924)

v4.0.4

Compare Source

Patch Changes

• fix: claim svg tags in raw mustache tags correctly (#​8910)

• fix: repair invalid raw html content during hydration (#​8912)

v4.0.3

Compare Source

Patch Changes

• fix: handle falsy srcset values (#​8901)

v4.0.2

Compare Source

Patch Changes

• fix: reflect all custom element prop updates back to attribute (#​8898)

• fix: shrink custom element baseline a bit (#​8858)

• fix: use non-destructive hydration for all @html tags (#​8880)

• fix: align disclose-version exports specification (#​8874)

• fix: check srcset when hydrating to prevent needless requests (#​8868)

v4.0.1

Compare Source

Patch Changes

• fix: ensure identifiers in destructuring contexts don't clash with existing ones (#​8840)

• fix: ensure createEventDispatcher and ActionReturn work with types from generic function parameters (#​8872)

• fix: apply transition to <svelte:element> with local transition (#​8865)

• fix: relax a11y "no redundant role" rule for li, ul, ol (#​8867)

• fix: remove tsconfig.json from published package (#​8859)

v4.0.0

Compare Source

Major Changes

• breaking: Minimum supported Node version is now Node 16 (#​8566)

• breaking: Minimum supported webpack version is now webpack 5 (#​8515)

• breaking: Bundlers must specify the browser condition when building a frontend bundle for the browser (#​8516)

• breaking: Minimum supported vite-plugin-svelte version is now 2.4.1. SvelteKit users can upgrade to 1.20.0 or newer to ensure a compatible version (#​8516)

• breaking: Minimum supported rollup-plugin-svelte version is now 7.1.5 (198dbcf)

• breaking: Minimum supported svelte-loader is now 3.1.8 (198dbcf)

• breaking: Minimum supported TypeScript version is now TypeScript 5 (it will likely work with lower versions, but we make no guarantees about that) (#​8488)

• breaking: Remove svelte/register hook, CJS runtime version and CJS compiler output (#​8613)

• breaking: Stricter types for createEventDispatcher (see PR for migration instructions) (#​7224)

• breaking: Stricter types for Action and ActionReturn (see PR for migration instructions) (#​7442)

• breaking: Stricter types for onMount - now throws a type error when returning a function asynchronously to catch potential mistakes around callback functions
  (see PR for migration instructions) (#​8136)

• breaking: Overhaul and drastically improve creating custom elements with Svelte (see PR for list of changes and migration instructions) (#​8457)

• breaking: Deprecate SvelteComponentTyped in favor of SvelteComponent (#​8512)

• breaking: Make transitions local by default to prevent confusion around page navigations (#​6686)

• breaking: Error on falsy values instead of stores passed to derived (#​7947)

• breaking: Custom store implementers now need to pass an update function additionally to the set function (#​6750)

• breaking: Do not expose default slot bindings to named slots and vice versa (#​6049)

• breaking: Change order in which preprocessors are applied (#​8618)

• breaking: The runtime now makes use of classList.toggle(name, boolean) which does not work in very old browsers (#​8629)

• breaking: apply inert to outroing elements (#​8628)

• breaking: use CustomEvent constructor instead of deprecated createEvent method (#​8775)

Minor Changes

• Add a way to modify attributes for script/style preprocessors (#​8618)

• Improve hydration speed by adding data-svelte-h attribute to detect unchanged HTML elements (#​7426)

• Add a11y no-noninteractive-element-interactions rule (#​8391)

• Add a11y-no-static-element-interactionsrule (#​8251)

• Allow #each to iterate over iterables like Set, Map etc (#​7425)

• Improve duplicate key error for keyed each blocks (#​8411)

• Warn about : in attributes and props to prevent ambiguity with Svelte directives (#​6823)

• feat: add version info to window. You can opt out by setting discloseVersion to false in the compiler options (#​8761)

• feat: smaller minified output for destructor chunks (#​8763)

Patch Changes

• Bind null option and input values consistently (#​8312)

• Allow $store to be used with changing values including nullish values (#​7555)

• Initialize stylesheet with /* empty */ to enable setting CSP directive that also works in Safari (#​7800)

• Treat slots as if they don't exist when using CSS adjacent and general sibling combinators (#​8284)

• Fix transitions so that they don't require a style-src 'unsafe-inline' Content Security Policy (CSP) (#​6662).

• Explicitly disallow var declarations extending the reactive statement scope (#​6800)

• Improve error message when trying to use animate: directives on inline components (#​8641)

• fix: export ComponentType from svelte entrypoint (#​8578)

• fix: never use html optimization for mustache tags in hydration mode (#​8744)

• fix: derived store types (#​8578)

• Generate type declarations with dts-buddy (#​8578)

• fix: ensure types are loaded with all TS settings (#​8721)

• fix: account for preprocessor source maps when calculating meta info (#​8778)

• chore: deindent cjs output for compiler (#​8785)

• warn on boolean compilerOptions.css (#​8710)

• fix: export correct SvelteComponent type (#​8721)

v3.59.2

Compare Source

• Fix escaping <textarea bind:value={...}> values in SSR

v3.59.1

Compare Source

• Handle dynamic values in a11y-autocomplete-valid (#​8567)

v3.59.0

Compare Source

• Add ResizeObserver bindings contentRect/contentBoxSize/borderBoxSize/devicePixelContentBoxSize (#​8022)
• Add devicePixelRatio binding for <svelte:window> (#​8285)
• Add fullscreenElement and visibilityState bindings for <svelte:document> (#​8507)
• Add a11y-autocomplete-valid warning (#​8520)
• Fix handling of width/height attributes when spreading (#​6752)
• Fix updating of interpolated style: directive when using spread (#​8438)
• Remove style: directive property when value is undefined (#​8462)
• Fix type of VERSION compiler export (#​8498)
• Relax a11y-no-redundant-roles warning (#​8536)
• Handle nested array rest destructuring (#​8552, #​8554)

v3.58.0

Compare Source

• Add bind:innerText for contenteditable elements (#​3311)
• Add support for CSS @container queries (#​6969)
• Respect preserveComments in DOM output (#​7182)
• Allow use of document for target in typings (#​7554)
• Add a11y-interactive-supports-focus warning (#​8392)
• Fix equality check when updating dynamic text (#​5931)
• Relax a11y-no-noninteractive-element-to-interactive-role warning (#​8402)
• Properly handle microdata attributes (#​8413)
• Prevent name collision when using computed destructuring variables (#​8417)
• Fix escaping <textarea value={...}> values in SSR (#​8429)

v3.57.0

Compare Source

• Add <svelte:document> (#​3310)
• Add a11y no-noninteractive-element-to-interactive-role (#​8167)
• Stop intro transition from triggering incorrectly (#​6152, #​6812)
• Support computed and literal properties when destructuring objects in the template (#​6609)
• Give style: directive precedence over style= attribute (#​7475)
• Select <option> with selected attribute when initial state is undefined (#​8361)
• Prevent derived store callbacks after store is unsubscribed from (#​8364)
• Account for bind:group members being spread across multiple control flow blocks (#​8372)
• Revert buggy reactive statement optimization (#​8374)
• Support CSS units in the fly and blur transitions (#​7623)

v3.56.0

Compare Source

• Add |stopImmediatePropagation event modifier (#​5085)
• Add axis parameter to slide transition (#​6182)
• Add readonly utility to convert writable store to readonly (#​6518)
• Add readyState binding for media elements (#​6666)
• Generate valid automatic component names when the filename contains only special characters (#​7143)
• Add naturalWidth and naturalHeight bindings (#​7771)
• Support <!-- svelte-ignore ... --> on components (#​8082)
• Add a11y warnings:
  • aria-activedescendant-has-tabindex: checks that elements with aria-activedescendant have a tabindex (#​8172)
  • role-supports-aria-props: checks that the (implicit) element role supports the given aria attributes (#​8195)
• Add data-sveltekit-replacestate and data-sveltekit-keepfocus attribute typings (#​8281)
• Compute node dimensions immediately before crossfading (#​4111)
• Fix potential infinite invalidate loop with <svelte:component> (#​4129)
• Ensure bind:offsetHeight updates initially (#​4233)
• Don't set selected options if value is unbound or not passed (#​5644)
• Validate component :global() selectors (#​6272)
• Improve warnings:
  • Make noreferrer warning less zealous (#​6289)
  • Omit a11y warnings on <video aria-hidden="true"> (#​7874)
  • Omit a11y warnings on <svelte:element> (#​7939)
  • Detect unused empty attribute CSS selectors (#​8042)
  • Omit "no child content" warning on elements with aria-label (#​8296)
• Check value equality for <input type="search"> and <input type="url"> (#​7027)
• Do not select a disabled <option> by default when the initial bound value is undefined (#​7041)
• Handle {@​html} tags inside <template> tags (#​7364)
• Ensure afterUpdate is not called after onDestroy (#​7476)
• Improve handling of inert attribute (#​7500)
• Reduce use of template literals in SSR output for better performance (#​7539)
• Ensure <input> value persists when swapping elements with spread attributes in an {#each} block (#​7578)
• Simplify generated code for reactive statements if dependencies are all static (#​7942)
• Fix race condition on <svelte:element> with transitions (#​7948)
• Allow assigning to a property of a const when destructuring (#​7964)
• Match browser behavior for decoding malformed HTML entities (#​8026)
• Ensure trusted-types CSP compatibility for Web Components (#​8134)
• Optimise <svelte:element> output code for static tag and static attribute (#​8161)
• Don't throw when calling unsubscribing from a store twice (#​8186)
• Clear inputs when bind:group value is set to undefined (#​8214)
• Fix handling of nested arrays with keyed {#each} containing a non-keyed {#each} (#​8282)

v3.55.1

Compare Source

• Fix draw transition with delay showing a dot at the beginning of the path (#​6816)
• Fix infinity runtime call stack when propagating bindings (#​7032)
• Fix static <svelte:element> optimization in production mode (#​7937)
• Fix svelte-ignore comment breaking named slot (#​8075)
• Revert change to prevent running init binding unnecessarily (#​8103)
• Fix adding duplicate event listeners with <svelte:element on:event> (#​8129)
• Improve detection of promises that are also functions (#​8162)
• Avoid mutating spread component props during SSR (#​8171)
• Add missing typing for global part attribute (#​8181)
• Add missing submitter property to on:submit event type

v3.55.0

Compare Source

• Add svelte/elements for HTML/Svelte typings (#​7649)

v3.54.0

Compare Source

• Pass options.direction argument to custom transition functions (#​3918)
• Support fallback a11y WAI-ARIA roles (#​8044)
• Prevent running init binding unnecessarily (#​5689, #​6298)
• Allow updating variables from @const declared function (#​7843)
• Do not emit a11y-no-noninteractive-tabindex warning if element has a tabpanel (#​8025)
• Fix escaping SSR'd values in style: directive (#​8085)

v3.53.1

Compare Source

• Fix exception in rel= attribute check with dynamic values (#​7994)
• Do not emit deprecation warnings for css compiler options for now (#​8009)
• Make compiler run in browser again (#​8010)
• Upgrade tslib (#​8013)

v3.53.0

Compare Source

• Check whether parentNode exists before removing child (#​6037)
• Upgrade various dependencies, notably css-tree to 2.2.1 (#​7572, #​7982)
• Extend css compiler option with 'external' | 'injected' | 'none' settings and deprecate old true | false values (#​7914)

v3.52.0

Compare Source

• Throw compile-time error when attempting to update const variable (#​4895)
• Warn when using <a target="_blank"> without rel="noreferrer" (#​6188)
• Support style:foo|important modifier (#​7365)
• Fix hydration regression with {@​html} and components in <svelte:head> (#​7941)

v3.51.0

Compare Source

• Add a11y warnings:
  • a11y-click-events-have-key-events: check if click event is accompanied by key events (#​5073)
  • a11y-no-noninteractive-tabindex: check for tabindex on non-interactive elements (#​6693)
• Warn when two-way binding to {...rest} object in {#each} block (#​6860)
• Support --style-props on <svelte:component> (#​7461)
• Supports nullish values for component event handlers (#​7568)
• Supports SVG elements with <svelte:element>(#​7613)
• Treat inert as boolean attribute (#​7785)
• Support --style-props for SVG components (#​7808)
• Fix false positive dev warnings about unset props when they are bound (#​4457)
• Fix hydration with {@​html} and components in <svelte:head> (#​4533, #​6463, #​7444)
• Support scoped style for <svelte:element> (#​7443)
• Improve error message for invalid value for <svelte:component this={...}> (#​7550)
• Improve error message when using logic blocks or tags at invalid location (#​7552)
• Warn instead of throwing error if <svelte:element> is a void tag (#​7566)
• Supports custom elements in <svelte:element> (#​7733)
• Fix calling component unmount if a component is mounted and then immediately unmounted (#​7817)
• Do not generate a11y-role-has-required-aria-props warning when elements match their semantic role (#​7837)
• Improve performance of custom element data setting in <svelte:element> (#​7869)

v3.50.1

Compare Source

• Add all global objects and functions as known globals (#​3805, #​7223)
• Fix regression with style manager (#​7828)

v3.50.0

Compare Source

• Add a11y warnings:
  • a11y-incorrect-aria-attribute-type: check ARIA state and property values (#​6978)
  • a11y-no-abstract-role: check that ARIA roles are non-abstract (#​6241)
  • a11y-no-interactive-element-to-noninteractive-role: check for non-interactive roles used on interactive elements (#​5955)
  • a11y-role-has-required-aria-props: check that elements with role attribute have all required attributes for that role (#​5852)
• Add ComponentEvents convenience type (#​7702)
• Add SveltePreprocessor utility type (#​7742)
• Enhance action typings (#​7805)
• Remove empty stylesheets created from transitions (#​4801, #​7164)
• Make a11y-label-has-associated-control warning check all descendants for input control (#​5528)
• Only show lowercase component name warnings for non-HTML/SVG elements (#​5712)
• Disallow invalid CSS selectors starting with a combinator (#​7643)
• Use Node.parentNode instead of Node.parentElement for legacy browser support (#​7723)
• Handle arrow function on <slot> inside <svelte:fragment> (#​7485)
• Improve parsing speed when encountering large blocks of whitespace (#​7675)
• Fix class: directive updates in aborted/restarted transitions (#​7764)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm ERR! code ENOTSUP
npm ERR! notsup Unsupported engine for [email protected]: wanted: {"npm":">=8.0.0","node":">=14.18.0"} (current: {"node":"20.17.0","npm":"6.14.18"})
npm ERR! notsup Not compatible with your version of node/npm: [email protected]
npm ERR! notsup Not compatible with your version of node/npm: [email protected]
npm ERR! notsup Required: {"npm":">=8.0.0","node":">=14.18.0"}
npm ERR! notsup Actual:   {"npm":"6.14.18","node":"20.17.0"}

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate/cache/others/npm/_logs/2024-08-30T19_52_28_773Z-debug.log