chore(deps): update dependency svelte to v3.59.2 [security] #107

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

renovate wants to merge 1 commit into master from renovate/npm-svelte-vulnerability

renovate bot commented Sep 25, 2022 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
svelte (source)	`3.22.2` → `3.59.2`

GitHub Vulnerability Alerts

CVE-2022-25875

The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.

CVE-2024-45047

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

If the string is an attribute value:
- " -> "
- & -> &
- Other characters -> No conversion
Otherwise:
- < -> <
- & -> &
- Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

GHSA-gw32-9rmw-qwww

Summary

A server-side rendered <textarea> with two-way bound value does not have its value correctly escaped in the rendered HTML.

Details

In SSR, <textarea bind:value={...}> does not have its value escaped when it is rendered into the HTML as <textarea>...</textarea>.

PoC

Put this in a server-side-rendered Svelte component:

<script>
  let value = `test'"></textarea><script` + `>alert('BIM');</sc` + `ript>`;
</script>

<textarea bind:value />

Impact

Only affects SSR
Needs a <textarea bind:value> filled by user content via two-way binding

Release Notes

sveltejs/svelte (svelte)

`v3.59.2`

`v3.59.1`

`v3.59.0`

`v3.58.0`

`v3.57.0`

`v3.56.0`

`v3.55.1`

`v3.55.0`

`v3.54.0`

`v3.53.1`

`v3.53.0`

`v3.52.0`

`v3.51.0`

`v3.50.1`

`v3.50.0`

`v3.49.0`

`v3.48.0`

`v3.47.0`

`v3.46.6`

`v3.46.5`

`v3.46.4`

`v3.46.3`

`v3.46.2`

`v3.46.1`

`v3.46.0`

`v3.45.0`

`v3.44.3`

`v3.44.2`

`v3.44.1`

`v3.44.0`

`v3.43.2`

`v3.43.1`

`v3.43.0`

`v3.42.6`

`v3.42.5`

`v3.42.4`

`v3.42.3`

`v3.42.2`

`v3.42.1`

`v3.42.0`

`v3.41.0`

`v3.40.3`

`v3.40.2`

`v3.40.1`

`v3.40.0`

`v3.39.0`

`v3.38.3`

`v3.38.2`

`v3.38.1`

`v3.38.0`

`v3.37.0`

`v3.36.0`

`v3.35.0`

`v3.34.0`

`v3.33.0`

`v3.32.3`

`v3.32.2`

`v3.32.1`

`v3.32.0`

`v3.31.2`

`v3.31.1`

`v3.31.0`

`v3.30.1`

`v3.30.0`

`v3.29.7`

`v3.29.6`

`v3.29.5`

`v3.29.4`

`v3.29.3`

`v3.29.2`

`v3.29.1`

`v3.29.0`

`v3.28.0`

`v3.27.0`

`v3.26.0`

`v3.25.1`

`v3.25.0`

`v3.24.1`

`v3.24.0`

`v3.23.2`

`v3.23.1`

`v3.23.0`

`v3.22.3`

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

vercel bot commented Sep 25, 2022 •

edited

Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
simple-user-cms	Error		Jan 17, 2026 1:54am

vercel bot had a problem deploying to Preview

September 25, 2022 12:57

Failure

renovate bot changed the title ~~chore(deps): update dependency svelte to 3.49.0 [security]~~ chore(deps): update dependency svelte to v3.49.0 [security]

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 7bd40db to 836fba0 Compare

August 30, 2024 17:01

renovate bot changed the title ~~chore(deps): update dependency svelte to v3.49.0 [security]~~ chore(deps): update dependency svelte to v4 [security]

vercel bot had a problem deploying to Preview

August 30, 2024 17:01

Failure

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 836fba0 to 08e25c2 Compare

August 10, 2025 13:53

vercel bot had a problem deploying to Preview

August 10, 2025 13:54

Failure

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 08e25c2 to caed5ab Compare

August 13, 2025 13:49

vercel bot had a problem deploying to Preview

August 13, 2025 13:49

Failure

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from caed5ab to a4fbeb6 Compare

August 31, 2025 13:50

vercel bot had a problem deploying to Preview

August 31, 2025 13:50

Failure

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from a4fbeb6 to 35615e2 Compare

September 25, 2025 20:51

vercel bot had a problem deploying to Preview

September 25, 2025 20:52

Failure

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 35615e2 to c6ee2fb Compare

November 11, 2025 00:30

vercel bot had a problem deploying to Preview

November 11, 2025 00:30

Failure

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from c6ee2fb to 8bd520e Compare

November 18, 2025 16:03

vercel bot had a problem deploying to Preview

November 18, 2025 16:03

Failure


          chore(deps): update dependency svelte to v3.59.2 [security]

8909a35

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 8bd520e to 8909a35 Compare

January 17, 2026 01:54

renovate bot changed the title ~~chore(deps): update dependency svelte to v4 [security]~~ chore(deps): update dependency svelte to v3.59.2 [security]

vercel bot had a problem deploying to Preview

January 17, 2026 01:54

Failure

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet