Update dependency svelte to v4 [SECURITY] #381

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

renovate wants to merge 1 commit into master from renovate/npm-svelte-vulnerability

Contributor

renovate bot commented Aug 30, 2024 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
svelte (source)	`^3.55.0` -> `^4.0.0`

GitHub Vulnerability Alerts

CVE-2024-45047

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

If the string is an attribute value:
- " -> "
- & -> &
- Other characters -> No conversion
Otherwise:
- < -> <
- & -> &
- Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

Release Notes

sveltejs/svelte (svelte)

`v4.2.19`

Patch Changes

fix: ensure typings for <svelte:options> are picked up (#12902)
fix: escape < in attribute strings (#12989)

`v4.2.18`

Patch Changes

chore: speed up regex (#11922)

`v4.2.17`

Patch Changes

fix: correctly handle falsy values of style directives in SSR mode (#11584)

`v4.2.16`

Patch Changes

fix: check if svelte component exists on custom element destroy (#11489)

`v4.2.15`

Patch Changes

support attribute selector inside :global() (#11135)

`v4.2.14`

Patch Changes

fix parsing camelcase container query name (#11131)

`v4.2.13`

Patch Changes

fix: applying :global for +,~ sibling combinator when slots are present (#9282)

`v4.2.12`

Patch Changes

fix: properly update svelte:component props when there are spread props (#10604)

`v4.2.11`

Patch Changes

fix: check that component wasn't instantiated in connectedCallback (#10466)

`v4.2.10`

Patch Changes

fix: add scrollend event type (#10336)
fix: add fetchpriority attribute type (#10390)
fix: Add miter-clip and arcs to stroke-linejoin attribute (#10377)
fix: make inline doc links valid (#10366)

`v4.2.9`

Patch Changes

fix: add types for popover attributes and events (#10042)
fix: add gamepadconnected and gamepaddisconnected events (#9864)
fix: make @types/estree a dependency (#10149)
fix: bump axobject-query (#10167)

`v4.2.8`

Patch Changes

fix: port over props that were set prior to initialization (#9701)

`v4.2.7`

Patch Changes

fix: handle spreads within static strings (#9554)

`v4.2.6`

Patch Changes

fix: adjust static attribute regex (#9551)

`v4.2.5`

Patch Changes

fix: ignore expressions in top level script/style tag attributes (#9498)

`v4.2.4`

Patch Changes

fix: handle closing tags inside attribute values (#9486)

`v4.2.3`

Patch Changes

fix: improve a11y-click-events-have-key-events message (#9358)
fix: more robust hydration of html tag (#9184)

`v4.2.2`

Patch Changes

fix: support camelCase properties on custom elements (#9328)
fix: add missing plaintext-only value to contenteditable type (#9242)
chore: upgrade magic-string to 0.30.4 (#9292)
fix: ignore trailing comments when comparing nodes (#9197)

`v4.2.1`

Patch Changes

fix: update style directive when style attribute is present and is updated via an object prop (#9187)
fix: css sourcemap generation with unicode filenames (#9120)
fix: do not add module declared variables as dependencies (#9122)
fix: handle svelte:element with dynamic this and spread attributes (#9112)
fix: silence false positive reactive component warning (#9094)
fix: head duplication when binding is present (#9124)
fix: take custom attribute name into account when reflecting property (#9140)
fix: add indeterminate to the list of HTMLAttributes (#9180)
fix: recognize option value on spread attribute (#9125)

`v4.2.0`

Minor Changes

feat: move svelteHTML from language-tools into core to load the correct svelte/element types (#9070)

`v4.1.2`

Patch Changes

fix: allow child element with slot attribute within svelte:element (#9038)
fix: Add data-* to svg attributes (#9036)

`v4.1.1`

Patch Changes

fix: svelte:component spread props change not picked up (#9006)

`v4.1.0`

Minor Changes

feat: add ability to extend custom element class (#8991)

Patch Changes

fix: ensure svelte:component evaluates props once (#8946)
fix: remove let:variable slot bindings from select binding dependencies (#8969)
fix: handle destructured primitive literals (#8871)
perf: optimize imports that are not mutated or reassigned (#8948)
fix: don't add accessor twice (#8996)

`v4.0.5`

Patch Changes

fix: generate type definition with nullable types (#8924)

`v4.0.4`

Patch Changes

fix: claim svg tags in raw mustache tags correctly (#8910)
fix: repair invalid raw html content during hydration (#8912)

`v4.0.3`

Patch Changes

fix: handle falsy srcset values (#8901)

`v4.0.2`

Patch Changes

fix: reflect all custom element prop updates back to attribute (#8898)
fix: shrink custom element baseline a bit (#8858)
fix: use non-destructive hydration for all @html tags (#8880)
fix: align disclose-version exports specification (#8874)
fix: check srcset when hydrating to prevent needless requests (#8868)

`v4.0.1`

Patch Changes

fix: ensure identifiers in destructuring contexts don't clash with existing ones (#8840)
fix: ensure createEventDispatcher and ActionReturn work with types from generic function parameters (#8872)
fix: apply transition to <svelte:element> with local transition (#8865)
fix: relax a11y "no redundant role" rule for li, ul, ol (#8867)
fix: remove tsconfig.json from published package (#8859)

`v4.0.0`

Major Changes

breaking: Minimum supported Node version is now Node 16 (#8566)
breaking: Minimum supported webpack version is now webpack 5 (#8515)
breaking: Bundlers must specify the browser condition when building a frontend bundle for the browser (#8516)
breaking: Minimum supported vite-plugin-svelte version is now 2.4.1. SvelteKit users can upgrade to 1.20.0 or newer to ensure a compatible version (#8516)
breaking: Minimum supported rollup-plugin-svelte version is now 7.1.5 (198dbcf)
breaking: Minimum supported svelte-loader is now 3.1.8 (198dbcf)
breaking: Minimum supported TypeScript version is now TypeScript 5 (it will likely work with lower versions, but we make no guarantees about that) (#8488)
breaking: Remove svelte/register hook, CJS runtime version and CJS compiler output (#8613)
breaking: Stricter types for createEventDispatcher (see PR for migration instructions) (#7224)
breaking: Stricter types for Action and ActionReturn (see PR for migration instructions) (#7442)
breaking: Stricter types for onMount - now throws a type error when returning a function asynchronously to catch potential mistakes around callback functions
(see PR for migration instructions) (#8136)
breaking: Overhaul and drastically improve creating custom elements with Svelte (see PR for list of changes and migration instructions) (#8457)
breaking: Deprecate SvelteComponentTyped in favor of SvelteComponent (#8512)
breaking: Make transitions local by default to prevent confusion around page navigations (#6686)
breaking: Error on falsy values instead of stores passed to derived (#7947)
breaking: Custom store implementers now need to pass an update function additionally to the set function (#6750)
breaking: Do not expose default slot bindings to named slots and vice versa (#6049)
breaking: Change order in which preprocessors are applied (#8618)
breaking: The runtime now makes use of classList.toggle(name, boolean) which does not work in very old browsers (#8629)
breaking: apply inert to outroing elements (#8628)
breaking: use CustomEvent constructor instead of deprecated createEvent method (#8775)

Minor Changes

Add a way to modify attributes for script/style preprocessors (#8618)
Improve hydration speed by adding data-svelte-h attribute to detect unchanged HTML elements (#7426)
Add a11y no-noninteractive-element-interactions rule (#8391)
Add a11y-no-static-element-interactionsrule (#8251)
Allow #each to iterate over iterables like Set, Map etc (#7425)
Improve duplicate key error for keyed each blocks (#8411)
Warn about : in attributes and props to prevent ambiguity with Svelte directives (#6823)
feat: add version info to window. You can opt out by setting discloseVersion to false in the compiler options (#8761)
feat: smaller minified output for destructor chunks (#8763)

Patch Changes

Bind null option and input values consistently (#8312)
Allow $store to be used with changing values including nullish values (#7555)
Initialize stylesheet with /* empty */ to enable setting CSP directive that also works in Safari (#7800)
Treat slots as if they don't exist when using CSS adjacent and general sibling combinators (#8284)
Fix transitions so that they don't require a style-src 'unsafe-inline' Content Security Policy (CSP) (#6662).
Explicitly disallow var declarations extending the reactive statement scope (#6800)
Improve error message when trying to use animate: directives on inline components (#8641)
fix: export ComponentType from svelte entrypoint (#8578)
fix: never use html optimization for mustache tags in hydration mode (#8744)
fix: derived store types (#8578)
Generate type declarations with dts-buddy (#8578)
fix: ensure types are loaded with all TS settings (#8721)
fix: account for preprocessor source maps when calculating meta info (#8778)
chore: deindent cjs output for compiler (#8785)
warn on boolean compilerOptions.css (#8710)
fix: export correct SvelteComponent type (#8721)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from e440eb6 to 33d712d Compare

October 10, 2024 20:15

socket-security bot commented Oct 10, 2024 •

edited

Loading

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert (click for details)
Block		`[email protected]` has a Critical CVE. CVE: GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) (CRITICAL) Affected versions: <= 6.6.0 Patched version: 6.6.1 Source: `packages/core/solidity/src/environments/hardhat/package-lock.json` Source: `packages/core/solidity/src/environments/hardhat/package.json` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`[email protected]` has a High CVE. CVE: GHSA-jr5f-v2jv-69x6 axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL (HIGH) Affected versions: >= 1.0.0, < 1.8.2 Patched version: 1.8.2 Source: `packages/core/solidity/src/environments/hardhat/package-lock.json` Source: `packages/core/solidity/src/environments/hardhat/package.json` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`[email protected]` has a High CVE. CVE: GHSA-3h5v-q93c-6h6q ws affected by a DoS when handling a request with many HTTP headers (HIGH) Affected versions: >= 7.0.0, < 7.5.10 Patched version: 7.5.10 Source: `packages/core/solidity/src/environments/hardhat/package-lock.json` Source: `packages/core/solidity/src/environments/hardhat/package.json` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`[email protected]` has a Low CVE. CVE: GHSA-977x-g7h5-7qgw Elliptic's ECDSA missing check for whether leading bit of r and s is zero (LOW) Affected versions: >= 2.0.0, <= 6.5.6 Patched version: 6.5.7 Source: `packages/core/solidity/src/environments/hardhat/package-lock.json` Source: `packages/core/solidity/src/environments/hardhat/package.json` ℹ Read more on: This package \| This alert \| What is a mild CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`[email protected]` has a Low CVE. CVE: GHSA-49q7-c7j4-3p7m Elliptic allows BER-encoded signatures (LOW) Affected versions: >= 5.2.1, <= 6.5.6 Patched version: 6.5.7 Source: `packages/core/solidity/src/environments/hardhat/package-lock.json` Source: `packages/core/solidity/src/environments/hardhat/package.json` ℹ Read more on: This package \| This alert \| What is a mild CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`[email protected]` has a Low CVE. CVE: GHSA-f7q4-pwc6-w24p Elliptic's EDDSA missing signature length check (LOW) Affected versions: >= 4.0.0, <= 6.5.6 Patched version: 6.5.7 Source: `packages/core/solidity/src/environments/hardhat/package-lock.json` Source: `packages/core/solidity/src/environments/hardhat/package.json` ℹ Read more on: This package \| This alert \| What is a mild CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`[email protected]` has a Low CVE. CVE: GHSA-fc9h-whq2-v747 Valid ECDSA signatures erroneously rejected in Elliptic (LOW) Affected versions: < 6.6.0 Patched version: 6.6.0 Source: `packages/core/solidity/src/environments/hardhat/package-lock.json` Source: `packages/core/solidity/src/environments/hardhat/package.json` ℹ Read more on: This package \| This alert \| What is a mild CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`[email protected]` has a Low CVE. CVE: GHSA-434g-2637-qmqr Elliptic's verify function omits uniqueness validation (LOW) Affected versions: < 6.5.6 Patched version: 6.5.6 Source: `packages/core/solidity/src/environments/hardhat/package-lock.json` Source: `packages/core/solidity/src/environments/hardhat/package.json` ℹ Read more on: This package \| This alert \| What is a mild CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`[email protected]` is a AI-detected potential code anomaly. Notes: The code appears to be a WebAssembly (WASM) module implementing HTTP parsing functionality. The code contains suspicious elements such as ability to handle HTTP headers, message bodies, and chunk extensions. While it may be legitimate parser code, the obfuscated nature and presence of low-level binary operations warrants careful review due to potential for misuse in HTTP request/response manipulation or header injection attacks. Confidence: 1.00 Severity: 0.60 Source: `packages/core/solidity/src/environments/hardhat/package-lock.json` Source: `packages/core/solidity/src/environments/hardhat/package.json` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from 33d712d to aa35f83 Compare

November 18, 2024 20:32

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from aa35f83 to de0c040 Compare

January 20, 2025 18:18

This was referenced Jan 20, 2025

Update dependency svelte-check to v4 #382

Closed

Update dependency svelte-preprocess to v6 #366

Closed

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch 2 times, most recently from 17b5d6c to a1ba4f1 Compare

February 26, 2025 20:20


          Update dependency svelte to v4 [SECURITY]

9bb7c98

renovate bot force-pushed the renovate/npm-svelte-vulnerability branch from a1ba4f1 to 9bb7c98 Compare

April 21, 2025 14:29

socket-security bot commented Apr 21, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@nomicfoundation/hardhat-toolbox@5.0.0
	hardhat@2.23.0 ⏵ 2.22.19

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet