Update dependency svelte to v4 [SECURITY] #381
Conversation
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
from
e440eb6 to
33d712d
Compare
|
Caution Review the following alerts detected in dependencies. According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.
|
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
from
33d712d to
aa35f83
Compare
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
from
aa35f83 to
de0c040
Compare
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
2 times, most recently
from
17b5d6c to
a1ba4f1
Compare
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
from
a1ba4f1 to
9bb7c98
Compare
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
from
9bb7c98 to
49a51d2
Compare
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
5 times, most recently
from
7e3f2c2 to
2db0263
Compare
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
7 times, most recently
from
950f211 to
1e15d83
Compare
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
3 times, most recently
from
dacf32a to
04a37fb
Compare
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
5 times, most recently
from
44f828c to
2072ab7
Compare
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
4 times, most recently
from
137c675 to
673d179
Compare
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
4 times, most recently
from
33c7684 to
36f4993
Compare
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
from
36f4993 to
b45eb6e
Compare
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
yarn.lockis excluded by!**/yarn.lock,!**/*.lock
📒 Files selected for processing (1)
packages/ui/package.json(1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: build (solidity, default)
- GitHub Check: semgrep-cloud-platform/scan
| "rollup-plugin-svelte": "^7.2.3", | ||
| "rollup-plugin-terser": "^7.0.2", | ||
| "svelte": "^3.55.0", | ||
| "svelte": "^4.0.0", |
There was a problem hiding this comment.
🧩 Analysis chain
✓ Approve the security fix, but verify build compatibility.
The version bump addresses CVE-2024-45047, a critical XSS vulnerability in Svelte's SSR that affects attribute escaping in <noscript> tags. The ^4.0.0 constraint ensures v4.2.19+ (which includes the fix) will be installed.
However, this is a major version change. Verify that:
- The build completes without errors.
- All tests pass with Svelte v4.
- The compatibility of related dependencies (rollup-plugin-svelte v7.2.3, svelte-check v3.8.6, svelte-preprocess v5.1.4) is confirmed.
🏁 Script executed:
#!/bin/bash
# Description: Verify build and test compatibility with Svelte v4.
set -e
cd packages/ui
# Check if rollup-plugin-svelte v7.2.3 is compatible with Svelte v4
echo "Checking package.json for compatible versions..."
grep -E '"(svelte|rollup-plugin-svelte|svelte-check|svelte-preprocess)"' package.json
# Try to resolve and validate dependencies (without installing)
npm list svelte rollup-plugin-svelte svelte-check svelte-preprocess 2>&1 | head -20 || echo "npm list may fail if not installed; this is expected"
# Check for known breaking changes or migration notes
echo ""
echo "Checking Svelte v4 migration documentation..."
# Look for any v4-specific documentation or migration guides in the repo
fd -e md -e txt --type f | xargs grep -l "svelte.*v4\|svelte.*4\.0\|migration" 2>/dev/null | head -5 || echo "No migration docs found"Length of output: 292
🌐 Web query:
rollup-plugin-svelte v7.2.3 Svelte v4 compatibility
💡 Result:
Yes — rollup-plugin-svelte v7.2.3 is compatible with Svelte 4. The Svelte v4 migration docs require rollup-plugin-svelte >= 7.1.5 for Rollup users, and v7.2.3 is a current 7.x release. [1][2]
Sources:
[1] rollup-plugin-svelte on npm (v7.2.3).
[2] Svelte v4 migration guide — "If you are using Rollup, upgrade to rollup-plugin-svelte 7.1.5 or higher."
🌐 Web query:
svelte-check v3.8.6 Svelte v4 support
💡 Result:
Yes — svelte-check 3.8.6 lists Svelte v4 in its peerDependencies and its 3.8.6 release notes show Svelte v4/5-related fixes, so v3.8.6 supports Svelte 4. [1][2]
Sources:
- package-lock entry showing peerDependencies include ^4.0.0. [1]
- svelte-check 3.8.6 release notes. [2]
🌐 Web query:
Svelte v4 breaking changes migration guide
💡 Result:
Here are the essential steps and breaking changes to handle when migrating to Svelte v4 — run the automatic migrator first, then address the manual items below.
Quick steps
- Run the migrator: npx svelte-migrate@latest svelte-4. [1]
- Upgrade toolchain: Node >= 16, TypeScript >= 5, Vite/SvelteKit/rollup/webpack plugin versions listed in the guide. [1]
- Update eslint to eslint-plugin-svelte (eslint-plugin-svelte3 is deprecated). [1]
Top breaking changes to check and fix
- Compiler output is ESM-only (CJS output and svelte/register removed). If you need CJS, convert ESM to CJS in a post-build step. [1]
- Stricter TypeScript typings: createEventDispatcher, Action generic types, and onMount return types now enforce correctness — update types accordingly. [1]
- Transitions are local by default and default slot bindings behavior changed — review components that relied on the old globals. [1]
- Custom elements and svelte component instance accessors changed (SvelteComponentTyped deprecated; custom-elements docs). [1]
- Browser/build config: bundlers must use the "browser" condition (misconfigured bundlers can cause lifecycle hooks like onMount not to run). Update rollup/webpack/Vite config as documented. [1]
- Store API changes: StartStopNotifier must now provide an update function; derived() throws on falsy values instead of treating them as stores. [1]
- Runtime changes affecting very old browsers: classList.toggle(name, boolean), CustomEvent constructor usage, and the inert attribute applied to outroing elements — polyfills may be necessary. [1]
- DOM removals are batched (order of removal/events may differ; MutationObserver users should verify). [1]
- Global JSX/typing namespace changes: migrate from svelte.JSX to svelteHTML / svelte/elements where applicable. [1]
If you want, I can:
- run the migrator commands you should execute,
- produce a checklist tailored to your repo (package.json, bundler, and TypeScript files) — share your repo or package.json.
🏁 Script executed:
#!/bin/bash
# Description: Examine rollup config and check for Svelte v4 breaking change patterns
echo "=== Checking rollup configuration ==="
fd -e "rollup.config" -o -e "rollup.js" | head -5
echo ""
echo "=== Checking for store API usage patterns ==="
fd -e svelte -e ts -e js | xargs grep -l "StartStopNotifier\|writable\|derived" 2>/dev/null | head -10
echo ""
echo "=== Checking for TypeScript issues (Action, createEventDispatcher) ==="
fd -e svelte -e ts | xargs grep -l "Action\|createEventDispatcher" 2>/dev/null | head -10
echo ""
echo "=== Checking for SvelteComponentTyped usage ==="
fd -e svelte -e ts -e js | xargs grep -l "SvelteComponentTyped" 2>/dev/null | head -5
echo ""
echo "=== Checking for ESM/CJS output config ==="
fd -e "package.json" --type f | xargs grep -l "exports\|module\|main" 2>/dev/null | head -10Length of output: 730
🌐 Web query:
svelte-preprocess v5.1.4 Svelte v4 support
💡 Result:
Yes — svelte-preprocess v5.1.4 is compatible with Svelte v4. The package README documents using svelte-preprocess for Svelte (and notes Svelte 4 users still need a preprocessor for TypeScript and common CSS preprocessors), and the v5.1.4 npm release is available. [1][2]
Sources:
- svelte-preprocess v5.1.4 on npm. [1]
- svelte-preprocess README / usage (compatibility notes). [2]
🏁 Script executed:
#!/bin/bash
# Description: Verify SvelteComponentTyped usage and check rollup config
echo "=== SvelteComponentTyped usage in Wiz.svelte ==="
grep -n "SvelteComponentTyped" packages/ui/src/common/Wiz.svelte -B2 -A2
echo ""
echo "=== Checking for rollup.config file ==="
find packages/ui -name "rollup.config.*" -o -name "rollup.js" | head -5
echo ""
echo "=== Checking package.json exports field ==="
cat packages/ui/package.json | grep -A5 '"exports"' || echo "No exports field found"Length of output: 500
🏁 Script executed:
#!/bin/bash
# Description: Check rollup config for Svelte v4 setup and look for alternative SvelteComponentTyped patterns
echo "=== rollup.config.mjs content (first 50 lines) ==="
head -50 packages/ui/rollup.config.mjs
echo ""
echo "=== Checking if there are other deprecated patterns in Wiz.svelte ==="
cat packages/ui/src/common/Wiz.svelte | head -50Length of output: 3433
Critical issue: SvelteComponentTyped is deprecated in Svelte v4—migration incomplete.
The version upgrade is valid and addresses CVE-2024-45047 (XSS in SSR). All dependencies (rollup-plugin-svelte v7.2.3, svelte-check v3.8.6, svelte-preprocess v5.1.4) are compatible with Svelte v4, and the rollup configuration is properly set up.
However, packages/ui/src/common/Wiz.svelte (lines 2, 25–26) uses SvelteComponentTyped, which is deprecated and removed in Svelte v4. This must be updated to the new component typing pattern before the upgrade can proceed. Run the migration tool—npx svelte-migrate@latest svelte-4—to help identify and fix all breaking changes, particularly in this file and any TypeScript type usage (createEventDispatcher, Action generics).
🤖 Prompt for AI Agents
packages/ui/src/common/Wiz.svelte (referenced lines 2, 25-26): Svelte v4 removed
SvelteComponentTyped so update the component typings and related TypeScript
usages: run the migration tool npx svelte-migrate@latest svelte-4 to auto-fix
common breaking changes, then edit Wiz.svelte to replace SvelteComponentTyped
usages with the new Svelte v4 typing patterns (use the new
Component/props/events/slots generics or export component types per the
migration output), update createEventDispatcher and Action generics to their v4
signatures, fix any resulting type errors, and re-run the typechecker/build
until type errors are resolved.
cb5dd92 to
0355647
Compare
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
7 times, most recently
from
7fe2992 to
9d0b749
Compare
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
6 times, most recently
from
8f58131 to
aecc5f7
Compare
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
2 times, most recently
from
c1d6ed3 to
8a80010
Compare
renovate
bot
force-pushed
the
renovate/npm-svelte-vulnerability
branch
from
8a80010 to
6d165f9
Compare
This PR contains the following updates:
^3.55.0->^4.0.0GitHub Vulnerability Alerts
CVE-2024-45047
Summary
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Details
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
"->"&->&<-><&->&The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a
<noscript>tag.PoC
A vulnerable page (
+page.svelte):If a user accesses the following URL,
then,
alert(123)will be executed.Impact
XSS, when using an attribute within a noscript tag
Release Notes
sveltejs/svelte (svelte)
v4.2.19Compare Source
Patch Changes
fix: ensure typings for
<svelte:options>are picked up (#12902)fix: escape
<in attribute strings (#12989)v4.2.18Compare Source
Patch Changes
v4.2.17Compare Source
Patch Changes
v4.2.16Compare Source
Patch Changes
v4.2.15Compare Source
Patch Changes
v4.2.14Compare Source
Patch Changes
v4.2.13Compare Source
Patch Changes
v4.2.12Compare Source
Patch Changes
svelte:componentprops when there are spread props (#10604)v4.2.11Compare Source
Patch Changes
connectedCallback(#10466)v4.2.10Compare Source
Patch Changes
fix: add
scrollendevent type (#10336)fix: add
fetchpriorityattribute type (#10390)fix: Add
miter-clipandarcstostroke-linejoinattribute (#10377)fix: make inline doc links valid (#10366)
v4.2.9Compare Source
Patch Changes
fix: add types for popover attributes and events (#10042)
fix: add
gamepadconnectedandgamepaddisconnectedevents (#9864)fix: make
@types/estreea dependency (#10149)fix: bump
axobject-query(#10167)v4.2.8Compare Source
Patch Changes
v4.2.7Compare Source
Patch Changes
v4.2.6Compare Source
Patch Changes
v4.2.5Compare Source
Patch Changes
v4.2.4Compare Source
Patch Changes
v4.2.3Compare Source
Patch Changes
fix: improve a11y-click-events-have-key-events message (#9358)
fix: more robust hydration of html tag (#9184)
v4.2.2Compare Source
Patch Changes
fix: support camelCase properties on custom elements (#9328)
fix: add missing plaintext-only value to contenteditable type (#9242)
chore: upgrade magic-string to 0.30.4 (#9292)
fix: ignore trailing comments when comparing nodes (#9197)
v4.2.1Compare Source
Patch Changes
fix: update style directive when style attribute is present and is updated via an object prop (#9187)
fix: css sourcemap generation with unicode filenames (#9120)
fix: do not add module declared variables as dependencies (#9122)
fix: handle
svelte:elementwith dynamic this and spread attributes (#9112)fix: silence false positive reactive component warning (#9094)
fix: head duplication when binding is present (#9124)
fix: take custom attribute name into account when reflecting property (#9140)
fix: add
indeterminateto the list of HTMLAttributes (#9180)fix: recognize option value on spread attribute (#9125)
v4.2.0Compare Source
Minor Changes
svelteHTMLfrom language-tools into core to load the correctsvelte/elementtypes (#9070)v4.1.2Compare Source
Patch Changes
fix: allow child element with slot attribute within svelte:element (#9038)
fix: Add data-* to svg attributes (#9036)
v4.1.1Compare Source
Patch Changes
svelte:componentspread props change not picked up (#9006)v4.1.0Compare Source
Minor Changes
Patch Changes
fix: ensure
svelte:componentevaluates props once (#8946)fix: remove
let:variableslot bindings from select binding dependencies (#8969)fix: handle destructured primitive literals (#8871)
perf: optimize imports that are not mutated or reassigned (#8948)
fix: don't add accessor twice (#8996)
v4.0.5Compare Source
Patch Changes
v4.0.4Compare Source
Patch Changes
fix: claim svg tags in raw mustache tags correctly (#8910)
fix: repair invalid raw html content during hydration (#8912)
v4.0.3Compare Source
Patch Changes
v4.0.2Compare Source
Patch Changes
fix: reflect all custom element prop updates back to attribute (#8898)
fix: shrink custom element baseline a bit (#8858)
fix: use non-destructive hydration for all
@htmltags (#8880)fix: align
disclose-versionexports specification (#8874)fix: check srcset when hydrating to prevent needless requests (#8868)
v4.0.1Compare Source
Patch Changes
fix: ensure identifiers in destructuring contexts don't clash with existing ones (#8840)
fix: ensure
createEventDispatcherandActionReturnwork with types from generic function parameters (#8872)fix: apply transition to
<svelte:element>with local transition (#8865)fix: relax a11y "no redundant role" rule for li, ul, ol (#8867)
fix: remove tsconfig.json from published package (#8859)
v4.0.0Compare Source
Major Changes
breaking: Minimum supported Node version is now Node 16 (#8566)
breaking: Minimum supported webpack version is now webpack 5 (#8515)
breaking: Bundlers must specify the
browsercondition when building a frontend bundle for the browser (#8516)breaking: Minimum supported vite-plugin-svelte version is now 2.4.1. SvelteKit users can upgrade to 1.20.0 or newer to ensure a compatible version (#8516)
breaking: Minimum supported
rollup-plugin-svelteversion is now 7.1.5 (198dbcf)breaking: Minimum supported
svelte-loaderis now 3.1.8 (198dbcf)breaking: Minimum supported TypeScript version is now TypeScript 5 (it will likely work with lower versions, but we make no guarantees about that) (#8488)
breaking: Remove
svelte/registerhook, CJS runtime version and CJS compiler output (#8613)breaking: Stricter types for
createEventDispatcher(see PR for migration instructions) (#7224)breaking: Stricter types for
ActionandActionReturn(see PR for migration instructions) (#7442)breaking: Stricter types for
onMount- now throws a type error when returning a function asynchronously to catch potential mistakes around callback functions(see PR for migration instructions) (#8136)
breaking: Overhaul and drastically improve creating custom elements with Svelte (see PR for list of changes and migration instructions) ([#8457](https://github.
com/feat: custom elements rework sveltejs/svelte#8457))
breaking: Deprecate
SvelteComponentTypedin favor ofSvelteComponent(#8512)breaking: Make transitions local by default to prevent confusion around page navigations (#6686)
breaking: Error on falsy values instead of stores passed to
derived(#7947)breaking: Custom store implementers now need to pass an
updatefunction additionally to thesetfunction ([#6750](https://github.com/sveltejs/svelte/pull/6750))
breaking: Do not expose default slot bindings to named slots and vice versa (#6049)
breaking: Change order in which preprocessors are applied (#8618)
breaking: The runtime now makes use of
classList.toggle(name, boolean)which does not work in very old browsers ([#8629](https://github.com/sveltejs/svelte/pull/8629))
breaking: apply
inertto outroing elements (#8628)breaking: use
CustomEventconstructor instead of deprecatedcreateEventmethod (#8775)Minor Changes
Add a way to modify attributes for script/style preprocessors (#8618)
Improve hydration speed by adding
data-svelte-hattribute to detect unchanged HTML elements (#7426)Add
a11y no-noninteractive-element-interactionsrule (#8391)Add
a11y-no-static-element-interactionsrule (#8251)Allow
#eachto iterate over iterables likeSet,Mapetc (#7425)Improve duplicate key error for keyed
eachblocks (#8411)Warn about
:in attributes and props to prevent ambiguity with Svelte directives (#6823)feat: add version info to
window. You can opt out by settingdiscloseVersiontofalsein the compiler options (#8761)feat: smaller minified output for destructor chunks (#8763)
Patch Changes
Bind
nulloption and input values consistently (#8312)Allow
$storeto be used with changing values including nullish values (#7555)Initialize stylesheet with
/* empty */to enable setting CSP directive that also works in Safari (#7800)Treat slots as if they don't exist when using CSS adjacent and general sibling combinators (#8284)
Fix transitions so that they don't require a
style-src 'unsafe-inline'Content Security Policy (CSP) (#6662).Explicitly disallow
vardeclarations extending the reactive statement scope (#6800)Improve error message when trying to use
animate:directives on inline components (#8641)fix: export ComponentType from
svelteentrypoint (#8578)fix: never use html optimization for mustache tags in hydration mode (#8744)
fix: derived store types (#8578)
Generate type declarations with dts-buddy (#8578)
fix: ensure types are loaded with all TS settings (#8721)
fix: account for preprocessor source maps when calculating meta info (#8778)
chore: deindent cjs output for compiler (#8785)
warn on boolean compilerOptions.css (#8710)
fix: export correct SvelteComponent type (#8721)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.