chore(deps): update dependency svelte to v4.2.19 [security]

[renovate[bot]]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
svelte (source)	4.2.18 -> 4.2.19

GitHub Vulnerability Alerts

CVE-2024-45047

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

• If the string is an attribute value:
  • " -> "
  • & -> &
  • Other characters -> No conversion
• Otherwise:
  • < -> <
  • & -> &
  • Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

---

Release Notes

sveltejs/svelte (svelte)

### [`v4.2.19`](https://redirect.github.com/sveltejs/svelte/releases/tag/svelte%404.2.19) [Compare Source](https://redirect.github.com/sveltejs/svelte/compare/svelte@4.2.18...svelte@4.2.19) ##### Patch Changes - fix: ensure typings for `` are picked up ([#​12902](https://redirect.github.com/sveltejs/svelte/pull/12902)) - fix: escape `<` in attribute strings ([#​12989](https://redirect.github.com/sveltejs/svelte/pull/12989))

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[nx-cloud[bot]]

☁️ Nx Cloud Report

CI is running/has finished running commands for commit 9ed1d36aceb225fea00976089a809809578770f2. As they complete they will appear below. Click to see the status, the terminal output, and the build insights.

📂 See all runs for this CI Pipeline Execution

---

✅ Successfully ran 2 targets

- [`nx affected --targets=test:sherif,test:knip,test:eslint,test:lib,test:types,test:build,build --parallel=3`](https://cloud.nx.app/runs/oAlhfgTZTf?utm_source=pull-request&utm_medium=comment) - [`nx run-many --target=build --exclude=examples/** --exclude=integrations/**`](https://cloud.nx.app/runs/mTvFUPhXCj?utm_source=pull-request&utm_medium=comment)

---

Sent with 💌 from NxCloud.

[pkg-pr-new[bot]]

Open in Stackblitz

More templates

- [@tanstack/query-example-angular-basic](https://pkg.pr.new/template/0910eb28-ac35-48d7-8dce-6566f82614ec) - [@tanstack/query-example-angular-infinite-query-with-max-pages](https://pkg.pr.new/template/5f848f7a-0c55-4455-87a7-f975def51359) - [@tanstack/query-example-angular-pagination](https://pkg.pr.new/template/a5226ca1-ce54-4ba4-aed5-bb7b6d29fb7b) - [@tanstack/query-example-angular-router](https://pkg.pr.new/template/f3784721-c715-4471-b9e9-4519ab8a1c9e) - [@tanstack/query-example-angular-rxjs](https://pkg.pr.new/template/6bcfee60-32b3-4374-a7b2-bdb0ca0bff57) - [@tanstack/query-example-angular-simple](https://pkg.pr.new/template/7b6e7901-18fa-4414-ba4d-1cdafb4e22c2) - [@tanstack/query-example-react-algolia](https://pkg.pr.new/template/bca26b01-630f-4acd-a0d7-fbd4fa4912c1) - [@tanstack/query-example-react-auto-refetching](https://pkg.pr.new/template/d8598e38-075e-466e-9702-c0eed4fe5aec) - [@tanstack/query-example-react-basic](https://pkg.pr.new/template/48d5ff15-f630-4a39-9883-49895834ba61) - [@tanstack/query-example-react-basic-graphql-request](https://pkg.pr.new/template/4fc51df1-18d6-4c32-8674-1ac5d6188d09) - [@tanstack/query-example-react-default-query-function](https://pkg.pr.new/template/9942dc32-652b-4acd-9b32-fe3df139a4d2) - [@tanstack/query-example-react-devtools-panel](https://pkg.pr.new/template/3ebbacf5-2a2c-463b-b4ce-f6c43c9fa055) - [@tanstack/query-example-react-infinite-query-with-max-pages](https://pkg.pr.new/template/ef33eb2a-249a-4cfa-a91c-5a5452b4e503) - [@tanstack/query-example-react-load-more-infinite-scroll](https://pkg.pr.new/template/b9168b1a-9a3f-4ff6-aea1-c3d5ddfe8332) - [@tanstack/query-example-react-nextjs](https://pkg.pr.new/template/346c7616-00d2-43c8-bcfb-8bb61c527854) - [@tanstack/query-example-react-nextjs-app-prefetching](https://pkg.pr.new/template/bb6ebd88-ae2d-4c92-8f36-d96e154f27fb) - [@tanstack/query-example-nextjs-suspense-streaming](https://pkg.pr.new/template/868738dd-60ca-4d68-8844-5edd41c87189) - [@tanstack/query-example-react-offline](https://pkg.pr.new/template/89478648-1c89-4723-bc4e-607ceaeb9026) - [@tanstack/query-example-react-optimistic-updates-ui](https://pkg.pr.new/template/95b0c3f1-2f78-40e1-8ba8-155836f9b65f) - [@tanstack/query-example-react-optimistic-updates-cache](https://pkg.pr.new/template/7f4008d6-9719-4ad6-8a9d-83b44f96002d) - [@tanstack/query-example-react-pagination](https://pkg.pr.new/template/b9126797-cd9d-48ed-9bf4-fee550c3b9c5) - [@tanstack/query-example-react-playground](https://pkg.pr.new/template/752f6b0d-3ead-49a1-acea-6ca7bef9a85b) - [@tanstack/query-example-react-prefetching](https://pkg.pr.new/template/d195eff4-aa2e-4cab-aeda-658af5b22cce) - [@tanstack/query-example-react-react-native](https://pkg.pr.new/template/f36c742d-03ca-4be9-a128-4a7b8bb51764) - [@tanstack/query-example-react-router](https://pkg.pr.new/template/d39bf954-3402-4de9-871c-2ee116c72d48) - [@tanstack/query-example-react-shadow-dom](https://pkg.pr.new/template/4a7ba3cc-661b-46cc-9ff4-b36ce7c05b40) - [@tanstack/query-example-react-rick-morty](https://pkg.pr.new/template/c5b4c954-24c0-49a2-a87c-be15c2a0209a) - [@tanstack/query-example-react-simple](https://pkg.pr.new/template/593c32c6-e597-4922-a992-9f8a8ed59331) - [@tanstack/query-example-react-star-wars](https://pkg.pr.new/template/36e5b3e5-507f-4c90-8a86-4d4386849b6f) - [@tanstack/query-example-react-suspense](https://pkg.pr.new/template/2b5a78f9-2f3e-47b1-b5ef-f97adb4ee528) - [@tanstack/query-example-svelte-auto-refetching](https://pkg.pr.new/template/1641fe2d-420c-4845-8f0a-efe0bc62ab42) - [@tanstack/query-example-svelte-basic](https://pkg.pr.new/template/90887c84-b080-4327-9c4d-9f7b5142a438) - [@tanstack/query-example-svelte-load-more-infinite-scroll](https://pkg.pr.new/template/64f03a15-a214-403a-b93f-c00982744ee1) - [@tanstack/query-example-svelte-optimistic-updates](https://pkg.pr.new/template/8ba3fac4-726d-4a0a-a12d-8d5466918cd0) - [@tanstack/query-example-svelte-playground](https://pkg.pr.new/template/3f37cfea-fc5e-4e42-a2a4-7e46580d7207) - [@tanstack/query-example-svelte-simple](https://pkg.pr.new/template/9eb6a850-5fb8-435e-8cd5-9c6553a3c89d) - [@tanstack/query-example-svelte-ssr](https://pkg.pr.new/template/7794c0ac-be93-4012-a54b-dfc1011f5ff7) - [@tanstack/query-example-svelte-star-wars](https://pkg.pr.new/template/5ceae8e9-a635-4141-825d-d7cb6f90d90c) - [@tanstack/query-example-solid-astro](https://pkg.pr.new/template/b21763eb-0bb7-40de-aabd-9f20d5018db6) - [@tanstack/query-example-solid-basic](https://pkg.pr.new/template/b5f8c924-283a-456f-a88e-a2b6f4949e0c) - [@tanstack/query-example-solid-default-query-function](https://pkg.pr.new/template/03767c5c-4a85-422a-ac27-ad75d4dbd3e8) - [@tanstack/query-example-solid-basic-graphql-request](https://pkg.pr.new/template/57ae0ca3-2bff-40e7-8468-ee322e54e125) - [@tanstack/query-example-solid-simple](https://pkg.pr.new/template/8864e1d3-54f6-4df2-9633-763a845e78c1) - [@tanstack/query-example-solid-start-streaming](https://pkg.pr.new/template/2103ea3e-2a4c-45f2-b90c-19ad891d550d) - [@tanstack/query-example-vue-2.6-basic](https://pkg.pr.new/template/4a2ad335-abf8-437a-b7b6-35c3e7f12db0) - [@tanstack/query-example-vue-2.7-basic](https://pkg.pr.new/template/fac56a88-bd25-441f-a93f-0752d5bc8dd0) - [@tanstack/query-example-vue-basic](https://pkg.pr.new/template/cbfd6127-07cd-494f-9142-29a4288d4570) - [@tanstack/query-example-vue-dependent-queries](https://pkg.pr.new/template/ecfda9ae-2de7-4198-8022-aecce2ffd41f) - [@tanstack/query-example-vue-nuxt3](https://pkg.pr.new/template/9f413e1b-91e2-4370-8f50-655d07aa7264) - [@tanstack/query-example-vue-persister](https://pkg.pr.new/template/0d24d448-275a-443b-824d-f07f9696e643) - [@tanstack/query-example-vue-simple](https://pkg.pr.new/template/41880c17-1e71-45c2-814c-4f917f78e94e)

@tanstack/angular-query-devtools-experimental

``` pnpm add https://pkg.pr.new/@tanstack/angular-query-devtools-experimental@8129 ```

@tanstack/eslint-plugin-query

``` pnpm add https://pkg.pr.new/@tanstack/eslint-plugin-query@8129 ```

@tanstack/angular-query-experimental

``` pnpm add https://pkg.pr.new/@tanstack/angular-query-experimental@8129 ```

@tanstack/query-async-storage-persister

``` pnpm add https://pkg.pr.new/@tanstack/query-async-storage-persister@8129 ```

@tanstack/query-broadcast-client-experimental

``` pnpm add https://pkg.pr.new/@tanstack/query-broadcast-client-experimental@8129 ```

@tanstack/query-core

``` pnpm add https://pkg.pr.new/@tanstack/query-core@8129 ```

@tanstack/query-devtools

``` pnpm add https://pkg.pr.new/@tanstack/query-devtools@8129 ```

@tanstack/query-persist-client-core

``` pnpm add https://pkg.pr.new/@tanstack/query-persist-client-core@8129 ```

@tanstack/query-sync-storage-persister

``` pnpm add https://pkg.pr.new/@tanstack/query-sync-storage-persister@8129 ```

@tanstack/react-query-devtools

``` pnpm add https://pkg.pr.new/@tanstack/react-query-devtools@8129 ```

@tanstack/react-query

``` pnpm add https://pkg.pr.new/@tanstack/react-query@8129 ```

@tanstack/react-query-next-experimental

``` pnpm add https://pkg.pr.new/@tanstack/react-query-next-experimental@8129 ```

@tanstack/react-query-persist-client

``` pnpm add https://pkg.pr.new/@tanstack/react-query-persist-client@8129 ```

@tanstack/solid-query

``` pnpm add https://pkg.pr.new/@tanstack/solid-query@8129 ```

@tanstack/solid-query-persist-client

``` pnpm add https://pkg.pr.new/@tanstack/solid-query-persist-client@8129 ```

@tanstack/solid-query-devtools

``` pnpm add https://pkg.pr.new/@tanstack/solid-query-devtools@8129 ```

@tanstack/svelte-query

``` pnpm add https://pkg.pr.new/@tanstack/svelte-query@8129 ```

@tanstack/svelte-query-devtools

``` pnpm add https://pkg.pr.new/@tanstack/svelte-query-devtools@8129 ```

@tanstack/svelte-query-persist-client

``` pnpm add https://pkg.pr.new/@tanstack/svelte-query-persist-client@8129 ```

@tanstack/vue-query

``` pnpm add https://pkg.pr.new/@tanstack/vue-query@8129 ```

@tanstack/vue-query-devtools

``` pnpm add https://pkg.pr.new/@tanstack/vue-query-devtools@8129 ```

commit: 9ed1d36

[codecov[bot]]

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 45.41%. Comparing base (08a568d) to head (9ed1d36). Report is 1 commits behind head on main.

Additional details and impacted files

[](https://app.codecov.io/gh/TanStack/query/pull/8129?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) ```diff @@ Coverage Diff @@ ## main #8129 +/- ## ======================================= Coverage 45.41% 45.41% ======================================= Files 200 200 Lines 7456 7456 Branches 1696 1697 +1 ======================================= Hits 3386 3386 Misses 3694 3694 Partials 376 376 ``` | [Components](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=components&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | Coverage Δ | | |---|---|---| | [@tanstack/angular-query-devtools-experimental](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `∅ <ø> (∅)` | | | [@tanstack/angular-query-experimental](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `86.58% <ø> (ø)` | | | [@tanstack/eslint-plugin-query](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `87.82% <ø> (ø)` | | | [@tanstack/query-async-storage-persister](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `43.85% <ø> (ø)` | | | [@tanstack/query-broadcast-client-experimental](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `∅ <ø> (∅)` | | | [@tanstack/query-codemods](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `0.00% <ø> (ø)` | | | [@tanstack/query-core](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `93.00% <ø> (ø)` | | | [@tanstack/query-devtools](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `4.79% <ø> (ø)` | | | [@tanstack/query-persist-client-core](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `57.73% <ø> (ø)` | | | [@tanstack/query-sync-storage-persister](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `82.50% <ø> (ø)` | | | [@tanstack/react-query](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `93.12% <ø> (ø)` | | | [@tanstack/react-query-devtools](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `10.00% <ø> (ø)` | | | [@tanstack/react-query-next-experimental](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `∅ <ø> (∅)` | | | [@tanstack/react-query-persist-client](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `100.00% <ø> (ø)` | | | [@tanstack/solid-query](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `78.20% <ø> (ø)` | | | [@tanstack/solid-query-devtools](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `∅ <ø> (∅)` | | | [@tanstack/solid-query-persist-client](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `100.00% <ø> (ø)` | | | [@tanstack/svelte-query](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `87.33% <ø> (ø)` | | | [@tanstack/svelte-query-devtools](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `∅ <ø> (∅)` | | | [@tanstack/svelte-query-persist-client](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `100.00% <ø> (ø)` | | | [@tanstack/vue-query](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `71.51% <ø> (ø)` | | | [@tanstack/vue-query-devtools](https://app.codecov.io/gh/TanStack/query/pull/8129/components?src=pr&el=component&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=TanStack) | `∅ <ø> (∅)` | |