I attempted the migration in January and it didn't seem so hard, but I stopped because we needed to drop node 16 support. If someone has issues upgrading node on a particular machine, we could suggest a different solution, like running fractal-web in a container.
The latest version of Svelte 3, v3.59.2, was released in June 2023, so I assume the developers don't support it anymore, not even with security fixes. I couldn't find any documentation outlining the duration of support for specific versions.
Now we have a security alert from dependabot about a minor vulnerability that was fixed in Svelte >= 4.2.19:
https://github.com/fractal-analytics-platform/fractal-web/security/dependabot/26
This is a reflected XSS, which is not a critical vulnerability, since it requires the user to click on malicious links, for example received in a spam email message. Looking at the PoC, I don't think we are affected in any case; however, if something more serious is discovered in the next months we might have some problems.
I think it's time to migrate to Svelte 4.