chore(deps): update dependency svelte to v4.2.19 [security]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
svelte (source)	`4.2.8` -> `4.2.19`

GitHub Vulnerability Alerts

CVE-2024-45047

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

If the string is an attribute value:
- " -> "
- & -> &
- Other characters -> No conversion
Otherwise:
- < -> <
- & -> &
- Other characters -> No conversion

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

Release Notes

sveltejs/svelte (svelte)

### [`v4.2.19`](https://redirect.github.com/sveltejs/svelte/releases/tag/svelte%404.2.19) [Compare Source](https://redirect.github.com/sveltejs/svelte/compare/svelte@4.2.18...svelte@4.2.19) ##### Patch Changes - fix: ensure typings for `` are picked up ([#12902](https://redirect.github.com/sveltejs/svelte/pull/12902)) - fix: escape `<` in attribute strings ([#12989](https://redirect.github.com/sveltejs/svelte/pull/12989)) ### [`v4.2.18`](https://redirect.github.com/sveltejs/svelte/releases/tag/svelte%404.2.18) [Compare Source](https://redirect.github.com/sveltejs/svelte/compare/svelte@4.2.17...svelte@4.2.18) ##### Patch Changes - chore: speed up regex ([#11922](https://redirect.github.com/sveltejs/svelte/pull/11922)) ### [`v4.2.17`](https://redirect.github.com/sveltejs/svelte/releases/tag/svelte%404.2.17) [Compare Source](https://redirect.github.com/sveltejs/svelte/compare/svelte@4.2.16...svelte@4.2.17) ##### Patch Changes - fix: correctly handle falsy values of style directives in SSR mode ([#11584](https://redirect.github.com/sveltejs/svelte/pull/11584)) ### [`v4.2.16`](https://redirect.github.com/sveltejs/svelte/releases/tag/svelte%404.2.16) [Compare Source](https://redirect.github.com/sveltejs/svelte/compare/svelte@4.2.15...svelte@4.2.16) ##### Patch Changes - fix: check if svelte component exists on custom element destroy ([#11489](https://redirect.github.com/sveltejs/svelte/pull/11489)) ### [`v4.2.15`](https://redirect.github.com/sveltejs/svelte/releases/tag/svelte%404.2.15) [Compare Source](https://redirect.github.com/sveltejs/svelte/compare/svelte@4.2.14...svelte@4.2.15) ##### Patch Changes - support attribute selector inside :global() ([#11135](https://redirect.github.com/sveltejs/svelte/pull/11135)) ### [`v4.2.14`](https://redirect.github.com/sveltejs/svelte/releases/tag/svelte%404.2.14) [Compare Source](https://redirect.github.com/sveltejs/svelte/compare/svelte@4.2.13...svelte@4.2.14) ##### Patch Changes - fix parsing camelcase container query name ([#11131](https://redirect.github.com/sveltejs/svelte/pull/11131)) ### [`v4.2.13`](https://redirect.github.com/sveltejs/svelte/releases/tag/svelte%404.2.13) [Compare Source](https://redirect.github.com/sveltejs/svelte/compare/svelte@4.2.12...svelte@4.2.13) ##### Patch Changes - fix: applying :global for +,~ sibling combinator when slots are present ([#9282](https://redirect.github.com/sveltejs/svelte/pull/9282)) ### [`v4.2.12`](https://redirect.github.com/sveltejs/svelte/releases/tag/svelte%404.2.12) [Compare Source](https://redirect.github.com/sveltejs/svelte/compare/svelte@4.2.11...svelte@4.2.12) ##### Patch Changes - fix: properly update `svelte:component` props when there are spread props ([#10604](https://redirect.github.com/sveltejs/svelte/pull/10604)) ### [`v4.2.11`](https://redirect.github.com/sveltejs/svelte/releases/tag/svelte%404.2.11) [Compare Source](https://redirect.github.com/sveltejs/svelte/compare/svelte@4.2.10...svelte@4.2.11) ##### Patch Changes - fix: check that component wasn't instantiated in `connectedCallback` ([#10466](https://redirect.github.com/sveltejs/svelte/pull/10466)) ### [`v4.2.10`](https://redirect.github.com/sveltejs/svelte/releases/tag/svelte%404.2.10) [Compare Source](https://redirect.github.com/sveltejs/svelte/compare/svelte@4.2.9...svelte@4.2.10) ##### Patch Changes - fix: add `scrollend` event type ([#10336](https://redirect.github.com/sveltejs/svelte/pull/10336)) - fix: add `fetchpriority` attribute type ([#10390](https://redirect.github.com/sveltejs/svelte/pull/10390)) - fix: Add `miter-clip` and `arcs` to `stroke-linejoin` attribute ([#10377](https://redirect.github.com/sveltejs/svelte/pull/10377)) - fix: make inline doc links valid ([#10366](https://redirect.github.com/sveltejs/svelte/pull/10366)) ### [`v4.2.9`](https://redirect.github.com/sveltejs/svelte/releases/tag/svelte%404.2.9) [Compare Source](https://redirect.github.com/sveltejs/svelte/compare/svelte@4.2.8...svelte@4.2.9) ##### Patch Changes - fix: add types for popover attributes and events ([#10042](https://redirect.github.com/sveltejs/svelte/pull/10042)) - fix: add `gamepadconnected` and `gamepaddisconnected` events ([#9864](https://redirect.github.com/sveltejs/svelte/pull/9864)) - fix: make `@types/estree` a dependency ([#10149](https://redirect.github.com/sveltejs/svelte/pull/10149)) - fix: bump `axobject-query` ([#10167](https://redirect.github.com/sveltejs/svelte/pull/10167))

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

oplik0 / solo2-desktop