New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency svelte to v3.49.0 [SECURITY] #138

Open

renovate wants to merge 1 commit into master from renovate/npm-svelte-vulnerability

renovate bot commented Sep 25, 2022 •

edited

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
svelte (source)	`3.42.4` -> `3.49.0`

GitHub Vulnerability Alerts

CVE-2022-25875

The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.

Release Notes

sveltejs/svelte (svelte)

`v3.49.0`

Improve performance of string escaping during SSR (#5701)
Add ComponentType and ComponentProps convenience types (#6770)
Add support for CSS @layer (#7504)
Export CompileOptions from svelte/compiler (#7658)
Fix DOM-less components not being properly destroyed (#7488)
Fix class: directive updates with <svelte:element> (#7521, #7571)
Harden attribute escaping during SSR (#7530)

`v3.48.0`

Allow creating cancelable custom events with createEventDispatcher (#4623)
Support {@const} tag in {#if} blocks #7241
Return the context object in setContext #7427
Allow comments inside {#each} blocks when using animate: (#3999)
Fix |local transitions in {#key} blocks (#5950)
Support svg namespace for {@html} (#7002, #7450)
Fix {@const} tag not working inside a component when there's no let: #7189
Remove extraneous leading newline inside <pre> and <textarea> (#7264)
Fix erroneous setting of textContent for <template> elements (#7297)
Fix value of let: bindings not updating in certain cases (#7440)
Fix handling of void tags in <svelte:element> (#7449)
Fix handling of boolean attributes in <svelte:element> (#7478)
Add special style scoping handling of [open] selectors on <dialog> elements (#7495)

`v3.47.0`

`v3.46.6`

`v3.46.5`

`v3.46.4`

`v3.46.3`

`v3.46.2`

Export FlipParams interface from svelte/animate (#7103)
Fix style: directive reactivity inside {#each} block (#7136)

`v3.46.1`

`v3.46.0`

`v3.45.0`

`v3.44.3`

`v3.44.2`

`v3.44.1`

`v3.44.0`

`v3.43.2`

`v3.43.1`

`v3.43.0`

`v3.42.6`

`v3.42.5`

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          Update dependency svelte to 3.49.0 [SECURITY]

d9a18dd

renovate bot changed the title ~~Update dependency svelte to 3.49.0 [SECURITY]~~ Update dependency svelte to v3.49.0 [SECURITY]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment