Skip to content

chore(deps): update dependency @sveltejs/kit to v2.20.6 [security] #82

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency @sveltejs/kit to v2.20.6 [security] #82

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Nov 25, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@sveltejs/kit (source) 2.5.28 -> 2.20.6 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-53262

Summary

The static error.html template for errors contains placeholders that are replaced without escaping the content first.

Details

From https://kit.svelte.dev/docs/errors:

error.html is the page that is rendered when everything else fails. It can contain the following placeholders:
%sveltekit.status% — the HTTP status
%sveltekit.error.message% — the error message

This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content that ends up being something like this inside a server handle function:

error(500, '<script>alert("boom")</script>');

Uncaught errors cannot be exploited like this, as they always render the message "Internal error".

Escaping the message string in the function that creates the html output can be done to improve safety for applications that are using custom errors on the server.

PoC

None provided

Impact

Only applications where user provided input is used in the Error message will be vulnerable, so the vast majority of applications will not be vulnerable

CVE-2024-53261

Summary

"Unsanitized input from the request URL flows into end, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)."

Details

Source of potentially tainted data is in packages/kit/src/exports/vite/dev/index.js, line 437. This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down to line 91 in packages/kit/src/exports/vite/utils.js, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

Another source of potentially tainted data (according to Snyk) comes from ‎packages/kit/src/exports/vite/utils.js, line 30, col 30 (i.e., the url property of req). This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down line 91 in packages/kit/src/exports/vite/utils.js, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

PoC

Not provided

Impact

Little to none. The Vite development is not exposed to the network by default. And even if someone were able to trick a developer into executing an XSS against themselves, a development database should not have any sensitive data.

CVE-2025-32388

Summary

Unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL.

Details

SvelteKit tracks which parameters in event.url.searchParams are read inside server load functions. If the application iterates over the these parameters, the uses.search_params array included in the boot script (embedded in the server-rendered HTML) will have any search param name included in unsanitized form.

packages/kit/src/runtime/server/utils.js:150 has the stringify_uses(node) function which prints these out.

Reproduction

In a +page.server.js or +layout.server.js:

/** @&#8203;type {import('@&#8203;sveltejs/kit').Load} */
export function load(event) {
  const values = {};

  for (const key of event.url.searchParams.keys()) {
    values[key] = event.url.searchParams.get(key);
  }
}

If a user visits the page in question via a link containing ?</script/><script>window.pwned%3D1</script/>, the </script> will be included verbatim in the payload, causing the embedded script to be executed.

It is not necessary to return the parameter value from load or render it in the page, only to read it (which causes it to be tracked as a dependency) while load is running.

Impact

Any application that iterates over all values in event.url.searchParams in a load function in +page.server.js or +layout.server.js (directly or indirectly) is vulnerable to XSS.

Release Notes

sveltejs/kit (@​sveltejs/kit)

v2.20.6

Compare Source

Patch Changes

v2.20.5

Compare Source

Patch Changes

  • allow HandleServerError hook to access getRequestEvent (#​13666)

  • fix: prevent Rollup warnings for undefined hooks (#​13687)

v2.20.4

Compare Source

Patch Changes
  • chore: remove internal class-replacement hack that isn't needed anymore (#​13664)

v2.20.3

Compare Source

Patch Changes
  • fix: only call afterNavigate once on app start when SSR is disabled (#​13593)

v2.20.2

Compare Source

Patch Changes
  • fix: allow non-prerendered API endpoint calls during reroute when prerendering (#​13616)

v2.20.1

Compare Source

Patch Changes
  • fix: avoid using top-level await (#​13607)

v2.20.0

Compare Source

Minor Changes
  • feat: add getRequestEvent to $app/server (#​13582)

v2.19.2

Compare Source

Patch Changes
  • fix: lazily load CSS for dynamically imported components (#​13564)

v2.19.1

Compare Source

Patch Changes
  • fix: allow reroute to point to prerendered route (#​13575)

v2.19.0

Compare Source

Minor Changes
Patch Changes

v2.18.0

Compare Source

Minor Changes
Patch Changes

  • fix: correct navigation history with hash router and ensure load functions are rerun on user changes to URL hash (#​13492)

  • fix: include universal load assets as server assets (#​13531)

  • fix: Include root layout and error nodes even when apps have only prerendered pages (#​13522)

  • fix: correctly preload data on mousedown/touchstart if code was preloaded on hover (#​13530)

v2.17.3

Compare Source

Patch Changes

  • fix: avoid simulated CORS errors with non-HTTP URLs (#​13493)

  • fix: correctly preload links on mousedown/touchstart (#​13486)

  • fix: load CSS when using server-side route resolution (#​13498)

  • fix: correctly find shared entry-point CSS files during inlining (#​13431)

v2.17.2

Compare Source

Patch Changes

  • fix: add promise return type to the enhance action callback (#​13420)

  • fix: change server-side route resolution endpoint (#​13461)

v2.17.1

Compare Source

Patch Changes
  • fix: make route resolution imports root-relative if paths.relative option is false (#​13412)

v2.17.0

Compare Source

Minor Changes

  • feat: validate values for cache-control and content-type headers in dev mode (#​13114)

  • feat: support server-side route resolution (#​13379)

Patch Changes

  • chore: don't error during development when using use:enhance with +server as some third party libraries make it possible to POST forms to it (#​13397)

  • fix: skip hooks for server fetch to prerendered routes (#​13377)

  • fix: ignore non-entry-point CSS files during inlining (#​13395)

  • fix: default server fetch to use prerendered paths (#​13377)

v2.16.1

Compare Source

Patch Changes

  • fix: avoid overwriting headers for sub-requests made while loading the error page (#​13341)

  • fix: correctly resolve index file entrypoints such as src/service-worker/index.js (#​13354)

  • fix: correctly handle relative anchors when using the hash router (#​13356)

v2.16.0

Compare Source

Minor Changes

  • feat: add ability to invalidate a custom identifier on goto() (#​13256)

  • feat: remove the postinstall script to support pnpm 10 (#​13304)

    NOTE: users should add "prepare": "svelte-kit sync" to their package.json in order to avoid the following warning upon first running Vite:

    ▲ [WARNING] Cannot find base config file "./.svelte-kit/tsconfig.json" [tsconfig.json]

    tsconfig.json:2:12:
      2 │   "extends": "./.svelte-kit/tsconfig.json",
        ╵              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • feat: provide PageProps and LayoutProps types (#​13308)

Patch Changes

  • perf: shorten chunk file names (#​13003)

  • fix: strip internal data before passing URL to reroute (#​13092)

  • fix: support absolute URLs and reroutes with data-sveltekit-preload-code="viewport" (#​12217)

  • fix: use current window.fetch for server load fetch requests (#​13315)

  • fix: resolve symlinks when handling routes (#​12740)

  • fix: prevent infinite reload when using the hash router and previewing /index.html (#​13296)

  • fix: service worker base path in dev mode (#​12577)

  • chore: error during development when using use:enhance with +server (#​13197)

  • chore: add most common status codes to redirect() JS documentation (#​13301)

  • fix: correctly link to assets inlined by the inlineStyleThreshold option (#​13068)

  • fix: fall back to importing dynamic dependencies relative to SvelteKit package (#​12532)

  • fix: use arrow function types over bound funcs (#​12955)

  • fix: correctly navigate when hash router is enabled and the browser encodes extra hashes (#​13321)

v2.15.3

Compare Source

Patch Changes

  • fix: fix race-condition when not using SSR when pressing back before initial load (#​12925)

  • fix: remove ":$" from virtual module ids to allow dev server to work with proxies (#​12157)

  • fix: upgrade esm-env to remove warning when NODE_ENV is not set (#​13291)

  • fix: handle Redirect thrown from root layout load function when client-side navigating to a non-existent page (#​12005)

  • fix: make param matchers generated type import end with .js (#​13286)

v2.15.2

Compare Source

Patch Changes

  • fix: correctly notify page store subscribers (#​13205)

  • fix: prerender data when there is no server load but the trailingSlash option is set from the server (#​13262)

  • fix: correctly remove navigation callbacks when returning function in onNavigate (#​13241)

v2.15.1

Compare Source

Patch Changes

  • fix: add CSP hashes/nonces to inline styles when using bundleStrategy: 'inline' (#​13232)

  • fix: silence dev/prod warning during sync (#​13244)

v2.15.0

Compare Source

Minor Changes
  • feat: add bundleStrategy: 'inline' option (#​13193)

v2.14.1

Compare Source

Patch Changes
  • fix: do not mutate URL during reroute logic (#​13222)

v2.14.0

Compare Source

Minor Changes
  • feat: add hash-based routing option (#​13191)
Patch Changes
  • fix: create new URL when calling goto(...), to handle case where URL is mutated (#​13196)

v2.13.0

Compare Source

Minor Changes
  • feat: add bundleStrategy: 'split' | 'single' option (#​13173)

v2.12.2

Compare Source

Patch Changes

  • fix: correctly resolve no hooks file when a similarly named directory exists (#​13188)

  • fix: correctly resolve $app/state on the server with Vite 5 (#​13192)

v2.12.1

Compare Source

Patch Changes
  • fix: replace navigating.current.<x> with navigating.<x> (#​13174)

v2.12.0

Compare Source

Minor Changes
Patch Changes
  • chore: specify the route ID in the error message during development when making a form action request to a route without form actions (#​13167)

v2.11.1

Compare Source

Patch Changes
  • fix: adhere to Vite build.minify setting when building the service worker (#​13143)

v2.11.0

Compare Source

Minor Changes
  • feat: transport custom types across the server/client boundary (#​13149)
Patch Changes
  • fix: correctly resolve hooks file when a similarly named directory exists (#​13144)

v2.10.1

Compare Source

Patch Changes
  • fix: export init hook from get_hooks (#​13136)

v2.10.0

Compare Source

Minor Changes
  • feat: server and client init hook (#​13103)
Patch Changes
  • fix: prevent hooks exported from hooks.js from overwriting hooks from hooks.server.js (#​13104)

v2.9.1

Compare Source

Patch Changes
  • fix: correctly match route groups preceding optional parameters (#​13099)

v2.9.0

Compare Source

Minor Changes
Patch Changes
  • fix: transform link[rel='shortcut icon'] and link[rel='apple-touch-icon'] to be absolute to avoid console error when navigating (#​13077)

v2.8.5

Compare Source

Patch Changes
  • fix: don't hydrate when falling back to error page (#​13056)

v2.8.4

Compare Source

Patch Changes
  • fix: update inline css url generation for FOUC prevention in dev (#​13007)

v2.8.3

Compare Source

Patch Changes

  • fix: ensure error messages are escaped (#​13050)

  • fix: escape values included in dev 404 page (#​13039)

v2.8.2

Compare Source

Patch Changes

  • fix: prevent duplicate fetch request when using Request with load function's fetch (#​13023)

  • fix: do not override default cookie decoder to allow users to override the cookie library version (#​13037)

v2.8.1

Compare Source

Patch Changes

  • fix: only add nonce to script-src-elem, style-src-attr and style-src-elem CSP directives when unsafe-inline is not present (#​11613)

  • fix: support HTTP/2 in dev and production. Revert the changes from #​12907 to downgrade HTTP/2 to TLS as now being unnecessary (#​12989)

v2.8.0

Compare Source

Minor Changes
  • feat: add helper to identify ActionFailure objects (#​12878)

v2.7.7

Compare Source

Patch Changes

v2.7.6

Compare Source

Patch Changes
  • fix: update broken links in JSDoc (#​12960)

v2.7.5

Compare Source

Patch Changes

  • fix: warn on invalid cookie name characters (#​12806)

  • fix: when using @vitejs/plugin-basic-ssl, set a no-op proxy config to downgrade from HTTP/2 to TLS since undici does not yet enable HTTP/2 by default (#​12907)

v2.7.4

Compare Source

Patch Changes

  • fix: ensure element is focused after subsequent clicks of the same hash link (#​12866)

  • fix: avoid preload if event default was prevented for touchstart and mousedown events (#​12887)

  • fix: avoid reloading behaviour for hash links with data-sveltekit-reload if the hash is on the same page (#​12866)

v2.7.3

Compare Source

Patch Changes

  • fix: include importer in illegal import error message (#​12820)

  • fix: don't try reading assets directly that aren't present (#​12876)

  • fix: decode non-latin characters when previewing prerendered pages (#​12874)

  • fix: better error message when a Result is returned from a form action (#​12829)

  • docs: update URLs for new svelte.dev site (#​12857)

v2.7.2

Compare Source

Patch Changes
  • fix: use absolute links in JSDoc comments (#​12718)

v2.7.1

Compare Source

Patch Changes

  • chore: upgrade to sirv 3.0 (#​12796)

  • fix: warn when form action responses are lost because SSR is off (#​12063)

v2.7.0

Compare Source

Minor Changes
  • feat: update service worker when new version is detected (#​12448)
Patch Changes

  • fix: correctly handle relative paths when fetching assets on the server (#​12113)

  • fix: decode non ASCII anchor hashes when scrolling into view (#​12699)

  • fix: page response missing CSP and Link headers when return promise in load (#​12418)

v2.6.4

Compare Source

Patch Changes

  • fix: only preload links that have a different URL than the current page (#​12773)

  • fix: revert change to replace version in generateBundle (#​12779)

  • fix: catch stack trace fixing errors thrown in web containers (#​12775)

  • fix: use absolute links in JSDoc comments (#​12772)

v2.6.3

Compare Source

Patch Changes

  • fix: ensure a changing version doesn't affect the hashes for chunks without any actual code changes (#​12700)

  • fix: prevent crash when logging URL search params in a server load function (#​12763)

  • chore: revert update dependency cookie to ^0.7.0 (#​12767)

v2.6.2

Compare Source

Patch Changes
  • chore(deps): update dependency cookie to ^0.7.0 (#​12746)

v2.6.1

Compare Source

Patch Changes
  • fix: better error message when calling push/replaceState before router is initialized (#​11968)

v2.6.0

Compare Source

Minor Changes
  • feat: support typed arrays in load functions (#​12716)
Patch Changes
  • fix: open a new tab for <form target="_blank"> and ` submissions (#​11936)

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Vienna, Automerge - "* 0-3 * * *" in timezone Europe/Vienna.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the security label Nov 25, 2024
@cloudflare-workers-and-pages Cloudflare Workers and Pages
Copy link

cloudflare-workers-and-pages bot commented Nov 25, 2024
edited
Loading

Deploying svelte-tiny-virtual-list with  Cloudflare Pages  Cloudflare Pages

Latest commit: f42d39b
Status: ✅  Deploy successful!
Preview URL: https://49445079.svelte-tiny-virtual-list.pages.dev
Branch Preview URL: https://renovate-npm-sveltejs-kit-vu.svelte-tiny-virtual-list.pages.dev

View logs

@renovate renovate bot requested a review from jonasgeiler November 25, 2024 18:47
@renovate
chore(deps): update dependency @sveltejs/kit to v2.20.6 [security]
f42d39b 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/npm-sveltejs-kit-vulnerability branch from 9ea7c64 to f42d39b Compare April 14, 2025 23:09
@renovate renovate bot changed the title chore(deps): update dependency @sveltejs/kit to v2.8.3 [security] chore(deps): update dependency @sveltejs/kit to v2.20.6 [security] Apr 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jonasgeiler jonasgeiler Awaiting requested review from jonasgeiler

Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants