Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency @sveltejs/kit to v2.8.3 [security] #505

Merged
merged 2 commits into from
Nov 25, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Nov 25, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@sveltejs/kit (source) 2.5.24 -> 2.8.3 age adoption passing confidence

GitHub Vulnerability Alerts

GHSA-mh2x-fcqh-fmqv

Summary

The static error.html template for errors contains placeholders that are replaced without escaping the content first.

Details

From https://kit.svelte.dev/docs/errors:

error.html is the page that is rendered when everything else fails. It can contain the following placeholders:
%sveltekit.status% — the HTTP status
%sveltekit.error.message% — the error message

This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content that ends up being something like this inside a server handle function:

error(500, '<script>alert("boom")</script>');

Uncaught errors cannot be exploited like this, as they always render the message "Internal error".

Escaping the message string in the function that creates the html output can be done to improve safety for applications that are using custom errors on the server.

PoC

None provided

Impact

Only applications where user provided input is used in the Error message will be vulnerable, so the vast majority of applications will not be vulnerable

GHSA-rjjv-87mx-6x3h

Summary

"Unsanitized input from the request URL flows into end, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)."

Details

Source of potentially tainted data is in packages/kit/src/exports/vite/dev/index.js, line 437. This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down to line 91 in packages/kit/src/exports/vite/utils.js, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

Another source of potentially tainted data (according to Snyk) comes from ‎packages/kit/src/exports/vite/utils.js, line 30, col 30 (i.e., the url property of req). This potentially tainted data is passed through a number of steps (which I could detail if you'd like) all the way down line 91 in packages/kit/src/exports/vite/utils.js, which performs an operation that Snyk believes an attacker shouldn't be allowed to manipulate.

PoC

Not provided

Impact

Little to none. The Vite development is not exposed to the network by default. And even if someone were able to trick a developer into executing an XSS against themselves, a development database should not have any sensitive data.


Release Notes

sveltejs/kit (@​sveltejs/kit)

v2.8.3

Compare Source

Patch Changes
  • fix: ensure error messages are escaped (#​13050)

  • fix: escape values included in dev 404 page (#​13039)

v2.8.2

Compare Source

Patch Changes
  • fix: prevent duplicate fetch request when using Request with load function's fetch (#​13023)

  • fix: do not override default cookie decoder to allow users to override the cookie library version (#​13037)

v2.8.1

Compare Source

Patch Changes
  • fix: only add nonce to script-src-elem, style-src-attr and style-src-elem CSP directives when unsafe-inline is not present (#​11613)

  • fix: support HTTP/2 in dev and production. Revert the changes from #​12907 to downgrade HTTP/2 to TLS as now being unnecessary (#​12989)

v2.8.0

Compare Source

Minor Changes
  • feat: add helper to identify ActionFailure objects (#​12878)

v2.7.7

Compare Source

Patch Changes

v2.7.6

Compare Source

Patch Changes
  • fix: update broken links in JSDoc (#​12960)

v2.7.5

Compare Source

Patch Changes
  • fix: warn on invalid cookie name characters (#​12806)

  • fix: when using @vitejs/plugin-basic-ssl, set a no-op proxy config to downgrade from HTTP/2 to TLS since undici does not yet enable HTTP/2 by default (#​12907)

v2.7.4

Compare Source

Patch Changes
  • fix: ensure element is focused after subsequent clicks of the same hash link (#​12866)

  • fix: avoid preload if event default was prevented for touchstart and mousedown events (#​12887)

  • fix: avoid reloading behaviour for hash links with data-sveltekit-reload if the hash is on the same page (#​12866)

v2.7.3

Compare Source

Patch Changes
  • fix: include importer in illegal import error message (#​12820)

  • fix: don't try reading assets directly that aren't present (#​12876)

  • fix: decode non-latin characters when previewing prerendered pages (#​12874)

  • fix: better error message when a Result is returned from a form action (#​12829)

  • docs: update URLs for new svelte.dev site (#​12857)

v2.7.2

Compare Source

Patch Changes
  • fix: use absolute links in JSDoc comments (#​12718)

v2.7.1

Compare Source

Patch Changes
  • chore: upgrade to sirv 3.0 (#​12796)

  • fix: warn when form action responses are lost because SSR is off (#​12063)

v2.7.0

Compare Source

Minor Changes
  • feat: update service worker when new version is detected (#​12448)
Patch Changes
  • fix: correctly handle relative paths when fetching assets on the server (#​12113)

  • fix: decode non ASCII anchor hashes when scrolling into view (#​12699)

  • fix: page response missing CSP and Link headers when return promise in load (#​12418)

v2.6.4

Compare Source

Patch Changes
  • fix: only preload links that have a different URL than the current page (#​12773)

  • fix: revert change to replace version in generateBundle (#​12779)

  • fix: catch stack trace fixing errors thrown in web containers (#​12775)

  • fix: use absolute links in JSDoc comments (#​12772)

v2.6.3

Compare Source

Patch Changes
  • fix: ensure a changing version doesn't affect the hashes for chunks without any actual code changes (#​12700)

  • fix: prevent crash when logging URL search params in a server load function (#​12763)

  • chore: revert update dependency cookie to ^0.7.0 (#​12767)

v2.6.2

Compare Source

Patch Changes
  • chore(deps): update dependency cookie to ^0.7.0 (#​12746)

v2.6.1

Compare Source

Patch Changes
  • fix: better error message when calling push/replaceState before router is initialized (#​11968)

v2.6.0

Compare Source

Minor Changes
  • feat: support typed arrays in load functions (#​12716)
Patch Changes
  • fix: open a new tab for <form target="_blank"> and ` submissions (#​11936)

v2.5.28

Compare Source

Patch Changes
  • fix: import node:process instead of using globals (#​12641)

v2.5.27

Compare Source

Patch Changes
  • fix: asynchronously instantiate components when using Svelte 5 (#​12613)

  • fix: use {@&#8203;render ...} tag when generating default fallback page for svelte 5 apps (#​12653)

  • fix: emulate event.platform even when the route does not exist (#​12513)

v2.5.26

Compare Source

Patch Changes
  • fix: exclude service worker directory from tsconfig (#​12196)

v2.5.25

Compare Source

Patch Changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Copy link

cloudflare-workers-and-pages bot commented Nov 25, 2024

Deploying svelte-hydrated with  Cloudflare Pages  Cloudflare Pages

Latest commit: 20aab0f
Status: ✅  Deploy successful!
Preview URL: https://1ba59a56.svelte-hydrated.pages.dev
Branch Preview URL: https://renovate-npm-sveltejs-kit-vu.svelte-hydrated.pages.dev

View logs

@wraith-ci
Copy link
Contributor

wraith-ci bot commented Nov 25, 2024

Wraith CI 👻 Retry Request

Check the box to re-trigger CI.

  • Wraith CI
  • Wraith CI / PR

Copy link

coderabbitai bot commented Nov 25, 2024

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

Copy link

socket-security bot commented Nov 25, 2024

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@sveltejs/[email protected] environment, eval Transitive: filesystem +18 1.65 MB svelte-admin

🚮 Removed packages: npm/@sveltejs/[email protected]

View full report↗︎

Copy link
Contributor Author

renovate bot commented Nov 25, 2024

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@wraith-ci wraith-ci bot requested a review from jill64 November 25, 2024 16:13
@wraith-ci wraith-ci bot enabled auto-merge November 25, 2024 16:14
@wraith-ci wraith-ci bot merged commit 9e476c1 into main Nov 25, 2024
8 checks passed
@wraith-ci wraith-ci bot deleted the renovate/npm-sveltejs-kit-vulnerability branch November 25, 2024 16:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants