Skip to content

Commit d1ffb41

Browse files
Merge pull request #513 from ejarocki-cloudlinux/master
JS: add Svelte
2 parents e648532 + 54e0763 commit d1ffb41

1 file changed

Lines changed: 268 additions & 0 deletions

File tree

Lines changed: 268 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,268 @@
1+
# Svelte
2+
3+
Endless Lifecycle Support (ELS) for Svelte from TuxCare provides security fixes for Svelte versions that have reached their end of life. This allows you to continue running Svelte applications without vulnerability concerns, even after official support has ended.
4+
5+
## Supported Svelte Versions
6+
7+
* Svelte 0.3.0, 1.64.1, 2.16.1, 3.59.2, 4.2.20
8+
9+
## Connection to ELS for Svelte Library
10+
11+
This guide outlines the steps needed to integrate the TuxCare ELS for the Svelte library.
12+
13+
## Step 1: Get Token
14+
15+
You need a token in order to use TuxCare ELS Svelte library. Anonymous access is disabled. To receive the token, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com).
16+
17+
## Step 2: Set Up ELS for Svelte
18+
19+
TuxCare provides ELS for Svelte as an NPM package, hosted on a secure internal registry. Follow the steps below to add it to your project and get started.
20+
21+
1. Navigate to the root directory of your Svelte project.
22+
2. Create a `.npmrc` file or update it if it already exists.
23+
24+
**Example:**
25+
26+
```text
27+
my-svelte-project/
28+
├── node_modules/
29+
├── package.json
30+
├── .npmrc ⚠️ ← Create it here
31+
└── package-lock.json
32+
```
33+
34+
3. Use an editor of your choice (e.g., VS Code) to add the following registry address line:
35+
36+
```text
37+
registry=https://registry.npmjs.org/
38+
@els-js:registry=https://nexus.repo.tuxcare.com/repository/els_js/
39+
//nexus.repo.tuxcare.com/repository/els_js/:_auth=${TOKEN}
40+
```
41+
42+
:::warning
43+
Replace ${TOKEN} with the token you received from [sales@tuxcare.com](mailto:sales@tuxcare.com).
44+
:::
45+
46+
4. Update your `package.json` file to replace your Svelte dependencies with the TuxCare packages. You can do this in two ways:
47+
48+
* **Option 1: Manual update**
49+
50+
Manually update your `package.json` file by replacing your Svelte dependencies with the TuxCare packages. This method gives you full control over which packages to update.
51+
52+
<TableTabs label="Choose Svelte version: " >
53+
54+
<template #svelte_0.3.0>
55+
56+
```text
57+
"dependencies": {
58+
"svelte": "npm:@els-js/svelte@>=0.3.0-tuxcare.1"
59+
},
60+
"overrides": {
61+
"svelte@0.3.0": "npm:@els-js/svelte@>=0.3.0-tuxcare.1"
62+
}
63+
```
64+
65+
</template>
66+
67+
<template #svelte_1.64.1>
68+
69+
```text
70+
"dependencies": {
71+
"svelte": "npm:@els-js/svelte@>=1.64.1-tuxcare.1"
72+
},
73+
"overrides": {
74+
"svelte@1.64.1": "npm:@els-js/svelte@>=1.64.1-tuxcare.1"
75+
}
76+
```
77+
78+
</template>
79+
80+
<template #svelte_2.16.1>
81+
82+
```text
83+
"dependencies": {
84+
"svelte": "npm:@els-js/svelte@>=2.16.1-tuxcare.1"
85+
},
86+
"overrides": {
87+
"svelte@2.16.1": "npm:@els-js/svelte@>=2.16.1-tuxcare.1"
88+
}
89+
```
90+
91+
</template>
92+
93+
<template #svelte_3.59.2>
94+
95+
```text
96+
"dependencies": {
97+
"svelte": "npm:@els-js/svelte@>=3.59.2-tuxcare.1"
98+
},
99+
"overrides": {
100+
"svelte@3.59.2": "npm:@els-js/svelte@>=3.59.2-tuxcare.1"
101+
}
102+
```
103+
104+
</template>
105+
106+
<template #svelte_4.2.20>
107+
108+
```text
109+
"dependencies": {
110+
"svelte": "npm:@els-js/svelte@>=4.2.20-tuxcare.1"
111+
},
112+
"overrides": {
113+
"svelte@4.2.20": "npm:@els-js/svelte@>=4.2.20-tuxcare.1"
114+
}
115+
```
116+
117+
</template>
118+
119+
</TableTabs>
120+
121+
* **Option 2: TuxCare Patcher (Automated)**
122+
123+
Install the Patcher globally and run it. The TuxCare Patcher automatically detects the Svelte version in your `package.json` and updates your `dependencies` and `overrides` to use the corresponding TuxCare `@els-js/*` packages.
124+
125+
```text
126+
npm install -g @els-js/tuxcare-patcher --userconfig ./.npmrc
127+
tuxcare-patch-js
128+
```
129+
130+
The patcher will update your `package.json`, for example, from:
131+
132+
```text
133+
"dependencies": {
134+
"svelte": "^4.2.20"
135+
}
136+
```
137+
138+
to:
139+
140+
```text
141+
"dependencies": {
142+
"svelte": "npm:@els-js/svelte@>=4.2.20-tuxcare.1"
143+
},
144+
"overrides": {
145+
"svelte@4.2.20": "npm:@els-js/svelte@>=4.2.20-tuxcare.1"
146+
}
147+
```
148+
149+
5. You need to remove the `node_modules` directory and the `package-lock.json` file, and also clear the `npm cache` before installing the patched packages. Use the following commands:
150+
151+
```text
152+
rm -rf node_modules package-lock.json && npm cache clean --force
153+
```
154+
155+
6. Run the following command to install the ELS version of the Svelte library (token for the TuxCare repository will be automatically picked up from your `.npmrc` file):
156+
157+
```text
158+
npm install
159+
```
160+
161+
## Step 3: Verify Installation
162+
163+
1. To confirm the TuxCare Svelte library is set up correctly, use npm to list the project's dependencies:
164+
165+
```text
166+
npm list
167+
```
168+
169+
2. After reviewing the dependencies, run your application to ensure everything works correctly.
170+
171+
The `npm` tool should be able to identify and resolve dependencies from the TuxCare ELS for Svelte repository.
172+
173+
## Vulnerability Exploitability eXchange (VEX)
174+
175+
VEX is a machine-readable format that tells you if a known vulnerability is actually exploitable in your product. It reduces false positives, helps prioritize real risks.
176+
177+
TuxCare provides VEX for Svelte ELS versions: [security.tuxcare.com/vex/cyclonedx/els_lang_javascript/svelte/](https://security.tuxcare.com/vex/cyclonedx/els_lang_javascript/svelte/).
178+
179+
## Software Bill of Materials (SBOM)
180+
181+
For each published ELS package and version, TuxCare generates SBOM files. Those artifacts are published to TuxCare Nexus.
182+
183+
You can browse SBOM files for Svelte here:
184+
185+
[https://nexus.repo.tuxcare.com/#browse/browse:els-js-sbom:svelte](https://nexus.repo.tuxcare.com/#browse/browse:els-js-sbom:svelte)
186+
187+
Use the credentials you received for TuxCare ELS ([Step 1: Get Token](#step-1:-get-token)) to access Nexus.
188+
189+
## How to Upgrade to a Newer Version of TuxCare Packages
190+
191+
If you have already installed a package with a `tuxcare.1` suffix and want to upgrade to a newer release (for example, `tuxcare.3`), remove node_modules, clear the npm cache to avoid conflicts, and then run the installation command:
192+
193+
```text
194+
rm -rf node_modules package-lock.json && npm cache clean --force
195+
npm install
196+
```
197+
198+
## Resolved CVEs
199+
200+
Fixes for the following **direct** vulnerabilities in the `svelte` package are available in ELS for Svelte from TuxCare versions:
201+
202+
<TableTabs label="Choose Svelte version: " >
203+
204+
<template #svelte_0.3.0>
205+
206+
| CVE ID | CVE Type | Severity | Affected Libraries | Vulnerable Versions |
207+
| :------------: | :------: |:--------:|:------------------:| :----------------: |
208+
| CVE-2022-25875 | Direct | Medium | svelte | < 3.49.0 |
209+
| CVE-2024-45047 | Direct | Medium | svelte | < 4.2.19 |
210+
| CVE-2026-27125 | Direct | Medium | svelte | < 5.51.5 |
211+
| CVE-2026-27122 | Direct | Medium | svelte | < 5.51.5 |
212+
| CVE-2026-27121 | Direct | Medium | svelte | < 5.51.5 |
213+
| CVE-2026-27901 | Direct | Medium | svelte | < 5.53.5 |
214+
215+
</template>
216+
217+
<template #svelte_1.64.1>
218+
219+
| CVE ID | CVE Type | Severity | Affected Libraries | Vulnerable Versions |
220+
| :------------: | :------: |:--------:|:------------------:| :----------------: |
221+
| CVE-2022-25875 | Direct | Medium | svelte | < 3.49.0 |
222+
| CVE-2024-45047 | Direct | Medium | svelte | < 4.2.19 |
223+
| CVE-2026-27125 | Direct | Medium | svelte | < 5.51.5 |
224+
| CVE-2026-27122 | Direct | Medium | svelte | < 5.51.5 |
225+
| CVE-2026-27121 | Direct | Medium | svelte | < 5.51.5 |
226+
| CVE-2026-27901 | Direct | Medium | svelte | < 5.53.5 |
227+
228+
</template>
229+
230+
<template #svelte_2.16.1>
231+
232+
| CVE ID | CVE Type | Severity | Affected Libraries | Vulnerable Versions |
233+
| :------------: | :------: |:--------:|:------------------:| :----------------: |
234+
| CVE-2022-25875 | Direct | Medium | svelte | < 3.49.0 |
235+
| CVE-2024-45047 | Direct | Medium | svelte | < 4.2.19 |
236+
| CVE-2026-27125 | Direct | Medium | svelte | < 5.51.5 |
237+
| CVE-2026-27122 | Direct | Medium | svelte | < 5.51.5 |
238+
| CVE-2026-27121 | Direct | Medium | svelte | < 5.51.5 |
239+
| CVE-2026-27901 | Direct | Medium | svelte | < 5.53.5 |
240+
241+
</template>
242+
243+
<template #svelte_3.59.2>
244+
245+
| CVE ID | CVE Type | Severity | Affected Libraries | Vulnerable Versions |
246+
| :------------: | :------: |:--------:|:------------------:| :----------------: |
247+
| CVE-2024-45047 | Direct | Medium | svelte | < 4.2.19 |
248+
| CVE-2026-27125 | Direct | Medium | svelte | < 5.51.5 |
249+
| CVE-2026-27122 | Direct | Medium | svelte | < 5.51.5 |
250+
| CVE-2026-27121 | Direct | Medium | svelte | < 5.51.5 |
251+
| CVE-2026-27901 | Direct | Medium | svelte | < 5.53.5 |
252+
253+
</template>
254+
255+
<template #svelte_4.2.20>
256+
257+
| CVE ID | CVE Type | Severity | Affected Libraries | Vulnerable Versions |
258+
| :------------: | :------: |:--------:|:------------------:| :----------------: |
259+
| CVE-2026-27125 | Direct | Medium | svelte | < 5.51.5 |
260+
| CVE-2026-27122 | Direct | Medium | svelte | < 5.51.5 |
261+
| CVE-2026-27121 | Direct | Medium | svelte | < 5.51.5 |
262+
| CVE-2026-27901 | Direct | Medium | svelte | < 5.53.5 |
263+
264+
</template>
265+
266+
</TableTabs>
267+
268+
If you are interested in the TuxCare Endless Lifecycle Support, contact [sales@tuxcare.com](mailto:sales@tuxcare.com).

0 commit comments

Comments
 (0)