First off, love svelte, the team is really doing a good job focusing on developer ergonomics.

That said, I’m not surprised to see a list of CVEs impacting devalue. After running into some (seemingly arbitrary) limitations, I skimmed the code and it definitely felt like there was some sketchiness to it, given how it handles user inputs. If I were nefarious or a security researcher it would definitely be a focal point for me.

I want to ask simply for curiosity. Knowing you felt this way about that code, and I'm assuming knew that it had some level of relative importance to Svelte as a whole, how did that inform your decision making, if at all?

My decision making to use svelte? TBH I looked at source only well after I was far enough along development to be committed to it as a framework.

That said, I don’t have any regrets, it’s a pleasure to use svelte and I trust the team’s direction. This particular app is already locked down to internal/trusted users. For something more public or security critical it may warrant a deeper dive and more consideration.

It’s probably comparable to other js frameworks, and auditing every package before you use it will leave you in analysis paralysis. I have a low opinion of software in general, but svelte isn’t a particular standout in that aspect.

The phrase is typically analysis paralysis, but the image of a team of analysts frozen in fear is quite evocative.

Autocorrected on my iPhone, but sometimes the best thing analysts could do is nothing ;)

Yeah I have never been a fan of the devalue part of svelte.
