Research
Security News
Kill Switch Hidden in npm Packages Typosquatting Chalk and Chokidar
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
@kingsds/engine.io-client
Advanced tools
This is the client for Engine.IO, the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO.
You can find an engine.io.js
file in this repository, which is a
standalone build you can use as follows:
<script src="/path/to/engine.io.js"></script>
<script>
// eio = Socket
const socket = eio('ws://localhost');
socket.on('open', () => {
socket.on('message', (data) => {});
socket.on('close', () => {});
});
</script>
Engine.IO is a commonjs module, which means you can include it by using
require
on the browser and package using browserify:
install the client package
$ npm install engine.io-client
write your app code
const { Socket } = require('engine.io-client');
const socket = new Socket('ws://localhost');
socket.on('open', () => {
socket.on('message', (data) => {});
socket.on('close', () => {});
});
build your app bundle
$ browserify app.js > bundle.js
include on your page
<script src="/path/to/bundle.js"></script>
<script src="/path/to/engine.io.js"></script>
<script>
const socket = eio('ws://localhost/');
socket.binaryType = 'blob';
socket.on('open', () => {
socket.send(new Int8Array(5));
socket.on('message', (blob) => {});
socket.on('close', () => {});
});
</script>
Add engine.io-client
to your package.json
and then:
const { Socket } = require('engine.io-client');
const socket = new Socket('ws://localhost');
socket.on('open', () => {
socket.on('message', (data) => {});
socket.on('close', () => {});
});
const opts = {
key: fs.readFileSync('test/fixtures/client.key'),
cert: fs.readFileSync('test/fixtures/client.crt'),
ca: fs.readFileSync('test/fixtures/ca.crt')
};
const { Socket } = require('engine.io-client');
const socket = new Socket('ws://localhost', opts);
socket.on('open', () => {
socket.on('message', (data) => {});
socket.on('close', () => {});
});
const opts = {
extraHeaders: {
'X-Custom-Header-For-My-Project': 'my-secret-access-token',
'Cookie': 'user_session=NI2JlCKF90aE0sJZD9ZzujtdsUqNYSBYxzlTsvdSUe35ZzdtVRGqYFr0kdGxbfc5gUOkR9RGp20GVKza; path=/; expires=Tue, 07-Apr-2015 18:18:08 GMT; secure; HttpOnly'
}
};
const { Socket } = require('engine.io-client');
const socket = new Socket('ws://localhost', opts);
socket.on('open', () => {
socket.on('message', (data) => {});
socket.on('close', () => {});
});
In the browser, the WebSocket object does not support additional headers.
In case you want to add some headers as part of some authentication mechanism, you can use the transportOptions
attribute.
Please note that in this case the headers won't be sent in the WebSocket upgrade request.
// WILL NOT WORK in the browser
const socket = new Socket('http://localhost', {
extraHeaders: {
'X-Custom-Header-For-My-Project': 'will not be sent'
}
});
// WILL NOT WORK
const socket = new Socket('http://localhost', {
transports: ['websocket'], // polling is disabled
transportOptions: {
polling: {
extraHeaders: {
'X-Custom-Header-For-My-Project': 'will not be sent'
}
}
}
});
// WILL WORK
const socket = new Socket('http://localhost', {
transports: ['polling', 'websocket'],
transportOptions: {
polling: {
extraHeaders: {
'X-Custom-Header-For-My-Project': 'will be used'
}
}
}
});
Engine
message
event.The client class. Mixes in Emitter.
Exposed as eio
in the browser standalone build.
protocol
(Number): protocol revision numberbinaryType
(String) : can be set to 'arraybuffer' or 'blob' in browsers,
and buffer
or arraybuffer
in Node. Blob is only used in browser if it's
supported.open
message
String
| ArrayBuffer
: utf-8 encoded data or ArrayBuffer containing
binary dataclose
open
event does not occur (i.e. due to connection error or close()
).error
flush
drain
drain
event of transport if writeBuffer is emptyupgradeError
upgrade
ping
pong
String
uriObject
: optional, options objectagent
(http.Agent
): http.Agent
to use, defaults to false
(NodeJS only)upgrade
(Boolean
): defaults to true, whether the client should try
to upgrade the transport from long-polling to something better.forceBase64
(Boolean
): forces base 64 encoding for polling transport even when XHR2 responseType is available and WebSocket even if the used standard supports binary.withCredentials
(Boolean
): defaults to false
, whether to include credentials (cookies, authorization headers, TLS client certificates, etc.) with cross-origin XHR polling requests.timestampRequests
(Boolean
): whether to add the timestamp with each
transport request. Note: polling requests are always stamped unless this
option is explicitly set to false
(false
)timestampParam
(String
): timestamp parameter (t
)path
(String
): path to connect to, default is /engine.io
transports
(Array
): a list of transports to try (in order).
Defaults to ['polling', 'websocket']
. Engine
always attempts to connect directly with the first one, provided the
feature detection test for it passes.transportOptions
(Object
): hash of options, indexed by transport name, overriding the common options for the given transportrememberUpgrade
(Boolean
): defaults to false.
If true and if the previous websocket connection to the server succeeded,
the connection attempt will bypass the normal upgrade process and will initially
try websocket. A connection attempt following a transport error will use the
normal upgrade process. It is recommended you turn this on only when using
SSL/TLS connections, or if you know that your network does not block websockets.pfx
(String
|Buffer
): Certificate, Private key and CA certificates to use for SSL. Can be used in Node.js client environment to manually specify certificate information.key
(String
): Private key to use for SSL. Can be used in Node.js client environment to manually specify certificate information.passphrase
(String
): A string of passphrase for the private key or pfx. Can be used in Node.js client environment to manually specify certificate information.cert
(String
): Public x509 certificate to use. Can be used in Node.js client environment to manually specify certificate information.ca
(String
|Array
): An authority certificate or array of authority certificates to check the remote host against.. Can be used in Node.js client environment to manually specify certificate information.ciphers
(String
): A string describing the ciphers to use or exclude. Consult the cipher format list for details on the format. Can be used in Node.js client environment to manually specify certificate information.rejectUnauthorized
(Boolean
): If true, the server certificate is verified against the list of supplied CAs. An 'error' event is emitted if verification fails. Verification happens at the connection level, before the HTTP request is sent. Can be used in Node.js client environment to manually specify certificate information.perMessageDeflate
(Object|Boolean
): parameters of the WebSocket permessage-deflate extension
(see ws module api docs). Set to false
to disable. (true
)
threshold
(Number
): data is compressed only if the byte size is above this value. This option is ignored on the browser. (1024
)extraHeaders
(Object
): Headers that will be passed for each request to the server (via xhr-polling and via websockets). These values then can be used during handshake or for special proxies. Can only be used in Node.js client environment.onlyBinaryUpgrades
(Boolean
): whether transport upgrades should be restricted to transports supporting binary data (false
)forceNode
(Boolean
): Uses NodeJS implementation for websockets - even if there is a native Browser-Websocket available, which is preferred by default over the NodeJS implementation. (This is useful when using hybrid platforms like nw.js or electron) (false
, NodeJS only)localAddress
(String
): the local IP address to connect toautoUnref
(Boolean
): whether the transport should be unref
'd upon creation. This calls unref
on the underlying timers and sockets so that the program is allowed to exit if they are the only timers/sockets in the event system (Node.js only)useNativeTimers
(Boolean
): Whether to always use the native timeouts. This allows the client to reconnect when the native timeout functions are overridden, such as when mock clocks are installed with @sinonjs/fake-timers
.requestTimeout
(Number
): Timeout for xhr-polling requests in milliseconds (0
)protocols
(Array
): a list of subprotocols (see MDN reference)closeOnBeforeunload
(Boolean
): whether to silently close the connection when the beforeunload
event is emitted in the browser (defaults to true
)send
String
| ArrayBuffer
| ArrayBufferView
| Blob
: data to sendObject
: optional, options objectFunction
: optional, callback upon drain
compress
(Boolean
): whether to compress sending data. This option is ignored and forced to be true
on the browser. (true
)close
The transport class. Private. Inherits from EventEmitter.
poll
: emitted by polling transports upon starting a new requestpollComplete
: emitted by polling transports upon completing a requestdrain
: emitted by polling transports upon a buffer drainengine.io-client
is used to test
engine. Running the engine.io
test suite ensures the client works and vice-versa.
Browser tests are run using zuul. You can run the tests locally using the following command.
./node_modules/.bin/zuul --local 8080 -- test/index.js
Additionally, engine.io-client
has a standalone test suite you can run
with make test
which will run node.js and browser tests. You must have zuul setup with
a saucelabs account.
The support channels for engine.io-client
are the same as socket.io
:
To contribute patches, run tests or benchmarks, make sure to clone the repository:
git clone git://github.com/socketio/engine.io-client.git
Then:
cd engine.io-client
npm install
See the Tests
section above for how to run tests before submitting any patches.
MIT - Copyright (c) 2014 Automattic, Inc.
FAQs
Client for the realtime Engine
We found that @kingsds/engine.io-client demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
Product
Socket now supports uv.lock files to ensure consistent, secure dependency resolution for Python projects and enhance supply chain security.