engine.io - npm Package Compare versions

engine.io

Package Overview

Dependencies

Maintainers

Advanced tools

Install Socket

Detect and block malicious and high-risk dependencies

Install

Comparing version 6.1.0 to 6.1.1

build/server.js

		@@ -444,4 +444,2 @@ "use strict";
		else {
		// transport error handling takes over
		websocket.removeListener("error", onUpgradeError);
		const closeConnection = (errorCode, errorContext) => abortUpgrade(socket, errorCode, errorContext);
		@@ -448,0 +446,0 @@ this.handshake(req._query.transport, req, closeConnection);

build/socket.js

		@@ -6,2 +6,3 @@ "use strict";
		const debug_1 = require("debug");
		const timers_1 = require("timers");
		const debug = (0, debug_1.default)("engine:socket");
		@@ -137,3 +138,3 @@ class Socket extends events_1.EventEmitter {
		schedulePing() {
		this.pingIntervalTimer = setTimeout(() => {
		this.pingIntervalTimer = (0, timers_1.setTimeout)(() => {
		debug("writing ping packet - expecting pong within %sms", this.server.opts.pingTimeout);
		@@ -150,4 +151,4 @@ this.sendPacket("ping");
		resetPingTimeout(timeout) {
		clearTimeout(this.pingTimeoutTimer);
		this.pingTimeoutTimer = setTimeout(() => {
		(0, timers_1.clearTimeout)(this.pingTimeoutTimer);
		this.pingTimeoutTimer = (0, timers_1.setTimeout)(() => {
		if (this.readyState === "closed")
		@@ -193,3 +194,3 @@ return;
		// set transport upgrade timer
		this.upgradeTimeoutTimer = setTimeout(() => {
		this.upgradeTimeoutTimer = (0, timers_1.setTimeout)(() => {
		debug("client did not complete upgrade - closing transport");
		@@ -240,3 +241,3 @@ cleanup();
		this.checkIntervalTimer = null;
		clearTimeout(this.upgradeTimeoutTimer);
		(0, timers_1.clearTimeout)(this.upgradeTimeoutTimer);
		this.upgradeTimeoutTimer = null;
		@@ -283,3 +284,3 @@ transport.removeListener("packet", onPacket);
		this.transport.close();
		clearTimeout(this.pingTimeoutTimer);
		(0, timers_1.clearTimeout)(this.pingTimeoutTimer);
		}
		@@ -295,7 +296,7 @@ /**
		// clear timers
		clearTimeout(this.pingIntervalTimer);
		clearTimeout(this.pingTimeoutTimer);
		(0, timers_1.clearTimeout)(this.pingIntervalTimer);
		(0, timers_1.clearTimeout)(this.pingTimeoutTimer);
		clearInterval(this.checkIntervalTimer);
		this.checkIntervalTimer = null;
		clearTimeout(this.upgradeTimeoutTimer);
		(0, timers_1.clearTimeout)(this.upgradeTimeoutTimer);
		// clean writeBuffer in next tick, so developers can still
		@@ -302,0 +303,0 @@ // grab the writeBuffer on 'close' event

CHANGELOG.md

		@@ -0,1 +1,23 @@
		## [6.1.1](https://github.com/socketio/engine.io/compare/6.1.0...6.1.1) (2022-01-11)

		:warning: This release contains an important security fix :warning:

		A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

		> RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
		> at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14)
		> at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22)
		> at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10)
		> at writeOrBuffer (internal/streams/writable.js:358:12)

		This bug was introduced by [this commit](https://github.com/socketio/engine.io/commit/f3c291fa613a9d50c924d74293035737fdace4f2), included in `engine.io@4.0.0`, so previous releases are not impacted.

		Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.

		### Bug Fixes

		* properly handle invalid data sent by a malicious websocket client ([c0e194d](https://github.com/socketio/engine.io/commit/c0e194d44933bd83bf9a4b126fca68ba7bf5098c))



		# [6.1.0](https://github.com/socketio/engine.io/compare/6.0.0...6.1.0) (2021-11-08)
		@@ -2,0 +24,0 @@

package.json

		{
		"name": "engine.io",
		"version": "6.1.0",
		"version": "6.1.1",
		"description": "The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server",
		@@ -5,0 +5,0 @@ "type": "commonjs",

Improved metrics

Worsened metrics