engine.io
Changelog
6.4.2 (2023-05-02)
:warning: This release contains an important security fix :warning:
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
    at Server.onWebSocket (build/server.js:515:67)
Please upgrade as soon as possible.
Huge thanks to @tyilo and @cieldeville for helping!
ws@~8.11.0 (no change)
Changelog
6.4.1 (2023-02-20)
This release contains 6e78489, which exports the BaseServer class in order to restore the compatibility with the nodenext module resolution strategy of TypeScript.
Reference: https://www.typescriptlang.org/tsconfig/#moduleResolution
Related: https://github.com/socketio/socket.io/issues/4621
ws@~8.11.0 (no change)
Changelog
6.4.0 (2023-02-06)
This commit implements middlewares at the Engine.IO level, because Socket.IO middlewares are meant for namespace authorization and are not executed during a classic HTTP request/response cycle.
A workaround was possible by using the allowRequest option and the "headers" event, but this feels way cleaner and works with upgrade requests too.
Syntax:
engine.use((req, res, next) => {
  // do something
  next();
});

// with express-session
import session from "express-session";

engine.use(session({
  secret: "keyboard cat",
  resave: false,
  saveUninitialized: true,
  cookie: { secure: true }
}));

// with helmet
import helmet from "helmet";

engine.use(helmet());
ws@~8.11.0 (no change)
Changelog
6.3.0 (2023-01-10)
The trailing slash which was added by default can now be disabled:
import { Server } from "engine.io";

const server = new Server();

server.attach(httpServer, {
  addTrailingSlash: false
});
In the example above, the clients can omit the trailing slash and use /engine.io instead of /engine.io/.
This will be used when broadcasting packets at the Socket.IO level.
See also: https://github.com/socketio/socket.io-adapter/commit/5f7b47d40f9daabe4e3c321eda620bbadfe5ce96
Changelog
3.6.1 (2022-11-20)
:warning: This release contains an important security fix :warning:
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}
Please upgrade as soon as possible.
ws@~7.4.2 (no change)
Changelog
6.2.1 (2022-11-20)
:warning: This release contains an important security fix :warning:
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}
Please upgrade as soon as possible.
ws@~8.2.3 (no change)
Changelog
3.6.0 (2022-06-06)
This change reduces the default value from 100 mb to a more sane 1 mb.
This helps protect the server against denial of service attacks by malicious clients sending huge amounts of data.
See also: https://github.com/advisories/GHSA-j4f2-536g-r55m
Changelog
6.2.0 (2022-04-17)
So that clients in HTTP long-polling can decide how many packets they have to send to stay under the maxHttpBufferSize value.
This is a backward compatible change which should not mandate a new major revision of the protocol (we stay in v4), as we only add a field in the JSON-encoded handshake data:
0{"sid":"lv_VI97HAXpY6yYWAAAC","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000,"maxPayload":1000000}
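The following is an added example, not code from engine.io or its client: it shows how a long-polling client could read maxPayload from the handshake above and group queued packets so that each polling payload stays within it. The function names are hypothetical, and it assumes string packets joined by the Engine.IO v4 record separator (\x1e) with sizes counted in UTF-8 bytes.

```javascript
// Added example: not engine.io source code. Function names are hypothetical.
const RECORD_SEPARATOR = "\x1e"; // joins packets in an Engine.IO v4 polling payload
const utf8Length = (s) => new TextEncoder().encode(s).length;

// Parse the "open" packet (type 0) and return the handshake fields used below.
function parseHandshake(packet) {
  if (typeof packet !== "string" || packet[0] !== "0") {
    throw new Error("not an open packet");
  }
  const data = JSON.parse(packet.slice(1));
  if (typeof data.sid !== "string" || !Array.isArray(data.upgrades)) {
    throw new Error("malformed handshake");
  }
  // Servers that predate this change send no maxPayload: report it as unknown.
  const known = Number.isSafeInteger(data.maxPayload) && data.maxPayload > 0;
  return { sid: data.sid, upgrades: data.upgrades, maxPayload: known ? data.maxPayload : null };
}

// Group already-encoded string packets (e.g. "4hello") into polling payloads
// of at most maxPayload UTF-8 bytes each, preserving packet order.
function splitIntoPayloads(packets, maxPayload) {
  if (maxPayload === null) return packets.length ? [packets.join(RECORD_SEPARATOR)] : [];
  const payloads = [];
  let batch = [];
  let size = 0;
  for (const packet of packets) {
    const len = utf8Length(packet);
    if (len > maxPayload) {
      // Choice made for this example: refuse rather than send an oversized body.
      throw new RangeError(`packet of ${len} bytes exceeds maxPayload ${maxPayload}`);
    }
    const added = batch.length ? len + 1 : len; // +1 byte for the separator
    if (size + added > maxPayload) {
      payloads.push(batch.join(RECORD_SEPARATOR));
      batch = [packet];
      size = len;
    } else {
      batch.push(packet);
      size += added;
    }
  }
  if (batch.length) payloads.push(batch.join(RECORD_SEPARATOR));
  return payloads;
}

// Handshake copied from the release note above; the queued packets are constructed.
const handshake = parseHandshake('0{"sid":"lv_VI97HAXpY6yYWAAAC","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000,"maxPayload":1000000}');
console.log(splitIntoPayloads(["4hello", "4world"], handshake.maxPayload));
```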