engine.io

6.4.2 (2023-05-02)

:warning: This release contains an important security fix :warning:

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
  at Server.onWebSocket (build/server.js:515:67)

Please upgrade as soon as possible.

Bug Fixes

  • include error handling for Express middlewares (#674) (9395782)
  • prevent crash when provided with an invalid query param (fc480b4)
  • typings: make clientsCount public (#675) (bd6d471)
  • uws: prevent crash when using with middlewares (8b22162)

Credits

Huge thanks to @tyilo and @cieldeville for helping!

darrachequesne published 6.4.1

6.4.1 (2023-02-20)

This release contains 6e78489, which exports the BaseServer class in order to restore the compatibility with the nodenext module resolution strategy of TypeScript.

Reference: https://www.typescriptlang.org/tsconfig/#moduleResolution

Related: https://github.com/socketio/socket.io/issues/4621

darrachequesne published 6.4.0

6.4.0 (2023-02-06)

Features

  • add support for Express middlewares (24786e7)

This commit implements middlewares at the Engine.IO level, because Socket.IO middlewares are meant for namespace authorization and are not executed during a classic HTTP request/response cycle.

A workaround was possible by using the allowRequest option and the "headers" event, but this feels way cleaner and works with upgrade requests too.

Syntax:

engine.use((req, res, next) => {
  // do something

  next();
});

// with express-session
import session from "express-session";

engine.use(session({
  secret: "keyboard cat",
  resave: false,
  saveUninitialized: true,
  cookie: { secure: true }
}));

// with helmet
import helmet from "helmet";

engine.use(helmet());

darrachequesne published 6.3.1

6.3.1 (2023-01-12)

darrachequesne published 6.3.0

6.3.0 (2023-01-10)

Bug Fixes

  • fix the ES module wrapper (ed87609)
  • wait for all packets to be sent before closing the WebSocket connection (a65a047)

Features

The trailing slash which was added by default can now be disabled:

import { Server } from "engine.io";

const server = new Server();

server.attach(httpServer, {
  addTrailingSlash: false
});

In the example above, the clients can omit the trailing slash and use /engine.io instead of /engine.io/.

Performance Improvements

  • add the wsPreEncodedFrame option (5e34722)

This will be used when broadcasting packets at the Socket.IO level.

See also: https://github.com/socketio/socket.io-adapter/commit/5f7b47d40f9daabe4e3c321eda620bbadfe5ce96

darrachequesne published 3.6.1

3.6.1 (2022-11-20)

:warning: This release contains an important security fix :warning:

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

Please upgrade as soon as possible.

Bug Fixes

  • catch errors when destroying invalid upgrades (83c4071)

darrachequesne published 6.2.1

6.2.1 (2022-11-20)

:warning: This release contains an important security fix :warning:

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

Please upgrade as soon as possible.

Bug Fixes

  • catch errors when destroying invalid upgrades (#658) (425e833)
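
The 6.2.1 and 3.6.1 notes above both show an 'error' event emitted on a socket that has no listener. The following added example (not engine.io's own code; FakeSocket, the function names and the 400 response are constructed for illustration) shows why that is fatal in Node.js and how registering a listener before destroying a rejected upgrade contains it:

```javascript
const { EventEmitter } = require("node:events");

// Constructed stand-in for a net.Socket whose peer has already reset the
// connection: destroy() surfaces ECONNRESET as an 'error' event. (A real
// socket emits it asynchronously; emitting synchronously keeps this short.)
class FakeSocket extends EventEmitter {
  constructor() {
    super();
    this.writable = true;
    this.written = [];
  }
  write(chunk) {
    this.written.push(chunk);
    return true;
  }
  destroy() {
    this.writable = false;
    const err = new Error("read ECONNRESET");
    this.emit("error", Object.assign(err, { code: "ECONNRESET", syscall: "read" }));
  }
}

const REJECTION = "HTTP/1.1 400 Bad Request\r\nConnection: close\r\nContent-Length: 0\r\n\r\n";

// Before: no 'error' listener, so EventEmitter throws the emitted error.
// In a server process nothing catches it and the process exits.
function abortUpgradeUnguarded(socket) {
  if (socket.writable) socket.write(REJECTION);
  socket.destroy();
}

// After: register a listener first, then reject and destroy.
function abortUpgradeGuarded(socket, ignored = []) {
  socket.on("error", (err) => ignored.push(err.code));
  if (socket.writable) socket.write(REJECTION);
  socket.destroy();
  return ignored;
}

// Returns the error code that escaped `abort`, or null if nothing was thrown.
function escapedError(abort) {
  try {
    abort(new FakeSocket());
    return null;
  } catch (err) {
    return err.code;
  }
}
```

The same rule applies to any handler of the HTTP server's 'upgrade' event that writes to or destroys the raw socket.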

darrachequesne published 3.6.0

3.6.0 (2022-06-06)

Bug Fixes

Features

  • decrease the default value of maxHttpBufferSize (58e274c)

This change reduces the default value from 100 MB to a more sane 1 MB.

This helps protect the server against denial of service attacks by malicious clients sending huge amounts of data.

See also: https://github.com/advisories/GHSA-j4f2-536g-r55m

  • increase the default value of pingTimeout (f55a79a)
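
To illustrate the maxHttpBufferSize change above, here is an added sketch (not engine.io's code; readBoundedBody, endlessChunks and the 413 status are assumptions of this example) of how a body-size cap bounds the memory a single request can consume, and how much more the old 100 MB default let a client pin:

```javascript
// Default described in the 3.6.0 notes above: 1 MB instead of 100 MB.
const MAX_HTTP_BUFFER_SIZE = 1e6;

// `headers` is a lower-cased header map and `chunks` any iterable of Buffers
// (a constructed stand-in for the 'data' events of an incoming request).
function readBoundedBody(headers, chunks, limit = MAX_HTTP_BUFFER_SIZE) {
  // 1. Cheap check: refuse before buffering if the declared size is too large.
  const declared = Number(headers["content-length"]);
  if (Number.isFinite(declared) && declared > limit) {
    return { ok: false, status: 413, buffered: 0 };
  }
  // 2. Content-Length can be absent (chunked transfer encoding), so the bytes
  //    actually received are counted as well.
  const parts = [];
  let buffered = 0;
  for (const chunk of chunks) {
    if (buffered + chunk.length > limit) {
      // Stop reading: memory held for this request never exceeds `limit`.
      return { ok: false, status: 413, buffered };
    }
    parts.push(chunk);
    buffered += chunk.length;
  }
  return { ok: true, status: 200, buffered, body: Buffer.concat(parts, buffered) };
}

// Constructed input: an endless stream of 64 KiB chunks with no Content-Length.
function* endlessChunks(counter) {
  const chunk = Buffer.alloc(64 * 1024, 0x41);
  for (;;) {
    counter.pulled += 1;
    yield chunk;
  }
}

// Bytes held per request before rejection, for the new and the old default.
function bufferedBeforeReject(limit) {
  return readBoundedBody({}, endlessChunks({ pulled: 0 }), limit).buffered;
}
```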

darrachequesne published 6.2.0

6.2.0 (2022-04-17)

Features

  • add the "maxPayload" field in the handshake details (088dcb4)

This lets clients using HTTP long-polling decide how many packets they can send in a single request while staying under the maxHttpBufferSize value.

This is a backward compatible change which should not mandate a new major revision of the protocol (we stay in v4), as we only add a field in the JSON-encoded handshake data:

0{"sid":"lv_VI97HAXpY6yYWAAAC","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000,"maxPayload":1000000}
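
An added client-side sketch of how the maxPayload field can be used (not engine.io-client's code; parseHandshake and batchPackets are hypothetical names, and refusing an oversized single packet is a choice made for this example). It relies on Engine.IO v4 long-polling joining packets with the U+001E record separator:

```javascript
// Engine.IO v4 long-polling joins packets with the record separator U+001E.
const SEPARATOR = "\x1e";
const utf8 = new TextEncoder();

// Parse an "open" packet: packet type "0" followed by the JSON handshake data.
function parseHandshake(packet) {
  if (typeof packet !== "string" || packet[0] !== "0") {
    throw new Error("not an open packet");
  }
  const data = JSON.parse(packet.slice(1));
  // Servers older than 6.2.0 omit maxPayload: treat that as "limit unknown".
  const valid = Number.isSafeInteger(data.maxPayload) && data.maxPayload > 0;
  return { sid: data.sid, maxPayload: valid ? data.maxPayload : Infinity };
}

// Split already-encoded packets into request bodies whose UTF-8 size stays
// at or below maxPayload, preserving packet order.
function batchPackets(packets, maxPayload) {
  const bodies = [];
  let current = [];
  let size = 0;
  for (const packet of packets) {
    const length = utf8.encode(packet).length; // bytes, not UTF-16 code units
    if (length > maxPayload) {
      // Example policy: fail locally rather than send a body the server drops.
      throw new RangeError(`packet of ${length} bytes exceeds maxPayload`);
    }
    const added = current.length > 0 ? length + 1 : length; // +1 for separator
    if (size + added > maxPayload) {
      bodies.push(current.join(SEPARATOR));
      current = [packet];
      size = length;
    } else {
      current.push(packet);
      size += added;
    }
  }
  if (current.length > 0) bodies.push(current.join(SEPARATOR));
  return bodies;
}
```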

darrachequesne published 6.2.0-alpha.1
