Skip to content

Latest commit

 

History

History
851 lines (468 loc) · 32.6 KB

CHANGELOG.md

File metadata and controls

851 lines (468 loc) · 32.6 KB

History

Version Release date
6.6.0 June 2024
6.5.5 (from the 6.5.x branch) June 2024
3.6.2 (from the 3.x branch) June 2024
6.5.4 November 2023
6.5.3 October 2023
6.5.2 August 2023
6.5.1 June 2023
6.5.0 June 2023
6.4.2 May 2023
6.4.1 February 2023
6.4.0 February 2023
6.3.1 January 2023
6.3.0 January 2023
3.6.1 (from the 3.x branch) November 2022
6.2.1 November 2022
3.6.0 (from the 3.x branch) June 2022
6.2.0 April 2022
6.1.3 February 2022
6.1.2 January 2022
6.1.1 January 2021
6.1.0 November 2022
6.0.1 November 2021
6.0.0 October 2021
5.2.0 August 2021
5.1.1 May 2021
5.1.0 May 2021
5.0.0 March 2021
4.1.1 February 2021
4.1.0 January 2021
4.0.6 January 2021
3.5.0 (from the 3.x branch) December 2020
4.0.5 December 2020
4.0.4 November 2020
4.0.3 November 2020
4.0.2 November 2020
4.0.1 October 2020
4.0.0 September 2020
3.4.2 June 2020
3.4.1 April 2020

Release notes

6.6.0 (2024-06-21)

Bug Fixes

  • fix websocket and webtransport send callbacks (#699) (fc21c4a)
  • properly call the send callback during upgrade (362bc78)
  • types: make socket.request writable (#697) (0efa04b)

Performance Improvements

  • do not reset the hearbeat timer on each packet (5359bae)
  • websocket: use bound callbacks (9a68c8c)

Dependencies

6.5.5 (2024-06-18)

This release contains a bump of the ws dependency, which includes an important security fix.

Advisory: https://github.com/advisories/GHSA-3h5v-q93c-6h6q

Bug Fixes

Dependencies

3.6.2 (2024-06-18)

This release contains a bump of the ws dependency, which includes an important security fix.

Advisory: https://github.com/advisories/GHSA-3h5v-q93c-6h6q

Dependencies

6.5.4 (2023-11-09)

This release contains some minor changes which should improve the memory usage of the server, notably this.

Dependencies

6.5.3 (2023-10-06)

Bug Fixes

  • improve compatibility with node16 module resolution (#689) (c6bf8c0)
  • webtransport: properly handle abruptly closed connections (ff1c861)

Dependencies

6.5.2 (2023-08-01)

Bug Fixes

  • webtransport: add proper framing (a306db0)

Dependencies

6.5.1 (2023-06-27)

Bug Fixes

  • prevent crash when accessing TextDecoder (#684) (6dd2bc4)

Credits

Huge thanks to @iowaguy for helping!

Dependencies

6.5.0 (2023-06-16)

Bug Fixes

  • uws: discard any write to an aborted uWS response (#682) (3144d27)

Features

Support for WebTransport

The Engine.IO server can now use WebTransport as the underlying transport.

WebTransport is a web API that uses the HTTP/3 protocol as a bidirectional transport. It's intended for two-way communications between a web client and an HTTP/3 server.

References:

Until WebTransport support lands in Node.js, you can use the @fails-components/webtransport package:

import { readFileSync } from "fs";
import { createServer } from "https";
import { Server } from "engine.io";
import { Http3Server } from "@fails-components/webtransport";

// WARNING: the total length of the validity period MUST NOT exceed two weeks (https://w3c.github.io/webtransport/#custom-certificate-requirements)
const cert = readFileSync("/path/to/my/cert.pem");
const key = readFileSync("/path/to/my/key.pem");

const httpsServer = createServer({
  key,
  cert
});

httpsServer.listen(3000);

const engine = new Server({
  transports: ["polling", "websocket", "webtransport"] // WebTransport is not enabled by default
});

engine.attach(httpsServer);

const h3Server = new Http3Server({
  port: 3000,
  host: "0.0.0.0",
  secret: "changeit",
  cert,
  privKey: key,
});

(async () => {
  const stream = await h3Server.sessionStream("/engine.io/");
  const sessionReader = stream.getReader();

  while (true) {
    const { done, value } = await sessionReader.read();
    if (done) {
      break;
    }
    engine.onWebTransportSession(value);
  }
})();

h3Server.startServer();

Added in 123b68c.

Credits

Huge thanks to @OxleyS for helping!

Dependencies

6.4.2 (2023-05-02)

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
  at Server.onWebSocket (build/server.js:515:67)

Please upgrade as soon as possible.

Bug Fixes

  • include error handling for Express middlewares (#674) (9395782)
  • prevent crash when provided with an invalid query param (fc480b4)
  • typings: make clientsCount public (#675) (bd6d471)
  • uws: prevent crash when using with middlewares (8b22162)

Credits

Huge thanks to @tyilo and @cieldeville for helping!

Dependencies

6.4.1 (2023-02-20)

This release contains 6e78489, which exports the BaseServer class in order to restore the compatibility with the nodenext module resolution strategy of TypeScript.

Reference: https://www.typescriptlang.org/tsconfig/#moduleResolution

Related: socketio#4621

Dependencies

6.4.0 (2023-02-06)

Features

  • add support for Express middlewares (24786e7)

This commit implements middlewares at the Engine.IO level, because Socket.IO middlewares are meant for namespace authorization and are not executed during a classic HTTP request/response cycle.

A workaround was possible by using the allowRequest option and the "headers" event, but this feels way cleaner and works with upgrade requests too.

Syntax:

engine.use((req, res, next) => {
  // do something

  next();
});

// with express-session
import session from "express-session";

engine.use(session({
  secret: "keyboard cat",
  resave: false,
  saveUninitialized: true,
  cookie: { secure: true }
}));

// with helmet
import helmet from "helmet";

engine.use(helmet());

Dependencies

6.3.1 (2023-01-12)

Dependencies

6.3.0 (2023-01-10)

Bug Fixes

  • fix the ES module wrapper (ed87609)
  • wait for all packets to be sent before closing the WebSocket connection (a65a047)

Features

The trailing slash which was added by default can now be disabled:

import { Server } from "engine.io";

const server = new Server();

server.attach(httpServer, {
  addTrailingSlash: false
});

In the example above, the clients can omit the trailing slash and use /engine.io instead of /engine.io/.

Performance Improvements

  • add the wsPreEncodedFrame option (5e34722)

This will be used when broadcasting packets at the Socket.IO level.

See also: https://github.com/socketio/socket.io-adapter/commit/5f7b47d40f9daabe4e3c321eda620bbadfe5ce96

Dependencies

3.6.1 (2022-11-20)

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

Please upgrade as soon as possible.

Bug Fixes

  • catch errors when destroying invalid upgrades (83c4071)

Dependencies

6.2.1 (2022-11-20)

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

Please upgrade as soon as possible.

Bug Fixes

  • catch errors when destroying invalid upgrades (#658) (425e833)

Dependencies

3.6.0 (2022-06-06)

Bug Fixes

Features

  • decrease the default value of maxHttpBufferSize (58e274c)

This change reduces the default value from 100 mb to a more sane 1 mb.

This helps protect the server against denial of service attacks by malicious clients sending huge amounts of data.

See also: https://github.com/advisories/GHSA-j4f2-536g-r55m

  • increase the default value of pingTimeout (f55a79a)

6.2.0 (2022-04-17)

Features

  • add the "maxPayload" field in the handshake details (088dcb4)

So that clients in HTTP long-polling can decide how many packets they have to send to stay under the maxHttpBufferSize value.

This is a backward compatible change which should not mandate a new major revision of the protocol (we stay in v4), as we only add a field in the JSON-encoded handshake data:

0{"sid":"lv_VI97HAXpY6yYWAAAC","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000,"maxPayload":1000000}

6.1.3 (2022-02-23)

Bug Fixes

  • typings: allow CorsOptionsDelegate as cors options (#641) (a463d26)
  • uws: properly handle chunked content (#642) (3367440)

6.1.2 (2022-01-18)

Bug Fixes

  • uws: expose additional uWebSockets.js options (#634) (49bb7cf)
  • uws: fix HTTP long-polling with CORS (45112a3)
  • uws: handle invalid websocket upgrades (8b4d6a8)

6.1.1 (2022-01-11)

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14) at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22) at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10) at writeOrBuffer (internal/streams/writable.js:358:12)

This bug was introduced by this commit, included in [email protected], so previous releases are not impacted.

Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.

Bug Fixes

  • properly handle invalid data sent by a malicious websocket client (c0e194d)

6.1.0 (2021-11-08)

Bug Fixes

  • fix payload encoding for v3 clients (ed50fc3)

Features

  • add an implementation based on uWebSockets.js (271e2df)

Performance Improvements

6.0.1 (2021-11-06)

Bug Fixes

  • fix payload encoding for v3 clients (3f42262)

6.0.0 (2021-10-08)

The codebase was migrated to TypeScript (c0d6eaa)

An ES module wrapper was also added (401f4b6).

Please note that the communication protocol was not updated, so a v5 client will be able to reach a v6 server (and vice-versa).

Reference: https://github.com/socketio/engine.io-protocol

BREAKING CHANGES

  • the default export was removed, so the following code won't work anymore:
const eioServer = require("engine.io")(httpServer);

Please use this instead:

const { Server } = require("engine.io");
const eioServer = new Server(httpServer);

Dependencies

ws version: ~8.2.3 (bumped from ~7.4.2)

5.2.0 (2021-08-29)

No change on the server-side, this matches the client release.

5.1.1 (2021-05-16)

Bug Fixes

  • properly close the websocket connection upon handshake error (4360686)

5.1.0 (2021-05-04)

Features

  • add a "connection_error" event (7096e98)
  • add the "initial_headers" and "headers" events (2527543)

Performance Improvements

  • websocket: add a "wsPreEncoded" writing option (7706b12)
  • websocket: fix write back-pressure (#618) (ad5306a)

5.0.0 (2021-03-10)

Bug Fixes

Features

  • increase the default value of pingTimeout (5a7fa13)
  • remove dynamic require() with wsEngine (edb7343)

BREAKING CHANGES

  • the syntax of the "wsEngine" option is updated

Before:

const eioServer = require("engine.io")(httpServer, {
  wsEngine: "eiows"
});

After:

const eioServer = require("engine.io")(httpServer, {
  wsEngine: require("eiows").Server
});

4.1.1 (2021-02-02)

Bug Fixes

4.1.0 (2021-01-14)

Features

  • add support for v3.x clients (663d326)

4.0.6 (2021-01-04)

Bug Fixes

  • correctly pass the options when using the Server constructor (#610) (cec2750)

3.5.0 (2020-12-30)

Features

4.0.5 (2020-12-07)

No change on the server-side, this matches the client release.

4.0.4 (2020-11-17)

No change on the server-side, this matches the client release.

4.0.3 (2020-11-17)

No change on the server-side, this matches the client release.

4.0.2 (2020-11-09)

Bug Fixes

  • add extension in the package.json main entry (#608) (17b8c2f)

4.0.1 (2020-10-21)

Bug Fixes

  • do not overwrite CORS headers upon error (fe093ba)

4.0.0 (2020-09-10)

More details about this release in the blog post: https://socket.io/blog/engine-io-4-release/

Bug Fixes

  • ignore errors when forcefully closing the socket (#601) (dcdbccb)
  • remove implicit require of uws (82cdca2)

Features

  • disable perMessageDeflate by default (078527a)

Links

3.4.2 (2020-06-04)

Bug Fixes

  • remove explicit require of uws (85e544a)

Links

3.4.1 (2020-04-17)

Bug Fixes

  • ignore errors when forcefully closing the socket (da851ec)
  • use SameSite=Strict by default (001ca62)

Links

4.0.0-alpha.1 (2020-02-12)

Links

4.0.0-alpha.0 (2020-02-12)

Features

BREAKING CHANGES

  • the handlePreflightRequest option is removed by the change.

Before:

new Server({
  handlePreflightRequest: (req, res) => {
    res.writeHead(200, {
      "Access-Control-Allow-Origin": 'https://example.com',
      "Access-Control-Allow-Methods": 'GET',
      "Access-Control-Allow-Headers": 'Authorization',
      "Access-Control-Allow-Credentials": true
    });
    res.end();
  }
})

After:

new Server({
  cors: {
    origin: "https://example.com",
    methods: ["GET"],
    allowedHeaders: ["Authorization"],
    credentials: true
  }
})
  • the syntax has changed from
new Server({
  cookieName: "test",
  cookieHttpOnly: false,
  cookiePath: "/custom"
})

to

new Server({
  cookie: {
    name: "test",
    httpOnly: false,
    path: "/custom"
  }
})

All other options (domain, maxAge, sameSite, ...) are now supported.

  • v3.x clients will not be able to connect anymore (they will send a ping packet and timeout while waiting for a pong packet).

Links