search

hugh-mend / juice-shop

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
http://owasp-juice.shop
MIT License
0 stars 0 forks source link

Update dependency socket.io to v4 (master) - autoclosed #694

Closed mend-for-github-com[bot] closed 3 months ago

mend-for-github-com[bot] commented 5 months ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
socket.io ^2.3.0 -> ^4.6.2 age adoption passing confidence

By merging this PR, the below issues will be automatically resolved and closed:

Severity CVSS Score CVE GitHub Issue
High 7.5 CVE-2024-37890 #692
High 7.3 CVE-2024-38355 #693
Low 3.7 CVE-2017-16137 #681

Release Notes

socketio/socket.io (socket.io) ### [`v4.6.2`](https://togithub.com/socketio/socket.io/releases/tag/4.6.2) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.6.1...4.6.2) ##### Bug Fixes - **exports:** move `types` condition to the top ([#​4698](https://togithub.com/socketio/socket.io/issues/4698)) ([3d44aae](https://togithub.com/socketio/socket.io/commit/3d44aae381af38349fdb808d510d9f47a0c2507e)) ##### Links - Diff: https://github.com/socketio/socket.io/compare/4.6.1...4.6.2 - Client release: [4.6.2](https://togithub.com/socketio/socket.io-client/releases/tag/4.6.2) - [`engine.io@~6.4.2`](https://togithub.com/socketio/engine.io/releases/tag/6.4.2) ([diff](https://togithub.com/socketio/engine.io/compare/6.4.1...6.4.2)) - [`ws@~8.11.0`](https://togithub.com/websockets/ws/releases/tag/8.11.0) (no change) ### [`v4.6.1`](https://togithub.com/socketio/socket.io/releases/tag/4.6.1) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.6.0...4.6.1) ##### Bug Fixes - properly handle manually created dynamic namespaces ([0d0a7a2](https://togithub.com/socketio/socket.io/commit/0d0a7a22b5ff95f864216c529114b7dd41738d1e)) - **types:** fix nodenext module resolution compatibility ([#​4625](https://togithub.com/socketio/socket.io/issues/4625)) ([d0b22c6](https://togithub.com/socketio/socket.io/commit/d0b22c630208669aceb7ae013180c99ef90279b0)) ##### Links - Diff: https://github.com/socketio/socket.io/compare/4.6.0...4.6.1 - Client release: [4.6.1](https://togithub.com/socketio/socket.io-client/releases/tag/4.6.1) - [`engine.io@~6.4.1`](https://togithub.com/socketio/engine.io/releases/tag/6.4.1) ([diff](https://togithub.com/socketio/engine.io/compare/6.4.0...6.4.1)) - [`ws@~8.11.0`](https://togithub.com/websockets/ws/releases/tag/8.11.0) (no change) ### [`v4.6.0`](https://togithub.com/socketio/socket.io/releases/tag/4.6.0) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.5.4...4.6.0) ##### Bug Fixes - add timeout method to remote socket ([#​4558](https://togithub.com/socketio/socket.io/issues/4558)) ([0c0eb00](https://togithub.com/socketio/socket.io/commit/0c0eb0016317218c2be3641e706cfaa9bea39a2d)) - **typings:** properly type emits with timeout ([f3ada7d](https://togithub.com/socketio/socket.io/commit/f3ada7d8ccc02eeced2b9b9ac8e4bc921eb630d2)) ##### Features ##### Promise-based acknowledgements This commit adds some syntactic sugar around acknowledgements: - `emitWithAck()` ```js try { const responses = await io.timeout(1000).emitWithAck("some-event"); console.log(responses); // one response per client } catch (e) { // some clients did not acknowledge the event in the given delay } io.on("connection", async (socket) => { // without timeout const response = await socket.emitWithAck("hello", "world"); // with a specific timeout try { const response = await socket.timeout(1000).emitWithAck("hello", "world"); } catch (err) { // the client did not acknowledge the event in the given delay } }); ``` - `serverSideEmitWithAck()` ```js try { const responses = await io.timeout(1000).serverSideEmitWithAck("some-event"); console.log(responses); // one response per server (except itself) } catch (e) { // some servers did not acknowledge the event in the given delay } ``` Added in [184f3cf](https://togithub.com/socketio/socket.io/commit/184f3cf7af57acc4b0948eee307f25f8536eb6c8). ##### Connection state recovery This feature allows a client to reconnect after a temporary disconnection and restore its state: - id - rooms - data - missed packets Usage: ```js import { Server } from "socket.io"; const io = new Server({ connectionStateRecovery: { // default values maxDisconnectionDuration: 2 * 60 * 1000, skipMiddlewares: true, }, }); io.on("connection", (socket) => { console.log(socket.recovered); // whether the state was recovered or not }); ``` Here's how it works: - the server sends a session ID during the handshake (which is different from the current `id` attribute, which is public and can be freely shared) - the server also includes an offset in each packet (added at the end of the data array, for backward compatibility) - upon temporary disconnection, the server stores the client state for a given delay (implemented at the adapter level) - upon reconnection, the client sends both the session ID and the last offset it has processed, and the server tries to restore the state The in-memory adapter already supports this feature, and we will soon update the Postgres and MongoDB adapters. We will also create a new adapter based on [Redis Streams](https://redis.io/docs/data-types/streams/), which will support this feature. Added in [54d5ee0](https://togithub.com/socketio/socket.io/commit/54d5ee05a684371191e207b8089f09fc24eb5107). ##### Compatibility (for real) with Express middlewares This feature implements middlewares at the Engine.IO level, because Socket.IO middlewares are meant for namespace authorization and are not executed during a classic HTTP request/response cycle. Syntax: ```js io.engine.use((req, res, next) => { // do something next(); }); // with express-session import session from "express-session"; io.engine.use(session({ secret: "keyboard cat", resave: false, saveUninitialized: true, cookie: { secure: true } })); // with helmet import helmet from "helmet"; io.engine.use(helmet()); ``` A workaround was possible by using the allowRequest option and the "headers" event, but this feels way cleaner and works with upgrade requests too. Added in [24786e7](https://togithub.com/socketio/engine.io/commit/24786e77c5403b1c4b5a2bc84e2af06f9187f74a). ##### Error details in the disconnecting and disconnect events The `disconnect` event will now contain additional details about the disconnection reason. ```js io.on("connection", (socket) => { socket.on("disconnect", (reason, description) => { console.log(description); }); }); ``` Added in [8aa9499](https://togithub.com/socketio/socket.io/commit/8aa94991cee5518567d6254eec04b23f81510257). ##### Automatic removal of empty child namespaces This commit adds a new option, "cleanupEmptyChildNamespaces". With this option enabled (disabled by default), when a socket disconnects from a dynamic namespace and if there are no other sockets connected to it then the namespace will be cleaned up and its adapter will be closed. ```js import { createServer } from "node:http"; import { Server } from "socket.io"; const httpServer = createServer(); const io = new Server(httpServer, { cleanupEmptyChildNamespaces: true }); ``` Added in [5d9220b](https://togithub.com/socketio/socket.io/commit/5d9220b69adf73e086c27bbb63a4976b348f7c4c). ##### A new "addTrailingSlash" option The trailing slash which was added by default can now be disabled: ```js import { createServer } from "node:http"; import { Server } from "socket.io"; const httpServer = createServer(); const io = new Server(httpServer, { addTrailingSlash: false }); ``` In the example above, the clients can omit the trailing slash and use `/socket.io` instead of `/socket.io/`. Added in [d0fd474](https://togithub.com/socketio/engine.io/commit/d0fd4746afa396297f07bb62e539b0c1c4018d7c). ##### Performance Improvements - precompute the WebSocket frames when broadcasting ([da2b542](https://togithub.com/socketio/socket.io/commit/da2b54279749adc5279c9ac4742b01b36c01cff0)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/4.5.4...4.6.0 - Client release: [4.6.0](https://togithub.com/socketio/socket.io-client/releases/tag/4.6.0) - [`engine.io@~6.4.0`](https://togithub.com/socketio/engine.io/releases/tag/6.4.0) ([diff](https://togithub.com/socketio/engine.io/compare/6.2.0...6.2.1)) - [`ws@~8.11.0`](https://togithub.com/websockets/ws/releases/tag/8.11.0) ([diff](https://togithub.com/websockets/ws/compare/8.2.3...8.11.0)) ### [`v4.5.4`](https://togithub.com/socketio/socket.io/releases/tag/4.5.4) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.5.3...4.5.4) This release contains a bump of: - `engine.io` in order to fix [CVE-2022-41940](https://togithub.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w) - `socket.io-parser` in order to fix [CVE-2022-2421](https://togithub.com/advisories/GHSA-qm95-pgcg-qqfq). ##### Links: - Diff: https://github.com/socketio/socket.io/compare/4.5.3...4.5.4 - Client release: [4.5.4](https://togithub.com/socketio/socket.io-client/releases/tag/4.5.4) - [`engine.io@~6.2.1`](https://togithub.com/socketio/engine.io-client/tree/6.2.1) ([diff](https://togithub.com/socketio/engine.io/compare/6.2.0...6.2.1)) - [`ws@~8.2.3`](https://togithub.com/websockets/ws/releases/tag/8.2.3) ### [`v4.5.3`](https://togithub.com/socketio/socket.io/releases/tag/4.5.3) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.5.2...4.5.3) ##### Bug Fixes - **typings:** accept an HTTP2 server in the constructor ([d3d0a2d](https://togithub.com/socketio/socket.io/commit/d3d0a2d5beaff51fd145f810bcaf6914213f8a06)) - **typings:** apply types to "io.timeout(...).emit()" calls ([e357daf](https://togithub.com/socketio/socket.io/commit/e357daf5858560bc84e7e50cd36f0278d6721ea1)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/4.5.2...4.5.3 - Client release: [4.5.3](https://togithub.com/socketio/socket.io-client/releases/tag/4.5.3) - engine.io version: `~6.2.0` - ws version: `~8.2.3` ### [`v4.5.2`](https://togithub.com/socketio/socket.io/releases/tag/4.5.2) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.5.1...4.5.2) ##### Bug Fixes - prevent the socket from joining a room after disconnection ([18f3fda](https://togithub.com/socketio/socket.io/commit/18f3fdab12947a9fee3e9c37cfc1da97027d1473)) - **uws:** prevent the server from crashing after upgrade ([ba497ee](https://togithub.com/socketio/socket.io/commit/ba497ee3eb52c4abf1464380d015d8c788714364)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/4.5.1...4.5.2 - Client release: [4.5.2](https://togithub.com/socketio/socket.io-client/releases/tag/4.5.2) - engine.io version: `~6.2.0` - ws version: `~8.2.3` ### [`v4.5.1`](https://togithub.com/socketio/socket.io/releases/tag/4.5.1) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.5.0...4.5.1) ##### Bug Fixes - forward the local flag to the adapter when using fetchSockets() ([30430f0](https://togithub.com/socketio/socket.io/commit/30430f0985f8e7c49394543d4c84913b6a15df60)) - **typings:** add HTTPS server to accepted types ([#​4351](https://togithub.com/socketio/socket.io/issues/4351)) ([9b43c91](https://togithub.com/socketio/socket.io/commit/9b43c9167cff817c60fa29dbda2ef7cd938aff51)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/4.5.0...4.5.1 - Client release: [4.5.1](https://togithub.com/socketio/socket.io-client/releases/tag/4.5.1) - engine.io version: `~6.2.0` - ws version: `~8.2.3` ### [`v4.5.0`](https://togithub.com/socketio/socket.io/releases/tag/4.5.0) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.4.1...4.5.0) ##### Bug Fixes - **typings:** ensure compatibility with TypeScript 3.x ([#​4259](https://togithub.com/socketio/socket.io/issues/4259)) ([02c87a8](https://togithub.com/socketio/socket.io/commit/02c87a85614e217b8e7b93753f315790ae9d99f6)) ##### Features - add support for catch-all listeners for outgoing packets ([531104d](https://togithub.com/socketio/socket.io/commit/531104d332690138b7aab84d5583d6204132c8b4)) This is similar to `onAny()`, but for outgoing packets. Syntax: ```js socket.onAnyOutgoing((event, ...args) => { console.log(event); }); ``` - broadcast and expect multiple acks ([8b20457](https://togithub.com/socketio/socket.io/commit/8b204570a94979bbec307f23ca078f30f5cf07b0)) Syntax: ```js io.timeout(1000).emit("some-event", (err, responses) => { // ... }); ``` - add the "maxPayload" field in the handshake details ([088dcb4](https://togithub.com/socketio/engine.io/commit/088dcb4dff60df39785df13d0a33d3ceaa1dff38)) So that clients in HTTP long-polling can decide how many packets they have to send to stay under the maxHttpBufferSize value. This is a backward compatible change which should not mandate a new major revision of the protocol (we stay in v4), as we only add a field in the JSON-encoded handshake data: 0{"sid":"lv_VI97HAXpY6yYWAAAC","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000,"maxPayload":1000000} ##### Links: - Diff: https://github.com/socketio/socket.io/compare/4.4.1...4.5.0 - Client release: [4.5.0](https://togithub.com/socketio/socket.io-client/releases/tag/4.5.0) - engine.io version: `~6.2.0` ([diff](https://togithub.com/socketio/engine.io/compare/6.1.0...6.2.0)) - ws version: `~8.2.3` ### [`v4.4.1`](https://togithub.com/socketio/socket.io/releases/tag/4.4.1) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.4.0...4.4.1) ##### Bug Fixes - **types:** make `RemoteSocket.data` type safe ([#​4234](https://togithub.com/socketio/socket.io/issues/4234)) ([770ee59](https://togithub.com/socketio/socket.io/commit/770ee5949fb47c2556876c622f06c862573657d6)) - **types:** pass `SocketData` type to custom namespaces ([#​4233](https://togithub.com/socketio/socket.io/issues/4233)) ([f2b8de7](https://togithub.com/socketio/socket.io/commit/f2b8de71919e1b4d3e57f15a459972c1d1064787)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/4.4.0...4.4.1 - Client release: [4.4.1](https://togithub.com/socketio/socket.io-client/releases/tag/4.4.1) - engine.io version: `~6.1.0` ([diff](https://togithub.com/socketio/engine.io/compare/6.0.0...6.1.0)) - ws version: `~8.2.3` ### [`v4.4.0`](https://togithub.com/socketio/socket.io/releases/tag/4.4.0) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.3.2...4.4.0) ##### Bug Fixes - only set 'connected' to true after middleware execution ([02b0f73](https://togithub.com/socketio/socket.io/commit/02b0f73e2c64b09c72c5fbf7dc5f059557bdbe50)) ##### Features - add an implementation based on uWebSockets.js ([c0d8c5a](https://togithub.com/socketio/socket.io/commit/c0d8c5ab234d0d2bef0d0dec472973cc9662f647)) ```js const { App } = require("uWebSockets.js"); const { Server } = require("socket.io"); const app = new App(); const io = new Server(); io.attachApp(app); io.on("connection", (socket) => { // ... }); app.listen(3000, (token) => { if (!token) { console.warn("port already in use"); } }); ``` - add timeout feature ([f0ed42f](https://togithub.com/socketio/socket.io/commit/f0ed42f18cabef20ad976aeec37077b6bf3837a5)) ```js socket.timeout(5000).emit("my-event", (err) => { if (err) { // the client did not acknowledge the event in the given delay } }); ``` - add type information to `socket.data` ([#​4159](https://togithub.com/socketio/socket.io/issues/4159)) ([fe8730c](https://togithub.com/socketio/socket.io/commit/fe8730ca0f15bc92d5de81cf934c89c76d6af329)) ```js interface SocketData { name: string; age: number; } const io = new Server(); io.on("connection", (socket) => { socket.data.name = "john"; socket.data.age = 42; }); ``` ##### Links: - Diff: https://github.com/socketio/socket.io/compare/4.3.2...4.4.0 - Client release: [4.4.0](https://togithub.com/socketio/socket.io-client/releases/tag/4.4.0) - engine.io version: `~6.1.0` ([diff](https://togithub.com/socketio/engine.io/compare/6.0.0...6.1.0)) - ws version: `~8.2.3` ### [`v4.3.2`](https://togithub.com/socketio/socket.io/releases/tag/4.3.2) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.3.1...4.3.2) ##### Bug Fixes - fix race condition in dynamic namespaces ([#​4137](https://togithub.com/socketio/socket.io/issues/4137)) ([9d86397](https://togithub.com/socketio/socket.io/commit/9d86397243bcbb5775a29d96e5ef03e17148a8e7)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/4.3.1...4.3.2 - Client release: [4.3.2](https://togithub.com/socketio/socket.io-client/releases/tag/4.3.2) - engine.io version: `~6.0.0` - ws version: `~8.2.3` ### [`v4.3.1`](https://togithub.com/socketio/socket.io/releases/tag/4.3.1) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.3.0...4.3.1) ##### Bug Fixes - fix server attachment ([#​4127](https://togithub.com/socketio/socket.io/issues/4127)) ([0ef2a4d](https://togithub.com/socketio/socket.io/commit/0ef2a4d02c9350aff163df9cb61aece89c4dac0f)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/4.3.0...4.3.1 - Client release: [4.3.1](https://togithub.com/socketio/socket.io-client/releases/tag/4.3.1) - engine.io version: `~6.0.0` - ws version: `~8.2.3` ### [`v4.3.0`](https://togithub.com/socketio/socket.io/releases/tag/4.3.0) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.2.0...4.3.0) For this release, most of the work was done on the client side, see [here](https://togithub.com/socketio/socket.io-client/releases/tag/4.3.0). ##### Bug Fixes - **typings:** add name field to cookie option ([#​4099](https://togithub.com/socketio/socket.io/issues/4099)) ([033c5d3](https://togithub.com/socketio/socket.io/commit/033c5d399a2b985afad32c1e4b0c16d764e248cd)) - send volatile packets with binary attachments ([dc81fcf](https://togithub.com/socketio/socket.io/commit/dc81fcf461cfdbb5b34b1a5a96b84373754047d5)) ##### Features - serve ESM bundle ([60edecb](https://togithub.com/socketio/socket.io/commit/60edecb3bd33801803cdcba0aefbafa381a2abb3)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/4.2.0...4.3.0 - Client release: [4.3.0](https://togithub.com/socketio/socket.io-client/releases/tag/4.3.0) - engine.io version: `~6.0.0` ([diff](https://togithub.com/socketio/engine.io/compare/5.2.0...6.0.0)) - ws version: `~8.2.3` ([diff](https://togithub.com/websockets/ws/compare/7.4.2...8.2.3)) ### [`v4.2.0`](https://togithub.com/socketio/socket.io/releases/tag/4.2.0) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.1.3...4.2.0) ##### Bug Fixes - **typings:** allow async listener in typed events ([ccfd8ca](https://togithub.com/socketio/socket.io/commit/ccfd8caba6d38b7ba6c5114bd8179346ed07671c)) ##### Features - ignore the query string when serving client JavaScript ([#​4024](https://togithub.com/socketio/socket.io/issues/4024)) ([24fee27](https://togithub.com/socketio/socket.io/commit/24fee27ba36485308f8e995879c10931532c814e)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/4.1.3...4.2.0 - Client release: [4.2.0](https://togithub.com/socketio/socket.io-client/releases/tag/4.2.0) - engine.io version: `~5.2.0` - ws version: `~7.4.2` ### [`v4.1.3`](https://togithub.com/socketio/socket.io/releases/tag/4.1.3) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.1.2...4.1.3) ##### Bug Fixes - fix io.except() method ([94e27cd](https://togithub.com/socketio/socket.io/commit/94e27cd072c8a4eeb9636f6ffbb7a21d382f36b0)) - remove x-sourcemap header ([a4dffc6](https://togithub.com/socketio/socket.io/commit/a4dffc6527f412d51a786ae5bf2e9080fe1ca63c)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/4.1.2...4.1.3 - Client release: [4.1.3](https://togithub.com/socketio/socket.io-client/releases/tag/4.1.3) - engine.io version: `~5.1.0` - ws version: `~7.4.2` ### [`v4.1.2`](https://togithub.com/socketio/socket.io/releases/tag/4.1.2) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.1.1...4.1.2) ##### Bug Fixes - **typings:** ensure compatibility with TypeScript 3.x ([0cb6ac9](https://togithub.com/socketio/socket.io/commit/0cb6ac95b49a27483b6f1b6402fa54b35f82e36f)) - ensure compatibility with previous versions of the adapter ([a2cf248](https://togithub.com/socketio/socket.io/commit/a2cf2486c366cb62293101c10520c57f6984a3fc)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/4.1.1...4.1.2 - Client release: [4.1.2](https://togithub.com/socketio/socket.io-client/releases/tag/4.1.2) - engine.io version: `~5.1.0` - ws version: `~7.4.2` ### [`v4.1.1`](https://togithub.com/socketio/socket.io/releases/tag/4.1.1) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.1.0...4.1.1) ##### Bug Fixes - **typings:** properly type server-side events ([b84ed1e](https://togithub.com/socketio/socket.io/commit/b84ed1e41c9053792caf58974c5de9395bfd509f)) - **typings:** properly type the adapter attribute ([891b187](https://togithub.com/socketio/socket.io/commit/891b1870e92d1ec38910f03bb839817e2d6be65a)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/4.1.0...4.1.1 - Client release: [4.1.1](https://togithub.com/socketio/socket.io-client/releases/tag/4.1.1) - engine.io version: `~5.1.0` - ws version: `~7.4.2` ### [`v4.1.0`](https://togithub.com/socketio/socket.io/releases/tag/4.1.0) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.0.2...4.1.0) Blog post: https://socket.io/blog/socket-io-4-1-0/ ##### Features - add support for inter-server communication ([93cce05](https://togithub.com/socketio/socket.io/commit/93cce05fb3faf91f21fa71212275c776aa161107)) - notify upon namespace creation ([499c892](https://togithub.com/socketio/socket.io/commit/499c89250d2db1ab7725ab2b74840e188c267c46)) - add a "connection_error" event ([7096e98](https://togithub.com/socketio/engine.io/commit/7096e98a02295a62c8ea2aa56461d4875887092d), from `engine.io`) - add the "initial_headers" and "headers" events ([2527543](https://togithub.com/socketio/engine.io/commit/252754353a0e88eb036ebb3082e9d6a9a5f497db), from `engine.io`) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/4.0.2...4.1.0 - Client release: [4.1.0](https://togithub.com/socketio/socket.io-client/releases/tag/4.1.0) - engine.io version: `~5.1.0` - ws version: `~7.4.2` ### [`v4.0.2`](https://togithub.com/socketio/socket.io/releases/tag/4.0.2) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.0.1...4.0.2) ##### Bug Fixes - **typings:** make "engine" attribute public ([b81ce4c](https://togithub.com/socketio/socket.io/commit/b81ce4c9d0b00666361498e2ba5e0d007d5860b8)) - properly export the Socket class ([d65b6ee](https://togithub.com/socketio/socket.io/commit/d65b6ee84c8e91deb61c3c1385eb19afa196a909)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/4.0.1...4.0.2 - Client release: [4.0.2](https://togithub.com/socketio/socket.io-client/releases/tag/4.0.2) - engine.io version: `~5.0.0` - ws version: `~7.4.2` ### [`v4.0.1`](https://togithub.com/socketio/socket.io/releases/tag/4.0.1) [Compare Source](https://togithub.com/socketio/socket.io/compare/4.0.0...4.0.1) ##### Bug Fixes - **typings:** add fallback to untyped event listener ([#​3834](https://togithub.com/socketio/socket.io/issues/3834)) ([a11152f](https://togithub.com/socketio/socket.io/commit/a11152f42b281df83409313962f60f230239c79e)) - **typings:** update return type from emit ([#​3843](https://togithub.com/socketio/socket.io/issues/3843)) ([1a72ae4](https://togithub.com/socketio/socket.io/commit/1a72ae4fe27a14cf60916f991a2c94da91d9e54a)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/4.0.0...4.0.1 - Client release: [4.0.1](https://togithub.com/socketio/socket.io-client/releases/tag/4.0.1) - engine.io version: `~5.0.0` - ws version: `~7.4.2` ### [`v4.0.0`](https://togithub.com/socketio/socket.io/releases/tag/4.0.0) [Compare Source](https://togithub.com/socketio/socket.io/compare/3.1.2...4.0.0) Blog post: https://socket.io/blog/socket-io-4-release/ Migration guide: https://socket.io/docs/v3/migrating-from-3-x-to-4-0/ ##### Bug Fixes - make io.to(...) immutable ([ac9e8ca](https://togithub.com/socketio/socket.io/commit/ac9e8ca6c71e00d4af45ee03f590fe56f3951186)) ##### Features - add some utility methods ([b25495c](https://togithub.com/socketio/socket.io/commit/b25495c069031674da08e19aed68922c7c7a0e28)) - add support for typed events ([#​3822](https://togithub.com/socketio/socket.io/issues/3822)) ([0107510](https://togithub.com/socketio/socket.io/commit/0107510ba8a0f148c78029d8be8919b350feb633)) - allow to exclude specific rooms when broadcasting ([#​3789](https://togithub.com/socketio/socket.io/issues/3789)) ([7de2e87](https://togithub.com/socketio/socket.io/commit/7de2e87e888d849eb2dfc5e362af4c9e86044701)) - allow to pass an array to io.to(...) ([085d1de](https://togithub.com/socketio/socket.io/commit/085d1de9df909651de8b313cc6f9f253374b702e)) ##### BREAKING CHANGES - `io.to(...)` now returns an immutable operator Previously, broadcasting to a given room (by calling `io.to()`) would mutate the io instance, which could lead to surprising behaviors, like: ```js io.to("room1"); io.to("room2").emit(/* ... */); // also sent to room1 // or with async/await io.to("room3").emit("details", await fetchDetails()); // random behavior: maybe in room3, maybe to all clients ``` Calling `io.to()` (or any other broadcast modifier) will now return an immutable instance. ##### Links: - Diff: https://github.com/socketio/socket.io/compare/3.1.2...4.0.0 - Client release: [4.0.0](https://togithub.com/socketio/socket.io-client/releases/tag/4.0.0) - engine.io version: `~5.0.0` - ws version: `~7.4.2` ### [`v3.1.2`](https://togithub.com/socketio/socket.io/releases/tag/3.1.2) [Compare Source](https://togithub.com/socketio/socket.io/compare/3.1.1...3.1.2) ##### Bug Fixes - ignore packets received after disconnection ([494c64e](https://togithub.com/socketio/socket.io/commit/494c64e44f645cbd24c645f1186d203789e84af0)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/3.1.1...3.1.2 - Client release: [3.1.2](https://togithub.com/socketio/socket.io-client/releases/tag/3.1.2) - engine.io version: `~4.1.0` - ws version: `~7.4.2` ### [`v3.1.1`](https://togithub.com/socketio/socket.io/releases/tag/3.1.1) [Compare Source](https://togithub.com/socketio/socket.io/compare/3.1.0...3.1.1) ##### Bug Fixes - properly parse the CONNECT packet in v2 compatibility mode ([6f4bd7f](https://togithub.com/socketio/socket.io/commit/6f4bd7f8e7c41a075a8014565330a77c38b03a8d)) - **typings:** add return types and general-case overload signatures ([#​3776](https://togithub.com/socketio/socket.io/issues/3776)) ([9e8f288](https://togithub.com/socketio/socket.io/commit/9e8f288ca9f14f91064b8d3cce5946f7d23d407c)) - **typings:** update the types of "query", "auth" and "headers" ([4f2e9a7](https://togithub.com/socketio/socket.io/commit/4f2e9a716d9835b550c8fd9a9b429ebf069c2895)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/3.1.0...3.1.1 - Client release: [3.1.1](https://togithub.com/socketio/socket.io-client/releases/tag/3.1.1) - engine.io version: `~4.1.0` - ws version: `~7.4.2` ### [`v3.1.0`](https://togithub.com/socketio/socket.io/releases/tag/3.1.0) [Compare Source](https://togithub.com/socketio/socket.io/compare/3.0.5...3.1.0) In order to ease the migration to Socket.IO v3, the v3 server is now able to communicate with v2 clients: ```js const io = require("socket.io")({ allowEIO3: true // false by default }); ``` Note: the `allowEIO3` refers to the version 3 of the Engine.IO protocol which is used in Socket.IO v2 ##### Features - confirm a weak but matching ETag ([#​3485](https://togithub.com/socketio/socket.io/issues/3485)) ([161091d](https://togithub.com/socketio/socket.io/commit/161091dd4c9e1b1610ac3d45d964195e63d92b94)) - **esm:** export the Namespace and Socket class ([#​3699](https://togithub.com/socketio/socket.io/issues/3699)) ([233650c](https://togithub.com/socketio/socket.io/commit/233650c22209708b5fccc4349c38d2fa1b465d8f)) - add support for Socket.IO v2 clients ([9925746](https://togithub.com/socketio/socket.io/commit/9925746c8ee3a6522bd640b5d586c83f04f2f1ba)) - add room events ([155fa63](https://togithub.com/socketio/socket.io-adapter/commit/155fa6333a504036e99a33667dc0397f6aede25e)) ##### Bug Fixes - allow integers as event names ([1c220dd](https://togithub.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/3.0.5...3.1.0 - Client release: [3.1.0](https://togithub.com/socketio/socket.io-client/releases/tag/3.1.0) - engine.io version: `~4.1.0` - ws version: `~7.4.2` ### [`v3.0.5`](https://togithub.com/socketio/socket.io/releases/tag/3.0.5) [Compare Source](https://togithub.com/socketio/socket.io/compare/3.0.4...3.0.5) ##### Bug Fixes - properly clear timeout on connection failure ([170b739](https://togithub.com/socketio/socket.io/commit/170b739f147cb6c92b423729b877e242e376927d)) ##### Reverts - restore the socket middleware functionality ([bf54327](https://togithub.com/socketio/socket.io/commit/bf5432742158e4d5ba2722cff4a614967dffa5b9)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/3.0.4...3.0.5 - Client release: [3.0.5](https://togithub.com/socketio/socket.io-client/releases/tag/3.0.5) - engine.io version: `~4.0.6` - ws version: `~7.4.2` ### [`v3.0.4`](https://togithub.com/socketio/socket.io/releases/tag/3.0.4) [Compare Source](https://togithub.com/socketio/socket.io/compare/3.0.3...3.0.4) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/3.0.3...3.0.4 - Client release: [3.0.4](https://togithub.com/socketio/socket.io-client/releases/tag/3.0.4) - engine.io version: `~4.0.0` - ws version: `^7.1.2` ### [`v3.0.3`](https://togithub.com/socketio/socket.io/releases/tag/3.0.3) [Compare Source](https://togithub.com/socketio/socket.io/compare/3.0.2...3.0.3) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/3.0.2...3.0.3 - Client release: [3.0.3](https://togithub.com/socketio/socket.io-client/releases/tag/3.0.3) - engine.io version: `~4.0.0` - ws version: `^7.1.2` ### [`v3.0.2`](https://togithub.com/socketio/socket.io/releases/tag/3.0.2) [Compare Source](https://togithub.com/socketio/socket.io/compare/3.0.1...3.0.2) ##### Bug Fixes - merge Engine.IO options ([43705d7](https://togithub.com/socketio/socket.io/commit/43705d7a9149833afc69edc937ea7f8c9aabfeef)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/3.0.1...3.0.2 - Client release: [3.0.2](https://togithub.com/socketio/socket.io-client/releases/tag/3.0.2) - engine.io version: `~4.0.0` - ws version: `^7.1.2` ### [`v3.0.1`](https://togithub.com/socketio/socket.io/releases/tag/3.0.1) [Compare Source](https://togithub.com/socketio/socket.io/compare/3.0.0...3.0.1) ##### Bug Fixes - export ServerOptions and Namespace types ([#​3684](https://togithub.com/socketio/socket.io/issues/3684)) ([f62f180](https://togithub.com/socketio/socket.io/commit/f62f180edafdd56d8a8a277e092bc66df0c5f07f)) - **typings:** update the signature of the emit method ([50671d9](https://togithub.com/socketio/socket.io/commit/50671d984a81535a6a15c704546ca7465e2ea295)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/3.0.0...3.0.1 - Client release: [3.0.1](https://togithub.com/socketio/socket.io-client/releases/tag/3.0.1) - engine.io version: `~4.0.0` - ws version: `^7.1.2` ### [`v3.0.0`](https://togithub.com/socketio/socket.io/releases/tag/3.0.0) [Compare Source](https://togithub.com/socketio/socket.io/compare/2.5.1...3.0.0) More details about this release in the blog post: https://socket.io/blog/socket-io-3-release/ Dedicated migration guide: https://socket.io/docs/migrating-from-2-x-to-3-0/ ##### Bug Fixes - close clients with no namespace ([91cd255](https://togithub.com/socketio/socket.io/commit/91cd255ba76ff6a780c62740f9f5cd3a76f5d7c7)) ##### Features - emit an Error object upon middleware error ([54bf4a4](https://togithub.com/socketio/socket.io/commit/54bf4a44e9e896dfb64764ee7bd4e8823eb7dc7b)) - serve msgpack bundle ([aa7574f](https://togithub.com/socketio/socket.io/commit/aa7574f88471aa30ae472a5cddf1000a8baa70fd)) - add support for catch-all listeners ([5c73733](https://togithub.com/socketio/socket.io/commit/5c737339858d59eab4b5ee2dd6feff0e82c4fe5a)) - make Socket#join() and Socket#leave() synchronous ([129c641](https://togithub.com/socketio/socket.io/commit/129c6417bd818bc8b4e1b831644323876e627c13)) - remove prod dependency to socket.io-client ([7603da7](https://togithub.com/socketio/socket.io/commit/7603da71a535481e3fc60e38b013abf78516d322)) - move binary detection back to the parser ([669592d](https://togithub.com/socketio/socket.io/commit/669592d120409a5cf00f128070dee6d22259ba4f)) - add ES6 module export ([8b6b100](https://togithub.com/socketio/socket.io/commit/8b6b100c284ccce7d85e55659e3397f533916847)) - do not reuse the Engine.IO id ([2875d2c](https://togithub.com/socketio/socket.io/commit/2875d2cfdfa463e64cb520099749f543bbc4eb15)) - remove Server#set() method ([029f478](https://togithub.com/socketio/socket.io/commit/029f478992f59b1eb5226453db46363a570eea46)) - remove Socket#rooms object ([1507b41](https://togithub.com/socketio/socket.io/commit/1507b416d584381554d1ed23c9aaf3b650540071)) - remove the 'origins' option ([a8c0600](https://togithub.com/socketio/socket.io/commit/a8c06006098b512ba1b8b8df82777349db486f41)) - remove the implicit connection to the default namespace ([3289f7e](https://togithub.com/socketio/socket.io/commit/3289f7ec376e9ec88c2f90e2735c8ca8d01c0e97)) - throw upon reserved event names ([4bd5b23](https://togithub.com/socketio/socket.io/commit/4bd5b2339a66a5a675e20f689fff2e70ff12d236)) ##### BREAKING CHANGES - the Socket#use() method is removed (see [5c73733](https://togithub.com/socketio/socket.io/commit/5c737339858d59eab4b5ee2dd6feff0e82c4fe5a)) - Socket#join() and Socket#leave() do not accept a callback argument anymore. Before: ```js socket.join("room1", () => { io.to("room1").emit("hello"); }); ``` After: ```js socket.join("room1"); io.to("room1").emit("hello"); // or await socket.join("room1"); for custom adapters ``` - the "connected" map is renamed to "sockets" - the Socket#binary() method is removed, as this use case is now covered by the ability to provide your own parser. - the 'origins' option is removed Before: ```js new Server(3000, { origins: ["https://example.com"] }); ``` The 'origins' option was used in the allowRequest method, in order to determine whether the request should pass or not. And the Engine.IO server would implicitly add the necessary Access-Control-Allow-xxx headers. After: ```js new Server(3000, { cors: { origin: "https://example.com", methods: ["GET", "POST"], allowedHeaders: ["content-type"] } }); ``` The already existing 'allowRequest' option can be used for validation: ```js new Server(3000, { allowRequest: (req, callback) => { callback(null, req.headers.referer.startsWith("https://example.com")); } }); ``` - Socket#rooms is now a Set instead of an object - Namespace#connected is now a Map instead of an object - there is no more implicit connection to the default namespace: ```js // client-side const socket = io("/admin"); // server-side io.on("connect", socket => { // not triggered anymore }) io.use((socket, next) => { // not triggered anymore }); io.of("/admin").use((socket, next) => { // triggered }); ``` - the Server#set() method was removed This method was kept for backward-compatibility with pre-1.0 versions. ##### Links: - Diff: https://github.com/socketio/socket.io/compare/2.3.0...3.0.0 - Client release: [3.0.0](https://togithub.com/socketio/socket.io-client/releases/tag/3.0.0) - engine.io version: `~4.0.0` - ws version: `^7.1.2` ### [`v2.5.1`](https://togithub.com/socketio/socket.io/releases/tag/2.5.1) [Compare Source](https://togithub.com/socketio/socket.io/compare/2.5.0...2.5.1) ##### Bug Fixes - add a noop handler for the error event ([d30630b](https://togithub.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/2.5.0...2.5.1 - Client release: `-` - engine.io version: `~3.6.0` (no change) - ws version: `~7.5.10` ### [`v2.5.0`](https://togithub.com/socketio/socket.io/releases/tag/2.5.0) [Compare Source](https://togithub.com/socketio/socket.io/compare/2.4.1...2.5.0) :warning: WARNING :warning: The default value of the `maxHttpBufferSize` option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service. Security advisory: https://github.com/advisories/GHSA-j4f2-536g-r55m ##### Bug Fixes - fix race condition in dynamic namespaces ([05e1278](https://togithub.com/socketio/socket.io/commit/05e1278cfa99f3ecf3f8f0531ffe57d850e9a05b)) - ignore packet received after disconnection ([22d4bdf](https://togithub.com/socketio/socket.io/commit/22d4bdf00d1a03885dc0171125faddfaef730066)) - only set 'connected' to true after middleware execution ([226cc16](https://togithub.com/socketio/socket.io/commit/226cc16165f9fe60f16ff4d295fb91c8971cde35)) - prevent the socket from joining a room after disconnection ([f223178](https://togithub.com/socketio/socket.io/commit/f223178eb655a7713303b21a78f9ef9e161d6458)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/2.4.1...2.5.0 - Client release: [2.5.0](https://togithub.com/socketio/socket.io-client/releases/tag/2.5.0) - engine.io version: `~3.6.0` ([diff](https://togithub.com/socketio/engine.io/compare/3.5.0...3.6.0)) - ws version: `~7.4.2` ### [`v2.4.1`](https://togithub.com/socketio/socket.io/releases/tag/2.4.1) [Compare Source](https://togithub.com/socketio/socket.io/compare/2.4.0...2.4.1) This release reverts the breaking change introduced in `2.4.0` (https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7). If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests: - without CORS (server and client are served from the same domain): ```js const io = require("socket.io")(httpServer, { allowRequest: (req, callback) => { callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed } }); ``` - with CORS (server and client are served from distinct domains): ```js io.origins(["http://localhost:3000"]); // for local development io.origins(["https://example.com"]); ``` In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default). ##### Reverts - fix(security): do not allow all origins by default ([a169050](https://togithub.com/socketio/socket.io/commit/a1690509470e9dd5559cec4e60908ca6c23e9ba0)) ##### Links: - Diff: https://github.com/socketio/socket.io/compare/2.4.0...2.4.1 - Client release: - - engine.io version: `~3.5.0` - ws version: `~7.4.2` ### [`v2.4.0`](https://togithub.com/socketio/socket.io/releases/tag/2.4.0) [Compare Source](https://togithub.com/socketio/socket.io/compare/2.3.0...2.4.0) Related blog post: https://socket.io/blog/socket-io-2-4-0/ ##### Features (from Engine.IO) - add support for all cookie options ([19cc582](https://togithub.com/socketio/engine.io/commit/19cc58264a06dca47ed401fbaca32dcdb80a903b)) - disable perMessageDeflate by default ([5ad2736](https://togithub.com/socketio/engine.io/commit/5ad273601eb66c7b318542f87026837bf9dddd21)) ##### Bug Fixes - **security:** do not allow all origins by default ([f78a575](https://togithub.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7)) - properly overwrite the query sent in the handshake ([d33a619](https://togithub.com/socketio/socket.io/commit/d33a619905a4905c153d4fec337c74da5b533a9e)) :warning: **BREAKING CHANGE** :warning: Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (`Access-Control-Allow-xxx`) to **any** domain. This will not be the case anymore, and you now have to explicitly enable it. Please note that you are not impacted if: - you are using Socket.IO v2 and the `origins` option to restrict the list of allowed domains - you are using Socket.IO v3 (disabled by default) This commit also removes the support for '\*' matchers and protocol-less URL: io.origins('https://example.com:443'); => io.origins(['https://example.com']); io.origins('localhost:3000'); => io.origins(['http://localhost:3000']); io.origins('http://localhost:*'); => io.origins(['http://localhost:3000']); io.origins('*:3000'); => io.origins(['http://localhost:3000']); To restore the previous behavior (please use with caution): ```js io.origins((_, callback) => { callback(null, true); }); ``` See also: - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS - https://socket.io/docs/v3/handling-cors/ - https://socket.io/docs/v3/migrating-from-2-x-to-3-0/#CORS-handling Thanks a lot to [@​ni8walk3r](https://togithub.com/ni8walk3r) for the security report. ##### Links: - Milestone: [2.4.0](https://togithub.com/socketio/socket.io/milestone/22) - Diff: https://github.com/socketio/socket.io/compare/2.3.0...2.4.0 - Client release: [2.4.0](https://togithub.com/socketio/socket.io-client/releases/tag/2.4.0) - engine.io version: `~3.5.0` - ws version: `~7.4.2`