Releases: socketio/engine.io
6.4.0
Features
- add support for Express middlewares (24786e7)
This commit implements middlewares at the Engine.IO level, because Socket.IO middlewares are meant for namespace authorization and are not executed during a classic HTTP request/response cycle.
A workaround was possible by using the allowRequest option and the "headers" event, but this feels way cleaner and works with upgrade requests too.
Syntax:
// "engine" is an engine.io Server instance
engine.use((req, res, next) => {
  // do something
  next();
});

// with express-session
import session from "express-session";
engine.use(session({
  secret: "keyboard cat",
  resave: false,
  saveUninitialized: true,
  cookie: { secure: true }
}));

// with helmet
import helmet from "helmet";
engine.use(helmet());
Links
- Diff: 6.3.1...6.4.0
- Client release: 6.4.0
- ws version: ~8.11.0 (no change)
6.3.1
Links
- Diff: 6.3.0...6.3.1
- Client release: -
- ws version: ~8.11.0 (no change)
6.3.0
Bug Fixes
- fix the ES module wrapper (ed87609)
- wait for all packets to be sent before closing the WebSocket connection (a65a047)
Features
The trailing slash, which was added by default, can now be disabled:
import { Server } from "engine.io";

const server = new Server();
server.attach(httpServer, {
  addTrailingSlash: false
});
In the example above, the clients can omit the trailing slash and use /engine.io instead of /engine.io/.
Performance Improvements
- add the wsPreEncodedFrame option (5e34722)
This will be used when broadcasting packets at the Socket.IO level.
See also: socketio/socket.io-adapter@5f7b47d
Links
- Diff: 6.2.1...6.3.0
- Client release: 6.3.0
- ws version: ~8.11.0 (diff)
6.2.1
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}
Please upgrade as soon as possible.
Bug Fixes
3.6.1
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}
Please upgrade as soon as possible.
Bug Fixes
- catch errors when destroying invalid upgrades (83c4071)
3.6.0
Bug Fixes
- add extension in the package.json main entry (#608) (3ad0567)
- do not reset the ping timer after upgrade (1f5d469)
Features
- decrease the default value of maxHttpBufferSize (58e274c)
This change reduces the default value from 100 MB to a more sane 1 MB.
This helps protect the server against denial of service attacks by malicious clients sending huge amounts of data.
See also: GHSA-j4f2-536g-r55m
- increase the default value of pingTimeout (f55a79a)
Links
- Diff: 3.5.0...3.6.0
- Client release: -
- ws version: ~7.4.2
6.2.0
Features
- add the "maxPayload" field in the handshake details (088dcb4)
So that clients in HTTP long-polling can decide how many packets they have to send to stay under the maxHttpBufferSize value.
This is a backward compatible change which should not mandate a new major revision of the protocol (we stay in v4), as we only add a field in the JSON-encoded handshake data:
0{"sid":"lv_VI97HAXpY6yYWAAAC","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000,"maxPayload":1000000}
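An added example (not engine.io's own code) of what a long-polling client can do with that field: parse the open packet, fall back to a limit when an older server omits maxPayload, and group queued packets into request bodies that stay under the server's limit. It assumes the Engine.IO v4 payload encoding (packets joined with the 0x1e record separator) and a constructed fallback value of 1000000 bytes.

```javascript
// Added example, not engine.io's own code. Assumes Engine.IO v4 payload
// encoding (packets joined with the 0x1e record separator) and a constructed
// fallback limit for older servers that omit the "maxPayload" field.
const RECORD_SEPARATOR = "\x1e";
const FALLBACK_MAX_PAYLOAD = 1000000; // assumption, not a protocol-defined default

// Parse the open packet ("0" followed by JSON) and normalise maxPayload.
function parseOpenPacket(packet) {
  if (typeof packet !== "string" || packet[0] !== "0") {
    throw new Error("not an Engine.IO open packet");
  }
  const handshake = JSON.parse(packet.slice(1));
  if (typeof handshake.sid !== "string") {
    throw new Error("handshake is missing sid");
  }
  const valid = Number.isInteger(handshake.maxPayload) && handshake.maxPayload > 0;
  // Servers before 6.2.0 send no maxPayload: fall back rather than assume unlimited.
  return { ...handshake, maxPayload: valid ? handshake.maxPayload : FALLBACK_MAX_PAYLOAD };
}

// Group already-encoded packets into polling request bodies whose UTF-8 byte
// size stays <= maxPayload. Byte length, not string length, is what the server's
// maxHttpBufferSize check measures, so multi-byte characters count in full.
function splitIntoPayloads(packets, maxPayload) {
  const payloads = [];
  let current = [];
  let currentSize = 0;
  for (const packet of packets) {
    const size = Buffer.byteLength(packet, "utf8");
    if (size > maxPayload) {
      throw new Error(`packet of ${size} bytes exceeds maxPayload ${maxPayload}`);
    }
    // Every packet after the first costs one extra byte for the separator.
    const cost = current.length === 0 ? size : size + 1;
    if (currentSize + cost > maxPayload) {
      payloads.push(current.join(RECORD_SEPARATOR));
      current = [packet];
      currentSize = size;
    } else {
      current.push(packet);
      currentSize += cost;
    }
  }
  if (current.length > 0) payloads.push(current.join(RECORD_SEPARATOR));
  return payloads;
}
```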
Links
- Diff: 6.1.3...6.2.0
- Client release: 6.2.0
- ws version: ~8.2.3
6.1.3
6.1.2
6.1.1
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
    at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14)
    at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22)
    at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10)
    at writeOrBuffer (internal/streams/writable.js:358:12)
This bug was introduced by this commit, included in engine.io@4.0.0, so previous releases are not impacted.
Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.
Bug Fixes
- properly handle invalid data sent by a malicious websocket client (c0e194d)
Links
- Diff: 6.1.0...6.1.1
- Client release: -
- ws version: ~8.2.3