208 changes: 196 additions & 12 deletions CHANGELOG.md
@@ -1,7 +1,16 @@
# History

## 2023

- [6.4.2](#642-2023-05-02) (May 2023)
- [6.4.1](#641-2023-02-20) (Feb 2023)
- [6.4.0](#640-2023-02-06) (Feb 2023)
- [6.3.1](#631-2023-01-12) (Jan 2023)
- [6.3.0](#630-2023-01-10) (Jan 2023)

## 2022

- [3.6.1](#361-2022-11-20) (Nov 2022) (from the [3.x](https://github.com/socketio/engine.io/tree/3.x) branch)
- [6.2.1](#621-2022-11-20) (Nov 2022)
- [3.6.0](#360-2022-06-06) (Jun 2022) (from the [3.x](https://github.com/socketio/engine.io/tree/3.x) branch)
- [6.2.0](#620-2022-04-17) (Apr 2022)
@@ -38,6 +47,177 @@

# Release notes

## [6.4.2](https://github.com/socketio/engine.io/compare/6.4.1...6.4.2) (2023-05-02)

:warning: This release contains an important security fix :warning:

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

```
TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')
at Server.onWebSocket (build/server.js:515:67)
```

Please upgrade as soon as possible.


### Bug Fixes

* include error handling for Express middlewares ([#674](https://github.com/socketio/engine.io/issues/674)) ([9395782](https://github.com/socketio/engine.io/commit/93957828be1252c83275b56f0c7c0bd145a0ceb9))
* prevent crash when provided with an invalid query param ([fc480b4](https://github.com/socketio/engine.io/commit/fc480b4f305e16fe5972cf337d055e598372dc44))
* **typings:** make clientsCount public ([#675](https://github.com/socketio/engine.io/issues/675)) ([bd6d471](https://github.com/socketio/engine.io/commit/bd6d4713b02ff646c581872cd9ffe753acff0d73))
* **uws:** prevent crash when using with middlewares ([8b22162](https://github.com/socketio/engine.io/commit/8b2216290330b174c9e67be32765bec0c74769f9))


### Credits

Huge thanks to [@tyilo](https://github.com/tyilo) and [@cieldeville](https://github.com/cieldeville) for helping!


### Dependencies

- [`ws@~8.11.0`](https://github.com/websockets/ws/releases/tag/8.11.0) (no change)



## [6.4.1](https://github.com/socketio/engine.io/compare/6.4.0...6.4.1) (2023-02-20)

This release contains [6e78489](https://github.com/socketio/engine.io/commit/6e78489486f0d7570861fd6002a364d1ab87da4a), which exports the `BaseServer` class in order to restore the compatibility with the `nodenext` module resolution strategy of TypeScript.

Reference: https://www.typescriptlang.org/tsconfig/#moduleResolution

Related: https://github.com/socketio/socket.io/issues/4621


### Dependencies

- [`ws@~8.11.0`](https://github.com/websockets/ws/releases/tag/8.11.0) (no change)


## [6.4.0](https://github.com/socketio/engine.io/compare/6.3.1...6.4.0) (2023-02-06)


### Features

* add support for Express middlewares ([24786e7](https://github.com/socketio/engine.io/commit/24786e77c5403b1c4b5a2bc84e2af06f9187f74a))

This commit implements middlewares at the Engine.IO level, because Socket.IO middlewares are meant for namespace authorization and are not executed during a classic HTTP request/response cycle.

A workaround was possible by using the allowRequest option and the "headers" event, but this feels way cleaner and works with upgrade requests too.

Syntax:

```js
engine.use((req, res, next) => {
// do something

next();
});

// with express-session
import session from "express-session";

engine.use(session({
secret: "keyboard cat",
resave: false,
saveUninitialized: true,
cookie: { secure: true }
}));

// with helmet
import helmet from "helmet";

engine.use(helmet());
```


### Dependencies

- [`ws@~8.11.0`](https://github.com/websockets/ws/releases/tag/8.11.0) (no change)



## [6.3.1](https://github.com/socketio/engine.io/compare/6.3.0...6.3.1) (2023-01-12)


### Dependencies

- [`ws@~8.11.0`](https://github.com/websockets/ws/releases/tag/8.11.0) (no change)



## [6.3.0](https://github.com/socketio/engine.io/compare/6.2.1...6.3.0) (2023-01-10)


### Bug Fixes

* fix the ES module wrapper ([ed87609](https://github.com/socketio/engine.io/commit/ed87609bafca0e844e6b29ea1a895d95df6a544c))
* wait for all packets to be sent before closing the WebSocket connection ([a65a047](https://github.com/socketio/engine.io/commit/a65a047526401bebaa113a8c70d03f5d963eaa54))


### Features

* add the "addTrailingSlash" option ([#655](https://github.com/socketio/engine.io/issues/655)) ([d0fd474](https://github.com/socketio/engine.io/commit/d0fd4746afa396297f07bb62e539b0c1c4018d7c))

The trailing slash which was added by default can now be disabled:

```js
import { Server } from "engine.io";

const server = new Server();

server.attach(httpServer, {
addTrailingSlash: false
});
```

In the example above, the clients can omit the trailing slash and use `/engine.io` instead of `/engine.io/`.


### Performance Improvements

* add the wsPreEncodedFrame option ([5e34722](https://github.com/socketio/engine.io/commit/5e34722b0b6564d6207a56d69bc3b0a831e4dc46))

This will be used when broadcasting packets at the Socket.IO level.

See also: https://github.com/socketio/socket.io-adapter/commit/5f7b47d40f9daabe4e3c321eda620bbadfe5ce96

### Dependencies

- [`ws@~8.11.0`](https://github.com/websockets/ws/releases/tag/8.11.0) ([diff](https://github.com/websockets/ws/compare/8.2.3...8.11.0))



## [3.6.1](https://github.com/socketio/engine.io/compare/3.6.0...3.6.1) (2022-11-20)

:warning: This release contains an important security fix :warning:

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

```
Error: read ECONNRESET
at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
at emitErrorNT (internal/streams/destroy.js:106:8)
at emitErrorCloseNT (internal/streams/destroy.js:74:3)
at processTicksAndRejections (internal/process/task_queues.js:80:21) {
errno: -104,
code: 'ECONNRESET',
syscall: 'read'
}
```

Please upgrade as soon as possible.

### Bug Fixes

* catch errors when destroying invalid upgrades ([83c4071](https://github.com/socketio/engine.io/commit/83c4071af871fc188298d7d591e95670bf9f9085))

### Dependencies

- [`ws@~7.4.2`](https://github.com/websockets/ws/releases/tag/7.4.2) (no change)


## [6.2.1](https://github.com/socketio/engine.io/compare/6.2.0...6.2.1) (2022-11-20)

:warning: This release contains an important security fix :warning:
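Review bot: the 6.4.2 security paragraph does not say which of the four bug-fix entries is the security fix, and neither it nor the 3.6.1 paragraph further down cites an advisory; two entries in the list (`fc480b4` "prevent crash when provided with an invalid query param" and `8b22162` "uws: prevent crash when using with middlewares") both describe a crash, so name the fixing commit in the warning block, state the affected version range explicitly instead of leaving readers to infer it from the heading, and add the advisory link once it is published. SECURITY.md in this same commit already links GHSA-r7qp-cfhv-p84w (CVE-2022-41940) for the Nov 2022 fix, so the 3.6.1 and 6.2.1 sections should reference it too; someone grepping logs for `TypeError: Cannot read properties of undefined (reading 'handlesUpgrades')` or `Error: read ECONNRESET` on an `upgrade` path needs to land on the advisory, not only on a stack trace.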
@@ -63,9 +243,13 @@ Please upgrade as soon as possible.

* catch errors when destroying invalid upgrades ([#658](https://github.com/socketio/engine.io/issues/658)) ([425e833](https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6))

### Dependencies

- [`ws@~8.2.3`](https://github.com/websockets/ws/releases/tag/8.2.3) (no change)



# [3.6.0](https://github.com/socketio/engine.io/compare/3.5.0...3.6.0) (2022-06-06)
## [3.6.0](https://github.com/socketio/engine.io/compare/3.5.0...3.6.0) (2022-06-06)


### Bug Fixes
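Review bot: the `#` to `##` change on the 3.6.0 heading (repeated for every older release below) is the right fix so that releases nest under `# Release notes`; no index link needs updating because GitHub derives the anchor (`#360-2022-06-06`) from the heading text, not its level. The new 6.2.1 `### Dependencies` subsection is consistent with the 6.3.0 entry above it (`8.2.3...8.11.0` diff), and note that the 3.x branch pins `ws@~7.4.2` while 6.x is on `~8.11.0`, so a `ws` advisory affecting one major does not automatically imply the other branch is affected.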
@@ -88,7 +272,7 @@ See also: https://github.com/advisories/GHSA-j4f2-536g-r55m



# [6.2.0](https://github.com/socketio/engine.io/compare/6.1.3...6.2.0) (2022-04-17)
## [6.2.0](https://github.com/socketio/engine.io/compare/6.1.3...6.2.0) (2022-04-17)


### Features
@@ -150,7 +334,7 @@ Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.



# [6.1.0](https://github.com/socketio/engine.io/compare/6.0.0...6.1.0) (2021-11-08)
## [6.1.0](https://github.com/socketio/engine.io/compare/6.0.0...6.1.0) (2021-11-08)


### Bug Fixes
@@ -178,7 +362,7 @@ Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.



# [6.0.0](https://github.com/socketio/engine.io/compare/5.2.0...6.0.0) (2021-10-08)
## [6.0.0](https://github.com/socketio/engine.io/compare/5.2.0...6.0.0) (2021-10-08)

The codebase was migrated to TypeScript ([c0d6eaa](https://github.com/socketio/engine.io/commit/c0d6eaa1ba1291946dc8425d5f533d5f721862dd))

@@ -207,7 +391,7 @@ const eioServer = new Server(httpServer);

`ws` version: `~8.2.3` (bumped from `~7.4.2`)

# [5.2.0](https://github.com/socketio/engine.io/compare/5.1.1...5.2.0) (2021-08-29)
## [5.2.0](https://github.com/socketio/engine.io/compare/5.1.1...5.2.0) (2021-08-29)

No change on the server-side, this matches the client release.

@@ -220,7 +404,7 @@ No change on the server-side, this matches the client release.
* properly close the websocket connection upon handshake error ([4360686](https://github.com/socketio/engine.io/commit/43606865e5299747cbb31f3ed9baf4567502a879))


# [5.1.0](https://github.com/socketio/engine.io/compare/5.0.0...5.1.0) (2021-05-04)
## [5.1.0](https://github.com/socketio/engine.io/compare/5.0.0...5.1.0) (2021-05-04)


### Features
@@ -235,7 +419,7 @@ No change on the server-side, this matches the client release.
* **websocket:** fix write back-pressure ([#618](https://github.com/socketio/engine.io/issues/618)) ([ad5306a](https://github.com/socketio/engine.io/commit/ad5306aeaedf06ac7a49f791e1b76e55c35a564e))


# [5.0.0](https://github.com/socketio/engine.io/compare/4.1.1...5.0.0) (2021-03-10)
## [5.0.0](https://github.com/socketio/engine.io/compare/4.1.1...5.0.0) (2021-03-10)


### Bug Fixes
@@ -278,7 +462,7 @@ const eioServer = require("engine.io")(httpServer, {
* do not reset the ping timer after upgrade ([ff2b8ab](https://github.com/socketio/engine.io/commit/ff2b8aba48ebcb0de5626d3b76fddc94c398395f)), closes [/github.com/socketio/socket.io-client-swift/pull/1309#issuecomment-768475704](https://github.com//github.com/socketio/socket.io-client-swift/pull/1309/issues/issuecomment-768475704)


# [4.1.0](https://github.com/socketio/engine.io/compare/4.0.6...4.1.0) (2021-01-14)
## [4.1.0](https://github.com/socketio/engine.io/compare/4.0.6...4.1.0) (2021-01-14)


### Features
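Review bot: the `closes` link on the context line just above the 4.1.0 heading is malformed: the visible target is `https://github.com//github.com/socketio/socket.io-client-swift/pull/1309/issues/issuecomment-768475704` (doubled host, fragment rewritten as a path), so it 404s. Since this hunk already edits the section, repoint it at what the link text itself spells out, `https://github.com/socketio/socket.io-client-swift/pull/1309#issuecomment-768475704`.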
@@ -295,7 +479,7 @@ const eioServer = require("engine.io")(httpServer, {



# [3.5.0](https://github.com/socketio/engine.io/compare/3.4.2...3.5.0) (2020-12-30)
## [3.5.0](https://github.com/socketio/engine.io/compare/3.4.2...3.5.0) (2020-12-30)


### Features
@@ -334,7 +518,7 @@ No change on the server-side, this matches the client release.



# [4.0.0](https://github.com/socketio/engine.io/compare/v4.0.0-alpha.1...4.0.0) (2020-09-10)
## [4.0.0](https://github.com/socketio/engine.io/compare/v4.0.0-alpha.1...4.0.0) (2020-09-10)

More details about this release in the blog post: https://socket.io/blog/engine-io-4-release/

@@ -387,7 +571,7 @@ More details about this release in the blog post: https://socket.io/blog/engine-



# [4.0.0-alpha.1](https://github.com/socketio/engine.io/compare/v4.0.0-alpha.0...v4.0.0-alpha.1) (2020-02-12)
## [4.0.0-alpha.1](https://github.com/socketio/engine.io/compare/v4.0.0-alpha.0...v4.0.0-alpha.1) (2020-02-12)

#### Links

@@ -397,7 +581,7 @@ More details about this release in the blog post: https://socket.io/blog/engine-



# [4.0.0-alpha.0](https://github.com/socketio/engine.io/compare/3.4.0...v4.0.0-alpha.0) (2020-02-12)
## [4.0.0-alpha.0](https://github.com/socketio/engine.io/compare/3.4.0...v4.0.0-alpha.0) (2020-02-12)


### Features
8 changes: 8 additions & 0 deletions README.md
@@ -338,6 +338,14 @@ A representation of a client. _Inherits from EventEmitter_.
- Fired when an error occurs.
- **Arguments**
- `Error`: error object
- `upgrading`
- Fired when the client starts the upgrade to a better transport like WebSocket.
- **Arguments**
- `Object`: the transport
- `upgrade`
- Fired when the client completes the upgrade to a better transport like WebSocket.
- **Arguments**
- `Object`: the transport
- `flush`
- Called when the write buffer is being flushed.
- **Arguments**
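Review bot: "`Object`: the transport" is too vague for both new events; name the concrete type (the transport instance the client is upgrading to) so a handler knows what it can inspect. Because `upgrading` fires when the upgrade starts and `upgrade` only when it completes, the entries should also say what happens when the upgrade fails, for example whether `upgrade` is simply never emitted and the `error` event above is the signal, since a handler that records state on `upgrading` needs to know when to discard it. Minor: the adjacent `flush` entry says "Called" where every other entry says "Fired"; align while here.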
23 changes: 23 additions & 0 deletions SECURITY.md
@@ -0,0 +1,23 @@
# Security Policy

## Supported Versions

| Version | `socket.io` version | Supported |
|---------|---------------------|--------------------|
| 6.x | 4.x | :white_check_mark: |
| 4.x | 3.x | :white_check_mark: |
| 3.5.x | 2.4.x | :white_check_mark: |
| < 3.5.0 | < 2.4.0 | :x: |

## Reporting a Vulnerability

To report a security vulnerability in this package, please send an email to [@darrachequesne](https://github.com/darrachequesne) (see address in profile) describing the vulnerability and how to reproduce it.

We will get back to you as soon as possible and publish a fix if necessary.

:warning: IMPORTANT :warning: please do not create an issue in this repository, as attackers might take advantage of it. Thank you in advance for your responsible disclosure.

## History

- Jan 2022: [Uncaught exception in engine.io](https://github.com/socketio/engine.io/security/advisories/GHSA-273r-mgr4-v34f) (CVE-2022-21676)
- Nov 2022: [Uncaught exception in engine.io](https://github.com/socketio/engine.io/security/advisories/GHSA-r7qp-cfhv-p84w) (CVE-2022-41940)
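Review bot: the History list stops at Nov 2022, but this same commit adds the 6.4.2 (May 2023) security fix to CHANGELOG.md; add it here, with its advisory once published, so the two files do not disagree. The Supported Versions table also skips 5.x entirely (5.0.0 through 5.2.0 appear in the changelog) and lists `3.5.x` although the 3.x branch shipped 3.6.0 and 3.6.1; state the 5.x status explicitly and widen the 3.x row, otherwise an operator on 5.x or 3.6.x cannot tell from this file whether they receive fixes. Finally, "see address in profile" is fragile as a reporting channel; a dedicated security address or GitHub private vulnerability reporting would keep reports from depending on one personal profile.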
6 changes: 6 additions & 0 deletions examples/esm-import/README.md
@@ -0,0 +1,6 @@
## How to use

```
$ npm link ../..
$ node index.js
```
3 changes: 3 additions & 0 deletions examples/esm-import/index.js
@@ -0,0 +1,3 @@
import { Server } from "engine.io";

console.log(Server);
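Review bot: `console.log(Server);` exercises the ESM wrapper fixed in `ed87609` ("fix the ES module wrapper" in the 6.3.0 notes) but cannot fail: if the named export is missing it prints `undefined` and still exits 0. Turn it into a real check, e.g. `if (typeof Server !== "function") { process.exit(1); }`, so the example doubles as a regression test when run from CI.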
6 changes: 6 additions & 0 deletions examples/esm-import/package.json
@@ -0,0 +1,6 @@
{
"name": "esm-import",
"version": "0.0.1",
"private": true,
"type": "module"
}