socket.io

Bug Fixes

• typings: allow async listener in typed events (ccfd8ca)

Features

• ignore the query string when serving client JavaScript (#4024) (24fee27)

Links:

• Diff: https://github.com/socketio/socket.io/compare/4.1.3...4.2.0
• Client release: 4.2.0
• engine.io version: ~5.2.0
• ws version: ~7.4.2

Bug Fixes

• fix io.except() method (94e27cd)
• remove x-sourcemap header (a4dffc6)

Links:

• Diff: https://github.com/socketio/socket.io/compare/4.1.2...4.1.3
• Client release: 4.1.3
• engine.io version: ~5.1.0
• ws version: ~7.4.2

Bug Fixes

• typings: ensure compatibility with TypeScript 3.x (0cb6ac9)
• ensure compatibility with previous versions of the adapter (a2cf248)

Links:

• Diff: https://github.com/socketio/socket.io/compare/4.1.1...4.1.2
• Client release: 4.1.2
• engine.io version: ~5.1.0
• ws version: ~7.4.2

Bug Fixes

• typings: properly type server-side events (b84ed1e)
• typings: properly type the adapter attribute (891b187)

Links:

• Diff: https://github.com/socketio/socket.io/compare/4.1.0...4.1.1
• Client release: 4.1.1
• engine.io version: ~5.1.0
• ws version: ~7.4.2

Blog post: https://socket.io/blog/socket-io-4-1-0/

Features

• add support for inter-server communication (93cce05)
• notify upon namespace creation (499c892)
• add a "connection_error" event (7096e98, from engine.io)
• add the "initial_headers" and "headers" events (2527543, from engine.io)

Links:

• Diff: https://github.com/socketio/socket.io/compare/4.0.2...4.1.0
• Client release: 4.1.0
• engine.io version: ~5.1.0
• ws version: ~7.4.2

Bug Fixes

• typings: make "engine" attribute public (b81ce4c)
• properly export the Socket class (d65b6ee)

Links:

• Diff: https://github.com/socketio/socket.io/compare/4.0.1...4.0.2
• Client release: 4.0.2
• engine.io version: ~5.0.0
• ws version: ~7.4.2

Bug Fixes

• typings: add fallback to untyped event listener (#3834) (a11152f)
• typings: update return type from emit (#3843) (1a72ae4)

Links:

• Diff: https://github.com/socketio/socket.io/compare/4.0.0...4.0.1
• Client release: 4.0.1
• engine.io version: ~5.0.0
• ws version: ~7.4.2

Blog post: https://socket.io/blog/socket-io-4-release/
Migration guide: https://socket.io/docs/v3/migrating-from-3-x-to-4-0/

Bug Fixes

• make io.to(...) immutable (ac9e8ca)

Features

• add some utility methods (b25495c)
• add support for typed events (#3822) (0107510)
• allow to exclude specific rooms when broadcasting (#3789) (7de2e87)
• allow to pass an array to io.to(...) (085d1de)

BREAKING CHANGES

• io.to(...) now returns an immutable operator

Previously, broadcasting to a given room (by calling io.to()) would mutate the io instance, which could lead to surprising behaviors, like:

io.to("room1");
io.to("room2").emit(/* ... */); // also sent to room1

// or with async/await
io.to("room3").emit("details", await fetchDetails()); // random behavior: maybe in room3, maybe to all clients

Calling io.to() (or any other broadcast modifier) will now return an immutable instance.

Links:

• Diff: https://github.com/socketio/socket.io/compare/3.1.2...4.0.0
• Client release: 4.0.0
• engine.io version: ~5.0.0
• ws version: ~7.4.2

Bug Fixes

• ignore packets received after disconnection (494c64e)

Links:

• Diff: https://github.com/socketio/socket.io/compare/3.1.1...3.1.2
• Client release: 3.1.2
• engine.io version: ~4.1.0
• ws version: ~7.4.2

Bug Fixes

• properly parse the CONNECT packet in v2 compatibility mode (6f4bd7f)
• typings: add return types and general-case overload signatures (#3776) (9e8f288)
• typings: update the types of "query", "auth" and "headers" (4f2e9a7)

Links:

• Diff: https://github.com/socketio/socket.io/compare/3.1.0...3.1.1
• Client release: 3.1.1
• engine.io version: ~4.1.0
• ws version: ~7.4.2

In order to ease the migration to Socket.IO v3, the v3 server is now able to communicate with v2 clients:

const io = require("socket.io")({
  allowEIO3: true // false by default
});

Note: the allowEIO3 refers to the version 3 of the Engine.IO protocol which is used in Socket.IO v2

Features

• confirm a weak but matching ETag (#3485) (161091d)
• esm: export the Namespace and Socket class (#3699) (233650c)
• add support for Socket.IO v2 clients (9925746)
• add room events (155fa63)

Bug Fixes

• allow integers as event names (1c220dd)

Links:

• Diff: https://github.com/socketio/socket.io/compare/3.0.5...3.1.0
• Client release: 3.1.0
• engine.io version: ~4.1.0
• ws version: ~7.4.2

This release reverts the breaking change introduced in 2.4.0 (https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7).

If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:

• without CORS (server and client are served from the same domain):

const io = require("socket.io")(httpServer, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed
  }
});

• with CORS (server and client are served from distinct domains):

io.origins(["http://localhost:3000"]); // for local development
io.origins(["https://example.com"]);

In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).

Reverts

• fix(security): do not allow all origins by default (a169050)

Links:

• Diff: https://github.com/socketio/socket.io/compare/2.4.0...2.4.1
• Client release: -
• engine.io version: ~3.5.0
• ws version: ~7.4.2

Bug Fixes

• properly clear timeout on connection failure (170b739)

Reverts

• restore the socket middleware functionality (bf54327)

Links:

• Diff: https://github.com/socketio/socket.io/compare/3.0.4...3.0.5
• Client release: 3.0.5
• engine.io version: ~4.0.6
• ws version: ~7.4.2

Related blog post: https://socket.io/blog/socket-io-2-4-0/

Features (from Engine.IO)

• add support for all cookie options (19cc582)
• disable perMessageDeflate by default (5ad2736)

Bug Fixes

• security: do not allow all origins by default (f78a575)
• properly overwrite the query sent in the handshake (d33a619)

⚠️ BREAKING CHANGE ⚠️

Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (Access-Control-Allow-xxx) to any domain. This will not be the case anymore, and you now have to explicitly enable it.

Please note that you are not impacted if:

• you are using Socket.IO v2 and the origins option to restrict the list of allowed domains
• you are using Socket.IO v3 (disabled by default)

This commit also removes the support for '*' matchers and protocol-less URL:

io.origins('https://example.com:443'); => io.origins(['https://example.com']);
io.origins('localhost:3000');          => io.origins(['http://localhost:3000']);
io.origins('http://localhost:*');      => io.origins(['http://localhost:3000']);
io.origins('*:3000');                  => io.origins(['http://localhost:3000']);

To restore the previous behavior (please use with caution):

io.origins((_, callback) => {
  callback(null, true);
});

See also:

• https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
• https://socket.io/docs/v3/handling-cors/
• https://socket.io/docs/v3/migrating-from-2-x-to-3-0/#CORS-handling

Thanks a lot to @ni8walk3r for the security report.

Links:

• Milestone: 2.4.0
• Diff: https://github.com/socketio/socket.io/compare/2.3.0...2.4.0
• Client release: 2.4.0
• engine.io version: ~3.5.0
• ws version: ~7.4.2

Links:

• Diff: https://github.com/socketio/socket.io/compare/3.0.3...3.0.4
• Client release: 3.0.4
• engine.io version: ~4.0.0
• ws version: ^7.1.2

Links:

• Diff: https://github.com/socketio/socket.io/compare/3.0.2...3.0.3
• Client release: 3.0.3
• engine.io version: ~4.0.0
• ws version: ^7.1.2

Bug Fixes

• merge Engine.IO options (43705d7)

Links:

• Diff: https://github.com/socketio/socket.io/compare/3.0.1...3.0.2
• Client release: 3.0.2
• engine.io version: ~4.0.0
• ws version: ^7.1.2

Bug Fixes

• export ServerOptions and Namespace types (#3684) (f62f180)
• typings: update the signature of the emit method (50671d9)

Links:

• Diff: https://github.com/socketio/socket.io/compare/3.0.0...3.0.1
• Client release: 3.0.1
• engine.io version: ~4.0.0
• ws version: ^7.1.2

More details about this release in the blog post: https://socket.io/blog/socket-io-3-release/

Dedicated migration guide: https://socket.io/docs/migrating-from-2-x-to-3-0/

Bug Fixes

• close clients with no namespace (91cd255)

Features

• emit an Error object upon middleware error (54bf4a4)
• serve msgpack bundle (aa7574f)
• add support for catch-all listeners (5c73733)
• make Socket#join() and Socket#leave() synchronous (129c641)
• remove prod dependency to socket.io-client (7603da7)
• move binary detection back to the parser (669592d)
• add ES6 module export (8b6b100)
• do not reuse the Engine.IO id (2875d2c)
• remove Server#set() method (029f478)
• remove Socket#rooms object (1507b41)
• remove the 'origins' option (a8c0600)
• remove the implicit connection to the default namespace (3289f7e)
• throw upon reserved event names (4bd5b23)

BREAKING CHANGES

• the Socket#use() method is removed (see 5c73733)

• Socket#join() and Socket#leave() do not accept a callback argument anymore.

Before:

socket.join("room1", () => {
 io.to("room1").emit("hello");
});

After:

socket.join("room1");
io.to("room1").emit("hello");
// or await socket.join("room1"); for custom adapters

• the "connected" map is renamed to "sockets"
• the Socket#binary() method is removed, as this use case is now covered by the ability to provide your own parser.
• the 'origins' option is removed

Before:

new Server(3000, {
  origins: ["https://example.com"]
});

The 'origins' option was used in the allowRequest method, in order to
determine whether the request should pass or not. And the Engine.IO
server would implicitly add the necessary Access-Control-Allow-xxx
headers.

After:

new Server(3000, {
  cors: {
    origin: "https://example.com",
    methods: ["GET", "POST"],
    allowedHeaders: ["content-type"]
  }
});

The already existing 'allowRequest' option can be used for validation:

new Server(3000, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.referer.startsWith("https://example.com"));
  }
});

• Socket#rooms is now a Set instead of an object

• Namespace#connected is now a Map instead of an object

• there is no more implicit connection to the default namespace:

// client-side
const socket = io("/admin");

// server-side
io.on("connect", socket => {
  // not triggered anymore
})

io.use((socket, next) => {
  // not triggered anymore
});

io.of("/admin").use((socket, next) => {
  // triggered
});

• the Server#set() method was removed

This method was kept for backward-compatibility with pre-1.0 versions.

Links:

• Diff: https://github.com/socketio/socket.io/compare/2.3.0...3.0.0
• Client release: 3.0.0
• engine.io version: ~4.0.0
• ws version: ^7.1.2

Features

• emit an Error object upon middleware error (54bf4a4)
• serve msgpack bundle (aa7574f)

Links:

• Milestone: 3.0.0
• Diff: https://github.com/socketio/socket.io/compare/3.0.0-rc3...3.0.0-rc4
• Client release: 3.0.0-rc4
• engine.io version: ~4.0.0
• ws version: ^7.1.2