Sourced from socket.io's releases.

2.5.0

⚠️ WARNING ⚠️

The default value of the maxHttpBufferSize option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.

Security advisory: GHSA-j4f2-536g-r55m

Bug Fixes

• fix race condition in dynamic namespaces (05e1278)
• ignore packet received after disconnection (22d4bdf)
• only set 'connected' to true after middleware execution (226cc16)
• prevent the socket from joining a room after disconnection (f223178)

Links:

• Diff: socketio/socket.io@2.4.1...2.5.0
• Client release: 2.5.0
• engine.io version: ~3.6.0 (diff)
• ws version: ~7.4.2

2.4.1

This release reverts the breaking change introduced in 2.4.0 (socketio/socket.io@f78a575).

If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:

• without CORS (server and client are served from the same domain):

const io = require("socket.io")(httpServer, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed
  }
});

• with CORS (server and client are served from distinct domains):

io.origins(["http://localhost:3000"]); // for local development
io.origins(["https://example.com"]);

In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).

Reverts

• fix(security): do not allow all origins by default (a169050)

Links:

... (truncated)

Sourced from socket.io's changelog.

2.5.0 (2022-06-26)

Bug Fixes

• fix race condition in dynamic namespaces (05e1278)
• ignore packet received after disconnection (22d4bdf)
• only set 'connected' to true after middleware execution (226cc16)
• prevent the socket from joining a room after disconnection (f223178)

2.4.1 (2021-01-07)

Reverts

• fix(security): do not allow all origins by default (a169050)

2.4.0 (2021-01-04)

Bug Fixes

• security: do not allow all origins by default (f78a575)
• properly overwrite the query sent in the handshake (d33a619)

• baa6804 chore(release): 2.5.0
• f223178 fix: prevent the socket from joining a room after disconnection
• 226cc16 fix: only set 'connected' to true after middleware execution
• 05e1278 fix: fix race condition in dynamic namespaces
• 22d4bdf fix: ignore packet received after disconnection
• dfded53 chore: update engine.io version to 3.6.0
• e6b8697 chore(release): 2.4.1
• a169050 revert: fix(security): do not allow all origins by default
• 873fdc5 chore(release): 2.4.0
• f78a575 fix(security): do not allow all origins by default
• Additional commits viewable in compare view

Sourced from debug's releases.

3.1.0

Minor Changes

• Ignore package-lock.json: e7e568a24736486721882282eb21beb31c741647
• Remove component.json: 47747f329fe159e94262318b52b87a48f6c0acd4
• Remove "component" from package.json: bdb7e0137f84dc8bcfc95daede7c694799d38dbf
• Add DEBUG_HIDE_DATE env var: #486

Patches

• Correct spelling mistake: daf1a7c8c0f62f5dbc8d48158d6748d0527cc551
• Examples: fix colors printout: 7cd9e539ce571fc3314d34d9d1dac3124839dbac
• Fix browser detection: fdfa0f5f6cc7e83fd60b6cf1e7b990cbf6388621
• Remove ReDoS regexp in %o formatter: #504

Credits

Huge thanks to @​amejiarosario and @​zhuangya for their help!

3.0.0

Featuring pretty new colors!

Major Changes

• Remove DEBUG_FD: #406
• Make millisecond timer namespace specific and allow 'always enabled' output: #408
• Use Date#toISOString() instead to Date#toUTCString() when output is not a TTY: #418
• enabled() updates existing debug instances: #440

Minor Changes

• Add destroy() function: #440
• Document enabled flag: #465
• Support 256 colors: #481
• Update "browserify" to v14.4.0: 826fd94639efeaa3c5701b50d335caead084a5d6
• Separate Node.js and web browser examples: 87880f6ae1f48b12d9f3346bce564a66cba6b93e
• Example: use %o formatter: 31f3343de76cb8687041387a1b811745c6e84473
• More readme screenshots replaced: 25eb545324912dd2863658d0ba35426c0f617619
• Add Namespace Colors section to readme: 8b5c438a222167bd0cc66db046bac073f01b3c01
• Separate the Node and Browser tests in Travis: f178d861df18abacac6e9e4607c7306a1147bf3d

Patches

• Readme: fix typo: #473
• Component: update "ms" to v2.0.0: d2dd80aeaf1b037f0b3be21838c4594bbedc4a9c

Credits

... (truncated)

Sourced from debug's changelog.

3.1.0 / 2017-09-26

• Add DEBUG_HIDE_DATE env var (#486)
• Remove ReDoS regexp in %o formatter (#504)
• Remove "component" from package.json
• Remove component.json
• Ignore package-lock.json
• Examples: fix colors printout
• Fix: browser detection
• Fix: spelling mistake (#496, @​EdwardBetts)

3.0.1 / 2017-08-24

• Fix: Disable colors in Edge and Internet Explorer (#489)

3.0.0 / 2017-08-08

• Breaking: Remove DEBUG_FD (#406)
• Breaking: Use Date#toISOString() instead to Date#toUTCString() when output is not a TTY (#418)
• Breaking: Make millisecond timer namespace specific and allow 'always enabled' output (#408)
• Addition: document enabled flag (#465)
• Addition: add 256 colors mode (#481)
• Addition: enabled() updates existing debug instances, add destroy() function (#440)
• Update: component: update "ms" to v2.0.0
• Update: separate the Node and Browser tests in Travis-CI
• Update: refactor Readme, fixed documentation, added "Namespace Colors" section, redid screenshots
• Update: separate Node.js and web browser examples for organization
• Update: update "browserify" to v14.4.0
• Fix: fix Readme typo (#473)

2.6.9 / 2017-09-22

• remove ReDoS regexp in %o formatter (#504)

2.6.8 / 2017-05-18

• Fix: Check for undefined on browser globals (#462, @​marbemac)

2.6.7 / 2017-05-16

• Fix: Update ms to 2.0.0 to fix regular expression denial of service vulnerability (#458, @​hubdotcom)
• Fix: Inline extend function in node implementation (#452, @​dougwilson)
• Docs: Fix typo (#455, @​msasad)

... (truncated)

• f073e05 Release 3.1.0
• 2c0df9b rename DEBUG_HIDE_TTY_DATE to DEBUG_HIDE_DATE
• dcb37b2 Merge branch '2.x'
• 56a3853 Add DEBUG_HIDE_TTY_DATE env var (#486)
• 13abeae Release 2.6.9
• f53962e remove ReDoS regexp in %o formatter (#504)
• bdb7e01 remove "component" from package.json
• c38a016 remove ReDoS regexp in %o formatter (#504)
• 47747f3 remove component.json
• a0601e5 fix
• Additional commits viewable in compare view

Sourced from engine.io's releases.

3.6.2

This release contains a bump of the ws dependency, which includes an important security fix.

Advisory: GHSA-3h5v-q93c-6h6q

Links

• Diff: socketio/engine.io@3.6.1...3.6.2
• Client release: -
• ws@~7.5.10 (diff)

3.6.1

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

Error: read ECONNRESET
    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
Emitted 'error' event on Socket instance at:
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  errno: -104,
  code: 'ECONNRESET',
  syscall: 'read'
}

Please upgrade as soon as possible.

Bug Fixes

• catch errors when destroying invalid upgrades (83c4071)

3.6.0

Bug Fixes

• add extension in the package.json main entry (#608) (3ad0567)
• do not reset the ping timer after upgrade (1f5d469)

Features

• decrease the default value of maxHttpBufferSize (58e274c)

This change reduces the default value from 100 mb to a more sane 1 mb.

... (truncated)

Sourced from engine.io's changelog.

3.6.2 (2024-06-18)

This release contains a bump of the ws dependency, which includes an important security fix.

Advisory: GHSA-3h5v-q93c-6h6q

3.6.1 (2022-11-20)

Bug Fixes

• catch errors when destroying invalid upgrades (83c4071)

3.6.0 (2022-06-06)

Bug Fixes

• add extension in the package.json main entry (#608) (3ad0567)
• do not reset the ping timer after upgrade (1f5d469), closes socketio/socket.io-client-swift#1309

Features

• decrease the default value of maxHttpBufferSize (58e274c)

This change reduces the default value from 100 mb to a more sane 1 mb.

This helps protect the server against denial of service attacks by malicious clients sending huge amounts of data.

See also: GHSA-j4f2-536g-r55m

• increase the default value of pingTimeout (f55a79a)

3.5.0 (2020-12-30)

Features

• add support for all cookie options (19cc582), closes /github.com/jshttp/cookie#options-1
• disable perMessageDeflate by default (5ad2736)

... (truncated)

• b5e5b05 chore(release): 3.6.2
• 682d771 chore: bump ws to version 7.5.10
• 67a3a87 chore(release): 3.6.1
• 83c4071 fix: catch errors when destroying invalid upgrades
• f62f265 chore(release): 3.6.0
• f55a79a feat: increase the default value of pingTimeout
• 1f5d469 fix: do not reset the ping timer after upgrade
• 3ad0567 fix: add extension in the package.json main entry (#608)
• 58e274c feat: decrease the default value of maxHttpBufferSize
• b9dee7b chore(release): 3.5.0
• Additional commits viewable in compare view

Sourced from ms's releases.

2.0.0

Major Changes

• Limit str to 100 to avoid ReDoS of 0.3s: #89

Patches

• Ignored logs coming from npm: b1eaab752203e978492a4d540a7ae1d26e6306b1
• Bumped dependencies to the latest version: bcf57157678fd5afc691383145a35e116f9704d0
• Invalidated cache for slack badge: 94b995c1d6d5d13ec976a0c6849a3cca9b277e6b

Credits

Huge thanks to @​karenyavine for their help!

1.0.0

Major Changes

• Removed component specification: 1fbbe974cdcad96e592dcb65a7b2a8649f690420

Patches

• Test on LTS version of Node: c9b1fd319f0f9198d85ecf4ba83e46cc1216be04
• Removed XO: 94068ea6d518387670df277f740b1abada80ed48
• Use prettier and eslint: 57b3ef8e3423cae6254f94c5564a11b4492cff43
• Badge for XO removed: 389840b329436117741b2ef13a172725082695b9
• Removed browser testing: e818c3581aca3119c00d81901bfe8fe653bcfda4
• More suitable name for file containing tests: ee91f307a8dc3581ebdad614ec0533ddb3d8bf56

0.7.3

Patches

• Mark "options" param as optional in jsdoc: #77
• Lowercased text files: 5f0653ab192a30301aed8668b4588a87975b41ab
• Pinned dependencies: 126d7f094a1836b991c8d0abfeb4d0ce09ac280f
• Chore(package): update serve to version 5.0.1: #81

Credits

Huge thanks to @​Jokero for their help!

• 9b88d15 2.0.0
• 94b995c Invalidated cache for slack badge
• bcf5715 Bumped dependencies to the latest version
• b1eaab7 Ignored logs coming from npm
• caae298 Limit str to 100 to avoid ReDoS of 0.3s (#89)
• b83b36d chore(package): update eslint to version 3.19.0 (#88)
• 3f2a4d7 chore(package): update husky to version 0.13.3 (#86)
• 7daf984 1.0.0
• ee91f30 More suitable name for file containing tests
• e818c35 Removed browser testing
• Additional commits viewable in compare view

Sourced from socket.io-parser's releases.

3.3.4

Bug Fixes

• check the format of the event name (#125) (ee00660)

Links

• Diff: socketio/socket.io-parser@3.3.3...3.3.4

3.3.3

Bug Fixes

• check the format of the index of each attachment (fb21e42)

Links

• Diff: socketio/socket.io-parser@3.3.2...3.3.3
• Branch: 3.3.x

3.3.2

Bug Fixes

• prevent DoS (OOM) via massive packets (#95) (89197a0)

Links

• Diff: socketio/socket.io-parser@3.3.1...3.3.2

3.3.1

Links

• Diff: socketio/socket.io-parser@3.3.0...3.3.1

3.3.0

Bug Fixes

• remove any reference to the global variable (b47efb2)

Links

• Milestone: -
• Diff: 3.2.0...3.3.0

3.2.0

Bug fixes

• properly detect typed arrays (#85)
• properly handle JSON.stringify errors (#84)

... (truncated)

Sourced from socket.io-parser's changelog.

3.3.4 (2024-07-22)

Bug Fixes

• check the format of the event name (#125) (ee00660)

3.3.3 (2022-11-09)

Bug Fixes

• check the format of the index of each attachment (fb21e42)

3.3.2 (2021-01-09)

Bug Fixes

• prevent DoS (OOM) via massive packets (#95) (89197a0)

3.3.1 (2020-09-30)

• 1e9ebc6 chore(release): 3.3.4
• ee00660 fix: check the format of the event name (#125)
• cd11e38 chore(release): 3.3.3
• fb21e42 fix: check the format of the index of each attachment
• 3b0a392 chore(release): 3.3.2
• 89197a0 fix: prevent DoS (OOM) via massive packets (#95)
• 25ca624 chore(release): 3.3.1
• b51b39b test: use Node.js 10 for the browser tests
• 4184e46 chore: bump component-emitter dependency
• 0de72b9 [chore] Release 3.3.0
• Additional commits viewable in compare view

Sourced from ws's releases.

7.5.10

Bug fixes

• Backported e55e5106 to the 7.x release line (22c28763).

7.5.9

Bug fixes

• Backported bc8bd34e to the 7.x release line (0435e6e1).

7.5.8

Bug fixes

• Backported 0fdcc0af to the 7.x release line (2758ed35).
• Backported d68ba9e1 to the 7.x release line (dc1781bc).

7.5.7

Bug fixes

• Backported 6946f5fe to the 7.x release line (1f72e2e1).

7.5.6

Bug fixes

• Backported b8186dd1 to the 7.x release line (73dec34b).
• Backported ed2b8039 to the 7.x release line (22a26afb).

7.5.5

Bug fixes

• Backported ec9377ca to the 7.x release line (0e274acd).

7.5.4

Bug fixes

• Backported 6a72da3e to the 7.x release line (76087fbf).
• Backported 869c9892 to the 7.x release line (27997933).

7.5.3

Bug fixes

• The WebSocketServer constructor now throws an error if more than one of the noServer, server, and port options are specefied (66e58d27).
• Fixed a bug where a 'close' event was emitted by a WebSocketServer before the internal HTTP/S server was actually closed (5a587304).
• Fixed a bug that allowed WebSocket connections to be established after WebSocketServer.prototype.close() was called (772236a1).

7.5.2

Bug fixes

... (truncated)

• d962d70 [dist] 7.5.10
• 22c2876 [security] Fix crash when the Upgrade header cannot be read (#2231)
• 8a78f87 [dist] 7.5.9
• 0435e6e [security] Fix same host check for ws+unix: redirects
• 4271f07 [dist] 7.5.8
• dc1781b [security] Drop sensitive headers when following insecure redirects
• 2758ed3 [fix] Abort the handshake if the Upgrade header is invalid
• a370613 [dist] 7.5.7
• 1f72e2e [security] Drop sensitive headers when following redirects (#2013)
• 8ecd890 [dist] 7.5.6
• Additional commits viewable in compare view

• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.