4.1.2 (2022-01-11)
A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
```
RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
    at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14)
    at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22)
    at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10)
    at writeOrBuffer (internal/streams/writable.js:358:12)
```
This bug was introduced by this commit, included in engine.io@4.0.0, so previous releases are not impacted.
Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.
- properly handle invalid data sent by a malicious websocket client (a70800d)
4.1.1 (2021-02-02)
- do not reset the ping timer after upgrade (ff2b8ab), closes /github.com/socketio/socket.io-client-swift/pull/1309#issuecomment-768475704
4.1.0 (2021-01-14)
- add support for v3.x clients (663d326)
4.0.6 (2021-01-04)
3.5.0 (2020-12-30)
- add support for all cookie options (19cc582), closes /github.com/jshttp/cookie#options-1
- disable perMessageDeflate by default (5ad2736)
4.0.5 (2020-12-07)
No change on the server-side, this matches the client release.
4.0.4 (2020-11-17)
No change on the server-side, this matches the client release.
4.0.3 (2020-11-17)
No change on the server-side, this matches the client release.
4.0.2 (2020-11-09)
4.0.1 (2020-10-21)
- do not overwrite CORS headers upon error (fe093ba)
4.0.0 (2020-09-10)
More details about this release in the blog post: https://socket.io/blog/engine-io-4-release/
- ignore errors when forcefully closing the socket (#601) (dcdbccb)
- remove implicit require of uws (82cdca2)
- disable perMessageDeflate by default (078527a)
- Diff: v4.0.0-alpha.1...4.0.0
- Full diff: 3.4.0...4.0.0
- Client release: 4.0.0
- ws version: ^7.1.2
3.4.2 (2020-06-04)
- remove explicit require of uws (85e544a)
- Diff: 3.4.1...3.4.2
- Client release: -
- ws version: ^7.1.2
3.4.1 (2020-04-17)
- Diff: 3.4.0...3.4.1
- Client release: 3.4.1
- ws version: ^7.1.2
4.0.0-alpha.1 (2020-02-12)
- Diff: v4.0.0-alpha.0...v4.0.0-alpha.1
- Client release: v4.0.0-alpha.1
- ws version: ^7.1.2
4.0.0-alpha.0 (2020-02-12)
- decrease the default value of maxHttpBufferSize (734f9d1)
- disable cookie by default and add sameSite attribute (a374471), closes /github.com/jshttp/cookie#options-1
- generateId method can now return a Promise (f3c291f)
- reverse the ping-pong mechanism (31ff875)
- use the cors module to handle cross-origin requests (61b9492)
- the handlePreflightRequest option is removed by the change.

Before:

```js
new Server({
  handlePreflightRequest: (req, res) => {
    res.writeHead(200, {
      "Access-Control-Allow-Origin": 'https://example.com',
      "Access-Control-Allow-Methods": 'GET',
      "Access-Control-Allow-Headers": 'Authorization',
      "Access-Control-Allow-Credentials": true
    });
    res.end();
  }
})
```

After:

```js
new Server({
  cors: {
    origin: "https://example.com",
    methods: ["GET"],
    allowedHeaders: ["Authorization"],
    credentials: true
  }
})
```
- the syntax has changed from

```js
new Server({
  cookieName: "test",
  cookieHttpOnly: false,
  cookiePath: "/custom"
})
```

to

```js
new Server({
  cookie: {
    name: "test",
    httpOnly: false,
    path: "/custom"
  }
})
```

All other options (domain, maxAge, sameSite, ...) are now supported.
- v3.x clients will not be able to connect anymore (they will send a ping packet and timeout while waiting for a pong packet).
- Diff: 3.4.0...v4.0.0-alpha.0
- Client release: v4.0.0-alpha.0
- ws version: ^7.1.2