5.2.1

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14)
at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22)
at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10)
at writeOrBuffer (internal/streams/writable.js:358:12)

This bug was introduced by this commit, included in engine.io@4.0.0, so previous releases are not impacted.

Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.

Bug Fixes

• properly handle invalid data sent by a malicious websocket client (66f889f)

Links

• Diff: 5.2.0...5.2.1
• Client release: -
• ws version: ~7.4.2

4.1.2

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14)
at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22)
at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10)
at writeOrBuffer (internal/streams/writable.js:358:12)

This bug was introduced by this commit, included in engine.io@4.0.0, so previous releases are not impacted.

Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.

Bug Fixes

• properly handle invalid data sent by a malicious websocket client (a70800d)

Links

• Diff: 4.1.1...4.1.2
• Client release: -
• ws version: ~7.4.2

6.1.0

This release introduces a new engine implementation based on uWebSockets.js, a high performance HTTP/WebSocket server which can be used as an alternative to the default Node.js HTTP server.

Usage:

const { App } = require("uWebSockets.js");
const { uServer } = require("engine.io");

const app = new App();
const server = new uServer();

server.attach(app);

app.listen(3000, () => {});

Feedback is welcome! 👼

Bug Fixes

• fix payload encoding for v3 clients (ed50fc3)

Features

• add an implementation based on uWebSockets.js (271e2df)

Performance Improvements

• refresh ping timer (#628) (37474c7)

Links

• Diff: 6.0.0...6.1.0
• Client release: 6.1.0
• ws version: ~8.2.3

6.0.1

Bug Fixes

• fix payload encoding for v3 clients (3f42262)

Links

• Diff: 6.0.0...6.0.1
• Client release: -
• ws version: ~8.2.3

6.0.0

The codebase was migrated to TypeScript (c0d6eaa)

An ES module wrapper was also added (401f4b6).

Please note that the communication protocol was not updated, so a v5 client will be able to reach a v6 server (and vice-versa).

Reference: https://github.com/socketio/engine.io-protocol

BREAKING CHANGES

• the default export was removed, so the following code won't work anymore:

const eioServer = require("engine.io")(httpServer);

Please use this instead:

const { Server } = require("engine.io");
const eioServer = new Server(httpServer);

Links

• Diff: 5.2.0...6.0.0
• Client release: 6.0.0
• ws version: ~8.2.3 (diff)

5.2.0

No change on the server-side, this matches the client release.

Links

• Diff: 5.1.1...5.2.0
• Client release: 5.2.0
• ws version: ~7.4.2

5.1.1

Bug Fixes

• properly close the websocket connection upon handshake error (4360686)

Links

• Diff: 5.1.0...5.1.1
• Client release: -
• ws version: ~7.4.2

5.1.0

Features

• add a "connection_error" event (7096e98)
• add the "initial_headers" and "headers" events (2527543)

Performance Improvements

• websocket: add a "wsPreEncoded" writing option (7706b12)
• websocket: fix write back-pressure (#618) (ad5306a)

Links

• Diff: 5.0.0...5.1.0
• Client release: 5.1.0
• ws version: ~7.4.2

5.0.0

This major bump is due to a breaking change at the API level (see below).

Apart from this, the Engine.IO protocol was not updated, so a v4 client will be able to reach a v5 server, and vice-versa. Besides, the compatibility mode (allowEIO3: true) is still available between an Engine.IO v3 client and an Engine.IO v5 server.

Bug Fixes

• set default protocol version to 3 (#616) (868d891)

Features

• increase the default value of pingTimeout (5a7fa13)
• remove dynamic require() with wsEngine (edb7343)

BREAKING CHANGES

• the syntax of the "wsEngine" option is updated

Before:

const eioServer = require("engine.io")(httpServer, {
  wsEngine: "eiows"
});

After:

const eioServer = require("engine.io")(httpServer, {
  wsEngine: require("eiows").Server
});

Related: #609

Links

• Diff: 4.1.1...5.0.0
• Client release: 5.0.0
• ws version: ~7.4.2

4.1.1

Bug Fixes

• do not reset the ping timer after upgrade (ff2b8ab)

Links

• Diff: 4.1.0...4.1.1
• Client release: 4.1.1
• ws version: ~7.4.2