3.1.0

In order to ease the migration to Socket.IO v3, the v3 server is now able to communicate with v2 clients:

const io = require("socket.io")({
  allowEIO3: true // false by default
});

Note: the allowEIO3 refers to the version 3 of the Engine.IO protocol which is used in Socket.IO v2

Features

• confirm a weak but matching ETag (#3485) (161091d)
• esm: export the Namespace and Socket class (#3699) (233650c)
• add support for Socket.IO v2 clients (9925746)
• add room events (155fa63)

Bug Fixes

• allow integers as event names (1c220dd)

Links:

• Diff: 3.0.5...3.1.0
• Client release: 3.1.0
• engine.io version: ~4.1.0
• ws version: ~7.4.2

2.4.1

This release reverts the breaking change introduced in 2.4.0 (f78a575).

If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:

• without CORS (server and client are served from the same domain):

const io = require("socket.io")(httpServer, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed
  }
});

• with CORS (server and client are served from distinct domains):

io.origins(["http://localhost:3000"]); // for local development
io.origins(["https://example.com"]);

In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).

Reverts

• fix(security): do not allow all origins by default (a169050)

Links:

• Diff: 2.4.0...2.4.1
• Client release: -
• engine.io version: ~3.5.0
• ws version: ~7.4.2

3.0.5

Bug Fixes

• properly clear timeout on connection failure (170b739)

Reverts

• restore the socket middleware functionality (bf54327)

Links:

• Diff: 3.0.4...3.0.5
• Client release: 3.0.5
• engine.io version: ~4.0.6
• ws version: ~7.4.2

2.4.0

Related blog post: https://socket.io/blog/socket-io-2-4-0/

Features (from Engine.IO)

• add support for all cookie options (19cc582)
• disable perMessageDeflate by default (5ad2736)

Bug Fixes

• security: do not allow all origins by default (f78a575)
• properly overwrite the query sent in the handshake (d33a619)

⚠️ BREAKING CHANGE ⚠️

Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (Access-Control-Allow-xxx) to any domain. This will not be the case anymore, and you now have to explicitly enable it.

Please note that you are not impacted if:

• you are using Socket.IO v2 and the origins option to restrict the list of allowed domains
• you are using Socket.IO v3 (disabled by default)

This commit also removes the support for '*' matchers and protocol-less URL:

io.origins('https://example.com:443'); => io.origins(['https://example.com']);
io.origins('localhost:3000');          => io.origins(['http://localhost:3000']);
io.origins('http://localhost:*');      => io.origins(['http://localhost:3000']);
io.origins('*:3000');                  => io.origins(['http://localhost:3000']);

To restore the previous behavior (please use with caution):

io.origins((_, callback) => {
  callback(null, true);
});

See also:

• https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
• https://socket.io/docs/v3/handling-cors/
• https://socket.io/docs/v3/migrating-from-2-x-to-3-0/#CORS-handling

Thanks a lot to @ni8walk3r for the security report.

Links:

• Milestone: 2.4.0
• Diff: 2.3.0...2.4.0
• Client release: 2.4.0
• engine.io version: ~3.5.0
• ws version: ~7.4.2

3.0.4

Links:

• Diff: 3.0.3...3.0.4
• Client release: 3.0.4
• engine.io version: ~4.0.0
• ws version: ^7.1.2

3.0.3

Links:

• Diff: 3.0.2...3.0.3
• Client release: 3.0.3
• engine.io version: ~4.0.0
• ws version: ^7.1.2

3.0.2

Bug Fixes

• merge Engine.IO options (43705d7)

Links:

• Diff: 3.0.1...3.0.2
• Client release: 3.0.2
• engine.io version: ~4.0.0
• ws version: ^7.1.2

3.0.1

Bug Fixes

• export ServerOptions and Namespace types (#3684) (f62f180)
• typings: update the signature of the emit method (50671d9)

Links:

• Diff: 3.0.0...3.0.1
• Client release: 3.0.1
• engine.io version: ~4.0.0
• ws version: ^7.1.2

3.0.0

More details about this release in the blog post: https://socket.io/blog/socket-io-3-release/

Dedicated migration guide: https://socket.io/docs/migrating-from-2-x-to-3-0/

Bug Fixes

• close clients with no namespace (91cd255)

Features

• emit an Error object upon middleware error (54bf4a4)
• serve msgpack bundle (aa7574f)
• add support for catch-all listeners (5c73733)
• make Socket#join() and Socket#leave() synchronous (129c641)
• remove prod dependency to socket.io-client (7603da7)
• move binary detection back to the parser (669592d)
• add ES6 module export (8b6b100)
• do not reuse the Engine.IO id (2875d2c)
• remove Server#set() method (029f478)
• remove Socket#rooms object (1507b41)
• remove the 'origins' option (a8c0600)
• remove the implicit connection to the default namespace (3289f7e)
• throw upon reserved event names (4bd5b23)

BREAKING CHANGES

• the Socket#use() method is removed (see 5c73733)

• Socket#join() and Socket#leave() do not accept a callback argument anymore.

Before:

socket.join("room1", () => {
 io.to("room1").emit("hello");
});

After:

socket.join("room1");
io.to("room1").emit("hello");
// or await socket.join("room1"); for custom adapters

• the "connected" map is renamed to "sockets"
• the Socket#binary() method is removed, as this use case is now covered by the ability to provide your own parser.
• the 'origins' option is removed

Before:

new Server(3000, {
  origins: ["https://example.com"]
});

The 'origins' option was used in the allowRequest method, in order to
determine whether the request should pass or not. And the Engine.IO
server would implicitly add the necessary Access-Control-Allow-xxx
headers.

After:

new Server(3000, {
  cors: {
    origin: "https://example.com",
    methods: ["GET", "POST"],
    allowedHeaders: ["content-type"]
  }
});

The already existing 'allowRequest' option can be used for validation:

new Server(3000, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.referer.startsWith("https://example.com"));
  }
});

• Socket#rooms is now a Set instead of an object

• Namespace#connected is now a Map instead of an object

• there is no more implicit connection to the default namespace:

// client-side
const socket = io("/admin");

// server-side
io.on("connect", socket => {
  // not triggered anymore
})

io.use((socket, next) => {
  // not triggered anymore
});

io.of("/admin").use((socket, next) => {
  // triggered
});

• the Server#set() method was removed

This method was kept for backward-compatibility with pre-1.0 versions.

Links:

• Diff: 2.3.0...3.0.0
• Client release: 3.0.0
• engine.io version: ~4.0.0
• ws version: ^7.1.2

3.0.0-rc4

Features

• emit an Error object upon middleware error (54bf4a4)
• serve msgpack bundle (aa7574f)

Links:

• Milestone: 3.0.0
• Diff: 3.0.0-rc3...3.0.0-rc4
• Client release: 3.0.0-rc4
• engine.io version: ~4.0.0
• ws version: ^7.1.2