4.0.1

Bug Fixes

• typings: add fallback to untyped event listener (#3834) (a11152f)
• typings: update return type from emit (#3843) (1a72ae4)

Links:

• Diff: 4.0.0...4.0.1
• Client release: 4.0.1
• engine.io version: ~5.0.0
• ws version: ~7.4.2

4.0.0

Blog post: https://socket.io/blog/socket-io-4-release/
Migration guide: https://socket.io/docs/v3/migrating-from-3-x-to-4-0/

Bug Fixes

• make io.to(...) immutable (ac9e8ca)

Features

• add some utility methods (b25495c)
• add support for typed events (#3822) (0107510)
• allow to exclude specific rooms when broadcasting (#3789) (7de2e87)
• allow to pass an array to io.to(...) (085d1de)

BREAKING CHANGES

• io.to(...) now returns an immutable operator

Previously, broadcasting to a given room (by calling io.to()) would mutate the io instance, which could lead to surprising behaviors, like:

io.to("room1");
io.to("room2").emit(/* ... */); // also sent to room1

// or with async/await
io.to("room3").emit("details", await fetchDetails()); // random behavior: maybe in room3, maybe to all clients

Calling io.to() (or any other broadcast modifier) will now return an immutable instance.

Links:

• Diff: 3.1.2...4.0.0
• Client release: 4.0.0
• engine.io version: ~5.0.0
• ws version: ~7.4.2

3.1.2

Bug Fixes

• ignore packets received after disconnection (494c64e)

Links:

• Diff: 3.1.1...3.1.2
• Client release: 3.1.2
• engine.io version: ~4.1.0
• ws version: ~7.4.2

3.1.1

Bug Fixes

• properly parse the CONNECT packet in v2 compatibility mode (6f4bd7f)
• typings: add return types and general-case overload signatures (#3776) (9e8f288)
• typings: update the types of "query", "auth" and "headers" (4f2e9a7)

Links:

• Diff: 3.1.0...3.1.1
• Client release: 3.1.1
• engine.io version: ~4.1.0
• ws version: ~7.4.2

3.1.0

In order to ease the migration to Socket.IO v3, the v3 server is now able to communicate with v2 clients:

const io = require("socket.io")({
  allowEIO3: true // false by default
});

Note: the allowEIO3 refers to the version 3 of the Engine.IO protocol which is used in Socket.IO v2

Features

• confirm a weak but matching ETag (#3485) (161091d)
• esm: export the Namespace and Socket class (#3699) (233650c)
• add support for Socket.IO v2 clients (9925746)
• add room events (155fa63)

Bug Fixes

• allow integers as event names (1c220dd)

Links:

• Diff: 3.0.5...3.1.0
• Client release: 3.1.0
• engine.io version: ~4.1.0
• ws version: ~7.4.2

2.4.1

This release reverts the breaking change introduced in 2.4.0 (f78a575).

If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:

• without CORS (server and client are served from the same domain):

const io = require("socket.io")(httpServer, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed
  }
});

• with CORS (server and client are served from distinct domains):

io.origins(["http://localhost:3000"]); // for local development
io.origins(["https://example.com"]);

In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).

Reverts

• fix(security): do not allow all origins by default (a169050)

Links:

• Diff: 2.4.0...2.4.1
• Client release: -
• engine.io version: ~3.5.0
• ws version: ~7.4.2

3.0.5

Bug Fixes

• properly clear timeout on connection failure (170b739)

Reverts

• restore the socket middleware functionality (bf54327)

Links:

• Diff: 3.0.4...3.0.5
• Client release: 3.0.5
• engine.io version: ~4.0.6
• ws version: ~7.4.2

2.4.0

Related blog post: https://socket.io/blog/socket-io-2-4-0/

Features (from Engine.IO)

• add support for all cookie options (19cc582)
• disable perMessageDeflate by default (5ad2736)

Bug Fixes

• security: do not allow all origins by default (f78a575)
• properly overwrite the query sent in the handshake (d33a619)

⚠️ BREAKING CHANGE ⚠️

Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (Access-Control-Allow-xxx) to any domain. This will not be the case anymore, and you now have to explicitly enable it.

Please note that you are not impacted if:

• you are using Socket.IO v2 and the origins option to restrict the list of allowed domains
• you are using Socket.IO v3 (disabled by default)

This commit also removes the support for '*' matchers and protocol-less URL:

io.origins('https://example.com:443'); => io.origins(['https://example.com']);
io.origins('localhost:3000');          => io.origins(['http://localhost:3000']);
io.origins('http://localhost:*');      => io.origins(['http://localhost:3000']);
io.origins('*:3000');                  => io.origins(['http://localhost:3000']);

To restore the previous behavior (please use with caution):

io.origins((_, callback) => {
  callback(null, true);
});

See also:

• https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
• https://socket.io/docs/v3/handling-cors/
• https://socket.io/docs/v3/migrating-from-2-x-to-3-0/#CORS-handling

Thanks a lot to @ni8walk3r for the security report.

Links:

• Milestone: 2.4.0
• Diff: 2.3.0...2.4.0
• Client release: 2.4.0
• engine.io version: ~3.5.0
• ws version: ~7.4.2

3.0.4

Links:

• Diff: 3.0.3...3.0.4
• Client release: 3.0.4
• engine.io version: ~4.0.0
• ws version: ^7.1.2

3.0.3

Links:

• Diff: 3.0.2...3.0.3
• Client release: 3.0.3
• engine.io version: ~4.0.0
• ws version: ^7.1.2