node-http-proxy
[dist] Update dependency socket.io to v4
This PR contains the following updates:
| Package | Change |
|---|---|
| socket.io | ^2.1.0 -> ^4.0.0 |
| socket.io | ~0.9.16 -> ~4.5.0 |
Release Notes
socketio/socket.io
v4.5.2
Bug Fixes
- prevent the socket from joining a room after disconnection (18f3fda)
- uws: prevent the server from crashing after upgrade (ba497ee)
v4.5.1
Bug Fixes
- forward the local flag to the adapter when using fetchSockets() (30430f0)
- typings: add HTTPS server to accepted types (#4351) (9b43c91)
v4.5.0
Bug Fixes
Features
- add support for catch-all listeners for outgoing packets (531104d)
This is similar to onAny(), but for outgoing packets.
Syntax:
```js
socket.onAnyOutgoing((event, ...args) => {
  console.log(event);
});
```
- broadcast and expect multiple acks (8b20457)
Syntax:
```js
io.timeout(1000).emit("some-event", (err, responses) => {
  // ...
});
```
- add the "maxPayload" field in the handshake details (088dcb4)
So that clients in HTTP long-polling can decide how many packets they have to send to stay under the maxHttpBufferSize value.
This is a backward compatible change which should not mandate a new major revision of the protocol (we stay in v4), as we only add a field in the JSON-encoded handshake data:
```
0{"sid":"lv_VI97HAXpY6yYWAAAC","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000,"maxPayload":1000000}
```
4.4.1 (2022-01-06)
Bug Fixes
- types: make RemoteSocket.data type safe (#4234) (770ee59)
- types: pass SocketData type to custom namespaces (#4233) (f2b8de7)
v4.4.0
Bug Fixes
- only set 'connected' to true after middleware execution (02b0f73)
Features
- add an implementation based on uWebSockets.js (c0d8c5a)
- add timeout feature (f0ed42f)
- add type information to socket.data (#4159) (fe8730c)
4.3.2 (2021-11-08)
Bug Fixes
4.3.1 (2021-10-16)
Bug Fixes
v4.3.0
Bug Fixes
- typings: add name field to cookie option (#4099) (033c5d3)
- send volatile packets with binary attachments (dc81fcf)
Features
- serve ESM bundle (60edecb)
v4.2.0
Bug Fixes
- typings: allow async listener in typed events (ccfd8ca)
Features
4.1.3 (2021-07-10)
Bug Fixes
4.1.2 (2021-05-17)
Bug Fixes
- typings: ensure compatibility with TypeScript 3.x (0cb6ac9)
- ensure compatibility with previous versions of the adapter (a2cf248)
4.1.1 (2021-05-11)
Bug Fixes
- typings: properly type server-side events (b84ed1e)
- typings: properly type the adapter attribute (891b187)
v4.1.0
Features
- add support for inter-server communication (93cce05)
- notify upon namespace creation (499c892)
- add a "connection_error" event (7096e98, from engine.io)
- add the "initial_headers" and "headers" events (2527543, from engine.io)
Performance Improvements
- add support for the "wsPreEncoded" writing option (dc381b7)
4.0.2 (2021-05-06)
Bug Fixes
4.0.1 (2021-03-31)
Bug Fixes
- typings: add fallback to untyped event listener (#3834) (a11152f)
- typings: update return type from emit (#3843) (1a72ae4)
v4.0.0
Bug Fixes
- make io.to(...) immutable (ac9e8ca)
Features
- add some utility methods (b25495c)
- add support for typed events (#3822) (0107510)
- allow to exclude specific rooms when broadcasting (#3789) (7de2e87)
- allow to pass an array to io.to(...) (085d1de)
3.1.2 (2021-02-26)
Bug Fixes
- ignore packets received after disconnection (494c64e)
3.1.1 (2021-02-03)
Bug Fixes
- properly parse the CONNECT packet in v2 compatibility mode (6f4bd7f)
- typings: add return types and general-case overload signatures (#3776) (9e8f288)
- typings: update the types of "query", "auth" and "headers" (4f2e9a7)
v3.1.0
Features
- confirm a weak but matching ETag (#3485) (161091d)
- esm: export the Namespace and Socket class (#3699) (233650c)
- add support for Socket.IO v2 clients (9925746)
- add room events (155fa63)
Bug Fixes
- allow integers as event names (1c220dd)
3.0.5 (2021-01-05)
Bug Fixes
- properly clear timeout on connection failure (170b739)
Reverts
- restore the socket middleware functionality (bf54327)
3.0.4 (2020-12-07)
3.0.3 (2020-11-19)
3.0.2 (2020-11-17)
Bug Fixes
- merge Engine.IO options (43705d7)
3.0.1 (2020-11-09)
Bug Fixes
- export ServerOptions and Namespace types (#3684) (f62f180)
- typings: update the signature of the emit method (50671d9)
v3.0.0
Bug Fixes
- close clients with no namespace (91cd255)
Features
- emit an Error object upon middleware error (54bf4a4)
- serve msgpack bundle (aa7574f)
- add support for catch-all listeners (5c73733)
- make Socket#join() and Socket#leave() synchronous (129c641)
- remove prod dependency to socket.io-client (7603da7)
- move binary detection back to the parser (669592d)
- add ES6 module export (8b6b100)
- do not reuse the Engine.IO id (2875d2c)
- remove Server#set() method (029f478)
- remove Socket#rooms object (1507b41)
- remove the 'origins' option (a8c0600)
- remove the implicit connection to the default namespace (3289f7e)
- throw upon reserved event names (4bd5b23)
BREAKING CHANGES
- the Socket#use() method is removed (see 5c73733)
- Socket#join() and Socket#leave() do not accept a callback argument anymore.

Before:
```js
socket.join("room1", () => {
  io.to("room1").emit("hello");
});
```
After:
```js
socket.join("room1");
io.to("room1").emit("hello");
// or await socket.join("room1"); for custom adapters
```
- the "connected" map is renamed to "sockets"
- the Socket#binary() method is removed, as this use case is now covered by the ability to provide your own parser.
- the 'origins' option is removed
Before:
```js
new Server(3000, {
  origins: ["https://example.com"]
});
```
The 'origins' option was used in the allowRequest method to determine whether the request should pass or not, and the Engine.IO server would implicitly add the necessary Access-Control-Allow-xxx headers.

After:
```js
new Server(3000, {
  cors: {
    origin: "https://example.com",
    methods: ["GET", "POST"],
    allowedHeaders: ["content-type"]
  }
});
```
The already existing 'allowRequest' option can be used for validation:
```js
new Server(3000, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.referer.startsWith("https://example.com"));
  }
});
```
- Socket#rooms is now a Set instead of an object
- Namespace#connected is now a Map instead of an object
- there is no more implicit connection to the default namespace:
```js
// client-side
const socket = io("/admin");

// server-side
io.on("connect", socket => {
  // not triggered anymore
})
io.use((socket, next) => {
  // not triggered anymore
});
io.of("/admin").use((socket, next) => {
  // triggered
});
```
- the Server#set() method was removed
This method was kept for backward-compatibility with pre-1.0 versions.
v2.5.0
:warning: WARNING :warning:
The default value of the maxHttpBufferSize option has been decreased from 100 MB to 1 MB, in order to prevent attacks by denial of service.
Security advisory: https://github.com/advisories/GHSA-j4f2-536g-r55m
Bug Fixes
- fix race condition in dynamic namespaces (05e1278)
- ignore packet received after disconnection (22d4bdf)
- only set 'connected' to true after middleware execution (226cc16)
- prevent the socket from joining a room after disconnection (f223178)
Links:
- Diff: https://github.com/socketio/socket.io/compare/2.4.1...2.5.0
- Client release: 2.5.0
- engine.io version: ~3.6.0 (diff)
- ws version: ~7.4.2
v2.4.1
This release reverts the breaking change introduced in 2.4.0 (https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7).
If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:
- without CORS (server and client are served from the same domain):
```js
const io = require("socket.io")(httpServer, {
  allowRequest: (req, callback) => {
    callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed
  }
});
```
- with CORS (server and client are served from distinct domains):
```js
io.origins(["http://localhost:3000"]); // for local development
io.origins(["https://example.com"]);
```
In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).
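An added example (not code from the socket.io release notes or from node-http-proxy): the allowRequest hooks shown in the v3.0.0 and v2.4.1 notes above, written to compare the parsed Origin header against an exact allowlist. A prefix test such as startsWith("https://example.com") also matches hosts that merely begin with that string, and it throws when the header is absent. The names ALLOWED, prefixCheck, exactOriginCheck, makeAllowRequest and decide, and all sample header values, are assumptions made for illustration.

```javascript
// Added example: exact-origin allowlist for Socket.IO's allowRequest hook.
// ALLOWED and all header values used here are constructed for illustration.
const ALLOWED = new Set(["https://example.com"]);

// Prefix test on the raw header value, for comparison only.
function prefixCheck(headerValue) {
  return typeof headerValue === "string" &&
    headerValue.startsWith("https://example.com");
}

// Parse the header and compare scheme + host + port as a single origin.
function exactOriginCheck(headerValue, allowed = ALLOWED) {
  if (typeof headerValue !== "string") return false;
  try {
    return allowed.has(new URL(headerValue).origin);
  } catch {
    return false; // malformed value or the literal "null" origin
  }
}

// Returns a function with the (req, callback) shape that allowRequest expects.
// allowMissingOrigin decides requests that carry no Origin header at all
// (same-origin GETs and non-browser clients).
function makeAllowRequest(allowed, { allowMissingOrigin = false } = {}) {
  return (req, callback) => {
    const origin = req.headers.origin;
    if (origin === undefined) return callback(null, allowMissingOrigin);
    return callback(null, exactOriginCheck(origin, allowed));
  };
}

// Helper: run a hook on a constructed request and return its verdict.
function decide(hook, headers) {
  let verdict;
  hook({ headers }, (err, ok) => { verdict = err ? false : ok; });
  return verdict;
}

const hook = makeAllowRequest(ALLOWED);
for (const origin of [
  "https://example.com",               // allowed
  "https://example.com:443",           // same origin, default port
  "https://example.com.attacker.test", // lookalike host
  "null",                              // opaque origin
]) {
  console.log(origin, "prefix:", prefixCheck(origin),
    "exact:", decide(hook, { origin }));
}
```

The function returned by makeAllowRequest can be passed as the allowRequest option in place of the inline callbacks shown in the release notes.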
Reverts
- fix(security): do not allow all origins by default (a169050)
Links:
- Diff: https://github.com/socketio/socket.io/compare/2.4.0...2.4.1
- Client release: -
- engine.io version: ~3.5.0
- ws version: ~7.4.2
v2.4.0
Related blog post: https://socket.io/blog/socket-io-2-4-0/
Features (from Engine.IO)
Bug Fixes
- security: do not allow all origins by default (f78a575)
- properly overwrite the query sent in the handshake (d33a619)
:warning: BREAKING CHANGE :warning:
Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (Access-Control-Allow-xxx) to any domain. This will not be the case anymore, and you now have to explicitly enable it.
Please note that you are not impacted if:
- you are using Socket.IO v2 and the origins option to restrict the list of allowed domains
- you are using Socket.IO v3 (disabled by default)
This commit also removes the support for '*' matchers and protocol-less URL:
```
io.origins('https://example.com:443'); => io.origins(['https://example.com']);
io.origins('localhost:3000');          => io.origins(['http://localhost:3000']);
io.origins('http://localhost:*');      => io.origins(['http://localhost:3000']);
io.origins('*:3000');                  => io.origins(['http://localhost:3000']);
```
To restore the previous behavior (please use with caution):
```js
io.origins((_, callback) => {
  callback(null, true);
});
```
See also:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
- https://socket.io/docs/v3/handling-cors/
- https://socket.io/docs/v3/migrating-from-2-x-to-3-0/#CORS-handling
Thanks a lot to @ni8walk3r for the security report.
Links:
- Milestone: 2.4.0
- Diff: https://github.com/socketio/socket.io/compare/2.3.0...2.4.0
- Client release: 2.4.0
- engine.io version: ~3.5.0
- ws version: ~7.4.2
v2.3.0
This release mainly contains a bump of the engine.io and ws packages, but no additional features.
Links:
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate.
Codecov Report
Merging #1528 (bdcd35f) into master (9b96cd7) will not change coverage. The diff coverage is n/a.
@@ Coverage Diff @@
## master #1528 +/- ##
=======================================
Coverage 92.38% 92.38%
=======================================
Files 6 6
Lines 315 315
=======================================
Hits 291 291
Misses 24 24