GitHub

2.4.0

release notes

Published 1/4/2021

MinorContains breaking changes

Release notes

Related blog post: https://socket.io/blog/socket-io-2-4-0/

Features (from Engine.IO)

add support for all cookie options (19cc582)
disable perMessageDeflate by default (5ad2736)

Bug Fixes

security: do not allow all origins by default (f78a575)
properly overwrite the query sent in the handshake (d33a619)

⚠️ BREAKING CHANGE ⚠️

Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (Access-Control-Allow-xxx) to any domain. This will not be the case anymore, and you now have to explicitly enable it.

Please note that you are not impacted if:

you are using Socket.IO v2 and the origins option to restrict the list of allowed domains
you are using Socket.IO v3 (disabled by default)

This commit also removes the support for '*' matchers and protocol-less URL:

io.origins('https://example.com:443'); => io.origins(['https://example.com']);
io.origins('localhost:3000');          => io.origins(['http://localhost:3000']);
io.origins('http://localhost:*');      => io.origins(['http://localhost:3000']);
io.origins('*:3000');                  => io.origins(['http://localhost:3000']);

To restore the previous behavior (please use with caution):

io.origins((_, callback) => {
  callback(null, true);
});

2.4.0

release notes

Published 1/4/2021

MinorContains breaking changes

Release notes

Related blog post: https://socket.io/blog/socket-io-2-4-0/

Features (from Engine.IO)

add support for all cookie options (19cc582)
disable perMessageDeflate by default (5ad2736)

Bug Fixes

security: do not allow all origins by default (f78a575)
properly overwrite the query sent in the handshake (d33a619)

⚠️ BREAKING CHANGE ⚠️

Please note that you are not impacted if:

you are using Socket.IO v2 and the origins option to restrict the list of allowed domains
you are using Socket.IO v3 (disabled by default)

This commit also removes the support for '*' matchers and protocol-less URL:

io.origins('https://example.com:443'); => io.origins(['https://example.com']);
io.origins('localhost:3000');          => io.origins(['http://localhost:3000']);
io.origins('http://localhost:*');      => io.origins(['http://localhost:3000']);
io.origins('*:3000');                  => io.origins(['http://localhost:3000']);

To restore the previous behavior (please use with caution):

io.origins((_, callback) => {
  callback(null, true);
});

socketio/socket.io

socketio/socket.io

2.4.0

Features (from Engine.IO)

Bug Fixes

Links:

2.4.0

Features (from Engine.IO)

Bug Fixes

Links: