Releases: zishang520/socket.io

v3.0.4

@zishang520 zishang520 released this 11 Jun 09:19

v3.0.4

Bug Fixes

  • clients/engine: adapt res.Err → res.CascadeError in polling transport to align with resty.dev/v3 API changes (polling.go)

Dependencies

  • bump quic-go/quic-go from v0.59.1 to v0.60.0
  • bump resty.dev/v3 from v3.0.0-beta.6 to v3.0.0-rc.1
  • bump golang.org/x/crypto from v0.52.0 to v0.53.0
  • bump golang.org/x/net from v0.55.0 to v0.56.0
  • bump golang.org/x/sys from v0.45.0 to v0.46.0
  • bump golang.org/x/text from v0.37.0 to v0.38.0
  • bump dependencies across all modules (adapters, clients, parsers, servers)

Full Changelog: v3.0.3...v3.0.4

v3.0.3

@zishang520 zishang520 released this 26 May 03:14

✨ Features

CORS & HTTP

  • Enhanced CORS origin handling — support for string slices and function callbacks in origin configuration; fixed wildcard origin + credentials behavior per CORS spec (#464b819, #8e69a6e)
  • HTTP context refactor — comprehensive documentation, lazy accessor optimization, proper HTTP status code validation, and memory leak prevention (#8e69a6e)
  • Graceful shutdown timeout — added 30-second default timeout for graceful HTTP server shutdown (#8e69a6e)

Engine & Transports

  • Configurable idle timeout — added IdleTimeout option to engine transports (websocket, webtransport, polling) to control keepalive behavior (#88db3de)

Parser

  • DecoderOptions for configurable decoding — new DecoderOptions type allows callers to pass custom decoding parameters to the socket parser (#becc76f)

Broadcast

  • Broadcast logging — added structured logging for broadcast operations and response completeness tracking in BroadcastOperator (#becc76f)

Core / pkg

  • None type for Optional pattern — added None sentinel type to pkg/types/nullable.go (#8e69a6e)
  • Panic recovery for event listeners — event dispatch now recovers from panics and filters nil entries (#8e69a6e)
  • Structured logger in queue — replaced standard log with structured logger; improved panic recovery in pkg/queue (#8e69a6e)
  • PrefixSimpleHandler enhancements — added attribute and group support (#8e69a6e)

🐛 Bug Fixes

Security & Hardening

  • Server hardening — fixed nil pointer panic in Upgrades() for unknown transports; added SID format validation (max length + charset) to prevent abuse; added nil check before PING/PONG timer Refresh(); filtered reserved server events (connect, disconnect, etc.) from client onevent; added filename whitelist to sendFile(); set Content-Length header for static file responses; guarded against duplicate engine initialization (#290beb2)

Transports & Connections

  • Dead TCP connection detection — WebSocket transport now uses read deadlines to detect dead TCP connections, with guaranteed cleanup on failure (#156, #ef92fbe)
  • Write queue close on disconnect — fixed write queue not being closed on ungraceful client disconnect, preventing resource leaks (#1d5eef8)
  • Redundant defer in DoClose — removed redundant defer in engine DoClose that could cause unexpected behavior; fixed related client tests (#758c61a)

Concurrency & Correctness

  • Map.Len() counter drift — fixed counter drift and orphaned adapter rooms caused by concurrent Join + cleanup operations (#159, #21bec4e)
  • Goroutine leak in Timer.Stop() — fixed goroutine leak in pkg/utils/timer.go on Go 1.23+ (#eb78df2)
  • backo2 race condition — guarded against concurrent SetMin/SetMax race condition (#8e69a6e)

Polling

  • Invalid binary content response — polling transport now correctly sets HTTP status code and response body when invalid binary content is received (#becc76f)

Utils

  • yeast decode error handling — Decode now returns an error for invalid input instead of panicking; alphabet optimized from []string to []byte (#8e69a6e)

🏗️ Build & CI

  • Bumped golang.org/x/* dependencies across all modules (#de3de1c)
  • Bumped dependencies across all sub-modules (#e871755, #80a7384)
  • Updated golangci-lint to v2.11.3 in CI (#4487323)
  • Bumped github.com/gookit/color 1.6.0 → 1.6.1 (#3f6205a)
  • Bumped github.com/klauspost/compress 1.18.5 → 1.18.6 (#5bab0ed)

📦 Module Versions

| Module | Previous | Current |
| --- | --- | --- |
| github.com/zishang520/socket.io/v3 | v3.0.2 | v3.0.3 |
| adapters/adapter | v3.0.2 | v3.0.3 |
| adapters/redis | v3.0.2 | v3.0.3 |
| adapters/mongo | v3.0.2 | v3.0.3 |
| adapters/postgres | v3.0.2 | v3.0.3 |
| adapters/unix | v3.0.2 | v3.0.3 |
| adapters/valkey | v3.0.2 | v3.0.3 |
| clients/engine | v3.0.2 | v3.0.3 |
| clients/socket | v3.0.2 | v3.0.3 |
| parsers/engine | v3.0.2 | v3.0.3 |
| parsers/socket | v3.0.2 | v3.0.3 |
| servers/engine | v3.0.2 | v3.0.3 |
| servers/socket | v3.0.2 | v3.0.3 |

Full Changelog: v3.0.2...v3.0.3

v3.0.2

@zishang520 zishang520 released this 20 Apr 05:56

What's Changed

  • Refactor PostgresAdapterBuilder and notification message handling by @zishang520 in #150
  • Implement Unix Domain Socket emitter and refactor client structure by @zishang520 in #151
  • Add MongoDB emitter for Socket.IO with configurable options by @zishang520 in #152
  • feat: add adapters/valkey as an independent Socket.IO adapter by @bneigher in #144

Full Changelog: v3.0.1...v3.0.2

v3.0.1

@zishang520 zishang520 released this 14 Apr 02:51

🛡️ Security Fix: Buffer Overflow & Payload Limits

v3.0.1 is a security patch release addressing critical vulnerabilities related to integer overflow in buffer allocation and unbounded memory consumption from malicious payloads.

🔒 Security Changes

  • Fixed Integer Overflow in growSlice: Corrected size computation logic in pkg/types/buffer.go to prevent panic or unsafe behavior during buffer expansion when len + n exceeds integer limits. (Resolves GitHub CodeQL alerts 8 and 12).
  • Added Global Payload Cap: Introduced a strict 128 MiB upper bound (types.MaxPayloadSize) for encoded payloads.
    • Socket Parser: Payloads exceeding the limit are now silently dropped during encoding in parsers/socket/parser/encoder.go.
    • JSONP Transport: Payloads exceeding the limit in JSONP responses now trigger a 500 Internal Server Error instead of attempting allocation, preventing potential Out-Of-Memory (OOM) attacks.
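
The two v3.0.1 changes above, an overflow-checked size computation and a hard payload cap, shown together as an added example. This is not the project's growSlice code; the function names, error values and growth policy are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// maxPayloadSize mirrors the 128 MiB cap; the name is this example's assumption.
const maxPayloadSize = 128 << 20

var errOverflow = errors.New("buffer: len + n overflows int")
var errTooLarge = errors.New("buffer: payload exceeds cap")

// checkedGrowSize returns cur+n only if the sum neither wraps nor exceeds the cap.
func checkedGrowSize(cur, n int) (int, error) {
	// Compare n with the remaining headroom: computing cur+n first is what wraps.
	if cur < 0 || n < 0 || n > math.MaxInt-cur {
		return 0, errOverflow
	}
	if cur+n > maxPayloadSize {
		return 0, errTooLarge
	}
	return cur + n, nil
}

// grow extends buf by n bytes, refusing sizes that fail the checks above.
func grow(buf []byte, n int) ([]byte, error) {
	need, err := checkedGrowSize(len(buf), n)
	if err != nil {
		return nil, err
	}
	if need <= cap(buf) {
		return buf[:need], nil
	}
	newCap := need
	// Amortised doubling, applied only where 2*cap cannot overflow or pass the cap.
	if c := cap(buf); c <= maxPayloadSize/2 && 2*c > need {
		newCap = 2 * c
	}
	out := make([]byte, need, newCap)
	copy(out, buf)
	return out, nil
}

func main() {
	_, err := grow(make([]byte, 8), math.MaxInt) // constructed hostile length
	fmt.Println(err)
}
```

Returning an error lets the caller choose the response, such as dropping the packet or answering with a 500, rather than panicking inside the allocator.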

🧹 Chores

  • Upgraded dependencies across adapters, clients, servers, and parsers modules.
  • Updated internal version constant to v3.0.1.

⚠️ Breaking Changes

None.
This update is fully backward compatible. The new 128 MiB limit is sufficiently large for standard usage; only abnormally large payloads (potential DoS attempts) will be affected.

What's Changed

  • Potential fix for code scanning alert no. 8: Size computation for allocation may overflow by @zishang520 in #148
  • Potential fix for code scanning alert no. 12: Size computation for allocation may overflow by @zishang520 in #149

Full Changelog: v3.0.0...v3.0.1

v3.0.0

@zishang520 zishang520 released this 13 Apr 10:09

🚀 v3.0.0 — First Stable Release

Socket.IO for Go v3.0.0 is the first stable release of the completely restructured and modernized Go implementation of the Socket.IO protocol. This release consolidates 6 separate repositories into a single monorepo with 9 versioned submodules, aligns with the Socket.IO v4+ protocol, and introduces comprehensive thread safety, type safety, and security improvements.

✨ Highlights

Monorepo Consolidation

  • Merged engine.io-go-parser, engine.io, socket.io-go-parser, socket.io-client-go, and socket.io-go-redis into a single repository
  • Unified version management via version.go shared across all modules
  • 9 versioned Go submodules with clean dependency boundaries

Protocol Alignment

  • Full compatibility with Socket.IO v4+ JavaScript clients
  • Engine.IO v4 protocol support including WebTransport
  • Configurable attachment count limits (default: 10, aligned with Node.js implementation)

Thread Safety Overhaul

  • Atomic socket flags using atomic.Pointer with copy-on-write patterns
  • Mutex-protected middleware slice for concurrent-safe modification
  • sync.OnceValue for thread-safe lazy initialization in HttpContext
  • Goroutine leak prevention via runtime.SetFinalizer on task queues
  • Sequential task queue (queue) for ordered message delivery

Type Safety Improvements

  • Generic types.Atomic[T] replacing atomic.Value for compile-time type checking
  • types.Optional[T] for null-safe configuration values
  • Strongly typed Handshake fields (types.IncomingHttpHeaders, types.ParsedUrlQuery)
  • Handshake.Auth standardized to map[string]any

New Packages

  • slices — Safe slice operations (Get, Map, Filter, Reduce, First, Last, etc.)
  • queue — Sequential task queue for message ordering and OOM prevention
  • request — HTTP client wrapper built on resty.dev/v3

Redis Cluster Support

  • Sharded broadcast operator for Redis Cluster
  • CROSSSLOT error fixes with per-channel PubSub client management
  • Dynamic channel subscription management
  • Pagination support for session restoration
  • Configurable SubscriptionMode (Static, Dynamic, DynamicPrivate)

Security Hardening

  • HTTP body size limits on polling transport (DoS prevention, default: 1 MB)
  • Immutable packet encoding (encoder no longer mutates input packets)
  • Configurable attachment limits to prevent memory exhaustion
  • Sensitive credential warnings for HTTP mode in request client

🔧 Breaking Changes

Import Path Restructuring
All import paths have been updated to the new monorepo structure:

  • engine.io → github.com/zishang520/socket.io/servers/engine/v3
  • socket.io/socket → github.com/zishang520/socket.io/servers/socket/v3
  • engine.io-client-go → github.com/zishang520/socket.io/clients/engine/v3
  • socket.io-client-go → github.com/zishang520/socket.io/clients/socket/v3
  • socket.io-go-redis → github.com/zishang520/socket.io/adapters/redis/v3

API Changes

  • ExtendedError consolidated to pkg/types.ExtendedError; server-side Data() method replaced with direct Data field access
  • ParameterBag moved from utils to types
  • HttpContext API: ResponseHeaders → ResponseHeaders(), GetHost() → Host(), GetPathInfo() → PathInfo()
  • GetRaw* config methods return types.Optional[T] instead of pointer types
  • adapter.SliceMap → slices.Map, adapter.Tap → utils.Tap
  • Transport Upgrades() returns []string instead of *types.Set[string]
  • redis.SubscriptionMode moved from adapter subpackage to root redis package

🐛 Bug Fixes

  • Fixed WebSocket/WebTransport send loop dropping queued packets after first successful send
  • Fixed nil pointer dereference from race condition in Engine.IO server
  • Fixed parser panic on nil payload from client
  • Fixed timer goroutine leaks adapted from upstream Node.js implementation
  • Fixed HTTP/2 connection goroutine leaks in HTTPClient.Close()
  • Fixed Redis timeout when fetching sockets from empty rooms
  • Fixed parser attachment race condition (removed shared mutable ERROR_PACKET singleton)

📋 Requirements

  • Go: 1.26.0 or higher
  • Frontend: Socket.IO client v4.x or higher (npm: socket.io-client@^4.0.0)

📦 Modules

| Module | Import Path |
| --- | --- |
| Root | github.com/zishang520/socket.io/v3 |
| Engine.IO Parser | github.com/zishang520/socket.io/parsers/engine/v3 |
| Socket.IO Parser | github.com/zishang520/socket.io/parsers/socket/v3 |
| Engine.IO Server | github.com/zishang520/socket.io/servers/engine/v3 |
| Socket.IO Server | github.com/zishang520/socket.io/servers/socket/v3 |
| Engine.IO Client | github.com/zishang520/socket.io/clients/engine/v3 |
| Socket.IO Client | github.com/zishang520/socket.io/clients/socket/v3 |
| Base Adapter | github.com/zishang520/socket.io/adapters/adapter/v3 |
| Redis Adapter | github.com/zishang520/socket.io/adapters/redis/v3 |

📖 Migration

See the complete Upgrade Guide for detailed instructions on migrating from v1/v2.

v3.0.0-rc.14

@zishang520 zishang520 released this 08 Apr 09:44

v3.0.0-rc.13

@zishang520 zishang520 released this 11 Mar 03:35

What's Changed

  • Potential fix for code scanning alert no. 7: Incorrect conversion between integer types by @zishang520 in #139

New Contributors

Full Changelog: v3.0.0-rc.12...v3.0.0-rc.13

v3.0.0-rc.12

@zishang520 zishang520 released this 10 Feb 08:16

What's Changed

  • chore(deps): bump golang.org/x/net from 0.36.0 to 0.38.0 by @dependabot[bot] in #94
  • chore(deps): bump github.com/andybalholm/brotli from 1.1.1 to 1.2.0 by @dependabot[bot] in #97
  • chore(deps): bump github.com/gookit/color from 1.5.4 to 1.6.0 by @dependabot[bot] in #106
  • chore(deps): bump github.com/quic-go/quic-go from 0.54.0 to 0.54.1 by @dependabot[bot] in #113
  • chore(deps): bump github.com/quic-go/quic-go from 0.54.0 to 0.55.0 by @dependabot[bot] in #115
  • chore(deps): bump resty.dev/v3 from 3.0.0-beta.3 to 3.0.0-beta.4 by @dependabot[bot] in #122
  • chore(deps): bump github.com/quic-go/quic-go from 0.55.0 to 0.57.0 by @dependabot[bot] in #121
  • chore(deps): bump resty.dev/v3 from 3.0.0-beta.4 to 3.0.0-beta.5 by @dependabot[bot] in #127
  • chore(deps): bump resty.dev/v3 from 3.0.0-beta.5 to 3.0.0-beta.6 by @dependabot[bot] in #129
  • refactor: switch to upstream quic-go/webtransport-go by @bneigher in #130
  • Consolidate duplicate ExtendedError implementations by @Copilot in #135

New Contributors

  • @bneigher made their first contribution in #130
  • @Copilot made their first contribution in #135

Full Changelog: v3.0.0-rc.11...v3.0.0-rc.12

v3.0.0-rc.10

@zishang520 zishang520 released this 30 Dec 07:56

v3.0.0-rc.9

@zishang520 zishang520 released this 27 Nov 09:23

What's Changed

  • chore(deps): bump github.com/quic-go/quic-go from 0.54.0 to 0.54.1 by @dependabot[bot] in #113
  • chore(deps): bump github.com/quic-go/quic-go from 0.54.0 to 0.55.0 by @dependabot[bot] in #115
  • chore(deps): bump resty.dev/v3 from 3.0.0-beta.3 to 3.0.0-beta.4 by @dependabot[bot] in #122
  • chore(deps): bump github.com/quic-go/quic-go from 0.55.0 to 0.57.0 by @dependabot[bot] in #121

Full Changelog: v3.0.0-rc.8...v3.0.0-rc.9