v3.0.4

v3.0.4

Bug Fixes

• clients/engine: adapt res.Err → res.CascadeError in polling transport to align with resty.dev/v3 API changes (polling.go)

Dependencies

• bump quic-go/quic-go from v0.59.1 to v0.60.0
• bump resty.dev/v3 from v3.0.0-beta.6 to v3.0.0-rc.1
• bump golang.org/x/crypto from v0.52.0 to v0.53.0
• bump golang.org/x/net from v0.55.0 to v0.56.0
• bump golang.org/x/sys from v0.45.0 to v0.46.0
• bump golang.org/x/text from v0.37.0 to v0.38.0
• bump dependencies across all modules (adapters, clients, parsers, servers)

Full Changelog: v3.0.3...v3.0.4

v3.0.3

✨ Features

CORS & HTTP

• Enhanced CORS origin handling — support for string slices and function callbacks in origin configuration; fixed wildcard origin + credentials behavior per CORS spec (#464b819, #8e69a6e)
• HTTP context refactor — comprehensive documentation, lazy accessor optimization, proper HTTP status code validation, and memory leak prevention (#8e69a6e)
• Graceful shutdown timeout — added 30-second default timeout for graceful HTTP server shutdown (#8e69a6e)

Engine & Transports

• Configurable idle timeout — added IdleTimeout option to engine transports (websocket, webtransport, polling) to control keepalive behavior (#88db3de)

Parser

• DecoderOptions for configurable decoding — new DecoderOptions type allows callers to pass custom decoding parameters to the socket parser (#becc76f)

Broadcast

• Broadcast logging — added structured logging for broadcast operations and response completeness tracking in BroadcastOperator (#becc76f)

Core / pkg

• None type for Optional pattern — added None sentinel type to pkg/types/nullable.go (#8e69a6e)
• Panic recovery for event listeners — event dispatch now recovers from panics and filters nil entries (#8e69a6e)
• Structured logger in queue — replaced standard log with structured logger; improved panic recovery in pkg/queue (#8e69a6e)
• PrefixSimpleHandler enhancements — added attribute and group support (#8e69a6e)

---

🐛 Bug Fixes

Security & Hardening

• Server hardening — fixed nil pointer panic in Upgrades() for unknown transports; added SID format validation (max length + charset) to prevent abuse; added nil check before PING/PONG timer Refresh(); filtered reserved server events (connect, disconnect, etc.) from client onevent; added filename whitelist to sendFile(); set Content-Length header for static file responses; guarded against duplicate engine initialization (#290beb2)

Transports & Connections

• Dead TCP connection detection — WebSocket transport now uses read deadlines to detect dead TCP connections, with guaranteed cleanup on failure (#156, #ef92fbe)
• Write queue close on disconnect — fixed write queue not being closed on ungraceful client disconnect, preventing resource leaks (#1d5eef8)
• Redundant defer in DoClose — removed redundant defer in engine DoClose that could cause unexpected behavior; fixed related client tests (#758c61a)

Concurrency & Correctness

• Map.Len() counter drift — fixed counter drift and orphaned adapter rooms caused by concurrent Join + cleanup operations (#159, #21bec4e)
• Goroutine leak in Timer.Stop() — fixed goroutine leak in pkg/utils/timer.go on Go 1.23+ (#eb78df2)
• backo2 race condition — guarded against concurrent SetMin/SetMax race condition (#8e69a6e)

Polling

• Invalid binary content response — polling transport now correctly sets HTTP status code and response body when invalid binary content is received (#becc76f)

Utils

• yeast decode error handling — Decode now returns an error for invalid input instead of panicking; alphabet optimized from []string to []byte (#8e69a6e)

---

🏗️ Build & CI

• Bumped golang.org/x/* dependencies across all modules (#de3de1c)
• Bumped dependencies across all sub-modules (#e871755, #80a7384)
• Updated golangci-lint to v2.11.3 in CI (#4487323)
• Bumped github.com/gookit/color 1.6.0 → 1.6.1 (#3f6205a)
• Bumped github.com/klauspost/compress 1.18.5 → 1.18.6 (#5bab0ed)

---

📦 Module Versions

Module	Previous	Current
github.com/zishang520/socket.io/v3	v3.0.2	v3.0.3
adapters/adapter	v3.0.2	v3.0.3
adapters/redis	v3.0.2	v3.0.3
adapters/mongo	v3.0.2	v3.0.3
adapters/postgres	v3.0.2	v3.0.3
adapters/unix	v3.0.2	v3.0.3
adapters/valkey	v3.0.2	v3.0.3
clients/engine	v3.0.2	v3.0.3
clients/socket	v3.0.2	v3.0.3
parsers/engine	v3.0.2	v3.0.3
parsers/socket	v3.0.2	v3.0.3
servers/engine	v3.0.2	v3.0.3
servers/socket	v3.0.2	v3.0.3

---

Full Changelog: v3.0.2...v3.0.3

v3.0.2

What's Changed

• Refactor PostgresAdapterBuilder and notification message handling by @zishang520 in #150
• Implement Unix Domain Socket emitter and refactor client structure by @zishang520 in #151
• Add MongoDB emitter for Socket.IO with configurable options by @zishang520 in #152
• feat: add adapters/valkey as an independent Socket.IO adapter by @bneigher in #144

Full Changelog: v3.0.1...v3.0.2

v3.0.1

🛡️ Security Fix: Buffer Overflow & Payload Limits

v3.0.1 is a security patch release addressing critical vulnerabilities related to integer overflow in buffer allocation and unbounded memory consumption from malicious payloads.

🔒 Security Changes

• Fixed Integer Overflow in growSlice: Corrected size computation logic in pkg/types/buffer.go to prevent panic or unsafe behavior during buffer expansion when len + n exceeds integer limits. (Resolves GitHub CodeQL alerts 8 and 12).
• Added Global Payload Cap: Introduced a strict 128 MiB upper bound (types.MaxPayloadSize) for encoded payloads.
  • Socket Parser: Payloads exceeding the limit are now silently dropped during encoding in parsers/socket/parser/encoder.go.
  • JSONP Transport: Payloads exceeding the limit in JSONP responses now trigger a 500 Internal Server Error instead of attempting allocation, preventing potential Out-Of-Memory (OOM) attacks.

🧹 Chores

• Upgraded dependencies across adapters, clients, servers, and parsers modules.
• Updated internal version constant to v3.0.1.

⚠️ Breaking Changes

None.
This update is fully backward compatible. The new 128 MiB limit is sufficiently large for standard usage; only abnormally large payloads (potential DoS attempts) will be affected.

What's Changed

• Potential fix for code scanning alert no. 8: Size computation for allocation may overflow by @zishang520 in #148
• Potential fix for code scanning alert no. 12: Size computation for allocation may overflow by @zishang520 in #149

Full Changelog: v3.0.0...v3.0.1

v3.0.0

🚀 v3.0.0 — First Stable Release

Socket.IO for Go v3.0.0 is the first stable release of the completely restructured and modernized Go implementation of the Socket.IO protocol. This release consolidates 6 separate repositories into a single monorepo with 9 versioned submodules, aligns with the Socket.IO v4+ protocol, and introduces comprehensive thread safety, type safety, and security improvements.

✨ Highlights

Monorepo Consolidation

• Merged engine.io-go-parser, engine.io, socket.io-go-parser, socket.io-client-go, and socket.io-go-redis into a single repository
• Unified version management via version.go shared across all modules
• 9 versioned Go submodules with clean dependency boundaries

Protocol Alignment

• Full compatibility with Socket.IO v4+ JavaScript clients
• Engine.IO v4 protocol support including WebTransport
• Configurable attachment count limits (default: 10, aligned with Node.js implementation)

Thread Safety Overhaul

• Atomic socket flags using atomic.Pointer with copy-on-write patterns
• Mutex-protected middleware slice for concurrent-safe modification
• sync.OnceValue for thread-safe lazy initialization in HttpContext
• Goroutine leak prevention via runtime.SetFinalizer on task queues
• Sequential task queue (queue) for ordered message delivery

Type Safety Improvements

• Generic types.Atomic[T] replacing atomic.Value for compile-time type checking
• types.Optional[T] for null-safe configuration values
• Strongly typed Handshake fields (types.IncomingHttpHeaders, types.ParsedUrlQuery)
• Handshake.Auth standardized to map[string]any

New Packages

• slices — Safe slice operations (Get, Map, Filter, Reduce, First, Last, etc.)
• queue — Sequential task queue for message ordering and OOM prevention
• request — HTTP client wrapper built on resty.dev/v3

Redis Cluster Support

• Sharded broadcast operator for Redis Cluster
• CROSSSLOT error fixes with per-channel PubSub client management
• Dynamic channel subscription management
• Pagination support for session restoration
• Configurable SubscriptionMode (Static, Dynamic, DynamicPrivate)

Security Hardening

• HTTP body size limits on polling transport (DoS prevention, default: 1 MB)
• Immutable packet encoding (encoder no longer mutates input packets)
• Configurable attachment limits to prevent memory exhaustion
• Sensitive credential warnings for HTTP mode in request client

🔧 Breaking Changes

Import Path Restructuring
All import paths have been updated to the new monorepo structure:

• engine.io → github.com/zishang520/socket.io/servers/engine/v3
• socket.io/socket → github.com/zishang520/socket.io/servers/socket/v3
• engine.io-client-go → github.com/zishang520/socket.io/clients/engine/v3
• socket.io-client-go → github.com/zishang520/socket.io/clients/socket/v3
• socket.io-go-redis → github.com/zishang520/socket.io/adapters/redis/v3

API Changes

• ExtendedError consolidated to pkg/types.ExtendedError; server-side Data() method replaced with direct Data field access
• ParameterBag moved from utils to types
• HttpContext API: ResponseHeaders → ResponseHeaders(), GetHost() → Host(), GetPathInfo() → PathInfo()
• GetRaw* config methods return types.Optional[T] instead of pointer types
• adapter.SliceMap → slices.Map, adapter.Tap → utils.Tap
• Transport Upgrades() returns []string instead of *types.Set[string]
• redis.SubscriptionMode moved from adapter subpackage to root redis package

🐛 Bug Fixes

• Fixed WebSocket/WebTransport send loop dropping queued packets after first successful send
• Fixed nil pointer dereference from race condition in Engine.IO server
• Fixed parser panic on nil payload from client
• Fixed timer goroutine leaks adapted from upstream Node.js implementation
• Fixed HTTP/2 connection goroutine leaks in HTTPClient.Close()
• Fixed Redis timeout when fetching sockets from empty rooms
• Fixed parser attachment race condition (removed shared mutable ERROR_PACKET singleton)

📋 Requirements

• Go: 1.26.0 or higher
• Frontend: Socket.IO client v4.x or higher (npm: socket.io-client@^4.0.0)

📦 Modules

Module	Import Path
Root	github.com/zishang520/socket.io/v3
Engine.IO Parser	github.com/zishang520/socket.io/parsers/engine/v3
Socket.IO Parser	github.com/zishang520/socket.io/parsers/socket/v3
Engine.IO Server	github.com/zishang520/socket.io/servers/engine/v3
Socket.IO Server	github.com/zishang520/socket.io/servers/socket/v3
Engine.IO Client	github.com/zishang520/socket.io/clients/engine/v3
Socket.IO Client	github.com/zishang520/socket.io/clients/socket/v3
Base Adapter	github.com/zishang520/socket.io/adapters/adapter/v3
Redis Adapter	github.com/zishang520/socket.io/adapters/redis/v3

📖 Migration

See the complete Upgrade Guide for detailed instructions on migrating from v1/v2.

v3.0.0-rc.14

Full Changelog: v3.0.0-rc.13...v3.0.0-rc.14

v3.0.0-rc.13

What's Changed

• Potential fix for code scanning alert no. 7: Incorrect conversion between integer types by @zishang520 in #139

New Contributors

• @zishang520 made their first contribution in #139

Full Changelog: v3.0.0-rc.12...v3.0.0-rc.13

v3.0.0-rc.12

What's Changed

• chore(deps): bump golang.org/x/net from 0.36.0 to 0.38.0 by @dependabot[bot] in #94
• chore(deps): bump github.com/andybalholm/brotli from 1.1.1 to 1.2.0 by @dependabot[bot] in #97
• chore(deps): bump github.com/gookit/color from 1.5.4 to 1.6.0 by @dependabot[bot] in #106
• chore(deps): bump github.com/quic-go/quic-go from 0.54.0 to 0.54.1 by @dependabot[bot] in #113
• chore(deps): bump github.com/quic-go/quic-go from 0.54.0 to 0.55.0 by @dependabot[bot] in #115
• chore(deps): bump resty.dev/v3 from 3.0.0-beta.3 to 3.0.0-beta.4 by @dependabot[bot] in #122
• chore(deps): bump github.com/quic-go/quic-go from 0.55.0 to 0.57.0 by @dependabot[bot] in #121
• chore(deps): bump resty.dev/v3 from 3.0.0-beta.4 to 3.0.0-beta.5 by @dependabot[bot] in #127
• chore(deps): bump resty.dev/v3 from 3.0.0-beta.5 to 3.0.0-beta.6 by @dependabot[bot] in #129
• refactor: switch to upstream quic-go/webtransport-go by @bneigher in #130
• Consolidate duplicate ExtendedError implementations by @Copilot in #135

New Contributors

• @bneigher made their first contribution in #130
• @Copilot made their first contribution in #135

Full Changelog: v3.0.0-rc.11...v3.0.0-rc.12

v3.0.0-rc.10

Full Changelog: v3.0.0-rc.10...v3.0.0-rc.10

v3.0.0-rc.9

What's Changed

• chore(deps): bump github.com/quic-go/quic-go from 0.54.0 to 0.54.1 by @dependabot[bot] in #113
• chore(deps): bump github.com/quic-go/quic-go from 0.54.0 to 0.55.0 by @dependabot[bot] in #115
• chore(deps): bump resty.dev/v3 from 3.0.0-beta.3 to 3.0.0-beta.4 by @dependabot[bot] in #122
• chore(deps): bump github.com/quic-go/quic-go from 0.55.0 to 0.57.0 by @dependabot[bot] in #121

Full Changelog: v3.0.0-rc.8...v3.0.0-rc.9