chore(release): 2.4.1

Diff: https://github.com/socketio/socket.io/compare/2.4.0...2.4.1
revert: fix(security): do not allow all origins by default
2026-01-11 16:08:24 -05:00 · 2021-01-07 10:59:46 +01:00 · 2021-01-07 10:51:55 +01:00 · 2021-01-05 00:27:13 +01:00 · 2021-01-04 22:34:09 +01:00 · 2021-01-04 11:34:24 +01:00
8 changed files with 3413 additions and 17 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,24 @@
+name: CI
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  test-node:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [10.x, 12.x, 14.x]
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v1
+        with:
+          node-version: ${{ matrix.node-version }}
+      - run: npm ci
+      - run: npm test
+        env:
+          CI: true
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,12 +0,0 @@
-language: node_js
-sudo: false
-node_js:
-  - '8'
-  - '10'
-notifications:
-  irc: "irc.freenode.org#socket.io"
-git:
-  depth: 1
-cache:
-  directories:
-    - node_modules
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -0,0 +1,15 @@
+## [2.4.1](https://github.com/socketio/socket.io/compare/2.4.0...2.4.1) (2021-01-07)
+
+
+### Reverts
+
+* fix(security): do not allow all origins by default ([a169050](https://github.com/socketio/socket.io/commit/a1690509470e9dd5559cec4e60908ca6c23e9ba0))
+
+
+# [2.4.0](https://github.com/socketio/socket.io/compare/2.3.0...2.4.0) (2021-01-04)
+
+
+### Bug Fixes
+
+* **security:** do not allow all origins by default ([f78a575](https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7))
+* properly overwrite the query sent in the handshake ([d33a619](https://github.com/socketio/socket.io/commit/d33a619905a4905c153d4fec337c74da5b533a9e))
--- a/Readme.md
+++ b/Readme.md
@@ -2,7 +2,7 @@
 # socket.io

 [![Backers on Open Collective](https://opencollective.com/socketio/backers/badge.svg)](#backers) [![Sponsors on Open Collective](https://opencollective.com/socketio/sponsors/badge.svg)](#sponsors)
-[![Build Status](https://secure.travis-ci.org/socketio/socket.io.svg?branch=master)](https://travis-ci.org/socketio/socket.io)
+[![Build Status](https://github.com/socketio/socket.io/workflows/CI/badge.svg)](https://github.com/socketio/socket.io/actions)
 [![Dependency Status](https://david-dm.org/socketio/socket.io.svg)](https://david-dm.org/socketio/socket.io)
 [![devDependency Status](https://david-dm.org/socketio/socket.io/dev-status.svg)](https://david-dm.org/socketio/socket.io#info=devDependencies)
 [![NPM version](https://badge.fury.io/js/socket.io.svg)](https://www.npmjs.com/package/socket.io)
--- a/lib/socket.js
+++ b/lib/socket.js
@@ -116,7 +116,7 @@ Socket.prototype.buildHandshake = function(query){
  function buildQuery(){
    var requestQuery = url.parse(self.request.url, true).query;
    //if socket-specific query exist, replace query strings in requestQuery
-    return Object.assign({}, query, requestQuery);
+    return Object.assign({}, requestQuery, query);
  }
  return {
    headers: this.request.headers,
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "socket.io",
-  "version": "2.3.0",
+  "version": "2.4.1",
  "description": "node.js realtime framework server",
  "keywords": [
    "realtime",
@@ -25,10 +25,10 @@
  },
  "dependencies": {
    "debug": "~4.1.0",
-    "engine.io": "~3.4.0",
+    "engine.io": "~3.5.0",
    "has-binary2": "~1.0.2",
    "socket.io-adapter": "~1.1.0",
-    "socket.io-client": "2.3.0",
+    "socket.io-client": "2.4.0",
    "socket.io-parser": "~3.4.0"
  },
  "devDependencies": {
--- a/test/socket.io.js
+++ b/test/socket.io.js
@@ -1621,8 +1621,25 @@ describe('socket.io', function(){
        expect(s.handshake.query.key2).to.be('&=bb');
        done();
      });
+    });

+    it('should see the query options sent in the Socket.IO handshake (specific to the given socket)', (done) => {
+      const srv = http();
+      const sio = io(srv);
+      const socket = client(srv, '/namespace',{ query: { key1: 'a', key2: 'b' }}); // manager-specific query option
+      socket.query = { key2: 'c' }; // socket-specific query option

+      const success = () => {
+        sio.close();
+        socket.close();
+        done();
+      }
+
+      sio.of('/namespace').on('connection', (s) => {
+        expect(s.handshake.query.key1).to.be('a'); // in the query params
+        expect(s.handshake.query.key2).to.be('c'); // in the Socket.IO handshake
+        success();
+      });
    });

    it('should handle very large json', function(done){
Author	SHA1	Message	Date
Damien Arrachequesne	e6b869738c	chore(release): 2.4.1 Diff: https://github.com/socketio/socket.io/compare/2.4.0...2.4.1	2021-01-07 10:59:46 +01:00
Damien Arrachequesne	a169050947	revert: fix(security): do not allow all origins by default This reverts commit `f78a575f66`. This commit contains a breaking change which deviates from semver, which we try to follow as closely as possible. That's why this change is reverted and we will rather suggest users to upgrade to v3. Related: https://github.com/socketio/socket.io/discussions/3741	2021-01-07 10:51:55 +01:00
Damien Arrachequesne	873fdc55ed	chore(release): 2.4.0 Diff: https://github.com/socketio/socket.io/compare/2.3.0...2.4.0	2021-01-05 00:27:13 +01:00
Damien Arrachequesne	f78a575f66	fix(security): do not allow all origins by default BREAKING CHANGE: previously, all origins were allowed by default, which meant that a Socket.IO server sent the necessary CORS headers (`Access-Control-Allow-xxx`) to any domain by default. Please note that you are not impacted if: - you are using Socket.IO v2 and the `origins` option to restrict the list of allowed domains - you are using Socket.IO v3 (disabled by default) This commit also removes the support for '' matchers and protocol-less URL: ``` io.origins('https://example.com:443'); => io.origins(['https://example.com']); io.origins('localhost:3000'); => io.origins(['http://localhost:3000']); io.origins('http://localhost:'); => io.origins(['http://localhost:3000']); io.origins('*:3000'); => io.origins(['http://localhost:3000']); ``` To restore the previous behavior (please use with caution): ```js io.origins((_, callback) => { callback(null, true); }); ``` See also: - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS - https://socket.io/docs/v3/handling-cors/ - https://socket.io/docs/v3/migrating-from-2-x-to-3-0/#CORS-handling Thanks a lot to https://github.com/ni8walk3r for the security report.	2021-01-04 22:34:09 +01:00
Sebastiaan Marynissen	d33a619905	fix: properly overwrite the query sent in the handshake The `query` option of the Manager had the priority over the one of the Socket instance, which meant updating the Socket#query object on the client-side was not reflected in the Socket#handshake object on the server-side. Please note that the behavior of the `query` option is still a bit weird in Socket.IO v2, as it only applies to non-default namespace. This is fixed in v3: - https://socket.io/docs/v3/migrating-from-2-x-to-3-0/#Add-a-clear-distinction-between-the-Manager-query-option-and-the-Socket-query-option - https://socket.io/docs/v3/middlewares/#Sending-credentials Fixes https://github.com/socketio/socket.io/issues/3495	2021-01-04 11:34:24 +01:00
Damien Arrachequesne	3951a79359	chore: bump engine.io version Diff: https://github.com/socketio/engine.io/compare/3.4.2...3.5.0	2021-01-04 10:50:13 +01:00
Damien Arrachequesne	6fa026fc94	ci: migrate to GitHub Actions Due to the recent changes to the Travis CI platform (see [1]), we will now use GitHub Actions to run the tests. Reference: https://docs.github.com/en/free-pro-team@latest/actions/guides/building-and-testing-nodejs [1]: https://blog.travis-ci.com/2020-11-02-travis-ci-new-billing	2021-01-04 10:46:44 +01:00