chore(release): engine.io@6.6.4

Diff: https://github.com/socketio/socket.io/compare/engine.io@6.6.3...engine.io@6.6.4

package-lock.json

@@ -42,6 +42,7 @@
         "base64-arraybuffer": "^1.0.2",
         "benchmark": "^2.1.4",
         "blob": "^0.1.0",
+        "cookie": "~0.7.2",
         "eiows": "^7.1.0",
         "engine.io-client-v3": "npm:engine.io-client@^3.5.2",
         "expect.js": "^0.3.1",
@@ -5756,11 +5757,11 @@
       "dev": true
     },
     "node_modules/cookie": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-1.0.2.tgz",
-      "integrity": "sha512-9Kr/j4O16ISv8zBBhJoi4bXOYNTkFLOqSL3UDB0njXxCXNezjeyVrJyGOWtgfs/q2km1gwBcfH8q1yEGoMYunA==",
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
+      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
       "engines": {
-        "node": ">=18"
+        "node": ">= 0.6"
       }
     },
     "node_modules/cookie-signature": {
@@ -15506,14 +15507,14 @@
       }
     },
     "packages/engine.io": {
-      "version": "6.6.2",
+      "version": "6.6.3",
       "license": "MIT",
       "dependencies": {
         "@types/cors": "^2.8.12",
         "@types/node": ">=10.0.0",
         "accepts": "~1.3.4",
         "base64id": "2.0.0",
-        "cookie": "~1.0.2",
+        "cookie": "~0.7.2",
         "cors": "~2.8.5",
         "debug": "~4.3.1",
         "engine.io-parser": "~5.2.1",
@@ -15524,7 +15525,7 @@
       }
     },
     "packages/engine.io-client": {
-      "version": "6.6.2",
+      "version": "6.6.3",
       "license": "MIT",
       "dependencies": {
         "@socket.io/component-emitter": "~3.1.0",

package.json

@@ -43,6 +43,7 @@
     "base64-arraybuffer": "^1.0.2",
     "benchmark": "^2.1.4",
     "blob": "^0.1.0",
+    "cookie": "~0.7.2",
     "eiows": "^7.1.0",
     "engine.io-client-v3": "npm:engine.io-client@^3.5.2",
     "expect.js": "^0.3.1",

packages/engine.io/CHANGELOG.md

@@ -2,6 +2,7 @@
 
 | Version                                                                                              | Release date   |
 |------------------------------------------------------------------------------------------------------|----------------|
+| [6.6.4](#664-2025-01-28)                                                                             | January 2025   |
 | [6.6.3](#663-2025-01-23)                                                                             | January 2025   |
 | [6.6.2](#662-2024-10-09)                                                                             | October 2024   |
 | [6.6.1](#661-2024-09-21)                                                                             | September 2024 |
@@ -48,6 +49,17 @@
 
 # Release notes
 
+## [6.6.4](https://github.com/socketio/socket.io/compare/engine.io@6.6.3...engine.io@6.6.4) (2025-01-28)
+
+The bump of the `cookie` dependency was reverted, as it drops support for older Node.js versions (< 14).
+
+
+### Dependencies
+
+- [`ws@~8.17.1`](https://github.com/websockets/ws/releases/tag/8.17.1) (no change)
+
+
+
 ## [6.6.3](https://github.com/socketio/socket.io/compare/engine.io@6.6.2...engine.io@6.6.3) (2025-01-23)
 
 This release contains a bump of the `cookie` dependency.

packages/engine.io/lib/contrib/types.cookie.ts

@@ -0,0 +1,117 @@
+// imported from https://github.com/DefinitelyTyped/DefinitelyTyped/blob/b83cf9ef8b044e69f05b2a00aa7c6cb767a9acd2/types/cookie/index.d.ts (now deleted)
+/**
+ * Basic HTTP cookie parser and serializer for HTTP servers.
+ */
+
+/**
+ * Additional serialization options
+ */
+export interface CookieSerializeOptions {
+  /**
+   * Specifies the value for the {@link https://tools.ietf.org/html/rfc6265#section-5.2.3|Domain Set-Cookie attribute}. By default, no
+   * domain is set, and most clients will consider the cookie to apply to only
+   * the current domain.
+   */
+  domain?: string | undefined;
+
+  /**
+   * Specifies a function that will be used to encode a cookie's value. Since
+   * value of a cookie has a limited character set (and must be a simple
+   * string), this function can be used to encode a value into a string suited
+   * for a cookie's value.
+   *
+   * The default function is the global `encodeURIComponent`, which will
+   * encode a JavaScript string into UTF-8 byte sequences and then URL-encode
+   * any that fall outside of the cookie range.
+   */
+  encode?(value: string): string;
+
+  /**
+   * Specifies the `Date` object to be the value for the {@link https://tools.ietf.org/html/rfc6265#section-5.2.1|`Expires` `Set-Cookie` attribute}. By default,
+   * no expiration is set, and most clients will consider this a "non-persistent cookie" and will delete
+   * it on a condition like exiting a web browser application.
+   *
+   * *Note* the {@link https://tools.ietf.org/html/rfc6265#section-5.3|cookie storage model specification}
+   * states that if both `expires` and `maxAge` are set, then `maxAge` takes precedence, but it is
+   * possible not all clients by obey this, so if both are set, they should
+   * point to the same date and time.
+   */
+  expires?: Date | undefined;
+  /**
+   * Specifies the boolean value for the {@link https://tools.ietf.org/html/rfc6265#section-5.2.6|`HttpOnly` `Set-Cookie` attribute}.
+   * When truthy, the `HttpOnly` attribute is set, otherwise it is not. By
+   * default, the `HttpOnly` attribute is not set.
+   *
+   * *Note* be careful when setting this to true, as compliant clients will
+   * not allow client-side JavaScript to see the cookie in `document.cookie`.
+   */
+  httpOnly?: boolean | undefined;
+  /**
+   * Specifies the number (in seconds) to be the value for the `Max-Age`
+   * `Set-Cookie` attribute. The given number will be converted to an integer
+   * by rounding down. By default, no maximum age is set.
+   *
+   * *Note* the {@link https://tools.ietf.org/html/rfc6265#section-5.3|cookie storage model specification}
+   * states that if both `expires` and `maxAge` are set, then `maxAge` takes precedence, but it is
+   * possible not all clients by obey this, so if both are set, they should
+   * point to the same date and time.
+   */
+  maxAge?: number | undefined;
+  /**
+   * Specifies the `boolean` value for the [`Partitioned` `Set-Cookie`](rfc-cutler-httpbis-partitioned-cookies)
+   * attribute. When truthy, the `Partitioned` attribute is set, otherwise it is not. By default, the
+   * `Partitioned` attribute is not set.
+   *
+   * **note** This is an attribute that has not yet been fully standardized, and may change in the future.
+   * This also means many clients may ignore this attribute until they understand it.
+   *
+   * More information about can be found in [the proposal](https://github.com/privacycg/CHIPS)
+   */
+  partitioned?: boolean | undefined;
+  /**
+   * Specifies the value for the {@link https://tools.ietf.org/html/rfc6265#section-5.2.4|`Path` `Set-Cookie` attribute}.
+   * By default, the path is considered the "default path".
+   */
+  path?: string | undefined;
+  /**
+   * Specifies the `string` to be the value for the [`Priority` `Set-Cookie` attribute][rfc-west-cookie-priority-00-4.1].
+   *
+   * - `'low'` will set the `Priority` attribute to `Low`.
+   * - `'medium'` will set the `Priority` attribute to `Medium`, the default priority when not set.
+   * - `'high'` will set the `Priority` attribute to `High`.
+   *
+   * More information about the different priority levels can be found in
+   * [the specification][rfc-west-cookie-priority-00-4.1].
+   *
+   * **note** This is an attribute that has not yet been fully standardized, and may change in the future.
+   * This also means many clients may ignore this attribute until they understand it.
+   */
+  priority?: "low" | "medium" | "high" | undefined;
+  /**
+   * Specifies the boolean or string to be the value for the {@link https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.7|`SameSite` `Set-Cookie` attribute}.
+   *
+   * - `true` will set the `SameSite` attribute to `Strict` for strict same
+   * site enforcement.
+   * - `false` will not set the `SameSite` attribute.
+   * - `'lax'` will set the `SameSite` attribute to Lax for lax same site
+   * enforcement.
+   * - `'strict'` will set the `SameSite` attribute to Strict for strict same
+   * site enforcement.
+   *  - `'none'` will set the SameSite attribute to None for an explicit
+   *  cross-site cookie.
+   *
+   * More information about the different enforcement levels can be found in {@link https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.7|the specification}.
+   *
+   * *note* This is an attribute that has not yet been fully standardized, and may change in the future. This also means many clients may ignore this attribute until they understand it.
+   */
+  sameSite?: true | false | "lax" | "strict" | "none" | undefined;
+  /**
+   * Specifies the boolean value for the {@link https://tools.ietf.org/html/rfc6265#section-5.2.5|`Secure` `Set-Cookie` attribute}. When truthy, the
+   * `Secure` attribute is set, otherwise it is not. By default, the `Secure` attribute is not set.
+   *
+   * *Note* be careful when setting this to `true`, as compliant clients will
+   * not send the cookie back to the server in the future if the browser does
+   * not have an HTTPS connection.
+   */
+  secure?: boolean | undefined;
+}

packages/engine.io/lib/server.ts

@@ -6,7 +6,6 @@ import { EventEmitter } from "events";
 import { Socket } from "./socket";
 import debugModule from "debug";
 import { serialize } from "cookie";
-import type { SerializeOptions } from "cookie";
 import { Server as DEFAULT_WS_ENGINE } from "ws";
 import type {
   IncomingMessage,
@@ -18,6 +17,7 @@ import type { Duplex } from "stream";
 import { WebTransport } from "./transports/webtransport";
 import { createPacketDecoderStream } from "engine.io-parser";
 import type { EngineRequest } from "./transport";
+import type { CookieSerializeOptions } from "./contrib/types.cookie";
 
 const debug = debugModule("engine");
 
@@ -123,7 +123,7 @@ export interface ServerOptions {
    * might be used for sticky-session. Defaults to not sending any cookie.
    * @default false
    */
-  cookie?: (SerializeOptions & { name: string }) | boolean;
+  cookie?: (CookieSerializeOptions & { name: string }) | boolean;
   /**
    * the options that will be forwarded to the cors module
    */

packages/engine.io/package.json

@@ -1,6 +1,6 @@
 {
   "name": "engine.io",
-  "version": "6.6.3",
+  "version": "6.6.4",
   "description": "The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server",
   "type": "commonjs",
   "main": "./build/engine.io.js",
@@ -35,7 +35,7 @@
     "@types/node": ">=10.0.0",
     "accepts": "~1.3.4",
     "base64id": "2.0.0",
-    "cookie": "~1.0.2",
+    "cookie": "~0.7.2",
     "cors": "~2.8.5",
     "debug": "~4.3.1",
     "engine.io-parser": "~5.2.1",