chore(release): socket.io-parser@4.2.6

Diff: https://github.com/socketio/socket.io/compare/socket.io-parser@4.2.5...socket.io-parser@4.2.6
fix(parser): add a limit to the number of binary attachments
2026-04-30 03:00:39 -04:00 · 2026-03-17 10:53:22 +01:00 · 2026-03-17 10:27:15 +01:00
19 changed files with 129 additions and 375 deletions
--- a/.github/workflows/build-examples.yml
+++ b/.github/workflows/build-examples.yml
@@ -37,7 +37,6 @@ jobs:
        uses: actions/setup-node@v6
        with:
          node-version: 20
-          cache: npm

      - name: Build ${{ matrix.example }}
        run: |
--- a/.github/workflows/ci-browser.yml
+++ b/.github/workflows/ci-browser.yml
@@ -26,7 +26,6 @@ jobs:
        uses: actions/setup-node@v6
        with:
          node-version: 20
-          cache: npm

      - name: Install dependencies
        run: npm ci
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -55,7 +55,6 @@ jobs:
        uses: actions/setup-node@v6
        with:
          node-version: ${{ matrix.node-version }}
-          cache: npm

      - name: Install dependencies
        run: npm ci
@@ -68,12 +67,12 @@ jobs:

      - name: Run tests with uws (engine.io)
        run: npm run test:uws --workspace=engine.io
-        if: ${{ matrix.node-version == '24' }}
+        if: ${{ matrix.node-version == '18' }}

      - name: Run tests with fetch instead of XHR (engine.io-client)
        run: npm run test:node-fetch --workspace=engine.io-client
-        if: ${{ matrix.node-version == '24' }}
+        if: ${{ matrix.node-version == '18' }}

      - name: Run tests with Node.js native WebSocket (engine.io-client)
        run: npm run test:node-builtin-ws --workspace=engine.io-client
-        if: ${{ matrix.node-version == '24' }}
+        if: ${{ matrix.node-version == '22' }}
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -24,7 +24,6 @@ jobs:
        with:
          node-version: 24
          registry-url: 'https://registry.npmjs.org'
-          cache: npm

      - name: Install dependencies
        run: npm ci
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -37,35 +37,33 @@ We will get back to you as soon as possible and publish a fix if necessary.

 From the transitive dependencies:

-| Date          | Dependency         | Description                                                                                                             | CVE number       |
-|---------------|--------------------|-------------------------------------------------------------------------------------------------------------------------|------------------|
-| January 2016  | `ws`               | [Buffer vulnerability](https://github.com/advisories/GHSA-2mhh-w6q8-5hxw)                                               | `CVE-2016-10518` |
-| January 2016  | `ws`               | [DoS due to excessively large websocket message](https://github.com/advisories/GHSA-6663-c963-2gqg)                     | `CVE-2016-10542` |
-| November 2017 | `ws`               | [DoS in the `Sec-Websocket-Extensions` header parser](https://github.com/advisories/GHSA-5v72-xg48-5rpm)                | `-`              |
-| February 2020 | `engine.io`        | [Resource exhaustion](https://github.com/advisories/GHSA-j4f2-536g-r55m)                                                | `CVE-2020-36048` |
-| January 2021  | `socket.io-parser` | [Resource exhaustion](https://github.com/advisories/GHSA-xfhh-g9f5-x4m4)                                                | `CVE-2020-36049` |
-| May 2021      | `ws`               | [ReDoS in `Sec-Websocket-Protocol` header](https://github.com/advisories/GHSA-6fc8-4gx4-v693)                           | `CVE-2021-32640` |
-| January 2022  | `engine.io`        | [Uncaught exception](https://github.com/advisories/GHSA-273r-mgr4-v34f)                                                 | `CVE-2022-21676` |
-| October 2022  | `socket.io-parser` | [Insufficient validation when decoding a Socket.IO packet](https://github.com/advisories/GHSA-qm95-pgcg-qqfq)           | `CVE-2022-2421`  |
-| November 2022 | `engine.io`        | [Uncaught exception](https://github.com/advisories/GHSA-r7qp-cfhv-p84w)                                                 | `CVE-2022-41940` |
-| May 2023      | `engine.io`        | [Uncaught exception](https://github.com/advisories/GHSA-q9mw-68c2-j6m5)                                                 | `CVE-2023-31125` |
-| May 2023      | `socket.io-parser` | [Insufficient validation when decoding a Socket.IO packet](https://github.com/advisories/GHSA-cqmj-92xf-r6r9)           | `CVE-2023-32695` |
-| June 2024     | `ws`               | [DoS when handling a request with many HTTP headers](https://github.com/advisories/GHSA-3h5v-q93c-6h6q)                 | `CVE-2024-37890` |
-| March 2026    | `socket.io-parser` | [Unbounded number of binary attachments](https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9) | `CVE-2026-33151` |
+| Date          | Dependency         | Description                                                                                                   | CVE number       |
+|---------------|--------------------|---------------------------------------------------------------------------------------------------------------|------------------|
+| January 2016  | `ws`               | [Buffer vulnerability](https://github.com/advisories/GHSA-2mhh-w6q8-5hxw)                                     | `CVE-2016-10518` |
+| January 2016  | `ws`               | [DoS due to excessively large websocket message](https://github.com/advisories/GHSA-6663-c963-2gqg)           | `CVE-2016-10542` |
+| November 2017 | `ws`               | [DoS in the `Sec-Websocket-Extensions` header parser](https://github.com/advisories/GHSA-5v72-xg48-5rpm)      | `-`              |
+| February 2020 | `engine.io`        | [Resource exhaustion](https://github.com/advisories/GHSA-j4f2-536g-r55m)                                      | `CVE-2020-36048` |
+| January 2021  | `socket.io-parser` | [Resource exhaustion](https://github.com/advisories/GHSA-xfhh-g9f5-x4m4)                                      | `CVE-2020-36049` |
+| May 2021      | `ws`               | [ReDoS in `Sec-Websocket-Protocol` header](https://github.com/advisories/GHSA-6fc8-4gx4-v693)                 | `CVE-2021-32640` |
+| January 2022  | `engine.io`        | [Uncaught exception](https://github.com/advisories/GHSA-273r-mgr4-v34f)                                       | `CVE-2022-21676` |
+| October 2022  | `socket.io-parser` | [Insufficient validation when decoding a Socket.IO packet](https://github.com/advisories/GHSA-qm95-pgcg-qqfq) | `CVE-2022-2421`  |
+| November 2022 | `engine.io`        | [Uncaught exception](https://github.com/advisories/GHSA-r7qp-cfhv-p84w)                                       | `CVE-2022-41940` |
+| May 2023      | `engine.io`        | [Uncaught exception](https://github.com/advisories/GHSA-q9mw-68c2-j6m5)                                       | `CVE-2023-31125` |
+| May 2023      | `socket.io-parser` | [Insufficient validation when decoding a Socket.IO packet](https://github.com/advisories/GHSA-cqmj-92xf-r6r9) | `CVE-2023-32695` |
+| June 2024     | `ws`               | [DoS when handling a request with many HTTP headers](https://github.com/advisories/GHSA-3h5v-q93c-6h6q)       | `CVE-2024-37890` |

 ### For the `socket.io-client` package

 From the transitive dependencies:

-| Date          | Dependency         | Description                                                                                                             | CVE number       |
-|---------------|--------------------|-------------------------------------------------------------------------------------------------------------------------|------------------|
-| January 2016  | `ws`               | [Buffer vulnerability](https://github.com/advisories/GHSA-2mhh-w6q8-5hxw)                                               | `CVE-2016-10518` |
-| January 2016  | `ws`               | [DoS due to excessively large websocket message](https://github.com/advisories/GHSA-6663-c963-2gqg)                     | `CVE-2016-10542` |
-| October 2016  | `engine.io-client` | [Insecure Defaults Allow MITM Over TLS](https://github.com/advisories/GHSA-4r4m-hjwj-43p8)                              | `CVE-2016-10536` |
-| November 2017 | `ws`               | [DoS in the `Sec-Websocket-Extensions` header parser](https://github.com/advisories/GHSA-5v72-xg48-5rpm)                | `-`              |
-| January 2021  | `socket.io-parser` | [Resource exhaustion](https://github.com/advisories/GHSA-xfhh-g9f5-x4m4)                                                | `CVE-2020-36049` |
-| May 2021      | `ws`               | [ReDoS in `Sec-Websocket-Protocol` header](https://github.com/advisories/GHSA-6fc8-4gx4-v693)                           | `CVE-2021-32640` |
-| October 2022  | `socket.io-parser` | [Insufficient validation when decoding a Socket.IO packet](https://github.com/advisories/GHSA-qm95-pgcg-qqfq)           | `CVE-2022-2421`  |
-| May 2023      | `socket.io-parser` | [Insufficient validation when decoding a Socket.IO packet](https://github.com/advisories/GHSA-cqmj-92xf-r6r9)           | `CVE-2023-32695` |
-| June 2024     | `ws`               | [DoS when handling a request with many HTTP headers](https://github.com/advisories/GHSA-3h5v-q93c-6h6q)                 | `CVE-2024-37890` |
-| March 2026    | `socket.io-parser` | [Unbounded number of binary attachments](https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9) | `CVE-2026-33151` |
+| Date          | Dependency         | Description                                                                                                   | CVE number       |
+|---------------|--------------------|---------------------------------------------------------------------------------------------------------------|------------------|
+| January 2016  | `ws`               | [Buffer vulnerability](https://github.com/advisories/GHSA-2mhh-w6q8-5hxw)                                     | `CVE-2016-10518` |
+| January 2016  | `ws`               | [DoS due to excessively large websocket message](https://github.com/advisories/GHSA-6663-c963-2gqg)           | `CVE-2016-10542` |
+| October 2016  | `engine.io-client` | [Insecure Defaults Allow MITM Over TLS](https://github.com/advisories/GHSA-4r4m-hjwj-43p8)                    | `CVE-2016-10536` |
+| November 2017 | `ws`               | [DoS in the `Sec-Websocket-Extensions` header parser](https://github.com/advisories/GHSA-5v72-xg48-5rpm)      | `-`              |
+| January 2021  | `socket.io-parser` | [Resource exhaustion](https://github.com/advisories/GHSA-xfhh-g9f5-x4m4)                                      | `CVE-2020-36049` |
+| May 2021      | `ws`               | [ReDoS in `Sec-Websocket-Protocol` header](https://github.com/advisories/GHSA-6fc8-4gx4-v693)                 | `CVE-2021-32640` |
+| October 2022  | `socket.io-parser` | [Insufficient validation when decoding a Socket.IO packet](https://github.com/advisories/GHSA-qm95-pgcg-qqfq) | `CVE-2022-2421`  |
+| May 2023      | `socket.io-parser` | [Insufficient validation when decoding a Socket.IO packet](https://github.com/advisories/GHSA-cqmj-92xf-r6r9) | `CVE-2023-32695` |
+| June 2024     | `ws`               | [DoS when handling a request with many HTTP headers](https://github.com/advisories/GHSA-3h5v-q93c-6h6q)       | `CVE-2024-37890` |
--- a/docs/engine.io-protocol/v3.md
+++ b/docs/engine.io-protocol/v3.md
@@ -296,7 +296,7 @@ A payload is a series of encoded packets tied together. The payload encoding for
 <length1>:<packet1>[<length2>:<packet2>[...]]
 ```
 * length: length of the packet in __characters__
-* packet: actual packets as described above
+* packet: actual packets as descriped above

 When XHR2 is not supported, the same encoding principle is used also when
 binary data is sent, but it is sent as base64 encoded strings. For the purposes of decoding, an identifier `b` is
--- a/packages/engine.io/CHANGELOG.md
+++ b/packages/engine.io/CHANGELOG.md
@@ -48,30 +48,13 @@
 | [3.4.2](#342-2020-06-04)                                                                             | June 2020      | `"`          |
 | [3.4.1](#341-2020-04-17)                                                                             | April 2020     | `^7.1.2`     |

-
-## [6.6.7](https://github.com/socketio/socket.io/compare/engine.io@6.6.6...engine.io@6.6.7) (2026-04-27)
-
-
-### Bug Fixes
-
-* close HTTP requests with invalid content type ([fc11285](https://github.com/socketio/socket.io/commit/fc11285e14964c2132d122164bf130c355f60671))
-* handle invalid packets when upgrading to WebTransport ([1fa1f46](https://github.com/socketio/socket.io/commit/1fa1f46cd420ac5b57bb4c04c959b58f3c79158c))
-* prevent WebTransport connections when a middleware is registered ([d1f5aa9](https://github.com/socketio/socket.io/commit/d1f5aa93722a7f1ed729b96f771daf92a3dfdaf7))
-
-
-### Dependencies
-
- [`ws@~8.18.3`](https://github.com/websockets/ws/releases/tag/8.18.3) (no change)
-
-
-
 ## [6.6.6](https://github.com/socketio/socket.io/compare/engine.io@6.6.5...engine.io@6.6.6) (2026-03-10)


 ### Bug Fixes

-* add `@types/ws` as dependency ([#5458](https://github.com/socketio/socket.io/issues/5458)) ([07cbe15](https://github.com/socketio/socket.io/commit/07cbe1510ded7e5460cb82e026e2533e50e30eaf))
-* **uws** emit initial_headers and headers events in uServer ([#5460](https://github.com/socketio/socket.io/issues/5460)) ([44ed73f](https://github.com/socketio/socket.io/commit/44ed73f53995d35ef0c8d10df6806d5687238282))
+* add `@types/ws` as dependency ([#5458](https://github.com/socketio/socket/issues/5458)) ([07cbe15](https://github.com/socketio/socket/commit/07cbe1510ded7e5460cb82e026e2533e50e30eaf))
+* **uws** emit initial_headers and headers events in uServer ([#5460](https://github.com/socketio/socket/issues/5460)) ([44ed73f](https://github.com/socketio/socket/commit/44ed73f53995d35ef0c8d10df6806d5687238282))


 ### Dependencies
@@ -155,7 +138,7 @@ See also: https://github.com/advisories/GHSA-pxg6-pf52-xh8x

 ### Performance Improvements

-* do not reset the heartbeat timer on each packet ([5359bae](https://github.com/socketio/engine.io/commit/5359bae683e2a25742bd4989d0355a8fc10d294e))
+* do not reset the hearbeat timer on each packet ([5359bae](https://github.com/socketio/engine.io/commit/5359bae683e2a25742bd4989d0355a8fc10d294e))
 * **websocket:** use bound callbacks ([9a68c8c](https://github.com/socketio/engine.io/commit/9a68c8ce93cc1bc0bc1a30548558da49860f4acd))


@@ -552,9 +535,9 @@ Please upgrade as soon as possible.

 * decrease the default value of maxHttpBufferSize ([58e274c](https://github.com/socketio/engine.io/commit/58e274c437e9cbcf69fd913c813aad8fbd253703))

-This change reduces the default value from 100 MB to a saner 1 MB.
+This change reduces the default value from 100 mb to a more sane 1 mb.

-This helps protect the server against denial-of-service attacks by malicious clients sending huge amounts of data.
+This helps protect the server against denial of service attacks by malicious clients sending huge amounts of data.

 See also: https://github.com/advisories/GHSA-j4f2-536g-r55m

@@ -572,7 +555,7 @@ See also: https://github.com/advisories/GHSA-j4f2-536g-r55m
 So that clients in HTTP long-polling can decide how many packets they have to send to stay under the maxHttpBufferSize
 value.

-This is a backward compatible change that should not mandate a new major revision of the protocol (we stay in v4), as
+This is a backward compatible change which should not mandate a new major revision of the protocol (we stay in v4), as
 we only add a field in the JSON-encoded handshake data:

 ```
@@ -658,7 +641,7 @@ The codebase was migrated to TypeScript ([c0d6eaa](https://github.com/socketio/e

 An ES module wrapper was also added ([401f4b6](https://github.com/socketio/engine.io/commit/401f4b60693fb6702c942692ce42e5bb701d81d7)).

-Please note that the communication protocol was not updated, so a v5 client will be able to reach a v6 server (and vice versa).
+Please note that the communication protocol was not updated, so a v5 client will be able to reach a v6 server (and vice-versa).

 Reference: https://github.com/socketio/engine.io-protocol

--- a/packages/engine.io/lib/server.ts
+++ b/packages/engine.io/lib/server.ts
@@ -166,11 +166,6 @@ function parseSessionId(data: string): string | undefined {
  } catch (e) {}
 }

-// Object.hasOwn() was introduced in Node.js 16.9
-function hasOwn(obj: Record<string, any>, key: string): boolean {
-  return Object.prototype.hasOwnProperty.call(obj, key);
-}
-
 export abstract class BaseServer extends EventEmitter {
  public opts: ServerOptions;

@@ -303,7 +298,7 @@ export abstract class BaseServer extends EventEmitter {
    // sid check
    const sid = req._query.sid;
    if (sid) {
-      if (!hasOwn(this.clients, sid)) {
+      if (!this.clients.hasOwnProperty(sid)) {
        debug('unknown sid "%s"', sid);
        return fn(Server.errors.UNKNOWN_SID, {
          sid,
@@ -403,9 +398,9 @@ export abstract class BaseServer extends EventEmitter {
   */
  public close() {
    debug("closing all open clients");
-    for (const sid in this.clients) {
-      if (hasOwn(this.clients, sid)) {
-        this.clients[sid].close(true);
+    for (let i in this.clients) {
+      if (this.clients.hasOwnProperty(i)) {
+        this.clients[i].close(true);
      }
    }
    this.cleanup();
@@ -529,15 +524,6 @@ export abstract class BaseServer extends EventEmitter {
  }

  public async onWebTransportSession(session: any) {
-    if (this.middlewares.length > 0) {
-      // middlewares expect an IncomingMessage argument, which cannot be created from the WebTransport session object
-      // see also: https://github.com/fails-components/webtransport/issues/448
-      debug(
-        "closing session since WebTransport is not compatible with middlewares",
-      );
-      return session.close();
-    }
-
    const timeout = setTimeout(() => {
      debug(
        "the client failed to establish a bidirectional stream in the given period",
@@ -597,7 +583,7 @@ export abstract class BaseServer extends EventEmitter {

    const sid = parseSessionId(value.data);

-    if (!sid || !hasOwn(this.clients, sid)) {
+    if (!sid) {
      debug("invalid WebTransport handshake");
      return session.close();
    }
@@ -764,20 +750,18 @@ export class Server extends BaseServer {
  /**
   * Handles an Engine.IO HTTP request.
   *
-   * @param {IncomingMessage} req
+   * @param {EngineRequest} req
   * @param {ServerResponse} res
   */
-  public handleRequest(req: IncomingMessage, res: ServerResponse) {
+  public handleRequest(req: EngineRequest, res: ServerResponse) {
    debug('handling "%s" http request "%s"', req.method, req.url);
-    const engineRequest = req as EngineRequest;
-
-    this.prepare(engineRequest);
-    engineRequest.res = res;
+    this.prepare(req);
+    req.res = res;

    const callback: ErrorCallback = (errorCode, errorContext) => {
      if (errorCode !== undefined) {
        this.emit("connection_error", {
-          req: engineRequest,
+          req,
          code: errorCode,
          message: Server.errorMessages[errorCode],
          context: errorContext,
@@ -786,27 +770,25 @@ export class Server extends BaseServer {
        return;
      }

-      if (engineRequest._query.sid) {
+      if (req._query.sid) {
        debug("setting new request for existing client");
-        this.clients[engineRequest._query.sid].transport.onRequest(
-          engineRequest,
-        );
+        this.clients[req._query.sid].transport.onRequest(req);
      } else {
        const closeConnection = (errorCode, errorContext) =>
          abortRequest(res, errorCode, errorContext);
        this.handshake(
-          engineRequest._query.transport as TransportName,
-          engineRequest,
+          req._query.transport as TransportName,
+          req,
          closeConnection,
        );
      }
    };

-    this._applyMiddlewares(engineRequest, res, (err) => {
+    this._applyMiddlewares(req, res, (err) => {
      if (err) {
        callback(Server.errors.BAD_REQUEST, { name: "MIDDLEWARE_FAILURE" });
      } else {
-        this.verify(engineRequest, false, callback);
+        this.verify(req, false, callback);
      }
    });
  }
@@ -815,19 +797,17 @@ export class Server extends BaseServer {
   * Handles an Engine.IO HTTP Upgrade.
   */
  public handleUpgrade(
-    req: IncomingMessage,
+    req: EngineRequest,
    socket: Duplex,
    upgradeHead: Buffer,
  ) {
-    const engineRequest = req as EngineRequest;
+    this.prepare(req);

-    this.prepare(engineRequest);
-
-    const res = new WebSocketResponse(engineRequest, socket);
+    const res = new WebSocketResponse(req, socket);
    const callback: ErrorCallback = (errorCode, errorContext) => {
      if (errorCode !== undefined) {
        this.emit("connection_error", {
-          req: engineRequest,
+          req,
          code: errorCode,
          message: Server.errorMessages[errorCode],
          context: errorContext,
@@ -844,22 +824,18 @@ export class Server extends BaseServer {
      res.writeHead();

      // delegate to ws
-      this.ws.handleUpgrade(engineRequest, socket, head, (websocket) => {
-        this.onWebSocket(engineRequest, socket, websocket);
+      this.ws.handleUpgrade(req, socket, head, (websocket) => {
+        this.onWebSocket(req, socket, websocket);
      });
    };

-    this._applyMiddlewares(
-      engineRequest,
-      res as unknown as ServerResponse,
-      (err) => {
-        if (err) {
-          callback(Server.errors.BAD_REQUEST, { name: "MIDDLEWARE_FAILURE" });
-        } else {
-          this.verify(engineRequest, true, callback);
-        }
-      },
-    );
+    this._applyMiddlewares(req, res as unknown as ServerResponse, (err) => {
+      if (err) {
+        callback(Server.errors.BAD_REQUEST, { name: "MIDDLEWARE_FAILURE" });
+      } else {
+        this.verify(req, true, callback);
+      }
+    });
  }

  /**
@@ -957,7 +933,7 @@ export class Server extends BaseServer {
    server.on("request", (req, res) => {
      if (check(req)) {
        debug('intercepting request for path "%s"', path);
-        this.handleRequest(req, res);
+        this.handleRequest(req as EngineRequest, res);
      } else {
        let i = 0;
        const l = listeners.length;
@@ -970,7 +946,7 @@ export class Server extends BaseServer {
    if (~this.opts.transports.indexOf("websocket")) {
      server.on("upgrade", (req, socket, head) => {
        if (check(req)) {
-          this.handleUpgrade(req, socket, head);
+          this.handleUpgrade(req as EngineRequest, socket, head);
        } else if (false !== options.destroyUpgrade) {
          // default node behavior is to disconnect when no handlers
          // but by adding a handler, we prevent that
--- a/packages/engine.io/lib/transports-uws/polling.ts
+++ b/packages/engine.io/lib/transports-uws/polling.ts
@@ -136,8 +136,7 @@ export class Polling extends Transport {
    const isBinary = "application/octet-stream" === req.headers["content-type"];

    if (isBinary && this.protocol === 4) {
-      this.onError("invalid content");
-      return res.writeStatus("400 Bad Request").end();
+      return this.onError("invalid content");
    }

    this.dataReq = req;
--- a/packages/engine.io/lib/transports/polling.ts
+++ b/packages/engine.io/lib/transports/polling.ts
@@ -122,8 +122,7 @@ export class Polling extends Transport {
    const isBinary = "application/octet-stream" === req.headers["content-type"];

    if (isBinary && this.protocol === 4) {
-      this.onError("invalid content");
-      return res.writeHead(400).end();
+      return this.onError("invalid content");
    }

    this.dataReq = req;
--- a/packages/engine.io/package.json
+++ b/packages/engine.io/package.json
@@ -1,6 +1,6 @@
 {
  "name": "engine.io",
-  "version": "6.6.7",
+  "version": "6.6.6",
  "description": "The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server",
  "type": "commonjs",
  "main": "./build/engine.io.js",
--- a/packages/engine.io/test/common.js
+++ b/packages/engine.io/test/common.js
@@ -60,32 +60,6 @@ exports.listen = (opts, fn) => {
  return e;
 };

-exports.listenAsync = function listenAsync(opts = {}) {
-  return new Promise((resolve) => {
-    const engine = exports.listen(opts, (port) => {
-      resolve({
-        port,
-        close: () => {
-          engine.close();
-          if (engine.httpServer) {
-            engine.httpServer.close();
-          }
-        },
-      });
-    });
-  });
-};
-
-exports.runHandshake = async function runHandshake(port) {
-  const res = await fetch(
-    `http://localhost:${port}/engine.io/?EIO=4&transport=polling`,
-  );
-  const data = await res.text();
-  return {
-    sid: JSON.parse(data.substring(1)).sid,
-  };
-};
-
 exports.ClientSocket = Socket;

 exports.createPartialDone = (done, count) => {
--- a/packages/engine.io/test/server.js
+++ b/packages/engine.io/test/server.js
@@ -7,13 +7,7 @@ const path = require("path");
 const exec = require("child_process").exec;
 const zlib = require("zlib");
 const { Server, Socket, attach } = require("..");
-const {
-  ClientSocket,
-  listen,
-  listenAsync,
-  runHandshake,
-  createPartialDone,
-} = require("./common");
+const { ClientSocket, listen, createPartialDone } = require("./common");
 const expect = require("expect.js");
 const request = require("superagent");
 const cookieMod = require("cookie");
@@ -587,7 +581,7 @@ describe("server", () => {
      });
    });

-    it("should not suggest upgrades when none are available", (done) => {
+    it("should not suggest upgrades when none are availble", (done) => {
      listen({ transports: ["polling"] }, (port) => {
        const socket = new ClientSocket(`ws://localhost:${port}`, {});
        socket.on("handshake", (obj) => {
@@ -1464,26 +1458,6 @@ describe("server", () => {
      },
    );

-    it("should abort the polling data request if the content type is invalid", async () => {
-      const { port, close } = await listenAsync();
-      const { sid } = await runHandshake(port);
-
-      const res = await fetch(
-        `http://localhost:${port}/engine.io/?EIO=4&transport=polling&sid=${sid}`,
-        {
-          method: "POST",
-          headers: {
-            "content-type": "application/octet-stream",
-          },
-          body: Buffer.of(1, 2, 3),
-        },
-      );
-
-      expect(res.status).to.eql(400);
-
-      close();
-    });
-
    // tests https://github.com/LearnBoost/engine.io-client/issues/207
    // websocket test, transport error
    it("should trigger transport close before open for ws", (done) => {
--- a/packages/engine.io/test/webtransport.mjs
+++ b/packages/engine.io/test/webtransport.mjs
@@ -302,122 +302,6 @@ describe("WebTransport", () => {
    );
  });

-  it("should close a connection that sends an invalid upgrade", (done) => {
-    setupServer(
-      {
-        transports: ["polling", "websocket", "webtransport"],
-      },
-      async ({ engine, h3Server, certificate }) => {
-        const httpServer = await createHttpServer(h3Server.port);
-        engine.attach(httpServer);
-
-        request(`http://localhost:${h3Server.port}/engine.io/`)
-          .query({ EIO: 4, transport: "polling" })
-          .end(async (_, res) => {
-            const payload = JSON.parse(res.text.substring(1));
-
-            expect(payload.upgrades).to.eql(["websocket", "webtransport"]);
-
-            const client = new WebTransport(
-              `https://127.0.0.1:${h3Server.port}/engine.io/`,
-              {
-                serverCertificateHashes: [
-                  {
-                    algorithm: "sha-256",
-                    value: certificate.hash,
-                  },
-                ],
-              },
-            );
-
-            await client.ready;
-
-            const stream = await client.createBidirectionalStream();
-            const writer = stream.writable.getWriter();
-
-            await writer.write(Uint8Array.of(31));
-            await writer.write(
-              TEXT_ENCODER.encode(`0{"sid":"11111111111111111111"}`),
-            );
-
-            client.closed.then(() => {
-              success(engine, h3Server, done);
-            });
-          });
-      },
-    );
-  });
-
-  it("should close a connection that sends an invalid upgrade (bis)", (done) => {
-    setupServer(
-      {
-        transports: ["polling", "websocket", "webtransport"],
-      },
-      async ({ engine, h3Server, certificate }) => {
-        const httpServer = await createHttpServer(h3Server.port);
-        engine.attach(httpServer);
-
-        request(`http://localhost:${h3Server.port}/engine.io/`)
-          .query({ EIO: 4, transport: "polling" })
-          .end(async (_, res) => {
-            const payload = JSON.parse(res.text.substring(1));
-
-            expect(payload.upgrades).to.eql(["websocket", "webtransport"]);
-
-            const client = new WebTransport(
-              `https://127.0.0.1:${h3Server.port}/engine.io/`,
-              {
-                serverCertificateHashes: [
-                  {
-                    algorithm: "sha-256",
-                    value: certificate.hash,
-                  },
-                ],
-              },
-            );
-
-            await client.ready;
-
-            const stream = await client.createBidirectionalStream();
-            const writer = stream.writable.getWriter();
-
-            await writer.write(Uint8Array.of(20));
-            await writer.write(TEXT_ENCODER.encode(`0{"sid":"__proto__"}`));
-
-            client.closed.then(() => {
-              success(engine, h3Server, done);
-            });
-          });
-      },
-    );
-  });
-
-  it("should refuse the connection when a middleware is registered", (done) => {
-    setupServer({}, async ({ engine, h3Server, certificate }) => {
-      engine.use((req, res, next) => next());
-
-      engine.on("connection", () => {
-        done(new Error("should not happen"));
-      });
-
-      const client = new WebTransport(
-        `https://127.0.0.1:${h3Server.port}/engine.io/`,
-        {
-          serverCertificateHashes: [
-            {
-              algorithm: "sha-256",
-              value: certificate.hash,
-            },
-          ],
-        },
-      );
-
-      await client.closed;
-
-      success(engine, h3Server, done);
-    });
-  });
-
  it("should send ping/pong packets", (done) => {
    setup(
      {
--- a/packages/socket.io-adapter/lib/cluster-adapter.ts
+++ b/packages/socket.io-adapter/lib/cluster-adapter.ts
@@ -438,7 +438,11 @@ export abstract class ClusterAdapter extends Adapter {
        });
        this.addOffsetIfNecessary(packet, opts, offset);
      } catch (e) {
-        debug("[%s] error while broadcasting message: %s", this.uid, e.message);
+        return debug(
+          "[%s] error while broadcasting message: %s",
+          this.uid,
+          e.message,
+        );
      }
    }

--- a/packages/socket.io-adapter/test/cluster-adapter.ts
+++ b/packages/socket.io-adapter/test/cluster-adapter.ts
@@ -15,7 +15,6 @@ const NODES_COUNT = 3;

 class EventEmitterAdapter extends ClusterAdapterWithHeartbeat {
  private offset = 1;
-  public shouldFailPublish = false;

  constructor(
    nsp,
@@ -28,9 +27,6 @@ class EventEmitterAdapter extends ClusterAdapterWithHeartbeat {
  }

  protected doPublish(message: ClusterMessage): Promise<string> {
-    if (this.shouldFailPublish) {
-      return Promise.reject(new Error("publish failed"));
-    }
    this.eventBus.emit("message", message);
    return Promise.resolve(String(++this.offset));
  }
@@ -156,19 +152,6 @@ describe("cluster adapter", () => {
      servers[0].local.emit("test");
    });

-    it("broadcasts to local clients even when publishAndReturnOffset throws", (done) => {
-      const adapter = servers[0].of("/").adapter as EventEmitterAdapter;
-      adapter.shouldFailPublish = true;
-
-      clientSockets[0].on("test", (arg1) => {
-        expect(arg1).to.eql(1);
-        adapter.shouldFailPublish = false;
-        done();
-      });
-
-      servers[0].emit("test", 1);
-    });
-
    it("broadcasts with multiple acknowledgements", (done) => {
      clientSockets[0].on("test", (cb) => cb(1));
      clientSockets[1].on("test", (cb) => cb(2));
--- a/packages/socket.io-parser/CHANGELOG.md
+++ b/packages/socket.io-parser/CHANGELOG.md
@@ -1,57 +1,38 @@
 # Changelog

-| Version                                                                                                               | Release date   |
-|-----------------------------------------------------------------------------------------------------------------------|----------------|
-| [3.4.4](#344-2026-03-17) (from the [3.4.x](https://github.com/socketio/socket.io/tree/socket.io-parser/3.4.x) branch) | March 2026     |
-| [3.3.5](#335-2026-03-17) (from the [3.3.x](https://github.com/socketio/socket.io/tree/socket.io-parser/3.3.x) branch) | March 2026     |
-| [4.2.6](#426-2026-03-17)                                                                                              | March 2026     |
-| [4.2.5](#425-2025-12-23)                                                                                              | December 2025  |
-| [3.3.4](#334-2024-07-22) (from the [3.3.x](https://github.com/socketio/socket.io-parser/tree/3.3.x) branch)           | July 2024      |
-| [4.2.4](#424-2023-05-31)                                                                                              | May 2023       |
-| [3.4.3](#343-2023-05-22) (from the [3.4.x](https://github.com/socketio/socket.io-parser/tree/3.4.x) branch)           | May 2023       |
-| [4.2.3](#423-2023-05-22)                                                                                              | May 2023       |
-| [4.2.2](#422-2023-01-19)                                                                                              | January 2023   |
-| [3.3.3](#333-2022-11-09) (from the [3.3.x](https://github.com/socketio/socket.io-parser/tree/3.3.x) branch)           | November 2022  |
-| [3.4.2](#342-2022-11-09) (from the [3.4.x](https://github.com/socketio/socket.io-parser/tree/3.4.x) branch)           | November 2022  |
-| [4.0.5](#405-2022-06-27) (from the [4.0.x](https://github.com/socketio/socket.io-parser/tree/4.0.x) branch)           | June 2022      |
-| [4.2.1](#421-2022-06-27)                                                                                              | June 2022      |
-| [4.2.0](#420-2022-04-17)                                                                                              | April 2022     |
-| [4.1.2](#412-2022-02-17)                                                                                              | February 2022  |
-| [3.3.3](#333-2022-11-09) (from the [3.3.x](https://github.com/socketio/socket.io-parser/tree/3.3.x) branch)           | November 2022  |
-| [3.4.2](#342-2022-11-09) (from the [3.4.x](https://github.com/socketio/socket.io-parser/tree/3.4.x) branch)           | November 2022  |
-| [4.0.5](#405-2022-06-27) (from the [4.0.x](https://github.com/socketio/socket.io-parser/tree/4.0.x) branch)           | June 2022      |
-| [4.2.1](#421-2022-06-27)                                                                                              | June 2022      |
-| [4.2.0](#420-2022-04-17)                                                                                              | April 2022     |
-| [4.1.2](#412-2022-02-17)                                                                                              | February 2022  |
-| [4.1.1](#411-2021-10-14)                                                                                              | October 2021   |
-| [4.1.0](#410-2021-10-11)                                                                                              | October 2021   |
-| [4.0.4](#404-2021-01-15)                                                                                              | January 2021   |
-| [3.3.2](#332-2021-01-09) (from the [3.3.x](https://github.com/socketio/socket.io-parser/tree/3.3.x) branch)           | January 2021   |
-| [4.0.3](#403-2021-01-05)                                                                                              | January 2021   |
-| [4.0.2](#402-2020-11-25)                                                                                              | November 2020  |
-| [4.0.1](#401-2020-11-05)                                                                                              | November 2020  |
-| [3.3.1](#331-2020-09-30) (from the [3.3.x](https://github.com/socketio/socket.io-parser/tree/3.3.x) branch)           | September 2020 |
-| [**4.0.0**](#400-2020-09-28)                                                                                          | September 2020 |
-| [3.4.1](#341-2020-05-13)                                                                                              | May 2020       |
-| [3.4.0](#340-2019-09-20)                                                                                              | September 2019 |
-| [3.3.0](#330-2018-11-07)                                                                                              | November 2018  |
-
-## [3.4.4](https://github.com/socketio/socket.io-parser/compare/3.4.3...3.4.4) (2026-03-17)
-
-
-### Bug Fixes
-
-* add a limit to the number of binary attachments ([719f9eb](https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4))
-
-
-
-## [3.3.5](https://github.com/socketio/socket.io-parser/compare/3.3.4...3.3.5) (2026-03-17)
-
-
-### Bug Fixes
-
-* add a limit to the number of binary attachments ([9d39f1f](https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf))
-
+| Version                                                                                                     | Release date   |
+|-------------------------------------------------------------------------------------------------------------|----------------|
+| [4.2.6](#426-2026-03-17)                                                                                    | March 2026     |
+| [4.2.5](#425-2025-12-23)                                                                                    | December 2025  |
+| [3.3.4](#334-2024-07-22) (from the [3.3.x](https://github.com/socketio/socket.io-parser/tree/3.3.x) branch) | July 2024      |
+| [4.2.4](#424-2023-05-31)                                                                                    | May 2023       |
+| [3.4.3](#343-2023-05-22) (from the [3.4.x](https://github.com/socketio/socket.io-parser/tree/3.4.x) branch) | May 2023       |
+| [4.2.3](#423-2023-05-22)                                                                                    | May 2023       |
+| [4.2.2](#422-2023-01-19)                                                                                    | January 2023   |
+| [3.3.3](#333-2022-11-09) (from the [3.3.x](https://github.com/socketio/socket.io-parser/tree/3.3.x) branch) | November 2022  |
+| [3.4.2](#342-2022-11-09) (from the [3.4.x](https://github.com/socketio/socket.io-parser/tree/3.4.x) branch) | November 2022  |
+| [4.0.5](#405-2022-06-27) (from the [4.0.x](https://github.com/socketio/socket.io-parser/tree/4.0.x) branch) | June 2022      |
+| [4.2.1](#421-2022-06-27)                                                                                    | June 2022      |
+| [4.2.0](#420-2022-04-17)                                                                                    | April 2022     |
+| [4.1.2](#412-2022-02-17)                                                                                    | February 2022  |
+| [3.3.3](#333-2022-11-09) (from the [3.3.x](https://github.com/socketio/socket.io-parser/tree/3.3.x) branch) | November 2022  |
+| [3.4.2](#342-2022-11-09) (from the [3.4.x](https://github.com/socketio/socket.io-parser/tree/3.4.x) branch) | November 2022  |
+| [4.0.5](#405-2022-06-27) (from the [4.0.x](https://github.com/socketio/socket.io-parser/tree/4.0.x) branch) | June 2022      |
+| [4.2.1](#421-2022-06-27)                                                                                    | June 2022      |
+| [4.2.0](#420-2022-04-17)                                                                                    | April 2022     |
+| [4.1.2](#412-2022-02-17)                                                                                    | February 2022  |
+| [4.1.1](#411-2021-10-14)                                                                                    | October 2021   |
+| [4.1.0](#410-2021-10-11)                                                                                    | October 2021   |
+| [4.0.4](#404-2021-01-15)                                                                                    | January 2021   |
+| [3.3.2](#332-2021-01-09) (from the [3.3.x](https://github.com/socketio/socket.io-parser/tree/3.3.x) branch) | January 2021   |
+| [4.0.3](#403-2021-01-05)                                                                                    | January 2021   |
+| [4.0.2](#402-2020-11-25)                                                                                    | November 2020  |
+| [4.0.1](#401-2020-11-05)                                                                                    | November 2020  |
+| [3.3.1](#331-2020-09-30) (from the [3.3.x](https://github.com/socketio/socket.io-parser/tree/3.3.x) branch) | September 2020 |
+| [**4.0.0**](#400-2020-09-28)                                                                                | September 2020 |
+| [3.4.1](#341-2020-05-13)                                                                                    | May 2020       |
+| [3.4.0](#340-2019-09-20)                                                                                    | September 2019 |
+| [3.3.0](#330-2018-11-07)                                                                                    | November 2018  |


 ## [4.2.6](https://github.com/socketio/socket.io/compare/socket.io-parser@4.2.5...socket.io-parser@4.2.6) (2026-03-17)
@@ -59,7 +40,7 @@

 ### Bug Fixes

-* **parser:** add a limit to the number of binary attachments ([3fff7ca](https://github.com/socketio/socket.io/commit/3fff7cafa98f1ba5840475b6917c651fe841a943))
+* **parser:** add a limit to the number of binary attachments ([3fff7ca](https://github.com/socketio/socket/commit/3fff7cafa98f1ba5840475b6917c651fe841a943))



--- a/packages/socket.io/lib/typed-events.ts
+++ b/packages/socket.io/lib/typed-events.ts
@@ -22,6 +22,8 @@ export type EventNames<Map extends EventsMap> = keyof Map & (string | symbol);

 /**
 * Returns a union type containing all the keys of an event map that have an acknowledgement callback.
+ *
+ * That also have *some* data coming in.
 */
 export type EventNamesWithAck<
  Map extends EventsMap,
@@ -30,11 +32,11 @@ export type EventNamesWithAck<
  Last<Parameters<Map[K]>> | Map[K],
  K,
  K extends (
-    Parameters<Map[K]> extends never[]
-      ? never
-      : Last<Parameters<Map[K]>> extends (...args: any[]) => any
-        ? K
-        : never
+    Last<Parameters<Map[K]>> extends (...args: any[]) => any
+      ? FirstNonErrorArg<Last<Parameters<Map[K]>>> extends void
+        ? never
+        : K
+      : never
  )
    ? K
    : never
--- a/packages/socket.io/test/socket.io.test-d.ts
+++ b/packages/socket.io/test/socket.io.test-d.ts
@@ -265,11 +265,15 @@ describe("server", () => {
  interface ServerToClientEventsWithMultipleWithAck {
    ackFromServer: (a: boolean, b: string) => Promise<boolean[]>;
    ackFromServerSingleArg: (a: boolean, b: string) => Promise<string[]>;
+    // This should technically be `undefined[]`, but this doesn't work currently *only* with emitWithAck
+    // you can use an empty callback with emit, but not emitWithAck
    onlyCallback: () => Promise<undefined>;
  }
  interface ServerToClientEventsWithAck {
    ackFromServer: (a: boolean, b: string) => Promise<boolean>;
    ackFromServerSingleArg: (a: boolean, b: string) => Promise<string>;
+    // This doesn't work currently *only* with emitWithAck
+    // you can use an empty callback with emit, but not emitWithAck
    onlyCallback: () => Promise<undefined>;
  }
  describe("Emitting Types", () => {
@@ -416,9 +420,8 @@ describe("server", () => {
        sio.timeout(0).emitWithAck("noArgs");
        // @ts-expect-error - "helloFromServer" doesn't have a callback and is thus excluded
        sio.timeout(0).emitWithAck("helloFromServer");
-        expectType<
-          ToEmitWithAck<ServerToClientEventsWithMultipleWithAck, "onlyCallback">
-        >(sio.timeout(0).emitWithAck<"onlyCallback">);
+        // @ts-expect-error - "onlyCallback" doesn't have a callback and is thus excluded
+        sio.timeout(0).emitWithAck("onlyCallback");
        expectType<
          ToEmitWithAck<
            ServerToClientEventsWithMultipleWithAck,
@@ -444,7 +447,7 @@ describe("server", () => {
          nio.emit<"noArgs">,
        );
        expectType<ToEmit<ServerToClientEventsNoAck, "helloFromServer">>(
-          // These errors will disappear once the TS version is updated from 4.7.4
+          // These errors will dissapear once the TS version is updated from 4.7.4
          // the TSD instance is using a newer version of TS than the workspace version
          // to enable the ability to compare against `any`
          sio.emit<"helloFromServer">,
@@ -493,12 +496,10 @@ describe("server", () => {
          s.emitWithAck("noArgs");
          // @ts-expect-error - "helloFromServer" doesn't have a callback and is thus excluded
          s.emitWithAck("helloFromServer");
-          expectType<
-            ToEmitWithAck<ServerToClientEventsWithAck, "onlyCallback">
-          >(s.emitWithAck<"onlyCallback">);
-          expectType<
-            ToEmitWithAck<ServerToClientEventsWithAck, "onlyCallback">
-          >(s.timeout(0).emitWithAck<"onlyCallback">);
+          // @ts-expect-error - "onlyCallback" doesn't have a callback and is thus excluded
+          s.emitWithAck("onlyCallback");
+          // @ts-expect-error - "onlyCallback" doesn't have a callback and is thus excluded
+          s.timeout(0).emitWithAck("onlyCallback");
          expectType<
            ToEmitWithAck<ServerToClientEventsWithAck, "ackFromServerSingleArg">
          >(s.emitWithAck<"ackFromServerSingleArg">);