chore(release): socket.io-parser@3.4.4

Backported from main: b25738c416

When a packet contains binary elements, the built-in parser does not modify them and simply sends them in their own WebSocket frame.

Example: `socket.emit("some event", Buffer.of(1,2,3))`

is encoded and transferred as:

- 1st frame: 51-["some event",{"_placeholder":true,"num":0}]
- 2nd frame: <buffer 01 02 03>

where:

- `5` is the type of the packet (binary message)
- `1` is the number of binary attachments
- `-` is the separator
- `["some event",{"_placeholder":true,"num":0}]` is the payload (including the placeholder)

On the receiving end, the parser reads the number of attachments and buffers them until they are all received.

Before this change, the built-in parser accepted any number of binary attachments, which could be exploited to make the server run out of memory.

The number of attachments is now limited to 10, which should be sufficient for most use cases.

The limit can be increased with a custom `parser`:

```js
import { Encoder, Decoder } from "socket.io-parser";

const io = new Server({
  parser: {
    Encoder,
    Decoder: class extends Decoder {
      constructor() {
        super({
          maxAttachments: 20
        });
      }
    }
  }
});
```

.github/workflows/ci.yml

@@ -3,7 +3,7 @@ name: CI
 on:
   push:
     branches:
-      - 'socket.io-parser/3.3.x'
+      - 'socket.io-parser/3.4.x'
 
 permissions:
   contents: read

.travis.yml

@@ -1,22 +0,0 @@
-language: node_js
-sudo: false
-node_js:
-  - '8'
-  - '10'
-git:
-  depth: 1
-matrix:
-  include:
-    - node_js: 10
-      env: BROWSERS=1
-cache:
-  directories:
-    - node_modules
-env:
-  global:
-    - secure: >-
-        Ea4P/R9UlWzDlHSP5ynmLiD/YgLjecIvCviOcRTle9mV3P1j2k94Ay1LVu1Jw4whlNmWLq2Z/p8M63L92ODPMlarPsuME8HlP4zGr41whFhRbFdda4k3zrHfUhZBlnhY1MVWXTtVm/l7DOzpBrNh+wKecxZB3yyyEaA+PSG3qcQ=
-    - secure: >-
-        JmPf38qx5Rb6K+WYOMwb5YmESkDmVJ6tgggiJIuyRfHsgQVOO7XBwZuspIKGTSFolUIMaqwQe79Kd+Ehs2ZZ/0lUyF2/6xW3FqFnASUusYJcZdfRjypmBFWs6BRdtEORM8HL0dgBx4O4u/e4ZvtygumbPahjQbMDaqN+MvlpjD0=
-    - secure: >-
-        c3pnLhy3VDJqMl16ABA+8vt3I623aNa2wkLceLXb2V1Dc6eiZeulDH2ekwmdVo/r2WwGIKP3Y6B0mq/xP4W0hg4uT+xWh0AmFHclVyM/yp/AqfXrDUv17Vm0vB7OIgp332OiAlK6Dr13YDbWW8iZxmID41O2+2qohLGPn5JMncg=

CHANGELOG.md

@@ -1,37 +1,33 @@
-## [3.3.5](https://github.com/socketio/socket.io-parser/compare/3.3.4...3.3.5) (2026-03-17)
+## [3.4.4](https://github.com/socketio/socket.io-parser/compare/3.4.3...3.4.4) (2026-03-17)
 
 
 ### Bug Fixes
 
-* add a limit to the number of binary attachments ([9d39f1f](https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf))
+* add a limit to the number of binary attachments ([719f9eb](https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4))
 
 
 
-## [3.3.4](https://github.com/Automattic/socket.io-parser/compare/3.3.3...3.3.4) (2024-07-22)
+## [3.4.3](https://github.com/socketio/socket.io-parser/compare/3.4.2...3.4.3) (2023-05-22)
 
 
 ### Bug Fixes
 
-* check the format of the event name ([#125](https://github.com/Automattic/socket.io-parser/issues/125)) ([ee00660](https://github.com/Automattic/socket.io-parser/commit/ee006607495eca4ec7262ad080dd3a91439a5ba4))
+* check the format of the event name ([2dc3c92](https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced))
 
 
 
-## [3.3.3](https://github.com/Automattic/socket.io-parser/compare/3.3.2...3.3.3) (2022-11-09)
+## [3.4.2](https://github.com/socketio/socket.io-parser/compare/3.4.1...3.4.2) (2022-11-09)
 
 
 ### Bug Fixes
 
-* check the format of the index of each attachment ([fb21e42](https://github.com/Automattic/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983))
+* check the format of the index of each attachment ([04d23ce](https://github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14))
 
 
 
-## [3.3.2](https://github.com/Automattic/socket.io-parser/compare/3.3.1...3.3.2) (2021-01-09)
+## [3.4.1](https://github.com/socketio/socket.io-parser/compare/3.4.0...3.4.1) (2020-05-13)
 
 
 ### Bug Fixes
 
-* prevent DoS (OOM) via massive packets ([#95](https://github.com/Automattic/socket.io-parser/issues/95)) ([89197a0](https://github.com/Automattic/socket.io-parser/commit/89197a05c43b18cc4569fd178d56e7bb8f403865))
-
-
-## [3.3.1](https://github.com/socketio/socket.io-parser/compare/3.3.0...3.3.1) (2020-09-30)
-
+* prevent DoS (OOM) via massive packets ([#95](https://github.com/socketio/socket.io-parser/issues/95)) ([dcb942d](https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55))

Readme.md

@@ -4,7 +4,7 @@
 [![Build Status](https://secure.travis-ci.org/socketio/socket.io-parser.svg?branch=master)](http://travis-ci.org/socketio/socket.io-parser)
 [![NPM version](https://badge.fury.io/js/socket.io-parser.svg)](http://badge.fury.io/js/socket.io-parser)
 
-A socket.io encoder and decoder written in JavaScript complying with version `3`
+A socket.io encoder and decoder written in JavaScript complying with version `4`
 of [socket.io-protocol](https://github.com/socketio/socket.io-protocol).
 Used by [socket.io](https://github.com/automattic/socket.io) and
 [socket.io-client](https://github.com/automattic/socket.io-client).

index.js

@@ -272,26 +272,6 @@ Decoder.prototype.add = function(obj) {
   }
 };
 
-function isPayloadValid(type, payload) {
-  switch (type) {
-    case 0: // CONNECT
-      return typeof payload === "object";
-    case 1: // DISCONNECT
-      return payload === undefined;
-    case 4: // ERROR
-      return typeof payload === "string" || typeof payload === "object";
-    case 2: // EVENT
-    case 5: // BINARY_EVENT
-      return (
-        isArray(payload) &&
-        (typeof payload[0] === "string" || typeof payload[0] === "number")
-      );
-    case 3: // ACK
-    case 6: // BINARY_ACK
-      return isArray(payload);
-  }
-}
-
 /**
  * Decode a packet String (JSON data)
  *
@@ -379,6 +359,26 @@ function tryParse(str) {
   }
 }
 
+function isPayloadValid(type, payload) {
+  switch (type) {
+    case 0: // CONNECT
+      return typeof payload === "object";
+    case 1: // DISCONNECT
+      return payload === undefined;
+    case 4: // ERROR
+      return typeof payload === "string" || typeof payload === "object";
+    case 2: // EVENT
+    case 5: // BINARY_EVENT
+      return (
+        isArray(payload) &&
+        (typeof payload[0] === "string" || typeof payload[0] === "number")
+      );
+    case 3: // ACK
+    case 6: // BINARY_ACK
+      return isArray(payload);
+  }
+}
+
 /**
  * Deallocates a parser's resources
  *

package.json

@@ -1,6 +1,6 @@
 {
   "name": "socket.io-parser",
-  "version": "3.3.5",
+  "version": "3.4.4",
   "description": "socket.io protocol parser",
   "repository": {
     "type": "git",
@@ -12,11 +12,14 @@
     "is-buffer.js"
   ],
   "dependencies": {
-    "component-emitter": "~1.3.0",
-    "debug": "~3.1.0",
+    "debug": "~4.1.0",
+    "component-emitter": "1.2.1",
     "isarray": "2.0.1"
   },
   "devDependencies": {
+    "@babel/core": "~7.9.6",
+    "@babel/preset-env": "~7.9.6",
+    "babelify": "~10.0.0",
     "benchmark": "2.1.2",
     "expect.js": "0.3.1",
     "mocha": "3.2.0",
@@ -27,5 +30,8 @@
   "scripts": {
     "test": "make test"
   },
-  "license": "MIT"
+  "license": "MIT",
+  "engines": {
+    "node": ">=10.0.0"
+  }
 }

zuul.config.js

@@ -23,6 +23,16 @@ if (process.env.CI === 'true') {
     type: 'ngrok',
     bind_tls: true
   };
+  zuulConfig.browserify = [
+    {
+      transform: {
+        name: "babelify",
+        presets: ["@babel/preset-env"],
+        global: true,
+        only: [ /\/node_modules\/debug\// ]
+      }
+    }
+  ]
 }
 
 var isPullRequest = process.env.TRAVIS_PULL_REQUEST && process.env.TRAVIS_PULL_REQUEST !== 'false';