github socketio/socket.io 2.4.1

3 years ago

This release reverts the breaking change introduced in 2.4.0 (f78a575).

If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:

  • without CORS (server and client are served from the same domain):

    const io = require("socket.io")(httpServer, {
      allowRequest: (req, callback) => {
        callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed
      }
    });

    Note that this rejects every handshake that carries an Origin header. Browsers normally omit it on a same-origin polling GET but always send it on a WebSocket handshake, so a client configured with transports: ["websocket"] will be refused even when it is served from the same domain.

  • with CORS (server and client are served from distinct domains):

    io.origins(["http://localhost:3000"]); // for local development
    io.origins(["https://example.com"]);
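As an added example (not socket.io's own code), the following is a stricter allowRequest than the one-liner above: it keeps an explicit allowlist of origins and compares the request's Origin header against it by exact match after normalising both sides through the WHATWG URL parser, so that letter case, a trailing slash and a default port do not matter, while look-alikes such as https://example.com.evil.com or https://example.com@evil.com, the literal "null" origin and folded duplicate headers are rejected. Keep in mind that in Socket.IO v2 a user-supplied allowRequest takes the place of the built-in io.origins() check, so the allowlist has to be complete. The helper names (normalizeOrigin, buildAllowlist, isOriginAllowed, makeAllowRequest), the allowMissingOrigin option and the sample origins are assumptions of this example; the wiring line that needs a live httpServer is left as a comment.

```javascript
"use strict";
// Added example, not socket.io's own code: an exact-match Origin allowlist that
// plugs into the `allowRequest` option of Socket.IO v2 / engine.io v3.
// engine.io calls allowRequest(req, callback) for each new handshake and expects
// callback(err, success); success === false rejects the request.

// Normalize a browser Origin header to "scheme://host[:port]" with the WHATWG URL
// parser, so "HTTPS://Example.com:443/" and "https://example.com" compare equal.
// Returns null for values that are not a usable origin: the literal "null" origin
// (sandboxed iframes, file://), folded duplicate headers ("https://a, https://b"),
// or anything else that does not parse.
function normalizeOrigin(value) {
  if (typeof value !== "string") return null;
  let url;
  try {
    url = new URL(value);
  } catch (err) {
    return null;
  }
  // Opaque origins serialize as the string "null"; never allowlist those.
  if (url.origin === "null") return null;
  return url.origin;
}

// Build the allowlist once at startup; every entry must itself be a valid origin,
// so a typo in the configuration fails loudly instead of silently allowing nothing.
function buildAllowlist(origins) {
  const allowed = new Set();
  for (const entry of origins) {
    const origin = normalizeOrigin(entry);
    if (origin === null) throw new Error("not a valid origin: " + entry);
    allowed.add(origin);
  }
  return allowed;
}

// Decide a single handshake. A missing Origin header means a non-browser client or
// a same-origin request the browser did not tag (browsers do tag every WebSocket
// handshake, so a websocket-only client always carries one). An Origin check only
// defends browsers against cross-site connections; a non-browser client can send
// any Origin it likes, so authenticate the socket separately.
function isOriginAllowed(allowed, headers, allowMissingOrigin) {
  const origin = headers.origin;
  if (origin === undefined) return allowMissingOrigin;
  const normalized = normalizeOrigin(origin);
  return normalized !== null && allowed.has(normalized);
}

// `allowMissingOrigin` (assumed option name) defaults to true, matching the
// release note's snippet, which treats an absent Origin as acceptable.
function makeAllowRequest(origins, options) {
  const allowMissingOrigin = !options || options.allowMissingOrigin !== false;
  const allowed = buildAllowlist(origins);
  return function allowRequest(req, callback) {
    // Node lower-cases header names, so the Origin header is `req.headers.origin`.
    callback(null, isOriginAllowed(allowed, req.headers, allowMissingOrigin));
  };
}

// Wiring into a Socket.IO v2 server (needs a live httpServer and the socket.io
// package, so it is left as a comment here):
// const io = require("socket.io")(httpServer, {
//   allowRequest: makeAllowRequest(["https://example.com", "http://localhost:3000"])
// });
```

Because the comparison is on the serialized origin rather than a substring or regular expression, adding a port or a second scheme to the allowlist is an explicit decision rather than an accident.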

In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).

Reverts

  • fix(security): do not allow all origins by default (a169050)

Links:

  • Diff: 2.4.0...2.4.1
  • Client release: -
  • engine.io version: ~3.5.0
  • ws version: ~7.4.2
