socketio · May 11, 2022 · Jun 6, 2022 · Jun 6, 2022 · Nov 18, 2022 · Nov 19, 2022
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,21 +6,35 @@ on:
   schedule:
     - cron: '0 0 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   test-node:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
 
     strategy:
       matrix:
-        node-version: [14, 16]
+        node-version:
+          - 10
+          - 18
 
     steps:
-      - uses: actions/checkout@v2
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-      - run: npm ci
-      - run: npm test
-        env:
-          CI: true
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run tests
+        run: npm test
+
+      - name: Run tests with µWebSockets.js
+        run: npm run test:uws
+        if: ${{ matrix.node-version == '18' }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,93 @@
+# History
+
+## 2022
+
+- [6.2.1](#621-2022-11-20) (Nov 2022)
+- [3.6.0](#360-2022-06-06) (Jun 2022) (from the [3.x](https://github.com/socketio/engine.io/tree/3.x) branch)
+- [6.2.0](#620-2022-04-17) (Apr 2022)
+- [6.1.3](#613-2022-02-23) (Feb 2022)
+- [6.1.2](#612-2022-01-18) (Jan 2022)
+- [6.1.1](#611-2022-01-11) (Jan 2022)
+
+## 2021
+
+- [6.1.0](#610-2021-11-08) (Nov 2021)
+- [6.0.1](#601-2021-11-06) (Nov 2021)
+- [**6.0.0**](#600-2021-10-08) (Oct 2021)
+- [5.2.0](#520-2021-08-29) (Aug 2021)
+- [5.1.1](#511-2021-05-16) (May 2021)
+- [5.1.0](#510-2021-05-04) (May 2021)
+- [**5.0.0**](#500-2021-03-10) (Mar 2021)
+- [4.1.1](#411-2021-02-02) (Feb 2021)
+- [4.1.0](#410-2021-01-14) (Jan 2021)
+- [4.0.6](#406-2021-01-04) (Jan 2021)
+
+## 2020
+
+- [3.5.0](#350-2020-12-30) (Dec 2020) (from the [3.x](https://github.com/socketio/engine.io/tree/3.x) branch)
+- [4.0.5](#405-2020-12-07) (Dec 2020)
+- [4.0.4](#404-2020-11-17) (Nov 2020)
+- [4.0.3](#403-2020-11-17) (Nov 2020)
+- [4.0.2](#402-2020-11-09) (Nov 2020)
+- [4.0.1](#401-2020-10-21) (Oct 2020)
+- [**4.0.0**](#400-2020-09-10) (Sep 2020)
+- [3.4.2](#342-2020-06-04) (Jun 2020)
+- [3.4.1](#341-2020-04-17) (Apr 2020)
+
+
+
+# Release notes
+
+## [6.2.1](https://github.com/socketio/engine.io/compare/6.2.0...6.2.1) (2022-11-20)
+
+:warning: This release contains an important security fix :warning:
+
+A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
+
+```
+Error: read ECONNRESET
+    at TCP.onStreamRead (internal/stream_base_commons.js:209:20)
+Emitted 'error' event on Socket instance at:
+    at emitErrorNT (internal/streams/destroy.js:106:8)
+    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
+    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
+  errno: -104,
+  code: 'ECONNRESET',
+  syscall: 'read'
+}
+```
+
+Please upgrade as soon as possible.
+
+### Bug Fixes
+
+* catch errors when destroying invalid upgrades ([#658](https://github.com/socketio/engine.io/issues/658)) ([425e833](https://github.com/socketio/engine.io/commit/425e833ab13373edf1dd5a0706f07100db14e3c6))
+
+
+
+# [3.6.0](https://github.com/socketio/engine.io/compare/3.5.0...3.6.0) (2022-06-06)
+
+
+### Bug Fixes
+
+* add extension in the package.json main entry ([#608](https://github.com/socketio/engine.io/issues/608)) ([3ad0567](https://github.com/socketio/engine.io/commit/3ad0567dbd57cfb7c2ff4e8b7488d80f37022b4a))
+* do not reset the ping timer after upgrade ([1f5d469](https://github.com/socketio/engine.io/commit/1f5d4699862afee1e410fcb0e1f5e751ebcd2f9f)), closes [/github.com/socketio/socket.io-client-swift/pull/1309#issuecomment-768475704](https://github.com//github.com/socketio/socket.io-client-swift/pull/1309/issues/issuecomment-768475704)
+
+
+### Features
+
+* decrease the default value of maxHttpBufferSize ([58e274c](https://github.com/socketio/engine.io/commit/58e274c437e9cbcf69fd913c813aad8fbd253703))
+
+This change reduces the default value from 100 mb to a more sane 1 mb.
+
+This helps protect the server against denial of service attacks by malicious clients sending huge amounts of data.
+
+See also: https://github.com/advisories/GHSA-j4f2-536g-r55m
+
+* increase the default value of pingTimeout ([f55a79a](https://github.com/socketio/engine.io/commit/f55a79a28a5fbc6c9edae876dd11308b89cc979e))
+
+
+
 # [6.2.0](https://github.com/socketio/engine.io/compare/6.1.3...6.2.0) (2022-04-17)
 
 

diff --git a/README.md b/README.md
@@ -87,7 +87,6 @@ For more information on the client refer to the
 - **Future proof**
 - **100% Node.JS core style**
   - No API sugar (left for higher level projects)
-  - Written in readable vanilla JavaScript
 
 ## API
 

diff --git a/examples/latency/package-lock.json b/examples/latency/package-lock.json
diff --git a/examples/latency/package.json b/examples/latency/package.json
@@ -4,7 +4,7 @@
   "dependencies": {
     "enchilada": "0.13.0",
     "engine.io": "^4.1.2",
-    "engine.io-client": "^4.0.0",
+    "engine.io-client": "^4.1.4",
     "express": "^4.17.1",
     "smoothie": "1.19.0"
   }

diff --git a/lib/parser-v3/index.ts b/lib/parser-v3/index.ts
@@ -137,7 +137,7 @@ export function decodePacket (data, binaryType, utf8decode) {
     type = data.charAt(0);
 
     if (type === 'b') {
-      return decodeBase64Packet(data.substr(1), binaryType);
+      return decodeBase64Packet(data.slice(1), binaryType);
     }
 
     if (utf8decode) {
@@ -152,7 +152,7 @@ export function decodePacket (data, binaryType, utf8decode) {
     }
 
     if (data.length > 1) {
-      return { type: packetslist[type], data: data.substring(1) };
+      return { type: packetslist[type], data: data.slice(1) };
     } else {
       return { type: packetslist[type] };
     }
@@ -191,7 +191,7 @@ function tryDecode(data) {
 
 export function decodeBase64Packet (msg, binaryType) {
   var type = packetslist[msg.charAt(0)];
-  var data = Buffer.from(msg.substr(1), 'base64');
+  var data = Buffer.from(msg.slice(1), 'base64');
   if (binaryType === 'arraybuffer') {
     var abv = new Uint8Array(data.length);
     for (var i = 0; i < abv.length; i++){
@@ -305,7 +305,7 @@ export function decodePayload (data, binaryType, callback) {
       return callback(err, 0, 1);
     }
 
-    msg = data.substr(i + 1, n);
+    msg = data.slice(i + 1, i + 1 + n);
 
     if (length != msg.length) {
       // parser error - ignoring payload

diff --git a/lib/server.ts b/lib/server.ts
@@ -555,7 +555,7 @@ export class Server extends BaseServer {
         return;
       }
 
-      const head = Buffer.from(upgradeHead); // eslint-disable-line node/no-deprecated-api
+      const head = Buffer.from(upgradeHead);
       upgradeHead = null;
 
       // delegate to ws
@@ -643,7 +643,7 @@ export class Server extends BaseServer {
     path += "/";
 
     function check(req) {
-      return path === req.url.substr(0, path.length);
+      return path === req.url.slice(0, path.length);
     }
 
     // cache and clean up listeners
@@ -678,6 +678,9 @@ export class Server extends BaseServer {
           setTimeout(function() {
             // @ts-ignore
             if (socket.writable && socket.bytesWritten <= 0) {
+              socket.on("error", e => {
+                debug("error while destroying upgrade: %s", e.message);
+              });
               return socket.end();
             }
           }, destroyUpgradeTimeout);