Releases: websockets/ws

2.0.2

03 Feb 17:34

Notable changes

  • Added support for bufferutil@2 and utf-8-validate@3 (466e210).

2.0.1

01 Feb 11:46

Bug fixes

  • Fixed a bug that caused wrong frames to be created (d856dcb).

2.0.0

30 Jan 11:47

Breaking changes

  • Dropped support for Node.js < 4.5.0.
  • The new operator is now required to create all instances as we moved to ES6
    classes.
  • Error messages have been simplified.
  • The clients property of the WebSocketServer is no longer an Array but a
    Set and is only set if the clientTracking option is truthy (#806).
  • The default HTTP status message is now used when handshake fails (41e7cae).
  • Removed support for the Hixie-76 version of the protocol (#871).
  • Removed ability to specify different paths for multiple WebSocketServers
    when binding them to the same underlying HTTP/s server (#885).
  • Removed WebSocket.prototype.stream() and ability to pass a readable stream
    to WebSocket.prototype.send() (#875).
  • Removed callback argument from handleProtocols handler (#890).
  • Removed supports property from WebSocket (#918).
  • Removed WebSocket.createServer(), WebSocket.createConnection(), and
    WebSocket.connect() factory functions (#926).
  • The second argument of WebSocket.prototype.ping() and
    WebSocket.prototype.pong() is no longer an options object but a boolean
    (#951).
  • An error is emitted if WebSocket.prototype.close() is called before the
    connection is established (#956).

The following breaking changes only apply if you required the mentioned classes
directly.

  • Removed Sender inheritance from EventEmitter (#861).
  • Removed BufferPool class (73ab370).
  • Made extensions a required argument for the Receiver constructor (5f53194).
  • receiver.onbinary and receiver.ontext have been merged into
    receiver.onmessage (#939).

Features

  • Added ability to set TCP backlog for WebSocketServer (#795).
  • Added checkServerIdentity option to WebSocket (#701).
  • Added a threshold option for permessage-deflate to only compress messages
    whose size is bigger than threshold (6b3904b).
  • Added shouldHandle method to WebSocketServer to see if a request should
    be accepted or rejected. This method can be overridden by the user if a
    custom logic is desired (6472425).
  • Added removeEventListener method to WebSocket (078e96a).
  • Added family option to WebSocket (#962).

Bug fixes

  • Fixed an issue that prevented permessage-deflate options from being correctly
    handled (#744).
  • All error events are now emitted with a proper Error instance (#789).
  • Fixed an issue that could cause a stack overflow crash (#810).
  • Added 1012 and 1013 to the list of allowed close codes (b58f688).
  • Fixed an issue that prevented the connection from being closed when path
    validation failed (#534).
  • Fixed an issue where the fin option of WebSocket.prototype.send() was
    unconditionally set to true (ea50be7).
  • Fixed an issue that prevented the total length of a fragmented message from
    being correctly calculated (545635d).
  • Fixed an issue where zlib.flush() was called with a wrong flush level
    (#733).
  • The callback of WebSocketServer.prototype.close() is now invoked when the
    close event is emitted by the underlying HTTP/s server (#892).
  • Fixed an issue that prevented the server from listening on IPv6 addresses
    with default settings (dcdc652).
  • Fixed an issue where the connection event was emitted even if the client
    closed the connection during the handshake process (04530ad).
  • The masking key is now generated using crypto.randomBytes() instead of
    Math.random() (7253f06).
  • Fixed an issue that, under particular circumstances, caused data to be
    discarded (#945).
  • Fixed an issue that prevented clients from being removed from the clients
    set (#955).
  • WebSocket.prototype.close() now works as expected if called on the client
    before the connection is established (#956).
  • WebSocket.prototype.send() no longer mutates the options object (#968).
  • The bufferedAmount getter now takes into account the data queued in the
    sender (#971).

2.0.0-beta.2

25 Jan 08:55
2.0.0-beta.2 Pre-release
[dist] 2.0.0-beta.2

2.0.0-beta.1

14 Jan 16:22
2.0.0-beta.1 Pre-release
[dist] 2.0.0-beta.1

2.0.0-beta.0

10 Jan 14:08
2.0.0-beta.0 Pre-release
[dist] 2.0.0-beta.0

1.1.1

31 Jan 07:41

1.1.0

31 Jan 07:35

Buffer vulnerability

04 Jan 12:53

There was a vulnerability in the ping functionality of the ws module which allowed clients to allocate memory by simply sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but internally we always transform all data that we need to send to a Buffer instance, and this is where the problem was. We didn't do any checks for the type of data we were sending. With buffers in Node, when you allocate one with a number instead of a string, it will allocate that number of bytes.

var x = new Buffer(100);
// vs
var x = new Buffer('100');

This would allocate 100 bytes of memory in the first example and just 3 bytes with 100 as value in the second example. So when the server received a ping message of 1000, it would allocate 1000 bytes on the server and return a non-zeroed buffer to the client instead of the actual 100 message.

var ws = require('ws')

var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  client.ping(50) // this makes the server return a non-zeroed buffer of 50 bytes

  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // a non-zeroed out allocated buffer returned from the server
  })
})

As you can imagine that is pretty darn dangerous so we fixed it as soon as we received a heads up about this. So I would like to thank @feross and @mafintosh for discovering this vulnerability and disclosing it to me so it could be resolved asap.
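
One way to make the payload conversion described above type-safe, as an added example that is not the ws project's code or its actual fix. `legacyToBuffer` and `toControlPayload` are hypothetical helpers, `Buffer.allocUnsafe` stands in for what `new Buffer(number)` did at the time, and the 125-byte limit is RFC 6455's cap on control frame payloads.

```javascript
// Added example: type-checked conversion of a ping/pong payload to a Buffer.
// Both helpers are hypothetical and are not part of the ws API.
const MAX_CONTROL_PAYLOAD = 125; // RFC 6455: control frame payload is at most 125 bytes

// Pre-fix pattern from the advisory: the value reaches the Buffer constructor
// unchecked. Buffer.allocUnsafe(n) models the old `new Buffer(n)` behaviour,
// which returned n bytes of uninitialised memory.
function legacyToBuffer(data) {
  if (typeof data === 'number') return Buffer.allocUnsafe(data);
  return Buffer.from(data);
}

// Hardened pattern: branch on the type so a number can never select an
// allocation size, and reject anything that is not a valid payload.
function toControlPayload(data) {
  let buf;
  if (data === undefined || data === null) {
    buf = Buffer.alloc(0);
  } else if (Buffer.isBuffer(data)) {
    buf = data;
  } else if (typeof data === 'string') {
    buf = Buffer.from(data, 'utf8');
  } else if (typeof data === 'number') {
    buf = Buffer.from(String(data), 'utf8'); // 50 becomes the two bytes "50"
  } else {
    throw new TypeError('payload must be a string, number or Buffer');
  }
  if (buf.length > MAX_CONTROL_PAYLOAD) {
    throw new RangeError('control frame payload exceeds 125 bytes');
  }
  return buf;
}

// Constructed inputs: the number from the ping(50) call above and the string '100'.
function demo() {
  return {
    legacyLength: legacyToBuffer(50).length,      // 50 bytes of whatever was in memory
    fixedLength: toControlPayload(50).length,     // 2
    fixedText: toControlPayload(50).toString(),   // "50"
    stringLength: toControlPayload('100').length  // 3
  };
}

console.log(demo());
```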

Path forward

30 Dec 19:22
  • Discontinued support for all node versions except for 0.12, 4.0 and 5.0. We should focus on the future and that will be Node 5 and ES6.
  • Removed the client code. It was a simple wrapper that really doesn't belong in a full-fledged node.js library. If you want browser support you could just conditionally import the WebSocket server: var WS = window.WebSocket || require('ws')
  • Fixed a zlib issue that caused thrown errors.
  • Binary addons have been completely removed. Even as an optional dependency, it seems that npm is just unable to properly handle the builds, causing installations to fail and leading to massive developer issues. While the dependencies have been removed, you can still optionally install things. See https://github.com/websockets/ws#opt-in-for-performance for additional information.

So, the future: ideally I want to start rewriting parts of the library in ES6 and completely clean up the code base. Pull requests for this are encouraged and appreciated <3 as this takes a lot of time.