Releases: zishang520/socket.io

v3.0.1

14 Apr 02:51

πŸ›‘οΈ Security Fix: Buffer Overflow & Payload Limits

v3.0.1 is a security patch release addressing critical vulnerabilities related to integer overflow in buffer allocation and unbounded memory consumption from malicious payloads.

🔒 Security Changes

  • Fixed Integer Overflow in growSlice: Corrected size computation logic in pkg/types/buffer.go to prevent panic or unsafe behavior during buffer expansion when len + n exceeds integer limits. (Resolves GitHub CodeQL alerts 8 and 12).
  • Added Global Payload Cap: Introduced a strict 128 MiB upper bound (types.MaxPayloadSize) for encoded payloads.
    • Socket Parser: Payloads exceeding the limit are now silently dropped during encoding in parsers/socket/parser/encoder.go.
    • JSONP Transport: Payloads exceeding the limit in JSONP responses now trigger a 500 Internal Server Error instead of attempting allocation, preventing potential Out-Of-Memory (OOM) attacks.
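The two fixes above are the same check done at two points: size arithmetic must not wrap, and the result must not exceed a hard cap, both before anything is allocated. The following is an added, illustrative Go example, not the project's pkg/types/buffer.go. The names growSlice and MaxPayloadSize come from the release notes; the unsafeNewCap, growCap, ErrSizeOverflow and ErrPayloadTooLarge identifiers and the doubling heuristic are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// MaxPayloadSize mirrors the 128 MiB cap named in the release notes.
// Everything else in this file is illustrative, not the project's code.
const MaxPayloadSize = 128 << 20

var (
	ErrSizeOverflow    = errors.New("buffer: size computation overflows int")
	ErrPayloadTooLarge = errors.New("buffer: payload exceeds MaxPayloadSize")
)

// unsafeNewCap is the overflow-prone pattern: len(b)+n wraps to a negative
// value when n is near math.MaxInt, and that value reaches make(), which
// panics with "cap out of range" (or allocates a bogus size if masked).
func unsafeNewCap(length, n int) int {
	return length + n
}

// growCap computes the capacity needed to append n bytes to a buffer of
// the given length, rejecting overflow and oversized results before any
// allocation happens.
func growCap(length, n int) (int, error) {
	if length < 0 || n < 0 {
		return 0, ErrSizeOverflow
	}
	// Check before adding: length+n > MaxInt  <=>  n > MaxInt-length.
	if n > math.MaxInt-length {
		return 0, ErrSizeOverflow
	}
	need := length + n
	if need > MaxPayloadSize {
		return 0, ErrPayloadTooLarge
	}
	// Grow geometrically (assumed heuristic) but never past the cap, so the
	// returned value is always a sane allocation size. 2*length cannot
	// overflow here because length <= need <= MaxPayloadSize.
	c := need
	if c < 2*length {
		c = 2 * length
	}
	if c > MaxPayloadSize {
		c = MaxPayloadSize
	}
	return c, nil
}

// growSlice returns b with room for n more bytes, or an error instead of
// panicking or allocating an attacker-chosen size.
func growSlice(b []byte, n int) ([]byte, error) {
	if n >= 0 && cap(b)-len(b) >= n {
		return b, nil
	}
	c, err := growCap(len(b), n)
	if err != nil {
		return nil, err
	}
	nb := make([]byte, len(b), c)
	copy(nb, b)
	return nb, nil
}

func main() {
	// Attacker-controlled n near MaxInt: the naive sum wraps negative.
	fmt.Println("unsafe cap:", unsafeNewCap(10, math.MaxInt))
	if _, err := growCap(10, math.MaxInt); err != nil {
		fmt.Println("rejected:", err)
	}
	// 100 MiB + 30 MiB exceeds the 128 MiB cap: rejected without allocating.
	if _, err := growCap(100<<20, 30<<20); err != nil {
		fmt.Println("rejected:", err)
	}
	b, _ := growSlice(make([]byte, 0, 4), 16)
	fmt.Println("grown cap:", cap(b))
}
```

The important property is that both errors are returned from the size computation, before make() runs, so the caller (an encoder or transport) can drop the packet or answer with an error rather than crash or allocate on an attacker's behalf.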

🧹 Chores

  • Upgraded dependencies across adapters, clients, servers, and parsers modules.
  • Updated internal version constant to v3.0.1.

⚠️ Breaking Changes

None.
This update is fully backward compatible. The new 128 MiB limit is sufficiently large for standard usage; only abnormally large payloads (potential DoS attempts) will be affected.

What's Changed

  • Potential fix for code scanning alert no. 8: Size computation for allocation may overflow by @zishang520 in #148
  • Potential fix for code scanning alert no. 12: Size computation for allocation may overflow by @zishang520 in #149

Full Changelog: v3.0.0...v3.0.1

v3.0.0

13 Apr 10:09

🚀 v3.0.0 — First Stable Release

Socket.IO for Go v3.0.0 is the first stable release of the completely restructured and modernized Go implementation of the Socket.IO protocol. This release consolidates 6 separate repositories into a single monorepo with 9 versioned submodules, aligns with the Socket.IO v4+ protocol, and introduces comprehensive thread safety, type safety, and security improvements.

✨ Highlights

Monorepo Consolidation

  • Merged engine.io-go-parser, engine.io, socket.io-go-parser, socket.io-client-go, and socket.io-go-redis into a single repository
  • Unified version management via version.go shared across all modules
  • 9 versioned Go submodules with clean dependency boundaries

Protocol Alignment

  • Full compatibility with Socket.IO v4+ JavaScript clients
  • Engine.IO v4 protocol support including WebTransport
  • Configurable attachment count limits (default: 10, aligned with Node.js implementation)

Thread Safety Overhaul

  • Atomic socket flags using atomic.Pointer with copy-on-write patterns
  • Mutex-protected middleware slice for concurrent-safe modification
  • sync.OnceValue for thread-safe lazy initialization in HttpContext
  • Goroutine leak prevention via runtime.SetFinalizer on task queues
  • Sequential task queue (queue) for ordered message delivery
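The copy-on-write pattern behind the first bullet is worth seeing in code, because the thing it prevents (a reader observing a half-written flags struct while a writer mutates it in place) is exactly the kind of race that ends in a nil-pointer dereference. The following is an added example, not the project's code: socketFlags, its field names, flagHolder and hammer are assumptions for illustration; atomic.Pointer and CompareAndSwap are the standard-library primitives named in the notes.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// socketFlags is an immutable snapshot. Writers never modify a published
// snapshot in place; they copy, change the copy, and publish the copy.
// (Field names are assumed for the example.)
type socketFlags struct {
	Compress  bool
	Volatile  bool
	Broadcast bool
}

// flagHolder publishes the current snapshot through an atomic.Pointer so
// readers get a consistent struct without taking a lock.
type flagHolder struct {
	p atomic.Pointer[socketFlags]
}

func newFlagHolder() *flagHolder {
	h := &flagHolder{}
	h.p.Store(&socketFlags{})
	return h
}

// Load returns the current snapshot. Callers must treat it as read-only;
// that discipline is what makes the lock-free read safe.
func (h *flagHolder) Load() *socketFlags { return h.p.Load() }

// Update applies fn to a private copy and publishes it with
// CompareAndSwap, retrying if another writer published first. Because the
// copy is derived from the snapshot that CAS checks against, every update
// is applied exactly once and no reader ever sees a torn struct.
func (h *flagHolder) Update(fn func(*socketFlags)) {
	for {
		old := h.p.Load()
		next := *old // copy-on-write: mutate the copy, never *old
		fn(&next)
		if h.p.CompareAndSwap(old, &next) {
			return
		}
	}
}

// hammer runs n goroutines toggling Compress and n goroutines setting
// Volatile, all concurrently, and returns the final snapshot. With the
// CAS loop, n toggles always land exactly n times (run with -race to see
// that no in-place write happens).
func hammer(n int) socketFlags {
	h := newFlagHolder()
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(2)
		go func() {
			defer wg.Done()
			h.Update(func(f *socketFlags) { f.Compress = !f.Compress })
		}()
		go func() {
			defer wg.Done()
			h.Update(func(f *socketFlags) { f.Volatile = true })
		}()
	}
	wg.Wait()
	return *h.Load()
}

func main() {
	fmt.Printf("%+v\n", hammer(1000))
}
```

The contrast with a plain struct guarded by nothing is that an in-place `flags.Compress = true` from one goroutine while another reads `flags` is a data race even for a single bool, and two racing read-modify-write toggles can lose updates; the CAS loop makes the lost-update case impossible and keeps every published snapshot whole.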

Type Safety Improvements

  • Generic types.Atomic[T] replacing atomic.Value for compile-time type checking
  • types.Optional[T] for null-safe configuration values
  • Strongly typed Handshake fields (types.IncomingHttpHeaders, types.ParsedUrlQuery)
  • Handshake.Auth standardized to map[string]any

New Packages

  • slices — Safe slice operations (Get, Map, Filter, Reduce, First, Last, etc.)
  • queue — Sequential task queue for message ordering and OOM prevention
  • request — HTTP client wrapper built on resty.dev/v3

Redis Cluster Support

  • Sharded broadcast operator for Redis Cluster
  • CROSSSLOT error fixes with per-channel PubSub client management
  • Dynamic channel subscription management
  • Pagination support for session restoration
  • Configurable SubscriptionMode (Static, Dynamic, DynamicPrivate)

Security Hardening

  • HTTP body size limits on polling transport (DoS prevention, default: 1 MB)
  • Immutable packet encoding (encoder no longer mutates input packets)
  • Configurable attachment limits to prevent memory exhaustion
  • Sensitive credential warnings for HTTP mode in request client
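The first bullet, a body size limit on the polling transport, is the cheapest DoS control on the list and the one most often done wrong (checking Content-Length only, which a client can omit or lie about). The following is an added example using net/http's MaxBytesReader, not the project's polling transport; MaxHTTPBufferSize and pollingPostHandler are names assumed for the example, and the 1 MB value is the default quoted above.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
)

// MaxHTTPBufferSize is the 1 MB default quoted in the release notes; the
// constant name is assumed for this example.
const MaxHTTPBufferSize int64 = 1 << 20

// pollingPostHandler accepts a polling-transport POST body but never reads
// more than limit bytes of it. The Content-Length check is an early exit
// only; the MaxBytesReader is the actual control, because the header may
// be absent (chunked) or false.
func pollingPostHandler(limit int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			w.WriteHeader(http.StatusMethodNotAllowed)
			return
		}
		if r.ContentLength > limit {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		// MaxBytesReader stops the read at limit, returns *MaxBytesError,
		// and asks the server to close the connection afterwards, so the
		// client cannot keep streaming into our buffer.
		r.Body = http.MaxBytesReader(w, r.Body, limit)
		body, err := io.ReadAll(r.Body)
		if err != nil {
			var mbe *http.MaxBytesError
			if errors.As(err, &mbe) {
				http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
				return
			}
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		// len(body) <= limit is now guaranteed; this is where the packets
		// would be handed to the decoder.
		fmt.Fprintf(w, "received %d bytes", len(body))
	}
}

func main() {
	http.Handle("/engine.io/", pollingPostHandler(MaxHTTPBufferSize))
	_ = http.ListenAndServe("127.0.0.1:3000", nil)
}
```

Set the limit from the same configuration value the packet decoder uses for its own payload cap, so a body that passes the transport cannot exceed what the parser is prepared to buffer.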

🔧 Breaking Changes

Import Path Restructuring
All import paths have been updated to the new monorepo structure:

  • engine.io → github.com/zishang520/socket.io/servers/engine/v3
  • socket.io/socket → github.com/zishang520/socket.io/servers/socket/v3
  • engine.io-client-go → github.com/zishang520/socket.io/clients/engine/v3
  • socket.io-client-go → github.com/zishang520/socket.io/clients/socket/v3
  • socket.io-go-redis → github.com/zishang520/socket.io/adapters/redis/v3

API Changes

  • ExtendedError consolidated to pkg/types.ExtendedError; server-side Data() method replaced with direct Data field access
  • ParameterBag moved from utils to types
  • HttpContext API: ResponseHeaders → ResponseHeaders(), GetHost() → Host(), GetPathInfo() → PathInfo()
  • GetRaw* config methods return types.Optional[T] instead of pointer types
  • adapter.SliceMap → slices.Map, adapter.Tap → utils.Tap
  • Transport Upgrades() returns []string instead of *types.Set[string]
  • redis.SubscriptionMode moved from adapter subpackage to root redis package

πŸ› Bug Fixes

  • Fixed WebSocket/WebTransport send loop dropping queued packets after first successful send
  • Fixed nil pointer dereference from race condition in Engine.IO server
  • Fixed parser panic on nil payload from client
  • Fixed timer goroutine leaks in logic adapted from the upstream Node.js implementation
  • Fixed HTTP/2 connection goroutine leaks in HTTPClient.Close()
  • Fixed Redis timeout when fetching sockets from empty rooms
  • Fixed parser attachment race condition (removed shared mutable ERROR_PACKET singleton)

📋 Requirements

  • Go: 1.26.0 or higher
  • Frontend: Socket.IO client v4.x or higher (npm: socket.io-client@^4.0.0)

📦 Modules

Module              Import Path
------              -----------
Root                github.com/zishang520/socket.io/v3
Engine.IO Parser    github.com/zishang520/socket.io/parsers/engine/v3
Socket.IO Parser    github.com/zishang520/socket.io/parsers/socket/v3
Engine.IO Server    github.com/zishang520/socket.io/servers/engine/v3
Socket.IO Server    github.com/zishang520/socket.io/servers/socket/v3
Engine.IO Client    github.com/zishang520/socket.io/clients/engine/v3
Socket.IO Client    github.com/zishang520/socket.io/clients/socket/v3
Base Adapter        github.com/zishang520/socket.io/adapters/adapter/v3
Redis Adapter       github.com/zishang520/socket.io/adapters/redis/v3

📖 Migration

See the complete Upgrade Guide for detailed instructions on migrating from v1/v2.

v3.0.0-rc.14

08 Apr 09:44

v3.0.0-rc.13

11 Mar 03:35

What's Changed

  • Potential fix for code scanning alert no. 7: Incorrect conversion between integer types by @zishang520 in #139

Full Changelog: v3.0.0-rc.12...v3.0.0-rc.13

v3.0.0-rc.12

10 Feb 08:16

What's Changed

  • chore(deps): bump golang.org/x/net from 0.36.0 to 0.38.0 by @dependabot[bot] in #94
  • chore(deps): bump github.com/andybalholm/brotli from 1.1.1 to 1.2.0 by @dependabot[bot] in #97
  • chore(deps): bump github.com/gookit/color from 1.5.4 to 1.6.0 by @dependabot[bot] in #106
  • chore(deps): bump github.com/quic-go/quic-go from 0.54.0 to 0.54.1 by @dependabot[bot] in #113
  • chore(deps): bump github.com/quic-go/quic-go from 0.54.0 to 0.55.0 by @dependabot[bot] in #115
  • chore(deps): bump resty.dev/v3 from 3.0.0-beta.3 to 3.0.0-beta.4 by @dependabot[bot] in #122
  • chore(deps): bump github.com/quic-go/quic-go from 0.55.0 to 0.57.0 by @dependabot[bot] in #121
  • chore(deps): bump resty.dev/v3 from 3.0.0-beta.4 to 3.0.0-beta.5 by @dependabot[bot] in #127
  • chore(deps): bump resty.dev/v3 from 3.0.0-beta.5 to 3.0.0-beta.6 by @dependabot[bot] in #129
  • refactor: switch to upstream quic-go/webtransport-go by @bneigher in #130
  • Consolidate duplicate ExtendedError implementations by @Copilot in #135

New Contributors

  • @bneigher made their first contribution in #130
  • @Copilot made their first contribution in #135

Full Changelog: v3.0.0-rc.11...v3.0.0-rc.12

v3.0.0-rc.10

30 Dec 07:56

v3.0.0-rc.9

27 Nov 09:23

What's Changed

  • chore(deps): bump github.com/quic-go/quic-go from 0.54.0 to 0.54.1 by @dependabot[bot] in #113
  • chore(deps): bump github.com/quic-go/quic-go from 0.54.0 to 0.55.0 by @dependabot[bot] in #115
  • chore(deps): bump resty.dev/v3 from 3.0.0-beta.3 to 3.0.0-beta.4 by @dependabot[bot] in #122
  • chore(deps): bump github.com/quic-go/quic-go from 0.55.0 to 0.57.0 by @dependabot[bot] in #121

Full Changelog: v3.0.0-rc.8...v3.0.0-rc.9

v3.0.0-rc.8

28 Sep 17:15

v3.0.0-rc.7

23 Sep 10:07

v3.0.0-rc.6

11 Sep 08:07
