TL;DR

Socket.IO and its underlying dependencies have been updated to address a potential security vulnerability (CVE-2026-45736) in the ws library, a WebSocket implementation.

Fixes Worth Knowing

• A bug causing skipped local broadcasts during publish operations is resolved in socket.io-adapter.
• Resource cleanup is improved when WebTransport (a modern transport protocol) handshakes fail in engine.io.

TL;DR

Socket.io now handles unhandled errors more gracefully, preventing potential application crashes.

Fixes Worth Knowing

Socket.io now includes a default error handler to prevent crashes when errors aren't explicitly handled by your application (error handling).

TL;DR

Socket.io now correctly closes connections and cleans up resources when the server shuts down, preventing potential lingering issues.

Fixes Worth Knowing

• Server shutdown now reliably closes adapters (connection managers).
• Duplicate pipelines when serving bundled client code have been removed.

TL;DR

Socket.io now ignores packets received after a client disconnects, preventing potential errors and improving connection stability.

Fixes Worth Knowing

Disconnected clients will no longer cause errors due to late-arriving packets, resulting in a more reliable experience.

TL;DR

Socket.io 3.0 introduces breaking changes to room management and middleware, while adding support for more flexible event handling and optimized message packing (data compression).

Breaking

• Socket#use() is removed (middleware functionality changed).
• Socket#join() and Socket#leave() are now synchronous; callbacks are no longer supported. Update your code to remove any callback functions from these methods, or use await with custom adapters.

New

• Catch-all listeners allow handling of any event.
• Support for msgpack bundles improves message efficiency (binary data format).

Fixes Worth Knowing

• Middleware errors now emit proper Error objects for better debugging.

TL;DR

Socket.io now correctly requires the EventEmitter (event handling system) preventing crashes in some environments.

Fixes Worth Knowing

Resolved an issue where Socket.io could crash when EventEmitter wasn't properly loaded, improving stability for all users.

TL;DR

Socket.io now uses an updated engine.io version, improving connection stability and reliability.

Fixes Worth Knowing

• Resolved an issue where long polling connections could hang indefinitely, improving real-time communication responsiveness.
• Fixed a bug causing unnecessary event emissions, reducing potential performance overhead.

Before You Upgrade

Ensure your engine.io client dependencies are compatible with version 1.8.4 to avoid connection issues.

Package: Socket.io Release:

--- 1.7.5 (2017-05-15) ---

• [fix] Fix: handle binary data correctly
• [fix] Fix: prevent memory leaks

Package: Socket.io Release:

--- 1.7.6 (2017-05-22) ---

• [fix] Fix: handle edge case with namespaces
• [fix] Fix: improve reconnection logic