| 8a78f87 | Luigi Pinca | 15 July 2022, 11:33:27 UTC | [dist] 7.5.9 | 15 July 2022, 15:25:22 UTC |
| 0435e6e | Luigi Pinca | 15 July 2022, 07:32:52 UTC | [security] Fix same host check for ws+unix: redirects Drop the `Authorization` and `Cookie` headers if the original request for the opening handshake is sent to an IPC server and the client is redirected to a TCP server (ws+unix: to ws: or wss:), and vice versa (ws: or wss: to ws+unix). Also drop the `Authorization` and `Cookie` headers if the original request for the opening handshake is sent to an IPC server and the client is redirected to another IPC server. Refs: https://github.com/websockets/ws/commit/6946f5fe | 15 July 2022, 15:25:20 UTC |
| 4271f07 | Luigi Pinca | 26 May 2022, 16:59:42 UTC | [dist] 7.5.8 | 26 May 2022, 16:59:42 UTC |
| dc1781b | Luigi Pinca | 25 May 2022, 13:33:05 UTC | [security] Drop sensitive headers when following insecure redirects Drop the `Authorization` and `Cookie` headers if the original request for the opening handshake is sent over HTTPS and the client is redirected to the same host over plain HTTP (wss: to ws:). If an HTTPS server redirects to same host over plain HTTP, the problem is on the server, but handling this condition is not hard and reduces the risk of leaking credentials due to MITM issues. Refs: https://github.com/websockets/ws/commit/6946f5fe | 26 May 2022, 16:57:28 UTC |
| 2758ed3 | Luigi Pinca | 21 May 2022, 05:02:12 UTC | [fix] Abort the handshake if the Upgrade header is invalid Close the connection if the Upgrade header field in the HTTP response contains a value that is not an ASCII case-insensitive match for the value "websocket". | 26 May 2022, 16:52:02 UTC |
| a370613 | Luigi Pinca | 07 February 2022, 19:36:52 UTC | [dist] 7.5.7 | 07 February 2022, 19:36:52 UTC |
| 1f72e2e | Luigi Pinca | 07 February 2022, 19:21:37 UTC | [security] Drop sensitive headers when following redirects (#2013) Do not forward the `Authorization` and `Cookie` headers if the redirect host is different from the original host. | 07 February 2022, 19:35:10 UTC |
| 8ecd890 | Luigi Pinca | 23 November 2021, 19:23:47 UTC | [dist] 7.5.6 | 23 November 2021, 19:23:47 UTC |
| 22a26af | Luigi Pinca | 22 November 2021, 20:32:18 UTC | [fix] Resume the socket in the `CLOSING` state When the value of the `readyState` attribute is `CLOSING`, the internal socket might still be open. Resume it to read any remaining data and to allow the connection to be closed cleanly. | 23 November 2021, 19:17:10 UTC |
| 73dec34 | Luigi Pinca | 22 November 2021, 14:27:29 UTC | [fix] Do not throw if the redirect URL is invalid If the redirect URL is invalid, then emit the error instead of throwing it, otherwise there is no way to handle it. | 23 November 2021, 19:12:44 UTC |
| 2d968a6 | Luigi Pinca | 08 September 2021, 19:32:08 UTC | [dist] 7.5.5 | 08 September 2021, 19:32:08 UTC |
| ab5fcd6 | Luigi Pinca | 04 September 2021, 18:44:38 UTC | [doc] Change label text to CI | 08 September 2021, 19:30:07 UTC |
| aa21e70 | Luigi Pinca | 31 August 2021, 07:55:03 UTC | [ci] Use Github Actions for Windows x86 testing | 08 September 2021, 19:29:30 UTC |
| e519810 | Luigi Pinca | 31 August 2021, 06:49:52 UTC | [pkg] Update eslint-plugin-prettier to version 4.0.0 | 08 September 2021, 19:28:06 UTC |
| 0e274ac | Luigi Pinca | 30 August 2021, 18:20:45 UTC | [minor] Skip unnecessary operations if the socket is already closed There is no need to remove the already removed `socketOnData` listener, resume the socket, and call `websocket.close()` if the socket is already closed. | 08 September 2021, 19:26:37 UTC |
| 075752d | Luigi Pinca | 28 August 2021, 15:30:45 UTC | [dist] 7.5.4 | 28 August 2021, 15:43:01 UTC |
| 2799793 | Luigi Pinca | 28 August 2021, 14:42:49 UTC | [fix] Resume the socket in the next tick Ensure that `socket.resume()` is called after `socket.pause()`. Fixes #1940 | 28 August 2021, 15:43:01 UTC |
| 76087fb | Luigi Pinca | 06 August 2021, 16:49:48 UTC | [fix] Do not rely on undocumented behavior Use the chunk returned by `socket.read()` to handle the buffered data instead of relying on a `'data'` event emitted after the `'close'` event. Refs: https://github.com/nodejs/node/pull/39639 | 28 August 2021, 15:42:56 UTC |
| 4c1849a | Luigi Pinca | 10 July 2021, 05:26:57 UTC | [dist] 7.5.3 | 10 July 2021, 05:26:57 UTC |
| 772236a | Luigi Pinca | 09 July 2021, 10:34:22 UTC | [fix] Abort the handshake if the server is closing or closed Prevent WebSocket connections from being established after `WebSocketServer.prototype.close()` is called. | 09 July 2021, 10:47:58 UTC |
| 5a58730 | Luigi Pinca | 09 July 2021, 09:06:26 UTC | [fix] Emit the `'close'` event after the server is closed Ensure that `WebSocketServer.prototype.close()` does not emit a `'close'` event prematurely if called while the internal HTTP/S server is closing. | 09 July 2021, 09:06:26 UTC |
| ea63b29 | Luigi Pinca | 08 July 2021, 17:21:44 UTC | [minor] Fix typo | 08 July 2021, 17:21:44 UTC |
| 66e58d2 | Luigi Pinca | 08 July 2021, 11:55:29 UTC | [fix] Make the `{noS,s}erver`, and `port` options mutually exclusive Remove ambiguity and prevent `WebSocketServer.prototype.address()` from throwing an error if the `noServer` option is used along with the `port` and/or `server` options. | 08 July 2021, 11:55:29 UTC |
| ecb9d9e | Luigi Pinca | 07 July 2021, 11:07:17 UTC | [minor] Improve JSDoc-inferred types (#1912) Refs: https://github.com/websockets/ws/pull/1910 | 07 July 2021, 11:07:17 UTC |
| 0ad1f9d | Luigi Pinca | 04 July 2021, 05:22:35 UTC | [dist] 7.5.2 | 04 July 2021, 05:22:35 UTC |
| aca94c8 | Luigi Pinca | 03 July 2021, 07:21:39 UTC | [fix] Abort the handshake if an unexpected extension is received Abort the handshake if the client receives a `Sec-WebSocket-Extensions` header but no extension was requested. Also abort the handshake if the server indicates an extension not requested by the client. | 03 July 2021, 08:15:19 UTC |
| 38c6c73 | Luigi Pinca | 29 June 2021, 04:53:49 UTC | [dist] 7.5.1 | 29 June 2021, 04:53:49 UTC |
| 2916006 | Tim Perry | 22 June 2021, 12:43:34 UTC | [test] Add more tests for `WebSocket.prototype.close()` | 28 June 2021, 19:08:28 UTC |
| b434b9f | Luigi Pinca | 25 June 2021, 20:08:01 UTC | [fix] Fix close edge cases Ensure that `socket.end()` is called if an error occurs simultaneously on both peers. Refs: https://github.com/websockets/ws/pull/1902 | 28 June 2021, 19:08:28 UTC |
| c3fdc99 | Luigi Pinca | 28 June 2021, 09:16:11 UTC | [minor] Fix misleading comment | 28 June 2021, 09:16:11 UTC |
| 145480a | Luigi Pinca | 20 June 2021, 17:48:58 UTC | [test] Fix repeated typo | 20 June 2021, 17:51:56 UTC |
| e3f0c17 | Luigi Pinca | 16 June 2021, 13:13:32 UTC | [dist] 7.5.0 | 16 June 2021, 13:13:32 UTC |
| 1d3f4cb | Luigi Pinca | 15 June 2021, 14:20:37 UTC | [doc] Fix anchor tags for error codes | 15 June 2021, 14:20:37 UTC |
| 6eea0d4 | Luigi Pinca | 15 June 2021, 13:50:18 UTC | [doc] Fix typo | 15 June 2021, 13:50:18 UTC |
| bb5d44b | Luigi Pinca | 15 June 2021, 13:48:30 UTC | [doc] Sort error codes alphabetically | 15 June 2021, 13:48:30 UTC |
| c6e3080 | Tim Perry | 15 June 2021, 13:22:01 UTC | [minor] Attach error codes to all receiver errors (#1901) Fixes #1892 | 15 June 2021, 13:22:01 UTC |
| 074e6a8 | Luigi Pinca | 09 June 2021, 07:14:33 UTC | [fix] Don't call `ws.terminate()` unconditionally in `duplex._destroy()` Call `ws.terminate()` only if `duplex.destroy()` is called directly by the user and not indirectly by the listener of the `'error'` event of the `WebSocket` object. Calling `ws.terminate()` right after the `'error'` event is emitted on the `WebSocket` object, might prevent the close frame from being sent to the other peer. | 09 June 2021, 19:31:36 UTC |
| 8806aa9 | Luigi Pinca | 08 June 2021, 09:29:50 UTC | [fix] Close the connection cleanly when an error occurs Instead of destroying the socket, try to close the connection cleanly if an error (such as a data framing error) occurs after the opening handshake has completed. Also, to comply with the specification, use the 1006 status code if no close frame is received, even if the connection is closed due to an error. Fixes #1898 | 09 June 2021, 19:31:36 UTC |
| 05b8ccd | Mestery | 05 June 2021, 19:02:44 UTC | [doc] Fix broken link (#1897) | 05 June 2021, 19:02:44 UTC |
| 03a7078 | Luigi Pinca | 31 May 2021, 16:59:21 UTC | [doc] Remove unsafe regex from code snippet | 31 May 2021, 17:08:20 UTC |
| 7ee3115 | Luigi Pinca | 29 May 2021, 19:21:01 UTC | [doc] Add logo to coverage badge | 29 May 2021, 19:21:01 UTC |
| edff6bb | Luigi Pinca | 28 May 2021, 09:38:47 UTC | [test] Fix nit | 28 May 2021, 09:43:17 UTC |
| 262e45a | Luigi Pinca | 27 May 2021, 06:55:10 UTC | [test] Rename certificates and private keys files Rename `ca1-cert.pem` to `ca-certificate.pem`, `ca1-key.pem` to `ca-key.pem`, `agent1-cert.pem` to `client-certificate.pem`, and `agent1-key.pem` to `client-key.pem`. | 27 May 2021, 07:02:55 UTC |
| d18c677 | Luigi Pinca | 26 May 2021, 19:27:29 UTC | [security] Update link to point to published security advisories | 26 May 2021, 19:27:29 UTC |
| 2f2b3e8 | Luigi Pinca | 26 May 2021, 19:20:45 UTC | [test] Update certificates and private keys Fixes #1890 | 26 May 2021, 19:21:11 UTC |
| c05d51f | Luigi Pinca | 25 May 2021, 16:33:07 UTC | [security] Add ReDoS vulnerability to SECURITY.md | 25 May 2021, 16:33:07 UTC |
| f5297f7 | Luigi Pinca | 25 May 2021, 16:11:07 UTC | [dist] 7.4.6 | 25 May 2021, 16:11:07 UTC |
| 00c425e | Luigi Pinca | 25 May 2021, 09:00:58 UTC | [security] Fix ReDoS vulnerability A specially crafted value of the `Sec-Websocket-Protocol` header could be used to significantly slow down a ws server. PoC and fix were sent privately by Robert McLaughlin from University of California, Santa Barbara. | 25 May 2021, 16:09:51 UTC |
| 990306d | Luigi Pinca | 25 May 2021, 14:48:37 UTC | [lint] Fix prettier error | 25 May 2021, 14:48:37 UTC |
| 32e3a84 | Luigi Pinca | 25 May 2021, 13:54:54 UTC | [security] Remove reference to Node Security Project The Node Security Platform service no longer exists. New security advisories will be published to GitHub Security Advisories. | 25 May 2021, 14:02:21 UTC |
| 8c914d1 | Luigi Pinca | 04 May 2021, 10:18:24 UTC | [minor] Fix nits | 04 May 2021, 10:18:24 UTC |
| fc7e27d | Luigi Pinca | 23 April 2021, 18:24:19 UTC | [ci] Test on node 16 | 23 April 2021, 18:24:19 UTC |
| 587c201 | Luigi Pinca | 23 April 2021, 18:23:23 UTC | [ci] Do not test on node 15 | 23 April 2021, 18:23:23 UTC |
| f672710 | Luigi Pinca | 18 April 2021, 08:00:59 UTC | [dist] 7.4.5 | 18 April 2021, 08:00:59 UTC |
| 67e25ff | Luigi Pinca | 18 April 2021, 07:34:27 UTC | [fix] Fix case where `abortHandshake()` does not close the connection On Node.js >= 14.3.0 `request.abort()` does not destroy the socket if called after the request completed. Fixes #1869 | 18 April 2021, 07:52:27 UTC |
| 23ba6b2 | Luigi Pinca | 17 April 2021, 14:23:19 UTC | [fix] Make UTF-8 validation work even if utf-8-validate is not installed Fixes #1868 | 17 April 2021, 14:23:19 UTC |
| 114de9e | Luigi Pinca | 07 March 2021, 07:44:53 UTC | [ci] Use a unique ID instead of commit SHA | 07 March 2021, 16:50:40 UTC |
| d75a62e | Luigi Pinca | 07 March 2021, 05:54:46 UTC | [ci] Include commit SHA in `flag-name` | 07 March 2021, 05:54:46 UTC |
| a74dd2e | Luigi Pinca | 06 March 2021, 20:29:14 UTC | [dist] 7.4.4 | 06 March 2021, 20:29:14 UTC |
| 9277437 | Luigi Pinca | 06 March 2021, 20:12:07 UTC | [fix] Recreate the inflate stream if it ends Refs: https://github.com/nodejs/node/issues/37612 | 06 March 2021, 20:19:06 UTC |
| cbff929 | Luigi Pinca | 03 March 2021, 08:30:15 UTC | [doc] Improve `websocket.terminate()` documentation Fixes #1858 | 03 March 2021, 08:42:29 UTC |
| 489a295 | Luigi Pinca | 26 February 2021, 16:42:21 UTC | [ci] Use GitHub Actions (#1853) | 26 February 2021, 16:42:21 UTC |
| 77370e0 | Luigi Pinca | 24 February 2021, 19:18:51 UTC | [pkg] Update eslint-config-prettier to version 8.1.0 | 24 February 2021, 19:18:51 UTC |
| 99338f7 | Ryan Christian | 07 February 2021, 07:38:09 UTC | [doc] Fix `data` argument type (#1843) | 07 February 2021, 07:38:09 UTC |
| 223194e | Luigi Pinca | 02 February 2021, 19:16:11 UTC | [dist] 7.4.3 | 02 February 2021, 19:16:11 UTC |
| 4e9607b | Stefan | 02 February 2021, 18:18:21 UTC | [perf] Reset compressor/decompressor instead of re-initialize (#1840) | 02 February 2021, 18:18:21 UTC |
| 2789887 | Luigi Pinca | 27 January 2021, 07:53:40 UTC | [minor] Use `request.socket` instead of `request.connection` `request.connection` is deprecated. | 27 January 2021, 07:53:40 UTC |
| 2079ca5 | Luigi Pinca | 26 January 2021, 15:49:10 UTC | [test] Increase code coverage | 26 January 2021, 15:49:10 UTC |
| d1a8af4 | Luigi Pinca | 29 December 2020, 20:06:39 UTC | [dist] 7.4.2 | 29 December 2020, 20:10:42 UTC |
| 48a2349 | Luigi Pinca | 29 December 2020, 20:09:51 UTC | [pkg] Update eslint-config-prettier to version 7.1.0 | 29 December 2020, 20:10:42 UTC |
| a2c0d44 | Luigi Pinca | 28 December 2020, 20:42:32 UTC | [minor] Silence deprecation warning Fixes #1829 | 28 December 2020, 20:42:32 UTC |
| c171962 | Luigi Pinca | 04 December 2020, 20:41:31 UTC | [dist] 7.4.1 | 04 December 2020, 20:41:31 UTC |
| 38d6ab3 | Luigi Pinca | 04 December 2020, 19:28:49 UTC | [fix] Handle cases where the `'error'` event is emitted multiple times The `'error'` event can be emitted multiple times by the `http.ClientRequest` object in Node.js < 13. Handle the case properly. Fixes #1819 | 04 December 2020, 20:14:30 UTC |
| 3d5066a | Luigi Pinca | 08 November 2020, 08:07:08 UTC | [test] Check configurability and enumerability of WebSocket properties | 08 November 2020, 08:25:37 UTC |
| eb36a63 | Luigi Pinca | 08 November 2020, 06:41:21 UTC | [dist] 7.4.0 | 08 November 2020, 06:41:21 UTC |
| 3f185bf | Luigi Pinca | 07 November 2020, 08:41:03 UTC | [minor] Use the public `binaryType` property | 07 November 2020, 08:41:03 UTC |
| 2069e68 | Luigi Pinca | 07 November 2020, 07:56:02 UTC | [fix] Fix the enumerability of some properties Make the `CONNECTING`, `OPEN`, `CLOSING`, `CLOSED`, `binaryType`, `bufferedAmount`, `extensions`, `onclose`, `onerror`, `onmessage`, `onopen`, `protocol`, `readyState`, and `url` properties enumerable. | 07 November 2020, 08:29:12 UTC |
| eabed8f | Luigi Pinca | 07 November 2020, 07:21:53 UTC | [fix] Make read-only properties read-only Fixes #1814 | 07 November 2020, 08:29:06 UTC |
| 7d39f19 | Luigi Pinca | 06 November 2020, 19:02:30 UTC | [minor] Pass the request object to `server.handleUpgrade()` callback Fixes #1813 | 06 November 2020, 19:02:30 UTC |
| 572c81f | Luigi Pinca | 05 November 2020, 19:53:09 UTC | [ci] Test on node 15 | 05 November 2020, 19:53:09 UTC |
| 237960e | Luigi Pinca | 22 October 2020, 10:37:37 UTC | [codestyle] Use 80 characters per line in JSDoc comments | 22 October 2020, 10:37:37 UTC |
| 02ecf45 | Dmitry Kirilyuk | 22 October 2020, 09:50:15 UTC | [minor] Specify optional parameters in JSDoc (#1799) | 22 October 2020, 10:22:40 UTC |
| 69172fc | Luigi Pinca | 22 October 2020, 07:35:07 UTC | [minor] Add missing parameters in JSDoc comments | 22 October 2020, 08:47:26 UTC |
| d972c33 | Eugene Maslovich | 17 September 2020, 05:48:21 UTC | [example] Write 401 response before destroying the socket (#1798) | 17 September 2020, 05:48:21 UTC |
| 535c556 | Luigi Pinca | 01 September 2020, 19:00:19 UTC | [ci] Do not test on node 13 | 01 September 2020, 19:02:17 UTC |
| 40a9d2a | Luigi Pinca | 06 August 2020, 05:42:37 UTC | [test] Fix typo | 06 August 2020, 05:42:37 UTC |
| 9a99197 | Luigi Pinca | 05 August 2020, 17:19:39 UTC | [test] Clarify comment | 05 August 2020, 17:19:39 UTC |
| 42abb0e | Luigi Pinca | 05 August 2020, 14:24:00 UTC | [test] Use `os.tmpdir()` instead of hardcoded /tmp | 05 August 2020, 15:10:09 UTC |
| 622e2f3 | Luigi Pinca | 29 July 2020, 18:14:33 UTC | [meta] Remove 3rd-Eden from FUNDING.yml 3rd-Eden is not yet enrolled in GitHub Sponsors. | 29 July 2020, 18:22:35 UTC |
| cc656df | Luigi Pinca | 29 July 2020, 17:10:05 UTC | [meta] Add FUNDING.yml | 29 July 2020, 17:10:05 UTC |
| da42ea1 | Luigi Pinca | 20 July 2020, 18:11:25 UTC | [doc] Improve documentation for `websocket.bufferedAmount` Closes #492 | 20 July 2020, 18:15:43 UTC |
| d09daaf | Luigi Pinca | 05 July 2020, 05:18:22 UTC | [dist] 7.3.1 | 05 July 2020, 05:18:22 UTC |
| a162942 | Luigi Pinca | 29 June 2020, 17:28:46 UTC | [fix] Use `socket._writableState.length` instead of `socket.bufferSize` Refs: https://github.com/nodejs/node/pull/34088 | 29 June 2020, 17:33:59 UTC |
| 41b0f9b | Luigi Pinca | 24 June 2020, 16:26:09 UTC | [minor] Fix nit | 24 June 2020, 17:32:06 UTC |
| 44bcbc8 | Luigi Pinca | 24 June 2020, 16:24:28 UTC | [minor] Fix JSDoc comments | 24 June 2020, 17:32:06 UTC |
| e1349c0 | Luigi Pinca | 24 June 2020, 15:44:40 UTC | [fix] Take into account the data that is being compressed Improve `websocket.bufferedAmount` accuracy by taking into account the number of bytes of a message while it is being compressed. | 24 June 2020, 17:30:04 UTC |
| 0954abc | sa-linetco | 23 June 2020, 17:07:56 UTC | [doc] Add clarification for `http{,s}.request()` options (#1773) | 23 June 2020, 17:07:56 UTC |
| 88d0345 | Luigi Pinca | 13 June 2020, 06:48:58 UTC | [pkg] Update prettier to version 2.0.5 | 13 June 2020, 06:51:03 UTC |
| b6ae22a | Luigi Pinca | 13 June 2020, 06:40:10 UTC | [pkg] Update eslint to version 7.2.0 | 13 June 2020, 06:44:49 UTC |
| c4c7f3c | Luigi Pinca | 13 June 2020, 06:22:34 UTC | [ci] Run the lint script only once | 13 June 2020, 06:44:42 UTC |
