Version Details and Security Vulnerabilities

Socket.IO version 4.7.0 introduces several notable changes compared to the previous stable version 4.6.2, impacting both the server-side and potentially the client-side implementations. One significant difference is the introduction of cors as a direct dependency in version 4.7.0. This implies that Cross-Origin Resource Sharing (CORS) handling is now more explicitly managed within the core Socket.IO package. Developers who rely on Socket.IO for cross-origin communication should be aware of this change.

Furthermore, a core dependency, engine.io, has been updated from version 6.4.2 to 6.5.0. engine.io is the underlying transport mechanism for Socket.IO, handling the low-level details of establishing and maintaining connections. This update likely includes bug fixes, performance improvements, or new features related to transport management.

On the development dependencies side, uWebSockets.js has been updated from version v20.0.0 to v20.30.0, version 4.7.0 bumps its development dependency for socket.io-client to the same version as the main package (4.7.0), which ensures compatibility during development and testing. While both versions include socket.io-client-v2, pointing to version 2.4.0, It’s also worth noting that the unpacked size of the distribution has significantly increased from 1,230,402 bytes in 4.6.2 to 2,347,222 bytes in 4.7.0. This could be due to inclusion of the CORS library, engine.io update and potential expanded internal features or assets. The release date for 4.7.0 is also recent (June 22, 2023) compared with the previous version (May 31, 2023).