{"id":10418,"library":"socket.io","title":"Socket.IO","description":"Socket.IO is a real-time, bidirectional, event-based communication library that enables low-latency communication between web clients and Node.js servers. It facilitates cross-browser messaging with fallback options for reliable connections, even through proxies and firewalls. The current stable version is 4.8.3, and the package receives regular patch releases for bug fixes, security updates, and dependency maintenance across its ecosystem components.","status":"active","version":"4.8.3","language":"javascript","source_language":"en","source_url":"https://github.com/socketio/socket.io","tags":["javascript","realtime","framework","websocket","tcp","events","socket","io","typescript"],"install":[{"cmd":"npm install socket.io","lang":"bash","label":"npm"},{"cmd":"yarn add socket.io","lang":"bash","label":"yarn"},{"cmd":"pnpm add socket.io","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"While CommonJS is supported, modern Node.js and TypeScript projects typically use ESM.","wrong":"const Server = require('socket.io');","symbol":"Server","correct":"import { Server } from 'socket.io';"}],"quickstart":{"code":"import { Server } from 'socket.io';\nimport { createServer } from 'http';\n\nconst httpServer = createServer();\nconst io = new Server(httpServer, {\n  cors: {\n    origin: '*', // Allow all origins for simplicity in quickstart\n    methods: ['GET', 'POST']\n  }\n});\n\nio.on('connection', (socket) => {\n  console.log(`User connected: ${socket.id}`);\n\n  socket.emit('hello', `Welcome, ${socket.id}!`);\n\n  socket.on('message', (payload: string) => {\n    console.log(`Received message from ${socket.id}: ${payload}`);\n    // Broadcast the message to all connected clients\n    io.emit('broadcast', `Message from ${socket.id}: ${payload}`);\n  });\n\n  socket.on('disconnect', () => {\n    console.log(`User disconnected: ${socket.id}`);\n  });\n});\n\nconst PORT = process.env.PORT ?? 3000;\nhttpServer.listen(PORT, () => {\n  console.log(`Socket.IO server listening on port ${PORT}`);\n});","lang":"typescript","description":"This code sets up a basic Socket.IO server on port 3000 that listens for client connections. When a client connects, it logs the ID, sends a 'hello' event, listens for 'message' events from that client, and broadcasts them to all connected clients. It also handles client disconnections."},"warnings":[{"fix":"Upgrade `socket.io` to version 4.8.3 or later to ensure `socket.io-parser` (>=4.2.6) is updated.","message":"A critical security vulnerability (CVE-2026-33151) exists in the `socket.io-parser` dependency, allowing potential resource exhaustion via excessively large binary attachments.","severity":"breaking","affected_versions":"<4.8.3 for socket.io (which pulls vulnerable parser versions)"},{"fix":"Configure your load balancer (e.g., Nginx, HAProxy) to use IP-based sticky sessions or a similar mechanism.","message":"When deploying Socket.IO across multiple Node.js instances behind a load balancer, 'sticky sessions' are required to ensure a client's requests are always routed to the same server instance.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Upgrade to `socket.io@4.8.2` or later, which replaces `url.parse()` with `new URL()`.","message":"Older Socket.IO versions (or their dependencies) may use Node.js's deprecated `url.parse()` function, leading to deprecation warnings in newer Node.js environments.","severity":"deprecated","affected_versions":"<4.8.2"},{"fix":"Upgrade to `socket.io@4.8.3` or later, which includes a fix for this behavior.","message":"Calling `io.close()` on an already stopped server instance could throw an error, potentially leading to unhandled exceptions.","severity":"gotcha","affected_versions":"<4.8.3"}],"env_vars":null,"last_verified":"2026-04-18T00:00:00.000Z","next_check":"2026-07-17T00:00:00.000Z","problems":[{"fix":"Initialize the Socket.IO server with `new Server(httpServer)` or `new Server(3000)`.","cause":"The `Server` constructor was called without an `http.Server` instance or a port number.","error":"Error: Server must be passed to the constructor"},{"fix":"Upgrade `socket.io` to version 4.8.2 or later.","cause":"An older version of `socket.io` or its dependencies is using the deprecated `url.parse()` function in Node.js.","error":"DeprecationWarning: The URL.parse() method is deprecated and will be removed in a future version. Please use the WHATWG URL API."},{"fix":"Ensure the Socket.IO server is running and listening on the expected host and port. Verify the client's connection URL matches the server's address.","cause":"The client attempted to connect to a Socket.IO server that is not running or is listening on a different host/port.","error":"Error: connect ECONNREFUSED ::1:3000 (or similar IP/port)"},{"fix":"Attach client-specific event listeners within the `io.on('connection', (socket) => { ... })` callback, using the `socket` object: `socket.on('eventName', handler)`.","cause":"Attempting to register a client-specific event listener on the `io` (Server) instance instead of an individual `socket` instance.","error":"TypeError: socket.on is not a function"},{"fix":"Ensure CORS options are correctly configured on the server-side, e.g., `new Server(httpServer, { cors: { origin: \"*\", methods: [\"GET\", \"POST\"] } })`.","cause":"This often indicates a Cross-Origin Resource Sharing (CORS) issue or an incorrect Engine.IO path configuration between the client and server.","error":"WebSocket connection to 'ws://localhost:3000/socket.io/?EIO=4&transport=websocket' failed: Error during WebSocket handshake: Unexpected response code: 400"}],"ecosystem":"npm"}