Gathering detailed insights and metrics for socket.io
Realtime application framework (Node.JS server)
npm install socket.io
Supply Chain: 98.4
Quality: 99.2
Maintenance: 80.9
Vulnerability: 100
License: 100
engine.io@6.6.4
Updated on Jan 28, 2025
engine.io@6.6.3
Updated on Jan 23, 2025
engine.io-client@6.6.3
Updated on Jan 23, 2025
socket.io@4.8.1
Updated on Oct 25, 2024
socket.io-client@4.8.1
Updated on Oct 25, 2024
engine.io-client@6.6.2
Updated on Oct 25, 2024
TypeScript (62.4%)
JavaScript (37.44%)
Shell (0.1%)
HTML (0.03%)
CSS (0.02%)
Total Downloads: 1,597,077,348
Last Day: 1,082,885
Last Week: 6,782,398
Last Month: 28,462,505
Last Year: 301,327,653
MIT License
61,613 Stars
7,610 Commits
10,135 Forks
1,519 Watchers
26 Branches
389 Contributors
Updated on Feb 15, 2025
Latest Version: 4.8.1
Package Id: socket.io@4.8.1
Unpacked Size: 1.35 MB
Size: 341.67 kB
File Count: 30
NPM Version: 10.8.2
Node Version: 20.18.0
Published on: Oct 25, 2024
Last Day: 1,082,885 (-0.4% compared to previous day)
Last Week: 6,782,398 (2% compared to previous week)
Last Month: 28,462,505 (32.5% compared to previous month)
Last Year: 301,327,653 (14% compared to previous year)
Socket.IO enables real-time bidirectional event-based communication. It consists of:
Some implementations in other languages are also available:
Its main features are:
Connections are established even in the presence of:
For this purpose, it relies on Engine.IO, which first establishes a long-polling connection, then tries to upgrade to better transports that are "tested" on the side, like WebSocket. Please see the Goals section for more information.
Unless instructed otherwise a disconnected client will try to reconnect forever, until the server is available again. Please see the available reconnection options here.
A heartbeat mechanism is implemented at the Engine.IO level, allowing both the server and the client to know when the other one is not responding anymore.
That functionality is achieved with timers set on both the server and the client, with timeout values (the `pingInterval` and `pingTimeout` parameters) shared during the connection handshake. Those timers require any subsequent client calls to be directed to the same server, hence the sticky-session requirement when using multiple nodes.
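The sticky-session requirement described above, as an added example (a simplified in-memory model, not Socket.IO or Engine.IO code): each node keeps its sessions and heartbeat deadlines locally, so polls routed to another node fail. `EngineNode`, `simulate`, the routing functions, the error strings, the timer values and the session id are all constructed for illustration.

```javascript
// Simplified model: every node stores sessions and heartbeat state in local memory.
class EngineNode {
  constructor() { this.sessions = new Map(); }
  handshake(sid, now) {
    // Timeout values shared with the client in the handshake (sample values).
    const params = { pingInterval: 25000, pingTimeout: 20000 };
    this.sessions.set(sid, { lastSeen: now, ...params });
    return { sid, ...params };
  }
  poll(sid, now) {
    const s = this.sessions.get(sid);
    if (!s) return { ok: false, error: 'unknown session id' };
    // No traffic within pingInterval + pingTimeout: the peer is considered gone.
    if (now - s.lastSeen > s.pingInterval + s.pingTimeout) {
      this.sessions.delete(sid);
      return { ok: false, error: 'ping timeout' };
    }
    s.lastSeen = now;
    return { ok: true };
  }
}

// Runs one handshake plus `polls` follow-up requests and counts the failures.
function simulate(route, polls) {
  const nodes = [new EngineNode(), new EngineNode()];
  const sid = 'constructed-sid-1';
  let now = 0;
  nodes[route(sid, 0, nodes.length)].handshake(sid, now);
  let failures = 0;
  for (let k = 1; k <= polls; k++) {
    now += 25000; // one request per pingInterval
    if (!nodes[route(sid, k, nodes.length)].poll(sid, now).ok) failures++;
  }
  return failures;
}

// Round-robin ignores the session id; sticky routing hashes it to a fixed node.
const roundRobin = (sid, k, n) => k % n;
const sticky = (sid, k, n) =>
  [...sid].reduce((h, c) => (h * 31 + c.charCodeAt(0)) >>> 0, 0) % n;
```

With round-robin routing every follow-up request fails, either because the node never saw the handshake or because the owning node's timer expired while the other node was receiving the traffic.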
Any serializable data structures can be emitted, including:
Sample code:
```js
io.on('connection', socket => {
  socket.emit('request', /* … */); // emit an event to the socket
  io.emit('broadcast', /* … */); // emit an event to all connected sockets
  socket.on('reply', () => { /* … */ }); // listen to the event
});
```
Browser support is tested in Sauce Labs:
In order to create separation of concerns within your application (for example per module, or based on permissions), Socket.IO allows you to create several `Namespaces`, which will act as separate communication channels but will share the same underlying connection.
Within each `Namespace`, you can define arbitrary channels, called `Rooms`, that sockets can join and leave. You can then broadcast to any given room, reaching every socket that has joined it.
This is a useful feature to send notifications to a group of users, or to a given user connected on several devices for example.
Note: Socket.IO is not a WebSocket implementation. Although Socket.IO indeed uses WebSocket as a transport when possible, it adds some metadata to each packet: the packet type, the namespace and the ack id when a message acknowledgement is needed. That is why a WebSocket client will not be able to successfully connect to a Socket.IO server, and a Socket.IO client will not be able to connect to a WebSocket server (like `ws://echo.websocket.org`) either. Please see the protocol specification here.
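The per-packet metadata named in the note above (packet type, namespace, ack id), as an added example that is not code from the Socket.IO project: a strict decoder for the text encoding, useful when inspecting or validating captured traffic. The layout is assumed from revision 5 of the Socket.IO protocol; `decodePacket` and `PACKET_TYPES` are hypothetical names.

```javascript
// Added example (not Socket.IO project code). Layout assumed from protocol v5:
// <type>[<attachments>-][<namespace>,][<ack id>][JSON payload]
const PACKET_TYPES = ['CONNECT', 'DISCONNECT', 'EVENT', 'ACK',
  'CONNECT_ERROR', 'BINARY_EVENT', 'BINARY_ACK'];

// decodePacket is a hypothetical helper name; it throws on anything malformed.
function decodePacket(str) {
  if (typeof str !== 'string' || !/^[0-6]/.test(str)) {
    throw new Error('unknown packet type');
  }
  const type = PACKET_TYPES[Number(str[0])];
  const packet = { type, nsp: '/' };
  let i = 1;

  // Binary packets carry "<attachment count>-" right after the type digit.
  if (type === 'BINARY_EVENT' || type === 'BINARY_ACK') {
    const dash = str.indexOf('-', i);
    if (dash === -1 || !/^\d+$/.test(str.slice(i, dash))) {
      throw new Error('bad attachment count');
    }
    packet.attachments = Number(str.slice(i, dash));
    i = dash + 1;
  }
  // A non-default namespace starts with "/" and ends at the first comma.
  if (str[i] === '/') {
    const comma = str.indexOf(',', i);
    const end = comma === -1 ? str.length : comma;
    packet.nsp = str.slice(i, end);
    i = comma === -1 ? end : end + 1;
  }
  // Optional ack id: a bounded run of digits in front of the JSON payload.
  const ack = /^\d{1,15}/.exec(str.slice(i));
  if (ack) {
    packet.id = Number(ack[0]);
    i += ack[0].length;
  }
  // Whatever remains is the JSON-encoded payload.
  if (i < str.length) {
    try { packet.data = JSON.parse(str.slice(i)); }
    catch { throw new Error('invalid payload'); }
  }
  // Event packets must be an array whose first item is the event name.
  const isEvent = type === 'EVENT' || type === 'BINARY_EVENT';
  if (isEvent && !(Array.isArray(packet.data) && typeof packet.data[0] === 'string')) {
    throw new Error('invalid event payload');
  }
  return packet;
}
```

A frame from a plain WebSocket client, which lacks the leading type digit, is rejected at the first check.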
```sh
# with npm
npm install socket.io

# with yarn
yarn add socket.io
```
The following example attaches socket.io to a plain Node.JS HTTP server listening on port `3000`.
```js
const server = require('http').createServer();
const io = require('socket.io')(server);
io.on('connection', client => {
  client.on('event', data => { /* … */ });
  client.on('disconnect', () => { /* … */ });
});
server.listen(3000);
```

```js
const io = require('socket.io')();
io.on('connection', client => { /* … */ });
io.listen(3000);
```

```js
import { Server } from "socket.io";
// No HTTP server is passed in: io.listen() creates one on the given port.
const io = new Server();
io.listen(3000);
```
Starting with 3.0, express applications have become request handler functions that you pass to `http` or `http` `Server` instances. You need to pass the `Server` to `socket.io`, not the express application function. Also make sure to call `.listen` on the `server`, not the `app`.
```js
const app = require('express')();
const server = require('http').createServer(app);
const io = require('socket.io')(server);
io.on('connection', () => { /* … */ });
server.listen(3000);
```
Like Express.JS, Koa works by exposing an application as a request handler function, but only by calling the `callback` method.
```js
const Koa = require('koa');
const app = new Koa(); // Koa 2 exports a class, so it must be constructed with `new`
const server = require('http').createServer(app.callback());
const io = require('socket.io')(server);
io.on('connection', () => { /* … */ });
server.listen(3000);
```
To integrate Socket.IO in your Fastify application you just need to register the `fastify-socket.io` plugin. It will create a decorator called `io`.
```js
const app = require('fastify')();
app.register(require('fastify-socket.io'));
app.ready().then(() => {
  app.io.on('connection', () => { /* … */ });
})
app.listen(3000);
```
Please see the documentation here.
The source code of the website can be found here. Contributions are welcome!
Socket.IO is powered by debug.
In order to see all the debug output, run your app with the environment variable `DEBUG` including the desired scope.
To see the output from all of Socket.IO's debugging scopes you can use:
DEBUG=socket.io* node myapp
npm test
This runs the `gulp` task `test`. By default the test will be run with the source code in the `lib` directory.
Set the environment variable `TEST_VERSION` to `compat` to test the transpiled es5-compat version of the code.
The `gulp` task `test` will always transpile the source code into es5 and export to `dist` first before running the test.
Stable Version
1
7.5/10
Summary: Insecure randomness in socket.io
Affected Versions: <= 0.9.6
Patched Versions: 0.9.7
3
7.3/10
Summary: socket.io has an unhandled 'error' event
Affected Versions: >= 3.0.0, < 4.6.2
Patched Versions: 4.6.2

7.3/10
Summary: socket.io has an unhandled 'error' event
Affected Versions: < 2.5.0
Patched Versions: 2.5.1

4.3/10
Summary: CORS misconfiguration in socket.io
Affected Versions: < 2.4.0
Patched Versions: 2.4.0
Reason: 6 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10
Reason: security policy file detected
Reason: no dangerous workflow patterns detected
Reason: license file detected
Reason: packaging workflow detected
Reason: detected GitHub workflow tokens with excessive permissions
Reason: binaries present in source code
Reason: Found 3/30 approved changesets -- score normalized to 1
Reason: dependency not pinned by hash detected -- score normalized to 1
Reason: no effort to earn an OpenSSF best practices badge detected
Reason: project is not fuzzed
Reason: SAST tool is not run on all commits -- score normalized to 0
Reason: 49 existing vulnerabilities detected
Score
Last Scanned on 2025-02-03
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.