Gathering detailed insights and metrics for socket.io
Gathering detailed insights and metrics for socket.io
Installations
npm install socket.ioDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS, ESM
Min. Node Version
>=10.2.0
Node Version
20.18.0
NPM Version
10.8.2
Releases
75
engine.io@6.6.4
engine.io@6.6.4
Updated on Jan 28, 2025
engine.io@6.6.3
engine.io@6.6.3
Updated on Jan 23, 2025
engine.io-client@6.6.3
engine.io-client@6.6.3
Updated on Jan 23, 2025
socket.io@4.8.1
socket.io@4.8.1
Updated on Oct 25, 2024
socket.io-client@4.8.1
socket.io-client@4.8.1
Updated on Oct 25, 2024
engine.io-client@6.6.2
engine.io-client@6.6.2
Updated on Oct 25, 2024
Languages
5
TypeScript
JavaScript
Shell
HTML
CSS
TypeScript (62.4%)
JavaScript (37.44%)
Shell (0.1%)
HTML (0.03%)
CSS (0.02%)
Developer
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
MIT License
62,191 Stars
7,611 Commits
10,134 Forks
1,506 Watchers
26 Branches
388 Contributors
Updated on Jul 11, 2025
Maintainers
2
Package Meta Information
Latest Version
4.8.1
Package Id
socket.io@4.8.1
Unpacked Size
1.35 MB
Size
341.67 kB
File Count
30
NPM Version
10.8.2
Node Version
20.18.0
Published on
Oct 25, 2024
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
socket.io
Features
Socket.IO enables real-time bidirectional event-based communication. It consists of:
- a Node.js server (this repository)
- a Javascript client library for the browser (or a Node.js client)
Some implementations in other languages are also available:
Its main features are:
Reliability
Connections are established even in the presence of:
- proxies and load balancers.
- personal firewall and antivirus software.
For this purpose, it relies on Engine.IO, which first establishes a long-polling connection, then tries to upgrade to better transports that are "tested" on the side, like WebSocket. Please see the Goals section for more information.
Auto-reconnection support
Unless instructed otherwise a disconnected client will try to reconnect forever, until the server is available again. Please see the available reconnection options here.
Disconnection detection
A heartbeat mechanism is implemented at the Engine.IO level, allowing both the server and the client to know when the other one is not responding anymore.
That functionality is achieved with timers set on both the server and the client, with timeout values (the pingInterval and pingTimeout parameters) shared during the connection handshake. Those timers require any subsequent client calls to be directed to the same server, hence the sticky-session requirement when using multiples nodes.
Binary support
Any serializable data structures can be emitted, including:
- ArrayBuffer and Blob in the browser
- ArrayBuffer and Buffer in Node.js
Simple and convenient API
Sample code:
1io.on('connection', socket => { 2 socket.emit('request', /* … */); // emit an event to the socket 3 io.emit('broadcast', /* … */); // emit an event to all connected sockets 4 socket.on('reply', () => { /* … */ }); // listen to the event 5});
Cross-browser
Browser support is tested in Sauce Labs:
Multiplexing support
In order to create separation of concerns within your application (for example per module, or based on permissions), Socket.IO allows you to create several Namespaces, which will act as separate communication channels but will share the same underlying connection.
Room support
Within each Namespace, you can define arbitrary channels, called Rooms, that sockets can join and leave. You can then broadcast to any given room, reaching every socket that has joined it.
This is a useful feature to send notifications to a group of users, or to a given user connected on several devices for example.
Note: Socket.IO is not a WebSocket implementation. Although Socket.IO indeed uses WebSocket as a transport when possible, it adds some metadata to each packet: the packet type, the namespace and the ack id when a message acknowledgement is needed. That is why a WebSocket client will not be able to successfully connect to a Socket.IO server, and a Socket.IO client will not be able to connect to a WebSocket server (like ws://echo.websocket.org) either. Please see the protocol specification here.
Installation
1// with npm 2npm install socket.io 3 4// with yarn 5yarn add socket.io
How to use
The following example attaches socket.io to a plain Node.JS
HTTP server listening on port 3000.
1const server = require('http').createServer(); 2const io = require('socket.io')(server); 3io.on('connection', client => { 4 client.on('event', data => { /* … */ }); 5 client.on('disconnect', () => { /* … */ }); 6}); 7server.listen(3000);
Standalone
1const io = require('socket.io')(); 2io.on('connection', client => { ... }); 3io.listen(3000);
Module syntax
1import { Server } from "socket.io"; 2const io = new Server(server); 3io.listen(3000);
In conjunction with Express
Starting with 3.0, express applications have become request handler
functions that you pass to http or http Server instances. You need
to pass the Server to socket.io, not the express application
function. Also make sure to call .listen on the server, not the app.
1const app = require('express')(); 2const server = require('http').createServer(app); 3const io = require('socket.io')(server); 4io.on('connection', () => { /* … */ }); 5server.listen(3000);
In conjunction with Koa
Like Express.JS, Koa works by exposing an application as a request
handler function, but only by calling the callback method.
1const app = require('koa')(); 2const server = require('http').createServer(app.callback()); 3const io = require('socket.io')(server); 4io.on('connection', () => { /* … */ }); 5server.listen(3000);
In conjunction with Fastify
To integrate Socket.io in your Fastify application you just need to
register fastify-socket.io plugin. It will create a decorator
called io.
1const app = require('fastify')(); 2app.register(require('fastify-socket.io')); 3app.ready().then(() => { 4 app.io.on('connection', () => { /* … */ }); 5}) 6app.listen(3000);
Documentation
Please see the documentation here.
The source code of the website can be found here. Contributions are welcome!
Debug / logging
Socket.IO is powered by debug.
In order to see all the debug output, run your app with the environment variable
DEBUG including the desired scope.
To see the output from all of Socket.IO's debugging scopes you can use:
DEBUG=socket.io* node myapp
Testing
npm test
This runs the gulp task test. By default the test will be run with the source code in lib directory.
Set the environmental variable TEST_VERSION to compat to test the transpiled es5-compat version of the code.
The gulp task test will always transpile the source code into es5 and export to dist first before running the test.
Backers
Support us with a monthly donation and help us continue our activities. [Become a backer]
Sponsors
Become a sponsor and get your logo on our README on Github with a link to your site. [Become a sponsor]
License
High
7.5/10
Summary
Insecure randomness in socket.io
Affected Versions
<= 0.9.6
Patched Versions
0.9.7
Moderate
7.3/10
Summary
socket.io has an unhandled 'error' event
Affected Versions
>= 3.0.0, < 4.6.2
Patched Versions
4.6.2
Moderate
7.3/10
Summary
socket.io has an unhandled 'error' event
Affected Versions
< 2.5.0
Patched Versions
2.5.1
Moderate
4.3/10
Summary
CORS misconfiguration in socket.io
Affected Versions
< 2.4.0
Patched Versions
2.4.0
Reason
no dangerous workflow patterns detected
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/publish.yml:12
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/publish.yml:15
- Info: topLevel 'contents' permission set to 'read': .github/workflows/build-examples.yml:8
- Info: topLevel 'contents' permission set to 'read': .github/workflows/ci-browser.yml:14
- Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:12
- Warn: no topLevel permission defined: .github/workflows/publish.yml:1
- Info: no jobLevel write permissions found
Reason
binaries present in source code
Details
- Warn: binary detected: examples/ReactNativeExample/android/gradle/wrapper/gradle-wrapper.jar:1
Reason
0 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 5
Reason
Found 3/30 approved changesets -- score normalized to 1
Reason
dependency not pinned by hash detected -- score normalized to 1
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-examples.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/socketio/socket.io/build-examples.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-examples.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/socketio/socket.io/build-examples.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-browser.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/socketio/socket.io/ci-browser.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-browser.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/socketio/socket.io/ci-browser.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/socketio/socket.io/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/socketio/socket.io/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/socketio/socket.io/publish.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/socketio/socket.io/publish.yml/main?enable=pin
- Warn: containerImage not pinned by hash: examples/cluster-haproxy/server/Dockerfile:1: pin your Docker image by updating node:14-alpine to node:14-alpine@sha256:434215b487a329c9e867202ff89e704d3a75e554822e07f3e0c0f9e606121b33
- Warn: containerImage not pinned by hash: examples/cluster-httpd/server/Dockerfile:1: pin your Docker image by updating node:14-alpine to node:14-alpine@sha256:434215b487a329c9e867202ff89e704d3a75e554822e07f3e0c0f9e606121b33
- Warn: containerImage not pinned by hash: examples/cluster-nginx/client/Dockerfile:1: pin your Docker image by updating node:14-alpine to node:14-alpine@sha256:434215b487a329c9e867202ff89e704d3a75e554822e07f3e0c0f9e606121b33
- Warn: containerImage not pinned by hash: examples/cluster-nginx/server/Dockerfile:1: pin your Docker image by updating node:14-alpine to node:14-alpine@sha256:434215b487a329c9e867202ff89e704d3a75e554822e07f3e0c0f9e606121b33
- Warn: containerImage not pinned by hash: examples/cluster-traefik/server/Dockerfile:1: pin your Docker image by updating node:14-alpine to node:14-alpine@sha256:434215b487a329c9e867202ff89e704d3a75e554822e07f3e0c0f9e606121b33
- Warn: containerImage not pinned by hash: examples/connection-state-recovery-example/cjs/.codesandbox/Dockerfile:1: pin your Docker image by updating node:20-bullseye to node:20-bullseye@sha256:b79260a8b34ba6438b4c0ac583cf04385b00147c57d8a0798525ca0f78d12e94
- Warn: containerImage not pinned by hash: examples/connection-state-recovery-example/esm/.codesandbox/Dockerfile:1: pin your Docker image by updating node:20-bullseye to node:20-bullseye@sha256:b79260a8b34ba6438b4c0ac583cf04385b00147c57d8a0798525ca0f78d12e94
- Warn: npmCommand not pinned by hash: examples/cluster-haproxy/server/Dockerfile:9
- Warn: npmCommand not pinned by hash: examples/cluster-httpd/server/Dockerfile:9
- Warn: npmCommand not pinned by hash: examples/cluster-nginx/client/Dockerfile:9
- Warn: npmCommand not pinned by hash: examples/cluster-nginx/server/Dockerfile:9
- Warn: npmCommand not pinned by hash: examples/cluster-traefik/server/Dockerfile:9
- Warn: npmCommand not pinned by hash: .github/workflows/build-examples.yml:44
- Info: 0 out of 8 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 7 containerImage dependencies pinned
- Info: 3 out of 9 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 3 are checked with a SAST tool
Reason
61 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-4q6p-r6v2-jvc5
- Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
- Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
- Warn: Project is vulnerable to: GHSA-vp56-6g26-6827
- Warn: Project is vulnerable to: GHSA-76p7-773f-r4q5
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-mpg4-rc92-vx8v
- Warn: Project is vulnerable to: GHSA-m5qc-5hw7-8vg7
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
- Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
- Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
- Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
- Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
- Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
- Warn: Project is vulnerable to: GHSA-c7qv-q95q-8v27
- Warn: Project is vulnerable to: GHSA-4www-5p9h-95mh
- Warn: Project is vulnerable to: GHSA-9gqv-wp59-fq42
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
- Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986
- Warn: Project is vulnerable to: GHSA-wr3j-pwj9-hqq6
- Warn: Project is vulnerable to: GHSA-4v9v-hfq4-rm2v
- Warn: Project is vulnerable to: GHSA-9jgg-88mc-972h
- Warn: Project is vulnerable to: GHSA-hpx4-r86g-5jrg
- Warn: Project is vulnerable to: GHSA-prr3-c3m5-p7q2
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-ghr5-ch3p-vcr6
- Warn: Project is vulnerable to: GHSA-q9mw-68c2-j6m5
- Warn: Project is vulnerable to: GHSA-rp65-9cf3-cjxr
- Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-25hc-qcg6-38wj
- Warn: Project is vulnerable to: GHSA-cqmj-92xf-r6r9
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-hc6q-2mpp-qw7j
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
- Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6
- Warn: Project is vulnerable to: GHSA-75v8-2h7p-7m2m
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-6fx8-h7jm-663j
- Warn: Project is vulnerable to: GHSA-pq67-2wwv-3xjx
- Warn: Project is vulnerable to: GHSA-8cj5-5rvv-wf4v
- Warn: Project is vulnerable to: GHSA-9vvw-cc9w-f27h
- Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
- Warn: Project is vulnerable to: GHSA-wrvr-8mpx-r7pp
- Warn: Project is vulnerable to: GHSA-hxm2-r34f-qmc5
- Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m
- Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
- Warn: Project is vulnerable to: GHSA-w9mr-4mfr-499f
- Warn: Project is vulnerable to: GHSA-qg8p-v9q4-gh34
- Warn: Project is vulnerable to: GHSA-g4rg-993r-mgx7
- Warn: Project is vulnerable to: GHSA-34r7-q49f-h37c
- Warn: Project is vulnerable to: GHSA-c9f4-xj24-8jqx
Score
5.3
/10
Last Scanned on 2025-06-30
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More