Major improvements:

   - JSONP Polling transport (for IE6-7 cross domain)
   - Opera 10 support
   - Bullet-proof client side and server side disconnection detection
   - 70% test coverage on Socket.IO-node (run the tests with make test)
   - Multiple cross-domain fixes for all transports
   - Dozens of bug fixes
   - Socket.IO-node now serves the client, and is easier to use than ever.

npm install socket.io

Then from your client side code have node serve the client files:

<script src="/socket.io/socket.io.js">

And you're all set!

Socket.IO-node

   - Make sure to only write to open transports (thanks JohnDav)
   - _open is still false, so destroy the connection immediately upon
   websocket error
   - Make sure to disconnect directly onClose if the client is not
   handshaked and he can't possibly reconnect
   - Make sure to end and destroy connection onDisconnect (for timeouts)
   - Added missing .listen() call to example. Fixes #80. Thanks @machee
   - Invalid transport test completed
   - Initial stab at trying to detect invalid transport responses
   - Make sure to provide a default for log if no log key was provided
   (internal)
   - Removed unnecessary file extension verification when serving the client
   - Removed unnecessary Client check upon connection
   - Added support for /socket.io/WebSocketMain.swf
   - Added test for /socket.io/WebSocketMain.swf
   - Client serving ETag testing
   - Added htmlfile transport tests
   - Added extra byte to IE iframe bytes padding
   - Invalid session id test
   - end() before destroy()ing the socket for non-WebSocket or non-valid
   Upgrade requests
   - Added test for non-socket.io requests
   - Simplified index.js tests
   - Moved listener tests into listener.js
   - Make sure to call .end() when listening on connection 'end' event
   - Make sure the file descriptor is destroyed on disconnection
   - Fix for websocket client tracking test
   - Inline (same port) flash socket policy request.
   -

   If the server is not run with root privileges, then the flashsocket
   transport will instead listen to all new connections on the main port for
   policy requests. Flash policy requests happen to both port 843 and the
   destination port:
   http://www.lightsphere.com/dev/articles/flash_socket_policy.html
   -

   [websocket test] Fix sending message to client upon connecting
   - [websocket test] Fix for connection and handshake test
   - [client files serving] Leverage end() write() call
   - [client serving] Make sure to not do a useless file lookup when file is
   cached
   - Finished json encoding test
   - Look for the heartbeat in the decoded message
   - Refactored websocket transports tests to match polling/multipart
   helpers
   - Added coverage testing to Makefile
   - Added heartbeat test to multipart
   - Added buffered messages test for multipart
   - Added assertions for connected property for all the tests
   - Multipart clients tracking test
   - Multipart client>server message sending test
   - Make sure to only close the client stream when the roundtrip is
   complete
   - Multipart connection and handshake tests:
      - Implemented HTTP client on top of net.Stream with multipart boundary
      parsing for testing
      - Test for connection / server>client message sending
   - Removed unnecessary check for this.connection (since we now access the
   socket through req.connection for all transports)
   - Test for duration parameter
   - Added make example to Makefile
   - Added clients tracking test for long polling
   - Added message buffering test for long polling
   - Improve this.request/this.response/this.connection
   - Add 'end' listener onConnect, applies to all transports
   - Improved error handling onConnect
   - Remove legacy flush calls
   - Removed unnecessary closeTimeout clearing in jsonp polling
   - Make sure to close on disconnect if _open = true
   - Clear disconnection timeout on disconnection (double check)
   - Make sure to clear closeTimeout for polling transports on close.
   - Replaced empty with null in log option
   - Comma first style for client serving tests
   - Long polling integration tests
   - Test for heartbeat message
   - Added heartbeat timeout test
   - Support for listener#log false
   - Corrected onConnect signature to support a request and a socket, or a
   request and a response.
   - Removed error checking for non-upgradeable sockets, since they'll be
   destroyed, and error handling is done onConnect
   - Added tests for websocket client tracking
   - Added tests for websocket message buffering
   - Make sure disconnect timeout is cleared on websocket re-connect
   - Updated the flash socket with error detection, and readystate
   detection.
   - This is needed because when a error occures we close down the
   connection,
   - and the stream will become unwriteable.
   - Also changed to a single write instead of multiple writes.
   - Moved error handling to onConnect to avoid messing with the http.Server
   global error handlers
   - Do special error handling for websocket
   - Clearing heartbeat interval upon closing the connection
   - Added error listeners, if theses errors are not correcly caught, they
   will leak memory.
   - This caused http://speedo.no.de/ to go up from 1mb per connection after
   a ECONNECTRESET message
   - Added encode=UTF-8 in jsonp-polling.js and xhr-polling.js since UTF-8
   is the default encoding for http.ServerResponse.write
   - Replaced string.length with Buffer.byteLength in jsonp-polling.js,
   listener.js and xhr-polling.js because content-length header requires number
   of bytes and not the number of symbols in string
   - Fix COR headers/requests for different ports on Safari.
   - Clearing the references to request, response and connection upon
   disconnect.
   - Every require is blocking and requiring the sys module over and over
   and over again just makes no sense + it hurt performance.. Not to mention..
   that it's already included.
   - Socket.IO-node now serves the client out of the box for easier
   implementation
   - Memory caching and ETag support for static files
   - Tests
   - Simplified demo even further thanks to new static file serving
   - Failing to pass an origin header would throw an exception and crash the
   server. Added some handling.
   - .connected renamed to ._open, and adopted proper connected (fixes #41)
   - example/client updated to latest socket.io client
   - Better checking of WebSocket connections
   - Better handling of SSL location (thanks @jdub)
   - Fix for cross-domain websocket (fixes #42)
   - Removed clients/clientsIndex and only using the index (fixes #28)
   - Fixed WebSocket location header for ws/wss (Thanks @jdub, Fixes #40)
   - Cross domain issues with xhr-polling addressed. Thanks Niko Kaiser
   (@nicokaiser)
   - Added origin verification for incoming data.
   - Make sure pathname is set (thanks steadicat & swarmation team)
   - Fix for accessing routes that being with the namespace but are not a
   connection attempt. Thanks @steadicat from swarmation
   - JSONP-polling support
   - Graceful closing of connection for invalid websocket clients
   - Make it possible to just require 'socket.io'
   - Make sure to abort the connect() method upon bad upgrade / origin
   verification
   - Support for automatic JSON encoding/decoding
   - Simplified chat example to take advantage of JSON encoding/decoding
   - Removed fs sync call from example
   - Better how to use
   - Make sure to send content-type text/plain to ok POST responses

Socket.IO

   - Make sure to only destroy if the _iframe was created
   - Removed flashsocket onClose logic since its handled by connectTimeout
   - Added socket checks when disconnecting / sending messages
   - Fixed semicolons (thanks SINPacifist)
   - Added io.util.merge for options merging. Thanks SINPacifist
   - Removed unnecessary onClose handling, since this is taken care by
   Socket (thanks SINPacifist)
   - Make sure not to try other transports if the socket.io cookie was there
   - Updated web-socket-js
   - Make sure not to abort the for loop when skipping the transport
   - Connect timeout (fixes #34)
   - Try different transports upon connect timeout (fixes #35)
   - Restored rememberTransport to default
   - Removed io.setPath check
   - Make sure IE7 doesn't err on the multipart feature detection. Thanks
   Davin Lunz
   - CORS feature detection. Fixes IE7 attempting cross domain requests
   through their incomplete XMLHttpRequest implementation.
   - Now altering WEB_SOCKET_SWF_LOCATION (this way we don't need the
   web-socket-js WebSocket object to be there)
   - Flashsocket .connect() and .send() call addTask.
   - Make sure flashsocket can only be loaded on browsers that don't have a
   native websocket
   - Leveraging __addTask to delay sent messages until WebSocket through SWF
   is fully loaded.
   - Removed __isFlashLite check
   - Leverage node.js serving of the client side files
   - Make sure we can load io.js from node (window check)
   - Fix for XDomain send() on IE8 (thanks Eric Zhang)
   - Added a note about cross domain .swf files
   - Made sure no errors where thrown in IE if there isn't a flash fallback
   available.
   - Make sure disconnect event is only fired if the socket was completely
   connected, and it's not a reconnection attempt that was interrupted.
   - Force disconnection if .connect() is called and a connection attempt is
   ongoing
   - Upon socket disconnection, also mark connecting as false
   - .connecting flag in transport instance
   - Make sure .connecting is cleared in transport
   - Correct sessionid checking
   - Clear sessionid upon disconnection
   - Remove *xhr and *sendXhr objects
   - Moved timeout default into Transport
   - Remove callbacks on _onDisconnect and call abort()
   - Added placeholder for direct disconnect in XHR
   - Timeout logic (fixes #31)
   - Don't check for data length to trigger
...

read more »

Forgot to mention some other major improvements:

   - rememberTransport was fixed
   - There's now a connection timeout that allow socket.io to try multiple
   transports per client on the event that one doesn't work (eg: Flash
   WebSocket behind corporate proxies)
   - Automatic (and lightweight) json encoding. You can now .send({ your:
   'object' })

--
Guillermo Rauch
http://devthought.com

On Nov 1, 2:57 pm, Guillermo Rauch <rau...@gmail.com> wrote:

Yeah, everyone contributing to Socket.IO rock. I built a prototype in under
a week and got funding already for it. It's only because of Node.js,
Socket.IO, and a few other libs that this type of accomplishment can happen.

Thanks,
Francois

It's interesting to see such a detailed change log.

How about security, is there anything particular to lookout for? Can
one just open a Socket.IO connection and expect that from now on and
until the connection closes that everything is secure? (ie. no risk of
XSS for example). If "pure" WebSocket is not supported, do all the
fall-backs handle https?

Cheers,
Peter

On Nov 2, 12:48 am, Francois Laberge <francoislabe...@gmail.com>
wrote: