#632)

**IMPORTANT SECURITY FIX**

A malicious client could send a specially crafted HTTP request,
triggering an uncaught exception and killing the Node.js process:

> RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
>   at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14)
>   at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22)
>   at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10)
>   at writeOrBuffer (internal/streams/writable.js:358:12)

This bug was introduced by [1], included in `[email protected]`, so
previous releases are not impacted.

[1]: f3c291f

Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.

Diff: 6.1.0...6.1.1

…636)

Bumps [engine.io](https://github.com/socketio/engine.io) from 4.0.0 to 4.1.2.
- [Release notes](https://github.com/socketio/engine.io/releases)
- [Changelog](https://github.com/socketio/engine.io/blob/4.1.2/CHANGELOG.md)
- [Commits](4.0.0...4.1.2)

---
updated-dependencies:
- dependency-name: engine.io
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

When binding to an uWebSockets.js App, there was an unhandled case that
could crash the server:

```
curl "http:https://localhost:3000/engine.io/?EIO=4&transport=websocket"
```

would result in:

```
Error: Returning from a request handler without responding or attaching an abort handler is forbidden!
terminate called without an active exception
```

Note: this does not apply to the default server based on ws, because
the error was caught elsewhere in the source code.

Related: socketio/socket.io#4250

You can now pass additional options:

```js
const { App } = require("uWebSockets.js");
const { uServer } = require("engine.io");

const app = new App();
const server = new uServer();

server.attach(app, {
  compression: uWS.DEDICATED_COMPRESSOR_128KB, // defaults to none
  idleTimeout: 60, // defaults to 120
  maxBackpressure: 8 * 1024 // defaults to 1024 * 1024
});

app.listen(3000);
```

Related: #633

When binding to an uWebSockets.js application, the server could crash
with the following error:

```
TypeError: res.onData is not a function
    at Polling.onDataRequest (build/transports-uws/polling.js:133:13)
    at Polling.onRequest (build/transports-uws/polling.js:47:18)
    at callback (build/userver.js:80:56)
```

Related: #637

Note to future self: URL for dependencies from GitHub must use
"git+https" instead of "git+ssh" to make the CI pass, else you will
encounter the following error:

```
npm ERR! Error while executing:
npm ERR! /usr/bin/git ls-remote -h -t ssh:https://[email protected]/uNetworking/uWebSockets.js.git
npm ERR!
npm ERR! Warning: Permanently added the RSA host key for IP address '140.82.112.3' to the list of known hosts.
npm ERR! [email protected]: Permission denied (publickey).
npm ERR! fatal: Could not read from remote repository.
npm ERR!
npm ERR! Please make sure you have the correct access rights
npm ERR! and the repository exists.
npm ERR!
npm ERR! exited with error code: 128
```

Merged from #630

Diff: 6.1.1...6.1.2

Reference: https://www.npmjs.com/package/cors#configuring-cors-asynchronously

Related: DefinitelyTyped/DefinitelyTyped@54a59cd

With the engine based on µWebSockets.js (introduced in version 6.1.0),
a huge request body split in multiple chunks would throw the following
error:

> node:buffer:254
>   TypedArrayPrototypeSet(target, source, targetStart);
>   ^
>
> TypeError: Cannot perform %TypedArray%.prototype.set on a detached ArrayBuffer
>     at Buffer.set (<anonymous>)
>     at _copyActual (node:buffer:254:3)
> node:buffer:254
>   TypedArrayPrototypeSet(target, source, targetStart);
>   ^
>
> TypeError: Cannot perform %TypedArray%.prototype.set on a detached ArrayBuffer
>     at Buffer.set (<anonymous>)
>     at _copyActual (node:buffer:254:3)
>     at Function.concat (node:buffer:562:12)
>     at onEnd (.../node_modules/engine.io/build/transports-uws/polling.js:126:32)
>     at .../node_modules/engine.io/build/transports-uws/polling.js:143:17

Note: µWebSockets.js does not currently support chunked transfer
encoding.

In order to make sure the types added in [1] are included.

Related:

- #639
- #640

[1]: socketio/engine.io-parser@ad5bd7d

Diff: 6.1.2...6.1.3

Before this, the connection was closed abrutly with an HTTP 502
response.

See also: f8100f9

Related: socketio/socket.io#4293

See also: https://github.com/nodejs/Release

So that clients in HTTP long-polling can decide how many packets they
have to send to stay under the maxHttpBufferSize value.

This is a backward compatible change which should not mandate a new
major revision of the protocol (we stay in v4), as we only add a field
in the JSON-encoded handshake data:

```
0{"sid":"lv_VI97HAXpY6yYWAAAC","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000,"maxPayload":1000000}
```

Related: socketio/socket.io-client#1531

Diff: 6.1.3...6.2.0