v20.33.0

Rebalancing with maxLifetime

A reworked timeout system now allows two lightweight timeout settings for WebSockets; idleTimeout (up to 16 minutes) and maxLifetime (up to 4 hours):

• idleTimeout is how long (in seconds) a WebSocket may be idle (have no traffic) before it is considered closed.
• maxLifetime is how long (in minutes) a WebSocket may be connected, before being gracefully closed by the server.

Specifying a value of 0 disables respective feature (the default for maxLifetime).

Why use maxLifetime?

The idea here is to enforce a partial rebalancing, constantly forcing a few connections to reconnect via whatever load balancer in use. This is a strategy used by Netflix where they found success in having maxLifetime = 30 minutes.

Good values for the settings should be somewhere around 30-120 seconds idleTimeout and 30-120 minutes maxLifetime.

v20.32.0

Subscription events

A new kind of event has been added. Whenever a WebSocket::subscribe or WebSocket::unsubscribe call is made, or when implicit unsubscription happens (such as when a WebSocket has subscriptions and gets closed in any way), a subscription event will fire with:

• the WebSocket involved
• the topic name
• the new number of subscribers to this topic
• the former number of subscribers to this topic

These events can be used to easily manage external subscriptions such as when using Redis to orchestrate multiple instances of uWS. Whenever a subscription event with new subscription count == 1; you can create the corresponding Redis subscription. Whenever a subscription event with new subscription count == 0; you can free the corresponding Redis subscription.

v20.31.0

• Don't use strftime for Date header (it depends on locale)

v20.30.0

• Fixes undefined behavior introduced in v20.28.0

v20.29.0

Hooking up Windows testing

• GitHub Actions now builds and runs the unit tests and smoke test on Windows on every push.
• The server was entirely broken on Windows, since the changes in v20.28.0 which is now fixed thanks to @rehans

v20.28.0

More RFC 9112 (HTTP/1.1) compliance fixups

• Field names are now restricted to alphanumeric + hyphen
• Chunked encoding parsing now properly rejects too large chunks
• Chunked encoding now rejects non-hex chunk size and handles A-F, a-f, 0-9 properly
• The Host field has to be present, but is allowed to have empty value
• Field values are trimmed both front and back, by SP and HTAB only
• Request method is now case sensitive and getCaseSensitiveMethod() has been added
• getMethod() will continue to return lower cased for backwards compatibility until v21.

Performance regression testing

• Performance comparison against the v20.0.0 release shows there is no performance drift. We haven't lost any measurable performance by improving spec. compliance.

Smoke testing on CI

• There is a new smoke test that makes a bunch of different fetch() requests in keep-alive using Deno, checking CRC32 hashes for correctness both for chunked encoding and for fixed length bodies. This test runs on CI automatically on every push along the unit tests. It will be extended with more request types in the near future.

v20.27.0

Initial C-API

Contributed by Ciro Spaciari (@cirospaciari) - there is now a quite complete C API that can be used from Zig, Rust and the like. Some form of this C API is already in use by Bun.

v20.26.0

RFC 9112 (HTTP/1.1) compliance fixup

HTTP/1.1 has been around since late stone age and there is now a new RFC9112 that updates it further, released this very summer. This is a good time to go over said spec. and make uWS as compliant as practically possible. This is going to be a gradual shift over time, making uWS more strict in this area, but here are some of the fixes in this release:

• HTTP/1.0 requests are no longer accepted (so long Apache Bench!).
• Content-Length and Transfer-Encoding are now more strictly and correctly parsed and used.
• Requests without "host" header are dropped.
• Requests with both Content-Length and Transfer-Encoding are dropped.
• Requests with ridiculously large Content-Length are dropped.
• Header values can no longer contain invisible control bytes (ASCII below 32), except for HTAB.
• We are more strict in dropping requests with space between header key and colon.

Some of these fixes are due to a report by FFRI Security, Inc. If you consider spec. compliance a security factor; then update to latest uWS.

v20.25.0

Yet more Transfer-Encoding: chunked fixes

• Keep-alive for chunked bodies was broken due to expecting an empty trailer which simply isn't there.

v20.24.0

Date, Transfer-Encoding fixes

• The HTTP server now appends a valid "Date" header to responses.
• Fixes broken keep-alive for HEAD, OPTIONS, TRACE, CONNECT and DELETE methods introduced in v20.23.0 while adding chunked encoding support.