What's changed

• fix: ensure broker always respond with PUBCOMP to a PUBREL in QoS 2 (#1056) (65d86c9)
• feat: add drainTimeout option to protect against slow/frozen clients (#1060) (af1ae4b)
• chore: remove release-it configuration from package.json and add to .release-it.json (#1052) (2c6882e)
• chore(dev): fix incorrect automated benchmark threshold handling (#1046) (9b76359)
• chore: replace tap by node:test (#1042) (9063215)
• chore: update dependencies (#1041) (b5178c0)
• chore: migrate to ESM (#1039) (d1cc2a3)
• chore: replace Coveralls with Codecov for coverage reporting (#1040) (8220f0a)
• feat: automate benchmark on PR requests using Github Actions (#1037) (86f5b45)
• feat!: migrate to async persistence (#1034) (f6a09bf)
• feat: automate benchmarking (#1035) (04e391f)
• chore: migrate to ES6 classes (#1032) (16e1886)
• chore: update aedes-persistence to 10 (#1031) (f874bb1)
• chore: migrate websocket-stream to ws (#1030) (ef5e1a8)
• chore: update dependencies (#1028) (f328ee1)
• chore: add type commonjs (#1027) (dcd1d39)

Breaking Changes in v1.0.0

1. Async/Await Broker Initialization (Breaking Change)

Aedes now requires async initialization. The old synchronous constructor has been replaced with Aedes.createBroker().

Before (v0.x):

:::js
const aedes = require('aedes')
const broker = aedes(opts)

After (v1.0.0):

:::js
const { Aedes } = require('aedes')
const broker = await Aedes.createBroker(opts)

Migration: See docs/MIGRATION.md for complete migration guide.

2. Default Export Removed (Breaking Change)

The default export has been removed to prevent confusion between v0.x and v1.x behavior. You must now use named import/require.

Before (v0.x):

:::js
import aedes from 'aedes'  // ❌ No longer works

After (v1.0.0):

:::js
import { Aedes } from 'aedes'  // ✅ Use named import

3. drainTimeout Default Changed (Breaking Change - Security Enhancement)

The drainTimeout option now defaults to 60000ms (60 seconds) instead of 0 (disabled). This protects against slow/frozen clients causing denial-of-service by blocking message delivery to all subscribers.

Impact:

• Before: Slow or frozen clients could cause complete system deadlock
• After: Unresponsive clients are automatically disconnected after 60 seconds

If you need the old behavior (not recommended due to DoS vulnerability):

:::js
const broker = await Aedes.createBroker({
  drainTimeout: 0  // Disable timeout - NOT RECOMMENDED
})

Why this change? A single frozen client (slow network, crashed app, or malicious actor) could previously block message delivery to ALL clients, causing complete deadlock. The default timeout prevents this DoS vulnerability.

See docs/Aedes.md for recommended drainTimeout settings.

4. Async Persistence Interface (Breaking Change)

The persistence interface has been changed from callback-based to async/await.

Minimum Required Versions:

• aedes-persistence: ≥10.2.2
• aedes-persistence-level: ≥9.1.2
• aedes-persistence-mongodb: ≥9.3.1
• aedes-persistence-redis: ≥11.2.1

Aedes will exit if it detects an incompatible persistence implementation.

---

For complete migration instructions, see docs/MIGRATION.md