
Security News
npm v12 Ships With Install Scripts Off by Default, Begins Deprecating 2FA-Bypass Tokens
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.
$ npm install vhost
var vhost = require('vhost')
Create a new middleware function to hand off request to handle when the incoming
host for the request matches hostname. The function is called as
handle(req, res, next), like a standard middleware.
hostname can be a string or a RegExp object. When hostname is a string it can
contain * to match 1 or more characters in that section of the hostname. When
hostname is a RegExp, it will be forced to case-insensitive (since hostnames are)
and will be forced to match based on the start and end of the hostname.
When host is matched and the request is sent down to a vhost handler, the req.vhost
property will be populated with an object. This object will have numeric properties
corresponding to each wildcard (or capture group if RegExp object provided) and the
hostname that was matched.
// for match of "foo.bar.example.com:8080" against "*.*.example.com":
req.vhost.host === 'foo.bar.example.com:8080'
req.vhost.hostname === 'foo.bar.example.com'
req.vhost.length === 2
req.vhost[0] === 'foo'
req.vhost[1] === 'bar'
var connect = require('connect')
var serveStatic = require('serve-static')
var vhost = require('vhost')
var mailapp = connect()
// add middlewares to mailapp for mail.example.com
// create app to serve static files on subdomain
var staticapp = connect()
staticapp.use(serveStatic('public'))
// create main app
var app = connect()
// add vhost routing to main app for mail
app.use(vhost('mail.example.com', mailapp))
// route static assets for "assets-*" subdomain to get
// around max host connections limit on browsers
app.use(vhost('assets-*.example.com', staticapp))
// add middlewares and main usage to app
app.listen(3000)
var connect = require('connect')
var serveStatic = require('serve-static')
var vhost = require('vhost')
var mainapp = connect()
// add middlewares to mainapp for the main web site
// create app that will server user content from public/{username}/
var userapp = connect()
userapp.use(function(req, res, next){
var username = req.vhost[0] // username is the "*"
// pretend request was for /{username}/* for file serving
req.originalUrl = req.url
req.url = '/' + username + req.url
next()
})
userapp.use(serveStatic('public'))
// create main app
var app = connect()
// add vhost routing for main app
app.use(vhost('userpages.local', mainapp))
app.use(vhost('www.userpages.local', mainapp))
// listen on all subdomains for user pages
app.use(vhost('*.userpages.local', userapp))
app.listen(3000)
var connect = require('connect')
var http = require('http')
var vhost = require('vhost')
// create main app
var app = connect()
app.use(vhost('mail.example.com', function (req, res) {
// handle req + res belonging to mail.example.com
res.setHeader('Content-Type', 'text/plain')
res.end('hello from mail!')
}))
// an external api server in any framework
var httpServer = http.createServer(function (req, res) {
res.setHeader('Content-Type', 'text/plain')
res.end('hello from the api!')
})
app.use(vhost('api.example.com', function (req, res) {
// handle req + res belonging to api.example.com
// pass the request to a standard Node.js HTTP server
httpServer.emit('request', req, res)
}))
app.listen(3000)
FAQs
virtual domain hosting
The npm package vhost receives a total of 115,131 weekly downloads. As such, vhost popularity was classified as popular.
We found that vhost demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 8 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.

Research
/Security News
Socket tracks the activity as Operation “Muck and Load”: a threat actor uses commit-farming workflows, public dead drops, and protected archives to stage Windows RAT and infostealer malware.

Security News
pnpm 11.10 hardens registry auth to block token redirection, tightens pack-app and deploy, and makes the Rust port (v12) installable.