Match whole strings instead of partial strings when using patterns about reserved-subdomains HOT 4 CLOSED

I see what you mean and agree that the names you mentioned seem harmless.

I'm sure part of the original motivation for some of these is to prevent spoofing. Let's say these sub-domains are used on a blog platform, where the site can be fully customized. A user could create a subdomain like ftp-downloads.prodvider.ext and create an official looking website as the primary domain and go phishing.

Maybe instead of matching the whole string we matched on boundaries. So the mx rule for example... maybe the pattern shouldn't start with or be prefixed by an underscore or dash?

/(^|-|_)mx[0-9]+/.test('www-mx1') // true
/(^|-|_)mx[0-9]+/.test('bmx1') // false
/(^|-|_)mx[0-9]+/.test('mx1') // true

Now I also see that the rules are using + instead of * for the number ranges. This should probably be updated:

/(^|-|_)ftp[0-9]+/.test('ftp') // false -- this should be true
/(^|-|_)ftp[0-9]*/.test('ftp') // true -- uses * instead

from reserved-subdomains.

Okay, that seems acceptable. Maybe the same boundary rule can be applied to the end too?

/(^|-|_)ftp[0-9]*($|-|_)/

Because with something like /(^|-|_)m[0-9]*/ any domain starting with m would fail validation

from reserved-subdomains.

Sounds reasonable. Ideally a PR addressing these things would also introduce tests so expected behavior is kept in check. The changes we've discussed would technically be a breaking change (major version bump) even if the API doesn't change. But with that said, this might be a good time to review the API ergonomics/idioms, considering TypeScript, etc...

Thanks for getting involved in the project.

from reserved-subdomains.

Yes, I think a way to add names and patterns to the bundled list would be nice. Apart from that, I also noticed that auto-import did not work for me on vscode. I'm not sure why, maybe it doesn't work for certain kinds of exports? This needs to be investigated further.

from reserved-subdomains.