Fix hostname() to reject case variants and wildcard forms of localhost

[dahlia]

hostname({ allowLocalhost: false }) only blocked the exact lowercase string "localhost". Because DNS hostnames are case-insensitive per RFC 1123, case variants like "LOCALHOST" and "LocalHost" should also be rejected. Additionally, wildcard forms rooted at localhost (e.g., "*.localhost", "*.LOCALHOST") bypassed the localhost check entirely since the wildcard validation runs in a separate code path.

This change makes the localhost comparison case-insensitive using toLowerCase() in packages/core/src/valueparser.ts and adds a dedicated check inside the wildcard validation block to reject *.localhost and its case variants when allowLocalhost is set to false. The fix also applies to socketAddress() since it delegates host validation to hostname().

const parser = hostname({ allowLocalhost: false, allowWildcard: true });

// All of these are now correctly rejected:
parser.parse("LOCALHOST");     // { success: false, ... }
parser.parse("LocalHost");     // { success: false, ... }
parser.parse("*.localhost");   // { success: false, ... }
parser.parse("*.LOCALHOST");   // { success: false, ... }

Closes #321

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

[codecov]

Codecov Report

❌ Patch coverage is 50.00000% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 94.89%. Comparing base (d2c2243) to head (9321d96).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
packages/core/src/valueparser.ts	50.00%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #659      +/-   ##
==========================================
- Coverage   94.90%   94.89%   -0.01%     
==========================================
  Files          38       38              
  Lines       17875    17882       +7     
  Branches     4773     4778       +5     
==========================================
+ Hits        16964    16970       +6     
- Misses        899      900       +1     
  Partials       12       12              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4b7661a3-eb2f-4dd6-96ef-0a4f7a8d973f

📥 Commits

Reviewing files that changed from the base of the PR and between d2c2243 and 9321d96.

📒 Files selected for processing (3)

• CHANGES.md
• packages/core/src/valueparser.test.ts
• packages/core/src/valueparser.ts

---

Walkthrough

This PR fixes the hostname() validator to reject localhost inputs case-insensitively and to block wildcard-localhost forms (e.g., *.localhost). Previously, only the exact lowercase string "localhost" was rejected, allowing case variants like "LOCALHOST" and wildcard localhost forms to pass through validation. The fix changes the direct equality check to a case-insensitive comparison and adds a new check for wildcard hostnames with localhost suffixes. Corresponding test cases and changelog documentation are included.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• #657: Also modifies hostname() validation in valueparser.ts to tighten hostname validation rules by rejecting dotted all-numeric labels.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: fixing hostname() to reject case variants and wildcard forms of localhost.
Description check	✅ Passed	The description clearly explains the issue, solution, and provides concrete examples demonstrating the fix for case-insensitive localhost rejection.
Linked Issues check	✅ Passed	The PR fully implements all coding objectives from issue #321: case-insensitive localhost rejection, wildcard-localhost rejection, and socketAddress() inheritance of the fix.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to fixing localhost validation in hostname() and its wildcard path, with tests and changelog entries appropriately documenting the fix.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/issue-321-hostname-localhost-case

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}