Web hosts are starting to treat application-dependency security as a default feature rather than an add-on. On July 7Hostinger integrated vulnerability intelligence from Patchstack into its Node.js hosting, so that applications running on its Business and Cloud plans are scanned automatically for known flaws in their npm package dependencies. The feature is on by default and surfaces issues with remediation guidance as they appear. It is a small product update carrying a larger signal: securing the open-source supply chain is moving from something a developer bolts on to something the hosting platform does for them.

What Hostinger Turned On

The integration puts Patchstack’s vulnerability data behind Hostinger’s Node.js environment. For applications on the Business web hosting tier and the Cloud plans (Startup, Professional, Enterprise and Enterprise Plus), the feature:

  • Continuously scans the npm packages an application depends on, rather than checking once at deploy
  • Raises automatic alerts when a known vulnerability appears in one of them
  • Points developers to the fix, in cases offering an auto-fix from a dedicated vulnerabilities view
  • Is on by default and needs no setup

Because open-source dependencies change constantly, that continuous cadence is the point. “Open-source dependencies keep changing, so developers need ongoing visibility into new vulnerabilities, not just a one-time scan,” said Oliver Sild, CEO of Patchstack. No usage numbers accompany the launch, and the feature covers dependency vulnerabilities, not flaws in the application’s own code.

The Problem It Targets: Ship Fast, Forget the Dependencies

The risk Hostinger and Patchstack point at is specific and growing: applications assembled quickly, increasingly with AI assistance, that pull in dozens of third-party npm packages and are then never looked at again. A modern Node.js app can inherit hundreds of transitive dependencies, any of which can turn vulnerable after deployment, and the developer who generated it in an afternoon rarely tracks the advisories. That is the soft spot of the software supply chain, and it is where a growing share of recent incidents have started. Standalone scanners have existed for years, from Snyk to GitHub’s Dependabot to npm’s own audit command, but each has to be set up and then watched, which is exactly what a fast-shipped app rarely gets. Building the scan into the hosting layer, switched on by default, is an attempt to close that gap for the many customers who would never wire up a tool themselves.

Patchstack Moves Beyond WordPress, and Into the Host

For Patchstack, the deal is part of a deliberate expansion. The company built its reputation on WordPress, running a large vulnerability database and pushing virtual patches for insecure plugins and themes, and it has been extending the same model to npm packages and the wider open-source stack. It has also been embedding itself directly inside large hosting providers rather than selling to end users one at a time. Patchstack has struck arrangements with other major hosts, including GoDaddy, to surface its threat intelligence inside the host’s own product. As Sild argued in an earlier conversation with this publication, the old model of selling hosting security as a separate upsell has broken, and the more durable place for it is switched on inside the platform. The Hostinger integration is that thesis applied to Node.js.

Security Responsibility Moves Up the Stack

The move fits a broader shift in where security responsibility sits. For years a host’s job ended at keeping the servers patched, and everything above that was the customer’s problem. Default-on dependency scanning pushes that line upward, into the application layer, and makes the host partly accountable for the third-party code its customers run. For developers shipping AI-generated apps at speed, it is visibility they did not have to configure. For hosts, it is a differentiator and a support-cost lever, since a vulnerability caught early is cheaper than a compromised site cleaned up later. The open question is depth. Dependency scanning is a floor, not a ceiling: it does not touch the application’s own logic or the misconfigurations behind many breaches. But as a default it moves the baseline, and it signals that the contest among hosts is increasingly about what they secure for you, not only what they run.