feat: add --allow-import flag

[bartlomieju]

This replaces --allow-net for import permissions and makes the security sandbox stricter by also checking permissions for statically analyzable imports.

By default, this has a value of --allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443, but that can be overridden by providing a different set of hosts.

Additionally, when no value is provided, import permissions are inferred from the CLI arguments so the following works because fresh.deno.dev:443 will be added to the list of allowed imports:

deno run -A -r https://fresh.deno.dev

Closes #8266

[bartlomieju]

Closing in favor of #25508

Ooops, wrong PR.

[bartlomieju]

This seems strange to me - do we just silently skip checking and there's no info surfaced about it? Or is it getting surfaced somewhere else?

[dsherret]

I'm going to update this comment. If the graph contains any of these then it's invalid.

[bartlomieju]

Maybe open an issue about this one and ask @nayeemrmn to add a setting in vscode_deno to pass an allow list?

[bartlomieju]

Can you please update the PR description to mention that this flag replaces --allow-net for imports/workers?

Also note to self to update the docs page with new flag.

[dsherret]

LGTM

[rivy]

@bartlomieju , @dsherret , I'm hitting new, unexpected permission requests based on this change.

Can "cdn.jsdelivr.net:443" and "cdn.skypack.dev:443" be added to the defaults?
Both are well-known and frequently used CDNs.

[dsherret]

Probably the defaults will be left as-is. We can't guarantee the security of all hosts.

[rivy]

@dsherret , thanks for the reply.

Just to discuss a bit more... JSDelivr is one of the largest (if not the largest) NPM and GitHub CDNs; SkyPack is more niche but I think similar to ESM.sh in being one of the first on the scene for ESM conversion and hosting. SkyPack seems to be able to generate types for more packages as well.

And, at least JSDelivr should be a minimal security issue as it's sponsored the biggies, Cloudflare and Fastly, and delivering more than 250 billion requests monthly (compared to only 450 million per month for esm). Using only "esm.sh" seems like a weird choice, in comparison.

Since it looks like this just landed in RC7, I hope you'll look at these and pass them along to the other devs and reconsider adding the two.

Thanks for the consideration.

[rivy]

@dsherret , another data point is that some places where using JSDelivr, as a CDN, simply downloads and succeeds, esm.sh is doing some translation and fails.

For example, deno install --global -Af "https://cdn.jsdelivr.net/gh/rivy/deno.dxx@fabe08a2e7/eg/args.ts" succeeds, but using esm.sh (deno install --global -Af "https://esm.sh/gh/rivy/deno.dxx@fabe08a2e7/eg/args.ts") fails with "error: Import 'https://esm.sh/v135/jsr:@latest/denonext/[email protected]/read-all.js' failed: 400 Bad Request when it attempts to translates the file to JS. And deno install --global -Af "https://raw.esm.sh/gh/rivy/deno.dxx@fabe08a2e7/eg/args.ts" fails with "error: Module not found "https://raw.esm.sh/v135/gh/rivy/deno.dxx@fabe08a2e7/vendor/@types/[email protected]".

Using https://raw.githubusercontent.com/rivy/deno.dxx/fabe08a2e7/eg/args.ts succeeds similarly to JSDelivr, but it has historically had rate limits which are too small to use as a public CDN. Whereas, JSDelivr is designed to serve worldwide at scale and it's perceptibly faster than github or esm as well.

[dsherret]

@rivy #26013

[rivy]

@rivy #26013

@dsherret , Thank you for the follow-up and your advocacy!

I was going to open an issue requesting this addition.
Thanks for beating me to it!
😄