denoland-deno/tests/testdata/jsr/registry/@denotest/import-https-url/1.0.0_meta.json at a9aef0d017bd053d7f4014c363dbc5898ced1a2e - foster/denoland-deno - Foster's Laboratory

foster/denoland-deno

mirror of https://github.com/denoland/deno.git synced 2025-02-05 22:21:20 -05:00

David Sherret 918c5e648f

fix(jsr): do not allow importing a non-JSR url via unanalyzable dynamic import from JSR (#22623 )

A security feature of JSR is that it is self contained other than npm
dependencies. At publish time, the registry rejects packages that write
code like this:

```ts
const data = await import("https://example.com/evil.js");
```

However, this can be trivially bypassed by writing code that the
registry cannot statically analyze for. This PR prevents Deno from
loading dynamic imports that do this.

2024-02-28 16:30:45 -05:00

6 lines

104 B

JSON

Raw Blame History

 {
   "exports": {
     "./unanalyzable": "./unanalyzable.ts",
     "./analyzable": "./analyzable.ts"
   }
 }