fix: lock down allow-run permissions more (#25370)

`--allow-run` even with an allow list has essentially been
`--allow-all`... this locks it down more.

1. Resolves allow list for `--allow-run=` on startup to an absolute
path, then uses these paths when evaluating if a command can execute.
Also, adds these paths to `--deny-write`
1. Resolves the environment (cwd and env vars) before evaluating
permissions and before executing a command. Then uses this environment
to evaluate the permissions and then evaluate the command.

1 files changed, 2 insertions, 2 deletions

diff --git a/cli/task_runner.rs b/cli/task_runner.rs
index e8937590d..ab7163bc9 100644
--- a/cli/task_runner.rs
+++ b/cli/task_runner.rs
@@ -213,8 +213,8 @@ impl ShellCommand for NodeGypCommand {
   ) -> LocalBoxFuture<'static, ExecuteResult> {
     // at the moment this shell command is just to give a warning if node-gyp is not found
     // in the future, we could try to run/install node-gyp for the user with deno
-    if which::which("node-gyp").is_err() {
-      log::warn!("{}: node-gyp was used in a script, but was not listed as a dependency. Either add it as a dependency or install it globally (e.g. `npm install -g node-gyp`)", crate::colors::yellow("warning"));
+    if context.state.resolve_command_path("node-gyp").is_err() {
+      log::warn!("{} node-gyp was used in a script, but was not listed as a dependency. Either add it as a dependency or install it globally (e.g. `npm install -g node-gyp`)", crate::colors::yellow("Warning"));
     }
     ExecutableCommand::new(
       "node-gyp".to_string(),