feat: add `--allow-import` flag (#25469)

This replaces `--allow-net` for import permissions and makes the
security sandbox stricter by also checking permissions for statically
analyzable imports.

By default, this has a value of
`--allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443`,
but that can be overridden by providing a different set of hosts.

Additionally, when no value is provided, import permissions are inferred
from the CLI arguments so the following works because
`fresh.deno.dev:443` will be added to the list of allowed imports:

```ts
deno run -A -r https://fresh.deno.dev
```

---------

Co-authored-by: David Sherret <dsherret@gmail.com>

1 files changed, 2 insertions, 1 deletions

diff --git a/cli/tools/check.rs b/cli/tools/check.rs
index c22afbb9a..7edb392d4 100644
--- a/cli/tools/check.rs
+++ b/cli/tools/check.rs
@@ -51,6 +51,7 @@ pub async fn check(
 
   let specifiers_for_typecheck = if check_flags.doc || check_flags.doc_only {
     let file_fetcher = factory.file_fetcher()?;
+    let root_permissions = factory.root_permissions_container()?;
 
     let mut specifiers_for_typecheck = if check_flags.doc {
       specifiers.clone()
@@ -59,7 +60,7 @@ pub async fn check(
     };
 
     for s in specifiers {
-      let file = file_fetcher.fetch_bypass_permissions(&s).await?;
+      let file = file_fetcher.fetch(&s, root_permissions).await?;
       let snippet_files = extract::extract_snippet_files(file)?;
       for snippet_file in snippet_files {
         specifiers_for_typecheck.push(snippet_file.specifier.clone());