feat: add `--allow-import` flag (#25469)

This replaces `--allow-net` for import permissions and makes the
security sandbox stricter by also checking permissions for statically
analyzable imports.

By default, this has a value of
`--allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443`,
but that can be overridden by providing a different set of hosts.

Additionally, when no value is provided, import permissions are inferred
from the CLI arguments so the following works because
`fresh.deno.dev:443` will be added to the list of allowed imports:

```ts
deno run -A -r https://fresh.deno.dev
```

---------

Co-authored-by: David Sherret <dsherret@gmail.com>

1 files changed, 2 insertions, 1 deletions

diff --git a/cli/tools/registry/pm/cache_deps.rs b/cli/tools/registry/pm/cache_deps.rs
index a59817055..7d1773b34 100644
--- a/cli/tools/registry/pm/cache_deps.rs
+++ b/cli/tools/registry/pm/cache_deps.rs
@@ -16,6 +16,7 @@ pub async fn cache_top_level_deps(
 ) -> Result<(), AnyError> {
   let npm_resolver = factory.npm_resolver().await?;
   let cli_options = factory.cli_options()?;
+  let root_permissions = factory.root_permissions_container()?;
   if let Some(npm_resolver) = npm_resolver.as_managed() {
     if !npm_resolver.ensure_top_level_package_json_install().await? {
       if let Some(lockfile) = cli_options.maybe_lockfile() {
@@ -106,7 +107,7 @@ pub async fn cache_top_level_deps(
         &roots,
         false,
         deno_config::deno_json::TsTypeLib::DenoWorker,
-        crate::file_fetcher::FetchPermissionsOption::AllowAll,
+        root_permissions.clone(),
         None,
       )
       .await?;