diff options
| author | Bartek IwaĆczuk <biwanczuk@gmail.com> | 2024-09-26 02:50:54 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-09-26 01:50:54 +0000 |
| commit | 5504acea6751480f1425c88353ad5d36257bdce7 (patch) | |
| tree | fa02e6c546eae469aac894bfc71600ab4eccad28 /cli/tools/registry | |
| parent | 05415bb9de475aa8646985a545f30fe93136207e (diff) | |
feat: add `--allow-import` flag (#25469)
This replaces `--allow-net` for import permissions and makes the
security sandbox stricter by also checking permissions for statically
analyzable imports.
By default, this has a value of
`--allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443`,
but that can be overridden by providing a different set of hosts.
Additionally, when no value is provided, import permissions are inferred
from the CLI arguments so the following works because
`fresh.deno.dev:443` will be added to the list of allowed imports:
```ts
deno run -A -r https://fresh.deno.dev
```
---------
Co-authored-by: David Sherret <dsherret@gmail.com>
Diffstat (limited to 'cli/tools/registry')
| -rw-r--r-- | cli/tools/registry/diagnostics.rs | 14 | ||||
| -rw-r--r-- | cli/tools/registry/mod.rs | 6 | ||||
| -rw-r--r-- | cli/tools/registry/pm/cache_deps.rs | 3 |
3 files changed, 16 insertions, 7 deletions
diff --git a/cli/tools/registry/diagnostics.rs b/cli/tools/registry/diagnostics.rs index c53a39683..733a78dda 100644 --- a/cli/tools/registry/diagnostics.rs +++ b/cli/tools/registry/diagnostics.rs @@ -3,7 +3,6 @@ use std::borrow::Cow; use std::path::PathBuf; use std::sync::Arc; -use std::sync::Mutex; use deno_ast::diagnostics::Diagnostic; use deno_ast::diagnostics::DiagnosticLevel; @@ -21,6 +20,7 @@ use deno_ast::SourceRanged; use deno_ast::SourceTextInfo; use deno_core::anyhow::anyhow; use deno_core::error::AnyError; +use deno_core::parking_lot::Mutex; use deno_core::url::Url; use deno_graph::FastCheckDiagnostic; use deno_semver::Version; @@ -36,7 +36,7 @@ impl PublishDiagnosticsCollector { pub fn print_and_error(&self) -> Result<(), AnyError> { let mut errors = 0; let mut has_slow_types_errors = false; - let mut diagnostics = self.diagnostics.lock().unwrap().take(); + let mut diagnostics = self.diagnostics.lock().take(); diagnostics.sort_by_cached_key(|d| d.sorting_key()); @@ -75,8 +75,16 @@ impl PublishDiagnosticsCollector { } } + pub fn has_error(&self) -> bool { + self + .diagnostics + .lock() + .iter() + .any(|d| matches!(d.level(), DiagnosticLevel::Error)) + } + pub fn push(&self, diagnostic: PublishDiagnostic) { - self.diagnostics.lock().unwrap().push(diagnostic); + self.diagnostics.lock().push(diagnostic); } } diff --git a/cli/tools/registry/mod.rs b/cli/tools/registry/mod.rs index fbdcd9e77..941514b04 100644 --- a/cli/tools/registry/mod.rs +++ b/cli/tools/registry/mod.rs @@ -341,13 +341,11 @@ impl PublishPreparer { bail!("Exiting due to DENO_INTERNAL_FAST_CHECK_OVERWRITE") } else { log::info!("Checking for slow types in the public API..."); - let mut any_pkg_had_diagnostics = false; for package in package_configs { let export_urls = package.config_file.resolve_export_value_urls()?; let diagnostics = collect_no_slow_type_diagnostics(&graph, &export_urls); if !diagnostics.is_empty() { - any_pkg_had_diagnostics = true; for diagnostic in diagnostics { diagnostics_collector .push(PublishDiagnostic::FastCheck(diagnostic)); @@ -355,7 +353,9 @@ impl PublishPreparer { } } - if any_pkg_had_diagnostics { + // skip type checking the slow type graph if there are any errors because + // errors like remote modules existing will cause type checking to crash + if diagnostics_collector.has_error() { Ok(Arc::new(graph)) } else { // fast check passed, type check the output as a temporary measure diff --git a/cli/tools/registry/pm/cache_deps.rs b/cli/tools/registry/pm/cache_deps.rs index a59817055..7d1773b34 100644 --- a/cli/tools/registry/pm/cache_deps.rs +++ b/cli/tools/registry/pm/cache_deps.rs @@ -16,6 +16,7 @@ pub async fn cache_top_level_deps( ) -> Result<(), AnyError> { let npm_resolver = factory.npm_resolver().await?; let cli_options = factory.cli_options()?; + let root_permissions = factory.root_permissions_container()?; if let Some(npm_resolver) = npm_resolver.as_managed() { if !npm_resolver.ensure_top_level_package_json_install().await? { if let Some(lockfile) = cli_options.maybe_lockfile() { @@ -106,7 +107,7 @@ pub async fn cache_top_level_deps( &roots, false, deno_config::deno_json::TsTypeLib::DenoWorker, - crate::file_fetcher::FetchPermissionsOption::AllowAll, + root_permissions.clone(), None, ) .await?; |