feat: add `--allow-import` flag (#25469)

This replaces `--allow-net` for import permissions and makes the
security sandbox stricter by also checking permissions for statically
analyzable imports.

By default, this has a value of
`--allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443`,
but that can be overridden by providing a different set of hosts.

Additionally, when no value is provided, import permissions are inferred
from the CLI arguments so the following works because
`fresh.deno.dev:443` will be added to the list of allowed imports:

```ts
deno run -A -r https://fresh.deno.dev
```

---------

Co-authored-by: David Sherret <dsherret@gmail.com>

6 files changed, 28 insertions, 15 deletions

diff --git a/tests/specs/publish/banned_triple_slash_directives/publish.out b/tests/specs/publish/banned_triple_slash_directives/publish.out
index f1827538a..ab5db6f6e 100644
--- a/tests/specs/publish/banned_triple_slash_directives/publish.out
+++ b/tests/specs/publish/banned_triple_slash_directives/publish.out
@@ -1,6 +1,5 @@
 Check file:///[WILDLINE]/mod.ts
 Checking for slow types in the public API...
-Check file:///[WILDLINE]/mod.ts
 error[banned-triple-slash-directives]: triple slash directives that modify globals are not allowed
  --> [WILDLINE]mod.ts:1:1
   | 
diff --git a/tests/specs/publish/invalid_import/invalid_import.out b/tests/specs/publish/invalid_import/invalid_import.out
index 929fc72cd..6914dc51e 100644
--- a/tests/specs/publish/invalid_import/invalid_import.out
+++ b/tests/specs/publish/invalid_import/invalid_import.out
@@ -1,10 +1,7 @@
-Download http://localhost:4545/welcome.ts
-Download http://localhost:4545/echo.ts
+[# notice that the remote module is not downloaded here. This is so we do not need to add an --allow-import permission here]
 Download http://localhost:4260/chalk
 Download http://localhost:4260/chalk/chalk-5.0.1.tgz
-Check file:///[WILDCARD]/mod.ts
 Checking for slow types in the public API...
-Check file://[WILDCARD]mod.ts
 error[invalid-external-import]: invalid import to a non-JSR 'http' specifier
  --> [WILDCARD]mod.ts:1:8
   | 
diff --git a/tests/specs/publish/invalid_import_esm_sh_suggestion/invalid_import_esm_sh_suggestion.out b/tests/specs/publish/invalid_import_esm_sh_suggestion/invalid_import_esm_sh_suggestion.out
index a7235cbf1..b0a544df8 100644
--- a/tests/specs/publish/invalid_import_esm_sh_suggestion/invalid_import_esm_sh_suggestion.out
+++ b/tests/specs/publish/invalid_import_esm_sh_suggestion/invalid_import_esm_sh_suggestion.out
@@ -1,7 +1,4 @@
-[WILDCARD]
-Check file:///[WILDCARD]/mod.ts
 Checking for slow types in the public API...
-Check file:///[WILDCARD]mod.ts
 error[invalid-external-import]: invalid import to a non-JSR 'http' specifier
  --> [WILDCARD]mod.ts:1:8
   | 
diff --git a/tests/specs/publish/missing_constraint/publish.out b/tests/specs/publish/missing_constraint/publish.out
index 601035b05..d9fb6408f 100644
--- a/tests/specs/publish/missing_constraint/publish.out
+++ b/tests/specs/publish/missing_constraint/publish.out
@@ -1,6 +1,22 @@
-[WILDCARD]
-Checking for slow types in the public API...
+[UNORDERED_START]
+Download http://127.0.0.1:4250/@denotest/add/meta.json
+Download http://127.0.0.1:4250/@denotest/deps/meta.json
+Download http://localhost:4260/@denotest/esm-basic
+Download http://127.0.0.1:4250/@denotest/add/1.0.0_meta.json
+Download http://127.0.0.1:4250/@denotest/deps/1.0.0_meta.json
+Download http://127.0.0.1:4250/@denotest/module-graph/meta.json
+Download http://127.0.0.1:4250/@denotest/no-module-graph/meta.json
+Download http://127.0.0.1:4250/@denotest/module-graph/1.4.0_meta.json
+Download http://127.0.0.1:4250/@denotest/no-module-graph/0.1.1_meta.json
+Download http://127.0.0.1:4250/@denotest/no-module-graph/0.1.1/mod.ts
+Download http://127.0.0.1:4250/@denotest/no-module-graph/0.1.1/TestClass.ts
+Download http://127.0.0.1:4250/@denotest/add/1.0.0/mod.ts
+Download http://127.0.0.1:4250/@denotest/deps/1.0.0/mod.ts
+Download http://127.0.0.1:4250/@denotest/module-graph/1.4.0/other.ts
+Download http://localhost:4260/@denotest/esm-basic/1.0.0.tgz
+[UNORDERED_END]
 Check file:///[WILDLINE]/mod.ts
+Checking for slow types in the public API...
 error[missing-constraint]: specifier 'jsr:@denotest/add' is missing a version constraint
  --> [WILDLINE]mod.ts:[WILDLINE]
   | 
diff --git a/tests/specs/publish/missing_constraint_jsx_import_source/mod.out b/tests/specs/publish/missing_constraint_jsx_import_source/mod.out
index d1da06be8..fa06d8c38 100644
--- a/tests/specs/publish/missing_constraint_jsx_import_source/mod.out
+++ b/tests/specs/publish/missing_constraint_jsx_import_source/mod.out
@@ -1,6 +1,13 @@
-[WILDCARD]
+[UNORDERED_START]
+Download http://localhost:4260/preact
+Download http://localhost:4260/preact-render-to-string
+Download http://localhost:4260/pretty-format
+Download http://localhost:4260/preact-render-to-string/preact-render-to-string-6.4.0.tgz
+Download http://localhost:4260/preact/preact-10.19.6.tgz
+Download http://localhost:4260/pretty-format/pretty-format-3.8.0.tgz
+[UNORDERED_END]
+Check file:///[WILDLINE]/mod.ts
 Checking for slow types in the public API...
-Check file:///[WILDCARD]/mod.ts
 error[missing-constraint]: specifier 'npm:preact/jsx-runtime' is missing a version constraint
  --> [WILDLINE]
   = hint: specify a version constraint for the specifier
diff --git a/tests/specs/publish/prefer_fast_check_graph/main.out b/tests/specs/publish/prefer_fast_check_graph/main.out
index 64296206f..dd7d052c9 100644
--- a/tests/specs/publish/prefer_fast_check_graph/main.out
+++ b/tests/specs/publish/prefer_fast_check_graph/main.out
@@ -1,7 +1,4 @@
-[WILDCARD]
-Check [WILDLINE]/tests/specs/publish/prefer_fast_check_graph/mod.ts
 Checking for slow types in the public API...
-Check [WILDLINE]/tests/specs/publish/prefer_fast_check_graph/mod.ts
 error[invalid-external-import]: invalid import to a non-JSR 'https' specifier
  --> [WILDLINE]deps.ts:1:15
   |