-rw-r--r--cli/tests/integration/run_tests.rs12
-rw-r--r--cli/tests/testdata/node_env_var_allowlist.ts2
-rw-r--r--cli/tests/testdata/node_env_var_allowlist_with_unstable_flag.ts.out5
-rw-r--r--cli/tests/testdata/node_env_var_allowlist_without_unstable_flag.ts.out4
-rw-r--r--ext/node/lib.rs10
-rw-r--r--runtime/ops/os.rs10
6 files changed, 42 insertions, 1 deletions
diff --git a/cli/tests/integration/run_tests.rs b/cli/tests/integration/run_tests.rs
index 118623760..d4dfbb32b 100644
--- a/cli/tests/integration/run_tests.rs
+++ b/cli/tests/integration/run_tests.rs
@@ -2839,3 +2839,15 @@ itest!(nested_error {
output: "nested_error.ts.out",
exit_code: 1,
});
+
+itest!(node_env_var_allowlist_with_unstable_flag {
+ args: "run --unstable --no-prompt node_env_var_allowlist.ts",
+ output: "node_env_var_allowlist_with_unstable_flag.ts.out",
+ exit_code: 1,
+});
+
+itest!(node_env_var_allowlist_without_unstable_flag {
+ args: "run --no-prompt node_env_var_allowlist.ts",
+ output: "node_env_var_allowlist_without_unstable_flag.ts.out",
+ exit_code: 1,
+});
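Review bot: The `node_env_var_allowlist_with_unstable_flag` case cannot tell "the read was permitted and returned the value" from "the read returned undefined", because the script prints `ok` whenever `NODE_DEBUG` is unset. The expected first line also depends on the host environment: if `NODE_DEBUG` is set where the tests run, the script prints its value and the case fails. If `itest!` accepts an `envs` field in this tree (not visible in the hunk), setting `envs: vec![("NODE_DEBUG".to_string(), "test".to_string())],` and expecting `test` would fix both. `NODE_OPTIONS` is on the allowlist added in ext/node/lib.rs but neither case reads it, so that entry has no coverage.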
diff --git a/cli/tests/testdata/node_env_var_allowlist.ts b/cli/tests/testdata/node_env_var_allowlist.ts
new file mode 100644
index 000000000..95da38c24
--- /dev/null
+++ b/cli/tests/testdata/node_env_var_allowlist.ts
@@ -0,0 +1,2 @@
+console.log(Deno.env.get("NODE_DEBUG") ?? "ok");
+Deno.env.get("NOT_NODE_DEBUG");
diff --git a/cli/tests/testdata/node_env_var_allowlist_with_unstable_flag.ts.out b/cli/tests/testdata/node_env_var_allowlist_with_unstable_flag.ts.out
new file mode 100644
index 000000000..62f335c0f
--- /dev/null
+++ b/cli/tests/testdata/node_env_var_allowlist_with_unstable_flag.ts.out
@@ -0,0 +1,5 @@
+ok
+[WILDCARD]error: Uncaught PermissionDenied: Requires env access to "NOT_NODE_DEBUG", run again with the --allow-env flag
+Deno.env.get("NOT_NODE_DEBUG");
+ ^
+ at [WILDCARD]
diff --git a/cli/tests/testdata/node_env_var_allowlist_without_unstable_flag.ts.out b/cli/tests/testdata/node_env_var_allowlist_without_unstable_flag.ts.out
new file mode 100644
index 000000000..ac92cdb6b
--- /dev/null
+++ b/cli/tests/testdata/node_env_var_allowlist_without_unstable_flag.ts.out
@@ -0,0 +1,4 @@
+[WILDCARD]error: Uncaught PermissionDenied: Requires env access to "NODE_DEBUG", run again with the --allow-env flag
+console.log(Deno.env.get("NODE_DEBUG") ?? "ok");
+ ^
+ at [WILDCARD]
diff --git a/ext/node/lib.rs b/ext/node/lib.rs
index da8ca3003..42348915e 100644
--- a/ext/node/lib.rs
+++ b/ext/node/lib.rs
@@ -8,6 +8,7 @@ use deno_core::url::Url;
use deno_core::Extension;
use deno_core::OpState;
use once_cell::sync::Lazy;
+use std::collections::HashSet;
use std::path::Path;
use std::path::PathBuf;
use std::rc::Rc;
@@ -59,6 +60,15 @@ pub static NODE_GLOBAL_THIS_NAME: Lazy<String> = Lazy::new(|| {
format!("__DENO_NODE_GLOBAL_THIS_{}__", seconds)
});
+pub static NODE_ENV_VAR_ALLOWLIST: Lazy<HashSet<String>> = Lazy::new(|| {
+ // The full list of environment variables supported by Node.js is available
+ // at https://nodejs.org/api/cli.html#environment-variables
+ let mut set = HashSet::new();
+ set.insert("NODE_DEBUG".to_string());
+ set.insert("NODE_OPTIONS".to_string());
+ set
+});
+
struct Unstable(pub bool);
pub fn init<P: NodePermissions + 'static>(
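Review bot: `NODE_ENV_VAR_ALLOWLIST` is a public static whose entries bypass the env permission check in runtime/ops/os.rs, but its only comment is a link to the Node.js variable list. A doc comment such as `/// Env vars readable without --allow-env when --unstable is set; each entry widens the permission bypass.` would show the security weight of adding a name at the definition. `NODE_OPTIONS` can carry host configuration such as preload paths or inspector settings, so it deserves a line stating why it must be readable without a grant. As a style point, `HashSet::from(["NODE_DEBUG".to_string(), "NODE_OPTIONS".to_string()])` would replace the mutable build-up. `init` begins on the last line of the hunk and continues outside it.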
diff --git a/runtime/ops/os.rs b/runtime/ops/os.rs
index 5d275a836..21a94b0fb 100644
--- a/runtime/ops/os.rs
+++ b/runtime/ops/os.rs
@@ -8,6 +8,7 @@ use deno_core::url::Url;
use deno_core::Extension;
use deno_core::OpState;
use deno_core::{op, ExtensionBuilder};
+use deno_node::NODE_ENV_VAR_ALLOWLIST;
use serde::Serialize;
use std::collections::HashMap;
use std::env;
@@ -99,7 +100,14 @@ fn op_get_env(
state: &mut OpState,
key: String,
) -> Result<Option<String>, AnyError> {
- state.borrow_mut::<Permissions>().env.check(&key)?;
+ let skip_permission_check =
+ state.borrow::<crate::ops::UnstableChecker>().unstable
+ && NODE_ENV_VAR_ALLOWLIST.contains(&key);
+
+ if !skip_permission_check {
+ state.borrow_mut::<Permissions>().env.check(&key)?;
+ }
+
if key.is_empty() || key.contains(&['=', '\0'] as &[char]) {
return Err(type_error("Key contains invalid characters."));
}
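Review bot: `skip_permission_check` is keyed on the process-wide `--unstable` state, so any script run with that flag, not only Node compatibility code, can read the allowlisted variables without `--allow-env`. Because `env.check(&key)` is not called at all on that path, any prompt or audit behaviour attached to the check is presumably skipped too. At minimum the branch should say so, e.g. `// SECURITY: under --unstable, NODE_ENV_VAR_ALLOWLIST keys bypass the env permission for every caller.` A narrower gate tied to Node compat being active would be worth considering if the state exposes one. The body of `op_get_env` continues outside the hunk, so what happens to the value after the key validation is not visible here.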