summaryrefslogtreecommitdiff
path: root/cli
diff options
context:
space:
mode:
Diffstat (limited to 'cli')
-rw-r--r--cli/lsp/documents.rs4
-rw-r--r--cli/module_loader.rs58
-rw-r--r--cli/node/mod.rs31
-rw-r--r--cli/npm/resolvers/common.rs13
-rw-r--r--cli/npm/resolvers/global.rs9
-rw-r--r--cli/npm/resolvers/local.rs13
-rw-r--r--cli/npm/resolvers/mod.rs9
-rw-r--r--cli/proc_state.rs4
-rw-r--r--cli/standalone.rs3
-rw-r--r--cli/tests/npm_tests.rs7
-rw-r--r--cli/tests/testdata/npm/permissions_outside_package/foo/config.js4
-rw-r--r--cli/tests/testdata/npm/permissions_outside_package/foo/package.json4
-rw-r--r--cli/tests/testdata/npm/permissions_outside_package/main.out3
-rw-r--r--cli/tests/testdata/npm/permissions_outside_package/main.ts5
-rw-r--r--cli/tests/testdata/npm/registry/@denotest/permissions-outside-package/1.0.0/index.js5
-rw-r--r--cli/tests/testdata/npm/registry/@denotest/permissions-outside-package/1.0.0/package.json5
-rw-r--r--cli/tsc/mod.rs3
-rw-r--r--cli/worker.rs8
18 files changed, 152 insertions, 36 deletions
diff --git a/cli/lsp/documents.rs b/cli/lsp/documents.rs
index bedd1f9a7..92dfdf543 100644
--- a/cli/lsp/documents.rs
+++ b/cli/lsp/documents.rs
@@ -33,6 +33,7 @@ use deno_core::ModuleSpecifier;
use deno_graph::GraphImport;
use deno_graph::Resolved;
use deno_runtime::deno_node::NodeResolutionMode;
+use deno_runtime::permissions::PermissionsContainer;
use once_cell::sync::Lazy;
use std::collections::BTreeMap;
use std::collections::HashMap;
@@ -1004,6 +1005,7 @@ impl Documents {
referrer,
NodeResolutionMode::Types,
npm_resolver,
+ &mut PermissionsContainer::allow_all(),
)
.ok()
.flatten(),
@@ -1040,6 +1042,7 @@ impl Documents {
&npm_ref,
NodeResolutionMode::Types,
npm_resolver,
+ &mut PermissionsContainer::allow_all(),
)
.ok()
.flatten(),
@@ -1208,6 +1211,7 @@ impl Documents {
&npm_ref,
NodeResolutionMode::Types,
npm_resolver,
+ &mut PermissionsContainer::allow_all(),
)
.ok()
.flatten(),
diff --git a/cli/module_loader.rs b/cli/module_loader.rs
index d452c30cf..d507a5b15 100644
--- a/cli/module_loader.rs
+++ b/cli/module_loader.rs
@@ -20,6 +20,7 @@ use deno_core::ModuleSource;
use deno_core::ModuleSpecifier;
use deno_core::ModuleType;
use deno_core::OpState;
+use deno_core::ResolutionKind;
use deno_core::SourceMapGetter;
use deno_runtime::permissions::PermissionsContainer;
use std::cell::RefCell;
@@ -36,28 +37,38 @@ struct ModuleCodeSource {
pub struct CliModuleLoader {
pub lib: TsTypeLib,
/// The initial set of permissions used to resolve the static imports in the
- /// worker. They are decoupled from the worker (dynamic) permissions since
- /// read access errors must be raised based on the parent thread permissions.
+ /// worker. These are "allow all" for main worker, and parent thread
+ /// permissions for Web Worker.
pub root_permissions: PermissionsContainer,
+ /// Permissions used to resolve dynamic imports, these get passed as
+ /// "root permissions" for Web Worker.
+ dynamic_permissions: PermissionsContainer,
pub ps: ProcState,
}
impl CliModuleLoader {
- pub fn new(ps: ProcState) -> Rc<Self> {
+ pub fn new(
+ ps: ProcState,
+ root_permissions: PermissionsContainer,
+ dynamic_permissions: PermissionsContainer,
+ ) -> Rc<Self> {
Rc::new(CliModuleLoader {
lib: ps.options.ts_type_lib_window(),
- root_permissions: PermissionsContainer::allow_all(),
+ root_permissions,
+ dynamic_permissions,
ps,
})
}
pub fn new_for_worker(
ps: ProcState,
- permissions: PermissionsContainer,
+ root_permissions: PermissionsContainer,
+ dynamic_permissions: PermissionsContainer,
) -> Rc<Self> {
Rc::new(CliModuleLoader {
lib: ps.options.ts_type_lib_worker(),
- root_permissions: permissions,
+ root_permissions,
+ dynamic_permissions,
ps,
})
}
@@ -138,6 +149,7 @@ impl CliModuleLoader {
&self,
specifier: &ModuleSpecifier,
maybe_referrer: Option<ModuleSpecifier>,
+ is_dynamic: bool,
) -> Result<ModuleSource, AnyError> {
let code_source = if self.ps.npm_resolver.in_npm_package(specifier) {
let file_path = specifier.to_file_path().unwrap();
@@ -152,6 +164,11 @@ impl CliModuleLoader {
})?;
let code = if self.ps.cjs_resolutions.lock().contains(specifier) {
+ let mut permissions = if is_dynamic {
+ self.dynamic_permissions.clone()
+ } else {
+ self.root_permissions.clone()
+ };
// translate cjs to esm if it's cjs and inject node globals
node::translate_cjs_to_esm(
&self.ps.file_fetcher,
@@ -160,6 +177,7 @@ impl CliModuleLoader {
MediaType::Cjs,
&self.ps.npm_resolver,
&self.ps.node_analysis_cache,
+ &mut permissions,
)?
} else {
// only inject node globals for esm
@@ -203,28 +221,35 @@ impl ModuleLoader for CliModuleLoader {
&self,
specifier: &str,
referrer: &str,
- _is_main: bool,
+ kind: ResolutionKind,
) -> Result<ModuleSpecifier, AnyError> {
- self.ps.resolve(specifier, referrer)
+ let mut permissions = if matches!(kind, ResolutionKind::DynamicImport) {
+ self.dynamic_permissions.clone()
+ } else {
+ self.root_permissions.clone()
+ };
+ self.ps.resolve(specifier, referrer, &mut permissions)
}
fn load(
&self,
specifier: &ModuleSpecifier,
maybe_referrer: Option<ModuleSpecifier>,
- _is_dynamic: bool,
+ is_dynamic: bool,
) -> Pin<Box<deno_core::ModuleSourceFuture>> {
// NOTE: this block is async only because of `deno_core` interface
// requirements; module was already loaded when constructing module graph
// during call to `prepare_load` so we can load it synchronously.
- Box::pin(deno_core::futures::future::ready(
- self.load_sync(specifier, maybe_referrer),
- ))
+ Box::pin(deno_core::futures::future::ready(self.load_sync(
+ specifier,
+ maybe_referrer,
+ is_dynamic,
+ )))
}
fn prepare_load(
&self,
- op_state: Rc<RefCell<OpState>>,
+ _op_state: Rc<RefCell<OpState>>,
specifier: &ModuleSpecifier,
_maybe_referrer: Option<String>,
is_dynamic: bool,
@@ -236,18 +261,15 @@ impl ModuleLoader for CliModuleLoader {
let specifier = specifier.clone();
let ps = self.ps.clone();
- let state = op_state.borrow();
- let dynamic_permissions = state.borrow::<PermissionsContainer>().clone();
+ let dynamic_permissions = self.dynamic_permissions.clone();
let root_permissions = if is_dynamic {
- dynamic_permissions.clone()
+ self.dynamic_permissions.clone()
} else {
self.root_permissions.clone()
};
let lib = self.lib;
- drop(state);
-
async move {
ps.prepare_module_load(
vec![specifier],
diff --git a/cli/node/mod.rs b/cli/node/mod.rs
index e6cc22255..aed639bc4 100644
--- a/cli/node/mod.rs
+++ b/cli/node/mod.rs
@@ -25,12 +25,14 @@ use deno_runtime::deno_node::package_imports_resolve;
use deno_runtime::deno_node::package_resolve;
use deno_runtime::deno_node::path_to_declaration_path;
use deno_runtime::deno_node::NodeModuleKind;
+use deno_runtime::deno_node::NodePermissions;
use deno_runtime::deno_node::NodeResolutionMode;
use deno_runtime::deno_node::PackageJson;
use deno_runtime::deno_node::PathClean;
use deno_runtime::deno_node::RequireNpmResolver;
use deno_runtime::deno_node::DEFAULT_CONDITIONS;
use deno_runtime::deno_node::NODE_GLOBAL_THIS_NAME;
+use deno_runtime::permissions::PermissionsContainer;
use once_cell::sync::Lazy;
use regex::Regex;
@@ -440,6 +442,7 @@ pub fn node_resolve(
referrer: &ModuleSpecifier,
mode: NodeResolutionMode,
npm_resolver: &dyn RequireNpmResolver,
+ permissions: &mut dyn NodePermissions,
) -> Result<Option<NodeResolution>, AnyError> {
// Note: if we are here, then the referrer is an esm module
// TODO(bartlomieju): skipped "policy" part as we don't plan to support it
@@ -481,6 +484,7 @@ pub fn node_resolve(
DEFAULT_CONDITIONS,
mode,
npm_resolver,
+ permissions,
)?;
let url = match url {
Some(url) => url,
@@ -510,6 +514,7 @@ pub fn node_resolve_npm_reference(
reference: &NpmPackageReference,
mode: NodeResolutionMode,
npm_resolver: &NpmPackageResolver,
+ permissions: &mut dyn NodePermissions,
) -> Result<Option<NodeResolution>, AnyError> {
let package_folder =
npm_resolver.resolve_package_folder_from_deno_module(&reference.req)?;
@@ -525,6 +530,7 @@ pub fn node_resolve_npm_reference(
DEFAULT_CONDITIONS,
mode,
npm_resolver,
+ permissions,
)
.with_context(|| {
format!("Error resolving package config for '{}'", reference)
@@ -553,11 +559,13 @@ pub fn node_resolve_binary_export(
pkg_req: &NpmPackageReq,
bin_name: Option<&str>,
npm_resolver: &NpmPackageResolver,
+ permissions: &mut dyn NodePermissions,
) -> Result<NodeResolution, AnyError> {
let package_folder =
npm_resolver.resolve_package_folder_from_deno_module(pkg_req)?;
let package_json_path = package_folder.join("package.json");
- let package_json = PackageJson::load(npm_resolver, package_json_path)?;
+ let package_json =
+ PackageJson::load(npm_resolver, permissions, package_json_path)?;
let bin = match &package_json.bin {
Some(bin) => bin,
None => bail!(
@@ -665,11 +673,12 @@ fn package_config_resolve(
conditions: &[&str],
mode: NodeResolutionMode,
npm_resolver: &dyn RequireNpmResolver,
+ permissions: &mut dyn NodePermissions,
) -> Result<Option<PathBuf>, AnyError> {
let package_json_path = package_dir.join("package.json");
let referrer = ModuleSpecifier::from_directory_path(package_dir).unwrap();
let package_config =
- PackageJson::load(npm_resolver, package_json_path.clone())?;
+ PackageJson::load(npm_resolver, permissions, package_json_path.clone())?;
if let Some(exports) = &package_config.exports {
let result = package_exports_resolve(
&package_json_path,
@@ -680,6 +689,7 @@ fn package_config_resolve(
conditions,
mode,
npm_resolver,
+ permissions,
);
match result {
Ok(found) => return Ok(Some(found)),
@@ -712,7 +722,11 @@ pub fn url_to_node_resolution(
if url_str.starts_with("http") {
Ok(NodeResolution::Esm(url))
} else if url_str.ends_with(".js") || url_str.ends_with(".d.ts") {
- let package_config = get_closest_package_json(&url, npm_resolver)?;
+ let package_config = get_closest_package_json(
+ &url,
+ npm_resolver,
+ &mut PermissionsContainer::allow_all(),
+ )?;
if package_config.typ == "module" {
Ok(NodeResolution::Esm(url))
} else {
@@ -786,6 +800,7 @@ fn module_resolve(
conditions: &[&str],
mode: NodeResolutionMode,
npm_resolver: &dyn RequireNpmResolver,
+ permissions: &mut dyn NodePermissions,
) -> Result<Option<ModuleSpecifier>, AnyError> {
// note: if we're here, the referrer is an esm module
let url = if should_be_treated_as_relative_or_absolute_path(specifier) {
@@ -811,6 +826,7 @@ fn module_resolve(
conditions,
mode,
npm_resolver,
+ permissions,
)
.map(|p| ModuleSpecifier::from_file_path(p).unwrap())?,
)
@@ -824,6 +840,7 @@ fn module_resolve(
conditions,
mode,
npm_resolver,
+ permissions,
)?
.map(|p| ModuleSpecifier::from_file_path(p).unwrap())
};
@@ -879,6 +896,7 @@ pub fn translate_cjs_to_esm(
media_type: MediaType,
npm_resolver: &NpmPackageResolver,
node_analysis_cache: &NodeAnalysisCache,
+ permissions: &mut dyn NodePermissions,
) -> Result<String, AnyError> {
fn perform_cjs_analysis(
analysis_cache: &NodeAnalysisCache,
@@ -956,6 +974,7 @@ pub fn translate_cjs_to_esm(
&["deno", "require", "default"],
NodeResolutionMode::Execution,
npm_resolver,
+ permissions,
)?;
let reexport_specifier =
ModuleSpecifier::from_file_path(resolved_reexport).unwrap();
@@ -1027,6 +1046,7 @@ fn resolve(
conditions: &[&str],
mode: NodeResolutionMode,
npm_resolver: &dyn RequireNpmResolver,
+ permissions: &mut dyn NodePermissions,
) -> Result<PathBuf, AnyError> {
if specifier.starts_with('/') {
todo!();
@@ -1056,7 +1076,7 @@ fn resolve(
let package_json_path = module_dir.join("package.json");
if package_json_path.exists() {
let package_json =
- PackageJson::load(npm_resolver, package_json_path.clone())?;
+ PackageJson::load(npm_resolver, permissions, package_json_path.clone())?;
if let Some(exports) = &package_json.exports {
return package_exports_resolve(
@@ -1068,6 +1088,7 @@ fn resolve(
conditions,
mode,
npm_resolver,
+ permissions,
);
}
@@ -1080,7 +1101,7 @@ fn resolve(
let package_json_path = d.join("package.json");
if package_json_path.exists() {
let package_json =
- PackageJson::load(npm_resolver, package_json_path)?;
+ PackageJson::load(npm_resolver, permissions, package_json_path)?;
if let Some(main) = package_json.main(NodeModuleKind::Cjs) {
return Ok(d.join(main).clean());
}
diff --git a/cli/npm/resolvers/common.rs b/cli/npm/resolvers/common.rs
index ff8a63f9b..7fe9c3fa4 100644
--- a/cli/npm/resolvers/common.rs
+++ b/cli/npm/resolvers/common.rs
@@ -10,6 +10,7 @@ use deno_core::error::AnyError;
use deno_core::futures;
use deno_core::futures::future::BoxFuture;
use deno_core::url::Url;
+use deno_runtime::deno_node::NodePermissions;
use deno_runtime::deno_node::NodeResolutionMode;
use crate::args::Lockfile;
@@ -54,7 +55,11 @@ pub trait InnerNpmPackageResolver: Send + Sync {
fn cache_packages(&self) -> BoxFuture<'static, Result<(), AnyError>>;
- fn ensure_read_permission(&self, path: &Path) -> Result<(), AnyError>;
+ fn ensure_read_permission(
+ &self,
+ permissions: &mut dyn NodePermissions,
+ path: &Path,
+ ) -> Result<(), AnyError>;
fn snapshot(&self) -> NpmResolutionSnapshot;
@@ -103,6 +108,7 @@ pub async fn cache_packages(
}
pub fn ensure_registry_read_permission(
+ permissions: &mut dyn NodePermissions,
registry_path: &Path,
path: &Path,
) -> Result<(), AnyError> {
@@ -126,10 +132,7 @@ pub fn ensure_registry_read_permission(
}
}
- Err(deno_core::error::custom_error(
- "PermissionDenied",
- format!("Reading {} is not allowed", path.display()),
- ))
+ permissions.check_read(path)
}
/// Gets the corresponding @types package for the provided package name.
diff --git a/cli/npm/resolvers/global.rs b/cli/npm/resolvers/global.rs
index a42ccdd53..d73ccbe9b 100644
--- a/cli/npm/resolvers/global.rs
+++ b/cli/npm/resolvers/global.rs
@@ -12,6 +12,7 @@ use deno_core::error::AnyError;
use deno_core::futures::future::BoxFuture;
use deno_core::futures::FutureExt;
use deno_core::url::Url;
+use deno_runtime::deno_node::NodePermissions;
use deno_runtime::deno_node::NodeResolutionMode;
use crate::args::Lockfile;
@@ -154,9 +155,13 @@ impl InnerNpmPackageResolver for GlobalNpmPackageResolver {
async move { cache_packages_in_resolver(&resolver).await }.boxed()
}
- fn ensure_read_permission(&self, path: &Path) -> Result<(), AnyError> {
+ fn ensure_read_permission(
+ &self,
+ permissions: &mut dyn NodePermissions,
+ path: &Path,
+ ) -> Result<(), AnyError> {
let registry_path = self.cache.registry_folder(&self.registry_url);
- ensure_registry_read_permission(&registry_path, path)
+ ensure_registry_read_permission(permissions, &registry_path, path)
}
fn snapshot(&self) -> NpmResolutionSnapshot {
diff --git a/cli/npm/resolvers/local.rs b/cli/npm/resolvers/local.rs
index 04539e462..b702d3bb3 100644
--- a/cli/npm/resolvers/local.rs
+++ b/cli/npm/resolvers/local.rs
@@ -19,6 +19,7 @@ use deno_core::futures::future::BoxFuture;
use deno_core::futures::FutureExt;
use deno_core::url::Url;
use deno_runtime::deno_core::futures;
+use deno_runtime::deno_node::NodePermissions;
use deno_runtime::deno_node::NodeResolutionMode;
use deno_runtime::deno_node::PackageJson;
use tokio::task::JoinHandle;
@@ -245,8 +246,16 @@ impl InnerNpmPackageResolver for LocalNpmPackageResolver {
.boxed()
}
- fn ensure_read_permission(&self, path: &Path) -> Result<(), AnyError> {
- ensure_registry_read_permission(&self.root_node_modules_path, path)
+ fn ensure_read_permission(
+ &self,
+ permissions: &mut dyn NodePermissions,
+ path: &Path,
+ ) -> Result<(), AnyError> {
+ ensure_registry_read_permission(
+ permissions,
+ &self.root_node_modules_path,
+ path,
+ )
}
fn snapshot(&self) -> NpmResolutionSnapshot {
diff --git a/cli/npm/resolvers/mod.rs b/cli/npm/resolvers/mod.rs
index 023ef625a..767187f5e 100644
--- a/cli/npm/resolvers/mod.rs
+++ b/cli/npm/resolvers/mod.rs
@@ -11,6 +11,7 @@ use deno_core::error::custom_error;
use deno_core::error::AnyError;
use deno_core::parking_lot::Mutex;
use deno_core::serde_json;
+use deno_runtime::deno_node::NodePermissions;
use deno_runtime::deno_node::NodeResolutionMode;
use deno_runtime::deno_node::PathClean;
use deno_runtime::deno_node::RequireNpmResolver;
@@ -367,8 +368,12 @@ impl RequireNpmResolver for NpmPackageResolver {
.is_ok()
}
- fn ensure_read_permission(&self, path: &Path) -> Result<(), AnyError> {
- self.inner.ensure_read_permission(path)
+ fn ensure_read_permission(
+ &self,
+ permissions: &mut dyn NodePermissions,
+ path: &Path,
+ ) -> Result<(), AnyError> {
+ self.inner.ensure_read_permission(permissions, path)
}
}
diff --git a/cli/proc_state.rs b/cli/proc_state.rs
index 0dd97b5e3..bbfc3cbad 100644
--- a/cli/proc_state.rs
+++ b/cli/proc_state.rs
@@ -532,6 +532,7 @@ impl ProcState {
&self,
specifier: &str,
referrer: &str,
+ permissions: &mut PermissionsContainer,
) -> Result<ModuleSpecifier, AnyError> {
if let Ok(referrer) = deno_core::resolve_url_or_path(referrer) {
if self.npm_resolver.in_npm_package(&referrer) {
@@ -542,6 +543,7 @@ impl ProcState {
&referrer,
NodeResolutionMode::Execution,
&self.npm_resolver,
+ permissions,
))
.with_context(|| {
format!("Could not resolve '{}' from '{}'.", specifier, referrer)
@@ -575,6 +577,7 @@ impl ProcState {
&reference,
NodeResolutionMode::Execution,
&self.npm_resolver,
+ permissions,
))
.with_context(|| format!("Could not resolve '{}'.", reference));
} else {
@@ -618,6 +621,7 @@ impl ProcState {
&reference,
deno_runtime::deno_node::NodeResolutionMode::Execution,
&self.npm_resolver,
+ permissions,
))
.with_context(|| format!("Could not resolve '{}'.", reference));
}
diff --git a/cli/standalone.rs b/cli/standalone.rs
index 2b0a77e18..18d134293 100644
--- a/cli/standalone.rs
+++ b/cli/standalone.rs
@@ -23,6 +23,7 @@ use deno_core::url::Url;
use deno_core::v8_set_flags;
use deno_core::ModuleLoader;
use deno_core::ModuleSpecifier;
+use deno_core::ResolutionKind;
use deno_graph::source::Resolver;
use deno_runtime::deno_broadcast_channel::InMemoryBroadcastChannel;
use deno_runtime::deno_tls::rustls_pemfile;
@@ -137,7 +138,7 @@ impl ModuleLoader for EmbeddedModuleLoader {
&self,
specifier: &str,
referrer: &str,
- _is_main: bool,
+ _kind: ResolutionKind,
) -> Result<ModuleSpecifier, AnyError> {
// Try to follow redirects when resolving.
let referrer = match self.eszip.get_module(referrer) {
diff --git a/cli/tests/npm_tests.rs b/cli/tests/npm_tests.rs
index aa0563ef9..c0ff56f2d 100644
--- a/cli/tests/npm_tests.rs
+++ b/cli/tests/npm_tests.rs
@@ -360,6 +360,13 @@ mod npm {
exit_code: 1,
});
+ itest!(permissions_outside_package {
+ args: "run --allow-read npm/permissions_outside_package/main.ts",
+ output: "npm/permissions_outside_package/main.out",
+ envs: env_vars_for_npm_tests(),
+ http_server: true,
+ });
+
#[test]
fn parallel_downloading() {
let (out, _err) = util::run_and_collect_output_with_args(
diff --git a/cli/tests/testdata/npm/permissions_outside_package/foo/config.js b/cli/tests/testdata/npm/permissions_outside_package/foo/config.js
new file mode 100644
index 000000000..e667790d2
--- /dev/null
+++ b/cli/tests/testdata/npm/permissions_outside_package/foo/config.js
@@ -0,0 +1,4 @@
+module.exports = {
+ "name": "foobar",
+ "version": "0.0.1",
+};
diff --git a/cli/tests/testdata/npm/permissions_outside_package/foo/package.json b/cli/tests/testdata/npm/permissions_outside_package/foo/package.json
new file mode 100644
index 000000000..cc049e6ce
--- /dev/null
+++ b/cli/tests/testdata/npm/permissions_outside_package/foo/package.json
@@ -0,0 +1,4 @@
+{
+ "name": "foobar",
+ "version": "0.0.1"
+}
diff --git a/cli/tests/testdata/npm/permissions_outside_package/main.out b/cli/tests/testdata/npm/permissions_outside_package/main.out
new file mode 100644
index 000000000..4edf66ae9
--- /dev/null
+++ b/cli/tests/testdata/npm/permissions_outside_package/main.out
@@ -0,0 +1,3 @@
+Download http://localhost:4545/npm/registry/@denotest/permissions-outside-package
+Download http://localhost:4545/npm/registry/@denotest/permissions-outside-package/1.0.0.tgz
+{ name: "foobar", version: "0.0.1" }
diff --git a/cli/tests/testdata/npm/permissions_outside_package/main.ts b/cli/tests/testdata/npm/permissions_outside_package/main.ts
new file mode 100644
index 000000000..b0b82b626
--- /dev/null
+++ b/cli/tests/testdata/npm/permissions_outside_package/main.ts
@@ -0,0 +1,5 @@
+import { loadConfigFile } from "npm:@denotest/permissions-outside-package";
+
+const fileName = `${Deno.cwd()}/npm/permissions_outside_package/foo/config.js`;
+const config = loadConfigFile(fileName);
+console.log(config);
diff --git a/cli/tests/testdata/npm/registry/@denotest/permissions-outside-package/1.0.0/index.js b/cli/tests/testdata/npm/registry/@denotest/permissions-outside-package/1.0.0/index.js
new file mode 100644
index 000000000..ec854713f
--- /dev/null
+++ b/cli/tests/testdata/npm/registry/@denotest/permissions-outside-package/1.0.0/index.js
@@ -0,0 +1,5 @@
+function loadConfigFile(fileName) {
+ return require(fileName);
+}
+
+module.exports.loadConfigFile = loadConfigFile; \ No newline at end of file
diff --git a/cli/tests/testdata/npm/registry/@denotest/permissions-outside-package/1.0.0/package.json b/cli/tests/testdata/npm/registry/@denotest/permissions-outside-package/1.0.0/package.json
new file mode 100644
index 000000000..447a119e4
--- /dev/null
+++ b/cli/tests/testdata/npm/registry/@denotest/permissions-outside-package/1.0.0/package.json
@@ -0,0 +1,5 @@
+{
+ "name": "@denotest/permissions-outside-package",
+ "version": "1.0.0",
+ "main": "./index.js"
+}
diff --git a/cli/tsc/mod.rs b/cli/tsc/mod.rs
index c08b4e1ae..6ea037522 100644
--- a/cli/tsc/mod.rs
+++ b/cli/tsc/mod.rs
@@ -33,6 +33,7 @@ use deno_core::RuntimeOptions;
use deno_core::Snapshot;
use deno_graph::Resolved;
use deno_runtime::deno_node::NodeResolutionMode;
+use deno_runtime::permissions::PermissionsContainer;
use once_cell::sync::Lazy;
use std::borrow::Cow;
use std::collections::HashMap;
@@ -647,6 +648,7 @@ fn op_resolve(
&referrer,
NodeResolutionMode::Types,
npm_resolver,
+ &mut PermissionsContainer::allow_all(),
)
.ok()
.flatten(),
@@ -703,6 +705,7 @@ pub fn resolve_npm_package_reference_types(
npm_ref,
NodeResolutionMode::Types,
npm_resolver,
+ &mut PermissionsContainer::allow_all(),
)?;
Ok(NodeResolution::into_specifier_and_media_type(
maybe_resolution,
diff --git a/cli/worker.rs b/cli/worker.rs
index 2d29a7a53..2f8a9b687 100644
--- a/cli/worker.rs
+++ b/cli/worker.rs
@@ -459,6 +459,7 @@ async fn create_main_worker_internal(
&package_ref.req,
package_ref.sub_path.as_deref(),
&ps.npm_resolver,
+ &mut PermissionsContainer::allow_all(),
)?;
let is_main_cjs =
matches!(node_resolution, node::NodeResolution::CommonJs(_));
@@ -473,7 +474,11 @@ async fn create_main_worker_internal(
(main_module, false)
};
- let module_loader = CliModuleLoader::new(ps.clone());
+ let module_loader = CliModuleLoader::new(
+ ps.clone(),
+ PermissionsContainer::allow_all(),
+ permissions.clone(),
+ );
let maybe_inspector_server = ps.maybe_inspector_server.clone();
@@ -649,6 +654,7 @@ fn create_web_worker_callback(
let module_loader = CliModuleLoader::new_for_worker(
ps.clone(),
args.parent_permissions.clone(),
+ args.permissions.clone(),
);
let create_web_worker_cb =
create_web_worker_callback(ps.clone(), stdio.clone());
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-06 16:36:17 +0000