1
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2024-11-29 16:30:56 -05:00
Commit graph

28 commits

Author SHA1 Message Date
David Sherret
918c5e648f
fix(jsr): do not allow importing a non-JSR url via unanalyzable dynamic import from JSR (#22623)
A security feature of JSR is that it is self contained other than npm
dependencies. At publish time, the registry rejects packages that write
code like this:

```ts
const data = await import("https://example.com/evil.js");
```

However, this can be trivially bypassed by writing code that the
registry cannot statically analyze for. This PR prevents Deno from
loading dynamic imports that do this.
2024-02-28 16:30:45 -05:00
Matt Mastracci
a3f982c1d5
chore(cli): rename --trace-ops to --trace-leaks (#22598)
As we add tracing to more types of runtime activity, `--trace-ops` is
less useful of a name. `--trace-leaks` better reflects that this feature
traces both ops and timers, and will eventually trace resource opening
as well.

This keeps `--trace-ops` as an alias for `--trace-leaks`, but prints a
warning to the console suggesting migration to `--trace-leaks`.

One test continues to use `--trace-ops` to test the deprecation warning.

---------

Signed-off-by: Matt Mastracci <matthew@mastracci.com>
2024-02-28 09:12:43 -07:00
Divy Srivastava
9b5d2f8c1b
feat(publish): provenance attestation (#22573)
Supply chain security for JSR.

```
$ deno publish --provenance

Successfully published @divy/test_provenance@0.0.3
Provenance transparency log available at https://search.sigstore.dev/?logIndex=73657418
```

0. Package has been published.
1. Fetches the version manifest and verifies it's matching with uploaded
files and exports.
2. Builds the attestation SLSA payload using Github actions env.
3. Creates an ephemeral key pair for signing the github token
(aud=sigstore) and DSSE pre authentication tag.
4. Requests a X.509 signing certificate from Fulcio using the challenge
and ephemeral public key PEM.
5. Prepares a DSSE envelop for Rekor to witness. Posts an intoto entry
to Rekor and gets back the transparency log index.
6. Builds the provenance bundle and posts it to JSR.
2024-02-28 07:58:02 +05:30
David Sherret
e9fe71acb5
fix(unstable): sloppy imports should resolve .d.ts files during types resolution (#22602) 2024-02-27 18:30:21 +00:00
Luca Casonato
8d5c231349
feat(publish): support sloppy imports and bare node built-ins (#22588) 2024-02-27 15:13:16 +00:00
Matt Mastracci
47c2a63d87
chore: bump deno_core (#22596)
Migrations:

 - snapshot code updated
 - runtime stats API tweaks
2024-02-27 08:05:57 -07:00
Bartek Iwańczuk
f1a691274e
feat(publish): discover jsr.json and jsr.jsonc files (#22587)
Closes https://github.com/denoland/deno/issues/22491
2024-02-27 08:27:21 +00:00
David Sherret
6567dc94a9
fix(lsp): import map expansion (#22553) 2024-02-24 00:21:09 -05:00
Marvin Hagemeister
cddefecfff
feat: infer dependencies from package.json (#22563)
<!--
Before submitting a PR, please read
https://docs.deno.com/runtime/manual/references/contributing

1. Give the PR a descriptive title.

  Examples of good title:
    - fix(std/http): Fix race condition in server
    - docs(console): Update docstrings
    - feat(doc): Handle nested reexports

  Examples of bad title:
    - fix #7123
    - update docs
    - fix bugs

2. Ensure there is a related issue and it is referenced in the PR text.
3. Ensure there are tests that cover the changes.
4. Ensure `cargo test` passes.
5. Ensure `./tools/format.js` passes without changing files.
6. Ensure `./tools/lint.js` passes.
7. Open as a draft PR if your work is still in progress. The CI won't
run
   all steps, but you can add '[ci]' to a commit message to force it to.
8. If you would like to run the benchmarks on the CI, add the 'ci-bench'
label.
-->
This PR enhances the `deno publish` command to infer dependencies from
`package.json` if present.
2024-02-23 15:56:49 +01:00
Bartek Iwańczuk
197d2480bb
fix(compile): respect compiler options for emit (#22521)
`deno compile` was ignoring configuration file and thus not applying
`compilerOptions` to influence the way files were emitted.
2024-02-21 23:03:11 +00:00
David Sherret
a2c1cc5a1a
fix(publish): better no-slow-types type discovery (#22517) 2024-02-21 14:12:36 -05:00
Matt Mastracci
8aa529f1b8
chore(cli): fix part of flaky test (#22515) 2024-02-21 19:10:51 +00:00
David Sherret
9166d8a4e9
feat(publish): type check on publish (#22506)
Supersedes #22501 and also fixes that issue.
2024-02-21 08:35:25 -05:00
David Sherret
6592a92c20
fix(node/test): disable Deno test sanitizers (#22480)
Closes #22473
2024-02-20 23:22:07 -05:00
Bartek Iwańczuk
77b90f408c
Revert "fix(console): support NO_COLOR and colors option in all scena… (#22507)
…rios (#21910)"

This reverts commit bd1358efab.

This change caused https://github.com/denoland/deno/issues/22496 and
https://github.com/denoland/deno/issues/22445
2024-02-21 00:17:50 +00:00
Asher Gomez
ca8bc7ece8
fix(ext/node): permission prompt for missing process.env permissions (#22487)
Closes #18665
Closes #20213
2024-02-20 16:40:32 -05:00
Luca Casonato
54a3eb585d
fix(publish): print files that will be published (#22495) 2024-02-20 13:30:34 +01:00
David Sherret
66424032a2
feat(unstable/lint): no-slow-types for JSR packages (#22430)
1. Renames zap/fast-check to instead be a `no-slow-types` lint rule.
1. This lint rule is automatically run when doing `deno lint` for
packages (deno.json files with a name, version, and exports field)
1. This lint rules still occurs on publish. It can be skipped by running
with `--no-slow-types`
2024-02-19 15:28:41 +00:00
Asher Gomez
2b279ad630
chore: move test_util to tests/util/server (#22444)
As discussed with @mmastrac.

---------

Signed-off-by: Asher Gomez <ashersaupingomez@gmail.com>
Co-authored-by: Matt Mastracci <matthew@mastracci.com>
2024-02-19 06:34:24 -07:00
Matt Mastracci
67a4231bb6
refactor(cli): move op sanitizer to Rust (#22413)
The format of the sanitizers will change a little bit:

- If multiple async ops leak and traces are on, we repeat the async op
header once per stack trace.
- All leaks are aggregated under a "Leaks detected:" banner as the new
timers are eventually going to be added, and these are neither ops nor
resources.
 - `1 async op` is now `An async op`
- If ops and resources leak, we show both (rather than op leaks masking
resources)

Follow-on to https://github.com/denoland/deno/pull/22226
2024-02-16 21:22:12 +00:00
Matt Mastracci
c92717a1a4
chore(cli): pre-factor the sanitizer tests (#22436)
Moving tests around so that we can make #22413 smaller
2024-02-16 10:49:42 -07:00
David Sherret
4f80d83774
feat(unstable): single checksum per JSR package in the lockfile (#22421)
This changes the lockfile to not store JSR specifiers in the "remote"
section. Instead a single JSR integrity is stored per package in the
lockfile, which is a hash of the version's `x.x.x_meta.json` file, which
contains hashes for every file in the package. The hashes in this file
are then compared against when loading.

Additionally, when using `{ "vendor": true }` in a deno.json, the files
can be modified without causing lockfile errors—the checksum is only
checked when copying into the vendor folder and not afterwards
(eventually we should add this behaviour for non-jsr specifiers as
well). As part of this change, the `vendor` folder creation is not
always automatic in the LSP and running an explicit cache command is
necessary. The code required to track checksums in the LSP would have
been too complex for this PR, so that all goes through deno_graph now.
The vendoring is still automatic when running from the CLI.
2024-02-15 14:49:35 -05:00
Divy Srivastava
b72f0be27c
chore: add DENO_FUTURE env var (#22318)
Closes https://github.com/denoland/deno/issues/22315

```
~> DENO_FUTURE=1 target/debug/deno

> globalThis.window
undefined
```
2024-02-15 04:50:17 +00:00
Nayeem Rahman
1ad754b412
feat(lsp): jsr support with cache probing (#22418) 2024-02-14 22:48:39 +00:00
Matt Mastracci
e23fc6d88c
chore: deno_core bump (#22407)
- Adding `None` flag for warmup script.
 - Modify opcall trace interface to match new Rust implementation
2024-02-13 19:44:37 -07:00
Asher Gomez
6be389ce29
chore: move test_util/std to tests/util/std (#22402)
Note: tests are not the only part of the codebase that uses `std`. Other
parts, like `tools/`, do too. So, it could be argued that this is a
little misleading. Either way, I'm doing this as discussed with
@mmastrac.
2024-02-13 09:22:49 -07:00
Leo Kettmeir
bd1358efab
fix(console): support NO_COLOR and colors option in all scenarios (#21910)
Noticed in #21607
2024-02-12 14:35:23 +01:00
Matt Mastracci
f5e46c9bf2
chore: move cli/tests/ -> tests/ (#22369)
This looks like a massive PR, but it's only a move from cli/tests ->
tests, and updates of relative paths for files.

This is the first step towards aggregate all of the integration test
files under tests/, which will lead to a set of integration tests that
can run without the CLI binary being built.

While we could leave these tests under `cli`, it would require us to
keep a more complex directory structure for the various test runners. In
addition, we have a lot of complexity to ignore various test files in
the `cli` project itself (cargo publish exclusion rules, autotests =
false, etc).

And finally, the `tests/` folder will eventually house the `test_ffi`,
`test_napi` and other testing code, reducing the size of the root repo
directory.

For easier review, the extremely large and noisy "move" is in the first
commit (with no changes -- just a move), while the remainder of the
changes to actual files is in the second commit.
2024-02-10 20:22:13 +00:00