Replies: 2 comments 1 reply
-
The permissions model is extremely valuable when you're running untrusted code. We don't rely on many dependencies and the lockfile ensure that the dependencies cannot be changed without us knowing about it. Running our test suite requires all permissions anyway because they need to read environment variables, start a web server, spawn child processes, make network requests etc. This in essence is pretty much equal to allowing all permissions. That's why a lot of the commands have But not every Deno project is like that. If you for example wrote a custom script that does some calculations in memory, it's better to not give it any permissions. If you have a project that only ever needs access to environment variables, only give it permissions to that. |
Beta Was this translation helpful? Give feedback.
-
@marvinhagemeister, so allowing all is a common way for most tasks cases (because not many people run untrusted code on daily basis, or writing tasks without side effects). Am I right? But the lock file doesn't protect you from unknown vulnerabilities or mistakes in newer version after update. It is the same as working under root user and telling that every system binary version is locked and trusted, isn't it? |
Beta Was this translation helpful? Give feedback.
-
I'm pretty new in Deno and heard of one major thing in Deno is "Permissions":
https://docs.deno.com/runtime/manual/basics/permissions/
And there is a way to allow anything:
Which means developer must carefully allow access to only required resources for each specific task and avoid using
-A
. But that I can see in the project confuses me:https://github.com/denoland/fresh/blob/main/deno.json#L10-L20
Beta Was this translation helpful? Give feedback.
All reactions