by 29athrowaway 1684 days ago
Personally I do not like the fact that it puts too much trust into DNS.

DNS wasn't created with security in mind, so to say Deno is secure because it uses a permissions system while relying directly on DNS for imports sounds weird to me.

3 comments

How is this any different than any other package management system? If you npm or pip install a package and import it, you’re still relying on DNS to resolve pypi or npmjs.

But with Deno, if you’ve just accidentally installed some malicious squatter’s package that mimics the one you meant to use, at least you’ve got less exposure, because the malicious code won’t necessarily have blanket permissions to make network calls, read files, etc. Virtually any other language/package management system cannot say the same.

Deno will download and cache the dependencies you import; they’re right in the project folder rather than buried in a sea of node_modules. It’s super convenient to look at and inspect, if there’s any doubt or idle curiosity.

It's not just DNS, thankfully - deno.land has a TLS certificate too, which I think means that DNS exploits wouldn't succeed in causing clients to install untrusted packages.
It uses https. Are you not satisfied that that is reasonably secure?