|
|
|
|
|
|
by __ryan__
1499 days ago
|
|
|
> “The approach deno is taking is very interesting where all packages are sandboxed.” Can anyone clarify this? My understanding is that packages are not sandboxed, but your entire Deno process is. Meaning that if one part of my app requires full read/write access then any package included in my app also gets it. Is that correct? Such sandboxing is a secure default, and can help to limit the scope of a supply chain attack, sure, but this doesn’t make packages inherently more secure. Per-package sandboxing would be cool, although I’m not sure how that would work. |
|
|
Yes. There has been a discussion on per dependency permissions several times but the conclusions is that it would be difficult to implement and get right semantically. See https://github.com/denoland/deno/issues/171