[VikingCoder]

To the last point - imagine that you're using some library code, and you do an update, and now it starts trying to talk to some back-end server. That might be a good thing to stop.

Also, I'm looking forward to the idea of running a host like Deno, with applications inside that other people wrote. Kind of like sandstorm.io. I may be naive, but I'm hoping this happens really, really soon.

[eis]

The problem is that you grant the privileges on the application level and not library level. You grant network access to your app and then some updated dependency suddenly starts communicating home and it wont prevent that.

It is also possible in Deno to set permissions for Workers but that's not just plug and play for existing libraries.

[Hovertruck]

I suppose that depends on if you're blanket-allowing network, though. You could pass an allow list of ips/hosts that are allowed, though that's not going to be feasible for every application: https://deno.land/manual@v1.26.0/getting_started/permissions...

[eis]

Yea you could restrict the app by whitelisting only the network services and folders that it will use and that's pretty valuable though at least on Linux could already easily be achieved otherwise. It's good that Deno makes it easy but let's be honest, most people will just pass -A.

I'd love to see a permissions system on a library basis. It would ask the first time a dependency is added and when a new permission is requested after an update. Javascript doesn't make that easy though by being so dynamic. SES could maybe help: https://github.com/endojs/endo/blob/master/packages/ses/READ...

[johannes1234321]

On a library level won't be easy, as there will be wrapper libraries of some kind (axiom-style or whatever) and those wrapper lib will get the permission, so you'd then need a mechanism to prevent somebody calling into that library directly ... and not indirectly (say telling a third module to use the http-wrapper as a callback for some other thing) it is a rabbit hole

[laurencerowe]

Workers are the solution here since they provide a security boundary. Access to the outside world must then be intermediated by your app. You might provide a version of fetch inside the worker that works through postMessage or SharedArrayBuffer allowing your app to filter the requests made by the untrusted script inside the worker.

[losvedir]

Sure, I suppose if you granted it at the library level that might be good, but it's at the whole app level. You could maintain a very fine grained list of network URLs, though. That might be nice if you could configure in the `deno.config` file, rather than having to specify them all on the command line.

But this also gets at my "you have larger issues" comment. How is library code going to just start talking to a server? I like to review and audit all my dependencies and their changes, so it shouldn't just randomly happen. That's my whole problem with npm and its million dependencies and why I'm glad deno provides a standard library in the first place.