prabakP
Denoβ€’2y agoβ€’
1 reply
prabak

How to prevent dynamic code from installing remote packages.

I want to allow user submitted code to be run but at the same time i do not want them to install remote dependencies (i.e. dynamic import from npm or jsr). My understanding is if i run 
deno run --no-remote --cached-only
 would do the job. I have ran 
deno cache
 with 
vendor: true
 in deno.json file. But, when i run with 
--no-remote
 flag, i can't use any of the standard libs in my deno code. I am getting the follwoing error:
deno run --cached-only --no-remote main.ts
error: JSR package manifest for '@std/crypto' failed to load. A remote specifier was requested: "https://jsr.io/@std/crypto/meta.json", but --no-remote is specified.
    at file:///home/xxxxxx/deno/test/main.ts:3:24


And main.ts:

import * as emoji from "node-emoji";
import { crypto } from "@std/crypto/crypto";

export async function add(a: number, b: number): number {
  const message = "Hello, Deno!";
  const encoder = new TextEncoder();
  const data = encoder.encode(message);
  const hash = await crypto.subtle.digest("BLAKE3", data);
  console.log(hash);
  console.log(emoji.emojify(`:sauropod: :heart:  npm`));
  return a + b;
}

// Learn more at https://docs.deno.com/runtime/manual/examples/module_metadata#concepts
if (import.meta.main) {
  console.log("Add 2 + 3 =", add(2, 3));
}


Am I miss understanding the use of 
--no-remote
 flag? My understanding is that when specified, it prevents fetching from remote. So in my case prevents user submitted code to be run without fetching remote dependencies. Please correct me if I am wrong. I am using deno 1.46.3

thank you
Was this page helpful?