How to prevent dynamic code from installing remote packages.

I want to allow user submitted code to be run but at the same time i do not want them to install remote dependencies (i.e. dynamic import from npm or jsr). My understanding is if i run deno run --no-remote --cached-onlydeno run --no-remote --cached-only would do the job. I have ran deno cachedeno cache with vendor: truevendor: true in deno.json file. But, when i run with --no-remote--no-remote flag, i can't use any of the standard libs in my deno code. I am getting the follwoing error:

deno run --cached-only --no-remote main.ts
error: JSR package manifest for '@std/crypto' failed to load. A remote specifier was requested: "https://jsr.io/@std/crypto/meta.json", but --no-remote is specified.
    at file:///home/xxxxxx/deno/test/main.ts:3:24

deno run --cached-only --no-remote main.ts
error: JSR package manifest for '@std/crypto' failed to load. A remote specifier was requested: "https://jsr.io/@std/crypto/meta.json", but --no-remote is specified.
    at file:///home/xxxxxx/deno/test/main.ts:3:24

And main.ts:

import * as emoji from "node-emoji";
import { crypto } from "@std/crypto/crypto";

export async function add(a: number, b: number): number {
  const message = "Hello, Deno!";
  const encoder = new TextEncoder();
  const data = encoder.encode(message);
  const hash = await crypto.subtle.digest("BLAKE3", data);
  console.log(hash);
  console.log(emoji.emojify(`:sauropod: :heart:  npm`));
  return a + b;
}

// Learn more at https://docs.deno.com/runtime/manual/examples/module_metadata#concepts
if (import.meta.main) {
  console.log("Add 2 + 3 =", add(2, 3));
}

import * as emoji from "node-emoji";
import { crypto } from "@std/crypto/crypto";

export async function add(a: number, b: number): number {
  const message = "Hello, Deno!";
  const encoder = new TextEncoder();
  const data = encoder.encode(message);
  const hash = await crypto.subtle.digest("BLAKE3", data);
  console.log(hash);
  console.log(emoji.emojify(`:sauropod: :heart:  npm`));
  return a + b;
}

// Learn more at https://docs.deno.com/runtime/manual/examples/module_metadata#concepts
if (import.meta.main) {
  console.log("Add 2 + 3 =", add(2, 3));
}

Am I miss understanding the use of --no-remote--no-remote flag? My understanding is that when specified, it prevents fetching from remote. So in my case prevents user submitted code to be run without fetching remote dependencies. Please correct me if I am wrong. I am using deno 1.46.3

thank you

How to prevent dynamic code from installing remote packages.

deno run --cached-only --no-remote main.ts
error: JSR package manifest for '@std/crypto' failed to load. A remote specifier was requested: "https://jsr.io/@std/crypto/meta.json", but --no-remote is specified.
    at file:///home/xxxxxx/deno/test/main.ts:3:24

deno run --cached-only --no-remote main.ts
error: JSR package manifest for '@std/crypto' failed to load. A remote specifier was requested: "https://jsr.io/@std/crypto/meta.json", but --no-remote is specified.
    at file:///home/xxxxxx/deno/test/main.ts:3:24

And main.ts:

import * as emoji from "node-emoji";
import { crypto } from "@std/crypto/crypto";

export async function add(a: number, b: number): number {
  const message = "Hello, Deno!";
  const encoder = new TextEncoder();
  const data = encoder.encode(message);
  const hash = await crypto.subtle.digest("BLAKE3", data);
  console.log(hash);
  console.log(emoji.emojify(`:sauropod: :heart:  npm`));
  return a + b;
}

// Learn more at https://docs.deno.com/runtime/manual/examples/module_metadata#concepts
if (import.meta.main) {
  console.log("Add 2 + 3 =", add(2, 3));
}

import * as emoji from "node-emoji";
import { crypto } from "@std/crypto/crypto";

export async function add(a: number, b: number): number {
  const message = "Hello, Deno!";
  const encoder = new TextEncoder();
  const data = encoder.encode(message);
  const hash = await crypto.subtle.digest("BLAKE3", data);
  console.log(hash);
  console.log(emoji.emojify(`:sauropod: :heart:  npm`));
  return a + b;
}

// Learn more at https://docs.deno.com/runtime/manual/examples/module_metadata#concepts
if (import.meta.main) {
  console.log("Add 2 + 3 =", add(2, 3));
}

How to prevent dynamic code from installing remote packages.

How to prevent dynamic code from installing remote packages.

Continue the conversation

Deno

Continue the conversation

Deno

Similar Threads