prabak, 4w ago

How to prevent dynamic code from installing remote packages.

I want to allow user-submitted code to be run, but at the same time I do not want them to install remote dependencies (i.e. dynamic import from npm or jsr). My understanding is that running deno run --no-remote --cached-only would do the job. I have run deno cache with vendor: true in the deno.json file. But when I run with the --no-remote flag, I can't use any of the standard libs in my Deno code. I am getting the following error:
deno run --cached-only --no-remote main.ts
error: JSR package manifest for '@std/crypto' failed to load. A remote specifier was requested: "https://jsr.io/@std/crypto/meta.json", but --no-remote is specified.
at file:///home/xxxxxx/deno/test/main.ts:3:24
And main.ts:
import * as emoji from "node-emoji";
import { crypto } from "@std/crypto/crypto";

// An async function returns a Promise, so the return type is Promise<number>.
export async function add(a: number, b: number): Promise<number> {
  const message = "Hello, Deno!";
  const encoder = new TextEncoder();
  const data = encoder.encode(message);
  // BLAKE3 is provided by @std/crypto, not by the built-in Web Crypto API.
  const hash = await crypto.subtle.digest("BLAKE3", data);
  console.log(hash);
  console.log(emoji.emojify(`:sauropod: :heart: npm`));
  return a + b;
}

// Learn more at https://docs.deno.com/runtime/manual/examples/module_metadata#concepts
if (import.meta.main) {
  console.log("Add 2 + 3 =", await add(2, 3));
}
Am I misunderstanding the use of the --no-remote flag? My understanding is that, when specified, it prevents fetching from remote. So in my case it prevents user submitted code to be run without fetching remote dependencies. Please correct me if I am wrong. I am using Deno 1.46.3. Thank you.
0 Replies
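As an added example that is not part of the original post: a static pre-check that audits the import specifiers in a user submission before it is handed to deno run, rejecting npm:, jsr: and URL specifiers, bare names outside an allowlist, and import() calls with computed arguments. The names auditImports, isAllowedBare and SAMPLE_SUBMISSION are hypothetical, and the allowlist is assumed to mirror the "imports" keys of the project's deno.json.

```typescript
// Added example, not code from the post. Function and constant names are hypothetical.
type Finding = { specifier: string; reason: string };

// Schemes that pull in code that is not vendored with the project.
const REMOTE_SCHEME = /^(npm|jsr|https?|data|blob):/i;
// Quoted specifiers after `from`, `import(` or a side-effect `import`.
const LITERAL_IMPORT = /(?:\bfrom|\bimport\s*\(|\bimport)\s*(["'])([^"'\n]+)\1/g;
// import() whose argument is not a quoted literal (variable, template, concatenation).
const COMPUTED_IMPORT = /\bimport\s*\(\s*(?![\s"'])/g;

// Bare names pass only if they, or their package prefix, are in the allowlist
// (assumed here to be the keys of "imports" in deno.json).
function isAllowedBare(spec: string, allowed: string[]): boolean {
  return allowed.some((name) => spec === name || spec.indexOf(name + "/") === 0);
}

function auditImports(source: string, allowedBare: string[]): Finding[] {
  const findings: Finding[] = [];
  let m: RegExpExecArray | null;
  LITERAL_IMPORT.lastIndex = 0;
  while ((m = LITERAL_IMPORT.exec(source)) !== null) {
    const spec = m[2];
    if (REMOTE_SCHEME.test(spec)) {
      findings.push({ specifier: spec, reason: "remote scheme" });
    } else if (/^\.{0,2}\//.test(spec)) {
      continue; // relative or absolute local path
    } else if (!isAllowedBare(spec, allowedBare)) {
      findings.push({ specifier: spec, reason: "not in allowlist" });
    }
  }
  COMPUTED_IMPORT.lastIndex = 0;
  while (COMPUTED_IMPORT.exec(source) !== null) {
    findings.push({ specifier: "<computed>", reason: "non-literal import()" });
  }
  return findings;
}

// Constructed sample submission (not from the post).
const SAMPLE_SUBMISSION = [
  'import * as emoji from "node-emoji";',
  'import { crypto } from "@std/crypto/crypto";',
  'import { helper } from "./helper.ts";',
  'const a = await import("npm:some-package");',
  'const b = await import("https://example.com/mod.ts");',
  'const c = await import(spec);',
].join("\n");

console.log(auditImports(SAMPLE_SUBMISSION, ["node-emoji", "@std/crypto"]));
```

Pattern matching does not understand comments or string contents and cannot see specifiers assembled through eval or the Function constructor, so this is a fail-closed pre-filter; the runtime's own flags and permissions remain the enforcement point.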