`deno run` that never writes to `DENO_DIR` or `deno.lock`?
I am working on an application that embeds a `deno` 1.46.3 binary and uses it to `deno run` some app plugins.
The plugins are folders that are included in our app bundle, which contain deno configuration and `.ts` files.
Because we need to sign our app bundle, and some plugins are bundled within the app bundle, we run into the issue where the signature will be invalidated due to `deno run --cached-only` being able to modify `deno.lock` and any already-cached `deno-deps`.
We don't want to use `--frozen`, because this would return an error instead of an invalid signature. We don't want to `compile` because having many copies of deno would make our app much larger in size.
It seems like some combination of `--cached-only`, `--no-remote` or maybe `--vendor` could help us out, but we haven't had luck yet. Another approach we may explore is using the OS filesystem to mark our bundled plugin folders as readonly.