Geoffrey Booth

> However, `import { config } from 'node:test'` doesn't sound correct: > What happens if two different configurations are set in two different files? I feel like we should solve...

I assume you know about https://nodejs.org/api/policy.html ? Shouldn’t the configuration for this be part of that?

> > I assume you know about [nodejs.org/api/policy.html](https://nodejs.org/api/policy.html) ? Shouldn’t the configuration for this be part of that? > > Yes. Honestly, this is quite different from the current policy...

> That’s indeed a good point. I’ll mention it in the next Security WG. If you any nomenclature suggestion, please raise them here 😄 Looking in https://nodejs.org/api/policy.html, that feature is...

> suggest a better namespace. Perhaps just copy Deno's naming? https://deno.land/manual/getting_started/permissions They call their feature Permissions but their flag is `allow`, as in `--allow-read` or `--allow-net`. This was one of...

> The structure defined in [nodejs/security-wg#791](https://github.com/nodejs/security-wg/issues/791) is to be permissive by default (avoiding a global breakage). The nomenclature suggested (`--deny-*`) makes sense to me. I've included it as a possibility...

What is the use case for supporting a file named `.js`?

> Currently, starting a `.mjs` or `.cjs` file allow to skip the lookup and the parsing of a `package.json` file, I’m reluctant to change that but I’m curious what others...

> I’m tempted to say it’s good enough, wdyt? No, that only works for `--loader` and other flags that expect a file path as an argument. Once we support defining...

> I'm very reluctant about adding this because I think it's a mistake to resume CI without looking at the failures, and if you are looking at the failures you...