esbuild-node-loader
Why `https` import support?
Hey, thanks for building the package!
Re: https://github.com/antfu/esbuild-node-loader/pull/34
I've looked at the code and I think it's a little dangerous to allow `https` imports without even mentioning anything in the `README.md`. I discovered this by accident as I was trying to understand how to configure stuff. I tested this behaviour and it seems to be working, and I was able to import an arbitrary JS file hosted on an arbitrary domain using this loader.
I'm new to this concept and I understand that there is Deno and `--experimental-network-imports` in Node, but I didn't expect this behaviour from a small loader library. I also understand that this is how browsers work, but they have a ton of security around that, like CORS and policies you can set up to allow only certain domains.
I feel this at least should be mentioned in the `README.md` so people who care about security may consider this before they adopt the package.
Is it really crucial for this library to support it? How do I disable it? How can I allow only certain domains I trust?
Cheers!
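
One way to express the allowlist the post asks about, as an added example that is not part of the original issue or of the esbuild-node-loader code base: a policy check that a loader's resolve step could call before anything is fetched. `checkImport`, `ALLOWED_ORIGINS` and the `cdn.trusted.example` origin are assumptions made for illustration.

```javascript
// Added example: origin allowlist for network imports. All names are hypothetical.
const ALLOWED_ORIGINS = new Set(['https://cdn.trusted.example']); // constructed value

const isNetwork = (url) => url.protocol === 'http:' || url.protocol === 'https:';
const isRelative = (s) => s.startsWith('./') || s.startsWith('../') || s.startsWith('/');

// Parse a string as an absolute URL, or return null (e.g. for a bare specifier).
function parseAbsolute(value) {
  try {
    return new URL(value);
  } catch {
    return null;
  }
}

// Returns the resolved href for a permitted network import, null when the
// import is not a network import (defer to the default resolver), and throws
// when the import must be refused.
function checkImport(specifier, parentURL, allowed = ALLOWED_ORIGINS) {
  const parent = parentURL ? parseAbsolute(parentURL) : null;
  const parentIsRemote = parent !== null && isNetwork(parent);

  // Relative specifiers take the origin of the importing module, so a remote
  // module's "./helper.js" is judged by where it will really be fetched from.
  const url = isRelative(specifier) && parent
    ? new URL(specifier, parent)
    : parseAbsolute(specifier);

  if (url === null || !isNetwork(url)) {
    // Remote code must not reach local files, builtins or installed packages.
    if (parentIsRemote) {
      throw new Error(`remote module may not import "${specifier}"`);
    }
    return null;
  }
  if (url.protocol !== 'https:') {
    throw new Error(`plain http import refused: ${url.href}`);
  }
  // Compare the parsed origin, never a string prefix: a prefix test would
  // accept "https://cdn.trusted.example@evil.example/" or a lookalike suffix.
  if (!allowed.has(url.origin)) {
    throw new Error(`origin not on allowlist: ${url.origin}`);
  }
  return url.href;
}
```

An empty allowlist passed as the third argument refuses every network import, which covers the "how do I disable it" case under the same assumptions.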