deno
Only authorize import modules listed in the import map
Proposition
Having a way to only authorize dependencies listed in the imports block of the deno.json file.
Examples
This example should NOT work when I run deno run -A main.ts because the dependency is not listed in the imports block.
deno.json
{
  "imports": {}
}
main.ts
import { fib } from "jsr:@phocks/fib"; // Error not listed in deno.json
console.log(fib(3));
However, that example must work when I run deno run -A main.ts because the dependency is listed in the imports block.
deno.json
{
  "imports": {
    "fibonacci": "jsr:@phocks/fib"
  }
}
main.ts
import { fib } from "fibonacci"; // import from deno.json
console.log(fib(3));
I'm a bit lost here, could you explain a bit more? Do you mean Deno should not send authorization headers for private registries?
What I mean is to have an option to consider "imports" as a bill of materials. If one external dependency is not listed inside the "imports" and is used as an import in my TypeScript code, the program must not work.
I agree on adding this. It would be nice if this mode also didn't store anything in the lockfile that's not found in the deno.json/package.json
@dsherret do you have an idea how it would be enabled? I think that banning npm:/jsr:/etc... specifiers just by the presence of deno.json is too restrictive and something we can't do in v2.x. Starting with an option in deno.json seems easy.
I think this would be (at least partially) fixed by https://github.com/denoland/deno_lint/pull/1361.
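The bill-of-materials check requested in this thread, written as an added example; it is not Deno's code, not deno_lint's rule, and not from any participant. The function names are hypothetical, specifiers are extracted with regular expressions rather than a real parser, and it assumes that only keys of "imports" (exact, or prefix keys ending in "/") authorize a specifier while relative paths count as first-party code.

```javascript
// Added example: treat the "imports" block of deno.json as an allowlist.
// Assumption: regex extraction stands in for a real module parser, so
// import-like text inside comments or strings can be over-reported.
const STATIC_IMPORT =
  /\b(?:import|export)\s+(?:[^'"();]*?\s+from\s+)?["']([^"']+)["']/g;
const DYNAMIC_IMPORT = /\bimport\s*\(\s*["']([^"']+)["']\s*\)/g;

// Collect every literal module specifier found in a source string.
function extractSpecifiers(source) {
  const found = new Set();
  for (const re of [STATIC_IMPORT, DYNAMIC_IMPORT]) {
    for (const m of source.matchAll(re)) found.add(m[1]);
  }
  return [...found];
}

// Relative and absolute paths are first-party code, not external dependencies.
function isLocal(specifier) {
  return /^(\.{1,2}\/|\/)/.test(specifier);
}

// Import-map matching: an exact key, or a key ending in "/" used as a prefix.
function isListed(specifier, imports) {
  return Object.keys(imports).some((key) =>
    key === specifier || (key.endsWith("/") && specifier.startsWith(key))
  );
}

// Return the specifiers that the "imports" allowlist does not cover.
// Assumption: a jsr:/npm:/https: specifier written inline is rejected even
// when the same package appears as a *value* in the map.
function findUnlistedImports(source, denoJsonText) {
  const imports = JSON.parse(denoJsonText).imports ?? {};
  return extractSpecifiers(source).filter(
    (s) => !isLocal(s) && !isListed(s, imports),
  );
}

// Constructed samples mirroring the two cases in the issue.
const emptyMap = '{ "imports": {} }';
const listedMap = '{ "imports": { "fibonacci": "jsr:@phocks/fib" } }';
const direct = 'import { fib } from "jsr:@phocks/fib";\nconsole.log(fib(3));';
const viaMap =
  'import { fib } from "fibonacci";\nimport "./util.ts";\nconsole.log(fib(3));';

console.log(findUnlistedImports(direct, emptyMap)); // unlisted dependency
console.log(findUnlistedImports(viaMap, listedMap)); // nothing to report
```

A non-empty result can fail a CI step before `deno run` is ever invoked, which gives the allowlist behaviour without a runtime option.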