
- no file system access
- no internet access
- no environment access

also loads code from the internet and runs it no questions asked.

When invoking the deno command, the user has the option to grant or deny the command access to the file system, internet, environment.

>loads code from the internet and runs it no questions asked

I think this is a reference to the fact that Deno uses "ECMAScript modules" referenced as URLs the same way modern browsers do.


Yeah, I thought that too. But assuming the loaded code has no access to any of those things either, then I'm not sure what the concern is. Though if you gave network access to your code and it loaded other code from the internet which inherited those permissions, that's pretty terrifying (especially since it's not some edge case). I assume this has been thought through, since it's so obvious.


...except it does ask questions

Goal 2

Provide Secure Defaults

    Unless specifically allowed [by the user], scripts can't access files, the environment, or the network.


That doesn't mean what you think. See https://deno.land/std/manual.md#linking-to-third-party-code

"Note that we did not have to provide the --allow-net flag for this program, and yet it accessed the network. The runtime has special access to download imports and cache them to disk."


I don't understand what you're trying to say?

Deno the privileged runtime can do these things, but the scripts/code you get it to run cannot do these things without permission.

Specifically I was talking about this section of the poster's comment: "runs it no questions asked". No, it will _not_ be run no questions asked.


By default remote imports do allow network access, but when running the downloaded scripts, they are subject to the network permission settings.

Also, if you are just worried about any remote imports anyway, there are `--no-remote` (turn off http[s] resolution) and `--cached-only` (only resolve a remote module if it is already downloaded and saved in the cache) flags on `deno run`.
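To make the distinction drawn in the last two comments concrete (the runtime downloads imports without `--allow-net`, while the script's own network calls are gated by it, and `--no-remote` / `--cached-only` restrict the import step itself), here is an added shell example that is not from the thread or from the Deno project. It assumes a recent `deno` binary on PATH, uses the real flags `--allow-net`, `--no-prompt`, `--no-remote` and `--cached-only` plus the real `DENO_DIR` environment variable, and points the remote import at a pinned `deno.land/std@0.224.0` URL chosen for the example; the exit code convention (3 = permission refused) is our own.

```shell
#!/bin/sh
# Added example (not from the thread or the Deno project): probe Deno's
# permission model for imports vs. run-time network access.
# Assumes a recent `deno` on PATH; flags and DENO_DIR are real Deno features.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Fresh, empty module cache so --cached-only behaves deterministically.
export DENO_DIR="$WORK/cache"

# Local-only script that tries to use the network at run time.
# Exit codes are constructed for this example:
#   0  the fetch was permitted (the connection itself may still fail)
#   3  the runtime refused the fetch for lack of permission
cat > "$WORK/probe.ts" <<'EOF'
try {
  // 127.0.0.1:9 (discard) is normally closed, so a *permitted* fetch fails
  // fast with a plain network error, not a permission error.
  await fetch("http://127.0.0.1:9/");
  Deno.exit(0);
} catch (e) {
  // Deno 1.x raises PermissionDenied, Deno 2.x raises NotCapable.
  const denied = e instanceof Error &&
    (e.name === "PermissionDenied" || e.name === "NotCapable");
  Deno.exit(denied ? 3 : 0);
}
EOF

# Script whose only content is a remote import (URL assumed for the example).
cat > "$WORK/remote.ts" <<'EOF'
import "https://deno.land/std@0.224.0/assert/mod.ts";
EOF

# Run a deno command, discard its output, print its exit status.
# (Written as if/else so it stays correct under `set -e`.)
run_status() {
  if deno "$@" >/dev/null 2>&1; then echo 0; else echo $?; fi
}

# 1. Run-time network use is denied unless --allow-net is given.
#    --no-prompt turns the interactive permission prompt into a denial.
fetch_without_allow_net() { run_status run --no-prompt "$WORK/probe.ts"; }
fetch_with_allow_net()    { run_status run --no-prompt --allow-net=127.0.0.1 "$WORK/probe.ts"; }

# 2. A remote import is fetched by the privileged runtime even without
#    --allow-net (needs a live network, so it is shown but not asserted).
remote_import_default()     { run_status run "$WORK/remote.ts"; }

# 3. --no-remote refuses the remote import outright, before any download.
remote_import_no_remote()   { run_status run --no-remote "$WORK/remote.ts"; }

# 4. --cached-only refuses a remote import that is not already in DENO_DIR.
remote_import_cached_only() { run_status run --cached-only "$WORK/remote.ts"; }

if command -v deno >/dev/null 2>&1; then
  echo "fetch, no --allow-net:            $(fetch_without_allow_net)  (3 = permission refused)"
  echo "fetch, --allow-net=127.0.0.1:     $(fetch_with_allow_net)  (0 = permitted)"
  echo "remote import, default flags:     $(remote_import_default)  (0 if the network is up)"
  echo "remote import, --no-remote:       $(remote_import_no_remote)  (1 = refused)"
  echo "remote import, --cached-only:     $(remote_import_cached_only)  (1 = not in cache)"
else
  echo "deno not found on PATH" >&2
fi
```

The two scripts isolate the two code paths the comments are arguing about: `remote.ts` exercises the runtime's privileged import download, which `--no-remote` and `--cached-only` restrict, while `probe.ts` exercises the script's own `fetch`, which only `--allow-net` unlocks. Using a dedicated `DENO_DIR` matters for the `--cached-only` case: with a shared cache, a module fetched by an earlier run would make the command succeed.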


> loads code from the internet and runs it no questions asked

Like every "modern" package manager? I think that's a lost cause.


What about versions of those URL-based packages?


By default it blocks network access... at least in my experience
