From 5295563dcb117b162cbd70ff82a7aee1e55543fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?= Date: Wed, 8 Apr 2026 09:03:01 +0200 Subject: [PATCH] docs: fix static module graph description to include all module sources The key principles section incorrectly stated that only local files could be imported without restrictions in the static module graph. This also applies to npm, jsr, and remote URL imports. Closes #2686 Co-Authored-By: Claude Opus 4.6 (1M context) --- runtime/fundamentals/security.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/runtime/fundamentals/security.md b/runtime/fundamentals/security.md index b0b2b4528..7f34855f3 100644 --- a/runtime/fundamentals/security.md +++ b/runtime/fundamentals/security.md @@ -45,11 +45,11 @@ the key principles of Deno's security model: - **Code can not escalate its privileges without user consent**: Code executing in a Deno runtime can not escalate its privileges without the user agreeing explicitly to an escalation via interactive prompt or a invocation time flag. -- **The initial static module graph can import local files without - restrictions**: All files that are imported in the initial static module graph - can be imported without restrictions, so even if an explicit read permission - is not granted for that file. This does not apply to any dynamic module - imports. +- **The initial static module graph can import modules without restrictions**: + All modules that are imported in the initial static module graph (local files, + npm packages, jsr packages, and remote URLs) can be loaded without + restrictions, even if explicit permissions are not granted. This does not + apply to dynamic module imports. These key principles are designed to provide an environment where a user can execute code with minimal risk of harm to the host machine or network. The