-
Notifications
You must be signed in to change notification settings - Fork 5.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dynamically generating import maps #6782
Comments
We sort of talked about some of this before (ref: #3585). I get the utility of it, but as you mention, the security concerns would be the biggest "worry", but allowing a I can't remember off hand if we support remote import maps (we should if we don't) which means that a server could generate an import map, potentially on the fly, with a given set of information. Would something like that sort of solve the problem? |
You could get away with |
@bartlomieju that’s actually a very elegant solution to this problem, much better than what I was thinking. |
Also related #5791 I think workers would be ideal here, or something like node's fork that inherits the current permissions or less. |
There’s a pattern emerging for creating cross-platform ESM modules using the
exports
property inpackage.json
. To be perfectly honest, I wish there were a conditional import syntax for this use case instead, but there isn’t so this is what we’ve got.Rollup, webpack, and of course Node.js, all now support this property.
This means that internally in the module, and in the module’s tests, you can’t use relative imports but instead have to use the package name because relative imports skip the export map loader. And of course, tests all have to do the same.
The nice part of authoring this way is that my modules and all the tests can be run and loaded in the browser and Node.js without a compiler, and the module works as expected when people consume it with a compiler.
When I run tests in the browser I generate an export map and stick it in the page before loading my tests.
Similarly, I can generate an import map for Deno and pass it as a command line flag.
The thing is though, I have my test runner running in Deno natively. I’d like to generate an import map from package.json in Deno and then load it, rather than passing as a command line flag because that would require another subprocess launch and additional permissions.
There are security concerns here. The browser doesn’t allow dynamic import map loading, it requires that it’s in the page you load from the origin. Perhaps something similar could be done with Deno by passing a
.js
or.ts
file instead of.json
file as the importMap argument? There could be an API inDeno
to set the import map and it would only be accessible to that module, creating a similar security pattern to what the browser uses. Or the default export of that file could be the import map?Thoughts?
The text was updated successfully, but these errors were encountered: