Add flag to ignore env requests

[quentinadam]

It is quite common for (npm-) packages to use environment variables to enable optional behaviour.

For example the npm:esbuild package checks if the optional ESBUILD_BINARY_PATH environment variable is set and dependending on this value will either use that as the path to the esbuild binary or will otherwise download the esbuild binary from npm.

Another example is the npm:chalk package which has vendored in the code from the npm:supports-color package which checks a lot of optional environment variables like FORCE_COLOR, TERM, CI, TERM_PROGRAM or COLORTERM to name a few.

When running Deno code that (directly or indirectly) depends on such packages that check optional environment variables, there is currently no way to run this code successfully without supplying an --allow flag such as --allow-all, --allow-env or --allow-env=ESBUILD_BINARY_PATH for example.

In security sensitive contexts, it may not be desirable to add an --allow flag. I would suggest adding an --ignore-env flag that would silently ignore any access to environment variables (if access was not explicitly allowed with an --allow flag), without requesting permissions or throwing an error, and that would for example return undefined for any call to Deno.env.get as if the environment variable was not set.

Optionally this flag would support adding specific environment variable names that should be ignored, like for example --ignore-env=ESBUILD_BINARY_PATH,FORCE_COLOR.

[kuboon]

Deno 2.6 added --ignore-env
https://deno.com/blog/v2.6#more-granular-permissions

[quentinadam]

Yes I saw that, it’s great and I think it makes a lot of sense!