fix: reconnect WebPermissions system and upgrade deno dependencies

Author: chaizhenhua

Cargo.lock

@@ -169,9 +169,9 @@ async-trait = "^0.1.89"
 paste = "1.0.15"
 
 # The deno runtime itself, and the webidl extension for the web APIs
-deno_core = "^0.376.0"
+deno_core = "^0.380.1"
 deno_error = "=0.7.1"
-deno_features = "^0.23.0"
+deno_features = "^0.25.0"
 
 # For transpiling typescript
 deno_ast = { version = "^0.52.0", features = ["transpiling", "cjs"] }
@@ -189,7 +189,7 @@ rustls = {version = "0.23.28", optional = true}
 # Upgraded to support axum 0.8+
 reqwest = { version = "^0.12.20", optional = true, default-features = false, features = ["blocking", "rustls-tls"] }
 http = { version = "^1.0", optional = true }
-deno_permissions = { version = "^0.85.0", optional = true }
+deno_permissions       = { version = "^0.87.0", optional = true }
 
 
 #
@@ -199,29 +199,29 @@ deno_permissions = { version = "^0.85.0", optional = true }
 deno_broadcast_channel = { version = "^0.216.0", optional = true }
 uuid = { version = "1.10.0", optional = true, features = ["v4"] }
 
-deno_bundle_runtime = { version = "^0.13.0", optional = true }
-deno_cache      = { version = "^0.159.0", optional = true }
+deno_bundle_runtime = { version = "^0.15.0", optional = true }
+deno_cache      = { version = "^0.161.0", optional = true }
 deno_console    = { version = "^0.222.0", optional = true }
-deno_cron       = { version = "^0.106.0", optional = true }
-deno_crypto     = { version = "^0.240.0", optional = true }
-deno_fetch      = { version = "^0.250.0", optional = true }
-deno_ffi        = { version = "^0.213.0", optional = true }
-deno_fs         = { version = "^0.136.0", optional = true, features = ["sync_fs"] }
-deno_http       = { version = "^0.224.0", optional = true }
-deno_kv         = { version = "^0.134.0", optional = true }
-deno_net        = { version = "^0.218.0", optional = true }
-deno_node       = { version = "^0.164.0", optional = true }
-deno_tls        = { version = "^0.213.0", optional = true }
+deno_cron       = { version = "^0.108.0", optional = true }
+deno_crypto     = { version = "^0.242.0", optional = true }
+deno_fetch      = { version = "^0.252.0", optional = true }
+deno_ffi        = { version = "^0.215.0", optional = true }
+deno_fs         = { version = "^0.138.0", optional = true, features = ["sync_fs"] }
+deno_http       = { version = "^0.226.0", optional = true }
+deno_kv         = { version = "^0.136.0", optional = true }
+deno_net        = { version = "^0.220.0", optional = true }
+deno_node       = { version = "^0.166.0", optional = true }
+deno_tls        = { version = "^0.215.0", optional = true }
 deno_url        = { version = "^0.222.0", optional = true }
 
-deno_web        = { version = "^0.257.0", optional = true }
-deno_webidl     = { version = "^0.226.0", optional = true }
-deno_webstorage = { version = "^0.221.0", optional = true }
-deno_websocket  = { version = "^0.231.0", optional = true }
-deno_webgpu     = { version = "^0.193.0", optional = true }
+deno_web        = { version = "^0.259.0", optional = true }
+deno_webidl     = { version = "^0.228.0", optional = true }
+deno_webstorage = { version = "^0.223.0", optional = true }
+deno_websocket  = { version = "^0.233.0", optional = true }
+deno_webgpu     = { version = "^0.195.0", optional = true }
 
-deno_io = { version = "^0.136.0", optional = true }
-deno_telemetry  = { version = "^0.48.0", optional = true }
+deno_io = { version = "^0.138.0", optional = true }
+deno_telemetry  = { version = "^0.50.0", optional = true }
 
 # Dependencies for the IO feature
 rustyline = {version = "=13.0.0", optional = true}
@@ -238,17 +238,17 @@ once_cell = {version = "^1.17.1", optional = true}
 base64-simd = {version = "0.8.0", optional = true}
 
 # Dependencies for the node feature
-deno_resolver = { version = "^0.57.0", optional = true }
-node_resolver = { version = "^0.64.0", optional = true, features = ["sync"] }
-deno_runtime  = { version = "^0.234.0", optional = true, features = ["exclude_runtime_main_js"] }
+deno_resolver       = { version = "^0.59.0", optional = true }
+node_resolver       = { version = "^0.66.0", optional = true, features = ["sync"] }
+deno_runtime       = { version = "^0.236.0", optional = true, features = ["exclude_runtime_main_js"] }
 deno_terminal = { version = "^0.2.3", optional = true }
 deno_semver   = { version = "^0.9.1", optional = true }
-deno_napi     = { version = "^0.157.0", optional = true }
-deno_npm      = { version = "^0.42.2", optional = true }
-deno_process  = { version = "^0.41.0", optional = true }
-deno_package_json = { version = "^0.28.0", optional = true }
+deno_napi     = { version = "^0.159.0", optional = true }
+deno_npm      = { version = "^0.43.0", optional = true }
+deno_process       = { version = "^0.43.0", optional = true }
+deno_package_json       = { version = "^0.30.0", optional = true }
 checksum      = { version = "0.2.1", optional = true }
-sys_traits    = { version = "=0.1.17", optional = true, features = ["libc", "real", "winapi"] }
+sys_traits    = { version = "=0.1.22", optional = true, features = ["libc", "real", "winapi"] }
 
 [dev-dependencies]
 version-sync = "0.9.5"

Cargo.toml

@@ -12,15 +12,24 @@ use deno_telemetry::OtelConfig;
 use sys_traits::impls::RealSys;
 
 use super::{
-    node::resolvers::RustyResolver, web::PermissionsContainer, ExtensionOptions, ExtensionTrait,
+    node::resolvers::RustyResolver, web::PermissionsContainer, web::to_permissions_options,
+    ExtensionOptions, ExtensionTrait,
 };
 use crate::module_loader::{LoaderOptions, RustyLoader};
 
 fn build_permissions(
     permissions_container: &PermissionsContainer,
 ) -> ::deno_permissions::PermissionsContainer {
     let parser = Arc::new(RuntimePermissionDescriptorParser::<RealSys>::new(RealSys));
-    ::deno_permissions::PermissionsContainer::new(parser, Permissions::allow_all())
+    let opts = to_permissions_options(permissions_container.0.as_ref());
+
+    match Permissions::from_options(&*parser, &opts) {
+        Ok(perms) => ::deno_permissions::PermissionsContainer::new(parser, perms),
+        Err(_) => {
+            // Fallback for backward compatibility
+            ::deno_permissions::PermissionsContainer::new(parser, Permissions::allow_all())
+        }
+    }
 }
 
 // Some of the polyfills reference the denoland/deno runtime directly

examples/test_borrow_mut_error.rs

@@ -11,7 +11,8 @@ mod permissions;
 pub(crate) use permissions::PermissionsContainer;
 pub use permissions::{
     AllowlistWebPermissions, CheckedPath, DefaultWebPermissions, PermissionCheckError,
-    PermissionDeniedError, SystemsPermissionKind, WebPermissions,
+    PermissionDeniedError, PermissionsOptions, SystemsPermissionKind, WebPermissions,
+    to_permissions_options,
 };
 
 /// Stub for a node op deno_net expects to find
@@ -114,10 +115,14 @@ extension!(
         permissions: Arc<dyn WebPermissions>
     },
     state = |state, config| {
-        state.put(PermissionsContainer(config.permissions));
+        state.put(PermissionsContainer(config.permissions.clone()));
         if !state.has::<deno_permissions::PermissionsContainer>() {
             let parser = Arc::new(deno_permissions::RuntimePermissionDescriptorParser::new(sys_traits::impls::RealSys));
-            let permissions = deno_permissions::PermissionsContainer::allow_all(parser);
+            let opts = permissions::to_permissions_options(config.permissions.as_ref());
+            let permissions = match deno_permissions::Permissions::from_options(&*parser, &opts) {
+                Ok(p) => deno_permissions::PermissionsContainer::new(parser, p),
+                Err(_) => deno_permissions::PermissionsContainer::allow_all(parser),
+            };
             state.put(permissions);
         }
     },

src/ext/runtime/mod.rs

@@ -7,6 +7,7 @@ use std::{
 
 pub use deno_permissions::{
     CheckedPath, PermissionCheckError, PermissionDeniedError, PermissionState,
+    PermissionsOptions,
 };
 
 pub fn oops(msg: impl std::fmt::Display) -> PermissionCheckError {
@@ -639,3 +640,70 @@ impl_sys_permission_kinds!(
 #[allow(dead_code)]
 #[derive(Clone, Debug)]
 pub struct PermissionsContainer(pub Arc<dyn WebPermissions>);
+
+/// Convert WebPermissions to deno_permissions::PermissionsOptions
+///
+/// This function probes the WebPermissions trait methods to determine
+/// what should be allowed, then converts to PermissionsOptions format.
+///
+/// - For `DefaultWebPermissions` (or equivalent allow-all): returns options that allow everything
+/// - For restrictive permissions (e.g., `AllowlistWebPermissions`): returns options that deny by default
+pub fn to_permissions_options(perms: &dyn WebPermissions) -> PermissionsOptions {
+    // Probe to detect if this is an allow-all implementation
+    // We test multiple permission categories to be thorough
+    let is_allow_all = perms.allow_hrtime()
+        && perms.check_read_all(None).is_ok()
+        && perms.check_write_all("probe").is_ok()
+        && perms.check_host("0.0.0.0", Some(0), "probe").is_ok()
+        && perms.check_env("__PROBE__").is_ok()
+        && perms.check_exec().is_ok();
+
+    if is_allow_all {
+        // DefaultWebPermissions or equivalent - allow everything
+        PermissionsOptions {
+            allow_read: Some(vec![]),
+            deny_read: None,
+            ignore_read: None,
+            allow_write: Some(vec![]),
+            deny_write: None,
+            allow_net: Some(vec![]),
+            deny_net: None,
+            allow_env: Some(vec![]),
+            deny_env: None,
+            ignore_env: None,
+            allow_sys: Some(vec![]),
+            deny_sys: None,
+            allow_ffi: Some(vec![]),
+            deny_ffi: None,
+            allow_run: Some(vec![]),
+            deny_run: None,
+            allow_import: Some(vec![]),
+            deny_import: None,
+            prompt: false,
+        }
+    } else {
+        // Restrictive permissions - deny everything by default
+        // The deno extensions will check permissions and deny operations
+        PermissionsOptions {
+            allow_read: None,
+            deny_read: None,
+            ignore_read: None,
+            allow_write: None,
+            deny_write: None,
+            allow_net: None,
+            deny_net: None,
+            allow_env: None,
+            deny_env: None,
+            ignore_env: None,
+            allow_sys: None,
+            deny_sys: None,
+            allow_ffi: None,
+            deny_ffi: None,
+            allow_run: None,
+            deny_run: None,
+            allow_import: Some(vec![]), // Allow imports by default for module loading
+            deny_import: None,
+            prompt: false,
+        }
+    }
+}

src/ext/web/mod.rs

@@ -407,7 +407,8 @@ pub use ext::node::resolvers::RustyResolver;
 #[cfg_attr(docsrs, doc(cfg(feature = "web")))]
 pub use ext::web::{
     AllowlistWebPermissions, CheckedPath, DefaultWebPermissions, PermissionCheckError,
-    PermissionDeniedError, SystemsPermissionKind, WebOptions, WebPermissions,
+    PermissionDeniedError, PermissionsOptions, SystemsPermissionKind, WebOptions, WebPermissions,
+    to_permissions_options,
 };
 pub use ext::ExtensionOptions;
 

src/ext/web/permissions.rs

@@ -149,7 +149,7 @@ mod runtime_macros {
     ///     rustyscript.register_entrypoint(load);
     /// ");
     ///
-    /// Runtime::execute_module(
+    /// Runtime::execute_module::<()>(
     ///     &module, vec![],
     ///     Default::default(),
     ///     json_args!("test", 5)
@@ -186,7 +186,7 @@ mod runtime_macros {
     ///     rustyscript.register_entrypoint(load);
     /// ");
     ///
-    /// Runtime::execute_module(
+    /// Runtime::execute_module::<()>(
     ///     &module, vec![],
     ///     Default::default(),
     ///     big_json_args!("test", 5)