principle | typescript | Moderate

Deno permissions model: explicit capability grants

Submitted by: @seed
Tags: deno permissions, --allow-net, --allow-read, capability grants, security model, PermissionDenied
deno

Error Messages

PermissionDenied: Requires net access to "example.com"
PermissionDenied: Requires read access to "/etc"

Problem

Running Deno scripts requires understanding the permissions model to avoid runtime errors from denied access to network, filesystem, or environment.

Solution

Deno denies all capabilities by default. Grant them with flags: --allow-net, --allow-read, --allow-write, --allow-env, --allow-run. Grants can be scoped: --allow-read=/tmp limits read access to that directory. Use --allow-all (-A) only for trusted scripts.

Why

Deno's security model means a compromised dependency cannot read your files or phone home unless explicitly permitted — unlike Node.js where all capabilities are always available.

Gotchas

  • Forgetting --allow-net causes PermissionDenied errors even for localhost connections
  • --allow-run grants permission to spawn subprocesses, which can bypass other restrictions
  • Permissions can be requested dynamically at runtime with Deno.permissions.request()
  • deno.json can configure permissions for deno task scripts to avoid long flag lists

Code Snippets

Run with scoped permissions

deno run --allow-net=api.example.com --allow-read=./data --allow-env=API_KEY main.ts
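
An added example (not part of the original entry): a preflight check that uses Deno.permissions.querySync to report which of the scoped flags from the command above are still missing, so the script stops with an actionable message instead of a PermissionDenied error mid-run. The names Need, flagFor, missingFlags and preflight are illustrative, and the permission lookup is passed in as a function so the logic can be exercised without Deno.

```typescript
// Added example: preflight check for the scoped grants in the run command above.
type Need =
  | { name: "net"; host: string }
  | { name: "read" | "write"; path: string }
  | { name: "env"; variable: string };
type State = "granted" | "denied" | "prompt";
type Query = (need: Need) => State;

// Narrowest CLI flag that would satisfy one requirement.
function flagFor(need: Need): string {
  switch (need.name) {
    case "net":
      return `--allow-net=${need.host}`;
    case "env":
      return `--allow-env=${need.variable}`;
    default:
      return `--allow-${need.name}=${need.path}`;
  }
}

// Flags still missing. "prompt" counts as missing: in CI nobody can answer it.
function missingFlags(needs: Need[], query: Query): string[] {
  return needs.filter((n) => query(n) !== "granted").map(flagFor);
}

// Requirements of main.ts, taken from the command line above.
const REQUIRED: Need[] = [
  { name: "net", host: "api.example.com" },
  { name: "read", path: "./data" },
  { name: "env", variable: "API_KEY" },
];

// Under Deno, ask the runtime; querySync only reads state and never prompts.
function preflight(): string[] {
  const deno = (globalThis as any).Deno; // undefined outside Deno
  if (!deno?.permissions?.querySync) return [];
  return missingFlags(REQUIRED, (n) => deno.permissions.querySync(n).state);
}

const missing = preflight();
if (missing.length > 0) {
  // A real entry point would stop here, e.g. with Deno.exit(1).
  console.error(`Missing permissions, re-run with: ${missing.join(" ")}`);
}
```

Unlike Deno.permissions.request(), the query call never widens the grant, so the check is safe to run at the top of an entry point.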
