feat: add --allow-import flag (#25469)

This replaces `--allow-net` for import permissions and makes the
security sandbox stricter by also checking permissions for statically
analyzable imports.

By default, this has a value of
`--allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443`,
but that can be overridden by providing a different set of hosts.

Additionally, when no value is provided, import permissions are inferred
from the CLI arguments so the following works because
`fresh.deno.dev:443` will be added to the list of allowed imports:

```ts
deno run -A -r https://fresh.deno.dev
```

---------

Co-authored-by: David Sherret <dsherret@gmail.com>

tests/specs/npm/node_modules_dir_with_deps/__test__.jsonc

@@ -0,0 +1,9 @@
+{
+  "tempDir": true,
+  "args": "run --allow-read --allow-env --node-modules-dir=auto cjs_with_deps/main.js",
+  "output": "cjs_with_deps/main_node_modules.out",
+  "envs": {
+    "NO_COLOR": "1",
+    "NPM_CONFIG_REGISTRY": "http://localhost:4260/"
+  }
+}

tests/specs/npm/node_modules_dir_with_deps/cjs_with_deps/main.js

@@ -0,0 +1,12 @@
+import chalk from "npm:chalk@4";
+import { expect } from "npm:chai@4.3";
+
+console.log(chalk.green("chalk cjs loads"));
+
+const timeout = setTimeout(() => {}, 0);
+expect(timeout).to.be.a("number");
+clearTimeout(timeout);
+
+const interval = setInterval(() => {}, 100);
+expect(interval).to.be.a("number");
+clearInterval(interval);

tests/specs/npm/node_modules_dir_with_deps/cjs_with_deps/main.out

@@ -0,0 +1,33 @@
+[UNORDERED_START]
+Download http://localhost:4260/chalk
+Download http://localhost:4260/chai
+Download http://localhost:4260/ansi-styles
+Download http://localhost:4260/supports-color
+Download http://localhost:4260/assertion-error
+Download http://localhost:4260/check-error
+Download http://localhost:4260/deep-eql
+Download http://localhost:4260/get-func-name
+Download http://localhost:4260/loupe
+Download http://localhost:4260/pathval
+Download http://localhost:4260/type-detect
+Download http://localhost:4260/color-convert
+Download http://localhost:4260/has-flag
+Download http://localhost:4260/color-name
+[UNORDERED_END]
+[UNORDERED_START]
+Download http://localhost:4260/ansi-styles/ansi-styles-4.3.0.tgz
+Download http://localhost:4260/assertion-error/assertion-error-1.1.0.tgz
+Download http://localhost:4260/chai/chai-4.3.6.tgz
+Download http://localhost:4260/chalk/chalk-4.1.2.tgz
+Download http://localhost:4260/check-error/check-error-1.0.2.tgz
+Download http://localhost:4260/color-convert/color-convert-2.0.1.tgz
+Download http://localhost:4260/color-name/color-name-1.1.4.tgz
+Download http://localhost:4260/deep-eql/deep-eql-3.0.1.tgz
+Download http://localhost:4260/get-func-name/get-func-name-2.0.0.tgz
+Download http://localhost:4260/has-flag/has-flag-4.0.0.tgz
+Download http://localhost:4260/loupe/loupe-2.3.4.tgz
+Download http://localhost:4260/pathval/pathval-1.1.1.tgz
+Download http://localhost:4260/supports-color/supports-color-7.2.0.tgz
+Download http://localhost:4260/type-detect/type-detect-4.0.8.tgz
+[UNORDERED_END]
+chalk cjs loads

tests/specs/npm/node_modules_dir_with_deps/cjs_with_deps/main_info.out

@@ -0,0 +1,22 @@
+local: [WILDCARD]main.js
+type: JavaScript
+dependencies: 14 unique
+size: [WILDCARD]
+
+file:///[WILDCARD]/npm/cjs_with_deps/main.js ([WILDCARD])
+├─┬ npm:/chalk@4.1.2 ([WILDCARD])
+│ ├─┬ npm:/ansi-styles@4.3.0 ([WILDCARD])
+│ │ └─┬ npm:/color-convert@2.0.1 ([WILDCARD])
+│ │   └── npm:/color-name@1.1.4 ([WILDCARD])
+│ └─┬ npm:/supports-color@7.2.0 ([WILDCARD])
+│   └── npm:/has-flag@4.0.0 ([WILDCARD])
+└─┬ npm:/chai@4.3.6 ([WILDCARD])
+  ├── npm:/assertion-error@1.1.0 ([WILDCARD])
+  ├── npm:/check-error@1.0.2 ([WILDCARD])
+  ├─┬ npm:/deep-eql@3.0.1 ([WILDCARD])
+  │ └── npm:/type-detect@4.0.8 ([WILDCARD])
+  ├── npm:/get-func-name@2.0.0 ([WILDCARD])
+  ├─┬ npm:/loupe@2.3.4 ([WILDCARD])
+  │ └── npm:/get-func-name@2.0.0 ([WILDCARD])
+  ├── npm:/pathval@1.1.1 ([WILDCARD])
+  └── npm:/type-detect@4.0.8 ([WILDCARD])

tests/specs/npm/node_modules_dir_with_deps/cjs_with_deps/main_info_json.out

@@ -0,0 +1,148 @@
+{
+  "roots": [
+    "file://[WILDCARD]/main.js"
+  ],
+  "modules": [
+    {
+      "kind": "esm",
+      "dependencies": [
+        {
+          "specifier": "npm:chalk@4",
+          "code": {
+            "specifier": "npm:chalk@4",
+            "span": {
+              "start": {
+                "line": 0,
+                "character": 18
+              },
+              "end": {
+                "line": 0,
+                "character": 31
+              }
+            }
+          },
+          "npmPackage": "chalk@4.1.2"
+        },
+        {
+          "specifier": "npm:chai@4.3",
+          "code": {
+            "specifier": "npm:chai@4.3",
+            "span": {
+              "start": {
+                "line": 1,
+                "character": 23
+              },
+              "end": {
+                "line": 1,
+                "character": 37
+              }
+            }
+          },
+          "npmPackage": "chai@4.3.6"
+        }
+      ],
+      "local": "[WILDCARD]main.js",
+      "size": 325,
+      "mediaType": "JavaScript",
+      "specifier": "[WILDCARD]/main.js"
+    }
+  ],
+  "redirects": {
+    "npm:chai@4.3": "npm:/chai@4.3.6",
+    "npm:chalk@4": "npm:/chalk@4.1.2"
+  },
+  "version": 1,
+  "npmPackages": {
+    "ansi-styles@4.3.0": {
+      "name": "ansi-styles",
+      "version": "4.3.0",
+      "dependencies": [
+        "color-convert@2.0.1"
+      ]
+    },
+    "assertion-error@1.1.0": {
+      "name": "assertion-error",
+      "version": "1.1.0",
+      "dependencies": []
+    },
+    "chai@4.3.6": {
+      "name": "chai",
+      "version": "4.3.6",
+      "dependencies": [
+        "assertion-error@1.1.0",
+        "check-error@1.0.2",
+        "deep-eql@3.0.1",
+        "get-func-name@2.0.0",
+        "loupe@2.3.4",
+        "pathval@1.1.1",
+        "type-detect@4.0.8"
+      ]
+    },
+    "chalk@4.1.2": {
+      "name": "chalk",
+      "version": "4.1.2",
+      "dependencies": [
+        "ansi-styles@4.3.0",
+        "supports-color@7.2.0"
+      ]
+    },
+    "check-error@1.0.2": {
+      "name": "check-error",
+      "version": "1.0.2",
+      "dependencies": []
+    },
+    "color-convert@2.0.1": {
+      "name": "color-convert",
+      "version": "2.0.1",
+      "dependencies": [
+        "color-name@1.1.4"
+      ]
+    },
+    "color-name@1.1.4": {
+      "name": "color-name",
+      "version": "1.1.4",
+      "dependencies": []
+    },
+    "deep-eql@3.0.1": {
+      "name": "deep-eql",
+      "version": "3.0.1",
+      "dependencies": [
+        "type-detect@4.0.8"
+      ]
+    },
+    "get-func-name@2.0.0": {
+      "name": "get-func-name",
+      "version": "2.0.0",
+      "dependencies": []
+    },
+    "has-flag@4.0.0": {
+      "name": "has-flag",
+      "version": "4.0.0",
+      "dependencies": []
+    },
+    "loupe@2.3.4": {
+      "name": "loupe",
+      "version": "2.3.4",
+      "dependencies": [
+        "get-func-name@2.0.0"
+      ]
+    },
+    "pathval@1.1.1": {
+      "name": "pathval",
+      "version": "1.1.1",
+      "dependencies": []
+    },
+    "supports-color@7.2.0": {
+      "name": "supports-color",
+      "version": "7.2.0",
+      "dependencies": [
+        "has-flag@4.0.0"
+      ]
+    },
+    "type-detect@4.0.8": {
+      "name": "type-detect",
+      "version": "4.0.8",
+      "dependencies": []
+    }
+  }
+}

tests/specs/npm/node_modules_dir_with_deps/cjs_with_deps/main_node_modules.out

@@ -0,0 +1,47 @@
+[UNORDERED_START]
+Download http://localhost:4260/chalk
+Download http://localhost:4260/chai
+Download http://localhost:4260/ansi-styles
+Download http://localhost:4260/supports-color
+Download http://localhost:4260/assertion-error
+Download http://localhost:4260/check-error
+Download http://localhost:4260/deep-eql
+Download http://localhost:4260/get-func-name
+Download http://localhost:4260/loupe
+Download http://localhost:4260/pathval
+Download http://localhost:4260/type-detect
+Download http://localhost:4260/color-convert
+Download http://localhost:4260/has-flag
+Download http://localhost:4260/color-name
+[UNORDERED_END]
+[UNORDERED_START]
+Download http://localhost:4260/ansi-styles/ansi-styles-4.3.0.tgz
+Initialize ansi-styles@4.3.0
+Download http://localhost:4260/assertion-error/assertion-error-1.1.0.tgz
+Initialize assertion-error@1.1.0
+Download http://localhost:4260/chai/chai-4.3.6.tgz
+Initialize chai@4.3.6
+Download http://localhost:4260/chalk/chalk-4.1.2.tgz
+Initialize chalk@4.1.2
+Download http://localhost:4260/check-error/check-error-1.0.2.tgz
+Initialize check-error@1.0.2
+Download http://localhost:4260/color-convert/color-convert-2.0.1.tgz
+Initialize color-convert@2.0.1
+Download http://localhost:4260/color-name/color-name-1.1.4.tgz
+Initialize color-name@1.1.4
+Download http://localhost:4260/deep-eql/deep-eql-3.0.1.tgz
+Initialize deep-eql@3.0.1
+Download http://localhost:4260/get-func-name/get-func-name-2.0.0.tgz
+Initialize get-func-name@2.0.0
+Download http://localhost:4260/has-flag/has-flag-4.0.0.tgz
+Initialize has-flag@4.0.0
+Download http://localhost:4260/loupe/loupe-2.3.4.tgz
+Initialize loupe@2.3.4
+Download http://localhost:4260/pathval/pathval-1.1.1.tgz
+Initialize pathval@1.1.1
+Download http://localhost:4260/supports-color/supports-color-7.2.0.tgz
+Initialize supports-color@7.2.0
+Download http://localhost:4260/type-detect/type-detect-4.0.8.tgz
+Initialize type-detect@4.0.8
+[UNORDERED_END]
+chalk cjs loads