feat: add --allow-import flag (#25469)

This replaces `--allow-net` for import permissions and makes the
security sandbox stricter by also checking permissions for statically
analyzable imports.

By default, this has a value of
`--allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443`,
but that can be overridden by providing a different set of hosts.

Additionally, when no value is provided, import permissions are inferred
from the CLI arguments so the following works because
`fresh.deno.dev:443` will be added to the list of allowed imports:

```ts
deno run -A -r https://fresh.deno.dev
```

---------

Co-authored-by: David Sherret <dsherret@gmail.com>

tests/specs/npm/node_modules_dir_yargs/__test__.jsonc

@@ -0,0 +1,9 @@
+{
+  "tempDir": true,
+  "args": "run --allow-read --allow-env --node-modules-dir=auto cjs_yargs/main.js",
+  "output": "cjs_yargs/main.out",
+  "envs": {
+    "NO_COLOR": "1",
+    "NPM_CONFIG_REGISTRY": "http://localhost:4260/"
+  }
+}

tests/specs/npm/node_modules_dir_yargs/cjs_yargs/main.js

@@ -0,0 +1,20 @@
+import yargs from "npm:yargs@15.4.1";
+
+const args = yargs(["serve", "8000"])
+  .command("serve [port]", "start the server", (yargs) => {
+    return yargs
+      .positional("port", {
+        describe: "port to bind on",
+        default: 5000,
+      });
+  }, (argv) => {
+    console.info(`start server on :${argv.port}`);
+  })
+  .option("verbose", {
+    alias: "v",
+    type: "boolean",
+    description: "Run with verbose logging",
+  })
+  .argv;
+
+console.log(args);

tests/specs/npm/node_modules_dir_yargs/cjs_yargs/main.out

@@ -0,0 +1,84 @@
+[UNORDERED_START]
+Download http://localhost:4260/yargs
+Download http://localhost:4260/cliui
+Download http://localhost:4260/decamelize
+Download http://localhost:4260/find-up
+Download http://localhost:4260/get-caller-file
+Download http://localhost:4260/require-directory
+Download http://localhost:4260/require-main-filename
+Download http://localhost:4260/set-blocking
+Download http://localhost:4260/string-width
+Download http://localhost:4260/which-module
+Download http://localhost:4260/y18n
+Download http://localhost:4260/yargs-parser
+Download http://localhost:4260/strip-ansi
+Download http://localhost:4260/wrap-ansi
+Download http://localhost:4260/locate-path
+Download http://localhost:4260/path-exists
+Download http://localhost:4260/emoji-regex
+Download http://localhost:4260/is-fullwidth-code-point
+Download http://localhost:4260/camelcase
+Download http://localhost:4260/ansi-regex
+Download http://localhost:4260/ansi-styles
+Download http://localhost:4260/p-locate
+Download http://localhost:4260/color-convert
+Download http://localhost:4260/p-limit
+Download http://localhost:4260/color-name
+Download http://localhost:4260/p-try
+[UNORDERED_END]
+[UNORDERED_START]
+Download http://localhost:4260/ansi-regex/ansi-regex-5.0.1.tgz
+Initialize ansi-regex@5.0.1
+Download http://localhost:4260/ansi-styles/ansi-styles-4.3.0.tgz
+Initialize ansi-styles@4.3.0
+Download http://localhost:4260/camelcase/camelcase-5.3.1.tgz
+Initialize camelcase@5.3.1
+Download http://localhost:4260/cliui/cliui-6.0.0.tgz
+Initialize cliui@6.0.0
+Download http://localhost:4260/color-convert/color-convert-2.0.1.tgz
+Initialize color-convert@2.0.1
+Download http://localhost:4260/color-name/color-name-1.1.4.tgz
+Initialize color-name@1.1.4
+Download http://localhost:4260/decamelize/decamelize-1.2.0.tgz
+Initialize decamelize@1.2.0
+Download http://localhost:4260/emoji-regex/emoji-regex-8.0.0.tgz
+Initialize emoji-regex@8.0.0
+Download http://localhost:4260/find-up/find-up-4.1.0.tgz
+Initialize find-up@4.1.0
+Download http://localhost:4260/get-caller-file/get-caller-file-2.0.5.tgz
+Initialize get-caller-file@2.0.5
+Download http://localhost:4260/is-fullwidth-code-point/is-fullwidth-code-point-3.0.0.tgz
+Initialize is-fullwidth-code-point@3.0.0
+Download http://localhost:4260/locate-path/locate-path-5.0.0.tgz
+Initialize locate-path@5.0.0
+Download http://localhost:4260/p-limit/p-limit-2.3.0.tgz
+Initialize p-limit@2.3.0
+Download http://localhost:4260/p-locate/p-locate-4.1.0.tgz
+Initialize p-locate@4.1.0
+Download http://localhost:4260/p-try/p-try-2.2.0.tgz
+Initialize p-try@2.2.0
+Download http://localhost:4260/path-exists/path-exists-4.0.0.tgz
+Initialize path-exists@4.0.0
+Download http://localhost:4260/require-directory/require-directory-2.1.1.tgz
+Initialize require-directory@2.1.1
+Download http://localhost:4260/require-main-filename/require-main-filename-2.0.0.tgz
+Initialize require-main-filename@2.0.0
+Download http://localhost:4260/set-blocking/set-blocking-2.0.0.tgz
+Initialize set-blocking@2.0.0
+Download http://localhost:4260/string-width/string-width-4.2.3.tgz
+Initialize string-width@4.2.3
+Download http://localhost:4260/strip-ansi/strip-ansi-6.0.1.tgz
+Initialize strip-ansi@6.0.1
+Download http://localhost:4260/which-module/which-module-2.0.0.tgz
+Initialize which-module@2.0.0
+Download http://localhost:4260/wrap-ansi/wrap-ansi-6.2.0.tgz
+Initialize wrap-ansi@6.2.0
+Download http://localhost:4260/y18n/y18n-4.0.3.tgz
+Initialize y18n@4.0.3
+Download http://localhost:4260/yargs/yargs-15.4.1.tgz
+Initialize yargs@15.4.1
+Download http://localhost:4260/yargs-parser/yargs-parser-18.1.3.tgz
+Initialize yargs-parser@18.1.3
+[UNORDERED_END]
+start server on :8000
+[WILDCARD]