feat: add --allow-import flag (#25469)

This replaces `--allow-net` for import permissions and makes the
security sandbox stricter by also checking permissions for statically
analyzable imports.

By default, this has a value of
`--allow-import=deno.land:443,jsr.io:443,esm.sh:443,raw.githubusercontent.com:443,gist.githubusercontent.com:443`,
but that can be overridden by providing a different set of hosts.

Additionally, when no value is provided, import permissions are inferred
from the CLI arguments so the following works because
`fresh.deno.dev:443` will be added to the list of allowed imports:

```ts
deno run -A -r https://fresh.deno.dev
```

---------

Co-authored-by: David Sherret <dsherret@gmail.com>

tests/specs/npm/nonexistent_file_node_modules_dir/__test__.jsonc

@@ -0,0 +1,10 @@
+{
+  "tempDir": true,
+  "args": "run -A --quiet --node-modules-dir nonexistent_file/main.js",
+  "output": "nonexistent_file/main.out",
+  "envs": {
+    "NO_COLOR": "1",
+    "NPM_CONFIG_REGISTRY": "http://localhost:4260/"
+  },
+  "exitCode": 1
+}

tests/specs/npm/nonexistent_file_node_modules_dir/nonexistent_file/main.js

@@ -0,0 +1,2 @@
+import hmacSHA512 from "npm:crypto-js/non-existent";
+console.log(hmacSHA512);

tests/specs/npm/nonexistent_file_node_modules_dir/nonexistent_file/main.out

@@ -0,0 +1,4 @@
+error: Unable to load [WILDCARD]non-existent imported from [WILDCARD]main.js
+
+Caused by:
+[WILDCARD]