1. Moves `unit` and `unit_node` tests to use file_test_runner.
1. Marks all spec, unit, and node_unit tests as flaky on the CI and
outputs when they're flaky so we can track it.
1. Reduces CI concurrency to 1 on 3 flaky test failures (for now...
would be more ideal to lower it slowly maybe, which is easily possible
with this pr)
1. Adds a 100ms delay between flaky test failures.
This change refines how the compiler normalizes and resolves source map
URLs. Now is handled embedded and external source maps.
This reduces false negatives when loading source maps and aligns the
behavior with the expected spec semantics.
This commit changes global `setTimeout` and `setInterval` APIs (along
their `clear*` counterparts) to use Node.js APIs instead of the Web
APIs.
For real world usage we expect no difference in code and behavior,
unless user relies on following checks:
```
const id = setTimeout(...);
if (typeof id === "number") {
// ...
}
```
In which case the conditional should be changed to `if (id)`
This commit adds "permission broker" functionality to the CLI.
Once broker is active (using `DENO_PERMISSION_BROKER_PATH` env var), any
time a permission is checked, instead of relying on the `--allow-*` flags, a
message is sent to the broker that is responsible for granting or denying the request.
The communication is a simple JSONL protocol and it is blocking. Any
mismatch in expected format will result in process termination. If the connection
is broken the process is terminated as well.
Example program run:
```
DENO_PERMISSION_BROKER_PATH=/tmp/deno_perm_broker.sock ./target/debug/deno run test_broker.ts
-> broker req {"v":1,"datetime":"2025-09-23T20:34:14.011647+00:00","permission":"read","value":"\"./README.md\""}
<- broker resp {"result":"allow"}
-> broker req {"v":1,"datetime":"2025-09-23T20:34:14.015288+00:00","permission":"read","value":"\"./Cargo.toml\""}
<- broker resp {"result":"allow"}
-> broker req {"v":1,"datetime":"2025-09-23T20:34:14.015659+00:00","permission":"write","value":"\"./scratch.txt\""}
<- broker resp {"result":"allow"}
-> broker req {"v":1,"datetime":"2025-09-23T20:34:14.016543+00:00","permission":"net","value":"\"0.0.0.0:8000\""}
<- broker resp {"result":"allow"}
Listening on http://0.0.0.0:8000/ (http://localhost:8000/)
-> broker req {"v":1,"datetime":"2025-09-23T20:34:14.018469+00:00","permission":"env","value":null}
<- broker resp {"result":"deny"}
error: Uncaught (in promise) NotCapable: Requires env access, run again with the --allow-env flag
console.log("env", Deno.env.toObject());
^
at Object.toObject (ext:deno_os/30_os.js:134:12)
at file:///Users/ib/dev/deno/test_broker.ts:10:29
```
Adds a `DENO_PERMISSIONS_AUDIT` env var to set the path for a JSONL
permission audit log, with contains the permission and value.
Additionally this can be combined with `DENO_TRACE_PERMISSIONS`, which
will then include the traces in the audit log too.
Fixes https://github.com/denoland/deno/issues/28903
Closes https://github.com/denoland/deno/issues/26190
- Adds a new option `unsafelyDisableHostnameVerification` to
`Deno.connectTls` and `Deno.startTls` to ignore DNS name mismatch errors
from rustls server verifier.
- Disable hostname verification in Node.js TLSSocket if
`checkServerIdentity` is a no-op.
---------
Signed-off-by: Divy Srivastava <dj.srivastava23@gmail.com>
Fixes#27264. Fixes https://github.com/denoland/deno/issues/28161.
Currently the new lockfile version is gated behind an unstable flag
(`--unstable-lockfile-v5`) until the next minor release, where it will
become the default.
The main motivation here is that it improves startup performance when
using the global cache or `--node-modules-dir=auto`.
In a create-next-app project, running an empty file:
```
❯ hyperfine --warmup 25 -N --setup "rm -f deno.lock" "deno run --node-modules-dir=auto -A empty.js" "deno-this-pr run --node-modules-dir=auto -A empty.js" "deno-this-pr run --node-modules-dir=auto --unstable-lockfile-v5 empty.js" "deno run --node-modules-dir=manual -A empty.js" "deno-this-pr run --node-modules-dir=manual -A empty.js"
Benchmark 1: deno run --node-modules-dir=auto -A empty.js
Time (mean ± σ): 247.6 ms ± 1.7 ms [User: 228.7 ms, System: 19.0 ms]
Range (min … max): 245.5 ms … 251.5 ms 12 runs
Benchmark 2: deno-this-pr run --node-modules-dir=auto -A empty.js
Time (mean ± σ): 169.8 ms ± 1.0 ms [User: 152.9 ms, System: 17.9 ms]
Range (min … max): 168.9 ms … 172.5 ms 17 runs
Benchmark 3: deno-this-pr run --node-modules-dir=auto --unstable-lockfile-v5 empty.js
Time (mean ± σ): 16.2 ms ± 0.7 ms [User: 12.3 ms, System: 5.7 ms]
Range (min … max): 15.2 ms … 19.2 ms 185 runs
Benchmark 4: deno run --node-modules-dir=manual -A empty.js
Time (mean ± σ): 16.2 ms ± 0.8 ms [User: 11.6 ms, System: 5.5 ms]
Range (min … max): 14.9 ms … 19.7 ms 187 runs
Benchmark 5: deno-this-pr run --node-modules-dir=manual -A empty.js
Time (mean ± σ): 16.0 ms ± 0.9 ms [User: 12.0 ms, System: 5.5 ms]
Range (min … max): 14.8 ms … 22.3 ms 190 runs
Warning: Statistical outliers were detected. Consider re-running this benchmark on a quiet system without any interferences from other programs. It might help to use the '--warmup' or '--prepare' options.
Summary
deno-this-pr run --node-modules-dir=manual -A empty.js ran
1.01 ± 0.08 times faster than deno run --node-modules-dir=manual -A empty.js
1.01 ± 0.07 times faster than deno-this-pr run --node-modules-dir=auto --unstable-lockfile-v5 empty.js
10.64 ± 0.60 times faster than deno-this-pr run --node-modules-dir=auto -A empty.js
15.51 ± 0.88 times faster than deno run --node-modules-dir=auto -A empty.js
```
When using the new lockfile version, this leads to a 15.5x faster
startup time compared to the current deno version.
Install times benefit as well, though to a lesser degree.
`deno install` on a create-next-app project, with everything cached
(just setting up node_modules from scratch):
```
❯ hyperfine --warmup 5 -N --prepare "rm -rf node_modules" --setup "rm -rf deno.lock" "deno i" "deno-this-pr i" "deno-this-pr i --unstable-lockfile-v5"
Benchmark 1: deno i
Time (mean ± σ): 464.4 ms ± 8.8 ms [User: 227.7 ms, System: 217.3 ms]
Range (min … max): 452.6 ms … 478.3 ms 10 runs
Benchmark 2: deno-this-pr i
Time (mean ± σ): 368.8 ms ± 22.0 ms [User: 150.8 ms, System: 198.1 ms]
Range (min … max): 344.8 ms … 397.6 ms 10 runs
Benchmark 3: deno-this-pr i --unstable-lockfile-v5
Time (mean ± σ): 211.9 ms ± 17.1 ms [User: 7.1 ms, System: 177.2 ms]
Range (min … max): 191.3 ms … 233.4 ms 10 runs
Summary
deno-this-pr i --unstable-lockfile-v5 ran
1.74 ± 0.17 times faster than deno-this-pr i
2.19 ± 0.18 times faster than deno i
```
With lockfile v5, a 2.19x faster install time compared to the current
deno.
This commit changes "Deno.cwd()" (as well as "process.cwd()") to no
longer require full "--allow-read" permission. This change was meant to be done
in Deno 2.0.0, but somehow it slipped. Requiring full read permission
just to read the CWD is a mistake, because CWD can already be obtained
with no permission by throwing an error in JS and inspecting its stack.
Fixes https://github.com/denoland/deno/issues/27110
---------
Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
Instead of hard erroring, we now surface module not found errors as
TypeScript diagnostics (we have yet to show the source code of the
error, but something we can improve over time).
Merging as a fix so that LTS gets this as it's a useful diagnostic tool.
The 1MB unique is because we deduplicate files that we store (ex. some
packages have the same file multiple times so we store that once).
I ended up changing the file system implementation to determine
its root directory as the last step of building it instead of being the
first step which makes it much more reliable.
This commit improves permission prompts by adding an option
to print a full trace of where the permissions is being requested.
Due to big performance hint of stack trace collection, this is only
enabled when `DENO_TRACE_PERMISSIONS` env var is present.
Closes https://github.com/denoland/deno/issues/20756
---------
Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
Support for Wasm modules.
Note this implements the standard where the default export is the
instance (not the module). The module will come later with source phase
imports.
```ts
import { add } from "./math.wasm";
console.log(add(1, 2));
```
