Use minimum system permissions necessary

task.ts and ci.ts works as wrappers to execute the real CLI script (cli.ts). This wrapper fixes different issues. So, restricting permissions to these files has no effect to cli.ts(AFAIK, permissions are not propagated between childprocesses: a file with only --allow-run could run a script passing the --allow-all argument).

The use cases are so variable that this is the reason I’ve decided to run cli.ts with --allow-all, for example:

• Sites that fetch data from an external API, needs allow-net or allow-net=api-url.
• Sites that have different configurations depending on the environment variables (like ENV=dev) needs --allow-env.
• Sites that need to run some scripts during the build needs --allow-run
• Sites that use some binary libraries connected with ffi needs --allow-ffi.
• Sites that use WebAssembly libraries needs --allow-read to read the WebAssembly file.

Restricting the permissions right now can break many sites. I think it’s better to let the users configure the permisisions once Deno team implements permission configuration in the deno.json file. In Lume 2.0 I’m planning to remove these wrapper files and depend only on deno.json that will be mandatory (unlike now, that both deno.json and import_map.json files are optional).

If you’re concerned about that, the correct way to apply permissions is by running the cli.ts file directly. You can create a task like this:

{
  "importMap": "import_map.json",
  "tasks": {
    "lume": "deno run --unstable --allow-read=./ --allow-write=./ --allow-net=localhost https://lume.land/x/lume@1.11.4/cli.ts",
    "build": "deno task lume",
    "serve": "deno task lume -s"
  }
}

This conversation makes me think that a Permissions section in the documentation website would be really useful for users that want to restrict these permissions.

Permissions are explained here: https://lume.land/docs/advanced/permissions/ Closing this.