denoland/deno

Add import.meta.config or similar to access deno.json fields at compile time

jfernandez opened this issue · 1 comment

Feature Request: Access deno.json fields via import.meta

Problem

Currently, there's no efficient way to access deno.json configuration fields (like version) at compile time without runtime overhead or additional permissions. This is a common need for CLI applications that want to display their version while maintaining minimal security permissions.

Security Concerns with Current Workarounds

  1. Runtime JSON import: import config from "./deno.json" with { type: "json" };
    • Requires --allow-read permission for deno.json
    • Expands attack surface unnecessarily for simple metadata access
    • Has runtime parsing overhead
  2. Hardcoded values: const VERSION = "1.0.0";
    • Requires manual sync with deno.json
    • Error-prone when versions get out of sync
  3. Build scripts: Generate version files
    • Adds complexity to build process
    • Still may require additional read permissions

Proposed Solution

Add import.meta.config or similar API to access deno.json fields at compile time, similar to how import.meta.main, import.meta.url, etc. work.

Example usage:

console.log(import.meta.config.version); // "1.0.0" from deno.json
console.log(import.meta.config.name);    // "my-app" from deno.json

Benefits

  • Zero runtime overhead (resolved at compile time)
  • No additional permissions required (compile-time resolution)
  • Always in sync with deno.json
  • Minimal attack surface - no runtime file system access needed
  • Simple, intuitive API consistent with existing import.meta properties

Use Cases

  • Security-conscious CLI applications that need version info without expanding permissions
  • Build tools accessing project metadata
  • Applications with strict permission requirements

Example Security Model

A CLI tool currently running with:

--allow-net=example.com --allow-read=.env,/proc --allow-run=ps,systemctl

should not need to add --allow-read=deno.json just to display its own version number. The version should be resolvable at compile time without additional runtime permissions.

This would be particularly valuable for security-focused applications where minimizing runtime permissions is critical.

Closing this issue - discovered that import config from "./deno.json" with { type: "json" }; actually works at compile time with deno compile. The JSON file gets embedded in the binary during compilation, so there's no runtime file access or additional permissions needed. This provides the exact functionality I was looking for.