
Add Deno.permissions.reduce method to reduce permissions of the process #31483


Description

@pavelai

I'd like to see an API to reduce the permissions of a running process from within itself. It should allow reducing permissions given by the CLI and deno.json.

For example, some processes do bootstrapping (create a project structure with symlinks, download some assets), or decide on the required permissions based on user input or configuration (read an env file and the dependencies in deno.json). Then they reduce their own permissions and import the code required to do the job.

While Deno.permissions.revoke allows removing an existing permission, reduce should make the existing rule narrower.

Reduce network access to specific port number

// deno run --allow-net=example.com permissions.ts
// proposed API: narrow the existing net grant to one port (missing "}" fixed)
Deno.permissions.reduce({ net: ["example.com:443"] });

Here we can reduce the restriction from any port to allowing connections to port 443 only.

Reduce write permissions to subdirectories

// deno run --allow-read=./ permissions.ts
// proposed API: narrow the existing read grant to a subdirectory and one file (missing "}" fixed)
Deno.permissions.reduce({ read: ["./src", "./deno.json"] });

Here the permissions could be reduced to leave read access to subdirectories or specific files only.

It would allow making frameworks with better security and developer experience, without the need to write a permissions configuration for every project, by having preconfigured permission models.

Options

  1. It could be achieved by allowing the Deno instance to run another process

  2. It could be achieved by a permission broker

  3. Why not another instance: Deno cannot replace itself, and this would make two instances of Deno be stored in memory. It could be considered as an option if there were an ability to replace the current Deno process with a new one, but it would interrupt all existing connections, IPCs and pipes

  4. Why not a permission broker: a permission broker requires another instance of some software to be run, so it adds an additional layer of complexity, and it doesn't seem user-friendly to make developers run two processes to do a single thing

Benefits

  1. It can reduce the amount of code required to run user projects. Users can write their own wrapper and run code like this:
deno run repo.ts main.ts

Instead of manually specifying all the flags, like this:

deno run --allow-read=. --deny-read=private --allow-net=github.com,npmjs.com main.ts
  2. It could help to make something like dynamic permission presets for developers' use cases, and to distribute them as dependencies or utils
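The security property that distinguishes the proposed reduce from a general permission setter is that a call may only narrow what the process already holds: a reduction that names a host, port or path outside the current grant must be rejected, otherwise the call becomes a way to escalate. The following is an added example, not code from the issue author or from Deno itself, that models that check in TypeScript for the two cases discussed above (net grants with optional port, read grants as paths). The PermissionSet shape and the function name reducePermissions are assumptions for illustration; IPv6 literals in net specs are out of scope.

```typescript
// Added example (not Deno's code): a model of the "only narrower" rule that a
// Deno.permissions.reduce()-style API would have to enforce.
import * as path from "node:path";

type NetGrant = { host: string; port?: number };

/** Parse "host" or "host:port" into a structured grant (bracketed IPv6 not handled). */
function parseNet(spec: string): NetGrant {
  const idx = spec.lastIndexOf(":");
  if (idx === -1) return { host: spec };
  const port = Number(spec.slice(idx + 1));
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`invalid port in net grant: ${spec}`);
  }
  return { host: spec.slice(0, idx), port };
}

/** True if `wanted` is covered by `current`: same host, and either current has no port bound or the ports match. */
function netCovers(current: NetGrant, wanted: NetGrant): boolean {
  if (current.host !== wanted.host) return false;
  return current.port === undefined || current.port === wanted.port;
}

/** True if `wanted` is `current` itself or lies inside it after path normalisation. */
function pathCovers(current: string, wanted: string): boolean {
  const rel = path.relative(path.resolve(current), path.resolve(wanted));
  if (rel === "") return true;
  const first = rel.split(path.sep)[0];
  return first !== ".." && !path.isAbsolute(rel);
}

/** Assumed shape: what the process currently holds, as the CLI flags would express it. */
export interface PermissionSet {
  net: string[];
  read: string[];
}

/**
 * Return the narrowed permission set, or throw if any requested grant is not
 * already covered by the current one (i.e. the call would widen access).
 */
export function reducePermissions(
  current: PermissionSet,
  requested: Partial<PermissionSet>,
): PermissionSet {
  const result: PermissionSet = { net: [...current.net], read: [...current.read] };

  if (requested.net) {
    const held = current.net.map(parseNet);
    for (const spec of requested.net) {
      const want = parseNet(spec);
      if (!held.some((h) => netCovers(h, want))) {
        throw new Error(`reduce would widen net access: ${spec}`);
      }
    }
    result.net = [...requested.net];
  }

  if (requested.read) {
    for (const p of requested.read) {
      if (!current.read.some((c) => pathCovers(c, p))) {
        throw new Error(`reduce would widen read access: ${p}`);
      }
    }
    result.read = [...requested.read];
  }

  return result;
}

// Constructed sample: the two reductions from the issue, applied in sequence.
const start: PermissionSet = { net: ["example.com"], read: ["./"] };
const step1 = reducePermissions(start, { net: ["example.com:443"] });
const step2 = reducePermissions(step1, { read: ["./src", "./deno.json"] });
console.log(step2);
```

The same check is what a wrapper built on option 1 above would run before spawning a child with narrowed --allow flags: the parent holds the broad grant, validates that the requested set is a subset, and only then passes the narrower flags on. Note that the port rule is strict in both directions: a process that already holds example.com:443 cannot "reduce" to example.com, because that would drop the port bound.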

Labels: permissions (related to --allow-* flags), suggestion (suggestions for new features, yet to be agreed)