perf(node): skip require permission checks when read is fully granted (#34722)

divybot · littledivy · web-flow · commit 39893c20965e · 2026-06-02T20:41:05.000+05:30
## Summary Every `require()` (and `node:worker_threads` filename resolution) runs through the `ensure_read_permission` helpers in `ext/node/ops/require.rs` and `ext/node/ops/worker_threads.rs`. Those helpers fetch the `NodeRequireLoaderRc` and dispatch into the loader, whose CLI implementation (`CliNodeRequireLoader::ensure_read_permission`) does a `url_from_file_path` + module-graph lookup — an `RwLock` read, an `Arc` clone, a `Url` allocation and a hashmap lookup — on **every** call, before the registry checker's existing `query_read_all()` fast path is ever reached. As noted in the issue, this means we effectively always do node permission work even when permissions are fully allowed. This hoists the read-all check to the top of the two ext/node op helpers, so the entire loader dispatch and its per-call work are skipped when read is fully granted. ## Correctness The loader's graph / `node_modules` allowances only exist to permit reads *without* a full read grant; when read is fully granted everything is allowed anyway, so returning the path unchanged is equivalent. `--deny-read` keeps `query_read_all()` returning `false`, so restricted reads still fall through to the full per-path check. Smoke-tested locally: - `deno run -A` / `deno run --allow-read` resolve `require()` as before. - `deno run --allow-read=main.cjs` still denies reading a sibling dependency with `NotCapable: Requires read access ...`. Closes #23919 Closes denoland/divybot#424 Co-authored-by: divybot <divybot@users.noreply.github.com> Co-authored-by: Divy Srivastava <me@littledivy.com>
diff --git a/ext/node/ops/require.rs b/ext/node/ops/require.rs
@@ -39,6 +39,12 @@ fn ensure_read_permission<'a>(
   state: &mut OpState,
   file_path: Cow<'a, Path>,
 ) -> Result<Cow<'a, Path>, JsErrorBox> {
+  // Fast path: when read is fully granted there's nothing to check, so skip
+  // fetching the loader and the per-call work it does (e.g. module graph
+  // lookups) entirely.
+  if state.borrow::<PermissionsContainer>().query_read_all() {
+    return Ok(file_path);
+  }
   let loader = state.borrow::<NodeRequireLoaderRc>().clone();
   let permissions = state.borrow_mut::<PermissionsContainer>();
   loader.ensure_read_permission(permissions, file_path)
diff --git a/ext/node/ops/worker_threads.rs b/ext/node/ops/worker_threads.rs
@@ -32,6 +32,12 @@ fn ensure_read_permission<'a>(
   state: &mut OpState,
   file_path: Cow<'a, Path>,
 ) -> Result<Cow<'a, Path>, JsErrorBox> {
+  // Fast path: when read is fully granted there's nothing to check, so skip
+  // fetching the loader and the per-call work it does (e.g. module graph
+  // lookups) entirely.
+  if state.borrow::<PermissionsContainer>().query_read_all() {
+    return Ok(file_path);
+  }
   let loader = state.borrow::<NodeRequireLoaderRc>().clone();
   let permissions = state.borrow_mut::<PermissionsContainer>();
   loader.ensure_read_permission(permissions, file_path)
