Avoid repetition of whitelisted modules

[arrustamyan]

First of all - great idea! I can definitely see myself integrating something like this in my codebases.

But this got me thinking about modules that are required across many files (e.g. something like request). It's going to be unmanageable repeating secureRequire("awesomeModule", ["dep1", "dep2", ...]) all over the code.

Obvious solution that comes to mind is having a configuration file that will hold whitelists:

{
  "awesomeModule": ["dep1", "dep2", ...]
}

so you can just go with secureRequire("awesomeModule").

I know this might sound like a stretch, but it the future this might even part of package.json as a vital part of your module's definition:

package.json

{
...
  "dependencies": [...],
  "security": {
    "awesomeModule": ["dep1", "dep2", ...]
  }
...
}

Or maybe you already have a solution in your mind that addresses this problem?

[ryzokuken]

@arrustamyan the package.json solution seems simple and honestly quite wonderful. Here's the kind of workflow that comes to my mind:

1. If whitelist is not undefined, just do your thing.
2. If whitelist is undefined, check package.json. 
3. If no corresponding key is available, then fallback to default behavior.
4. Otherwise, use the specified whitelist.

Great idea! Thanks. Why didn't I think of this, lol.

[arrustamyan]

I'll see if I can steal some time, be a good OS citizen and create a PR. 🙂

[arrustamyan]

@ryzokuken Nice! You've already implemented it.

I was just thinking is security really a good name for it? It might be too vague. Maybe permissions is a better name, or even permittedModules to match your internal naming or something else?

[ryzokuken]

@arrustamyan ah, sorry. I started hacking on it immediately after you suggested and didn't get the time to see this or let you know. I'm sorry if you'd started working on this. While I'm here waiting 7 hours for my next flight, maybe you'd like to add tests for it instead?

[arrustamyan]

@ryzokuken it's actually quite the opposite, I am super glad to see how quickly project gains features.

I'll see if i can make time to add tests.