Node 20 introduced an experimental Permission Model — node --experimental-permission runs your script with no filesystem access, no child_process, no worker_threads, and no native addons unless you opt in via --allow-fs-read, --allow-fs-write, --allow-child-process, --allow-worker. At runtime you can also query process.permission.has('fs.write', '/some/path').
The full post covers each flag with examples (including the zsh wildcard gotcha — --allow-fs-read=* needs to be --allow-fs-read=/), the runtime check API, and a side-by-side with Deno's more mature, secure-by-default permission model.
Originally published at andreasbergstrom.dev — read the full post there.
Top comments (0)