Open mcandeia opened 1 month ago
I can reproduce:
{
  "imports": {
    "resource/xpto.ts": "https://deno.land/x/testing_do_not_use/resource/xpto.ts"
  }
}
import * as mod from "jsr:@luca/testing-do-not-use@0.0.4";
console.log(mod.resolve("./xpto.ts"));
console.log(mod.resolve("resource/xpto.ts"));
Version: Deno 1.46.3
Description:
The current behavior of JSR (JavaScript Registry) prevents the usage of import.meta.resolve() when resolving a URL (like HTTP(S)) within a JSR package. However, import.meta.resolve() is not used for dynamic imports but simply for resolving the import URL.
JSR correctly disallows direct imports from HTTP(S) for security reasons, but this restriction should not apply to import.meta.resolve() since it's only resolving the URL and not executing the import.
Steps to reproduce:
Add an entry in your import map that resolves to an HTTP endpoint ("resource/xpto.ts")
Publish any JSR package that contains the following code:
Check the output, and you will receive the following block message:
Expected Behavior:
import.meta.resolve() should be allowed to resolve HTTP(S) URLs without raising a security block since it is not dynamically importing the URL but merely resolving it.
Actual Behavior:
JSR blocks the resolution and shows a security message, even though no actual dynamic import is being performed.
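The distinction the report draws between resolving a specifier and loading a module, as an added example that is not part of the issue and is not Deno or JSR code. The function names, the `jsr.io` module URL and the policy model are assumptions made for illustration, and the import map lookup is a simplified version of the real algorithm.

```javascript
// Added illustration; not Deno or JSR source code.
// Import map entry copied from the report above.
const importMap = {
  imports: {
    "resource/xpto.ts": "https://deno.land/x/testing_do_not_use/resource/xpto.ts",
  },
};
// Assumption: URL under which the package's module is served.
const REFERRER = "https://jsr.io/@luca/testing-do-not-use/0.0.4/mod.ts";

// Pure resolution: specifier -> absolute URL string. No fetch, no execution.
// Simplified lookup: relative specifiers, exact keys, then longest "/" prefix.
function resolveSpecifier(specifier, map, referrer) {
  if (/^(\.\.?\/|\/)/.test(specifier)) return new URL(specifier, referrer).href;
  const imports = map.imports || {};
  if (Object.prototype.hasOwnProperty.call(imports, specifier)) {
    return new URL(imports[specifier]).href;
  }
  const prefix = Object.keys(imports)
    .filter((k) => k.endsWith("/") && specifier.startsWith(k))
    .sort((a, b) => b.length - a.length)[0];
  if (prefix) return new URL(specifier.slice(prefix.length), imports[prefix]).href;
  return new URL(specifier).href; // throws on an unmapped bare specifier
}

// Load-time check modelling the restriction the report describes: code served
// from the registry may not fetch a module from another http(s) origin.
function mayLoad(targetUrl, referrer) {
  const target = new URL(targetUrl);
  const from = new URL(referrer);
  const remote = target.protocol === "http:" || target.protocol === "https:";
  return !(from.hostname === "jsr.io" && remote && target.origin !== from.origin);
}

// The enforcement point is the loader, and it checks the resolved URL rather
// than the raw specifier, so an import map entry cannot hide a remote target.
function load(specifier, map, referrer) {
  const url = resolveSpecifier(specifier, map, referrer);
  if (!mayLoad(url, referrer)) throw new Error("blocked: " + url);
  return url; // a real loader would fetch and evaluate here
}

for (const s of ["./xpto.ts", "resource/xpto.ts"]) {
  const url = resolveSpecifier(s, importMap, REFERRER);
  console.log(s, "->", url, "| loadable:", mayLoad(url, REFERRER));
}
```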