feat: add --ignore-env=...

[dsherret]

Adds the ability to ignore certain environment variables and return undefined instead of erroring.

> cat main.ts
console.log(Deno.env.get("VAR1"));
console.log(Deno.env.get("VAR2"));
console.log(Deno.env.toObject());
> VAR1=1 VAR2=2 deno run --ignore-env main.ts
undefined
undefined
[Object: null prototype] {}
> VAR1=1 VAR2=2 deno run --ignore-env=VAR1 --allow-env=VAR2 main.ts
undefined
2
[Object: null prototype] { VAR2: "2" }

Also doesn't error anymore when doing --allow-env --deny-env=SOMETHING and getting all env vars.

Closes #30891
Closes #31071

[bartlomieju]

Closes #31071?

[bartlomieju]

Can you please update the docs for permissions and show an example what happens if you use --ignore-env --deny-env=VAR1?

[bartlomieju]

That is a nice solution 👍

[bartlomieju]

Can you please add --ignore-env and --deny-env interaction here? And preferably all three too

[bartlomieju]

Not a blocker, but we should update the interactive prompt with the i option as well - but it should be selective only to the env permission

[Copilot]

Pull Request Overview

This PR adds support for ignoring specific environment variables through the new --ignore-env flag and ignore configuration option. When an environment variable is ignored, attempts to access it return undefined (or are excluded from Deno.env.toObject()) without raising a permission error, providing a way to hide sensitive environment variables from scripts without requiring explicit permission denials.

Key Changes:

• Introduces new PermissionState::Ignored and PermissionState::DeniedPartial states to the permission system
• Adds --ignore-env CLI flag and corresponding configuration support for environment permissions
• Refactors NODE_ENV_VAR_ALLOWLIST from a lazy-initialized HashSet to a sorted const array for more efficient lookups

Reviewed Changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
tests/specs/run/permission_env_allow_and_deny/main.ts	Updates test to verify env vars are properly filtered with allow/deny flags
tests/specs/run/permission_env_allow_and_deny/main.out	Removes expected error output as test now succeeds with proper permission setup
tests/specs/run/permission_env_allow_and_deny/__test__.jsonc	Updates test config to use allow/deny flags without expecting errors
tests/specs/permission/ignore_env/flags/main.ts	New test for --ignore-env flag functionality
tests/specs/permission/ignore_env/flags/__test__.jsonc	Test configurations for various --ignore-env scenarios (all, some, with allow-env, with deny-env)
tests/specs/permission/ignore_env/config/main.ts	New test for ignore configuration via deno.json
tests/specs/permission/ignore_env/config/deno.json	Config file demonstrating ignore: true setting for env permissions
tests/specs/permission/ignore_env/config/__test__.jsonc	Test configuration for ignore via config file
runtime/permissions/lib.rs	Core implementation: adds Ignored/DeniedPartial states, implements ignore list tracking, updates permission query logic
runtime/ops/permissions.rs	Updates PermissionStatus conversion to handle new permission states
libs/config/deno_json/permissions.rs	Adds AllowDenyIgnorePermissionConfig struct and deserialization support
libs/config/deno_json/mod.rs	Exports new AllowDenyIgnore config types
ext/os/lib.rs	Implements ignore behavior in env operations (get/set/delete/toObject), refactors NODE_ENV_VAR_ALLOWLIST to const array
cli/schemas/config-file.v1.json	Defines JSON schema for ignore permission config
cli/args/mod.rs	Integrates ignore_env into permissions options, renames no_op to identity for clarity
cli/args/flags.rs	Adds ignore_env flag parsing, serialization, and test coverage

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[dsherret]

Converting to draft. Going to do a bigger overhaul to the permission system in a separate PR before merging.

[dsherret]

This needs to be used in "env" before merging.