Lecture examples for the Node.js Permission Model (Node 25+).
The model is stable and enabled with --permission (not --experimental-permission).
- Node.js 25+
| File | Purpose |
|---|---|
| `config.json` | Demo config (apiUrl, logFile). |
| `app.js` | Main demo app: reads config, writes log, HTTP get, worker, child process. |
| `worker.js` | Worker used by app.js. |
| `1-default.js` / `1-default.sh` | Run without permission mode. |
| `2-deny.sh` | `--permission` only → fails (deny by default). |
| `3-fs-read.sh` | Allow only config read. |
| `4-fs-write.sh` | Config read + log write. |
| `5-net.sh` | + network. |
| `6-worker.sh` | + worker (and worker.js read). |
| `7-child.sh` | + child process (full allow-list). |
| `8-runtime-check.js` / `8-runtime-check.sh` | `process.permission.has()` demo. |

From repo root (scripts cd into JavaScript/):

```sh
chmod +x JavaScript/*.sh
./JavaScript/1-default.sh        # no restrictions
./JavaScript/2-deny.sh           # fails with ERR_ACCESS_DENIED
./JavaScript/3-fs-read.sh        # only config read
./JavaScript/4-fs-write.sh       # + log write (ensure JavaScript/var exists)
./JavaScript/5-net.sh            # + network
./JavaScript/6-worker.sh         # + worker
./JavaScript/7-child.sh          # full allow-list
./JavaScript/8-runtime-check.sh  # runtime permission checks
```

Or from JavaScript/:

```sh
node 1-default.js
node --permission app.js
# etc.
```

- `--permission`: enable permission model (deny by default).
- `--allow-fs-read=<path>`: allow fs read (multiple flags for multiple paths).
- `--allow-fs-write=<path>`: allow fs write.
- `--allow-net`: allow network.
- `--allow-worker`: allow worker threads.
- `--allow-child-process`: allow child processes.

Entrypoint script (e.g. app.js) is implicitly readable when permission mode is on.
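
A preflight check built on `process.permission.has()` that reports which of the flags listed above are still missing for the demo app's needs. This is an added example, not code from this repository: `REQUIREMENTS`, `preflight`, `fakeGrants` and the log path `var/app.log` are assumptions, and the fake grant object is constructed so the logic can run without `--permission`.

```javascript
// Added example. What app.js needs, paired with the flag that grants it.
// Scope strings are the ones process.permission.has() accepts.
// 'var/app.log' is an assumed path; the page does not show the logFile value.
const REQUIREMENTS = [
  { scope: 'fs.read', reference: 'config.json', flag: '--allow-fs-read=config.json' },
  { scope: 'fs.read', reference: 'worker.js', flag: '--allow-fs-read=worker.js' },
  { scope: 'fs.write', reference: 'var/app.log', flag: '--allow-fs-write=var/app.log' },
  { scope: 'net', flag: '--allow-net' },
  { scope: 'worker', flag: '--allow-worker' },
  { scope: 'child', flag: '--allow-child-process' },
];

// `perm` is injectable so the check can be exercised without --permission.
function preflight(requirements = REQUIREMENTS, perm = process.permission) {
  // process.permission is undefined when the model is not enabled:
  // nothing is restricted, so nothing can be missing.
  if (!perm || typeof perm.has !== 'function') {
    return { enforced: false, missing: [] };
  }
  const missing = [];
  for (const { scope, reference, flag } of requirements) {
    // Scopes without a resource (net, worker, child) are checked by name only.
    const granted = reference === undefined
      ? perm.has(scope)
      : perm.has(scope, reference);
    if (!granted) missing.push(flag);
  }
  return { enforced: true, missing };
}

// Constructed stand-in for process.permission with a fixed set of grants.
function fakeGrants(allowed) {
  return {
    has: (scope, reference) =>
      allowed.some((a) => a.scope === scope && a.reference === reference),
  };
}

// Grants equivalent to 4-fs-write.sh: config read + log write only.
const stage4 = fakeGrants([
  { scope: 'fs.read', reference: 'config.json' },
  { scope: 'fs.write', reference: 'var/app.log' },
]);
console.log('stage 4 still needs:', preflight(REQUIREMENTS, stage4).missing);
console.log('this process:', preflight());
```

Calling `preflight()` at startup and exiting when `missing` is non-empty gives a single readable message instead of an `ERR_ACCESS_DENIED` thrown midway through the run.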