{
"apollo-client": {
"version": "...",
"access": ["fetch"] // only fetch allowed
},
"stringutils": {
"version": "...",
"access": [] // no system resources allowed for this dependency, own or transitive
},
...
}
It would probably require the language to limit monkey-patching core primitives (such as Object.prototype in javascript),
and it would be more cumbersome for the developer to define the permissions it gives to each dependency.
These required permissions could be listed on the package site (eg npm or PyPI) and the developer would just copy paste the permissions when adding the dependency.
But if you upgrade a dependency version and it now requires a permission that seems suspicious (eg "stringutils" needing "filesystem"), it would prompt the developer to stop and investigate, or if it seems justified add the permission to "access" list.
So using exceptions for an expected path of a function seems sub-optimal.