Consider security implications of variable interpolation on URL requests #3

@jimporter

Currently, it's possible to send specific environment variables off to a remote server by using variable interpolation. This could conceivably be a security issue. However, since we're also running arbitrary scripts to build, the cat's already out of the bag.

Potentially, we might want to restrict variable interpolation in URLs if we later added the option to fetch deps without building them, and then build them separately. Then a user could enable their internet connection for the fetch and disable it during building to be safer.
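
An added example, not code from this issue or from the project: an offline audit that lists which dependency URLs use variable interpolation, separating variables that choose the destination host from variables whose values would be sent to that host. The `$NAME` / `${NAME}` syntax, the config layout and the `url` key are assumptions for illustration, and the sample config is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed interpolation syntax: $NAME or ${NAME} (the project's real syntax may differ).
VAR_RE = re.compile(r"\$(?:\{([A-Za-z_][A-Za-z0-9_]*)\}|([A-Za-z_][A-Za-z0-9_]*))")

# Constructed sample config: dependency name -> fetch settings.
SAMPLE_CONFIG = {
    "zlib": {"url": "https://example.com/zlib-1.2.tar.gz"},
    "libfoo": {"url": "https://mirror.example.net/fetch?user=${USER}&t=$API_TOKEN"},
    "libbar": {"url": "https://${MIRROR_HOST}/libbar.tar.gz"},
}


def variables_in(text):
    """Return the variable names referenced in text, in order of appearance."""
    return [m.group(1) or m.group(2) for m in VAR_RE.finditer(text)]


def audit_urls(config):
    """Report every dependency whose URL contains an interpolated variable.

    Nothing is expanded and os.environ is never read, so the audit is safe
    to run on an untrusted config before any fetch happens.
    """
    findings = []
    for dep, spec in sorted(config.items()):
        url = spec.get("url", "")
        if not variables_in(url):
            continue
        parts = urlsplit(url)
        # Credentials before '@' travel with the request; the rest is host[:port].
        userinfo, _, hostport = parts.netloc.rpartition("@")
        rest = "/".join([userinfo, parts.path, parts.query, parts.fragment])
        findings.append({
            "dep": dep,
            "host": hostport,
            "host_vars": variables_in(hostport),  # decide where the request goes
            "sent_vars": variables_in(rest),       # values delivered to that host
        })
    return findings


if __name__ == "__main__":
    for f in audit_urls(SAMPLE_CONFIG):
        print(f"{f['dep']}: host={f['host']} "
              f"host_vars={f['host_vars']} sent_vars={f['sent_vars']}")
```

A fetch-only mode that restricts interpolation in URLs could refuse to proceed whenever this audit returns a non-empty list.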

Labels: question (Further information is requested)