Skip to content

Releases: Flow-Scanner/lightning-flow-scanner

Security Patches & API Improvements

Choose a tag to compare

@RubenHalman RubenHalman released this 04 Jul 12:14
Immutable release. Only release title and notes can be modified.

Security Patches & API Improvements

Expose configurableOptions on Rule Instances (UMD)

Resolves #298. Third-party consumers of the UMD build (e.g. browser extensions) can now dynamically discover rule configuration capabilities without hardcoding rule-specific knowledge.

getRules() now reliably exposes configurableOptions on all configurable rule instances:

const rules = lightningflowscanner.getRules();
for (const rule of rules) {
  if (rule.isConfigurable && rule.configurableOptions) {
    for (const opt of rule.configurableOptions) {
      console.log(`${rule.name}: ${opt.name} (${opt.type}), default: ${opt.defaultValue}`);
      // APIVersion: expression (expression), default: ">= 50"
      // CyclomaticComplexity: threshold (number), default: 25
      // FlowName: expression (expression), default: "[A-Za-z0-9]+_[A-Za-z0-9]+"
    }
  }
}

The ConfigurableOption type is now also exported from the public API for consumers who want to type against it.

Security Patches

Several dependencies were updated to resolve known vulnerabilities:

  • vite updated from 6.4.1 → 6.4.3 — resolves server.fs.deny bypass on Windows alternate paths (high) and NTLMv2 hash disclosure via UNC path handling (medium)
  • turbo updated from ^2.6.1 → ^2.9.14 — resolves login callback CSRF/session fixation (medium) and unexpected local code execution during Yarn Berry detection (low)
  • uuid updated from ^11.0.5 → ^11.1.1 — resolves missing buffer bounds check in v3/v5/v6

Release tags:

Action: action-v3.7.2
Core: core-v6.19.3
CLI: v6.19.4
VSX: vsx-v3.4.2

Security Patches & Dependency Updates

Choose a tag to compare

@RubenHalman RubenHalman released this 05 Apr 12:51
Immutable release. Only release title and notes can be modified.

Security Patch: fast-xml-parser

Action: action-v3.7.1 | Core: core-v6.19.2 | CLI: v6.19.3 | VSX: v3.4.1

Several dependencies were updated to resolve known vulnerabilities:

  • fast-xml-parser updated to resolve security advisories in the XML parsing layer
  • minimatch (Action) bumped from v9 to v10 — resolves a ReDoS vulnerability in older versions
  • lodash (VSX) removed — functionality replaced with native alternatives
  • rollup (VSX) updated from v4.34 to v4.59 — build tooling security improvements
  • Node.js engine support extended to include v24 in the regex-scanner package

Platform Changes

  • Copado Plugin — The Copado marketplace listing has been delisted by Copado. We hope to restore the integration in the future.
  • Open VSX — The Open VSX Registry listing has been deprecated due to maintenance overhead. You can still generate a .vsix directly from our repository and install it manually in any compatible editor.

New Rule: Cognitive Complexity

Choose a tag to compare

@RubenHalman RubenHalman released this 02 Feb 16:35
Immutable release. Only release title and notes can be modified.

New Rule: Cognitive Complexity

Action tag: action-v3.7.0
Core tag: core-v6.19.1
CLI tag: v6.19.1
VSX Version: v3.4.0

This rule measures the cognitive complexity of Flows — a human-oriented metric that reflects how difficult a flow is to understand and maintain.Unlike traditional cyclomatic complexity (which counts execution paths), cognitive complexity penalizes:

  • Each control structure (decisions, loops) → +1 base
  • Nesting depth → additional penalty per level
  • Extra branches in decisions beyond binary (more than one outcome)
  • Deeply nested logic or complex multi-branch decisions increase the score significantly.

Applies to: Backend / autolaunched / screen flows (configurable via supportedTypes)
Default threshold: 15 (configurable)
Severity: note (suggestion) — encourages refactoring into subflows
Rule category: suggestion

Bug fix: Scans now exclude the tags

Fixed a scanner crash / false-positive error when Flow element tags contain hyperlinks, record IDs, or other markup/formatting that previously triggered invalid reference parsing. Descriptions are now safely ignored during reference validation — the scanner no longer fails on valid, user-friendly element documentation

New Rule: Missing Start Reference

Choose a tag to compare

@RubenHalman RubenHalman released this 30 Jan 18:11

New Rule: Missing Start Reference

Action tag: action-v3.6.0
Core tag: core-v6.18.0
CLI tag: v6.18.1
VSX Version: v3.3.0

  1. New Tule: missing-start-reference by @DivyanshuBist
    This rule ensures all scanned flows contain a valid start node and prevents invalid flow definitions from going unnoticed.
  • Applies to all flow types
  • Severity: Error
  • Rule category: System(A new Layout subcategory)
  1. System subcategory
    Introduces a new System subcategory under Layout, containing violations that are typically prevented by the Flow Builder UI.
    These checks can be disabled to improve scan performance.
{ systemRules: false }
  1. Filter by categories/severity
    You can now filter scan results by category and severity, helping you focus on the results that matter most first.
{ "categories": ["problem", "layout"] }

Action: optimized config parameter

Choose a tag to compare

@RubenHalman RubenHalman released this 23 Jan 12:52

Improved config flag

action tag: action-v3.5.0

Enhances the config parameter to override any default .flow-scanner configuration files discovered.

Patch: Missing Fault Path

Choose a tag to compare

@RubenHalman RubenHalman released this 21 Jan 08:09

Patch: Missing Fault Path

Action tag: action-v3.4.1
CLI tag: v6.17.2
Core tag: core-v6.17.3
VSX Version: v3.2.3

This patch release contains no major breaking changes or new rules. The focus has been on reducing false positives in the following rules:

  1. Missing Fault Path rule:
    Reduced false positives by excluding elements that are already part of defined fault paths.
    Also improved handling to skip scenarios where a formula is used as a condition (avoiding unnecessary flags on valid conditional logic).
    (Related commits: patch(core): exclude results when a formula is used as a condition and patch(core): improve Missing Fault Path to exclude elements already part of fault paths)

  2. Missing Trigger Filter rule:
    Fixed false positives (specific details on the adjustment are internal to the core engine updates in this release).

New Rule: Hardcoded Secret

Choose a tag to compare

@RubenHalman RubenHalman released this 15 Jan 14:04

New Rule: Hardcoded Secret

Action tag: action-v3.4.0
CLI tag: v6.17.1
Core tag: core-v6.17.2
VSX Version: v3.2.2

We’ve introduced a new rule to help prevent security risks caused by embedding sensitive values directly in Flows such as API keys, tokens, passwords, or credentials defined directly within Salesforce Flows.

Hardcoding sensitive values can lead to accidental exposure, difficult rotations, and security vulnerabilities. Instead, secrets should be stored and managed securely.

Recommended alternatives

When a hardcoded secret is detected, we recommend using one of the following secure storage options:

  • Named Credentials
  • Custom Settings
  • Custom Metadata
  • External secret management systems

Fix: exception by id ignored

Choose a tag to compare

@RubenHalman RubenHalman released this 09 Jan 18:38

Fix Exceptions Issue running via sf cli

Exceptions are now correctly skipped from the CLI when configured. The behavior is now consistent across CLI plugin and VS Code fully resolving #285 reported by @aidandunne1892

CLI version: v6.16.2
VSX Version: v3.1.2

For more information on exceptions, please refer the readme documentation

Improved Rule Messages & Category

Choose a tag to compare

@RubenHalman RubenHalman released this 04 Jan 19:39

Release Notes –Improved Rule Messages & Category

You can now provide a custom message for any rule. This message overrides the default rule description in scan results, making violations clearer and easier for your team to understand.

Action tag: action-v3.3.0
CLI tag: v6.16.0
Core tag: core-v6.16.0
VSX Version: v3.1.0

Custom Rule Messages Feature

When specified, the custom message and url replaces the default rule description and documentation reference in scan results.

Example configuration:

{
  "rules": {
    "dml-in-loop": {
      "message": "Avoid DML inside loops. Bulkify operations instead.",
      "messageUrl": "https://internal.docs.company.com/salesforce/flow-dml-best-practices"
    }
  }
}

Improved default severities

We’ve also updated the default severity levels and descriptions for several rules to better reflect their impact and help prioritize:

  • ActionCallsInLoop → now Warning (was Error)
  • ProcessBuilder → now Error (was Warning)
  • MissingMetadataDescription → now Warning (was Error)
  • RecordIdAsString → now Warning (was Error)

Custom Rule Messages(Url Patch)

Choose a tag to compare

@RubenHalman RubenHalman released this 04 Jan 17:18

Release Notes –Custom Rule Messages

You can now provide a custom message for any rule. This message overrides the default rule description in scan results, making violations clearer and easier for your team to understand.

Action tag: action-v3.2.1
CLI tag: v6.15.1
Core tag: core-v6.15.1
VSX Version: v3.0.1

Custom Rule Messages Feature

When specified, the custom message and url replaces the default rule description and documentation reference in scan results.

Example configuration:

{
  "rules": {
    "dml-in-loop": {
      "message": "Avoid DML inside loops. Bulkify operations instead.",
      "messageUrl": "https://internal.docs.company.com/salesforce/flow-dml-best-practices"
    }
  }
}

Improved default severities

We’ve also updated the default severity levels and descriptions for several rules to better reflect their impact and help prioritize:

  • ActionCallsInLoop → now Warning (was Error)
  • ProcessBuilder → now Error (was Warning)
  • MissingMetadataDescription → now Warning (was Error)
  • RecordIdAsString → now Warning (was Error)