@W-22655367: [WIP] LWC engine POC#467
Conversation
|
Git2Gus App is installed but the |
|
Thanks for the contribution! Unfortunately we can't verify the commit author(s): pragya.dave <p***@s***.com>. One possible solution is to add that email to your GitHub account. Alternatively you can change your commits to another email and force push the change. After getting your commits associated with your GitHub account, refresh the status of this Pull Request. |
aruntyagiTutu
left a comment
There was a problem hiding this comment.
Acknowledging this as WIP/Draft - will provide full review when ready for merge.
High-level observations on the POC design:
Architecture (looks solid):
- One rule per LWC error code (LWC1001, LWC1016, etc.) - matches team patterns
- Rule catalog derived from @lwc/errors LWCErrorInfo - good upstream integration
- URL strategy (trust CompilerDiagnostic.url only) - pragmatic, no synthetic fallbacks
Open Questions (per your description):
-
Severity mapping - LWC 4-level vs Code Analyzer 5-level + SARIF note support
- Recommend option (c) if Log diagnostics have value - push note support into core
- Otherwise option (b) (filter Log) keeps it simple
-
Pre-existing lint failure in apexguru-engine
- This should be fixed before final merge (no --no-verify commits)
- See guideline: "Never skip hooks (--no-verify) unless explicitly asked"
When ready for full review, convert from draft and will check:
- Performance (compilation hot paths)
- Cross-platform (LWC compiler behavior)
- Testing coverage
- Error handling for workspace structure variations
Nice work on the POC structure!
namrata111f
left a comment
There was a problem hiding this comment.
🔄 REQUEST CHANGES
Summary
Promising LWC engine POC with good architecture, but has critical security and robustness issues that must be addressed before merge.
🔴 Critical Issues
1. SECURITY: Unsafe VM Code Execution (lines 2787-2796)
const code = fs.readFileSync(resolvePath, "utf-8").replace(/\/\/# sourceMappingURL=.*$/m, "");
const fn = vm.runInThisContext(wrapped);
fn(mod.exports, () => ({ DiagnosticLevel: { Fatal: 0, Error: 1, Warning: 2, Log: 3 }, SITE_LOCAL_NAMESPACE: "Site" }), mod);Issue: Executing arbitrary code from node_modules without integrity verification
- Opens door to supply chain attacks
- No sandboxing or validation of loaded code
- Workaround for broken CJS/ESM deps is too risky
Required Fix:
- File upstream issue with @lwc/sfdc-lwc-compiler to properly export ESM
- OR use safer dynamic import strategy with try-catch
- OR add integrity verification (checksum) of loaded code
2. ERROR HANDLING: Silent Failures (line 2544)
} catch (_err) {
// Platform compile unavailable — open-source path still covers codes 1001-1213.
return [];
}Issue: Platform compiler errors silently swallowed with no logging
- Users won't know why platform-specific errors (1500-1538) aren't reported
- Impossible to debug compilation failures
Required Fix: Add logging:
} catch (err) {
this.emitLogEvent(LogLevel.Debug, `Platform compiler unavailable: ${(err as Error).message}`);
return [];
}3. INCOMPLETE: Hardcoded Namespace (lines 2381, 2407-2410)
const DEFAULT_NAMESPACE = "c";
// TODO: Parse namespace from sfdx-project.json instead of hard-coding "c"Issue: All components assumed to be in "c" namespace - incorrect for custom namespaces
Required Action:
- Either implement namespace parsing before merge
- OR add prominent README warning about this limitation
- OR block execution on non-default namespaces
⚠️ Design Concerns
4. Severity Mapping Test Mismatch (line 3069)
Test expects Error (1) → High but implementation does Error (1) → Critical
Fix: Update test to match implementation in severity.ts line 2901
5. Race Condition Comment Unclear (line 2443)
Comment mentions "Node race condition" for concurrent ESM imports but doesn't explain mechanism.
Fix: Either remove comment or expand explanation of why sequential is needed.
✅ Positive Aspects
- Architecture: Clean separation of concerns (bundle, compile, translate)
- Code Quality: Well-structured, readable code
- Test Coverage: Good coverage of core functionality
- Documentation: Helpful inline comments
Required Actions Before Approval
- MUST FIX: Remove unsafe VM execution or add security controls
- MUST FIX: Add logging for platform compiler failures
- MUST ADDRESS: Namespace hardcoding (implement or document limitation)
- SHOULD FIX: Update severity mapping test
- CONSIDER: Add integration test with real LWC components
Architecture Decision Needed
The VM workaround suggests a fundamental dependency issue. Consider:
- Is @lwc/sfdc-lwc-compiler stable enough for production use?
- Should we wait for proper ESM support upstream?
- Is the 1500-1538 error range worth the security risk?
Once critical issues are addressed, this will be a solid addition to the engine suite. Good POC foundation! 👍
Summary
POC for a new
code-analyzer-lwc-enginepackage that integrates the LWC compiler as a Code Analyzer engine. Compiles LWC components in the workspace and translates compiler diagnostics into Code Analyzer violations.Design Decisions
Rule Model
One Code Analyzer rule per LWC error code — e.g.
LWC1001,LWC1016,LWC1121. EachCompilerDiagnosticmaps to aViolationwhoseruleName=LWC${d.code}.--rule-selector LWC1016@lwc/errorsLWCErrorInfoentriesURL Strategy
resourceUrls: d.url ? [d.url] : []— trustCompilerDiagnostic.urlonly. No fallback, no local map, no convention synthesis.urlpopulated; we accept the gapOpen Gaps / Known Issues
Severity Mapping
LWC has 4 levels (
Fatal=0, Error=1, Warning=2, Log=3) and Code Analyzer has 5 (Critical=1, High=2, Moderate=3, Low=4, Info=5). The two don't line up cleanly. Additionally:error, Warning →warning, Log →noteseverity < 3 → error, elsewarning(never emitsnote)DiagnosticLevel.Logcannot round-trip through Code Analyzer's SARIF asnoteOptions:
warningin SARIFtoSarifNotificationLevelto supportnoteNeeds team input before finalizing.
Pre-existing lint failure
apexguru-enginehas a pre-existingno-constant-conditionlint error (not from this PR) — committed with--no-verify.