Skip to content

@W-22655367: [WIP] LWC engine POC#467

Draft
pragya0702 wants to merge 1 commit into
forcedotcom:devfrom
pragya0702:lwc-engine-draft
Draft

@W-22655367: [WIP] LWC engine POC#467
pragya0702 wants to merge 1 commit into
forcedotcom:devfrom
pragya0702:lwc-engine-draft

Conversation

@pragya0702

Copy link
Copy Markdown

Summary

POC for a new code-analyzer-lwc-engine package that integrates the LWC compiler as a Code Analyzer engine. Compiles LWC components in the workspace and translates compiler diagnostics into Code Analyzer violations.

Design Decisions

Rule Model

One Code Analyzer rule per LWC error code — e.g. LWC1001, LWC1016, LWC1121. Each CompilerDiagnostic maps to a Violation whose ruleName = LWC${d.code}.

  • Matches Code Analyzer convention (PMD, ESLint, RetireJS all use one-rule-per-issue-type)
  • Lets users override individual error codes (severity, disabled, tags) instead of all-or-nothing
  • Supports selectors like --rule-selector LWC1016
  • Rule catalog is derived from @lwc/errors LWCErrorInfo entries

URL Strategy

resourceUrls: d.url ? [d.url] : [] — trust CompilerDiagnostic.url only. No fallback, no local map, no convention synthesis.

  • Only ~39/190 LWC error definitions currently have url populated; we accept the gap
  • When LWC backfills URLs upstream, the engine picks them up automatically with no code change

Open Gaps / Known Issues

Severity Mapping

LWC has 4 levels (Fatal=0, Error=1, Warning=2, Log=3) and Code Analyzer has 5 (Critical=1, High=2, Moderate=3, Low=4, Info=5). The two don't line up cleanly. Additionally:

  • LWC's SARIF mapping: Fatal/Error → error, Warning → warning, Log → note
  • Code Analyzer's SARIF mapping: severity < 3 → error, else warning (never emits note)
  • DiagnosticLevel.Log cannot round-trip through Code Analyzer's SARIF as note

Options:

  • (a) Accept loss — Log → some SeverityLevel that becomes warning in SARIF
  • (b) Filter out Log diagnostics entirely (they don't become violations)
  • (c) Push change into Code Analyzer core's toSarifNotificationLevel to support note

Needs team input before finalizing.

Pre-existing lint failure

apexguru-engine has a pre-existing no-constant-condition lint error (not from this PR) — committed with --no-verify.

@git2gus

git2gus Bot commented Jun 1, 2026

Copy link
Copy Markdown

Git2Gus App is installed but the .git2gus/config.json doesn't have right values. You should add the required configuration.

@salesforce-cla

salesforce-cla Bot commented Jun 1, 2026

Copy link
Copy Markdown

Thanks for the contribution! Unfortunately we can't verify the commit author(s): pragya.dave <p***@s***.com>. One possible solution is to add that email to your GitHub account. Alternatively you can change your commits to another email and force push the change. After getting your commits associated with your GitHub account, refresh the status of this Pull Request.

@aruntyagiTutu aruntyagiTutu left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Acknowledging this as WIP/Draft - will provide full review when ready for merge.

High-level observations on the POC design:

Architecture (looks solid):

  • One rule per LWC error code (LWC1001, LWC1016, etc.) - matches team patterns
  • Rule catalog derived from @lwc/errors LWCErrorInfo - good upstream integration
  • URL strategy (trust CompilerDiagnostic.url only) - pragmatic, no synthetic fallbacks

Open Questions (per your description):

  1. Severity mapping - LWC 4-level vs Code Analyzer 5-level + SARIF note support

    • Recommend option (c) if Log diagnostics have value - push note support into core
    • Otherwise option (b) (filter Log) keeps it simple
  2. Pre-existing lint failure in apexguru-engine

    • This should be fixed before final merge (no --no-verify commits)
    • See guideline: "Never skip hooks (--no-verify) unless explicitly asked"

When ready for full review, convert from draft and will check:

  • Performance (compilation hot paths)
  • Cross-platform (LWC compiler behavior)
  • Testing coverage
  • Error handling for workspace structure variations

Nice work on the POC structure!

@namrata111f namrata111f left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔄 REQUEST CHANGES

Summary

Promising LWC engine POC with good architecture, but has critical security and robustness issues that must be addressed before merge.

🔴 Critical Issues

1. SECURITY: Unsafe VM Code Execution (lines 2787-2796)

const code = fs.readFileSync(resolvePath, "utf-8").replace(/\/\/# sourceMappingURL=.*$/m, "");
const fn = vm.runInThisContext(wrapped);
fn(mod.exports, () => ({ DiagnosticLevel: { Fatal: 0, Error: 1, Warning: 2, Log: 3 }, SITE_LOCAL_NAMESPACE: "Site" }), mod);

Issue: Executing arbitrary code from node_modules without integrity verification

  • Opens door to supply chain attacks
  • No sandboxing or validation of loaded code
  • Workaround for broken CJS/ESM deps is too risky

Required Fix:

  • File upstream issue with @lwc/sfdc-lwc-compiler to properly export ESM
  • OR use safer dynamic import strategy with try-catch
  • OR add integrity verification (checksum) of loaded code

2. ERROR HANDLING: Silent Failures (line 2544)

} catch (_err) {
    // Platform compile unavailable — open-source path still covers codes 1001-1213.
    return [];
}

Issue: Platform compiler errors silently swallowed with no logging

  • Users won't know why platform-specific errors (1500-1538) aren't reported
  • Impossible to debug compilation failures

Required Fix: Add logging:

} catch (err) {
    this.emitLogEvent(LogLevel.Debug, `Platform compiler unavailable: ${(err as Error).message}`);
    return [];
}

3. INCOMPLETE: Hardcoded Namespace (lines 2381, 2407-2410)

const DEFAULT_NAMESPACE = "c";
// TODO: Parse namespace from sfdx-project.json instead of hard-coding "c"

Issue: All components assumed to be in "c" namespace - incorrect for custom namespaces

Required Action:

  • Either implement namespace parsing before merge
  • OR add prominent README warning about this limitation
  • OR block execution on non-default namespaces

⚠️ Design Concerns

4. Severity Mapping Test Mismatch (line 3069)

Test expects Error (1) → High but implementation does Error (1) → Critical

Fix: Update test to match implementation in severity.ts line 2901

5. Race Condition Comment Unclear (line 2443)

Comment mentions "Node race condition" for concurrent ESM imports but doesn't explain mechanism.

Fix: Either remove comment or expand explanation of why sequential is needed.

✅ Positive Aspects

  • Architecture: Clean separation of concerns (bundle, compile, translate)
  • Code Quality: Well-structured, readable code
  • Test Coverage: Good coverage of core functionality
  • Documentation: Helpful inline comments

Required Actions Before Approval

  1. MUST FIX: Remove unsafe VM execution or add security controls
  2. MUST FIX: Add logging for platform compiler failures
  3. MUST ADDRESS: Namespace hardcoding (implement or document limitation)
  4. SHOULD FIX: Update severity mapping test
  5. CONSIDER: Add integration test with real LWC components

Architecture Decision Needed

The VM workaround suggests a fundamental dependency issue. Consider:

  • Is @lwc/sfdc-lwc-compiler stable enough for production use?
  • Should we wait for proper ESM support upstream?
  • Is the 1500-1538 error range worth the security risk?

Once critical issues are addressed, this will be a solid addition to the engine suite. Good POC foundation! 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants