Compliance Hardened

• --targetusername / -u flag removed
  The ability to retrieve latest Flows from an org via sf project retrieve start (using child_process.exec()) has been fully eliminated.

• Zero persistent data
  All operations now run 100% within the Node.js runtime. Metadata (e.g., timestamps) is held in-memory only and discarded immediately on exit.

This change ensures full compliance with our new Project's Security Policy, making the CLI plugin more optimal for air-gapped, CI/CD, and enterprise environments.

For users:
Scan local metadata only. Use sf project retrieve manually if needed, then run the scanner on your local force-app/ directory.

→ See: SECURITY.md

Upgraded to lightning-flow-scanner-core v5.9.0. This release fixes the MissingFaultPath rule to correctly ignore "Wait for Amount of Time" and "Wait Until Date" nodes, checking fault paths only for relevant nodes like "Wait for Conditions". Resolves Issue #272 (contributed by @chazwatkins). See v5.9.0 release notes for full details.

🚨 v5.6 – Security Patch

🔒 Security Fixes

• Enforced Security Guards
  • eval and Function constructors are restricted.
  • Dynamic import() from remote URLs are blocked.
• Removed loading of custom rules entirely in the core module.

🛡 Audit & Dependency Updates

• Updated dependencies and applied npm audit fix to resolve known vulnerabilities.

Full Changelog: v3.27.0...v3.29.0

Full Changelog: v3.26.0...v3.27.0

Full Changelog: v3.25.0...v3.26.0

Full Changelog: v3.24.0...v3.25.0

Full Changelog: v3.23.0...v3.24.0

What's new?

• Minor fixes to pass suppressed element key from advanced rule to rule common

Full Changelog: v3.22.0...v3.23.0

What's new?

New rule disabled option. This option will bubble up rules and be intentional on the configurations. Bubbling up rules would also increase visibility of new rules that can be adopted

rules: MissingFaultPath: disabled: true

Full Changelog: v3.21.0...v3.22.0