Releases: Flow-Scanner/lightning-flow-scanner
Core: fix CWE-94
See Security Advisory "Code Injection via Unsafe Use of new Function() in APIVersion Rule"
Rule: RecordIdAsString
Release Notes
Action tag: action-v2.6.0
Core tag: core-v6.10.0
CLI tag: v6.10.0
VSX Version: v2.4.0
New Rule: RecordIdAsString
Detects flows using a String variable named recordId as input when they could receive the entire record object instead. Since recent Salesforce releases, record pages and quick actions can pass the complete record, eliminating the need for an additional Get Records query and improving performance. This optimization saves a SOQL query and reduces flow execution time.
Severity: 🔵 Note
Example violation:
<variables>
<name>recordId</name>
<dataType>String</dataType>
<isInput>true</isInput>
</variables>
<recordLookups>
<name>Get_Account</name>
<filters>
<field>Id</field>
<operator>EqualTo</operator>
<value>
<elementReference>recordId</elementReference>
</value>
</filters>
</recordLookups>Recommended fix:
Change the variable to receive the full record object:
<variables>
<name>recordId</name>
<dataType>SObject</dataType>
<objectType>Account</objectType>
<isInput>true</isInput>
</variables>Applies to: Screen Flows and AutoLaunched Flows (not record-triggered flows)
Credits
Thank you to @fkramer690 for suggesting this optimization in issue #237
Rule: Transform Instead Of Loop
Release Notes
Action tag: action-v2.5.0
Core tag: core-v6.90
CLI tag: v6.9.0
VSX Version: v2.3.0
New Rule: Transform Instead of Loop
TransformInsteadOfLoop – Detects Loop elements that directly connect to Assignment elements. Transform elements handle collection manipulation in bulk operations, providing significant performance improvements over iterative loop-assignment patterns.
Severity: 🔵 Note
Missing Filter Record Trigger & Improved Rule Loading
Release Notes
Action tag: action-v2.4.0
Core tag: core-v6.8.0
CLI tag: v6.8.0
VSX Version: v2.2.0
New Rule: MissingFilterRecordTrigger
Detects record-triggered flows that lack filters on changed fields or entry conditions, leading to unnecessary executions on every record change. This can degrade system performance, hit governor limits faster, and increase resource consumption in high-volume orgs.
Severity: 🟡 Warning
Improved Rule Loading: Merged Mode (Default)
We've enhanced how Lightning Flow Scanner handles rule configuration to provide a more intuitive experience, similar to ESLint's configuration model.
What's New:
- Merged Mode (Default): By default, all default rules now run, and your configuration only overrides what you specify. No need to list every rule!
- Isolated Mode: For testing or custom profiles, use
"ruleMode": "isolated"to run only explicitly specified rules - Disable Rules: New
"enabled": falseoption to disable specific rules without removing them from your config
Example:
{
"rules": {
"FlowName": {
"severity": "error"
},
"UnusedVariable": {
"enabled": false
}
}
}In this example all default rules run, with FlowName severity overridden and UnusedVariable disabled.
Enhanced Severity Classifications
Enhanced Default Severity Classifications:
Adjusted severities to provide more accurate and helpful feedback during scans. This reduces noise from non-critical issues while emphasizing important ones.
Core Tag: core-v6.7.0
CLI Tag: v6.7.0
VSX version: v2.1.0
Error
- HardcodedId
- HardcodedUrl
- FlowDescription
- MissingMetadataDescription
- UnsafeRunningContext
- ActionCallsInLoop
- SOQLQueryInLoop
- DMLStatementInLoop
- FlowName
Note
- TriggerOrder
- Cyclomatic Complexity
- Auto-Layout
Warning
- All other rules (by default)
View the readme for full details
Monorepo adds Action (Turborepo + pnpm)
Released: 2 December 2025
This release marks the inclusion of lightning-flow-scanner-action into our unified Turborepo + pnpm monorepo alongside lightning-flow-scanner-core and lightning-flow-scanner-cli at lightning-flow-scanner
Key Benefits Now Realized
- Single repository for all components – Core, CLI, and Action are now co-located, simplifying versioning and releases.
- Consistent tooling and configuration – The Action now uses the same TypeScript, linting, and build setup as core and CLI.
- Simplified maintenance – Shared scripts and dependencies reduce duplication and make updates faster.
- Improved developer experience – Action development and testing now fully leverage the monorepo setup, including parallel builds and shared core tests.
- Marketplace-ready – The GitHub Action is fully published with an updated Marketplace README, ready for usage in workflows.
For more details see the development section in the documentation
Monorepo CLI + Core (Turborepo + pnpm)
Monorepo Release
Released: 30 November 2025
This release marks the completion of our full migration to a unified Turborepo + pnpm monorepo for lightning-flow-scanner-core and lightning-flow-scanner-cli at lightning-flow-scanner
Key Benefits Now Realized
- One License – CLI and core are now both MIT licensed.
- Single source of truth – CLI and core are always perfectly in sync
- Lower maintenance overhead – Shared tooling, linting, TypeScript config, and scripts across packages
- Improved testability – Core tests run independently and in parallel; CLI tests now reliably consume the exact built core version
For more details see the development section in the documentation
MissingMetadataDescription (beta) #215
issue #215 by @tomkittlabs, pull request #314 by @smartinello1:
Missing Metadata Description – Flags Flow elements (Get Records, Assignments, Decisions, Actions, etc.) and metadata components (Variables, Formulas, Constants, Text Templates) that lack a description. Adding concise descriptions greatly improves readability, maintainability, and helps AI tools understand your automation intent.
Contributors
Assets 2
Export CSV
Whats changed:
- CSV Export: Added
--csv(-v) flag to export scan results directly to CSV. CSV includesflowFile,flowName,ruleName,severity,type,name, ,metaType. lineNumber,columnNumberare now included in results.- Dependency Added:
csv-stringifyused for reliable CSV output.
Resolves Glob vuln. CVE-2025-64756
For full details, see GHSA-5j98-mcp5-4vw2