FAQ-000360 - Code Quality vs Security Vulnerabilities / Uncategorized

To address a vulnerability in a managed component that can't be deleted, you can create a new component with the required security settings (e.g., setting "isExposed" to "false" if applicable). Then, remove all references to the old component and replace them with references to the new one. Afterward, resubmit the updated package for review. If the component can't be removed entirely, ensure that any unused or vulnerable code is removed from Visualforce pages, Apex classes, or other areas. Simply commenting out the code isn't sufficient.

The FAQ content is accurate and clear, but minor wording improvements enhance readability and tone. Changed "cannot" to "can't" for more conversational tone per brand guidelines. The FAQ directly addresses the AvoidLmcIsExposedTrue rule scenario - when Lightning Message Channel components have isExposed="true", this creates a security vulnerability where the component is exposed globally. The FAQ's solution of creating a new component with proper security settings (setting "isExposed" to "false") directly addresses this rule violation. The FAQ's emphasis on removing references to vulnerable components and ensuring complete removal rather than commenting out code aligns with proper security remediation practices that this rule enforces.