FAQ-000364 - Code Quality vs Security Vulnerabilities / Unused and Obsolete Code Management

Current Status: VALID_RESPONSE

Current FAQ

Question
Will including unused or obsolete code in my package affect the security review?
Answer
Yes, including unused or obsolete code in your package can affect the security review. Unused or obsolete components in your package won't directly cause a security review failure, but it's recommended to remove such code before submission, as it may introduce potential vulnerabilities or lead to unnecessary findings during the review process. Make sure your package contains only the necessary and functional code to meet security standards. Keep in mind that all components in the package are subject to review for security risks.

AI Recommended Enhancement

Question
Will including unused or obsolete code in my package affect the security review?
Recommended Answer Update
Yes, including unused or obsolete code in your package can affect the security review. While unused or obsolete components won't directly cause a security review failure, it's recommended to remove such code before submission. This code may introduce potential vulnerabilities or lead to unnecessary findings during the review process. Make sure your package contains only the necessary and functional code to meet security standards. Keep in mind that all components in the package are subject to review for security risks.
Reasoning
The original answer was verbose and contained redundant phrasing that could be streamlined for better clarity. I made the following improvements:

1) Removed the redundant phrase 'Unused or obsolete components in your package won't directly cause a security review failure, but it's recommended to remove such code before submission, as it' and simplified to 'While unused or obsolete components won't directly cause a security review failure, it's recommended to remove such code before submission.'

2) This creates a more concise flow while preserving all the original information and recommendations. The answer maintains its structure and all key points about unused code potentially introducing vulnerabilities and the recommendation to include only necessary code.

No security rules were selected because this FAQ addresses general code hygiene and package management practices rather than specific security vulnerabilities that would be detected by the scanner rules. The available security rules focus on specific technical security issues (like SOQL injection, XSS, CRUD violations, etc.) while this FAQ discusses the broader practice of removing unused code to avoid potential issues during review.