FAQ-000833 - External Platform Security / External Dependencies and Libraries


Current FAQ

Question
Can security issues in external dependencies be excluded from my package's security review?
Answer
No, security issues in external dependencies cannot be excluded from the AppExchange security review. The review process tests all external components, such as web applications, services, and mobile clients, to ensure secure data transfer and compliance with security standards. All dependencies must be included in the submission to avoid delays or omissions in the review process.

AI Recommended Enhancement

Related Security Rules (click to view)
LibraryWithKnownCriticalSeverityVulnerability
LibraryWithKnownHighSeverityVulnerability
LibraryWithKnownMediumSeverityVulnerability
LibraryWithKnownLowSeverityVulnerability
AvoidInsecureHttpRemoteSiteSetting
AvoidDisableProtocolSecurityRemoteSiteSetting
Question
Can security issues in external dependencies be excluded from my package's security review?
Recommended Answer Update
No, security issues in external dependencies can't be excluded from the AppExchange security review. The review process tests all external components—web applications, services, and mobile clients—to ensure secure data transfer and compliance with security standards. All dependencies must be included in your submission to avoid delays or omissions in the review process.
Reasoning
The answer was clear and accurate but used overly formal language that didn't match the conversational tone guidelines. I improved the phrasing by using contractions ('can't' instead of 'cannot') and adding em dashes for better readability while preserving all the original information and structure. The technical content about external dependencies being subject to security review aligns with the security rules.

For the related security rules selected:

1. LibraryWithKnownCriticalSeverityVulnerability, LibraryWithKnownHighSeverityVulnerability, LibraryWithKnownMediumSeverityVulnerability, LibraryWithKnownLowSeverityVulnerability: These rules directly relate to the FAQ's discussion of external dependencies by detecting JavaScript libraries with known security vulnerabilities. The FAQ explains that 'security issues in external dependencies cannot be excluded' and these rules are specifically designed to catch vulnerable external libraries that would be flagged during the security review process.

2. AvoidInsecureHttpRemoteSiteSetting: This rule relates to the FAQ's mention of 'web applications' and 'services' as external components that are tested. Remote site settings for HTTP endpoints would be considered external dependencies that could have security issues.

3. AvoidDisableProtocolSecurityRemoteSiteSetting: Similar to the above, this rule addresses security configuration for external connections, which aligns with the FAQ's explanation that external components must meet security standards and cannot be excluded from review.
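As an added example (not code from this FAQ or from Salesforce's own review tooling), the Python script below applies the two Remote Site Setting rules named above to RemoteSiteSetting metadata files before a package is submitted. The file names and URLs are constructed samples; the `url` and `disableProtocolSecurity` elements and the metadata namespace are assumed to match the RemoteSiteSetting metadata type as deployed in a source-format project.

```python
import xml.etree.ElementTree as ET

# Salesforce metadata XML namespace (assumed to match the RemoteSiteSetting type).
NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample RemoteSiteSetting files: one clean, one per rule violation.
SAMPLE_SETTINGS = {
    "PaymentGateway.remoteSite-meta.xml": """<?xml version="1.0" encoding="UTF-8"?>
<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <disableProtocolSecurity>false</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>https://api.gateway.example</url>
</RemoteSiteSetting>""",
    "LegacyReports.remoteSite-meta.xml": """<?xml version="1.0" encoding="UTF-8"?>
<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <disableProtocolSecurity>false</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>http://reports.legacy.example</url>
</RemoteSiteSetting>""",
    "PartnerFeed.remoteSite-meta.xml": """<?xml version="1.0" encoding="UTF-8"?>
<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <disableProtocolSecurity>true</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>https://feed.partner.example</url>
</RemoteSiteSetting>""",
}


def check_remote_site(name, xml_text):
    """Return (rule, detail) findings for one RemoteSiteSetting file."""
    root = ET.fromstring(xml_text)
    url = (root.findtext("md:url", default="", namespaces=NS) or "").strip()
    disable = (root.findtext("md:disableProtocolSecurity", default="false",
                             namespaces=NS) or "").strip().lower()
    findings = []
    # Plain-HTTP callout endpoint: data to the external service is unencrypted.
    if url.lower().startswith("http://"):
        findings.append(("AvoidInsecureHttpRemoteSiteSetting",
                         f"{name}: url uses plain HTTP ({url})"))
    # Protocol security disabled: HTTPS endpoint may be reached over HTTP.
    if disable == "true":
        findings.append(("AvoidDisableProtocolSecurityRemoteSiteSetting",
                         f"{name}: disableProtocolSecurity is true"))
    return findings


def scan(settings):
    """Run the checks over a {file name: xml text} mapping and collect findings."""
    findings = []
    for name, xml_text in settings.items():
        findings.extend(check_remote_site(name, xml_text))
    return findings


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_SETTINGS):
        print(f"[{rule}] {detail}")
```

In a real project, read each `*.remoteSite-meta.xml` under the package's source directory into the mapping instead of the constructed samples.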