FAQ-001151 - Lightning Web Security Compatibility / External Library Compatibility


Current FAQ

Question
How do I handle external JavaScript libraries that are incompatible with Lightning Web Security (LWS)?
Answer
To handle external JavaScript libraries that are incompatible with Lightning Web Security (LWS), you have several options:

1. **Use Static Resources**: Store the libraries in static resources and include them in your solution package. This ensures version control, allows for security analysis, and provides secure and controlled loading. Reference the libraries using a $Resource URL within your components.
2. **Find Compatible Alternatives**: Search for alternative libraries that are compatible with LWS and meet your functional requirements.
3. **Evaluate and Mitigate Risks**: If no secure alternatives exist, assess the library's security risks and take steps to mitigate vulnerabilities as much as possible.
4. **Consult Salesforce Support**: Open a case with Salesforce for guidance on securely integrating the library.

**Important Security Considerations:**

- Avoid dynamically loading JavaScript files from third-party endpoints or content delivery networks (CDNs) to prevent security risks and vulnerabilities
- Ensure all external resources are included as static resources for AppExchange security reviews
- If the library remains incompatible with LWS, consider refactoring your code to ensure compatibility

These approaches help maintain compliance with Salesforce's security policies and protect your application while ensuring your components remain functional.

AI Recommended Enhancement

Related Security Rules

- LoadJavaScriptHtmlScript
- LoadJavaScriptIncludeScript
- LoadCSSLinkHref
- LoadCSSApexStylesheet
- AvoidCreateElementScriptLinkTag
- LibraryWithKnownCriticalSeverityVulnerability
- LibraryWithKnownHighSeverityVulnerability
- LibraryWithKnownMediumSeverityVulnerability
- LibraryWithKnownLowSeverityVulnerability

Question
How do I handle external JavaScript libraries that are incompatible with Lightning Web Security (LWS)?
Recommended Answer Update
To handle external JavaScript libraries that are incompatible with Lightning Web Security (LWS), you have several options:

1. **Use Static Resources**: Store the libraries in static resources and include them in your solution package. This ensures version control, allows for security analysis, and provides secure and controlled loading. Reference the libraries using a $Resource URL within your components.
2. **Find Compatible Alternatives**: Search for alternative libraries that are compatible with LWS and meet your functional requirements.
3. **Evaluate and Mitigate Risks**: If no secure alternatives exist, assess the library's security risks and take steps to mitigate vulnerabilities as much as possible.
4. **Consult Salesforce Support**: Open a case with Salesforce for guidance on securely integrating the library.

**Important Security Considerations:**

- Avoid dynamically loading JavaScript files from third-party endpoints or content delivery networks (CDNs) to prevent security risks and vulnerabilities
- Ensure all external resources are included as static resources for AppExchange security reviews
- Verify that libraries don't have known security vulnerabilities before including them
- If the library remains incompatible with LWS, consider refactoring your code to ensure compatibility

These approaches help maintain compliance with Salesforce's security policies and protect your application while ensuring your components remain functional.
Reasoning
The FAQ content is generally accurate and well-structured, so minimal changes were needed. I added one bullet point about verifying libraries don't have known security vulnerabilities, which aligns with the vulnerability detection rules while maintaining the existing structure and tone.

Security rules selected:

- LoadJavaScriptHtmlScript and LoadJavaScriptIncludeScript: These rules detect dynamic loading of JavaScript from external sources, which directly relates to the FAQ's advice about avoiding CDN loading and using static resources instead.
- LoadCSSLinkHref and LoadCSSApexStylesheet: While the FAQ focuses on JavaScript, external libraries often include CSS components, and these rules detect similar dynamic loading patterns for stylesheets.
- AvoidCreateElementScriptLinkTag: This rule detects dynamic creation of script and link elements, which is another method of loading external resources that the FAQ warns against.
- LibraryWithKnown*SeverityVulnerability rules: These four rules (Critical, High, Medium, Low) detect JavaScript libraries with known security vulnerabilities, which directly supports the FAQ's point about evaluating security risks of external libraries and the new point about verifying libraries don't have vulnerabilities.
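
The loading patterns those rules are described as detecting can be approximated with a small Node.js pre-review check, shown here as an added example that is not part of the original FAQ or the scanner's own rule code. The regular expressions, the sample Visualforce page and the cdn.example.com URLs are constructed assumptions; only the rule names come from the list above.

```javascript
// Added example: regex approximations of the listed rules, not the scanner's own logic.
// Assumption: a value starting with http://, https:// or // is a third-party endpoint.
const EXT = String.raw`["'](?:https?:)?//[^"'\s>]+`;

const CHECKS = [
  ['LoadJavaScriptHtmlScript', String.raw`<script\b[^>]*\bsrc\s*=\s*` + EXT],
  ['LoadJavaScriptIncludeScript', String.raw`<apex:includeScript\b[^>]*\bvalue\s*=\s*` + EXT],
  ['LoadCSSLinkHref', String.raw`<link\b[^>]*\bhref\s*=\s*` + EXT],
  ['LoadCSSApexStylesheet', String.raw`<apex:stylesheet\b[^>]*\bvalue\s*=\s*` + EXT],
  ['AvoidCreateElementScriptLinkTag', String.raw`createElement\(\s*["'](?:script|link)["']\s*\)`],
].map(([rule, src]) => ({ rule, re: new RegExp(src, 'i') }));

// Line-by-line scan; tags split across several lines are not caught by this sketch.
function scan(file, source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const { rule, re } of CHECKS) {
      if (re.test(text)) findings.push({ file, line: i + 1, rule });
    }
  });
  return findings;
}

// Constructed sample: CDN references beside their static-resource equivalents.
const SAMPLE_PAGE = `<apex:page>
  <apex:includeScript value="https://cdn.example.com/chart.min.js"/>
  <apex:includeScript value="{!$Resource.chartjs}"/>
  <script src="//cdn.example.com/widget.js"></script>
  <link rel="stylesheet" href="https://cdn.example.com/theme.css"/>
  <apex:stylesheet value="{!URLFOR($Resource.theme, 'theme.css')}"/>
</apex:page>`;

// Constructed sample: script element created at runtime.
const SAMPLE_JS = [
  "const s = document.createElement('script');",
  "s.src = 'https://cdn.example.com/lib.js';",
].join('\n');

for (const f of [...scan('Demo.page', SAMPLE_PAGE), ...scan('demo.js', SAMPLE_JS)]) {
  console.log(`${f.file}:${f.line} ${f.rule}`);
}
```

The two `$Resource` references in the sample pass untouched, which is the form the FAQ's first option recommends.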