Will security review automatically fail applications using external JavaScript libraries that are incompatible with Lightning Web Security (LWS)?
Answer
Applications using external JavaScript libraries that are incompatible with Lightning Web Security (LWS) will not automatically fail the security review. However, to ensure compliance and avoid functional issues:
**Requirements for Passing Security Review:**
- Ensure compatibility with LWS to prevent unexpected behavior and functional issues in Lightning components
- Include all scripts in static resources rather than loading them dynamically
- Make sure the security properties of the offering are fully analyzable by the security review process
**Best Practices:**
- Test thoroughly to ensure the application functions correctly with LWS enabled
- Address any compatibility issues before submitting for security review
- Document any security considerations or mitigations implemented
While automatic failure won't occur, applications with LWS compatibility issues may face delays or require remediation during the security review process.
Will security review automatically fail applications using external JavaScript libraries that are incompatible with Lightning Web Security (LWS)?
Recommended Answer Update
Applications using external JavaScript libraries that are incompatible with Lightning Web Security (LWS) won't automatically fail the security review. However, to ensure compliance and avoid functional issues:
**Requirements for Passing Security Review:**
- Ensure compatibility with LWS to prevent unexpected behavior and functional issues in Lightning components
- Include all scripts in static resources rather than loading them dynamically
- Make sure the security properties of your app are fully analyzable by the security review process
**Best Practices:**
- Test thoroughly to ensure your app functions correctly with LWS enabled
- Address any compatibility issues before submitting for security review
- Document any security considerations or mitigations you've implemented
While automatic failure won't occur, apps with LWS compatibility issues may face delays or require remediation during the security review process.
Reasoning
The original FAQ content was accurate but used overly formal language that didn't align with the conversational tone guidelines. The recommended updates make the following improvements:
1. **Tone and Voice**: Changed 'the application' to 'your app' and 'the offering' to 'your app' to be more direct and conversational, following the brand guidelines to avoid sounding like enterprise documentation
2. **Clarity**: Replaced 'the application functions correctly' with 'your app functions correctly' and 'mitigations implemented' with 'mitigations you've implemented' to be more user-focused
3. **Conversational Language**: Used contractions where appropriate ('won't' instead of 'will not') and more natural phrasing throughout
The content structure, technical accuracy, and all key points remain unchanged - only the language was refined for better user experience.
Regarding the security rule AvoidCreateElementScriptLinkTag: this rule relates directly to the FAQ's guidance on including scripts in static resources rather than loading them dynamically. The FAQ says 'Include all scripts in static resources rather than loading them dynamically', which aligns with this rule: it flags dynamic creation of script and link elements. The rule helps enforce the LWS-compatible approach the FAQ recommends by preventing dynamic script loading that could bypass security controls.
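To show the kind of pattern this rule targets, the added example below (not Salesforce's rule implementation and not code from the FAQ) runs a simplified regex check over two constructed component sources: one that creates script and link elements dynamically, and one that loads the library from a static resource with `loadScript`. The function name `findDynamicTagCreation`, the component `ChartPanel`, the resource `chartLib` and the CDN URL are assumptions made up for the illustration.

```javascript
// Simplified approximation of an AvoidCreateElementScriptLinkTag-style check.
// Assumption: the real rule works on parsed code; this sketch uses a regex.
const DYNAMIC_TAG = /\bcreateElement\s*\(\s*(['"`])(script|link)\1\s*\)/gi;

function findDynamicTagCreation(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    // Skip whole-line comments so commented-out code is not reported.
    if (/^\s*(\/\/|\*|\/\*)/.test(text)) return;
    for (const m of text.matchAll(DYNAMIC_TAG)) {
      findings.push({ line: i + 1, tag: m[2].toLowerCase(), snippet: text.trim() });
    }
  });
  return findings;
}

// Constructed sample: script and stylesheet injected at runtime (flagged).
const FLAGGED_COMPONENT = [
  "import { LightningElement } from 'lwc';",
  "export default class ChartPanel extends LightningElement {",
  "  renderedCallback() {",
  "    const s = document.createElement('script');",
  "    s.src = 'https://cdn.example.com/chart.min.js';",
  "    this.template.querySelector('div').appendChild(s);",
  "    const css = document.createElement(\"link\");",
  "  }",
  "}",
].join('\n');

// Constructed sample: the same library shipped as a static resource (clean).
const STATIC_RESOURCE_COMPONENT = [
  "import { LightningElement } from 'lwc';",
  "import { loadScript } from 'lightning/platformResourceLoader';",
  "import chartLib from '@salesforce/resourceUrl/chartLib';",
  "export default class ChartPanel extends LightningElement {",
  "  async connectedCallback() {",
  "    // was: document.createElement('script')",
  "    await loadScript(this, chartLib);",
  "  }",
  "}",
].join('\n');

for (const f of findDynamicTagCreation(FLAGGED_COMPONENT)) {
  console.log(`line ${f.line}: dynamic <${f.tag}> creation: ${f.snippet}`);
}
```

A text match like this misses indirect forms such as a tag name held in a variable, so it works as a pre-submission check rather than a substitute for the review's own scanner.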