FAQ-001339 - Package Design and Architecture Security / Mixed Package Component Management

Current Status: VALID_RESPONSE

Current FAQ

Question
What are the considerations and security implications when mixing managed and unmanaged package components or creating extension packages?
Answer
When working with mixed package components or extension packages, consider these important aspects:

**Mixing Managed and Unmanaged Components:**

- Only managed-released packages are eligible for AppExchange Security Review; unmanaged or beta packages are not accepted.
- If your solution includes unmanaged components, they must be converted into a managed package before submission.
- All components, including external web applications, client applications, and any dependent packages, must be included in the review to ensure comprehensive security testing.
- This ensures that the entire solution complies with Salesforce's enterprise security standards.

**Extension Package Security Implications:**

- Every extension package must undergo a security review, even if it is small, as it could introduce vulnerabilities.
- When submitting an extension package for review, you must include the base and dependent packages it integrates with, even if the base solutions have already passed a security review.
- If the base package has already passed the security review, you only need to submit the extension package for review.
- If the base package has not passed the review, you must submit both the extension package and the unreviewed base package together.
- The requirements for submitting an extension package are the same as for a standalone solution, including providing security scan reports, documentation, and access to all relevant components.

**Design and Architecture Considerations:**

- Careful design of the app and its interfaces is crucial to avoid breaking dependencies and to ensure that updates to the base package do not negatively affect the extension package.
- Avoid duplication by ensuring that base package functionality is not duplicated; the extension package should reference the base package to maintain consistency and avoid redundancy.
- The base package must include features supported by all intended editions, while the extension package can add advanced features for higher editions.
- Ensure that updates to the base package do not disrupt the functionality of the extension package.
- Properly design and test the interfaces between the base and extension packages to ensure compatibility and functionality.

This approach ensures a thorough evaluation of the entire solution for security compliance while maintaining a seamless and efficient package structure.
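The "Design and Architecture Considerations" above (and the same guidance repeated in the recommended answer update further down) say that an extension package should reference the base package rather than duplicate it, and that base updates must not break the extension. The Salesforce DX project file below is an added illustration of how that dependency is declared for second-generation packages; it is not part of this FAQ and not taken from Salesforce documentation. The namespace `acme`, the package names, the directory paths and the `0Ho...PLACEHOLDER` package IDs are constructed placeholders, and `sourceApiVersion` is set to a recent value as an assumption.

```json
{
  "namespace": "acme",
  "sourceApiVersion": "60.0",
  "packageDirectories": [
    {
      "path": "force-app/base",
      "package": "Acme Base",
      "versionName": "Base 1.2",
      "versionNumber": "1.2.0.NEXT",
      "default": true
    },
    {
      "path": "force-app/extension",
      "package": "Acme Extension",
      "versionName": "Extension 1.0",
      "versionNumber": "1.0.0.NEXT",
      "dependencies": [
        {
          "package": "Acme Base",
          "versionNumber": "1.2.0.LATEST"
        }
      ]
    }
  ],
  "packageAliases": {
    "Acme Base": "0HoPLACEHOLDER_BASE_PACKAGE_ID",
    "Acme Extension": "0HoPLACEHOLDER_EXT_PACKAGE_ID"
  }
}
```

The `dependencies` entry is what makes the extension reference the base package instead of carrying its own copy of that metadata, and pinning it to a specific base major/minor version makes the interface contract between the two packages explicit, so a base release that changes that contract surfaces as a version bump to test against rather than a silent break. Keeping a single, current `sourceApiVersion` for both directories also avoids the mismatch that the `AvoidOldSalesforceApiVersions` rule listed on this page flags. The submission rules in the FAQ are unchanged by any of this: an unreviewed base package still has to be submitted together with the extension.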

AI Recommended Enhancement

Related Security Rules
AvoidOldSalesforceApiVersions
Question
What are the considerations and security implications when mixing managed and unmanaged package components or creating extension packages?
Recommended Answer Update
When working with mixed package components or extension packages, consider these important aspects:

**Mixing Managed and Unmanaged Components:**

- Only managed-released packages are eligible for AppExchange Security Review; unmanaged or beta packages are not accepted.
- If your solution includes unmanaged components, they must be converted into a managed package before submission.
- All components, including external web applications, client applications, and any dependent packages, must be included in the review to ensure comprehensive security testing.
- This ensures that the entire solution complies with Salesforce's enterprise security standards.

**Extension Package Security Implications:**

- Every extension package must undergo a security review, even if it's small, as it could introduce vulnerabilities.
- When submitting an extension package for review, you must include the base and dependent packages it integrates with, even if the base solutions have already passed a security review.
- If the base package has already passed the security review, you only need to submit the extension package for review.
- If the base package hasn't passed the review, you must submit both the extension package and the unreviewed base package together.
- The requirements for submitting an extension package are the same as for a standalone solution, including providing security scan reports, documentation, and access to all relevant components.

**Design and Architecture Considerations:**

- Careful design of the app and its interfaces is crucial to avoid breaking dependencies and to ensure that updates to the base package don't negatively affect the extension package.
- Avoid duplication by ensuring that base package functionality isn't duplicated; the extension package should reference the base package to maintain consistency and avoid redundancy.
- The base package must include features supported by all intended editions, while the extension package can add advanced features for higher editions.
- Ensure that updates to the base package don't disrupt the functionality of the extension package.
- Properly design and test the interfaces between the base and extension packages to ensure compatibility and functionality.

This approach ensures a thorough evaluation of the entire solution for security compliance while maintaining a seamless and efficient package structure.
Reasoning
The FAQ content is largely accurate and comprehensive. I made minor improvements to enhance readability by using contractions (don't, hasn't, isn't) to align with the conversational tone guidelines. These changes make the text more natural and easier to read while preserving all original information and technical accuracy. I associated this FAQ with the AvoidOldSalesforceApiVersions rule because package design and architecture considerations include ensuring that all package components use current API versions. While managing mixed components and extension packages, developers need to be aware that older API versions can introduce security vulnerabilities and compliance issues. The FAQ discusses comprehensive security testing and compliance with enterprise security standards, which directly relates to using current, secure API versions across all package components.
Reasoning References