Import VSX repository with full history into packages/vsx

Author: RubenHalman

packages/vsx/.github/workflows/deploy-RELEASE.yml

@@ -0,0 +1,57 @@
+name: "Build & Release"
+
+on:
+  release:
+    types: [created]
+
+permissions:
+  contents: read
+  id-token: write # for future OpenID CI auth to avoid PATs
+
+concurrency:
+  group: ${{ github.ref_name }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    environment: release
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22.x
+
+      - name: Install Dependencies
+        run: npm ci
+
+      # Snyk security scan (currently advisory)
+      - name: Snyk Security Scan (Advisory Mode)
+        if: env.SNYK_TOKEN != ''
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        run: |
+          npm install -g snyk
+          snyk test || echo "❗ SNYK findings detected (not failing pipeline yet)"
+
+      - name: Build Extension Artifacts
+        run: npm run vscode:prepublish
+
+      - name: Run WDIO E2E Tests
+        run: npm run test
+
+      - name: Package VSIX
+        run: |
+          npm install -g @vscode/vsce
+          vsce package
+
+      - name: Publish to VS Code Marketplace
+        run: |
+          vsce publish --pat "${{ secrets.VSCE_PAT }}" --packagePath *.vsix
+        shell: bash

packages/vsx/.gitignore

@@ -0,0 +1,16 @@
+out
+dist
+node_modules
+.vscode-test/
+*.vsix
+.DS_Store
+yarn-error.logs
+.wdio-vscode-service
+
+*.log
+*.vsix
+coverage
+
+.config
+
+src/vscode.d.ts

packages/vsx/.vscode/launch.json

@@ -0,0 +1,43 @@
+// A launch configuration that compiles the extension and then opens it inside a new window
+// Use IntelliSense to learn about possible attributes.
+// Hover to view descriptions of existing attributes.
+// For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+{
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "Launch Extension",
+      "type": "extensionHost",
+      "request": "launch",
+      "runtimeExecutable": "${execPath}",
+      "args": ["--extensionDevelopmentPath=${workspaceRoot}" ],
+      "stopOnEntry": false,
+      "sourceMaps": true,
+      "outFiles": ["${workspaceRoot}/out/src/**/*.js"],
+      "preLaunchTask": "npm: watch"
+    },
+    {
+      "args": [
+        "--extensionDevelopmentPath=${workspaceFolder}"
+      ],
+      "name": "Launch Extension xxxxx",
+      "outFiles": [
+        "${workspaceFolder}/dist/**/*.js"
+      ],
+      "request": "launch",
+      "runtimeExecutable": "${execPath}",
+      "type": "pwa-extensionHost"
+    },
+    {
+      "name": "Run Extension",
+      "type": "extensionHost",
+      "request": "launch",
+      "args": [
+        "--extensionDevelopmentPath=${workspaceFolder}"
+      ],
+      "outFiles": [
+        "${workspaceFolder}/dist/**/*.js"
+      ]
+    }
+  ]
+}

packages/vsx/.vscode/settings.json

@@ -0,0 +1,14 @@
+// Place your settings in this file to overwrite default and user settings.
+{
+  "files.exclude": {
+    "out": false, // set this to true to hide the "out" folder with the compiled JS files
+    "dist": false // set this to true to hide the "dist" folder with the compiled JS files
+  },
+  "search.exclude": {
+    "out": true, // set this to false to include "out" folder in search results
+    "dist": true // set this to false to include "dist" folder in search results
+  },
+  // Turn off tsc task auto detection since we have the necessary tasks as npm scripts
+  "typescript.tsc.autoDetect": "off",
+  "typescript.tsdk": "node_modules/typescript/lib",
+}

packages/vsx/.vscode/tasks.json

@@ -0,0 +1,29 @@
+// See https://go.microsoft.com/fwlink/?LinkId=733558
+// for the documentation about the tasks.json format
+{
+	"version": "2.0.0",
+	"tasks": [
+		{
+			"type": "npm",
+			"script": "watch",
+			"problemMatcher": "$ts-webpack-watch",
+			"isBackground": true,
+			"presentation": {
+				"reveal": "never",
+				"group": "watchers"
+			},
+			"group": {
+				"kind": "build",
+				"isDefault": true
+			}
+		},
+		{
+			"type": "npm",
+			"script": "compile",
+			"group": "build",
+			"problemMatcher": [],
+			"label": "npm: compile",
+			"detail": "npm run build"
+		}
+	]
+}

packages/vsx/CNAME

@@ -0,0 +1 @@
+vsx.lightningflowscanner.org

packages/vsx/Contributing.md

@@ -0,0 +1,9 @@
+Since 2021, the _Lightning Flow Scanner_ has grown from its roots as VS Code tool to empower Salesforce Developers across six free and open-source platforms—from developer tools to native Salesforce App—delivering a unified experience for robust static analysis of Flows. Our dedicated community has shared their expertise to deepen understanding of Flow optimization. Your support can amplify our impact. Here’s how you can contribute:
+
+- ⭐ Star your favorite platforms
+- 📢 Share our work with your network
+- 💬 Provide feedback to help us improve
+- 💻 Contribute code to drive innovation
+- 🤝 [Become a member](https://register.lightningflowscanner.org/) and stay involved.
+
+Want to help improve Lightning Flow Scanner? See our [Contributing Guidelines](https://github.com/Flow-Scanner/lightning-flow-scanner-core/blob/main/CONTRIBUTING.md).

packages/vsx/LICENSE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

packages/vsx/README.md

@@ -0,0 +1,160 @@
+<p align="center">
+  <a href="https://github.com/Flow-Scanner">
+    <img src="media/bannerslim.png" style="width: 41%;" />
+  </a>
+</p>
+<p align="center"><i>Detect unsafe contexts, queries in loops, hardcoded IDs, and more to optimize Salesforce Flows</i></p>
+
+<p align="center">
+ <img src="media/demo.gif" alt="Flow Overview"/>
+</p>
+
+---
+
+## Table of contents
+
+- **[Usage](#usage)**
+- **[Configuration](#configuration)**
+  - [Scanner Options](#scanner-options)
+  - [Extension Settings](#extension-settings)
+- **[Installation](#installation)**
+- **[Development](#development)**
+
+---
+
+## Usage
+
+
+Lightning Flow Scanner VSX is plug-and-play. Open any project with flows and use our side bar or the **Command Palette** and type `flowscanner` to see the list of all available commands.
+
+* `Configure Flow Scanner` - Set up rules in `.flow-scanner.yml`
+* `Scan Flows` - Analyze a directory or selected flow files
+* `Fix Flows` - Automatically apply available fixes
+* `Flow Scanner Documentation` - Open the rules reference guide
+
+**Privacy:** Zero user data collected. All processing is client-side. → See our [Security Policy](https://github.com/Flow-Scanner/lightning-flow-scanner-vsx?tab=security-ov-file).
+
+---
+
+## Configuration
+
+It is recommended to set up a `.flow-scanner.yml` and define:
+
+- The rules to be executed.
+- The severity of violating any specific rule.
+- Rule properties such as REGEX expressions.
+- Any known exceptions that should be ignored during scanning.
+
+### Scanner Options
+
+```json
+{
+  "rules": {
+    // Your rules here
+  },
+  "exceptions": {
+    // Your exceptions here
+  },
+  "betamode": false // Enable beta rules
+}
+```
+
+Using the rules section of your configurations, you can specify the list of rules to be run. Furthermore, you can define the severity and configure expressions of rules.  Below is a breakdown of the available attributes of rule configuration:
+
+```json
+{
+  "rules": {
+    "<RuleName>": {
+      "severity": "<Severity>",
+      "expression": "<Expression>"
+    }
+  }
+}
+```
+
+Note: if you prefer JSON format, you can create a `.flow-scanner.json` file using the same format. For a more on configurations, review the [scanner documentation](https://flow-scanner.github.io/lightning-flow-scanner-core/#configuration).
+
+### Extension Settings
+
+| Extension Settings           | Description                                                         | Default Value |
+| ---------------------------- | ------------------------------------------------------------------- | ------------- |
+| `flowscanner.SpecifyFiles` | Set to true to select .Flow file paths instead of a root directory. | `true`     |
+
+---
+
+## Installation
+
+`lightning-flow-scanner-vsx` is available on:
+
+| Visual Studio Marketplace                                                                                                                                                                                                                          | Open VSX Registry                                                                                                                                                                                |
+| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| [![VS Marketplace Version](https://img.shields.io/visual-studio-marketplace/v/ForceConfigControl.lightning-flow-scanner-vsx?label=VS%20Marketplace)](https://marketplace.visualstudio.com/items?itemName=ForceConfigControl.lightning-flow-scanner-vsx) | [![Open VSX Version](https://img.shields.io/open-vsx/v/ForceConfigControl/lightning-flow-scanner-vsx?label=Open%20VSX)](https://open-vsx.org/extension/ForceConfigControl/lightning-flow-scanner-vsx) |
+
+To install via CLI (VS Code)
+
+```bash
+code --install-extension ForceConfigControl.lightning-flow-scanner-vsx
+```
+
+---
+
+## Development
+
+> This project optionally uses [Volta](https://volta.sh) to manage Node.js versions. Install Volta with:
+>
+> ```sh
+> curl https://get.volta.sh | bash
+> ```
+>
+> Volta will automatically use the Node.js version defined in `package.json`.
+
+1. **Clone the repository**
+
+```bash
+  git clone https://github.com/Flow-Scanner/lightning-flow-scanner-vsx.git
+```
+
+2. **Install dependencies**
+
+```bash
+  npm install
+```
+
+3. **Compile a new version**
+
+```bash
+  npm run build
+```
+
+4. **Auto-compile new changes**
+
+```bash
+  npm run watch
+```
+
+5. **Run end-to-end tests**
+
+```bash
+  npm run test
+```
+
+6. **Linking** **Core Module (Optional)**
+
+If you’re developing or testing updates to the core module, you can link it locally:
+
+- In the core module directory, run:
+  ```bash
+  npm run link
+  ```
+- In this CLI project directory, run:
+  ```bash
+  npm link @flow-scanner/lightning-flow-scanner-core
+  ```
+
+---
+
+## VSCE to VSX
+
+`lightning-flow-scanner-vsce` was unpublished from the Visual Studio and Open VSX Marketplaces due to a vulnerability stemming from unsafe rule loading. The issue was addressed in [core v5](https://github.com/Flow-Scanner/lightning-flow-scanner-core/releases/tag/v5.1.0). This fork, created on 22/09/2025, emphasizes security and maintainability.
+
+<p><strong>Want to help improve Lightning Flow Scanner? See our <a href="https://github.com/Flow-Scanner/lightning-flow-scanner-core?tab=contributing-ov-file">Contributing Guidelines</a></strong></p>

packages/vsx/SECURITY.md

@@ -0,0 +1,27 @@
+# Security Policy for Lightning Flow Scanner
+
+## Security Practices
+
+- Code is open-source and peer-reviewed by the community.
+- Vulnerabilities can be reported privately via [GitHub vulnerability reporting](https://github.com/Flow-Scanner/lightning-flow-scanner-vsx/security).
+- Changes to the repository are scanned and reviewed before merging.
+
+## Data Handling
+
+This tool collects zero user data. No credentials, PII, payment info, health data, or user content is ever stored, transmitted, or shared. All analysis runs 100% client-side with no network calls to external services.
+
+We temporarily use metadata (e.g., Flow metadata, timestamps) in-memory only for real-time functionality during your session. This data is never stored, logged, or transmitted and is discarded immediately when the session ends.
+
+**Note:** You may manually save scan results (e.g., reports, CSV, JSON) to your local filesystem. These files are created at your request and remain under your full control. This tool does not access, upload, or retain them.
+
+## Dependencies
+
+We actively track and maintain an up-to-date inventory of all third-party dependencies to ensure security and compatibility. Our dependencies include:
+
+| Package                         | License                                                                              | Purpose`                                       |
+| ------------------------------- | ------------------------------------------------------------------------------------ | ---------------------------------------------- |
+| `convert-array-to-csv`        | [MIT](https://github.com/zemirco/convert-array-to-csv/blob/master/LICENSE)              | Converts JavaScript arrays into CSV format     |
+| `lightning-flow-scanner-core` | [MIT](https://github.com/Flow-Scanner/lightning-flow-scanner-core/blob/main/LICENSE.md) | Salesforce Flow scanning utilities             |
+| `tabulator-tables`            | [MIT](https://github.com/olifolkerd/tabulator/blob/master/LICENSE)                      | Interactive tables and data grids for web apps |
+| `uuid`                        | [MIT](https://github.com/uuidjs/uuid/blob/main/LICENSE.md)                              | Generates RFC-compliant UUIDs                  |
+| `cosmiconfig`                        | [MIT](https://github.com/davidtheclark/cosmiconfig/blob/main/LICENSE) | Config file loader for JavaScript/Node |