@W-22838968 Port Squatting — Token-Based Check with Flag-Gated Backward Compat#57
Merged
ankitsinghkuntal09 merged 6 commits intoJun 11, 2026
Merged
Conversation
ankitsinghkuntal09
force-pushed
the
ankit/W-22838968-port-squat-backward-compat
branch
from
fcdb4e3 to
ead9962
Compare
ankitsinghkuntal09
changed the title
ankitsinghkuntal09
force-pushed
the
ankit/W-22838968-port-squat-backward-compat
branch
from
ead9962 to
06a2c41
Compare
Supersedes the version-gated approach (reading @salesforce/ui-bundle version from
node_modules) — fragile across lockfile + Code Builder layouts.
A server on port 5173 that responds OK but does NOT echo X-Live-Preview-Token is
now classified as "legacy" (old webapp, or a passive squatter — indistinguishable
to the CLI). Behavior under "legacy":
- ALLOW_LEGACY_WEBAPPS_DEFAULT=true (current default): proceed, emit one loud
warning per webapp per process (stderr structured JSON + SfCommand.warn()).
- false / SF_UI_BUNDLE_ALLOW_LEGACY_WEBAPPS=false: abort with PortSquattingAbort.
Once webapp adoption of the token-echoing release is high, flip the default to
false; the liberal branch then becomes a one-line removal.
Changes:
- 4-state checkPortStatus: available | verified | legacy | foreign
- classifyOccupiedPort centralizes the abort-vs-warn decision (shared by
pre-flight one-shot and post-spawn polling)
- emitLegacyWebappWarning emits {"warn":"LEGACY_WEBAPP_DETECTED",...} on stderr
(consumed by the VS Code extension) + this.warn() to the terminal
- Removed: MIN_TOKEN_SUPPORTED_VERSION, compareVersions,
getWebappUiBundleVersion, isNewWebapp, isUrlReachable, pollUntilReachable,
fs/path imports — all version-gating dead code
Co-authored-by: Cursor <cursoragent@cursor.com>
ankitsinghkuntal09
force-pushed
the
ankit/W-22838968-port-squat-backward-compat
branch
from
06a2c41 to
fc79710
Compare
Replace verbose mechanism-leaking warning with a concise, actionable one. Per code review feedback — keep it minimal, no implementation details.
…838968 Per code review (round 2): drop 'outdated dependency' framing and adopt authenticity-verification wording. Honest about what the CLI can actually assert (couldn't verify the server) without naming the verification mechanism. Mirrored on the VS Code extension side. Co-authored-by: Cursor <cursoragent@cursor.com>
ankitsinghkuntal09
deleted the
ankit/W-22838968-port-squat-backward-compat
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
@W-22838968@
Fix — dual-acceptance with a kill switch
checkPortStatusreturns one of four states;classifyOccupiedPortdecides the action:available— spawn our dev serverX-Live-Preview-Tokenmatchesverified— silent reuselegacy— see belowforeign— abort withPortSquattingAbortlegacyis the backward-compat path. An old@salesforce/ui-bundleand a passive squatter are indistinguishable from the CLI side — the flag is the security boundary:ALLOW_LEGACY_WEBAPPS_DEFAULT = true(this PR's default): proceed, emit one loud warning per webapp per CLI process. Warning surfaces as:ALLOW_LEGACY_WEBAPPS_DEFAULT = false(orSF_UI_BUNDLE_ALLOW_LEGACY_WEBAPPS=falseat runtime): strict mode — abort withPortSquattingAborton legacy. Same hard error asforeign.Once webapp adoption of the token-echoing release is high, flip the default to
false;Tested locally (5 scenarios, default mode + strict mode)
verified, silentlegacy, warning shown once per bundle, dev server reusedlegacy(squatter indistinguishable from old), warning shown; strict mode abortslegacy(squatter answers first), warning shown; strict mode aborts withPortSquattingAbort