How to identify out-of-date installed packages

Did you know that 99% of Salesforce orgs have installed packages with newer versions available? Are you aware of the potential security vulnerabilities and performance issues that can arise from neglecting to update these packages? 

In this blog post, we'll delve into the impacts of out-of-date installed packages, the challenges faced by Salesforce teams in managing them, and walk you through how to effectively address these concerns.

How many out-of-date installed packages are in your Salesforce org?

Before we explore the challenges and recommendations, let's shed light on the concerning statistics related to out-of-date installed packages. 

According to the 2023 Benchmark Report on Salesforce Optimization, on average:

• 99% of orgs have installed packages with newer versions available.
• Salesforce orgs have 14 installed packages with newer versions available.
• 8% of these packages are both out-of-date and haven't undergone security review.

DOWNLOAD: 7 critical org optimizations insights for high-performing Salesforce teams

Understanding Salesforce installed packages

Installed packages refer to apps or code that Salesforce admins can easily add to your Salesforce org with the click of a button. These packages can take the form of managed packages published on Salesforce AppExchange, which implies they have gone through an official Salesforce security review. However, there are also managed packages not listed on AppExchange, unlocked packages, and unmanaged packages, all of which do not ensure the same robust security review has occurred. It’s important to note that ensuring these packages are safe and secure is ultimately your responsibility.

‍

‍

CONTINUED READING: Out-of-date installed package risks: How many are in your Salesforce org?

The impact of out-of-date installed packages

Out-of-date installed packages can have significant consequences for your org, affecting both security and performance. Let's explore these impacts:

1. Legacy declarative automation: Out-of-date packages often contain legacy declarative automation, such as workflows and processes, which can impede productivity and hinder the efficient operation of your org. In fact, 8% of all active workflow rules are from installed packages.
2. Security vulnerabilities: 15% of all custom code security issues come from installed packages. Custom code within out-of-date packages poses potential security vulnerabilities, increasing the risks of data breaches and unauthorized access to sensitive information.
3. Lack of security review: Privately listed applications, in particular, may not have undergone the rigorous AppExchange Security Review process. This lack of review further heightens the security risks associated with these packages.

How to identify out-of-date installed packages in your Salesforce org

So now you know the importance of keeping your installed packages up-to-date, but how can you effectively manage this? Unfortunately, Salesforce has never made this a simple thing for Salesforce teams to manage:

1. Manual AppExchange package version checks: While some package publishers will automatically push upgrades to your org, many do not. Even if you invest the time to manually check for newer package versions by comparing the version numbers in your org with those on the AppExchange, there's no guarantee that you'll find the latest versions. Publishers sometimes neglect to update the AppExchange version number, leaving you in the dark.
2. Lack of transparency with privately installed packages: Packages installed in your org that were not downloaded from the AppExchange will require you to reach out to the publisher to get the most up-to-date version information since there is no published list of package versions.
3. Overwhelming volume: The average Salesforce org has 40 installed packages and 14 with newer versions available. Managing this volume of packages manually is overwhelming and time-consuming, making it challenging to stay on top of updates and security requirements.

To tackle the complex task of managing out-of-date installed packages, Salesforce teams need an efficient and automated solution. That’s why we embedded installed package version tracking into Hubbl Diagnostics, to help simplify the management process. 

“Keeping installed packages up-to-date is critical for Salesforce org health, security, and speed. However, identifying newer versions of public and privately listed packages can be challenging. Hubbl Diagnostics automates this process through powerful metadata audits, optimizing performance and driving speed to value while minimizing the risk of data breaches and security risks.” 

—Chris Conant, CEO, Zennify

How Hubbl Diagnostics identifies out-of-date installed packages

1. Custom Code Security Review: Hubbl Diagnostics Essentials is a free solution that enables a thorough review of custom code, whether unpackaged or in unlocked or unmanaged packages. It analyzes configurations and usage patterns, identifying potential compliance gaps and providing specific recommendations to address them, aligning with best practice security requirements.
2. Package Versioning: With Hubbl Diagnostics Essentials, you gain access to an aggregate view of orgs across the Salesforce ecosystem. This unique perspective allows you to check all installed packages against a comprehensive database of package versions installed in other orgs. This "crowd-sourced" data ensures better visibility and keeps your org up-to-date with the latest features, reducing security risks and removing legacy declarative automation.