{"id":28050624,"url":"https://github.com/gussamer/qfpm","last_synced_at":"2026-02-14T02:01:57.005Z","repository":{"id":57332217,"uuid":"297816246","full_name":"gussamer/qfpm","owner":"gussamer","description":"A blend of NPM and SFDX into a Salesforce package dependancy management tool set","archived":false,"fork":false,"pushed_at":"2025-03-06T02:55:43.000Z","size":90,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-09-19T22:43:58.124Z","etag":null,"topics":["javascript","salesforce","shell"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"isc","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gussamer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-09-23T01:19:42.000Z","updated_at":"2025-03-06T02:55:46.000Z","dependencies_parsed_at":"2025-03-06T03:23:11.785Z","dependency_job_id":"7c3cf5f4-b5c3-4950-98ff-552801444928","html_url":"https://github.com/gussamer/qfpm","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/gussamer/qfpm","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gussamer%2Fqfpm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gussamer%2Fqfpm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gussamer%2Fqfpm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gussamer%2Fqfpm/manifests","owner_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/owners/gussamer","download_url":"https://codeload.github.com/gussamer/qfpm/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gussamer%2Fqfpm/sbom","scorecard":{"id":449998,"data":{"date":"2025-08-11","repo":{"name":"github.com/gussamer/qfpm","commit":"5d750b1492f9de85f75793ec5169b887ac4f5c31"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.8,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/27 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Security-Policy","score":3,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Warn: no linked content found","Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":0,"reason":"dangerous workflow patterns detected","details":["Warn: untrusted code checkout '${{github.event.pull_request.head.ref}}': .github/workflows/qfpmtest.yml:14"],"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:28","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:29","Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Warn: no topLevel permission defined: .github/workflows/qfpmtest.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:41: update your workflow using 
https://app.stepsecurity.io/secureworkflow/gussamer/qfpm/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/gussamer/qfpm/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/gussamer/qfpm/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/gussamer/qfpm/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/qfpmtest.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/gussamer/qfpm/qfpmtest.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/qfpmtest.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/gussamer/qfpm/qfpmtest.yml/master?enable=pin","Warn: npmCommand not pinned by hash: src/setup.sh:9","Warn: npmCommand not pinned by hash: .github/workflows/qfpmtest.yml:34","Warn: npmCommand not pinned by hash: .github/workflows/qfpmtest.yml:37","Info:   0 out of   5 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned","Info:   0 out of   3 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) 
Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: ISC License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 0 
commits out of 5 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-19T07:58:11.560Z","repository_id":57332217,"created_at":"2025-08-19T07:58:11.561Z","updated_at":"2025-08-19T07:58:11.561Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29431593,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-13T22:20:51.549Z","status":"online","status_checked_at":"2026-02-14T02:00:07.626Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["javascript","salesforce","shell"],"created_at":"2025-05-12T00:36:58.474Z","updated_at":"2026-02-14T02:01:56.987Z","avatar_url":"https://github.com/gussamer.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![NPM](https://img.shields.io/npm/v/qfpm.svg)](https://www.npmjs.com/package/qfpm)\n[![Downloads/week](https://img.shields.io/npm/dw/qfpm.svg)](https://npmjs.org/package/qfpm)\n![QFPM Tests](https://github.com/gussamer/qfpm/actions/workflows/qfpmtest.yml/badge.svg)\n[![qfpm](https://snyk.io/advisor/npm-package/qfpm/badge.svg)](https://snyk.io/advisor/npm-package/qfpm)\n[![License](https://img.shields.io/badge/ISC-blue.svg)](https://raw.githubusercontent.com/gussamer/qfpm/master/LICENSE)\n# QFPM\n\n## QRFDev Package 
Manager\n\n### A blend of NPM and SFDX into a Salesforce package dependency management tool set\n\nThe package management methodology intended with qfpm is meant to aid with the dependency management side of Salesforce packages. Currently this could be implemented with a private npm service to benefit from the npm dependency resolution applied to a team's Salesforce metadata libraries as they are broken down into packages with a dependency hierarchy. QFPM could be extended to support the management of sfdx package2 building and installation with dependencies, as well as converted to an sfdx plugin, if I ever get around to doing it.  \n\n## Updates\n\n- Updated the commands for the new sf structure\n\n- The removal of the bin/qfpm script dependency is complete; automated removal doesn't seem to work, so feel free to delete them after upgrading\n\n- Conversion to using the native npm bin definition seems stable and opens up better Linux support\n\n- WSL support seems to be working, though with a big Salesforce asterisk down in the AT4DX example\n\n## Install\n\n1. Open Git Bash on Windows\n1. Navigate to the folder where you want your project\n1. Create an SFDX project with\n    ```bash\n    sf force project create -n newsfdxproject\n    ```\n1. Move into the project folder with\n    ```bash\n    cd newsfdxproject\n    ```\n1. Install the qfpm tools with*\n    ```bash\n    npm install qfpm --save --only=prod\n    ```\n1. Run setup to create a scratch org and deploy dependencies\n    ```bash\n    npm run setup\n    ```\n\n \\* all warnings are due to packages Salesforce uses in their default project package.json\n\n## Use\n\n### Example\n\n#### Setup FFLIB commons sample code with dependencies\n\nThis example demonstrates facilitating two layers of dependencies required to get started with the fflib apex common sample code library. The sample code requires the fflib apex commons library, which in turn is dependent on the fflib apex mocks library. 
With example npm packages for both the commons and mocks published publicly to npm, qfpm is able to install all dependencies via SOAP to avoid source tracking and then push the sample code for work tracked in the scratch org. \n\n1. Navigate to the [fflib sample code](https://github.com/apex-enterprise-patterns/fflib-apex-common-samplecode)\n1. Clone the repo locally\n    ```bash\n    git clone https://github.com/apex-enterprise-patterns/fflib-apex-common-samplecode.git\n    ```\n1. cd into the repo\n    ```bash\n    cd fflib-apex-common-samplecode\n    ```\n1. init npm to create package.json\n    ```bash\n    npm init -y\n    ```\n1. install the qfpm tools\n    ```bash\n    npm install --save qfpm\n    ```\n1. install the fflib commons\n    ```bash\n    npm install --save npm-fflib-common\n    ```\n1. set up the scratch org and install all\n    ```bash\n    npm run setup\n    ```\n\n\n#### Setup AT4DX sample code with dependencies\n\nThis example expands on the previous fflib sample code to satisfy the requirements of the at4dx sample code. As before, the multi-layered fflib commons and mocks are required by the at4dx requirement, which also has a parallel dependency on force-di. All of these are installed via SOAP into a scratch org, with the at4dx sample code pushed for tracking.\n\n1. Navigate to the [at4dx sample code](https://github.com/apex-enterprise-patterns/at4dx-samplecode)\n1. Clone the repo locally\n    ```bash\n    git clone https://github.com/apex-enterprise-patterns/at4dx-samplecode.git\n    ```\n1. cd into the repo\n    ```bash\n    cd at4dx-samplecode\n    ```\n1. init npm to create package.json\n    ```bash\n    npm init -y\n    ```\n1. install the qfpm tools\n    ```bash\n    npm install --save qfpm\n    ```\n1. install the at4dx libraries\n    ```bash\n    npm install --save npm-at4dx\n    ```\n1. 
set up the scratch org and install all*\n    ```bash\n    npm run setup\n    ```\n\n*sfdx on WSL (maybe Linux in general) seems to have an issue thinking the README.md inside the sfdx source dirs is a custom metadata type, so I removed them in the npm package as they just said put stuff here. You can run this command after cloning to delete all the offending README.md files in this repo as a workaround.\n\n  ```bash\n  # quote \"$x\" so paths containing spaces are removed as one file, not split into words\n  for x in $(find ./sfdx-source/ -name README.md); do rm -f \"$x\"; done\n  ```\n\n### Commands\n\n1. Build source into metadata format\n\n    - executes sfdx source convert\n\n    ```bash\n    npm run build\n    ```\n\n1. Clean up scratch org\n\n    - marks the project's scratch org for deletion\n\n    ```bash\n    npm run clean\n    ```\n\n1. Deploy whole project directly as metadata format\n\n    - executes sfdx source deploy\n    - bypasses source tracking\n\n    ```bash\n    npm run deploy\n    ```\n\n1. Push source to scratch org\n\n    - executes sfdx source push\n\n    ```bash\n    npm run push\n    ```\n\n1. Scratch a new org\n\n    - creates a new scratch org from config\n    - checks if the org already exists\n\n    ```bash\n    npm run scratch\n    ```\n\n1. Set up current project for development\n\n    - sets up a scratch org\n    - deploys all dependencies to the scratch org\n\n    ```bash\n    npm run setup\n    ```\n\n1. Test project\n\n    - runs all tests in the scratch org\n\n    ```bash\n    npm run test\n    ```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgussamer%2Fqfpm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgussamer%2Fqfpm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgussamer%2Fqfpm/lists"}