Periodic updates pertaining to organization-wide limitations, governor limits, etc. are released by Salesforce to improve the usability, stability and system performance. Because these updates may affect the existing customizations, Salesforce lists them in “Critical Updates”. Read more.

1. Why companies should respond to Salesforce Critical Updates
Introduction
Periodic updates pertaining to organization-wide limitations, governor limits, etc. are released by
Salesforce to improve the usability, stability and system performance. Because these updates may
affect the existing customizations, Salesforce lists them in “Critical Updates” and sends out an alert
to the admins to review the updates when they go to set up. Each update can be manually activated
or deactivated several times to evaluate its impact on the organization and modify the affected
customizations accordingly. If the manual activation or deactivation is not done in a particular time
frame, Salesforce auto activates the update permanently. Let me explain this with a few examples –
Example 1: Text Encrypted Formulae Field
Suppose an admin has had a business use case wherein he needs to use a text encrypted formula
field. But even though he used an encrypted field, data is visible, which is a security breach in
Salesforce. To rectify this issue Salesforce would release critical updates, the same way as we get OS
updates on our iPhone or Android devices. Some people might have already used this feature (text
encrypted formula field), thinking it to be expected behavior. Now, if Salesforce imposes the updates
all of a sudden, it impacts the business of the customer due to the existing customization done by
them. Therefore, to avoid such impacts, Salesforce releases critical updates periodically and sends
out an alert notification (to confirm) to all the admins asking them if they would manually update or
let the system auto-update the fixes.
Example 2: Clickjacking in Visualforce
Clickjacking is a type of attack that tricks users to click something, such as a button or a link because
they perceive they are clicking something safe. Instead, the button or link performs malicious actions
on your site, leading to data intrusion, unauthorized emails, changed credentials, etc. We can hack
using JavaScript. By using session Id, we can update data in Salesforce. Some users might have used
JavaScript and session Id intentionally. Now, as the update would impact these kinds of users who
have intentionally used session Id, Salesforce sends out an alert/notification so that the user gets to
look for possible workarounds. Salesforce usually releases these updates with every release, where

2. the Salesforce admin will manually update, even its ignored it will be auto-updated by Salesforce. In
some cases, if Salesforce feels that it needs to be implemented immediately, Salesforce auto
updates the features by communicating the same to the org administrators.
Example 3: Lightning Locker Service
One more example is the introduction of locker service critical update. Lightning locker service is a
security feature in Lightning which protects us from security vulnerabilities and other loopholes
which come along with the use of components from different sources and third-party libraries.
When Salesforce introduced Lightning, there was no locker service feature. After a few releases,
Salesforce released locker service which isolates components that belong to one namespace from
the components with a different namespace. But even though Salesforce issued locker service
feature now, few users might have already started using Lightning components without locker
service. If Salesforce released this critical update immediately, all the communities and components
they developed would have been impacted. So, Salesforce released critical updates with a particular
time frame and sends out an alert asking developers to implement locker services in their code or
else they would be auto-updated.
Example 4: Extension of critical updates time frame
Let’s assume an admin of the company received Locker Service critical update. A company
implemented a lot of Lightning components in their org and the time frame given by Salesforce was
not sufficient to update all the components. The admin decides to reach out to Salesforce by raising
a critical ticket asking Salesforce not to impose the updates in their org as they are still working on
updating the code. If several other admins also raise similar tickets to Salesforce, they would extend
the time frame of the auto-activation window.
How to manage Critical Updates?
To manage critical updates

3. This page shows the list of various updates issued for your organization. A summary on why the
update is issued for, an activation link to test the update in sandbox or production before Salesforce
auto activates it on the scheduled auto-activation date. A review link to view the impact it would
have on the customizations with or without the update being executed.
Why does a company need to respond to Critical Updates?
The Critical Updates fine-tune the drawbacks/loopholes in the system. These updates are scheduled
to be automatically activated after a period of time. Even though these updates don’t impact every
org, but sometimes may have a negative impact on the existing functionalities. Therefore, Salesforce
recommends every admin to respond to the critical updates by analyzing the impact of a Critical
Update, take proper steps or workarounds and activate the update manually.
New Critical Updates

4. Enforced Critical Updates
These critical updates were announced in a previous release and are now enforced.
Enable External Org-Wide Defaults in Orgs with Communities or Portals (Critical Update, Enforced)
Enabling external org-wide defaults in orgs with communities or portals was a critical update in
Spring ’19 and is enforced for the Summer ’19 release. This update enables the External Sharing
Model and helps you secure your data. You can set more restrictive levels of access for external
users instead of giving internal and external users the same default access.
Postponed Critical Updates
These critical updates were announced in a previous release and the auto-activation date was
postponed.
Use without sharing for @Aura Enabled Apex Controllers with Implicit Sharing (Critical Update,
Postponed)
This critical update, released in Spring ’18, was scheduled for auto-activation in Summer ’19 but has
been postponed to Winter ’20.

5. Source:
https://releasenotes.docs.salesforce.com/en-us/summer19/release
notes/rn_cruc.htm?edition=&impact=
https://help.salesforce.com/articleView?id=cruc_overview.htm&type=5
About Solunus:
Solunus is a dedicated Salesforce partner organization, headquartered in Dallas, Texas. Our
unrelenting focus on comprehending the unique needs of our clients coupled with our unrivaled
expertise of the Salesforce platform enable us to deliver the perfect solutions that create the best
value. Our unflinching commitment to quality and affordability has earned us a 100% Customer
Satisfaction (CSAT) score from all our customers.