Add a check to the Problem Analyzer for InstalledPackage that will default to AllUsers
Currently, Gearset’s Problem Analyzer correctly identifies issues with InstalledPackages, such as suggesting activateRSS be set to false to avoid deployment failures. However, it does not yet account for the securityType field.
When an InstalledPackage is deployed without a defined <securityType>, Salesforce defaults the access level to AllUsers. In a production environment, this is a significant security risk, as managed package components and data access should typically be restricted during the initial deployment.
I am proposing an additional check within the Problem Analyzer for InstalledPackage metadata:
Detection: Identify any InstalledPackage in the deployment package that is missing the <securityType> tag.
Recommendation: Flag this as a security risk and offer an automatic fix to insert <securityType>AdminsOnly</securityType>.
Benefit: This aligns with the "Principle of Least Privilege" and prevents accidental broad-access grants that are difficult to audit or roll back after a deployment is finalized.
Standardizing the security type to AdminsOnly at the deployment gate ensures that organizations can manually verify and assign package access to specific profiles or permission sets post-install, rather than defaulting to the least secure option.
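
The proposed detection and automatic fix, written out in Python as an added example (not part of the original request and not Gearset's implementation). The function names and the two sample metadata documents are constructed for illustration; an absent or empty <securityType> is treated as the AllUsers default described above.

```python
import xml.etree.ElementTree as ET

NS = "http://soap.sforce.com/2006/04/metadata"  # Salesforce Metadata API namespace
ET.register_namespace("", NS)  # serialise without an ns0: prefix

# Constructed sample metadata: one package with no securityType, one restricted.
MISSING = f"""<?xml version="1.0" encoding="UTF-8"?>
<InstalledPackage xmlns="{NS}">
    <activateRSS>false</activateRSS>
    <versionNumber>1.0</versionNumber>
</InstalledPackage>"""
RESTRICTED = MISSING.replace(
    "</InstalledPackage>",
    "    <securityType>AdminsOnly</securityType>\n</InstalledPackage>")


def _tag(name):
    return f"{{{NS}}}{name}"


def analyse(xml_text):
    """Return a finding dict if securityType is missing or empty, else None."""
    root = ET.fromstring(xml_text)
    if root.tag != _tag("InstalledPackage"):
        return None  # not InstalledPackage metadata, out of scope for this check
    node = root.find(_tag("securityType"))
    if node is not None and (node.text or "").strip():
        return None  # an explicit value was chosen, leave it alone
    return {
        "problem": "InstalledPackage has no securityType; defaults to AllUsers",
        "fix": "insert <securityType>AdminsOnly</securityType>",
    }


def apply_fix(xml_text):
    """Return the XML with securityType set to AdminsOnly when it was missing."""
    if analyse(xml_text) is None:
        return xml_text  # nothing to change
    root = ET.fromstring(xml_text)
    node = root.find(_tag("securityType"))
    if node is None:
        node = ET.SubElement(root, _tag("securityType"))
    node.text = "AdminsOnly"
    if hasattr(ET, "indent"):  # pretty-print where available (Python 3.9+)
        ET.indent(root, space="    ")
    return ET.tostring(root, encoding="unicode")
```

Running analyse() over every InstalledPackage file in a deployment package before it is submitted gives the gate described in the request; apply_fix() leaves files with an explicit securityType unchanged.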