Lightning LockerService Disabled

Lightning LockerService is a critical security feature for Lightning code. It provides component isolation that allows code from many sources to execute and interact using safe, standard APIs and event mechanisms. Enable Lightning Locker for AppExchange packages that contain Lightning components or applications.

Lightning LockerService is enabled for all custom Lightning web components. The service was activated for customers in the Summer ’17 release. Lightning LockerService isn’t enforced for components that use API version 39.0 and lower, which covers any component created before Summer ’17. When a component is set to at least API version 40.0, it’s enabled. New AppExchange security reviews and periodic re-reviews require components to be version 40.0 or higher so that Locker is enabled.

Metadata Example

In this component’s <AuraDefinitionBundle> metadata, the <apiVersion> field sets the API version to 39.0. LockerService is disabled for components that use API version 39.0 and lower.
<?xml version="1.0" encoding="UTF-8"?>
<AuraDefinitionBundle xmlns="http://soap.sforce.com/2006/04/metadata">
     <apiVersion>39.0</apiVersion>
     <description>My Component</description>
</AuraDefinitionBundle>
In this component’s revised <AuraDefinitionBundle> metadata, the <apiVersion> field sets the API version to 40.0. LockerService is enforced for components that use API version 40.0 and higher.
<?xml version="1.0" encoding="UTF-8"?>
<AuraDefinitionBundle xmlns="http://soap.sforce.com/2006/04/metadata">
     <apiVersion>40.0</apiVersion>
     <description>My Component</description>
</AuraDefinitionBundle>

For more information, read the Summer 2017 Release Notes and Security with Lightning Locker in the Lightning Web Components Developer Guide.