- Issue created by @e0ipso
- e0ipso Can Picafort
I imagine that adding a new dependecy to core is a big deal and we do not take that lightly. For that reason I am inclined to move the feature described in β¨ [PP-1] Allow schema references in Single Directory Component prop schemas Postponed to contrib.
Note that contrib modules that extend SDC already bring in this library as a run-time dependency anyways.
However, if core release managers think that it's not a big deal, and we should include the new dependency, I think it'd be nice to support β¨ [PP-1] Allow schema references in Single Directory Component prop schemas Postponed in core.
I am marking this as "Needs release manager review" since I think we cannot make a decision here without their guidance.
- Status changed to RTBC
8 months ago 12:59pm 5 April 2024 - π§πͺBelgium wim leers Ghent π§πͺπͺπΊ
We last moved two dependencies from
require-devtorequirein β¨ Add Symfony's Filesystem and Finder components to core Active . The dependency evaluations happened in π Promote symfony/filesystem from dev-dependency to full dependency Fixed and π Promote symfony/finder from dev-dependency to full dependency Fixed .https://github.com/justinrainbow/json-schema is a well-maintained package with >200 million downloads. It was added as a dev dependency >5 years ago, in #2843147: Add JSON:API to core as a stable module β .
Landing this would unblock β¨ [PP-1] Allow schema references in Single Directory Component prop schemas Postponed , which in turn would unblock the Drupal ecosystem to do very interesting new things on top of SDC, especially now that SDC is stable in 10.3! β .
We already can see some of the cool things that enables in the
ui_patternsmodule's2.0.xbranch, see #3352063-17: [PP-1] Allow schema references in Single Directory Component prop schemas β for an explanation. The way they get around this issue not having landed yet is β¦ by making their contrib module requirejustinrainbow/json-schemaas a non-dev dependency! π - Status changed to Needs work
8 months ago 3:36pm 6 April 2024 - π¬π§United Kingdom alexpott πͺπΊπ
Making this a non-dev dependency means that we need to do a fuller evaluation of the security policies of justinrainbow/json-schema and it's dependencies. What's interesting is that master branch has more dependencies than the version we are currently on. It looks like people are trying revive the library a bit but we do need to think about the possibility of adding marc-mabe/php-enum and icecave/parity. It would be great to reach out the current library maintainers to see if they still plan to add these dependencies to the next version. I think we do need some idea about where the library is going and who is doing the maintaining going forward.
We will need to add this to https://www.drupal.org/about/core/policies/core-dependency-policies-and-... β so we will need:
Repository link, release cycle info, security policy info, security issue reporting and contact details - π¦πΊAustralia larowlan π¦πΊπ.au GMT+10
An additional concern here is this we probably want to add a hook requirements to jsonapi module that warns when asserts are on because asserts + this package in production adds a lot of performance overhead to json API requests (yes I have seen this while auditing 'slow' sites)
