Vet require-dev dependency justinrainbow/json-schema as a require dependency

I imagine that adding a new dependecy to core is a big deal and we do not take that lightly. For that reason I am inclined to move the feature described in ✨ [PP-1] Allow schema references in Single Directory Component prop schemas Postponed to contrib.

Note that contrib modules that extend SDC already bring in this library as a run-time dependency anyways.

However, if core release managers think that it's not a big deal, and we should include the new dependency, I think it'd be nice to support ✨ [PP-1] Allow schema references in Single Directory Component prop schemas Postponed in core.

I am marking this as "Needs release manager review" since I think we cannot make a decision here without their guidance.

We last moved two dependencies from require-dev to require in ✨ Add Symfony's Filesystem and Finder components to core Active . The dependency evaluations happened in 📌 Promote symfony/filesystem from dev-dependency to full dependency Fixed and 📌 Promote symfony/finder from dev-dependency to full dependency Fixed .

https://github.com/justinrainbow/json-schema is a well-maintained package with >200 million downloads. It was added as a dev dependency >5 years ago, in #2843147: Add JSON:API to core as a stable module → .

Landing this would unblock ✨ [PP-1] Allow schema references in Single Directory Component prop schemas Postponed , which in turn would unblock the Drupal ecosystem to do very interesting new things on top of SDC, especially now that SDC is stable in 10.3! → .

We already can see some of the cool things that enables in the ui_patterns module's 2.0.x branch, see #3352063-17: [PP-1] Allow schema references in Single Directory Component prop schemas → for an explanation. The way they get around this issue not having landed yet is … by making their contrib module require justinrainbow/json-schema as a non-dev dependency! 😄

Making this a non-dev dependency means that we need to do a fuller evaluation of the security policies of justinrainbow/json-schema and it's dependencies. What's interesting is that master branch has more dependencies than the version we are currently on. It looks like people are trying revive the library a bit but we do need to think about the possibility of adding marc-mabe/php-enum and icecave/parity. It would be great to reach out the current library maintainers to see if they still plan to add these dependencies to the next version. I think we do need some idea about where the library is going and who is doing the maintaining going forward.

We will need to add this to https://www.drupal.org/about/core/policies/core-dependency-policies-and-... → so we will need:
Repository link, release cycle info, security policy info, security issue reporting and contact details

An additional concern here is this we probably want to add a hook requirements to jsonapi module that warns when asserts are on because asserts + this package in production adds a lot of performance overhead to json API requests (yes I have seen this while auditing 'slow' sites)

FYI: the current version of justinrainbow/json-schema (version 5.x) has severe bugs that have been fixed in 6.x:

Create an SDC with this as the schema of one of its props:

      properties:
        src:
          title: "Image URL"
          type: string
          format: uri-reference
          pattern: "^(/|https?://)?.*\\.(png|gif|jpg|jpeg|webp)(\\?.*)?(#.*)?$"

This is valid per https://json-schema.org/understanding-json-schema/reference/regular_expr....

But it triggers a InvalidComponentException: [props.properties.image.properties.src.pattern] Invalid regex format ^(/|https?://)?.*\.(png|gif|jpg|jpeg|webp)(\?.*)?(#.*)?$ !

Turns out it's due to a bug that's been fixed years ago: https://github.com/jsonrainbow/json-schema/issues/508.

(More detail: #3515074-5: Shape matching MUST work with the resolved equivalents of $refs → .)

#7 would be solved by 📌 Move JSON:API validation to a feature flag or separate module Active

Adding ✨ [PP-1] Make link widget autocomplete work (for uri and uri-reference props) Postponed which also requires the 6.3.1 version - the fix in https://github.com/jsonrainbow/json-schema/pull/800 is needed to support entity:node/3 style URIs in experience builder

Added 📌 Allow 6.x version of justinrainbow/json-schema Active for adding support for both 5.x and 6.x at the same time