No support for disabled menus

Second this. We have a situation where the menu only appears if a page is in the menu, but want the link to several pages to not appear in the menu so that the user arrives at the page via a separate navigation method.

Are there concerns disabled items being exposed could be considered a security issue around information disclosure?

Menus are config entities; maybe we can add a third_party_settings, which adds a checkbox that says "Provide disabled menu links over the API" as an opt-in for this. How does that sound?

i use this solution!

Core Patch:
(drupal/core/lib/Drupal/Core/Menu/MenuTreeParameters.php)

--- MenuTreeParameters.php.BAK	2025-02-10 21:55:07.477305842 +0100
+++ MenuTreeParameters.php	2025-02-10 21:58:06.924300799 +0100
@@ -178,7 +178,9 @@
    * @return $this
    */
   public function onlyEnabledLinks() {
-    $this->addCondition('enabled', 1);
+    if (!isset($this->conditions['enabled'])) {
+      $this->addCondition('enabled', 1);
+    }
     return $this;
   }

Filter Parameter:

&filter[conditions][enabled][value][]=0&filter[conditions][enabled][value][]=1&filter[conditions][enabled][operator]=IN

This approach could be taken by the module without needing a core patch. We could move the $parameters->onlyEnabledLinks(); to before the if ($request->query->has('filter')) {. And then if you add a condition on enabled it will respect that instead.

Thinking about security. I think we're okay in terms access to links as this will still be checked so we're not giving out access if the user does not have access to link. I guess the one consideration is that maybe people have used the enabled flag as a proxy for access when it's something they can not control. I think this use-case is highly likely and therefore I think potentially we should go the other way here and prevent a user from adding enabled to the list of filter conditions and clearly document that this route only returns enabled links.