Problem/Motivation

Note (& Cover My Ass-disclaimer): This issue been discussed with @longwave wearing his Drupal Security Team hat (which I must admit matches the color of his eyes perfectly) and he was OK with this being handled in the public queue.

Also it was decided it would be OK to update all the SA-flagged dependencies in one issue, since splitting this up per dependency would basically be sendig us on a reroll-rampage since they all affect core/yarn.lock.

Right, with the legalities out of the way: We currently have a few SA-flagged JavaScript dependencies in core.

$ yarn audit
yarn audit v1.22.19
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.7.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint > meow > read-pkg-up > read-pkg >                  │
│               │ normalize-package-data > semver                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092459                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Uncaught Exception in yaml                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yaml                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eslint-plugin-yml                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ eslint-plugin-yml > yaml-eslint-parser > yaml                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1091871                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cspell                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cspell > semver                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092461                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint > meow > normalize-package-data > semver           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092461                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ tough-cookie Prototype Pollution vulnerability               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tough-cookie                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.1.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jsdom                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jsdom> tough-cookie                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092470                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Stylelint has vulnerability in semver dependency             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ stylelint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=15.10.1                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092471                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ word-wrap vulnerable to Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ word-wrap                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eslint                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ eslint > optionator > word-wrap                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092330                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eslint-config-airbnb-base                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ eslint-config-airbnb-base > semver                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092460                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ postcss-url                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ postcss-url > make-dir > semver                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092460                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cspell                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cspell > cspell-lib > configstore > make-dir > semver        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092460                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nightwatch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nightwatch > semver                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092461                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
11 vulnerabilities found - Packages audited: 826
Severity: 1 Low | 9 Moderate | 1 High
Done in 1.64s.

Steps to reproduce

$ yarn install
$ yarn audit

Proposed resolution

yarn upgrade stylelint eslint-plugin-yml cspell jsdom eslint eslint-config-airbnb-base postcss-url

Since we don't want to facilitate installing unsafe dependencies I bumped the versions of the above in core/package.json where needed.

We need to special case nightwatch since:

a) Upgrading it currently makes TestBot _really_ unhappy (See #3323988: Update Nightwatch from 2.4.2 to 2.6.19)
b) Even upgrading it locally to the latest 2.x version didn't solve the semver issue.

Adding a "resolutions"-section to core/package.json and a $ yarn installdid the trick and $ yarn audit now returns a happy 0 vulnerabilities found - Packages audited: 814.

Since we're updating cspell, I also created a new dictionary.txt.

EDIT: Seems the above introduced 3 new errors when doing a yarn check -s

error "acorn" is wrong version: expected "8.8.2", got "8.10.0"
error "espree#acorn" not installed
error "espree#acorn-jsx" not installed
error Found 3 errors.

which I basically don't care about, but breaks drupal CI (#3369993-43: [Ignore] In space (and/or this issue), no one can hear patches scream VII).

Digging around the only dependency using acorn 8.8.2 is terser.
So I ended up doing an update on that as well, including the version bump in package.json.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Greetings,

As I found out that there is possible bug or conflict in language selection of taxonomies on nodes.

Summary of the problem:

Steps

English | French | Turkish
Hello | Bonjour | Merhaba
House | Maison | Ev 

-Create a node type with allowed to translation (Name of the content type: "testing", field name "taxonomy").
-You may translate field's name or other details. (french version "taxonomie", turkish version "taxonomi" ). We choose interface language to display.
-Add a field with term references

-Create a new content, name it "a new content" in Turkish. Lets choose "Merhaba" in "taxonomy" field. Its node number is "5".

-Open this new node example.com/tr/node/5 (default langauge of site is English )
You may see as
taxonomi: Merhaba
-Now use URL as example.com/fr/node/5
you should see
taxonomie: Bonjour
However it appears as
taxonomie: Merhaba
in example.com/node/5, English langauge
taxonomy: Merhaba

If you create translated version of "a new content" as French, example.com/fr/node/5 url will show you as correct one.

taxonomie: Bonjour
But still English would be (example.com/node/5)
taxonomy: Merhaba

The need of the problem is even if user didn't translate the content, taxonomies should appear in correct form, like its field names.

Note: I am not really sure it is a dublicate problem but as I searched in last 2 days, I only found very old examples of problem (exp:
https://www.drupal.org/forum/support/post-installation/2010-03-26/taxono...) and another maybe more up-to-date similar one. (https://www.drupal.org/project/drupal/issues/2930458)

Thanks

I am using this hook "hook_menu_links_discovered_alter" in my module file to add links to my existing custom menu. The feature is working fine but the issue starts coming if I will change these menu ordering or do any modification manually through admin panel. And after these modification, If I am uninstalling my module and then after that opening my custom menu through browser its throws below error. And even after clearing cache the error is not stopping. The only solution to this problem, I found is again install the old module and do the reset of these menu's and after that uninstall the module which would solve the issue.

Symfony\Component\Routing\Exception\RouteNotFoundException: Route "my_module.links_custom_menu" does not exist. in Drupal\Core\Routing\RouteProvider->getRouteByName() (line 206 of /web/core/lib/Drupal/Core/Routing/RouteProvider.php).

Andrew Macpherson writes:

<figure role="group"> can be replaced with <figure>, losing the role attribute entirely. The group role is technically permitted on the figure element, but the default implicit role is figure. The figure role was introduced in ARIA 1.1, and the HMTL 5.2 role mapping was updated accordingly. Our existing use of role=group in our filter figure probably arose because it was created prior to ARIA 1.1 - so that's really a modernization issue.

See #2994702-54: Allow editors to alter embed-specific metadata, as well as `data-align` and `data-caption`

Problem/Motivation

When using the Claro theme with paragraphs and field_group, it can result in not being able to select paragraphs in the dropdown on node creation and edit pages.

Steps to reproduce

Install modules:

• paragraphs
• field_group
• claro (theme)

1. Create a few paragraphs (about 3-4).
2. Create a content type with a paragraph reference field. Make it so all paragraphs are selectable.
3. Add a field_group tabs (vertical) and tab.
4. Put the paragraph field created in step 2 under this tab.
5. Try to add a page with paragraph 4.

Result: Not able to select some items in the dropdown because they are hidden due of the overflow.

Expected: Be able to select any item in the dropdown.

Note that this issue is only at certain widths because of the media rule (@media screen and (min-width: 85em))).

Proposed resolution

Remove overflow: hidden; in @media screen and (min-width: 85em) in claro/css/components/vertical-tabs.css and adjust the vertical-tabs widths.

Remaining tasks

1. Create patch for 9.3, 9.4, and 10
2. Review patch
3. Test patch
4. Commit

User interface changes

API changes

Data model changes

Release notes snippet

Layout Builder emits an "undefined index" PHP notice when overriding a bundle layout for an individual entity.

Steps to reproduce:

1. Enable both Layout builder and Field layout modules.
2. Go to the "Manage display" page of a particular bundle.
3. Go to the "Full content" view mode secondary tab and check both "Use Layout Builder" and "Allow each content item to have its layout customized."
4. On a particular entity, go to to the "Layout" tab.
5. See the PHP notice.

Original report:

I have and PHP Notice every time I open node (not bundle) layout settings.

Notice: Undefined index: region in Drupal\field_layout\FieldLayoutBuilder->buildForm() (line 109 of core/modules/field_layout/src/FieldLayoutBuilder.php).

And stackstrace:

Drupal\field_layout\FieldLayoutBuilder->buildForm(Array, Object) (Line: 64)
field_layout_form_alter(Array, Object, 'node_page_layout_builder_form') (Line: 539)
Drupal\Core\Extension\ModuleHandler->alter('form', Array, Object, 'node_page_layout_builder_form') (Line: 835)
Drupal\Core\Form\FormBuilder->prepareForm('node_page_layout_builder_form', Array, Object) (Line: 29)
Drupal\webprofiler\Form\FormBuilderWrapper->prepareForm('node_page_layout_builder_form', Array, Object) (Line: 277)
Drupal\Core\Form\FormBuilder->buildForm('node_page_layout_builder_form', Object) (Line: 93)
Drupal\Core\Controller\FormController->getContentResult(Object, Object)
call_user_func_array(Array, Array) (Line: 123)
Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->Drupal\Core\EventSubscriber\{closure}() (Line: 582)
Drupal\Core\Render\Renderer->executeInRenderContext(Object, Object) (Line: 124)
Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->wrapControllerExecutionInRenderContext(Array, Array) (Line: 97)
Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->Drupal\Core\EventSubscriber\{closure}() (Line: 151)
Symfony\Component\HttpKernel\HttpKernel->handleRaw(Object, 1) (Line: 68)
Symfony\Component\HttpKernel\HttpKernel->handle(Object, 1, 1) (Line: 57)
Drupal\Core\StackMiddleware\Session->handle(Object, 1, 1) (Line: 47)
Drupal\Core\StackMiddleware\KernelPreHandle->handle(Object, 1, 1) (Line: 106)
Drupal\page_cache\StackMiddleware\PageCache->pass(Object, 1, 1) (Line: 85)
Drupal\page_cache\StackMiddleware\PageCache->handle(Object, 1, 1) (Line: 47)
Drupal\Core\StackMiddleware\ReverseProxyMiddleware->handle(Object, 1, 1) (Line: 38)
Drupal\webprofiler\StackMiddleware\WebprofilerMiddleware->handle(Object, 1, 1) (Line: 52)
Drupal\Core\StackMiddleware\NegotiationMiddleware->handle(Object, 1, 1) (Line: 23)
Stack\StackedHttpKernel->handle(Object, 1, 1) (Line: 693)
Drupal\Core\DrupalKernel->handle(Object) (Line: 19)
require('/var/www/drupal/app/index.php') (Line: 4)

I just created new node type and enable layout builder for it. Then I created a node with layout override.

My env:

Installation profile: Minimal (minimal-8.7.1)
Database updates: Up to date
Entity/field definitions: Up to date
PHP: 7.2.13
It's not clean drupal setup.

Problem/Motivation

I think implementing symfony/runtime could help Drupal achieve a number of disparate features/issues, such as #3051459: Replace error and exception handlers with implementation from Symfony ErrorHandler component, #2218651: [meta] Make Drupal compatible with persistent app servers like ReactPHP, PHP-PM, PHPFastCGI and more. It also gets Drupal further away from managing its own bootstrapping in favor of Symfony conventions, to which we are already tightly coupled.

Steps to reproduce

Proposed resolution

Implement https://symfony.com/doc/current/components/runtime.html

Remaining tasks

User interface changes

API changes

This would change the default bootstrap, however I believe this could be done in a completely BC-compatible way since the "old" index.php would still work as it does now.

Data model changes

Release notes snippet

Problem/Motivation

The \Drupal\language\Config\LanguageConfigOverrideEvents::SAVE_OVERRIDE event is not fired when config is renamed, making it impossible to react to language override renames.

Proposed resolution

Save the renamed config using the \Drupal\language\Config\LanguageConfigOverride object, which will trigger the proper event.

Remaining tasks

Review the patch.

User interface changes

None.

API changes

\Drupal\language\Config\LanguageConfigOverrideEvents::SAVE_OVERRIDE is now fired when config is renamed.

Data model changes

None.

The user picture is provided by a field called user_picture.

If you perform a minimal installation of Drupal 8, this field is not created, so you have no user pictures what so ever. The "User pictures in posts" and "User pictures in comments" options in the theme settings are disabled as well.

If you create a new image field, there is no way to make this field the "user pricture" field. And due to the special naming of the "user_picture" field (instead of eg "field_user_picture") there seems to be no way to achieve this through the interface.

Unless I have got something about the install process really wrong, it's currently necessary to copy a "clean" settings.php to the place you wish the new site to have its settings folder (keeping to the naming convention for settings folders). If you do not do this, Drupal will install the site in the default directory.

This is a real hurdle when you want to set up a new site in a multisite environment with a few simple clicks. See an earlier post I made about it; I hope this suggestion will at least trigger a response.

This is too close to the code freeze for a big feature in 6.x, but here's my suggestion:

- add an extra step to the installer between "locale" and "database".
- have it display a select menu with all possible places where the settings file for the current URL can be located.
- on submitting, have it create a fresh settings.php in the selected location.

eg, on http://my.website.com/drupal have it display the options:

default
website.com
my.website.com
my.website.com.test

(Leaving out "com", which rarely makes sense, but adding "[port]." choices if Drupal detects it is being called on a non-standard port.)

The options where sites are already installed should be removed from the list, of course.

----

To avoid cluttering the installer for people who never use this, perhaps enable it only when at least one site is already installed, or even make it part of the "advanced" settings in the Database Configuration screen.

But really, this would be a great improvement for multi-site environments.

There are modules which try to integrate with all (entity) forms and want to store data for a newly created entity upon form submission.

Node module's node_form() uses both button-level and form-level submit handlers, because it needs to take the "Preview" case into account, which does not create a new entity upon submit.

When hitting "Submit" (not Preview), then the button-level submit handler invokes all form-level submit handlers first. This means that the new node has not been saved yet, so form-level submit handlers do not have a 'nid' or $node to work with.

For example:

@@ -658,7 +658,18 @@ function mollom_form_alter(&$form, &$form_state, $form_id) {
      // Append a submit handler to store Mollom session data. Requires that
      // the primary submit handler has run already, so a potential 'post_id'
      // mapping can be retrieved from $form_state['values'].
      // @todo Core: node_form_submit() uses a button-level submit handler,
      //   which invokes form-level submit handlers before the node/entity is
      //   saved, so $form_state does not contain the new node ID yet. There is
      //   no #post_submit property or form processing phase, we could rely on.
      //   Potentially applies to other contrib entities, too.
      if (isset($form_state['build_info']['base_form_id']) && $form_state['build_info']['base_form_id'] == 'node_form') {
        $form_submit_key = &$form['actions']['submit'];
      }
      else {
        $form_submit_key = &$form;
      }
      $form_submit_key['#submit'][] = 'mollom_form_submit';

This is a can of worms.

There are various kinds of submit handlers:

1. Submit handlers that want to tack submitted form values onto the $entity. Those should use #entity_builders instead.
2. Submit handlers that must not run for previews.
3. Submit handlers that want to run before the entity is saved, in order to adjust/manipulate whatever they need to do.
4. Submit handlers that need to run after the entity was saved, in order to process or save corresponding data.

Problem/Motivation

There are scenarios where it would be useful to have centralized control over permissions lists, such as the form that appears in admin/people/permissions.

Steps to reproduce

Proposed resolution

Create a getFilteredPermissions() method in PermissionHandler that defaults to returning the same value as getPermissions(), but runs the value through a new hook before returning it, so custom/contrib can customize the return value.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Problem/Motivation

Items in the queue cannot be reclaimed or get incorrect lease times leading to unexpected behaviour with expiration and claims.

There are three errors:

- The system cron only resets the expired items of the Database Queue. Memory queue items can never be reclaimed, because their expire value is never set to 0.
- The cron time and the lease time are incorrectly using the same value defined in the annotation of the queue worker.
- The lease time for items in cron-based queues are incorrectly set to 1 second.

Further details available in #25.

Proposed resolution

1. Let queues handle expiration of items themselves.
2. Fix the lease time for cron based queues.
3. Allow queueworkers to set specific lease times as well as cron times.

API changes

Added cron lease time in the QueueWorker annotation definition.

Problem/Motivation

When a "Paragraphs (stable)" widget is used, which uses a long list of dropdowns, those items are only "hidden" with CSS, which means they are still present and causing a very long gap of whitespace at the end of the page.

Steps to reproduce

Create a component which uses the "Paragraphs (stable)" widget display type. Create or edit an item. See large white space gap.

Proposed resolution

Update the Claro theme CSS `dropbutton.css` file for `.dropbutton-wrapper:not(.open) .dropbutton__item:first-of-type ~ .dropbutton__item` items.

Temporary resolution is we added custom theme CSS to change this to `display: none;` but this should be fixed in the theme.

Screenshots attached.

Anyone wanting to give this a spin can enable the toggletip_test module and go to /toggletip-test/toggletips. It's a test module, so $settings['extension_discovery_scan_tests'] = TRUE; must be configured.

Problem/Motivation

Often, the administration interface gets really busy because there’s a lot of information that needs to be available for the user. Especially in long forms, the descriptions and extra information of fields and other elements add a lot of visual complexity.

Proposed resolution

This extra info could be added to a toggle tip (as opposed to a tooltip). A toggletip has a dedicated disclosure button, while a tooltip is triggered by content that already exists on the page.
Such an elementwould simplify the UI and would allow to add extra information when needed.

Make it ad

Remaining tasks

• Track down UI examples where this could be implemented.
• Decide on its implementation: render array or new form element? Render array property that can be added to any existing element. It should also be possible to implement it with just markup, using the data-drupal-toggletip-toggle-button attribute.
• Accesibility feedback: what's the best implementation? Like should it be triggered on hover or on click/touch? Click / touch

User interface changes

Initial design explorations: https://www.figma.com/file/OqWgzAluHtsOd5uwm1lubFeH/Drupal-Design-system...

API changes

Data model changes

Release notes snippet

Problem/Motivation

Currently, file_system service depends on three other services:

  file_system:
    class: Drupal\Core\File\FileSystem
    arguments: ['@stream_wrapper_manager', '@settings', '@logger.channel.file']

Inside of Drupal\Core\File\FileSystem class, instance of logger is used only once in the chmod() method to log error when chmod() PHP function returns FALSE.

Not only this is a side effect, but an instance of logger.channel.file contains references to other services: requests stack, current user object. And from the source of Drupal\Core\Logger\LoggerChannel::log() method, it looks like it can even execute a database query.

Logger makes dependency tree of file_system service unnecessary complicated, and I would expect such a low-level service to have as little side-effects as possible.

Proposed resolution

Solution 1

Remove dependency on logger service and throw ChmodFailedException instead of logging. Handle this exception (or not) in all places in core where chmod() method is called, which is just 3-5 in the whole core.

Solution 2

Silently return FALSE from chmod() method and move logging next to method invocations if it is necessary.

Remaining tasks

Decide which API change is better; and if it is needed at all.

User interface changes

None.

API changes

Change of Drupal\Core\File\FileSystem::__construct() signature. New ChmodFailedException exception class.

Data model changes

None.

I fall into problem that if some of buttons changed on client side and form has several submit buttons,
first button will be selected as $form_state['triggering_element'].

There is a related topic for D8 to rely on #name of buttons and ensure that #name is unique within form.
What i want to make with this patch is just backport of same idea.

If button was not identified by #value instead of just take first from buttons, just try to look up within POST data by button's #name if it exists.
Advantage of this approach that all backward compatibility supported.

Problem/Motivation

Currently it is not possible to exclude theme condition from evaluation. Though the select list with themes is not marked as required the user is always bound to select some theme because there is no "empty" option. For other condition plugins there is a workaround. For instance for Node bundle plugin you can uncheck all content types so the condition will always evaluate to TRUE. Same for User role condition plugin. And for Request path you can leave empty pages textarea.

Proposed resolution

Add "- Any -" option to theme select list of the plugin configuration form.

API changes

The current theme condition is available and now there is a new option "- Any -" on the options.

Steps to reproduce:

Seems like the block is the only drupal core entity that uses the "plugin.manager.condition", and the current theme is excluded in this case as explained in previous comments so in the example I will use the google_tag scenario.

• Apply the patch Recovery the current theme condition plugin patch

from issue #3263122: Recovery the current theme condition plugin and the current patch from this issue.

• Install google_tag on version https://www.drupal.org/project/google_tag/releases/2.0.2
• Create or edit a google tag container and configure the insert conditions of the container
• The current theme is available on insert conditions
  
  
• There is a list of enabled themes to choose where to show the element with the "- Any -" condition. and is possible to negate the condition

Problem/Motivation

ckeditor5 defines 2 functions inside other functions. This is both weird, requiring additional function_exist complexity to work but also probably not working as intended since it actually creates the function as a global function so doesn't really provide a lot of value.

Because of that, phpstan doesn't support it and we convert that to either a standard global function or a closure.

Steps to reproduce

Its in the phpstan baseline

Proposed resolution

1) Convert to closure.
2) Convert to global function.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Follow-up to #2701541: Rename Drupal Upgrade UI to Migrate Drupal UI

Problem/Motivation

• "Upgrading" previously referred to using update.php to go from one major version to the next, and was distinguished from "updating" (using update.php to go from one patch/minor version to the next).
• The difference between "upgrading" and "updating" was always confusing to most people including core devs, and Migrate is a drastically different process both internally and for site owners.
• #2701541: Rename Drupal Upgrade UI to Migrate Drupal UI fixes the name of the Migrate Drupal UI module in this regard, but left behind some other uses of "Upgrade" within the module:

Proposed resolution

Find all instances of "upgrade", "upgrading", etc. Replace with consistent terminology that is more consistent when appropriate (e.g., referring to major- or minor-version updates).

Remaining tasks

TBD

User interface changes

TBD (some at least in the Migrate Drupal UI).

API changes

TBD

Data model changes

TBD