Problem/Motivation

The documentation on the Drupal\Core\Render\Element\Select element doesn't warns that using #empty_value could lead to overwriting a value in #options.

See #1936636: Fix the documentation for #empty_value for more details.

Steps to reproduce

N/A

Proposed resolution

Add a warning in the comments about this situation.

Remaining tasks

User interface changes

API changes

None.

Data model changes

None.

Release notes snippet

None.

Issue summary updated as of comment #17

Problem/Motivation

Image field formatter URL of image needs option Absolute URL.
Usage:
- Display full image URL on page.
- Image field URL in Views data export (XML, CSV).

Steps to reproduce

Add Image field to content.
Alter field options to enable Use absolute URL.

User interface changes

Followup #2999721: [META] Deprecate the legacy include files before Drupal 9

Problem/Motivation

Kill includes

Proposed resolution

Convert drupal_rebuilddrupal_flush_all_caches and _drupal_flush_css_js functions into cache Rebulder class methods. Class methods have to be static as they are used in container rebuild process.

Remaining tasks

1. Add new methods
2. Replace body of the function with new method call
   Replace old function calls with the new method
3. Create CR
4. Add @deprecated annotation with message for the deprecated functions
5. Call @trigger_error function in the deprecated functions
6. Add the legacy tests

User interface changes

none

API changes

New class Drupal\Core\Cache\Rebuilder
drupal_rebuilddrupal_flush_all_caches and _drupal_flush_css_js functions become deprecated.

Data model changes

none

Problem/Motivation

Translation is not deleted when following edit link from admin/content page.

Steps to reproduce

- Enable Content Translation module
- Add additional language
- Set up translation for default 'Basic page' node type (or any else)
- Create a node and add translation for it
- Visit /admin/content page
- Click on edit link for previously added node translation
- Click on "Delete translation" button

Expected result:
- User should be redirected to node delete form (/node/NID/delete)

Actual result:
- User redirected to url that set on 'destination' url query parameter
- Translation isn't removed

Proposed resolution

TBA

Remaining tasks

Update the patch
Review
Commit

User interface changes

API changes

Data model changes

Release notes snippet

Sorry, can't find any mentions for exact behavior, so I created this one

Problem/Motivation

field.module:

/*
 * Load all public Field API functions. Drupal currently has no
 * mechanism for auto-loading core APIs, so we have to load them on
 * every page request.
 */
require_once __DIR__ . '/field.purge.inc';

field.purge.inc only contains three functions; these can be moved to field.module.

Steps to reproduce

Proposed resolution

Move functions to field.module and deprecate field.purge.inc as per https://www.drupal.org/about/core/policies/core-change-policies/drupal-d...

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Problem/Motivation

Note (& Cover My Ass-disclaimer): This issue been discussed with @longwave wearing his Drupal Security Team hat (which I must admit matches the color of his eyes perfectly) and he was OK with this being handled in the public queue.

Also it was decided it would be OK to update all the SA-flagged dependencies in one issue, since splitting this up per dependency would basically be sendig us on a reroll-rampage since they all affect core/yarn.lock.

Note 2:: This topic might cause RSI from too much scrolling for too few comments. No animals were harmed in the making of this issue though.

Right, with the legalities out of the way: We currently have a few SA-flagged JavaScript dependencies in core.

$ yarn audit
yarn audit v1.22.19
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.7.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint > meow > read-pkg-up > read-pkg >                  │
│               │ normalize-package-data > semver                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092459                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Uncaught Exception in yaml                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yaml                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eslint-plugin-yml                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ eslint-plugin-yml > yaml-eslint-parser > yaml                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1091871                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cspell                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cspell > semver                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092461                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint > meow > normalize-package-data > semver           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092461                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ tough-cookie Prototype Pollution vulnerability               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tough-cookie                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.1.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jsdom                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jsdom> tough-cookie                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092470                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Stylelint has vulnerability in semver dependency             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ stylelint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=15.10.1                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092471                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ word-wrap vulnerable to Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ word-wrap                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eslint                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ eslint > optionator > word-wrap                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092330                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eslint-config-airbnb-base                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ eslint-config-airbnb-base > semver                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092460                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ postcss-url                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ postcss-url > make-dir > semver                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092460                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cspell                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cspell > cspell-lib > configstore > make-dir > semver        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092460                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nightwatch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nightwatch > semver                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092461                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
11 vulnerabilities found - Packages audited: 826
Severity: 1 Low | 9 Moderate | 1 High
Done in 1.64s.

Steps to reproduce

$ yarn install
$ yarn audit

Proposed resolution

yarn upgrade stylelint eslint-plugin-yml cspell jsdom eslint eslint-config-airbnb-base postcss-url

Since we don't want to facilitate installing unsafe dependencies I bumped the versions of the above in core/package.json where needed.

We need to special case nightwatch since:

a) Upgrading it currently makes TestBot _really_ unhappy (See #3323988: Update Nightwatch from 2.4.2 to 2.6.19)
b) Even upgrading it locally to the latest 2.x version didn't solve the semver issue.

Adding a "resolutions"-section to core/package.json and a $ yarn installdid the trick and $ yarn audit now returns a happy 0 vulnerabilities found - Packages audited: 814.

Since we're updating cspell, I also created a new dictionary.txt.

EDIT: Seems the above introduced 3 new errors when doing a yarn check -s

error "acorn" is wrong version: expected "8.8.2", got "8.10.0"
error "espree#acorn" not installed
error "espree#acorn-jsx" not installed
error Found 3 errors.

which I basically don't care about, but breaks drupal CI (#3369993-43: [Ignore] In space (and/or this issue), no one can hear patches scream VII).

Digging around the only dependency using acorn 8.8.2 is terser.
So I ended up doing an update on that as well, including the version bump in package.json.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

From #2320253-10: FIC/FSC::preSave() do not call the parent implementation :

not sure why we initialize default settings in preSave(), this leaves freshly created entities broken for runtime use (incomplete settings) until they are actually saved. We should do this as early as postCreate().

Actually, default settings should be merged :
- on postCreate(), so that the entity is valid for runtime use straight after it's created
- on postLoad(), so that existing fields stay valid fro runtime if the field type module was updated and added new settings in a point release . This adds minor runtime overhead (array += ...), but is cached in EntityManager.

Similarly, FieldStorageConfig::$module is currently only populated in preSave(), meaning the entity is not reliable until that point. Should be done in postCreate().

Last, FieldStorageConfig::preSave() initializes $this->id, which seems pointless as no other config entity seems to be doing it. Looks like it can be removed

Problem/Motivation

There's some deprecations in upcoming PHP 8.3

- https://wiki.php.net/rfc/deprecate_functions_with_overloaded_signatures
- https://wiki.php.net/rfc/assert-string-eval-cleanup

Proposed resolution

https://wiki.php.net/rfc/deprecate_functions_with_overloaded_signatures#...
- Replace deprecated get_class() call without argument

$ git grep 'get_class()'
core/lib/Drupal/Component/Plugin/PluginManagerBase.php:128:    throw new \BadMethodCallException(get_class() . '::getFallbackPluginId() not implemented.');

https://wiki.php.net/rfc/deprecate_functions_with_overloaded_signatures#...
- ReflectionMethod::__construct() with 1 argument

core/lib/Drupal/Component/Utility/ArgumentsResolver.php:126:      return new \ReflectionMethod($callable);

https://wiki.php.net/rfc/deprecate_functions_with_overloaded_signatures#...

$ git grep -A 5 ReflectionProperty|grep setValue
core/tests/Drupal/Tests/Component/Utility/HtmlTest.php-31-    $property->setValue(NULL);

Problem/Motivation

Since #3277784: copyRawVariables should support default route parameters menu active trail information is missing from menu items under certain circumstances. In my case I've got a view with a path and menu entry and the rendered menu item no longer sets in_active_trail to TRUE when accessing the view on a page with the menu.

This issue is broken out from a different regression: #3358402: [regression] route defaults are now automatically route parameters. There a few relevant comments there:

Comment from @znerol:

I think that $this->routeMatech->getRawParameters()->all() returns a different set of key-value pairs which in turn leads to an empty result from $this->menuLinkManager->loadLinksByroute() in MenuActiveTrail::getActiveLink():

  public function getActiveLink($menu_name = NULL) {
    [...]
      $route_parameters = $this->routeMatch->getRawParameters()->all();

      // Load links matching this route.
      $links = $this->menuLinkManager->loadLinksByRoute($route_name, $route_parameters, $menu_name);
      // Select the first matching link.
      if ($links) {
        $found = reset($links);
      }
    [...]
  }

Comment from @lisotton:

I have some routes that share the same Controller and Action, but in the route declaration it declares default parameters. For example I have the route mymodule.news_list (/news) which have the controller ListPageController::entryPoint with a default parameter called type with value news-list. Then I have another route called mymodule.articles_list (/articles) which shares the same controller, but the default parameter type with value articles-list.

Before when I was calling \Drupal::service('plugin.manager.menu.link')->loadLinksByRoute('news_list'), without any second second parameter (route params), it was returning me the menu links, but with the change in 9.5.9, I'm enforced to call \Drupal::service('plugin.manager.menu.link')->loadLinksByRoute('news_list', ['type' => 'news-list').

For me this broke many small things, like breadcrumbs, custom menu blocks, etc.

Steps to reproduce

1. Log in as admin.
2. Navigate to /admin/structure/views/add.
3. Add a view with options:
   • View name: Site content
   • Create a page: checked
   • Create a menu link: checked
   • Menu: Main navigation
4. Navigate to /site-content.
5. Inspect "Site content" main navigation item with browser tools and confirm class primary-nav__menu-link--active-trailis not present on a element.
6. Revert changes from #3277784: copyRawVariables should support default route parameters (or just comment out core/lib/Drupal/Core/Routing/Enhancer/ParamConversionEnhancer.php#L71-75).
7. Rebuild caches.
8. Navigate to /site-content.
9. Inspect "Site content" main navigation item with browser tools and confirm class primary-nav__menu-link--active-trailis present on a element.

Proposed resolution

None yet.

Remaining tasks

Come with a proposed resolution and MR.

After upgrading from Drupal 7, no users are able to log into the site until clearing cookies (or presumably, waiting 3 weeks until the cookie expires).

Before and after the upgrade, the site is hosted on https and with www.

Unfortunately, since I cleared my cookies I don't have the Drupal 7 cookie anymore, but comparing with other sites, it looks like the cookie name / value are the same format across D7/D8, both are HttpOnly and Secure, path is the same. However, the D8 cookie includes the www. in the cookie domain while the D7 one does not.

Drupal 7 cookie: .example.com
Drupal 8 cookie: .www.example.com

I also tried to login using the one-time login created with drush uli, but even this wouldn't work.

Proposed Solution:
Unset or ignore any cookies that do not correspond to an active session.

Problem/Motivation

Several process plugins contain lookups against hardcoded migration ids. These ids can change in contrib, or custom migrations with different ids should be able to work with the process plugins.

A scenario where this is a problem is exampled in issue summary of the duplicate.

Process plugins:
[x] BlockPluginId.php used in d6_block.yml and d7_block.
[X] BlockVisibility.php used in d6_block.yml and d7_block.
[x] d7/FieldBundle.php used in d7_field_instance.yml
[X] d6/FieldFile.php OK. This is added to the migration by defineValueProcessPipeline so it is installed in the yaml as a process.
[X] d6/FilterFormatPermission.php used in d6_user_role.yml
[(x)] MenuLinkParent.phpdoes a self lookup, so no change needed

Furthermore there are migrateLookup->lookup() calls in

• MigrateLookupTest
• MigrateStubTest
• MenuLinkParentTest
• MigrationLookupTest

unsure if these also have to be adjusted.

Proposed resolution

Either allow the ids to be overridden in configuration or switch to a tag based lookup system

Remaining tasks

Review

User interface changes

API changes

Data model changes

Release notes snippet

As discussed in #3068310: Composite primary key with specified index length fails the NOT NULL check, limited length keys are applicable only to indexes, not to primary and unique keys.

See #11 there:

A fundamental/conceptual question here: are we sure we want to support partial lenght columns in a unique key context here (primary/unique keys)? IMHO it seems weird you design a table with fields that you want to be kind of unique via PK, then to have a PK that would fatally fail when trying to insert records that lead to duplicate key, which can happen if your field varies in the part that is not part of the key -- how are we going to decide which is the 'right' key and record?

Recently, Doctrine DBAL have introduced partial length support to indexes https://github.com/doctrine/dbal/pull/2412, but have done so only for indexes, that allow duplicated keys - not for primary/unique keys.

It should be clarified in the docs that this is the case, and enforce in code that trying to create PKs or unique keys with limited length throws a SchemaException or similar.

Problem/Motivation

As link widget for internal links allows to have entity reference autocomplete, it would be nice to have opportunity to select the reference method the same way as it is possible for entity reference field. This way it would be possible to easily find content that is needed using, for example, views entity reference handler.

Steps to reproduce

Standard Drupal installation, article content type, add link field allowing both internal and external links or only internal.

Proposed resolution

Add 'handler' and 'handler_settings' field settings to link field type.

Remaining tasks

Create patch or MR

User interface changes

Field settings for link field type would have "Reference method" setting, the same as entity reference field.

API changes

None

Data model changes

None

Release notes snippet

Problem/Motivation

The tabs on the node edit form cannot be reordered via the UI. Some of the tabs map to a field in the 'Manage form display' settings, but as this is based on fields, these settings do not affect the tab display.

You can reorder fields within tabs, e.g. Authored on and Authored by within the Authoring info tab, or Sticky and Promoted within the Promotion options tab. But the tab order is hardcoded, although this isn't as obvious with fields that are mapped 1-1 with a tab like URL alias or Comments.

Proposed resolution

Develop a method (TBC) for reordering the tabs within the UI.

Remaining tasks

1. Agree on an approach
2. Write a patch with tests
3. Review

User interface changes

TBC but it would add a UI for reordering the tabs.

API changes

TBC

Data model changes

TBC

Release notes snippet

N/A

Original report by chrisck

Problem/Motivation

The URL alias field and URL redirect field are not respecting their weight order on the content edit/create page. I know URL redirect is a module while URL alias is part of core, but it just so happens both of these fields' weights are not working. I've tried using both the drag handles and editing the row weights.

Steps to reproduce

1. Go to admin/structure/types/manage/page/form-display
2. Move URL alias field above "authored by" or "authored on" field using the drag handles or row weights

Problem/Motivation

HTML5 proposes/solidifies asynchronous loading of JavaScript files based on two attributes: defer and async. Drupal has supported defer since at least D6, and support for async is currently in the works (#1140356: Add async, onload property to script tags).

Current behavior (as of 8.6) is that scripts with the defer attribute do not ever get aggregated (even in the case where there are multiple scripts added through one library).

Proposed resolution

Presumably, something will be added to drupal_group_js that groups "async" values with one another and "defer" values with one another, respecting their weights.

Remaining tasks

• Related issue: #1140356: Add async, onload property to script tags
• Related issue: #865536: drupal_add_js() is missing the 'browsers' option
• Patch, test, etc.

User interface changes

None

API changes

Though this affects JavaScript aggregation, this should have little-to-no API impact.

Problem/Motivation

Amongst the current suppressions found in the PHPStan level 1 baseline is: Variable $foo might not be defined..

This issue exists to fix all of those caused by non-exhaustive switch statements. See https://github.com/phpstan/phpstan/issues/7521#issuecomment-1164581820

Steps to reproduce

- Run PHPStan on level 1 and see the above issue amongst all others.

Proposed resolution

- Solve all of the reported issues for the above mentioned.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Problem/Motivation

From the DrupalCon Barcelona Hard Problems Meeting on performance:

1. ImageStyle/derivative stuff aggregate generation - remove state gets, file_exists(), cold cache memory/cpu
2. Cron subscriber: state get/config get on EVERY request, we can only get rid of the config get by moving it into a module; we’ll still need a config get, but then you can at least avoid the config get if you uninstall that module https://www.drupal.org/node/2507031
   • Alex: can’t we cache that?
   • Berdir: No, wasn’t able to do so even after 6 months of trying. I used a cache collector, but that didn’t work out.
   • Patch: https://www.drupal.org/node/2575105

Proposed resolution

The state service / \Drupal\Core\State\State extends \Drupal\Core\Cache\CacheCollector. This results in less queries to the database as a single cache entry stores commonly accessed state items.

Most code will not need to make any changes.

NOTE: due to a mistake proper discussion of the issue takes place in #2 -> #35 and #65 and after.

Remaining tasks

None.

User interface changes

None.

API changes

\Drupal\Core\State\State::__construct now requires a cache backend and the lock service to be injected. Support for calling this without those services is removed in Drupal 10.

Data model changes

None.

Release notes snippet

I don't think this is necessary.

Updated: Comment #N

Problem/Motivation

OutboundPathProcessorInterface::processOutbound currently accepts an optional $request parameter. The only subsystem requiring the request when processing outbound paths is the various language path processors.

At the same time it is desirable to remove the dependency of UrlGenerator from the request service. In order to do so, outbound path processing needs to be possible without having to inject the request (or request_stack) into the UrlGenerator.

Proposed resolution

• Remove the optional request parameter from OutboundPathProcessorInterface::processOutbound()

Removing the request dependency from the UrlGenerator completely should be done in a follow-up issue.

Remaining tasks

evaluate and commit

User interface changes

no

API changes

\Drupal\Core\PathProcessor\OutboundPathProcessorInterface::processOutbound() optional argument removal

-  public function processOutbound($path, &$options = array(), Request $request = NULL, CacheableMetadata $cacheable_metadata = NULL);
+  public function processOutbound($path, &$options = array(), CacheableMetadata $cacheable_metadata = NULL);

Beta phase evaluation

Problem/Motivation

  public function processOutbound($path, &$options = [], Request $request = NULL, BubbleableMetadata $bubbleable_metadata = NULL);

but:

   * @param \Symfony\Component\HttpFoundation\Request $request
   *   The HttpRequest object representing the current request.

The docs should say that $request could be NULL, and also they should say what it means when this happens.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Suggested commit message: Issue #2363351 by chx, larowlan: CMI (or anything cached) can'\''t be used from a Service Provider.

Problem/Motivation

The cache_factory service needs %cache_default_bin_backends. This parameter is added by ListCacheBinsPass. This runs after service providers which, as a corollary can't use CMI. LanguageServiceProvider is an example which tries to use CMI and abuses the bootstrap config storage to do so because it can't use the normal service. There's a @todo to replace it with config.storage. This issue is about resolving that @todo.

Another example that if you would like to try to access a module's path in a service provider you get a You have requested a non-existent parameter "cache_default_bin_backends". :

final class MY_MODULE_ServiceProvider implements ServiceProviderInterface {

  /**
   * {@inheritdoc}
   */
  public function register(ContainerBuilder $container): void {
    /** @var \Drupal\Core\Extension\ModuleHandlerInterface $module_handler */
    $module_handler = $container->get('module_handler');
    try {
      $path = $module_handler->getModule(MY_MODULE)->getPath();
    } catch (\Exception $e) {
      throw new LogicException('Unable to identify installation path of this module.');
    }
  }

Proposed resolution

Add cache_default_bin_backends: null by default and if NULL return NullBackend unconditionally from the CacheBackend.

Remaining tasks

User interface changes

API changes