Problem/Motivation

We should update all of core's remaining JavaScript dependencies prior to 9.0.0-beta1, including any major version updates that may be available.

Proposed resolution

Here's a table of all core's JS dependencies and what to do with them:

Remaining tasks

Create issues for the above where an update is available (or locate existing issues, e.g. for Normalizer). Re-review the versions immediately prior to 9.0.0-beta1.

User interface changes

API changes

Data model changes

Release notes snippet

Update from 4.13.1 to 4.14.

4.14 was released the day after Drupal 8.8.3 shipped: https://ckeditor.com/blog/CKEditor-4.14-with-Paste-from-LibreOffice-rele...

CKEditor 4.14 adds support from pasting from LibreOffice, fixes two XSS vulnerabilities of which only one affects our CKEditor build (and fortunately it is very obscure, but sadly we didn't get advance notice nor coordination with the Drupal Security Team — presumably because of the obscurity). There are also significant Widget system improvements that allows us to finally fix #3064572: [PP-1] Add mask to prevent interaction with embedded media!

See also:

#1858210: [meta] Content editing experience follow-ups — in-place editing and WYSIWYG
#1950098: Update CKEditor library to 4.1
#2036253: Update CKEditor library to 4.2
#2039163: Update CKEditor library to 4.4
#2271051: Update CKEditor library to 4.4.4
#2345961: Update CKEditor library to 4.4.5
#2384581: Security: Update CKEditor library to 4.4.6
#2415111: Update CKEditor library to 4.4.7
#2521820: Update CKEditor library to 4.5.3
#2321583: Update CKEditor library to 4.5.5
#2663566: Update CKEditor library to 4.5.7
#2698587: Update CKEditor library to 4.5.8
#2724225: Update CKEditor library to 4.5.9
#2765751: Update CKEditor library to 4.5.10
#2797427: Update CKEditor library to 4.5.11
#2828494: Update CKEditor library to 4.6
#2848215: Update CKEditor library to 4.6.2
#2893566: Update CKEditor library to 4.7.1
#2904142: Update CKEditor library to 4.7.2
#2908864: Update CKEditor library to 4.7.3
#2926932: Update CKEditor library to 4.8.0
#2962330: Update CKEditor library to 4.9.2
#2983516: Update CKEditor library to 4.10.0
#2999691: Update CKEditor library to 4.10.1
#3035933: Update CKEditor to 4.11.3
#3050757: Update CKEditor to 4.11.4
#3072382: Update CKEditor to version 4.13
#3105327: Update CKEditor to version 4.13.1

Release notes snippet

CKEditor has been updated from from 4.13.1 to 4.14, which includes numerous bugfixes and improvements.

moving locale.bulk.js into a separate folder caused issue mentioned in the comment #11 of issue 3099577 and it was suggested to create a separate issue for it and addit as a blocker for the parent issue.

Problem/Motivation

(Originally written at #2544020-28: CKEditor plugin not written with CKEditor >=4.4 in mind; rewrite it based on core's `drupalimage` plugin.)

One thing I learned from https://codepen.io/f1ames/pen/arQaYJ is https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_plugins_widget.h...— which is a single property that automatically masks the embedded content:

the widget's element will be covered with a transparent mask. This will prevent its content from being clickable, which matters in case of special elements like embedded Flash or iframes that generate a separate "context".

Yay, exactly what we need for Youtube embeds for example!

Unfortunately using that masks the entire widget, we need the caption editable to still be available for interaction in #2282957: Caption should work like the drupalimage plugin (editable in WYSIWYG, not in dialog). He came up with a clever hack to solve this: figcaption { position: relative; z-index: 1; }. 😀

Unfortunately … it doesn't work at all for us. 😩 Our combination of display: table plus float: right (for a right-aligned captioned embed) on <figure class="caption align-right"> means the widget CKEditor plugin's mask functionality doesn't work, because it relies on position: absolute; top:0; left:0; width:100%; heigh:100%; display:block; to cover the parent exactly through pure CSS. But our CSS — which we've had for more than half a decade and we cannot change since it'd break BC — makes that trick impossible.

See what happens when we just enable mask: true:

Proposed resolution

Figure out a way to use https://ckeditor.com/docs/ckeditor4/latest/api/CKEDITOR_plugins_widget.h... that does work.

Remaining tasks

TBD

User interface changes

Unable to interact with embedded entities.

API changes

None.

Data model changes

None.

Problem/Motivation

During the installation of Drupal we rebuilding and invalidate the caches a lot. This does a lot of queries on the database.

Proposed resolution

Use the MemoryBackend during installation - which results in the following comparison of installing standard via drush: https://blackfire.io/profiles/compare/9d742dcd-4160-45c2-96a9-09d2c5b56f...

Also during the interactive installer we are over 1.5 secs quicker and make at least one less query during the install. See #20 and #21.

The query count is also instructive - for a standard installer without this patch we do 17723 queries - with this patch we do 10733 queries.

Remaining tasks

User interface changes

None

API changes

CacheFactory gets a new boolean injected to determine whether or not drupal is installing.

Data model changes

None

Original issue summary

From comment #2294569-18: Determine cause of high memory consumption:

Performance wise I will open an issue to disable all caches during installation - this brings down to the time to install standard.profile from 35s to 9s.

Doing so! :)

Steps:
1) Navigate to Structure> Taxonomy> Add Vocabulary
2) Observe the screenshot

Expected: Proper spacing is required between the text box and the text
Actual: The 'M' of 'Machine name' overlaps with the green border around the text box.

#3115388 will lead to the removal of \Drupal\Core\Database\Connection::getDriverClass() in Drupal 10. We need to trigger an error in Drupal 9.1.

Problem/Motivation

The autocomplete element does not align in views exposed forms:

Steps to reproduce

1. Install Standard profile
2. Expose 'field_tags' on /admin/content

Proposed resolution

Align the filters by removing the additional margin from the autocomplete element.

Remaining tasks

1. Write a patch
2. Review
3. Commit

User interface changes

Autocomplete input in views exposed filters aligns with select and text inputs.

API changes

None.

Data model changes

None.

Problem/Motivation

Currently the access to the admin/reports is determined by the permission 'access site reports'. Assume you want to facilitate GDPR auditing by exposing a custom site report on admin/reports/audit and expose the report through the toolbar. This would require adding the 'access site reports' permission to the account. However, this permission is also used to display the 'Recent log messages' page of the drupal/dblog module. Allowing a GDPR auditor access to this page is counterproductive for a positive GDPR audit.

Proposed resolution

Allow access to 'admin/reports' based on the 'access site reports' permission in line with admin/structure and admin/config.

Remaining tasks

1. Write a patch
2. Review
3. Commit

User interface changes

Users with the 'access site reports' can access 'admin/reports'.

On the flip side, this will make #296693: Restrict access to empty top level administration pages more visible. This is commonly fixed by using the admin_toolbar_links_access_filter module that comes with the Admin toolbar module or a similar solution.

API changes

None.

Data model changes

None.

Problem/Motivation

Currently, across core and contrib there are a number of modules and issues that attempt to override the menu link tree. However lacking a core way to alter this behavior these overrides conflict with each other. The issue summary of #2854013 outlines some of these existing conflicts.

A quick look through the issue queue found these additional use cases:

• Add classes and attributes
• Add conditional query parameters to a link (ex. ?destination=<current_route>)
• Show links regardless of user access.
• Hide links to unpublished entities regardless of user access.
• Hide links without a translation.

Core can't cover all of these possible combinations but we should facilitate contrib and custom modules to cover them.

Proposed resolution

Dispatch an event within \Drupal\Core\Menu\MenuLinkTree::transform() that modules can subscribe to and alter menu link manipulators.

This solution is similar to #2854013 except that it applies to any menu link tree regardless of how it is built (ex. via a block or theme preprocess). This decouples the building of a menu link tree from how it is rendered.

API changes

• Dispatch an event to alter the array of manipulators in MenuLinkTree::transform()
• Allow adding cache metadata to menu links by implementing \Drupal\Core\Cache\RefinableCacheableDependencyTrait.

Problem/Motivation

At the moment every contrib module that needs to add/alter tree manipulators require to override Drupal\system\Plugin\Block\SystemMenuBlock (or implement their own).

The only possible solution for contrib now is to override block class via hook_block_alter() but when more then one module installed only last override wins.
This collisions affects following contrib modules:
- https://www.drupal.org/project/superfish
- https://www.drupal.org/project/menu_multilingual
- https://www.drupal.org/project/menu_block
- https://www.drupal.org/project/domain_entity to incorporate https://github.com/skilld-labs/domain_menu_access
- https://www.drupal.org/project/menu_per_role
- https://www.drupal.org/project/menu_item_visibility
- https://www.drupal.org/project/menu_manipulator

Proposed resolution

Implement a new hook that allows menu tree manipulators to be altered.

Remaining tasks

- Decide on hook name - hook_system_menu_tree_manipulators_alter()
- File change record
- Commit

User interface changes

No

API additions

Adds hook_system_menu_tree_manipulators_alter to alter manipulators used in menu blocks

Data model changes

No

Just a suggestion, I guess its not needed in core but I need a sortArray for Config Entities (with a weight property).
It would slot alongside existing sortArrays in

namespace Drupal\Component\Utility\SortArray;

/**
 * Config entity is really any object to be sorted by a top level property
 * @param Drupal\Core\Config\Entity\ConfigEntityInterface $a 
 *   First item for comparison. The compared items should have a property called after the 3rd parameter
 * @param Drupal\Core\Config\Entity\ConfigEntityInterface $b
 *   Second item for comparison. The compared items should have a property called after the 3rd parameter
 * @param string $key 
 *   a key with a numeric or string value
  */
 */
public static function sortConfigEntityKey($a, $b, $key) {
  $a_weight = (is_object($a) && property_exists($a, $key)) ? $a->{$key} : 0;
  $b_weight = (is_object($b) && property_exists($b, $key)) ? $b->{$key} : 0;
  if ($a_weight == $b_weight) {
    return 0;
  }
  return ($a_weight < $b_weight) ? -1 : 1;
}

Calculates and adds dependencies of views display extender plugins.
See attached patch.

The description for the output of Crypt::randomBytesBase64() says it will be up to 4 * $count, but that is not true.

Using the Base64 encoding the output of $count bytes is 4/3 * $count bytes.

Instead of describing the maximum output length, which is not specific for the Drupal implementation, the description for the output should be similar to the one used for Crypt::hashBase64(), for example.

A base-64 encoded string, with + replaced with -, / with _ and any = padding characters removed.

Problem/Motivation

#3112476: Always set $info['namespace'] on database connection info results in \Drupal\Core\Database\Database::getDatabaseDriverNamespace not being needed. Let's deprecate it for removal in D10.

Also we should deprecate calling \Drupal\Core\Database\Connection::__construct() without a 'namespace' key in the $connection_options array. Which will allow us to simplify \Drupal\Core\Database\Connection::getDriverClass and remove the override in \Drupal\database_statement_monitoring_test\LoggedStatementsTrait

Proposed resolution

Do it.

Remaining tasks

User interface changes

None

API changes

\Drupal\Core\Database\Database::getDatabaseDriverNamespace is deprecated.

Data model changes

None

Release notes snippet

N/a

Problem/Motivation

Two different Drupal installations on the same domain share the same session cookie name. This can be tested by serving the different installations over different ports.
This leads to being logged out of both when trying to login into them and is probably generally not a good idea to share a session cookie name between different sites.

Proposed resolution

Adding the hash salt to the session name before hashing it would create unique names for different sites.

Remaining tasks

User interface changes

API changes

Data model changes

Problem/Motivation

There are sort direction constants in the class TableSort

# core/lib/Drupal/Core/Utility/TableSort.php

class TableSort {

  const ASC = 'asc';
  const DESC = 'desc';

For me, would be great if they are generic ones. For example:

• Sort::ASC
• Sort::DESC

Then, while writing entity queries, do not need to worry about misspelling them, especially, for non-English speakers.

$query->sort('fieldname', Sort::ASC);

Proposed resolution

Add sort direction constants to \Drupal\Core\Entity\Query\QueryInterface as per suggestion form @longwave #2

Remaining tasks

Needs review

Problem/Motivation

Background:

Given that the PHP version is "PHP7.3"
Installed Drupal with the "standard" installation profile with number of contrib modules
Enabled"Update Manager" module
Having"All messages, with backtrace information" for "Error messages to display" in "Logging and errors"
And login as the site admin or user number 1

Scenario:

When we go to any "/admin/*" page
Then we should not have any Notices

Notice: Undefined index: status in _update_project_status_sort() (line 634 of core/modules/update/update.module).
_update_project_status_sort(Array, Array)
uasort(Array, '_update_project_status_sort') (Line: 55)
update_requirements('runtime') (Line: 186)
update_page_top(Array) (Line: 336)
Drupal\Core\Render\MainContent\HtmlRenderer->buildPageTopAndBottom(Array) (Line: 135)
Drupal\Core\Render\MainContent\HtmlRenderer->renderResponse(Array, Object, Object) (Line: 90)
Drupal\Core\EventSubscriber\MainContentViewSubscriber->onViewRenderArray(Object, 'kernel.view', Object)
call_user_func(Array, Object, 'kernel.view', Object) (Line: 111)
Drupal\Component\EventDispatcher\ContainerAwareEventDispatcher->dispatch('kernel.view', Object) (Line: 156)
Symfony\Component\HttpKernel\HttpKernel->handleRaw(Object, 1) (Line: 68)
Symfony\Component\HttpKernel\HttpKernel->handle(Object, 1, 1) (Line: 67)
Drupal\simple_oauth\HttpMiddleware\BasicAuthSwap->handle(Object, 1, 1) (Line: 57)
Drupal\Core\StackMiddleware\Session->handle(Object, 1, 1) (Line: 47)
Drupal\Core\StackMiddleware\KernelPreHandle->handle(Object, 1, 1) (Line: 106)
Drupal\page_cache\StackMiddleware\PageCache->pass(Object, 1, 1) (Line: 85)
Drupal\page_cache\StackMiddleware\PageCache->handle(Object, 1, 1) (Line: 47)
Drupal\Core\StackMiddleware\ReverseProxyMiddleware->handle(Object, 1, 1) (Line: 52)
Drupal\Core\StackMiddleware\NegotiationMiddleware->handle(Object, 1, 1) (Line: 23)
Stack\StackedHttpKernel->handle(Object, 1, 1) (Line: 694)
Drupal\Core\DrupalKernel->handle(Object) (Line: 19)

Proposed resolution

If we can't parse a version string, instead of leaving the project status empty and letting the rest of Update Manager blow up in unexpected ways, we should always set a status. In the case of an un-recognized version string, use UPDATE_UNKNOWN (or UpdateFetcherInterface::UNKNOWN for >=8.9.x).

If the version is empty, we print "Empty version".
If the version is defined, but can't be parsed, we print "Invalid version: X".
(Screenshots below).

Remaining tasks

• Troubleshoot with contrib and custom modules
• Provide a patch#39 and #41
• Bikeshed about the new message when we can't parse a version string.
• Other reviews, improvements.
• RTBC.
• Commit (e.g. #58 to 9.0.x branch and cherry-pick to 8.9.x, and commit the 8.8.x-specific patch (e.g. #59 to 8.8.x

User interface changes

Adds a new message on the Available updates report for projects where we can't parse the currently installed version string:

Pre #3074993 (e.g. 8.8.2)

Before / current (as of 8.8.3)

After (with patch #41)

API changes

N/A

Data model changes

N/A

Problem/Motivation

Many core administrative permissions do not have "restrict access" enabled, which means there is not a warning on the permissions page when granting that permission to a role.

Proposed resolution

We should add "restrict access" to all permissions with "Administer" in the title, as well as auditing all other permissions to see where this would be a fit.

Remaining tasks

1. Write a patch.

2. Backport the patch to Drupal 7.

User interface changes

More warnings will be shown on the permissions page.

API changes

None.

Data model changes

None.

Release notes snippet

n/a

Views gives duplicate result

Steps to produce this issue.

Add a paragraph type (multi value) to content type. enable revision, have more revisions of the same content
Create a view (REST Export) with relationship to paragraph and taxonomy term in paragraph
Make query settings distinct
Enable aggregation, and in settings of uuid group by value

The result shows duplicate results

I have printed the query and executed on mysql server, which does not give duplicate results

Below is the sql query

SELECT DISTINCT paragraphs_item_field_data_node__field_vehicle_colors_section__paragraph__field_vehicle_color_image.field_vehicle_color_image_target_id AS paragraphs_item_field_data_node__field_vehicle_colors_sectio, paragraphs_item_field_data_node__field_vehicle_colors_section.langcode AS paragraphs_item_field_data_node__field_vehicle_colors_sectio_1, taxonomy_term_field_data_paragraph__field_vehicl_color_thumb__taxonomy_term__field_color_image_thumbnail.field_color_image_thumbnail_target_id AS taxonomy_term_field_data_paragraph__field_vehicl_color_thumb, taxonomy_term_field_data_paragraph__field_vehicl_color_thumb.langcode AS taxonomy_term_field_data_paragraph__field_vehicl_color_thumb_1, paragraphs_item_field_data_node__field_vehicle_colors_section__paragraph__field_vehicl_color_thumb.field_vehicl_color_thumb_target_id AS paragraphs_item_field_data_node__field_vehicle_colors_sectio_2, node_field_data.langcode AS node_field_data_langcode, node__field_360_degree.field_360_degree_value AS node__field_360_degree_field_360_degree_value, taxonomy_term_field_data_paragraph__field_vehicl_color_thumb__taxonomy_term_data.uuid AS taxonomy_term_field_data_paragraph__field_vehicl_color_thumb_2, node_field_data.created AS node_field_data_created, node__field_weight.field_weight_value AS node__field_weight_field_weight_value, node_field_data.nid AS nid, MIN(node_field_data.nid) AS nid_1, MIN(paragraphs_item_field_data_node__field_vehicle_colors_section.id) AS paragraphs_item_field_data_node__field_vehicle_colors_sectio_3, MIN(taxonomy_term_field_data_paragraph__field_vehicl_color_thumb.tid) AS taxonomy_term_field_data_paragraph__field_vehicl_color_thumb_3
FROM
node_field_data node_field_data
LEFT JOIN node__field_vehicle_colors_section node__field_vehicle_colors_section ON node_field_data.nid = node__field_vehicle_colors_section.entity_id AND (node__field_vehicle_colors_section.deleted = '0' AND node__field_vehicle_colors_section.langcode = node_field_data.langcode)
LEFT JOIN paragraphs_item_field_data paragraphs_item_field_data_node__field_vehicle_colors_section ON node__field_vehicle_colors_section.field_vehicle_colors_section_target_revision_id = paragraphs_item_field_data_node__field_vehicle_colors_section.revision_id
LEFT JOIN paragraph__field_vehicl_color_thumb paragraphs_item_field_data_node__field_vehicle_colors_section__paragraph__field_vehicl_color_thumb ON paragraphs_item_field_data_node__field_vehicle_colors_section.id = paragraphs_item_field_data_node__field_vehicle_colors_section__paragraph__field_vehicl_color_thumb.entity_id AND (paragraphs_item_field_data_node__field_vehicle_colors_section__paragraph__field_vehicl_color_thumb.deleted = '0' AND paragraphs_item_field_data_node__field_vehicle_colors_section__paragraph__field_vehicl_color_thumb.langcode = paragraphs_item_field_data_node__field_vehicle_colors_section.langcode)
LEFT JOIN taxonomy_term_field_data taxonomy_term_field_data_paragraph__field_vehicl_color_thumb ON paragraphs_item_field_data_node__field_vehicle_colors_section__paragraph__field_vehicl_color_thumb.field_vehicl_color_thumb_target_id = taxonomy_term_field_data_paragraph__field_vehicl_color_thumb.tid
LEFT JOIN paragraph__field_vehicle_color_image paragraphs_item_field_data_node__field_vehicle_colors_section__paragraph__field_vehicle_color_image ON paragraphs_item_field_data_node__field_vehicle_colors_section.id = paragraphs_item_field_data_node__field_vehicle_colors_section__paragraph__field_vehicle_color_image.entity_id AND (paragraphs_item_field_data_node__field_vehicle_colors_section__paragraph__field_vehicle_color_image.deleted = '0' AND paragraphs_item_field_data_node__field_vehicle_colors_section__paragraph__field_vehicle_color_image.langcode = paragraphs_item_field_data_node__field_vehicle_colors_section.langcode)
LEFT JOIN taxonomy_term__field_color_image_thumbnail taxonomy_term_field_data_paragraph__field_vehicl_color_thumb__taxonomy_term__field_color_image_thumbnail ON taxonomy_term_field_data_paragraph__field_vehicl_color_thumb.tid = taxonomy_term_field_data_paragraph__field_vehicl_color_thumb__taxonomy_term__field_color_image_thumbnail.entity_id AND taxonomy_term_field_data_paragraph__field_vehicl_color_thumb__taxonomy_term__field_color_image_thumbnail.deleted = '0'
LEFT JOIN node__field_colo node__field_colo ON node_field_data.nid = node__field_colo.entity_id AND (node__field_colo.deleted = '0' AND node__field_colo.langcode = node_field_data.langcode)
LEFT JOIN node__field_360_degree node__field_360_degree ON node_field_data.nid = node__field_360_degree.entity_id AND (node__field_360_degree.deleted = '0' AND node__field_360_degree.langcode = node_field_data.langcode)
INNER JOIN taxonomy_term_data taxonomy_term_field_data_paragraph__field_vehicl_color_thumb__taxonomy_term_data ON taxonomy_term_field_data_paragraph__field_vehicl_color_thumb.tid = taxonomy_term_field_data_paragraph__field_vehicl_color_thumb__taxonomy_term_data.tid
LEFT JOIN node__field_weight node__field_weight ON node_field_data.nid = node__field_weight.entity_id AND (node__field_weight.deleted = '0' AND node__field_weight.langcode = node_field_data.langcode)
WHERE ((node_field_data.nid = '5')) AND ((node_field_data.status = '1') AND (node_field_data.type IN ('vehicle')) AND (paragraphs_item_field_data_node__field_vehicle_colors_section.langcode IN ('', '', '', 'en')) AND (node_field_data.langcode IN ('en')))
GROUP BY node_field_data.nid, paragraphs_item_field_data_node__field_vehicle_colors_sectio, paragraphs_item_field_data_node__field_vehicle_colors_sectio_1, taxonomy_term_field_data_paragraph__field_vehicl_color_thumb, taxonomy_term_field_data_paragraph__field_vehicl_color_thumb_1, paragraphs_item_field_data_node__field_vehicle_colors_sectio_2, node_field_data_langcode, node__field_360_degree_field_360_degree_value, taxonomy_term_field_data_paragraph__field_vehicl_color_thumb_2, node_field_data_created, node__field_weight_field_weight_value
ORDER BY node_field_data_created DESC, node__field_weight_field_weight_value ASC
LIMIT 25 OFFSET 0