[upstream] Stream wrapper URIs are incorrectly flagged as invalid (hostname misinterpreted) due to bug in `justinrainbow/json-schema` — bump minimum version to 6.6.2

An alternative approach could be:

• Detect whether the value is a Drupal stream wrapper URI.
• If it is, resolve it to its external URL using getExternalUrl().
• Run the resolved URL through UriValidator, falling back to the original value if no stream wrapper applies.

public function validate(mixed $value, Constraint $constraint): void {
  $value = $this->getStreamWrapperForUri($value)?->getExternalUrl() ?? $value;

  $is_valid = match ($constraint->allowReferences) {
    TRUE => UriValidator::isValid($value) || RelativeReferenceValidator::isValid($value),
    FALSE => UriValidator::isValid($value),
  };

}
private function getStreamWrapperForUri(string $uri): ?StreamWrapperInterface {
  $stream_wrapper = $this->streamWrapperManager->getViaUri($uri);
  return $stream_wrapper instanceof StreamWrapperInterface ? $stream_wrapper : NULL;
}

However, this also less likely would catch invalid URIs. As getExternalUrl() normalizes and encodes the path component, turning the invalid stream wrapper URIs into valid HTTP URLs. For example, the invalid URI public://test/file name with spaces.txt becomes https://my-drupal-site.com/sites/default/files/file%20name%20with%20spaces.txt, which passes validation. We can use rawurldecode($value) and then validate, but it might decode the input uri as well.

I independently discovered this bug yesterday:

2. That led me to a whole saga of discoveries. I presumed justinrainbow/json-schema to correctly validate URIs. So I concluded that we'd need to change how json-schema-definitions:// worked. So I implemented that … and then discovered that actually, their URI validation is wrong:

— #3515074-32: Shape matching MUST work with the resolved equivalents of $refs AND must be compatible with core's upcoming $ref resolving in SDCs

Wow: #3352063-69: Allow schema references in Single Directory Component prop schemas → we can now just make Canvas require https://github.com/jsonrainbow/json-schema/releases/tag/6.6.2 to fix this!

I think this ought to be a stable blocker. Because it'll require bumping our versions.

Reviewed and validated and looks good

Thanks!

Oops, one tiny oversight: we should now be able to remove

    // @todo Remove this line once https://www.drupal.org/project/drupal/issues/3352063#comment-16363119 is fixed, or justinrainbow/json-schema's UriValidator has been fixed upstream.
    unset($refSchema['id']);

… to avoid continuing to carry this technical debt.

Removed that bit of code.

👌🏽

Thanks!

Nice, thanks!