Problem/Motivation

During the course of #3352063: Allow schema references in Single Directory Component prop schemas we realized we need a library to parse JSON Schema in order to de-reference sub-schemas and leverage some of the more advanced features of this standard.

We are currently using justinrainbow/json-schema as a require-dev dependency for SDC and JSON:API to validate data against pre-defined schemas during development time. We restrict this to development environments by wrapping the validation in assertions.

Proposed resolution

If we are to support these more advanced features we will need to do so outside of development environments. This means that justinrainbow/json-schema would need to be vetted as a dependency for drupal/core.

Remaining tasks

  1. Discuss if the feature described in #3352063: Allow schema references in Single Directory Component prop schemas justifies including this new dependency in core. @catch and @alexpott are on board.
  2. Vet the new dependency: https://www.drupal.org/about/core/policies/core-dependency-policies/depe...

Dependency Evalution

Maintainership of the package
jsonrainbow/json-schema is an open source project with ~300M installs: https://packagist.org/packages/justinrainbow/json-schema

It was stuck in the 5.x branch for years — with https://github.com/jsonrainbow/json-schema/tree/5.2.12 3 years ago, https://github.com/jsonrainbow/json-schema/tree/5.2.13 2 years ago, and none of the ecosystem-impacting bugs were getting fixed. In part this was due to Composer depending using it, and it being reliant on a specific behavior, which made it hard for the library to move forward.

But then https://github.com/DannyvdSluijs took over maintainership, collaboration with the Composer maintainers happened and … it resulted in https://github.com/jsonrainbow/json-schema/tree/6.0.0 last year (July 30 2024), and now we're up to https://github.com/jsonrainbow/json-schema/tree/6.6.0 last week (Oct 10, 2025)!

In fact, as of April 3, 2025, Composer itself bumped in its 2.8.7 release to depend on justinrainbow/json-schema 6.x!

Security policies of the package
SECURITY.md says both 5.x and 6.x have security support, and instructs how to safely report security vulnerabilities.
Expected release and support cycles
6.0: July 2024, 6.1: Feb 2025, 6.2: Feb 2025, 6.3: Mar 2025, 6.4: Apr 2025, 6.5: Aug 2025, 6.6: October 2025 → definitely actively maintained. Technical debt is being erased, and it's adding support for newer JSON Schema versions: https://github.com/jsonrainbow/json-schema/pull/835
Code quality
The source code is well maintained and includes automated tests.
Other dependencies it would add, if any (the full tree, not just direct dependencies), and evaluations for those dependencies as well
It has 1 dependency: https://github.com/marc-mabe/php-enum, which itself has 27M installs, is well-maintained, has automated tests, is licensed under the BSD 3-Clause license which is a GNU compatible license.

(It was just necessary to get PHP Enum support ahead of native PHP support, back in 2017: https://github.com/jsonrainbow/json-schema/pull/364. It is likely to eventually get dropped.)

License
The license is MIT, which is listed as a GNU compatible license.

Issue fork drupal-3365985

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

e0ipso created an issue. See original summary.

e0ipso’s picture

e0ipso
Primary language Catalan
Location Can Picafort
commented
Issue tags: +Needs release manager review

I imagine that adding a new dependecy to core is a big deal and we do not take that lightly. For that reason I am inclined to move the feature described in #3352063: Allow schema references in Single Directory Component prop schemas to contrib.

Note that contrib modules that extend SDC already bring in this library as a run-time dependency anyways.

However, if core release managers think that it's not a big deal, and we should include the new dependency, I think it'd be nice to support #3352063: Allow schema references in Single Directory Component prop schemas in core.

I am marking this as "Needs release manager review" since I think we cannot make a decision here without their guidance.

dieterholvoet’s picture

dieterholvoet commented
Component: render system » single directory components

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Title: Vet require-dev dependency justinrainbow/json-schema as a require dependency » Promote justinrainbow/json-schema from dev-dependency to full dependency
Priority: Normal » Major
Status: Active » Reviewed & tested by the community
Issue tags: +Contributed project blocker, +blocker
Related issues: +#3395586: Add Symfony's Filesystem and Finder components to core, +#2843147: Add JSON:API to core as a stable module

We last moved two dependencies from require-dev to require in #3395586: Add Symfony's Filesystem and Finder components to core. The dependency evaluations happened in #3369121: Promote symfony/filesystem from dev-dependency to full dependency and #3369120: Promote symfony/finder from dev-dependency to full dependency.

https://github.com/justinrainbow/json-schema is a well-maintained package with >200 million downloads. It was added as a dev dependency >5 years ago, in #2843147: Add JSON:API to core as a stable module.

Landing this would unblock #3352063: Allow schema references in Single Directory Component prop schemas, which in turn would unblock the Drupal ecosystem to do very interesting new things on top of SDC, especially now that SDC is stable in 10.3!.

We already can see some of the cool things that enables in the ui_patterns module's 2.0.x branch, see #3352063-17: Allow schema references in Single Directory Component prop schemas for an explanation. The way they get around this issue not having landed yet is … by making their contrib module require justinrainbow/json-schema as a non-dev dependency! 😄

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Status: Reviewed & tested by the community » Needs work

Making this a non-dev dependency means that we need to do a fuller evaluation of the security policies of justinrainbow/json-schema and it's dependencies. What's interesting is that master branch has more dependencies than the version we are currently on. It looks like people are trying revive the library a bit but we do need to think about the possibility of adding marc-mabe/php-enum and icecave/parity. It would be great to reach out the current library maintainers to see if they still plan to add these dependencies to the next version. I think we do need some idea about where the library is going and who is doing the maintaining going forward.

We will need to add this to https://www.drupal.org/about/core/policies/core-dependency-policies-and-... so we will need:
Repository link, release cycle info, security policy info, security issue reporting and contact details

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented

An additional concern here is this we probably want to add a hook requirements to jsonapi module that warns when asserts are on because asserts + this package in production adds a lot of performance overhead to json API requests (yes I have seen this while auditing 'slow' sites)

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented

FYI: the current version of justinrainbow/json-schema (version 5.x) has severe bugs that have been fixed in 6.x:

Create an SDC with this as the schema of one of its props:

      properties:
        src:
          title: "Image URL"
          type: string
          format: uri-reference
          pattern: "^(/|https?://)?.*\\.(png|gif|jpg|jpeg|webp)(\\?.*)?(#.*)?$"

This is valid per https://json-schema.org/understanding-json-schema/reference/regular_expr....

But it triggers a InvalidComponentException: [props.properties.image.properties.src.pattern] Invalid regex format ^(/|https?://)?.*\.(png|gif|jpg|jpeg|webp)(\?.*)?(#.*)?$ !

Turns out it's due to a bug that's been fixed years ago: https://github.com/jsonrainbow/json-schema/issues/508.

(More detail: #3515074-5: Shape matching MUST work with the resolved equivalents of $refs AND must be compatible with core's upcoming $ref resolving in SDCs.)

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Related issues: +#3472008: Avoid JSON:API schema validation by default when assert is enabled

#7 would be solved by #3472008: Avoid JSON:API schema validation by default when assert is enabled

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
Related issues: +#3499279: Make link widget autocomplete work (for uri and uri-reference props)

Adding #3499279: Make link widget autocomplete work (for uri and uri-reference props) which also requires the 6.3.1 version - the fix in https://github.com/jsonrainbow/json-schema/pull/800 is needed to support entity:node/3 style URIs in experience builder

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
Related issues: +#3516348: Allow 6.x version of justinrainbow/json-schema

Added #3516348: Allow 6.x version of justinrainbow/json-schema for adding support for both 5.x and 6.x at the same time

andypost’s picture

andypost
he/him
Primary language Russian
commented

is this still needed?

pdureau’s picture

pdureau commented

it is still needed by #3352063: Allow schema references in Single Directory Component prop schemas on which I am currently working on.

A commit addressing the current issue has been pushed in the MR of the other issue: https://git.drupalcode.org/project/drupal/-/merge_requests/13457/commits

#3516348: Allow 6.x version of justinrainbow/json-schema was about version management. This issue is about moving dependency out of dev.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Issue tags: +Experience Builder

#13++

It would also benefit Canvas, because https://git.drupalcode.org/project/canvas/-/blob/1.x/composer.json?ref_t... has this as a full dependency too, and in fact the SOLE non-core dependency:

    …
    "require": {
        "drupal/core": "^11.2",
        "justinrainbow/json-schema": "^6.3"
    },
    …

wim leers opened merge request !13507

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Status: Needs work » Needs review
Issue tags: +Vienna2025

Discussed with @alexpott & @catch at DrupalCon.

I forgot the process, and e.g. #3369120: Promote symfony/finder from dev-dependency to full dependency didn't document it either, so I think it's

composer require justinrainbow/json-schema "^5.2 || ^6.5.2" -W

So created an MR for that!

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Issue summary: View changes

Added the dependency evaluation.

But basically: if it's good enough for Composer, surely it also is for us? 😅

pdureau’s picture

pdureau commented
Status: Needs review » Reviewed & tested by the community

Reviewed OK because similar to what was done in https://git.drupalcode.org/project/drupal/-/merge_requests/13457/commits

  • catch committed e00353f2 on 11.x 
    Issue #3365985 by e0ipso, alexpott, larowlan, wim leers, pdureau:...
catch’s picture

catch
he/him
Primary language English
commented
Status: Reviewed & tested by the community » Fixed
Issue tags: -Needs release manager review +Needs followup

Discussed this with @Wim Leers, @pdureau and others at DrupalCon - the improvements in the library since this issue was original opened are very encouraging, and we have a very clear use case in the schema reference support.

I think we need an explicit followup for #3365985: Promote justinrainbow/json-schema from dev-dependency to full dependency so it doesn't get lost and then rediscovered by a website. Asserts should be off in production anyway? Maybe we can add a generic status report warning for them when 'dev mode' isn't enabled?

Now that this issue is closed, please review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, please credit people who helped resolve this issue.

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented

@catch I think #3472008: Avoid JSON:API schema validation by default when assert is enabled is a good enough followup already?

catch closed merge request !13507

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Issue tags: -Needs followup

#22++

I cannot possibly express how strongly I agree with @catch's Asserts should be off in production anyway? 😅, so was bold and rescoped/retitled #3472008 in #3472008-22: Avoid JSON:API schema validation by default when assert is enabled 😇

EDIT: also, I think #3478689 becomes now more important too, as @longwave noted at #3478689-4: Investigate if ComponentValidator should have soft dependency on justinrainbow/json-schema.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented

BTW, any reason why we can't drop justinrainbow/json-schema's ^5.2 support? 😇 Especially given that that branch is barely maintained?

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.