Vaadin Framework version: 8, all versions

There is a major error in the class com.vaadin.server.VaadinSession (and possibly other classes too, if this is some kind of cargo cult programming in the Vaadin team)

Most public methods in the class use assertions to "check" if the session has the lock. This is fundamentally wrong. Assertions are the wrong tool to check preconditions in public meth

The API is problematic as users keep using it to workaround problems in their layouting when the grid is not expanding (see for example vaadin/flow#10511) without realizing that it will make all rows shown and in the worst case fetched from the backend. No, they are not reading the javadocs either https://github.com/vaadin/flow-components/blob/master/vaadin-grid-flow-parent/vaadin-grid-flow/src/ma

Warning: Non-constant format string in String.format() (CWE-134)

The software uses a function that accepts a format string as an argument,
but the format string originates from an external source.

When an attacker can modify an externally-controlled format string, this
can lead to denial of service or data representation problems.

I

The component currently uses a plain <vaadin-text-field> internally, which can be problematic when it comes to theming. Create and change the template to use an extension (<vaadin-combo-box-text-field>) instead.

Related change in <vaadin-date-picker>

Here are the 3 possible default error messages that may happen when uploading:

serverUnavailable: 'Server Unavailable',
unexpectedServerError: 'Unexpected Server Error',
forbidden: 'Forbidden'

And [here](https://github.com/vaadin/vaadin-web-components/blob/master/

Description

The vaadin-split-layout defines the style transform: translateZ(0). This causes problems for placing elements inside with position: fixed.

It has been introduced in this commit. Is there a reason why it is there? It seems to be a workaround to force GPU rendering. It would