elastic
diff --git a/‎.ci/Dockerfile‎
Lines changed: 1 addition & 1 deletion b/‎.ci/Dockerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.eslintignore‎
Lines changed: 1 addition & 0 deletions b/‎.eslintignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/CODEOWNERS‎
Lines changed: 8 additions & 0 deletions b/‎.github/CODEOWNERS‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 0 deletions b/‎.gitignore‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.node-version‎
Lines changed: 1 addition & 1 deletion b/‎.node-version‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.nvmrc‎
Lines changed: 1 addition & 1 deletion b/‎.nvmrc‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎BUILD.bazel‎
Lines changed: 2 additions & 0 deletions b/‎BUILD.bazel‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎WORKSPACE.bazel‎
Lines changed: 6 additions & 6 deletions b/‎WORKSPACE.bazel‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎dev_docs/assets/kibana_template_no_data_config.png‎
512 KB b/‎dev_docs/assets/kibana_template_no_data_config.png‎
512 KB
diff --git a/‎dev_docs/best_practices.mdx‎
Lines changed: 55 additions & 53 deletions b/‎dev_docs/best_practices.mdx‎
Lines changed: 55 additions & 53 deletions
@@ -1,7 +1,7 @@
 # NOTE: This Dockerfile is ONLY used to run certain tasks in CI. It is not used to run Kibana or as a distributable.
 # If you're looking for the Kibana Docker image distributable, please see: src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.ts
 
-ARG NODE_VERSION=14.17.3
+ARG NODE_VERSION=14.17.5
 
 FROM node:${NODE_VERSION} AS base
 
 
@@ -27,6 +27,7 @@ snapshots.js
 /x-pack/plugins/canvas/shareable_runtime/build
 /x-pack/plugins/canvas/storybook/build
 /x-pack/plugins/reporting/server/export_types/printable_pdf/server/lib/pdf/assets/**
+/x-pack/plugins/reporting/server/export_types/printable_pdf_v2/server/lib/pdf/assets/**
 
 # package overrides
 /packages/elastic-eslint-config-kibana
 
@@ -107,6 +107,8 @@
 /x-pack/plugins/observability/public/components/shared/exploratory_view @elastic/uptime
 /x-pack/test/functional_with_es_ssl/apps/uptime  @elastic/uptime
 /x-pack/test/functional/apps/uptime @elastic/uptime
+/x-pack/test/functional/es_archives/uptime @elastic/uptime
+/x-pack/test/functional/services/uptime @elastic/uptime
 /x-pack/test/api_integration/apis/uptime @elastic/uptime
 
 # Client Side Monitoring / Uptime (lives in APM directories but owned by Uptime)
@@ -123,6 +125,12 @@
 
 # Presentation
 /src/plugins/dashboard/ @elastic/kibana-presentation
+/src/plugins/expression_error/ @elastic/kibana-presentation
+/src/plugins/expression_image/ @elastic/kibana-presentation
+/src/plugins/expression_metric/ @elastic/kibana-presentation
+/src/plugins/expression_repeat_image/ @elastic/kibana-presentation
+/src/plugins/expression_reveal_image/ @elastic/kibana-presentation
+/src/plugins/expression_shape/ @elastic/kibana-presentation
 /src/plugins/input_control_vis/ @elastic/kibana-presentation
 /src/plugins/vis_type_markdown/ @elastic/kibana-presentation
 /src/plugins/presentation_util/ @elastic/kibana-presentation
 
@@ -75,6 +75,9 @@ report.asciidoc
 # TS incremental build cache
 *.tsbuildinfo
 
+# Automatically generated and user-modifiable
+/tsconfig.refs.json
+
 # Yarn local mirror content
 .yarn-local-mirror
 
 
@@ -1 +1 @@
-14.17.3
+14.17.5
@@ -1 +1 @@
-14.17.3
+14.17.5
@@ -3,7 +3,9 @@
 exports_files(
   [
     "tsconfig.base.json",
+    "tsconfig.bazel.json",
     "tsconfig.browser.json",
+    "tsconfig.browser_bazel.json",
     "tsconfig.json",
     "package.json"
   ],
 
@@ -27,13 +27,13 @@ check_rules_nodejs_version(minimum_version_string = "3.7.0")
 # we can update that rule.
 node_repositories(
   node_repositories = {
-    "14.17.3-darwin_amd64": ("node-v14.17.3-darwin-x64.tar.gz", "node-v14.17.3-darwin-x64", "522f85db1d1fe798cba5f601d1bba7b5203ca8797b2bc934ff6f24263f0b7fb2"),
-    "14.17.3-linux_arm64": ("node-v14.17.3-linux-arm64.tar.xz", "node-v14.17.3-linux-arm64", "80f4143d3c2d4cf3c4420eea3202c7bf16788b0a72fd512e60bfc8066a08a51c"),
-    "14.17.3-linux_s390x": ("node-v14.17.3-linux-s390x.tar.xz", "node-v14.17.3-linux-s390x", "4f69c30732f94189b9ab98f3100b17f1e4db2000848d56064e887be1c28e81ae"),
-    "14.17.3-linux_amd64": ("node-v14.17.3-linux-x64.tar.xz", "node-v14.17.3-linux-x64", "d659d78144042a1801f35dd611d0fab137e841cde902b2c6a821163a5e36f105"),
-    "14.17.3-windows_amd64": ("node-v14.17.3-win-x64.zip", "node-v14.17.3-win-x64", "170fb4f95539d1d7e1295fb2556cb72bee352cdf81a02ffb16cf6d50ad2fefbf"),
+    "14.17.5-darwin_amd64": ("node-v14.17.5-darwin-x64.tar.gz", "node-v14.17.5-darwin-x64", "2e40ab625b45b9bdfcb963ddd4d65d87ddf1dd37a86b6f8b075cf3d77fe9dc09"),
+    "14.17.5-linux_arm64": ("node-v14.17.5-linux-arm64.tar.xz", "node-v14.17.5-linux-arm64", "3a2e674b6db50dfde767c427e8f077235bbf6f9236e1b12a4cc3496b12f94bae"),
+    "14.17.5-linux_s390x": ("node-v14.17.5-linux-s390x.tar.xz", "node-v14.17.5-linux-s390x", "7d40eee3d54241403db12fb3bc420cd776e2b02e89100c45cf5e74a73942e7f6"),
+    "14.17.5-linux_amd64": ("node-v14.17.5-linux-x64.tar.xz", "node-v14.17.5-linux-x64", "2d759de07a50cd7f75bd73d67e97b0d0e095ee3c413efac7d1b3d1e84ed76fff"),
+    "14.17.5-windows_amd64": ("node-v14.17.5-win-x64.zip", "node-v14.17.5-win-x64", "a99b7ee08e846e5d1f4e70c4396265542819d79ed9cebcc27760b89571f03cbf"),
   },
-  node_version = "14.17.3",
+  node_version = "14.17.5",
   node_urls = [
     "https://nodejs.org/dist/v{version}/{filename}",
   ],
 
@@ -22,8 +22,10 @@ Refer to [divio documentation](https://documentation.divio.com/) for guidance on
 
 <DocLink id="kibDevDocsWelcome" text="Getting started" /> and
 <DocLink id="kibPlatformIntro" text="Key concepts" /> sections are both _explanation_ oriented,
-<DocLink id="kibDevTutorialBuildAPlugin" text="Tutorials" /> covers both _tutorials_ and _How to_, and
-the <DocLink id="kibDevDocsApiWelcome" text="API documentation" /> section covers _reference_ material.
+<DocLink id="kibDevTutorialDebugging" text="Tutorials" /> covers both _tutorials_ and _How to_, and the <DocLink
+  id="kibDevDocsApiWelcome"
+  text="API documentation"
+/> section covers _reference_ material.
 
 #### Location
 
@@ -256,17 +258,17 @@ links](https://elastic.github.io/eui/#/navigation/link#link-validation), and a r
 
 **Best practices**
 
-* Check for dangerous functions or assignments that can result in unescaped user input in the browser DOM. Avoid using:
-  * **React:** [`dangerouslySetInnerHtml`](https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml).
-  * **Browser DOM:** `Element.innerHTML` and `Element.outerHTML`.
-* If using the aforementioned unsafe functions or assignments is absolutely necessary, follow [these XSS prevention
-rules](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#xss-prevention-rules) to ensure that
-user input is not inserted into unsafe locations and that it is escaped properly.
-* Use EUI components to build your UI, particularly when rendering `href` links. Otherwise, sanitize user input before rendering links to
-ensure that they do not use the `javascript:` protocol.
-* Don't use the `eval`, `Function`, and `_.template` functions -- these are restricted by ESLint rules.
-* Be careful when using `setTimeout` and `setInterval` in client-side code. If an attacker can manipulate the arguments and pass a string to
-one of these, it is evaluated dynamically, which is equivalent to the dangerous `eval` function.
+- Check for dangerous functions or assignments that can result in unescaped user input in the browser DOM. Avoid using:
+  - **React:** [`dangerouslySetInnerHtml`](https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml).
+  - **Browser DOM:** `Element.innerHTML` and `Element.outerHTML`.
+- If using the aforementioned unsafe functions or assignments is absolutely necessary, follow [these XSS prevention
+  rules](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#xss-prevention-rules) to ensure that
+  user input is not inserted into unsafe locations and that it is escaped properly.
+- Use EUI components to build your UI, particularly when rendering `href` links. Otherwise, sanitize user input before rendering links to
+  ensure that they do not use the `javascript:` protocol.
+- Don't use the `eval`, `Function`, and `_.template` functions -- these are restricted by ESLint rules.
+- Be careful when using `setTimeout` and `setInterval` in client-side code. If an attacker can manipulate the arguments and pass a string to
+  one of these, it is evaluated dynamically, which is equivalent to the dangerous `eval` function.
 
 ### Cross-Site Request Forgery (CSRF/XSRF)
 
@@ -280,10 +282,10 @@ Headers](https://www.elastic.co/guide/en/kibana/master/api.html#api-request-head
 
 **Best practices**
 
-* Ensure all HTTP routes are registered with the [Kibana HTTP service](https://www.elastic.co/guide/en/kibana/master/http-service.html) to
-take advantage of the custom request header security control.
-  * Note that HTTP GET requests do **not** require the custom request header; any routes that change data should [adhere to the HTTP
-specification and use a different method (PUT, POST, etc.)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
+- Ensure all HTTP routes are registered with the [Kibana HTTP service](https://www.elastic.co/guide/en/kibana/master/http-service.html) to
+  take advantage of the custom request header security control.
+  - Note that HTTP GET requests do **not** require the custom request header; any routes that change data should [adhere to the HTTP
+    specification and use a different method (PUT, POST, etc.)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
 
 ### Remote Code Execution (RCE)
 
@@ -295,11 +297,11 @@ ESLint rules to restrict vulnerable functions, and by hooking into or hardening
 
 **Best practices**
 
-* Don't use the `eval`, `Function`, and `_.template` functions -- these are restricted by ESLint rules.
-* Don't use dynamic `require`.
-* Check for usages of templating libraries. Ensure that user-provided input doesn't influence the template and is used only as data for
-rendering the template.
-* Take extra caution when spawning child processes with any user input or parameters that are user-controlled.
+- Don't use the `eval`, `Function`, and `_.template` functions -- these are restricted by ESLint rules.
+- Don't use dynamic `require`.
+- Check for usages of templating libraries. Ensure that user-provided input doesn't influence the template and is used only as data for
+  rendering the template.
+- Take extra caution when spawning child processes with any user input or parameters that are user-controlled.
 
 ### Prototype Pollution
 
@@ -309,26 +311,26 @@ hardening sensitive functions (such as those exposed by `child_process`), and by
 
 **Best practices**
 
-* Check for instances of `anObject[a][b] = c` where `a`, `b`, and `c` are controlled by user input. This includes code paths where the
-following logical code steps could be performed in separate files by completely different operations, or by recursively using dynamic
-operations.
-* Validate all user input, including API URL parameters, query parameters, and payloads. Preferably, use a schema that only allows specific
-keys and values. At a minimum, implement a deny-list that prevents `__proto__` and `prototype.constructor` from being used within object
-keys.
-* When calling APIs that spawn new processes or perform code generation from strings, protect against Prototype Pollution by checking if
-`Object.hasOwnProperty` has arguments to the APIs that originate from an Object. An example is the defunct Code app's
-[`spawnProcess`](https://github.com/elastic/kibana/blob/b49192626a8528af5d888545fb14cd1ce66a72e7/x-pack/legacy/plugins/code/server/lsp/workspace_command.ts#L40-L44)
-function.
-  * Common Node.js offenders: `child_process.spawn`, `child_process.exec`, `eval`, `Function('some string')`, `vm.runInContext(x)`,
-`vm.runInNewContext(x)`, `vm.runInThisContext()`
-  * Common client-side offenders: `eval`, `Function('some string')`, `setTimeout('some string', num)`, `setInterval('some string', num)`
+- Check for instances of `anObject[a][b] = c` where `a`, `b`, and `c` are controlled by user input. This includes code paths where the
+  following logical code steps could be performed in separate files by completely different operations, or by recursively using dynamic
+  operations.
+- Validate all user input, including API URL parameters, query parameters, and payloads. Preferably, use a schema that only allows specific
+  keys and values. At a minimum, implement a deny-list that prevents `__proto__` and `prototype.constructor` from being used within object
+  keys.
+- When calling APIs that spawn new processes or perform code generation from strings, protect against Prototype Pollution by checking if
+  `Object.hasOwnProperty` has arguments to the APIs that originate from an Object. An example is the defunct Code app's
+  [`spawnProcess`](https://github.com/elastic/kibana/blob/b49192626a8528af5d888545fb14cd1ce66a72e7/x-pack/legacy/plugins/code/server/lsp/workspace_command.ts#L40-L44)
+  function.
+  - Common Node.js offenders: `child_process.spawn`, `child_process.exec`, `eval`, `Function('some string')`, `vm.runInContext(x)`,
+    `vm.runInNewContext(x)`, `vm.runInThisContext()`
+  - Common client-side offenders: `eval`, `Function('some string')`, `setTimeout('some string', num)`, `setInterval('some string', num)`
 
 See also:
 
-* [Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications |
-portswigger.net](https://portswigger.net/daily-swig/prototype-pollution-the-dangerous-and-underrated-vulnerability-impacting-javascript-applications)
-* [Prototype pollution attack in NodeJS application | Olivier
-Arteau](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)
+- [Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications |
+  portswigger.net](https://portswigger.net/daily-swig/prototype-pollution-the-dangerous-and-underrated-vulnerability-impacting-javascript-applications)
+- [Prototype pollution attack in NodeJS application | Olivier
+  Arteau](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)
 
 ### Server-Side Request Forgery (SSRF)
 
@@ -339,12 +341,12 @@ a vector for information disclosure or injection attacks.
 
 **Best practices**
 
-* Ensure that all outbound requests from the Kibana server use hard-coded URLs.
-* If user input is used to construct a URL for an outbound request, ensure that an allow-list is used to validate the endpoints and that
-user input is escaped properly. Ideally, the allow-list should be set in `kibana.yml`, so only server administrators can change it.
-  * This is particularly relevant when using `transport.request` with the Elasticsearch client, as no automatic escaping is performed.
-  * Note that URLs are very hard to validate properly; exact match validation for user input is most preferable, while URL parsing or RegEx
-validation should only be used if absolutely necessary.
+- Ensure that all outbound requests from the Kibana server use hard-coded URLs.
+- If user input is used to construct a URL for an outbound request, ensure that an allow-list is used to validate the endpoints and that
+  user input is escaped properly. Ideally, the allow-list should be set in `kibana.yml`, so only server administrators can change it.
+  - This is particularly relevant when using `transport.request` with the Elasticsearch client, as no automatic escaping is performed.
+  - Note that URLs are very hard to validate properly; exact match validation for user input is most preferable, while URL parsing or RegEx
+    validation should only be used if absolutely necessary.
 
 ### Reverse tabnabbing
 
@@ -356,10 +358,10 @@ buttons, and other vulnerable DOM elements.
 
 **Best practices**
 
-* Use EUI components to build your UI whenever possible. Otherwise, ensure that any DOM elements that have an `href` attribute also have the
-`rel="noreferrer noopener"` attribute specified. For more information, refer to the [OWASP HTML5 Security Cheat
-Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTML5_Security_Cheat_Sheet.md#tabnabbing).
-* If using a non-EUI markdown renderer, use a custom link renderer for rendered links.
+- Use EUI components to build your UI whenever possible. Otherwise, ensure that any DOM elements that have an `href` attribute also have the
+  `rel="noreferrer noopener"` attribute specified. For more information, refer to the [OWASP HTML5 Security Cheat
+  Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTML5_Security_Cheat_Sheet.md#tabnabbing).
+- If using a non-EUI markdown renderer, use a custom link renderer for rendered links.
 
 ### Information disclosure
 
@@ -370,7 +372,7 @@ control, but at a high level, Kibana relies on the hapi framework to automatical
 
 **Best practices**
 
-* Look for instances where sensitive information might accidentally be revealed, particularly in error messages, in the UI, and URL
-parameters that are exposed to users.
-* Make sure that sensitive request data is not forwarded to external resources. For example, copying client request headers and using them
-to make an another request could accidentally expose the user's credentials.
+- Look for instances where sensitive information might accidentally be revealed, particularly in error messages, in the UI, and URL
+  parameters that are exposed to users.
+- Make sure that sensitive request data is not forwarded to external resources. For example, copying client request headers and using them
+  to make an another request could accidentally expose the user's credentials.