Update @elastic/kibana-core dependencies (main)

[elastic-renovate-prod]

This PR contains the following updates:

Package	Type	Update	Change	Pending
@apidevtools/json-schema-ref-parser (source)	dependencies	major	14.1.1 -> 15.1.3	15.2.2 (+2)
@​types/fetch-mock	devDependencies	major	7.3.1 -> 9.2.2
@types/mock-fs (source)	devDependencies	patch	4.13.1 -> 4.13.4
@types/node-fetch (source)	devDependencies	patch	2.6.4 -> 2.6.13
@types/type-detect (source)	devDependencies	patch	4.0.1 -> 4.0.3
axios (source)	dependencies	minor	1.12.1 -> 1.13.2	1.13.3
axios (source)	dependencies	minor	^1.8.3 -> ^1.13.2	1.13.3
cacheable-lookup	dependencies	major	6 -> 7.0.0
fetch-mock (source)	devDependencies	major	10.1.0 -> 12.6.0
inversify (source)	dependencies	minor	7.9.0 -> 7.11.0
load-json-file	dependencies	major	6.2.0 -> 7.0.1
mock-fs	devDependencies	minor	5.1.2 -> 5.5.0
node-fetch	resolutions	major	2.7.0 -> 3.3.2
node-fetch	dependencies	major	2.7.0 -> 3.3.2
react-intl (source)	dependencies	major	6.6.6 -> 8.0.11	8.1.1 (+1)

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

APIDevTools/json-schema-ref-parser (@​apidevtools/json-schema-ref-parser)

v15.1.3

Compare Source

Bug Fixes

• imports: remove node imports to fix browser bundle (89743a2)

v15.1.2

Compare Source

Bug Fixes

• path: replace win32 usages with custom functions, prettier (83643fe)

v15.1.1

Compare Source

Bug Fixes

• add main property back to package.json (#​400) (9ff9a37)

v15.1.0

Compare Source

Features

• callback: pass additional parameters to canRead (57534d6)

v15.0.1

Compare Source

Bug Fixes

• port: dont override port (6efef32)

v15.0.0

Compare Source

• Respect RFC 6901, use ESM output, add new mergeKeys dereference option. (#​398) (fbb56b5), closes #​383 #​356 #​370

BREAKING CHANGES

• Change URL encoding to use strict RFC 6901, add new mergeKeys dereference option

v14.2.1

Compare Source

Bug Fixes

• yaml: support non standard yaml as a fallback (6a469b7)

v14.2.0

Compare Source

Bug Fixes

• substr: fix and improve substring matching (39b2963)

Features

• deps: bump deps, lower tsconfig target, fix lints, update attribution (2962dad)

axios/axios (axios)

v1.13.2

Compare Source

Bug Fixes

• http: fix 'socket hang up' bug for keep-alive requests when using timeouts; (#​7206) (8d37233)
• http: use default export for http2 module to support stubs; (#​7196) (0588880)

Performance Improvements

• http: fix early loop exit; (#​7202) (12c314b)

Contributors to this release

• Dmitriy Mozgovoy
• Kasper Isager Dalsgarð

v1.13.1

Compare Source

Bug Fixes

• http: fixed a regression that caused the data stream to be interrupted for responses with non-OK HTTP statuses; (#​7193) (bcd5581)

Contributors to this release

• Anchal Singh
• Dmitriy Mozgovoy

v1.13.0

Compare Source

Bug Fixes

• fetch: prevent TypeError when config.env is undefined (#​7155) (015faec)
• resolve issue #​7131 (added spacing in mergeConfig.js) (#​7133) (9b9ec98)

Features

• http: add HTTP2 support; (#​7150) (d676df7)

Contributors to this release

• Dmitriy Mozgovoy
• Noritaka Kobayashi
• Aviraj2929
• prasoon patel
• Samyak Dandge
• Anchal Singh
• Rahul Kumar
• Amit Verma
• Abhishek3880
• Dhvani Maktuporia
• Usama Ayoub
• ikuy1203
• Nikhil Simon Toppo
• Jane Wangari
• Supakorn Ieamgomol
• Kian-Meng Ang
• UTSUMI Keiji

1.12.2 (2025-09-14)

Bug Fixes

• fetch: use current global fetch instead of cached one when env fetch is not specified to keep MSW support; (#​7030) (cf78825)

Contributors to this release

• Dmitriy Mozgovoy
• Noritaka Kobayashi

1.12.1 (2025-09-12)

Bug Fixes

• types: fixed env config types; (#​7020) (b5f26b7)

Contributors to this release

• Dmitriy Mozgovoy

v1.12.2

Compare Source

Bug Fixes

• fetch: use current global fetch instead of cached one when env fetch is not specified to keep MSW support; (#​7030) (cf78825)

Contributors to this release

• Dmitriy Mozgovoy
• Noritaka Kobayashi

szmarczak/cacheable-lookup (cacheable-lookup)

v7.0.0

Compare Source

Breaking

• Require Node.js 14 (#​69) 08a6478
• This package is now pure ESM. Please read this.

Improvements

• Add stats for query and cache requests (#​65) ab8d286

wheresrhys/fetch-mock (fetch-mock)

v12.6.0

Compare Source

Features

• implement host: matcher (2b0a43d)

Documentation Changes

• document new host matcher (6205357)

v12.5.6

Compare Source

Bug Fixes

• clean abort event listener once it's called or response is returned (4606250)
• clean abort event listener once it's called or response is returned (ca51920)

v12.5.5

Compare Source

Bug Fixes

• do not try to get a reader from a locked request oder response to cancel them (8c23ecf)
• use optional chaining operator and do not try to cancel locked request or response to prevent errors (b1ff114)
• use optional chaining operator to prevent errors (87f8399)

v12.5.4

Compare Source

Bug Fixes

• apply browser exports fix for fetch-mock package (318cd94)

v12.5.3

Compare Source

Bug Fixes

• add wrapper class to fix type ambiguity (b093bb0)
• add wrapper class to fix type ambiguity (ea45aec)

v12.5.2

Compare Source

Bug Fixes

• allow matching body for delete requests (891197c)

v12.5.1

Compare Source

Bug Fixes

• improve handling of abort (5c1085d)
• remove deprecated is-subset-of (a2546ef)

v12.4.0

Compare Source

Features

• add ability to wait for multiple routes (c3dc9c3)
• implement waitFor option (5500228)

Bug Fixes

• clone response before using (2ccf18e)
• use a promise, no function, to implement waitFor (8783101)

v12.3.0

Compare Source

Features

• added overwriteRoutes: true rule to codemods (b3d1468)
• implemented modifyRoute() method (f62e3d6)
• implemented removeRoute method (584a861)

Bug Fixes

• make types for modify route config more accurate (6894569)
• prevented overwriting stickiness of a route (87f8c9b)

v12.2.1

Compare Source

Bug Fixes

• fix failure to spy in browsers (bfaa5f3)

v12.2.0

Compare Source

Features

• implement new hardReset method (d7e0776)
• update codemods to use hardReset() (757d480)

v12.1.0

Compare Source

Features

• fetch-mock: add include: matcher for urls (02f880c)

v12.0.2

Compare Source

Bug Fixes

• allow sending responses with status 0 (92c06e9)

v12.0.1

Compare Source

Bug Fixes

• clearHistory() can deal with unmatched calls (012e9ca)

v12.0.0

Compare Source

⚠ BREAKING CHANGES

• Replaced legacy fetch-mock code with fetch-mock/core code

Features

• Replaced legacy fetch-mock code with fetch-mock/core code (999ce92)

v11.1.5: fetch-mock: v11.1.5

Compare Source

Bug Fixes

• change export order so default is last (bc9c41d)

v11.1.4: fetch-mock: v11.1.4

Compare Source

Documentation Changes

• another occurrence of the cheatsheet ref (875e4f6)
• fix link to cheatsheet (33e75b1)

v11.1.3: fetch-mock: v11.1.3

Compare Source

Bug Fixes

• add missing metadata to package.json files (4ab78b9)

v11.1.1: fetch-mock: v11.1.1

Compare Source

Bug Fixes

• roll back to glob-to-regexp (b114124)

v11.1.0: fetch-mock: v11.1.0

Compare Source

Features

• remove debug mode from fetch-mock (89890b6)

v11.0.2: fetch-mock: v11.0.2

Compare Source

Bug Fixes

• add license file to each package (9b36f89)

v11.0.1: fetch-mock: v11.0.1

Compare Source

Bug Fixes

• fixes importimng into .mts files (98ad40e)

v11.0.0: fetch-mock: v11.0.0

Compare Source

⚠ BREAKING CHANGES

• force fetch-mock major release

Bug Fixes

• force fetch-mock major release (1b31416)

v10.1.1: fetch-mock: v10.1.1

Compare Source

Bug Fixes

• change module system declaratuions to avoid top level type: module (ed00140)

inversify/monorepo (inversify)

v7.11.0

Compare Source

Minor Changes

• Added Container.unbindAllSync

Patch Changes

• Updated dependencies
  • @​inversifyjs/core@​9.2.0
  • @​inversifyjs/container@​1.15.0

v7.10.8

Compare Source

Patch Changes

• Updated BindToFluentSyntax.toResolvedValue to allow non multiple array ServiceIdentifier injectOptions
• Updated dependencies
  • @​inversifyjs/container@​1.14.5

v7.10.7

Compare Source

Patch Changes

• Updated circular dependency detection to handle V8 issues on nearly exhausted call stack scenarios
• Updated dependencies
  • @​inversifyjs/core@​9.1.2
  • @​inversifyjs/container@​1.14.4

v7.10.6

Compare Source

Patch Changes

• Updated metadata to reflect side effects
• Updated dependencies
  • @​inversifyjs/container@​1.14.3

v7.10.5

Compare Source

Patch Changes

• Updated entrypoint to import 'reflect-metadata/lite' instead of 'reflect-metadata'
• Updated dependencies
  • @​inversifyjs/container@​1.14.2

v7.10.4

Compare Source

Patch Changes

• Updated dependencies
  • @​inversifyjs/core@​9.1.1
  • @​inversifyjs/container@​1.14.1

v7.10.3

Compare Source

Patch Changes

• Updated BindToFluentSyntax.factory to allow async factory builders

• Updated Factory to allow async functions

• Updated dependencies

  • @​inversifyjs/container@​1.14.0
  • @​inversifyjs/core@​9.1.0

v7.10.2

Compare Source

Patch Changes

• Updated dependencies
  • @​inversifyjs/container@​1.13.2
  • @​inversifyjs/core@​9.0.1

v7.10.1

Patch Changes

• Added MapToResolvedValueInjectOptions type

• Updated dependencies

  • @​inversifyjs/container@​1.13.1

sindresorhus/load-json-file (load-json-file)

v7.0.1

Compare Source

• Fix Node.js 12 compatibility dc9799d

v7.0.0

Compare Source

Breaking

• Require Node.js 12.20 9138c28
• This package is now pure ESM. Please read this.
• Changed from a default export to named exports.

Improvements

• No dependencies!

Other

• It no longer uses graceful-fs
  That package is too hacky and the fs implementation in Node.js has improved a lot.

tschaub/mock-fs (mock-fs)

v5.5.0

Compare Source

• Add test and fix exists behaviour for relative symlinks (thanks @​timvahlbrock, see [#​415][#​415])
• Add test showing fs.createWriteStream() with append (see [#​412][#​412])
• encoding utf8 strings in node 20 (thanks @​everett1992, see [#​409][#​409])

Dependency Updates

• bump semver from 7.6.3 to 7.7.0 (see [#​413][#​413])
• bump eslint-config-tschaub from 14.1.2 to 15.2.0 (see [#​408][#​408])
• bump mocha from 11.0.1 to 11.1.0 (see [#​410][#​410])
• bump mocha from 10.8.2 to 11.0.1 (see [#​407][#​407])
• bump mocha from 10.7.3 to 10.8.2 (see [#​402][#​402])

v5.4.1

Compare Source

• Avoid errors in fs.existsSync (see [#​401][#​401])

v5.4.0

Compare Source

• Use setImmediate instead of process.nextTick (thanks @​regseb, see [#​360][#​360])

Dependency Updates

• bump chai from 4.3.4 to 4.5.0
• bump eslint from 8.21.0 to 8.57.1

v5.3.0

Compare Source

• Remove conditions for untested versions
• Remove disabled tests for mock.fs (thanks @​everett1992, see [#​391][#​391])
• Fix tests on node 20 (thanks @​everett1992, see [#​387][#​387])
• Fix timeout in failing test (thanks @​everett1992, see [#​390][#​390])
• Stop testing on Node 12 and 14

Dependency Updates

• chore(deps-dev): bump rimraf from 3.0.2 to 6.0.1
• chore(deps): bump actions/checkout from 2 to 4
• chore(deps-dev): bump mocha from 9.2.2 to 10.7.3
• chore(deps-dev): bump braces from 3.0.2 to 3.0.3
• chore(deps-dev): bump word-wrap from 1.2.3 to 1.2.4
• chore(deps): bump json5 from 1.0.1 to 1.0.2

v5.2.0

Compare Source

• Fix EACCES error on access by root user (thanks @​danielkatz, see [#​369][#​369])
• Fix bug on utimes and futimes; add support of lutimes (thanks @​3cp, see [#​366][#​366])

v5.1.4

Compare Source

• Fix for BigInt stats in Node 16.7 (thanks @​ahippler, see [#​363][#​363])

v5.1.3

Compare Source

• Fix for BigInt stats in Node 18.7 (thanks @​3cp, see [#​361][#​361])

node-fetch/node-fetch (node-fetch)

v3.3.2

Compare Source

Bug Fixes

• Remove the default connection close header. (#​1736) (8b3320d), closes #​1735 #​1473

v3.3.1

Compare Source

Bug Fixes

• release "Allow URL class object as an argument for fetch()" #​1696 (#​1716) (7b86e94)

v3.3.0

Compare Source

Features

• add static Response.json (#​1670) (55a4870)

v3.2.10

Compare Source

Bug Fixes

• ReDoS referrer (#​1611) (2880238)

v3.2.9

Compare Source

Bug Fixes

• Headers: don't forward secure headers on protocol change (#​1599) (e87b093)

v3.2.8

Compare Source

Bug Fixes

• possibly flaky test (#​1523) (11b7033)

v3.2.7

Compare Source

Bug Fixes

• always warn Request.data (#​1550) (4f43c9e)

v3.2.6

Compare Source

Bug Fixes

• undefined reference to response.body when aborted (#​1578) (1c5ed6b)

v3.2.5

Compare Source

Bug Fixes

• use space in accept-encoding values (#​1572) (a92b5d5), closes #​1571

v3.2.4

Compare Source

Bug Fixes

• don't uppercase unknown methods (#​1542) (004b3ac)

v3.2.3

Compare Source

Bug Fixes

• handle bom in text and json (#​1482) (6425e20)

v3.2.2

Compare Source

Bug Fixes

• add missing formdata export to types (#​1518) (a4ea5f9), closes #​1517

v3.2.1

Compare Source

Bug Fixes

• cancel request example import (#​1513) (61b3b5a)

v3.2.0

Compare Source

Features

• export Blob, File and FormData + utilities (#​1463) (81b1378)

v3.1.1

Compare Source

Security patch release

Recommended to upgrade, to not leak sensitive cookie and authentication header information to 3th party host while a redirect occurred

What's Changed

• core: update fetch-blob by @​jimmywarting in https://github.com/node-fetch/node-fetch/pull/1371
• docs: Fix typo around sending a file by @​jimmywarting in https://github.com/node-fetch/node-fetch/pull/1381
• core: (http.request): Cast URL to string before sending it to NodeJS core by @​jimmywarting in https://github.com/node-fetch/node-fetch/pull/1378
• core: handle errors from the request body stream by @​mdmitry01 in https://github.com/node-fetch/node-fetch/pull/1392
• core: Better handle wrong redirect header in a response by @​tasinet in https://github.com/node-fetch/node-fetch/pull/1387
• core: Don't use buffer to make a blob by @​jimmywarting in https://github.com/node-fetch/node-fetch/pull/1402
• docs: update readme for TS @​types/node-fetch by @​adamellsworth in https://github.com/node-fetch/node-fetch/pull/1405
• core: Fix logical operator priority to disallow GET/HEAD with non-empty body by @​maxshirshin in https://github.com/node-fetch/node-fetch/pull/1369
• core: Don't use global buffer by @​jimmywarting in https://github.com/node-fetch/node-fetch/pull/1422
• ci: fix main branch by @​dnalborczyk in https://github.com/node-fetch/node-fetch/pull/1429
• core: use more node: protocol imports by @​dnalborczyk in https://github.com/node-fetch/node-fetch/pull/1428
• core: Warn when using data by @​jimmywarting in https://github.com/node-fetch/node-fetch/pull/1421
• docs: Create SECURITY.md by @​JamieSlome in https://github.com/node-fetch/node-fetch/pull/1445
• core: don't forward secure headers to 3th party by @​jimmywarting in https://github.com/node-fetch/node-fetch/pull/1449

New Contributors

• @​mdmitry01 made their first contribution in https://github.com/node-fetch/node-fetch/pull/1392
• @​tasinet made their first contribution in https://github.com/node-fetch/node-fetch/pull/1387
• @​adamellsworth made their first contribution in https://github.com/node-fetch/node-fetch/pull/1405
• @​maxshirshin made their first contribution in https://github.com/node-fetch/node-fetch/pull/1369
• @​JamieSlome made their first contribution in https://github.com/node-fetch/node-fetch/pull/1445

Full Changelog: node-fetch/node-fetch@v3.1.0...v3.1.1

v3.1.0

Compare Source

What's Changed

• fix(Body): Discourage form-data and buffer() by @​jimmywarting in https://github.com/node-fetch/node-fetch/pull/1212
• fix: Pass url string to http.request by @​serverwentdown in https://github.com/node-fetch/node-fetch/pull/1268
• Fix octocat image link by @​lakuapik in https://github.com/node-fetch/node-fetch/pull/1281
• fix(Body.body): Normalize Body.body into a node:stream by @​jimmywarting in https://github.com/node-fetch/node-fetch/pull/924
• docs(Headers): Add default Host request header to README.md file by @​robertoaceves in https://github.com/node-fetch/node-fetch/pull/1316
• Update CHANGELOG.md by @​jimmywarting in https://github.com/node-fetch/node-fetch/pull/1292
• Add highWaterMark to cloned properties by @​davesidious in https://github.com/node-fetch/node-fetch/pull/1162
• Update README.md to fix HTTPResponseError by @​thedanfernandez in https://github.com/node-fetch/node-fetch/pull/1135
• docs: switch url to URL by @​dhritzkiv in https://github.com/node-fetch/node-fetch/pull/1318
• fix(types): declare buffer() deprecated by @​dnalborczyk in https://github.com/node-fetch/node-fetch/pull/1345
• chore: fix lint by @​dnalborczyk in https://github.com/node-fetch/node-fetch/pull/1348
• refactor: use node: prefix for imports by @​dnalborczyk in https://github.com/node-fetch/node-fetch/pull/1346
• Bump data-uri-to-buffer from 3.0.1 to 4.0.0 by @​dependabot in https://github.com/node-fetch/node-fetch/pull/1319
• Bump mocha from 8.4.0 to 9.1.3 by @​dependabot in https://github.com/node-fetch/node-fetch/pull/1339
• Referrer and Referrer Policy by @​tekwiz in https://github.com/node-fetch/node-fetch/pull/1057
• Add typing for Response.redirect(url, status) by @​c-w in https://github.com/node-fetch/node-fetch/pull/1169
• chore: Correct stuff in README.md by @​Jiralite in https://github.com/node-fetch/node-fetch/pull/1361
• docs: Improve clarity of "Loading and configuring" by @​serverwentdown in https://github.com/node-fetch/node-fetch/pull/1323
• feat(Body): Added support for BodyMixin.formData() and constructing bodies with FormData by @​jimmywarting in https://github.com/node-fetch/node-fetch/pull/1314
• template: Make PR template more task oriented by @​jimmywarting in https://github.com/node-fetch/node-fetch/pull/1224
• docs: Update code examples by @​jimmywarting in https://github.com/node-fetch/node-fetch/pull/1365

New Contributors

• @​serverwentdown made their first contribution in https://github.com/node-fetch/node-fetch/pull/1268
• @​lakuapik made their first contribution in [https://github.com/Fix octocat image link node-fetch/node-fetch#1281](https://github.com/node-fetch/node-fetch/pull/1

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[elasticmachine]

Pinging @elastic/kibana-core (Team:Core)

[afharo]

/ci

[afharo]

/ci

[jbudz]

Approving .buildkite/package-lock.json - I haven't reviewed the rest.

It may make sense to set matchFileNames in renovate.json to keep the reviews limited to core, cc @legrego

[TinaHeiligers]

@jbudz what's our preferred approach for resolving conflicts in renovate PRs?

[afharo]

IMO, this PR will be really hard to merge because fixing all their breaking changes will make this PR really hard to review (and even less backporting to all-open branches).

IMO, we should take that list and create individual PRs (and I'd even suggest creating logical renovate groups).

[legrego]

@afharo feel free to split your deps into more logical groups in renovate. The bot should automatically abandon this PR after updating the configuration

[TinaHeiligers]

@elasticmachine merge upstream

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: 24644fe

Failed CI Steps

• Build Kibana Distribution
• Checks
• Check OAS Snapshot
• Check Types

History

• 💔 Build #386585 failed 6731d55
• 💔 Build #254094 failed 5180b54
• 💔 Build #254079 failed 68af32a

[TinaHeiligers]

major package versions need to be handled separately