Update platform security modules (main)

[elastic-renovate-prod]

This PR contains the following updates:

Package	Type	Update	Change
@types/lodash (source)	devDependencies	patch	^4.17.16 -> ^4.17.20
@types/node-forge (source)	devDependencies	patch	^1.3.11 -> ^1.3.13
dependency-cruiser	devDependencies	major	^16.10.0 -> ^17.0.1
js-sha256	dependencies	patch	^0.11.0 -> ^0.11.1
xml-crypto	devDependencies	minor	^6.0.1 -> ^6.1.2

---

Release Notes

sverweij/dependency-cruiser (dependency-cruiser)

v17.0.1

Compare Source

🐛 fixes

• 2f31ab0 fix(types): enable IDE autocompletion for OutputType candidates (#​1005) (thanks @​sushichan044 for the pull request!)
• 4dbfa19 chore(types): removes now unused lint warning + associated comment

📖 documentation

• 7f3e5fc doc(cli): adds more references to the options, corrects typos

👷 maintenance

• d339300 refactor(report): replaces teamcity-service-messages with local functions (#​1008)
• 990d139 chore(npm): updates external devDependencies

v17.0.0

Compare Source

🚨 breaking

• a20a11c chore!: drops support for node 18, 21 and 23 BREAKING (#​1004)

... so still supported are node ^20(.12), ^22 and >=24 and this will remain so at least as long as node.js supports hem.

We try to prevent breaking changes - and have been able to for ~a year and 7 months. However, dropping node versions is inevitable as dependencies we use did this as well, and we want to keep up to date for obvious reasons. We also believe that most of dependency-cruiser's users have migrated away from node 18 (21, 23) a long time ago, given the release dates of their successors (april 2023, 2024 and 2025 respectively) - so the impact should be minimal.

Reference: https://nodejs.org/en/about/previous-releases

🧑‍🏭 maintenance

• 684e123 refactor!: replaces picocolors with native node:util/styleText (#​1002)

♻️ life cycle management

• a2cfc91/ 3f258c1 build(npm): updates external dependencies

v16.10.4

Compare Source

🐛 fixes

• 06b548a fix(enrich): enables ignoring reachability (, instability) validations as well (#​999)
  thanks @​hugotiger for raising the issue, reproduction repo and testing the beta('s) with the fix!

👷 maintenance

• 06b548a (same commit as the fix) - updates 3rd party dependencies a.o. acorn-loose and acorn thanks @​brocef for alerting there's an issue in acorn-loose that's fixed after bumping to latest.
• 66f1e32 fix(ci): fixes code scanning alerts on github actions (#​1000)

🧹 chores

• 581596a chore: lets prettier target .mjs as well
• 62e8fc6 chore(npm): recreates package-lock

v16.10.3

Compare Source

📖 documentation

• 48a9e2a doc(real-world-samples): updates commander.js example picture (thanks @​cristiano-belloni for noticing the previous graph displayed commander's internals as they were 10 years ago)

👷 maintenance

• 9db465e/ 35e1f9c/ d3e38d1 build(npm): updates external dependencies
• 13616e4 chore: adds instructions for copilot
• 6aa6e82 refactor(cli): replaces commander with node:util/parseArgs - depcruise-fmt (#​995)
• d5bf4bd refactor(cli): replaces commander with node:util/parseArgs - depcruise-baseline (#​994)

v16.10.2

Compare Source

🐛 fixes

• 4fc3732 fix: adds support for node v24 (#​993) - thanks to @​7rulnik for the PR so quick after the official node 24 release!

👷 maintenance and chores

• 4bc31b1 build(npm): updates external dependencies
• 6ad4f12 chore(ci): configures CodeQL for GitHub actions (#​992)
• 699f19e chore: adds 7rulnik to contributors in package manifest

v16.10.1

Compare Source

🐛 fixes

• 42ea09b fix(enrich/derive): makes reachable calculation faster (#​990) - thanks to @​neelance for the improvement suggestion as well as the patch the PR was built on!

👷 maintenance

• 4b75ec0 build(npm): updates external dependencies

node-saml/xml-crypto (xml-crypto)

v6.1.2

Compare Source

• Remove all reference XML data if any are corrupted (#​502) (cac1c8d)

v6.1.1

Compare Source

• Adjust deprecation to better reflect real-world usage (#​499) (ab1c69e)

v6.1.0

Compare Source

• Introduce new .getSignedReferences() function of signature to help prevent signature wrapping attacks (#​489) (badaf20)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[elastic-renovate-prod]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[legrego]

/ci

[legrego]

/ci

[legrego]

/ci

[janmonschke]

@legrego I'm unable to bootstrap this PR locally. It fails when compiling native dependencies. Have you managed to run it on your machine?

[azasypkin]

@legrego I'm unable to bootstrap this PR locally. It fails when compiling native dependencies. Have you managed to run it on your machine?

I haven't tried last week, but I've just merged the latest main locally and bootstrap passed. Let me merge upstream here and see if it helps @janmonschke.

[azasypkin]

@elasticmachine merge upstream

[azasypkin]

/ci

[janmonschke]

kibana-cases changes lgtm

[ymao1]

response ops changes LGTM

[kibanamachine]

Starting backport for target branches: 8.18, 8.19, 9.1

https://github.com/elastic/kibana/actions/runs/17268663923

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: c648619

Metrics [docs]

✅ unchanged

History

• 💚 Build #332099 succeeded 26ef49f
• 💛 Build #330999 was flaky 6133de1
• 💔 Build #330527 failed a306eb7
• 💔 Build #330478 failed 9f92977

[kibanamachine]

💔 Some backports could not be created

Status	Branch	Result
❌	8.18	Backport failed because of merge conflicts
❌	8.19	Backport failed because of merge conflicts You might need to backport the following PRs to 8.19: - [ska] delete x-pack/test_serverless directory (#232186) - Update OpenFeature (main) (#232332) - [ska] relocate chat serverless api & functional tests (#230527)
✅	9.1

Note: Successful backport PRs will be merged automatically after passing CI.

Manual backport

To create the backport manually run:

node scripts/backport --pr 232111

Questions ?

Please refer to the Backport tool documentation

[legrego]

💚 All backports created successfully

Status	Branch	Result
✅	8.19
✅	8.18

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

[kibanamachine]

Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync.