
deps: Replace expr-eval with expr-eval-fork #243014

Closed
jotamartos wants to merge 1 commit into elastic:main from jotamartos:main

Conversation


@jotamartos jotamartos commented Nov 14, 2025

Summary

expr-eval includes different security vulnerabilities that were fixed in expr-eval-fork@3.0.0

The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted variables object into the evaluate() function and trigger arbitrary code execution.

GHSA-jc85-fpwf-qm7x

npm package expr-eval is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue.

https://nvd.nist.gov/vuln/detail/CVE-2025-13204

yarn remove expr-eval
yarn add expr-eval-fork

Checklist

Check that the PR satisfies the following conditions.

Reviewers should verify this PR satisfies this list as well.

  • Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
  • Documentation was added for features that require explanation or tutorials
  • Unit or functional tests were updated or added to match the most common scenarios
  • If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
  • This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The release_note:breaking label should be applied in these situations.
  • Flaky Test Runner was used on any tests changed
  • The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines
  • Review the backport guidelines and apply applicable backport:* labels.

Identify risks

I do not see any reference in the Kibana code to this dependency, so I do not know if it can even be removed. I'm not sure if this change needs to be migrated to any other repo. Please let me know.
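The advisory quoted above describes a crafted variables object reaching evaluate() and polluting the prototype chain. As an added example, not code from this PR or from either the expr-eval or expr-eval-fork package, here is a defensive pre-check a caller can apply to untrusted variables before handing them to any expression evaluator: it copies the input into a null-prototype object, rejects keys that can reach the prototype chain, and only admits primitive values or nested plain objects. The helper names (sanitizeVariables, isPlainObject, evaluateWithGuard) and the evaluator callback are this example's own assumptions, not an API of either library.

```javascript
// Added example (not part of the pull request or of either library):
// a defensive pre-check for an untrusted "variables" object before it is
// passed to an expression evaluator. Names below are this example's own.

// Own-property names that would let a caller reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True for plain data objects only: created with Object.create(null) or
// inheriting directly from Object.prototype (so arrays, class instances and
// objects with a replaced prototype are rejected).
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

// Copies `input` into a null-prototype object, keeping only own keys whose
// values are numbers, strings, booleans, or nested plain objects of the same
// shape. Throws on forbidden key names, functions, arrays and deep nesting.
function sanitizeVariables(input, depth = 0) {
  if (!isPlainObject(input)) {
    throw new TypeError('variables must be a plain object');
  }
  if (depth > 8) {
    throw new RangeError('variables object nested too deeply');
  }
  const out = Object.create(null);
  // Object.keys lists own enumerable keys, so a JSON-decoded "__proto__"
  // property shows up here and is rejected rather than silently inherited.
  for (const key of Object.keys(input)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`forbidden variable name: ${key}`);
    }
    const value = input[key];
    const kind = typeof value;
    if (kind === 'number' || kind === 'string' || kind === 'boolean') {
      out[key] = value;
    } else if (isPlainObject(value)) {
      out[key] = sanitizeVariables(value, depth + 1);
    } else {
      throw new TypeError(`unsupported variable type for ${key}: ${kind}`);
    }
  }
  return out;
}

// Wraps any evaluator of the form evaluateFn(expression, variables) so that
// only sanitized variables ever reach it. `evaluateFn` is an assumed callback.
function evaluateWithGuard(evaluateFn, expression, variables) {
  return evaluateFn(expression, sanitizeVariables(variables));
}

// Constructed sample input: what a JSON request body with a prototype-chain
// key looks like once decoded (the key is an own property, not a prototype).
const untrusted = JSON.parse('{"x": 2, "__proto__": {"polluted": true}}');
try {
  sanitizeVariables(untrusted);
} catch (e) {
  console.log('rejected:', e.message);
}
console.log('clean copy:', sanitizeVariables({ x: 2, y: 'a', n: { z: 3 } }));
```

The check runs before the evaluator, so it adds protection regardless of which expression library sits behind it; swapping in a patched library, as this PR does, and keeping a caller-side allowlist are complementary.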

@cla-checker-service

cla-checker-service bot commented Nov 14, 2025

💚 CLA has been signed

@kibanamachine
Contributor

Dependency Review Bot Analysis 🔍

Found 1 new third-party dependencies:

Package        | Version | Vulnerabilities                        | Health Score
expr-eval-fork | ^3.0.0  | 🔴 C: 0, 🟠 H: 0, 🟡 M: 0, 🟢 L: 0 | expr-eval-fork

Self Checklist

To help with the review, please update the PR description to address the following points for each new third-party dependency listed above:

  • Purpose: What is this dependency used for? Briefly explain its role in your changes.
  • Justification: Why is adding this dependency the best approach?
  • Alternatives explored: Were other options considered (e.g., using existing internal libraries/utilities, implementing the functionality directly)? If so, why was this dependency chosen over them?
  • Existing dependencies: Does Kibana have a dependency providing similar functionality? If so, why is the new one preferred?

Thank you for providing this information!

@jotamartos
Author

I already signed the contributor agreement and the commit belongs to the same email.

Description is updated with the new CVE: CVE-2025-13204

@jotamartos
Author

Dependency removed here: #244805

@jotamartos jotamartos closed this Jan 30, 2026
