Update dependency @elastic/ecs to v9.3.0 (main) #252704

Closed
elastic-renovate-prod[bot] wants to merge 1 commit into main from renovate/main-@elasticecs
@elastic-renovate-prod elastic-renovate-prod Bot commented Feb 11, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| @elastic/ecs | dependencies | minor | 9.2.0 -> 9.3.0 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

elastic/ecs-typescript (@elastic/ecs)

v9.3.0

Compare Source

@elastic/ecs v9.3.0

TypeScript definitions for Elastic Common Schema (ECS) version 9.3.0.

Installation

```bash
npm install @elastic/ecs@9.3.0

# or
yarn add @elastic/ecs@9.3.0
```

npm Package

https://www.npmjs.com/package/@elastic/ecs/v/9.3.0

Changes

This release includes updated TypeScript definitions generated from ECS schema version 9.3.0.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@elastic-renovate-prod elastic-renovate-prod Bot added backport:all-open Backport to all branches that could still receive a release release_note:skip Skip the PR/issue when compiling release notes Team:obs-onboarding Observability Onboarding Team labels Feb 11, 2026
@elastic-renovate-prod elastic-renovate-prod Bot requested a review from a team February 11, 2026 12:31
@elasticmachine

Pinging @elastic/obs-onboarding-team (Team:obs-onboarding)

elasticmachine commented Feb 11, 2026

⏳ Build in-progress, with failures

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #57 / Alerting check alert schemas should not have discrepancies from the alert field map or the field map specific to a rule type
  • [job] [logs] FTR Configs #57 / Alerting check alert schemas should not have discrepancies from the alert field map or the field map specific to a rule type
  • [job] [logs] Jest Tests #6 / asLoggerFactory() only allows to create new loggers.
  • [job] [logs] Jest Tests #6 / asLoggerFactory() only allows to create new loggers.
  • [job] [logs] Jest Tests #3 / es_query utils getSourceFields should generate the correct source fields
  • [job] [logs] Jest Tests #3 / es_query utils getSourceFields should generate the correct source fields
  • [job] [logs] Jest Tests #6 / flushes memory buffer logger and switches to real logger once config is provided
  • [job] [logs] Jest Tests #6 / flushes memory buffer logger and switches to real logger once config is provided
  • [job] [logs] FTR Configs #30 / Maps endpoints apis maps_telemetry should return the correct telemetry values for map saved objects
  • [job] [logs] FTR Configs #30 / Maps endpoints apis maps_telemetry should return the correct telemetry values for map saved objects
  • [job] [logs] FTR Configs #69 / rules security and spaces enabled: basic ruleRegistryAlertsSearchStrategy siem "before all" hook for "should return alerts from siem rules"
  • [job] [logs] FTR Configs #69 / rules security and spaces enabled: basic ruleRegistryAlertsSearchStrategy siem "before all" hook for "should return alerts from siem rules"

History

@elastic-renovate-prod elastic-renovate-prod Bot added backport:skip This PR does not require backporting and removed backport:all-open Backport to all branches that could still receive a release labels Feb 16, 2026
@elastic-renovate-prod elastic-renovate-prod Bot force-pushed the renovate/main-@elasticecs branch from 720670c to 6620be5 Compare February 23, 2026 14:12
@albertoblaz albertoblaz linked an issue Feb 23, 2026 that may be closed by this pull request
@rStelmach

/ralph Investigate the CI failure only. Analyze the build artifacts, identify the root cause of those test failures, and post your findings here. Do not create a PR or make code changes.

@rStelmach

CI failure analysis from build 393116 (step 019c4d09-eb0e-459c-b62a-3cd732c2e97f):\n\n- Root cause: the failing job is a single setup failure in (, SIEM ) where Elasticsearch rejects index creation with .\n- Evidence: and all 3 artifacts (, , ) consistently show one failing testcase at fixture load time () while creating . XML metadata also shows this as one failure (, , ) with later SIEM tests skipped after the failed .\n- Impact: this is a mapping-size/field-count ceiling breach in alert index setup, not multiple independent test regressions.\n- Relation to this PR ( 9.2.0 -> 9.3.0): likely causal/high confidence. Alerting composes ECS mappings from () and applies ; Security detection rules use ECS mappings (), so additional ECS fields in 9.3.0 can push the merged mapping past the limit and trigger this exact error.\n- Next action: either (a) raise/revisit the total fields limit for this alert index path, or (b) trim/disable non-essential ECS fields for this index to keep total mapped fields under 2500; then rerun the failing integration suite.\n\nPer request, this was investigation-only: no code changes were made and no new PR was created.

@rStelmach

Formatting correction for the previous comment — reposting the same findings cleanly.

CI failure analysis from build 393116 (step 019c4d09-eb0e-459c-b62a-3cd732c2e97f):

  • Root cause: the failing job is a single setup failure in X-Pack Rule Registry Alerts Client API Integration Tests (security_and_spaces/tests/basic/search_strategy.ts, SIEM before all) where Elasticsearch rejects index creation with illegal_argument_exception: Limit of total fields [2500] has been exceeded.
  • Evidence: bk-build-info.md and all 3 artifacts (...html, ...xml, ...json) consistently show one failing testcase at fixture load time (x-pack/solutions/security/test/fixtures/es_archives/security_solution/alerts/8.1.0) while creating .internal.alerts-security.alerts-default-000001. XML metadata also shows this as one failure (tests=662, failures=1, skipped=186) with later SIEM tests skipped after the failed before all.
  • Impact: this is a mapping-size/field-count ceiling breach in alert index setup, not multiple independent test regressions.
  • Relation to this PR (@elastic/ecs 9.2.0 -> 9.3.0): likely causal/high confidence. Alerting composes ECS mappings from EcsFlat (ecsFieldMap) and applies TOTAL_FIELDS_LIMIT = 2500; Security detection rules use ECS mappings (useEcs: true), so additional ECS fields in 9.3.0 can push the merged mapping past the limit and trigger this exact error.
  • Next action: either (a) raise/revisit the total fields limit for this alert index path, or (b) trim/disable non-essential ECS fields for this index to keep total mapped fields under 2500; then rerun the failing integration suite.

Per request, this was investigation-only: no code changes were made and no new PR was created.

@rStelmach

/ralph now Investigate ALL CI failures in this build - analyze artifacts from every failed job, identify root causes, and post findings here. Do not create a PR or make code changes.

@rStelmach

Investigated all 5 failed CI jobs in build 393116 (Jest #3, Jest #6, FTR #30, FTR #57, FTR #69) using the linked Buildkite summaries plus job artifacts.

Confirmed causes

  1. Jest Tests #3 (es_query/util.test.ts): inline snapshot for getSourceFields() fails because received field set expanded (+324 entries, including entity.*, entity.target.*, host.target.*).

    • Direct trigger path: getSourceFields() -> Object.keys(ecsFieldMap); ecsFieldMap is built from EcsFlat from @elastic/ecs.
    • Interpretation: deterministic snapshot drift from ECS field expansion after bump.
  2. Jest Tests #6 (logging_system.test.ts): all failing snapshot hunks are ecs.version string change only ("9.3.0-dev" -> "9.3.0").

    • Direct trigger path: JsonLayout emits ecs.version from EcsVersion in @elastic/ecs.
    • Interpretation: deterministic snapshot mismatch from dependency-provided version value.
  3. FTR Configs #57 (generate_alert_schemas.ts): generated-files cleanliness assertion fails because src/platform/packages/shared/kbn-alerts-as-data-utils/src/schemas/generated/ecs_schema.ts is modified.

    • Direct trigger path: schema generation consumes ecsFieldMap, and ecsFieldMap is derived from EcsFlat from @elastic/ecs.
    • Interpretation: direct generated-schema drift from ECS definition changes.

High-confidence hypotheses (artifact-backed, but indirect)

  1. FTR Configs #30 (maps_telemetry.ts): geo_point count assertion fails (expected 63, got 71, delta +8).

    • Likely linkage: telemetry reflects installed mappings; ECS-backed mapping growth increases field-type counts.
  2. FTR Configs #69 (search_strategy.ts before-all): archive load fails with illegal_argument_exception (Limit of total fields [2500] has been exceeded).

    • Likely linkage: ECS-derived template growth pushes composed mappings over fixed total-fields limit.

Root-cause synthesis

The five failures align to a single dependency-change cluster from @elastic/ecs 9.2.0 -> 9.3.0:

  • Direct/confirmed manifestations: snapshot drift (Jest #3, Jest #6) and generated schema drift (FTR #57).
  • Runtime downstream manifestations (high confidence): mapping-count telemetry drift (FTR #30) and total-fields overflow during archive setup (FTR #69).

No code changes or PR creation were performed as part of this investigation.
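
Added example, not part of the thread or of Kibana's code: a pre-merge check for the FTR #69 failure mode, run over a flat dotted-name field map shaped like the `EcsFlat` map the comment refers to. Elasticsearch counts object mappings as well as leaf fields toward `index.mapping.total_fields.limit`, so new prefixes such as `entity.target.*` cost more entries than the number of added fields. The sample maps, `countMapperEntries` and `assessBump` are constructed for illustration.

```typescript
// Flat field map: dotted field name -> definition (shape assumed for illustration).
type FlatFieldMap = Record<string, { type: string }>;

interface BumpReport {
  addedFields: string[];
  before: number;
  after: number;
  headroom: number;
  exceedsLimit: boolean;
}

const TOTAL_FIELDS_LIMIT = 2500; // limit quoted in the thread

// Count leaf fields plus every distinct object parent implied by the dotted names.
function countMapperEntries(flat: FlatFieldMap): number {
  const objects = new Set<string>();
  let leaves = 0;
  for (const [name, def] of Object.entries(flat)) {
    const parts = name.split('.');
    for (let i = 1; i < parts.length; i++) objects.add(parts.slice(0, i).join('.'));
    if (def.type === 'object' || def.type === 'nested') objects.add(name);
    else leaves++;
  }
  return leaves + objects.size;
}

// Compare two schema versions; nonEcsFields is whatever else the composed mapping already holds.
function assessBump(before: FlatFieldMap, after: FlatFieldMap,
                    nonEcsFields = 0, limit = TOTAL_FIELDS_LIMIT): BumpReport {
  const addedFields = Object.keys(after).filter((k) => !(k in before)).sort();
  const b = countMapperEntries(before) + nonEcsFields;
  const a = countMapperEntries(after) + nonEcsFields;
  // Index creation is rejected only when the total goes above the limit.
  return { addedFields, before: b, after: a, headroom: limit - a, exceedsLimit: a > limit };
}

// Constructed sample maps (not the real ECS 9.2.0 / 9.3.0 field lists).
const BEFORE: FlatFieldMap = {
  '@timestamp': { type: 'date' }, 'host.name': { type: 'keyword' },
  'host.ip': { type: 'ip' }, 'source.geo.location': { type: 'geo_point' },
};
const AFTER: FlatFieldMap = {
  ...BEFORE,
  'host.target.name': { type: 'keyword' }, 'host.target.ip': { type: 'ip' },
  'entity.id': { type: 'keyword' }, 'entity.target.id': { type: 'keyword' },
};

// 4 added fields, but 7 added entries: host.target, entity and entity.target are new objects.
const SAMPLE_REPORT = assessBump(BEFORE, AFTER, 5, 18);
```

Running this in CI against the old and new flat maps reports the remaining headroom before an alert index template hits the limit at creation time.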

@elastic-renovate-prod elastic-renovate-prod Bot force-pushed the renovate/main-@elasticecs branch from 312ace1 to 1eade53 Compare February 25, 2026 10:16
rStelmach added a commit that referenced this pull request Feb 25, 2026
closes: #252704

## Summary

Bumps `@elastic/ecs` from `9.2.0` to `9.3.0` and fixes all resulting CI
test failures.

## Changes

### Dependency bump
- **`package.json` / `yarn.lock`** - updated `@elastic/ecs` from `9.2.0` to `9.3.0`

### Snapshot updates (ECS field expansion + version string change)
- **`x-pack/platform/plugins/shared/stack_alerts/server/rule_types/es_query/util.test.ts`** - updated inline snapshot for `getSourceFields()` to include ~324 new ECS fields added in 9.3.0 (e.g. `entity.*`, `entity.target.*`, `host.target.*`)
- **`src/core/packages/logging/server-internal/src/__snapshots__/logging_system.test.ts.snap`** - updated `ecs.version` from `"9.3.0-dev"` to `"9.3.0"` across all snapshot entries

### Generated schema regeneration
- **`src/platform/packages/shared/kbn-alerts-as-data-utils/src/schemas/generated/ecs_schema.ts`** - regenerated io-ts schemas to reflect the new ECS 9.3.0 field definitions in `ecsFieldMap`

### Test fixture updates
- **`x-pack/platform/test/api_integration/apis/maps/maps_telemetry.ts`** - updated `geo_point` field count assertion from `63` to `71` to account for new ECS geo_point fields in cluster stats
- **`x-pack/solutions/security/test/fixtures/es_archives/security_solution/alerts/8.1.0/mappings.json.gz`** - raised `total_fields.limit` from `2500` to `3500` in test archive mappings to prevent `illegal_argument_exception` when loading the SIEM alert fixture with expanded ECS fields (same approach used in #245798 for `8.8.0` archives, test-only, production limit in `alerts_service.ts` remains at `2500`)
@elastic-renovate-prod elastic-renovate-prod Bot deleted the renovate/main-@elasticecs branch February 25, 2026 14:30
qn895 pushed a commit to qn895/kibana that referenced this pull request Mar 11, 2026