[8.19] chore(axios,security-solution): remove axios from telemetry/role scripts (#267944) (#268475)

# Backport

This will backport the following commits from `main` to `8.19`:
- [chore(axios,security-solution): remove axios from telemetry/role
scripts (#267944)](#267944)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Aleh
Zasypkin","email":"aleh.zasypkin@elastic.co"},"sourceCommit":{"committedDate":"2026-05-08T14:53:10Z","message":"chore(axios,security-solution):
remove axios from telemetry/role scripts (#267944)\n\n## Summary\n\n>
[!IMPORTANT]\n> **NOTE TO CODE OWNERS:** I'm modifying code I don't own
day to day.\nPlease verify the changes still work as expected. For these
migrations a\nquick run of the affected scripts/tests is worth more than
a code-only\nreview.\n\nThis PR removes the `axios` dependency for files
owned by\n`@elastic/security-solution`. Phase 4 of the axios migration
tracked\nunder #266556.\n\n### Why\n\nNode.js 22 ships a native `fetch`
API built on undici, and every browser\nKibana targets supports `fetch`
natively. Removing axios cuts one\nruntime dependency and continues the
per-team rollout that mirrors the\nearlier node-fetch
migration\n([#250719](#250719) and
siblings).\n\n### Changes\n\nThree files migrated, two files **deferred
to a later phase**:\n\n- `scripts/telemetry/build_ebt_data_view.ts`: 1
axios.get + 1 axios.put.\nReplaced with `fetch`, `res.ok` check, and
typed `await res.json()` for\nthe data-view fetch.\n-
`scripts/telemetry/build_ebt_data_view.test.ts`: was
mocking\n`axios.put` for `upsertRuntimeFields`. Switched to
`jest.spyOn(global,\n'fetch')`. The 16 existing test cases pass
unchanged in intent:\nname/type/url assertions adapted to read the
`fetch(url, init)` argument\nshape (`init.body` is now
`JSON.stringify(payload)` rather than the\nthird axios arg). Header
equality and dotted-name handling
assertions\nunchanged.\n-\n`server/lib/detection_engine/scripts/roles_users/create_role_and_user.ts`:\n2
axios.put calls. Replaced with `fetch` and an explicit non-2xx
throw\nthat preserves status+body in the error message.\n\nRemoved the
`scripts/telemetry/**` and\n`server/lib/detection_engine/scripts/**`
entries from\n`AXIOS_LEGACY_CONSUMERS` in `.eslintrc.js`. New axios
usage in either of\nthose directories is now blocked by the existing
global ban.\n\n**Deferred to a later
phase**:\n`server/integration_tests/configuration.test.ts`
and\n`server/integration_tests/telemetry.test.ts` mock `axios` at the
module\nlevel for code under `server/lib/telemetry/*`, which is owned
by\n`@elastic/security-data-analytics` and not yet migrated. Test mocks
must\nflip in lockstep with the production code they intercept; these
two\ntests will migrate alongside that team's PR.\n\n### Behavior
parity\n\nNative fetch does not throw on non-2xx, so each call site
explicitly\nchecks `res.ok` / `res.status`. Errors thrown inside the
migrated\nscripts now have the form `${status}:${body}` to keep the
same\ndiagnostic content the original axios errors carried. The diff
is\nintentionally minimal: variable names, comment placement,
try-catch\nstructure, and error-handling shape from the original axios
code
are\npreserved.","sha":"312e26c1241eb65a63c33c6d5acc3593ef6956d1","branchLabelMapping":{"^v9.5.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["chore","release_note:skip","backport:all-open","v9.5.0"],"title":"chore(axios,security-solution):
remove axios from telemetry/role
scripts","number":267944,"url":"https://github.com/elastic/kibana/pull/267944","mergeCommit":{"message":"chore(axios,security-solution):
remove axios from telemetry/role scripts (#267944)\n\n## Summary\n\n>
[!IMPORTANT]\n> **NOTE TO CODE OWNERS:** I'm modifying code I don't own
day to day.\nPlease verify the changes still work as expected. For these
migrations a\nquick run of the affected scripts/tests is worth more than
a code-only\nreview.\n\nThis PR removes the `axios` dependency for files
owned by\n`@elastic/security-solution`. Phase 4 of the axios migration
tracked\nunder #266556.\n\n### Why\n\nNode.js 22 ships a native `fetch`
API built on undici, and every browser\nKibana targets supports `fetch`
natively. Removing axios cuts one\nruntime dependency and continues the
per-team rollout that mirrors the\nearlier node-fetch
migration\n([#250719](#250719) and
siblings).\n\n### Changes\n\nThree files migrated, two files **deferred
to a later phase**:\n\n- `scripts/telemetry/build_ebt_data_view.ts`: 1
axios.get + 1 axios.put.\nReplaced with `fetch`, `res.ok` check, and
typed `await res.json()` for\nthe data-view fetch.\n-
`scripts/telemetry/build_ebt_data_view.test.ts`: was
mocking\n`axios.put` for `upsertRuntimeFields`. Switched to
`jest.spyOn(global,\n'fetch')`. The 16 existing test cases pass
unchanged in intent:\nname/type/url assertions adapted to read the
`fetch(url, init)` argument\nshape (`init.body` is now
`JSON.stringify(payload)` rather than the\nthird axios arg). Header
equality and dotted-name handling
assertions\nunchanged.\n-\n`server/lib/detection_engine/scripts/roles_users/create_role_and_user.ts`:\n2
axios.put calls. Replaced with `fetch` and an explicit non-2xx
throw\nthat preserves status+body in the error message.\n\nRemoved the
`scripts/telemetry/**` and\n`server/lib/detection_engine/scripts/**`
entries from\n`AXIOS_LEGACY_CONSUMERS` in `.eslintrc.js`. New axios
usage in either of\nthose directories is now blocked by the existing
global ban.\n\n**Deferred to a later
phase**:\n`server/integration_tests/configuration.test.ts`
and\n`server/integration_tests/telemetry.test.ts` mock `axios` at the
module\nlevel for code under `server/lib/telemetry/*`, which is owned
by\n`@elastic/security-data-analytics` and not yet migrated. Test mocks
must\nflip in lockstep with the production code they intercept; these
two\ntests will migrate alongside that team's PR.\n\n### Behavior
parity\n\nNative fetch does not throw on non-2xx, so each call site
explicitly\nchecks `res.ok` / `res.status`. Errors thrown inside the
migrated\nscripts now have the form `${status}:${body}` to keep the
same\ndiagnostic content the original axios errors carried. The diff
is\nintentionally minimal: variable names, comment placement,
try-catch\nstructure, and error-handling shape from the original axios
code
are\npreserved.","sha":"312e26c1241eb65a63c33c6d5acc3593ef6956d1"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.5.0","branchLabelMappingKey":"^v9.5.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/267944","number":267944,"mergeCommit":{"message":"chore(axios,security-solution):
remove axios from telemetry/role scripts (#267944)\n\n## Summary\n\n>
[!IMPORTANT]\n> **NOTE TO CODE OWNERS:** I'm modifying code I don't own
day to day.\nPlease verify the changes still work as expected. For these
migrations a\nquick run of the affected scripts/tests is worth more than
a code-only\nreview.\n\nThis PR removes the `axios` dependency for files
owned by\n`@elastic/security-solution`. Phase 4 of the axios migration
tracked\nunder #266556.\n\n### Why\n\nNode.js 22 ships a native `fetch`
API built on undici, and every browser\nKibana targets supports `fetch`
natively. Removing axios cuts one\nruntime dependency and continues the
per-team rollout that mirrors the\nearlier node-fetch
migration\n([#250719](#250719) and
siblings).\n\n### Changes\n\nThree files migrated, two files **deferred
to a later phase**:\n\n- `scripts/telemetry/build_ebt_data_view.ts`: 1
axios.get + 1 axios.put.\nReplaced with `fetch`, `res.ok` check, and
typed `await res.json()` for\nthe data-view fetch.\n-
`scripts/telemetry/build_ebt_data_view.test.ts`: was
mocking\n`axios.put` for `upsertRuntimeFields`. Switched to
`jest.spyOn(global,\n'fetch')`. The 16 existing test cases pass
unchanged in intent:\nname/type/url assertions adapted to read the
`fetch(url, init)` argument\nshape (`init.body` is now
`JSON.stringify(payload)` rather than the\nthird axios arg). Header
equality and dotted-name handling
assertions\nunchanged.\n-\n`server/lib/detection_engine/scripts/roles_users/create_role_and_user.ts`:\n2
axios.put calls. Replaced with `fetch` and an explicit non-2xx
throw\nthat preserves status+body in the error message.\n\nRemoved the
`scripts/telemetry/**` and\n`server/lib/detection_engine/scripts/**`
entries from\n`AXIOS_LEGACY_CONSUMERS` in `.eslintrc.js`. New axios
usage in either of\nthose directories is now blocked by the existing
global ban.\n\n**Deferred to a later
phase**:\n`server/integration_tests/configuration.test.ts`
and\n`server/integration_tests/telemetry.test.ts` mock `axios` at the
module\nlevel for code under `server/lib/telemetry/*`, which is owned
by\n`@elastic/security-data-analytics` and not yet migrated. Test mocks
must\nflip in lockstep with the production code they intercept; these
two\ntests will migrate alongside that team's PR.\n\n### Behavior
parity\n\nNative fetch does not throw on non-2xx, so each call site
explicitly\nchecks `res.ok` / `res.status`. Errors thrown inside the
migrated\nscripts now have the form `${status}:${body}` to keep the
same\ndiagnostic content the original axios errors carried. The diff
is\nintentionally minimal: variable names, comment placement,
try-catch\nstructure, and error-handling shape from the original axios
code
are\npreserved.","sha":"312e26c1241eb65a63c33c6d5acc3593ef6956d1"}}]}]
BACKPORT-->

Co-authored-by: Aleh Zasypkin <aleh.zasypkin@elastic.co>

Author: kibanamachine

.eslintrc.js

@@ -345,9 +345,7 @@ const AXIOS_LEGACY_CONSUMERS = [
   'x-pack/solutions/security/plugins/security_solution/common/endpoint/format_axios_error.ts',
   'x-pack/solutions/security/plugins/security_solution/common/endpoint/utils/**/*.{js,mjs,ts,tsx}',
   'x-pack/solutions/security/plugins/security_solution/scripts/endpoint/**/*.{js,mjs,ts,tsx}',
-  'x-pack/solutions/security/plugins/security_solution/scripts/telemetry/**/*.{js,mjs,ts,tsx}',
   'x-pack/solutions/security/plugins/security_solution/server/integration_tests/**/*.{js,mjs,ts,tsx}',
-  'x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/scripts/**/*.{js,mjs,ts,tsx}',
   'x-pack/solutions/security/plugins/security_solution/server/lib/telemetry/**/*.{js,mjs,ts,tsx}',
   'x-pack/solutions/security/test/osquery_cypress/utils.ts',
   'x-pack/solutions/security/test/security_solution_api_integration/config/services/**/*.{js,mjs,ts,tsx}',

x-pack/solutions/security/plugins/security_solution/scripts/telemetry/build_ebt_data_view.test.ts

@@ -6,15 +6,9 @@
  */
 /* eslint-disable @typescript-eslint/no-explicit-any */
 
-import axios from 'axios';
 import { flattenSchema, upsertRuntimeFields } from './build_ebt_data_view';
 
-jest.mock('axios', () => ({
-  __esModule: true,
-  default: {
-    put: jest.fn(),
-  },
-}));
+const mockedFetch = jest.spyOn(global, 'fetch');
 
 describe('upsertRuntimeFields', () => {
   const url = 'http://fake_url';
@@ -26,7 +20,7 @@ describe('upsertRuntimeFields', () => {
 
   beforeEach(() => {
     jest.resetAllMocks();
-    (axios.put as jest.Mock).mockResolvedValue({});
+    mockedFetch.mockResolvedValue(new Response(null, { status: 200 }));
   });
 
   test('sends one PUT per string field with correct payload and headers', async () => {
@@ -38,26 +32,30 @@ describe('upsertRuntimeFields', () => {
 
     await upsertRuntimeFields(fields, url, headers);
 
-    expect(axios.put).toHaveBeenCalledTimes(3);
+    expect(mockedFetch).toHaveBeenCalledTimes(3);
 
-    const calls = (axios.put as jest.Mock).mock.calls.map(([callUrl, payload, opts]) => ({
-      callUrl,
-      name: payload.name,
-      type: payload.runtimeField?.type,
-      opts,
-    }));
+    const calls = mockedFetch.mock.calls.map(([callUrl, opts]) => {
+      const payload = JSON.parse(opts?.body as string);
+      return {
+        callUrl,
+        method: opts?.method,
+        name: payload.name,
+        type: payload.runtimeField?.type,
+        headers: opts?.headers,
+      };
+    });
 
     const names = new Set(calls.map((c) => c.name));
     const types = new Set(calls.map((c) => c.type));
     const urls = new Set(calls.map((c) => c.callUrl));
-    const allHeadersOk = calls.every(
-      (c) => JSON.stringify(c.opts?.headers) === JSON.stringify(headers)
-    );
+    const allHeadersOk = calls.every((c) => JSON.stringify(c.headers) === JSON.stringify(headers));
+    const allMethodsOk = calls.every((c) => c.method === 'PUT');
 
     expect(names).toEqual(new Set(['properties.a', 'properties.nested.b', 'properties.deep.x.y']));
     expect(types).toEqual(new Set(['keyword', 'long', 'date']));
     expect(urls).toEqual(new Set([url]));
     expect(allHeadersOk).toBe(true);
+    expect(allMethodsOk).toBe(true);
   });
 
   test('ignores non-string field values', async () => {
@@ -70,15 +68,16 @@ describe('upsertRuntimeFields', () => {
 
     await upsertRuntimeFields(fields as any, url, headers);
 
-    expect(axios.put).toHaveBeenCalledTimes(1);
-    const [callUrl, payload, opts] = (axios.put as jest.Mock).mock.calls[0];
+    expect(mockedFetch).toHaveBeenCalledTimes(1);
+    const [callUrl, opts] = mockedFetch.mock.calls[0];
 
     expect(callUrl).toBe(url);
-    expect(payload).toEqual({
+    expect(opts?.method).toBe('PUT');
+    expect(JSON.parse(opts?.body as string)).toEqual({
       name: 'properties.ok',
       runtimeField: { type: 'ip' },
     });
-    expect(opts).toEqual({ headers });
+    expect(opts?.headers).toEqual(headers);
   });
 
   test('handles dotted field names correctly', async () => {
@@ -88,7 +87,8 @@ describe('upsertRuntimeFields', () => {
 
     await upsertRuntimeFields(fields, url, headers);
 
-    const [, payload] = (axios.put as jest.Mock).mock.calls[0];
+    const [, opts] = mockedFetch.mock.calls[0];
+    const payload = JSON.parse(opts?.body as string);
     expect(payload.name).toBe('properties.one.two.three');
     expect(payload.runtimeField.type).toBe('double');
   });

x-pack/solutions/security/plugins/security_solution/scripts/telemetry/build_ebt_data_view.ts

@@ -6,7 +6,6 @@
  */
 
 import { ToolingLog } from '@kbn/tooling-log';
-import axios from 'axios';
 import { events as genAiEvents } from '@kbn/elastic-assistant-plugin/server/lib/telemetry/event_based_telemetry';
 
 import { isObject } from 'lodash';
@@ -62,13 +61,16 @@ async function cli(): Promise<void> {
 
   try {
     logger.info(`Fetching data view "${dataViewName}"...`);
-    const {
-      data: { data_view: ourDataView },
-    } = await axios.get(dataViewApiUrl, {
+    const response = await fetch(dataViewApiUrl, {
       headers: requestHeaders,
     });
+    if (!response.ok) {
+      throw new Error(`${response.status}:${await response.text()}`);
+    }
+
+    const responseBody = (await response.json()) as { data_view: unknown };
 
-    if (!ourDataView) {
+    if (!responseBody.data_view) {
       throw new Error(
         `Data view "${dataViewName}" not found, check your data view is spelled correctly and is defined in the ${spaceId} space`
       );
@@ -195,9 +197,14 @@ export async function upsertRuntimeFields(
       };
 
       try {
-        await axios.put(requestUrl, payload, {
+        const response = await fetch(requestUrl, {
+          method: 'PUT',
           headers: requestHeaders,
+          body: JSON.stringify(payload),
         });
+        if (!response.ok) {
+          throw new Error(`${response.status}:${await response.text()}`);
+        }
       } catch (error) {
         throw new Error(`Error upserting field '${fieldName}: ${fieldType}' - ${error.message}`);
       }

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/create_role_and_user.ts

@@ -5,7 +5,6 @@
  * 2.0.
  */
 
-import axios from 'axios';
 import yargs from 'yargs';
 import { ToolingLog } from '@kbn/tooling-log';
 import {
@@ -46,20 +45,22 @@ async function cli(): Promise<void> {
   const requestHeaders = {
     Authorization: `Basic ${btoa(`${USERNAME}:${PASSWORD}`)}`,
     'kbn-xsrf': 'xxx',
+    'Content-Type': 'application/json',
   };
 
   try {
     logger.info(`Creating role "${role}"...`);
-    await axios.put(
-      `${KIBANA_URL}/api/security/role/${role}`,
-      {
+    const response = await fetch(`${KIBANA_URL}/api/security/role/${role}`, {
+      method: 'PUT',
+      headers: requestHeaders,
+      body: JSON.stringify({
         elasticsearch: selectedRoleDefinition.elasticsearch,
         kibana: selectedRoleDefinition.kibana,
-      },
-      {
-        headers: requestHeaders,
-      }
-    );
+      }),
+    });
+    if (!response.ok) {
+      throw new Error(`${response.status}:${await response.text()}`);
+    }
 
     logger.info(`Role "${role}" has been created`);
   } catch (e) {
@@ -69,18 +70,19 @@ async function cli(): Promise<void> {
 
   try {
     logger.info(`Creating user "${userName}"...`);
-    await axios.put(
-      `${ELASTICSEARCH_URL}/_security/user/${userName}`,
-      {
+    const response = await fetch(`${ELASTICSEARCH_URL}/_security/user/${userName}`, {
+      method: 'PUT',
+      headers: requestHeaders,
+      body: JSON.stringify({
         password,
         roles: [role],
         full_name: role,
         email: `role@example.com`,
-      },
-      {
-        headers: requestHeaders,
-      }
-    );
+      }),
+    });
+    if (!response.ok) {
+      throw new Error(`${response.status}:${await response.text()}`);
+    }
 
     logger.info(`User "${userName}" has been created (password "${password}")`);
   } catch (e) {