Conversation

@paulstn paulstn (Collaborator) commented Nov 15, 2025

Description

The overall goal of this PR is to not use lodash template anymore, since it uses the Function constructor, which violates the script-src 'unsafe-eval' directive due to it executing dynamically generated code.

Put in ESLint rules

Errors will be thrown if lodash template is used in any capacity.

Remove the use of lodash template

Did this within color.ts, source.ts, and point_series.js, replacing the used template with working code that has the same functionality.

Remove lodash.template security hardening module

Removed

  • src/setup_node_env/harden/lodash_template.js - Security hardening wrapper
  • test/harden/lodash_template.js - Associated test file
  • Reference in src/setup_node_env/harden/index.js

Why it's safe to remove

These files implemented runtime security hardening for lodash.template, which is a known
security risk when used with user input. However:

  1. No usage in codebase: lodash.template is not used anywhere in the OpenSearch
    Dashboards codebase
  2. Already prevented by linting: ESLint rules already block any new usage of
    lodash.template with the message "lodash.template is not allowed due to security
    concerns"
  3. Defense in depth no longer needed: Since the function is banned at the linting
    level and has zero usage, runtime hardening provides no additional value

The security protections remain in place through ESLint rules, which prevent the
vulnerable function from being introduced in the first place.

Testing the changes

Added or used relevant tests to ensure the behavior remains the same with the

Changelog

  • breaking: Remove usage of lodash template
  • infra: Add in eslint rule to prevent the use of lodash template

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff
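One way to express the lint-level ban the description refers to, as an added example rather than the rule set this PR commits: a rules object to merge into the project's ESLint config, built from ESLint core rules. The message text is the one quoted in the description; the rule selection and the helper are assumptions.

```javascript
// Added example, not the rule set this PR adds: an ESLint rules object that bans lodash's
// template in every form a codebase tends to reach it, so the ban cannot be dodged by
// switching import style. All three rules are ESLint core rules.
const LODASH_TEMPLATE_MESSAGE =
  'lodash.template is not allowed due to security concerns';

const lodashTemplateBanRules = {
  // import { template } from 'lodash'; import template from 'lodash/template';
  // import template from 'lodash.template';
  'no-restricted-imports': ['error', {
    paths: [
      { name: 'lodash', importNames: ['template'], message: LODASH_TEMPLATE_MESSAGE },
      { name: 'lodash/template', message: LODASH_TEMPLATE_MESSAGE },
      { name: 'lodash.template', message: LODASH_TEMPLATE_MESSAGE },
    ],
  }],
  // _.template(...) or lodash.template(...) on an already-imported namespace object
  'no-restricted-properties': ['error',
    { object: '_', property: 'template', message: LODASH_TEMPLATE_MESSAGE },
    { object: 'lodash', property: 'template', message: LODASH_TEMPLATE_MESSAGE },
  ],
  // CommonJS forms: require('lodash/template'), require('lodash.template'),
  // require('lodash').template
  'no-restricted-syntax': ['error', {
    selector: [
      "CallExpression[callee.name='require'][arguments.0.value='lodash/template']",
      "CallExpression[callee.name='require'][arguments.0.value='lodash.template']",
      "MemberExpression[object.callee.name='require'][property.name='template']",
    ].join(', '),
    message: LODASH_TEMPLATE_MESSAGE,
  }],
};

// Assumed helper: exposes the banned module specifiers so a repository test can
// check that the list stays complete when the config is edited.
function bannedImportNames(rules) {
  return rules['no-restricted-imports'][1].paths.map((p) => p.name);
}
```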

@github-actions (Contributor) commented

❌ Empty Changelog Section

The Changelog section in your PR description is empty. Please add a valid changelog entry or entries. If you did add a changelog entry, check to make sure that it was not accidentally included inside the comment block in the Changelog section.

Signed-off-by: Paul Sebastian <[email protected]>

@paulstn (Collaborator, Author) commented on this diff context:

    );
    });

    describe('templateHtml rendering', () => {

Adds in tests for testing the output of htmlConvert within source.ts, since this wasn't in there beforehand.

@codecov codecov bot commented Nov 15, 2025

Codecov Report

❌ Patch coverage is 71.42857% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 60.78%. Comparing base (127fd2e) to head (fd13147).
⚠️ Report is 2 commits behind head on main.

Files with missing lines                                    Patch %   Lines
...islib/public/vislib/visualizations/point_series.js       0.00%    2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #10920      +/-   ##
==========================================
+ Coverage   60.75%   60.78%   +0.03%     
==========================================
  Files        4533     4531       -2     
  Lines      122211   122219       +8     
  Branches    20483    20488       +5     
==========================================
+ Hits        74250    74292      +42     
+ Misses      42720    42689      -31     
+ Partials     5241     5238       -3     
Flag        Coverage   Patch      Δ
Linux_1     26.56%     <0.00%>    (-0.02%) ⬇️
Linux_2     38.91%     <0.00%>    (-0.01%) ⬇️
Linux_3     39.49%     <100.00%>  (+0.04%) ⬆️
Linux_4     33.74%     <0.00%>    (-0.01%) ⬇️
Windows_1   26.57%     <0.00%>    (-0.02%) ⬇️
Windows_2   38.89%     <0.00%>    (-0.01%) ⬇️
Windows_3   39.49%     <100.00%>  (+0.04%) ⬆️
Windows_4   33.74%     <0.00%>    (-0.01%) ⬇️


@angle943 angle943 added the CSP label (Changes related to CSP) on Nov 15, 2025
Review comment (Collaborator) on the replacement template literal:

    ${wholeBucket ? 'Part of this bucket' : 'This area'}
    may contain partial data. The selected time range does not fully cover it.
    </span>
    </p>`;

Were you able to test this visually by any chance?
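The template-literal replacement quoted in that comment, as an added example that is not code from this PR, with the caveat a reviewer would raise: lodash's `<%- %>` HTML-escaped interpolated values and a plain template literal does not, so the literal is wrapped in a small escaping tag. `rangeLabel` is an assumed extra input, included only to show where escaping matters.

```javascript
// Added example, not code from this PR. The lodash template this PR removes was compiled
// with the Function constructor, which a Content Security Policy whose script-src lacks
// 'unsafe-eval' refuses to run. A template literal generates no code at runtime, but it
// also does none of the HTML escaping lodash's `<%- %>` did; the `html` tag below escapes
// every interpolated value, giving that back without any dynamic code generation.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tag function: static template parts are emitted verbatim, every ${...} value is escaped.
function html(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHtml(values[i]) : ''),
    '',
  );
}

// Plain function replacing the former template: same markup as the quoted snippet.
// `rangeLabel` is an assumed input that could originate from a user-supplied time range.
function renderPartialDataNotice(wholeBucket, rangeLabel) {
  return html`<p><span>${wholeBucket ? 'Part of this bucket' : 'This area'} (${rangeLabel}) may contain partial data. The selected time range does not fully cover it.</span></p>`;
}
```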

@angle943 angle943 (Collaborator) left a comment

Change looks good, thanks! One note is that CIs are failing, but I don't believe it is related to this change. We have a chat started in the OSD maintainer channel to look into it.
