Update hapi related packages

[kobelb]

This was originally started in #48026 but the PR was closed because renovate kept messing up @spalger's work.

Some of the direct/transitive dependencies of Hapi are being falsely flagged by security vulnerability scanners.

/cc @elastic/kibana-security

[elasticmachine]

Pinging @elastic/kibana-operations (Team:Operations)

[elasticmachine]

Pinging @elastic/kibana-platform (Team:Platform)

[watson]

I'm upgrading a big bunch of them here in #80468. However, of the packages listed in #48026, this PR isn't upgrading @hapi/wreck, apollo-server-hapi, good-squeeze, or joi. I think however, that this issue could be considered closed once the PR lands and if we want to upgrade any of the 4 remaining packages, we should probably make separate issues for each of them.

Should I mark the PR so it closes this issue?

[legrego]

We can probably close this once #80468 is resolved, but I'd be interested in seeing what the new vulnerability report looks like after it merges. We will certainly close some existing findings, but we don't yet know what kind of new findings we'll see.

[watson]

It would be nice if we could enable snyk to run on PRs so we can see if a PR introduces new vulnerabilities

[legrego]

It would be nice if we could enable snyk to run on PRs so we can see if a PR introduces new vulnerabilities

I remember @jportner experimented with this a while back, and ran into some complications, but I don't know if they're are still issues, or if we just haven't had the time to revisit (I know I haven't...)

[jportner]

I remember @jportner experimented with this a while back, and ran into some complications, but I don't know if they're are still issues, or if we just haven't had the time to revisit (I know I haven't...)

I didn't so much experiment with it as I accidentally enabled it 🙃 haven't taken a closer look than that!

[mshustov]

@watson I created an issue for our team #82240
we need find owners for @hapi/wreck (Kibana operations?) & apollo-server-hapi version updates

[watson]

Quick update regarding @hapi/wreck: I just checked again, and while I didn't intentionally upgrade wreck in the hapi upgrade PR, it is actually upgraded in the sense that we no longer depend on wreck - without the prefix - which we depended upon indirectly via hapi.

However, we still have a direct dependency on @hapi/wreck which is used here:

kibana/src/cli_plugin/install/downloaders/http.js

Line 55 in a6dc527

const promise = Wreck.request('GET', sourceUrl, reqOptions);

Now this direct dependency is just also used by hapi it self and we're currently locked on version 15.1.0, which is the latest v15.x version. And version 15.x is the one compatible with version 18 of hapi, so we're all good here 👍

[mshustov]

@watson my point was that maybe we can use nodejs API to remove this dependency. WDYT @elastic/kibana-operations ?