Upgrade Joi version or remove dependency on it

[mshustov]

@watson update Hapi to v18 in #54168 However, the core team code still relies on an old joi version. We should consider updating our code to use a newer version or get rid of the package.

[elasticmachine]

Pinging @elastic/kibana-core (Team:Core)

[legrego]

Our old 13.x version of Joi depends on a version of hoek that is now vulnerable to a prototype pollution attack. Fortunately, we are not impacted, but this appears on our scanners now, and is something we'll have to continue to monitor: snyk.io/vuln/SNYK-JS-HAPIHOEK-548452

The upgrade to newer versions of Joi is non-trivial. There are a lot of breaking changes from 13.x -> 17.x, and my very brief look into this suggests that we'll require extensive changes to @kbn/config-schema in order to function correctly. The bulk of the breaking changes appear to have happened at 16.0: the release notes indicate that this will not be an easy transition.

[afharo]

AFAIK, @pgayvallet has almost completed the upgrade.

Apart from the security benefits mentioned by @legrego, we also noticed considerable improvements in performance (gcanti/io-ts-benchmarks#6)

[pgayvallet]

Added link to the upgrade PR: #99899

[watson]

Besides joi 13 there's a few other dependencies that depend on hoek. I've just created two PRs that should get rid of them all (besides joi which is dealt with in #99899). With these we'll be 100% free of any non-@hapi-namespace packages from the hapi ecosystem.

• Upgrade accept 3.0.2 and @hapi/accept 5.0.1 to @hapi/accept 5.0.2 Upgrade accept 3.0.2 and @hapi/accept 5.0.1 to @hapi/accept 5.0.2 #100294
• Remove unused module oppsy from package.json Remove unused module oppsy from package.json #100295

[watson]

Btw, in case anybody needs this in the future, I have been using a regex to find non-@hapi-namespaces packages from the hapi package ecosystem:

(yar|wreck|vision|vise|topo|teamwork|subtext|statehood|somever|shot|scooter|podium|pez|oppsy|nigel|nes|mimos|lab|iron|inert|hoek|heavy|h2o2|glue|eslint-plugin-hapi|cryptiles|crumb|hapi-auth-cookie|content|code|catbox-redis|catbox-memory|catbox-memcached|catbox|call|bourne|bounce|bossy|boom|bell|hapi-auth-basic|b64|ammo|accept|hapi)

For searching in yarn.lock it can be modified as such:

^(yar|wreck|vision|vise|topo|teamwork|subtext|statehood|somever|shot|scooter|podium|pez|oppsy|nigel|nes|mimos|lab|iron|inert|hoek|heavy|h2o2|glue|eslint-plugin-hapi|cryptiles|crumb|hapi-auth-cookie|content|code|catbox-redis|catbox-memory|catbox-memcached|catbox|call|bourne|bounce|bossy|boom|bell|hapi-auth-basic|b64|ammo|accept|hapi)@

[pgayvallet]

Besides joi 13 there's a few other dependencies that depend on hoek

I can confirm that after rebasing my PR, hoek got removed from the package-lock, so I guess we're good now.

[legrego]

Fantastic, thanks @pgayvallet!