This was originally started in #48026 but the PR was closed because renovate kept messing up @spalger's work.
Some of the direct/transitive dependencies of Hapi are being falsely flagged by security vulnerability scanners.
/cc @elastic/kibana-security
