Transitive dep hapi@16 > cryptiles@3.1.4 triggers incorrect security advisory warnings on github

[olizilla]

The ipfs-desktop repo has a incrorrect sercurity advisory on it's transitive dep on cryptiles, which it gets via ipfsd-ctl > hapi > cryptiles.

$ npm ls cryptiles
ipfs-desktop@1.0.0 /Users/oli/Code/ipfs-shipyard/ipfs-desktop
└─┬ ipfsd-ctl@0.40.0
  └─┬ hapi@16.7.0
    ├── cryptiles@3.1.4 
    ├─┬ iron@4.0.5
    │ └── cryptiles@3.1.4  deduped
    └─┬ statehood@5.0.3
      └── cryptiles@3.1.4  deduped

The alert https://github.com/ipfs-shipyard/ipfs-desktop/network/alert/package-lock.json states we have to upgrade to cryptiles>=4.1.2 which would only be possible by updating to hapi@17.

but here we see the fix for the issue backported and release in cryptiles@3.1.3

• randomDigits() generates biased random digits hapijs/cryptiles#35

This is just a record of the digging I did so others can rest easy. As long as you see cryptiles>=3.1.3 you can ignore the alert. It's annoying, I know.

[achingbrain]

This should be fixed by #353 as it upgrades hapi to v18 which depends on @hapi/cryptiles@4.2.0