GitHub security suggest to upgrade cryptiles to version 4.1.2 or later as it is affected by CVE-2018-1000620 (high severity).
Vulnerable dependency can be found at: https://github.com/wikimedia/mediawiki/blob/dd69e92a2c133574d72147cfcd0210f6add6025a/package-lock.json#L1409
I've never worked with package-lock.json files nor NPM much.
Thank you.