I could probably do a PR for this if you think it is likely to get merged. It should make hapi safer by never including "./" and "../" path segments in the routing.
Note that normalization can change the matched route when such relative paths are used. As far as I know, it should not be an issue in browsers, which apply the normalization to outbound requests.
It is also somewhat unlikely that it affects any other clients negatively, but it will be a breaking change (unless it's a non-default option).
Pretty much, yes.
As I said, browsers already do it before sending a request, so no change in behavior there. Even modern versions of curl do it (see https://daniel.haxx.se/blog/2013/07/30/dotdot-removal-in-libcurl/). Makes sense to do it at the server level as well, removing potential attack vectors.
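An added example, not part of the thread and not hapi's code: the RFC 3986 section 5.2.4 dot-segment removal discussed above, run in front of a small router to show how normalization can change the matched route. The route table, `matchRoute` and `routeBeforeAndAfter` are hypothetical and constructed for illustration.

```javascript
// RFC 3986 section 5.2.4 "remove_dot_segments", applied to the path component only.
function removeDotSegments(path) {
  let input = path;
  const output = [];
  while (input.length > 0) {
    if (input.startsWith('../')) input = input.slice(3);
    else if (input.startsWith('./')) input = input.slice(2);
    else if (input.startsWith('/./')) input = input.slice(2);
    else if (input === '/.') input = '/';
    else if (input.startsWith('/../')) { input = input.slice(3); output.pop(); }
    else if (input === '/..') { input = '/'; output.pop(); }
    else if (input === '.' || input === '..') input = '';
    else {
      // Move the first segment (with its leading "/", if any) to the output.
      const next = input.indexOf('/', 1);
      const end = next === -1 ? input.length : next;
      output.push(input.slice(0, end));
      input = input.slice(end);
    }
  }
  return output.join('');
}

// Constructed route table: one literal route and one wildcard route.
const routes = ['/reports', '/static/{path*}'];

// Hypothetical matcher: literal routes match exactly, wildcard routes by prefix.
function matchRoute(path) {
  for (const route of routes) {
    if (route.endsWith('/{path*}')) {
      const prefix = route.slice(0, -'{path*}'.length);
      if (path.startsWith(prefix)) return route;
    } else if (route === path) {
      return route;
    }
  }
  return null;
}

// Route selected when matching the raw path versus the normalized path.
function routeBeforeAndAfter(rawPath) {
  return {
    raw: matchRoute(rawPath),
    normalized: matchRoute(removeDotSegments(rawPath)),
  };
}

console.log(routeBeforeAndAfter('/static/../reports'));
console.log(routeBeforeAndAfter('/static/./app.js'));
```

Without normalization the wildcard handler receives the `..` segment and has to deal with it itself; with normalization the router sees the same path a browser would have sent.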