Three Dependabot alerts for lodash (GHSA-r5fr-rjxr-66jc high, GHSA-f23m-r3pf-42rh medium, GHSA-xxjr-mmjv-4gpg medium) for versions ≤ 4.17.23. Nightly Kraken dependency scan surfaced these as a cluster requiring a single bump to 4.18.0.
kotlin-js-store/yarn.lock carried a single entry for lodash@^4.17.15, lodash@^4.17.21 resolved to 4.17.21, a transitive dependency of the Kotlin/JS webpack-dev-server toolchain. Both caret ranges admit 4.18.0 (^4.17.x means >=4.17.x <5.0.0), but a plain yarn install only honours what the lockfile already records, so the entry stayed on 4.17.21 after 4.18.0 was released with the security fixes.
Updated kotlin-js-store/yarn.lock so that both lodash@^4.17.15 and lodash@^4.17.21 resolve to 4.18.0, with the registry's SHA-512 integrity value and the SHA-1 fragment on the resolved URL taken from the published tarball rather than hand-edited; a yarn install --frozen-lockfile in kotlin-js-store/ confirms the entry is consistent, since yarn rejects an integrity mismatch. The dependency is build/dev-tooling only (a webpack-dev-server transitive); it is not bundled into the shipped runtime output.
The Nightly Bug Hunt caught this correctly. Yarn lockfiles need periodic refresh: a caret range such as ^4.17.21 admits every later 4.x release, but nothing moves the locked version unless someone asks for it, so the lockfile drifts behind patched releases while the manifest looks fine. Running yarn upgrade (or at minimum yarn audit) in kotlin-js-store/ during release prep would surface this proactively.
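The drift described above can be checked mechanically before a release. The following is an added example, not code from this project or its nightly scanners: it parses a yarn lockfile v1 fragment, compares each locked version against a table of known-patched floors, and reports whether the recorded caret ranges would admit the fix (so yarn upgrade alone suffices) or block it (so the dependent must be bumped). The lockfile text, the placeholder hashes and the PATCHED table (lodash at 4.18.0, taken from the note) are constructed for the example; only caret ranges are evaluated and pre-release tags are ignored.

```javascript
'use strict';

// Constructed yarn.lock v1 fragment modelled on the entry described in the note.
// The resolved/integrity hashes are placeholders, not lodash's real values.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


lodash@^4.17.15, lodash@^4.17.21:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#placeholder-sha1"
  integrity sha512-placeholder

webpack-dev-server@^4.15.1:
  version "4.15.2"
  resolved "https://registry.yarnpkg.com/webpack-dev-server/-/webpack-dev-server-4.15.2.tgz#placeholder-sha1"
  integrity sha512-placeholder
`;

// Parse yarn.lock v1 text into [{ name, ranges, version }]. Header lines are
// `name@range, name@range:` (quoted when they contain special characters);
// indented lines hold the resolved fields.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const specs = line.replace(/:$/, '').split(',')
        .map(s => s.trim().replace(/^"|"$/g, ''));
      const parsed = specs.map(spec => {
        const at = spec.lastIndexOf('@'); // scoped names start with '@', so split on the last one
        return { name: spec.slice(0, at), range: spec.slice(at + 1) };
      });
      current = { name: parsed[0].name, ranges: parsed.map(p => p.range), version: null };
      entries.push(current);
    } else if (current) {
      const m = /^\s+version "([^"]+)"/.exec(line);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Minimal semver handling: major.minor.patch only, pre-release tags ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Caret semantics: the leftmost non-zero component is frozen, everything to its
// right may rise. ^4.17.21 => >=4.17.21 <5.0.0; ^0.2.3 => >=0.2.3 <0.3.0.
function caretAdmits(range, candidate) {
  if (!range.startsWith('^')) return false; // non-caret ranges are out of scope here
  const base = parseVersion(range.slice(1));
  const c = parseVersion(candidate);
  if (compareVersions(candidate, range.slice(1)) < 0) return false;
  const pivot = base.findIndex(n => n !== 0);
  const frozen = pivot === -1 ? 2 : pivot;
  for (let i = 0; i <= frozen; i++) if (c[i] !== base[i]) return false;
  return true;
}

// Known-patched floors (constructed for the example from the note: lodash fixed in 4.18.0).
const PATCHED = { lodash: '4.18.0' };

// Entries locked below the patched floor. admitsFix tells the releaser whether
// `yarn upgrade <name>` will move the entry or whether a range blocks the fix.
function findDriftedEntries(lockText, patched = PATCHED) {
  return parseYarnLockV1(lockText)
    .filter(e => patched[e.name] && e.version && compareVersions(e.version, patched[e.name]) < 0)
    .map(e => ({
      name: e.name,
      locked: e.version,
      patched: patched[e.name],
      ranges: e.ranges,
      admitsFix: e.ranges.some(r => caretAdmits(r, patched[e.name])),
    }));
}

for (const d of findDriftedEntries(SAMPLE_LOCK)) {
  const action = d.admitsFix
    ? `run: yarn upgrade ${d.name}`
    : `ranges ${d.ranges.join(', ')} exclude the fix; bump the dependent`;
  console.log(`${d.name}: locked ${d.locked}, patched ${d.patched}; ${action}`);
}
```

Pointing the same logic at the real kotlin-js-store/yarn.lock with the PATCHED table fed from the nightly scan output turns "the lockfile never received the bump" into a release-prep check rather than something found after the fact.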