Seven high-severity Dependabot alerts for node-forge (GitHub advisories GHSA-2328-f5f3-gj25, GHSA-ppp5-5v6c-4jwp, GHSA-q67f-28xg-22rw, GHSA-5m6q-g25r-mvwx, GHSA-554w-wpv2-vw27, GHSA-65ch-62r8-g69g, GHSA-5gfm-wpxj-wjgq), all affecting versions below 1.4.0. The nightly Kraken dependency scan surfaced these as a single cluster.
kotlin-js-store/yarn.lock resolved node-forge@^1 to 1.3.1, pulled in via selfsigned (a transitive dependency of webpack-dev-server). The ^1 range admits 1.4.0, but the lockfile was never refreshed after 1.4.0 shipped with the security fixes, so it kept the old resolution.
Updated kotlin-js-store/yarn.lock so that node-forge@^1 resolves to 1.4.0, with the matching SHA-512 integrity value and the new resolved URL (including its SHA-1 fragment). The dependency is build/dev tooling only (webpack-dev-server → selfsigned → node-forge); it is not on the shipped runtime classpath.
The Nightly Bug Hunt caught this correctly. Yarn lockfiles need periodic refresh: when a caret range leaves the upper bound open, the lockfile can drift behind patched releases while still satisfying the declared range. Running yarn upgrade in kotlin-js-store/ during release prep would surface this kind of drift proactively.
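A drift check of the kind described above, written for this note as an added example (not project code): it parses a constructed yarn.lock v1 excerpt and flags entries whose caret range admits the patched release while the lock still pins an older version. The lock text, hashes and the selfsigned version are placeholders, not copied from kotlin-js-store/.

```python
"""Flag yarn.lock v1 entries pinned below a patched release although their
semver range would admit it (lockfile drift). Added example with a
constructed lock excerpt; integrity/SHA values are placeholders."""
import re

# Constructed yarn.lock v1 excerpt mirroring the selfsigned -> node-forge chain.
SAMPLE_LOCK = '''\
# yarn lockfile v1

node-forge@^1:
  version "1.3.1"
  resolved "https://registry.yarnpkg.com/node-forge/-/node-forge-1.3.1.tgz#PLACEHOLDER_SHA1"
  integrity sha512-PLACEHOLDER

selfsigned@^2.4.1:
  version "2.4.1"
  resolved "https://registry.yarnpkg.com/selfsigned/-/selfsigned-2.4.1.tgz#PLACEHOLDER_SHA1"
  integrity sha512-PLACEHOLDER
  dependencies:
    node-forge "^1"
'''

# A top-level entry: an unindented "name@range[, name@range]:" line plus its indented body.
ENTRY_RE = re.compile(r'^(?P<keys>\S.*):\n(?P<body>(?:[ \t]+.*\n?)+)', re.M)

def vtuple(v):
    return tuple(int(x) for x in v.split('.'))

def parse_lock(text):
    """Yield (package, declared_range, locked_version) for each entry."""
    for m in ENTRY_RE.finditer(text):
        ver = re.search(r'^\s+version "([^"]+)"', m.group('body'), re.M)
        if not ver:
            continue
        for key in m.group('keys').split(', '):
            name, _, spec = key.strip().strip('"').rpartition('@')  # keeps @scope/pkg intact
            yield name, spec, ver.group(1)

def caret_admits(spec, version):
    """True if a caret range (^1, ^1.3.0, ^0.2.1) admits `version`: same major,
    and for 0.x ranges also the same minor, at or above the base."""
    if not spec.startswith('^'):
        return False
    base = vtuple(spec[1:])
    base = base + (0,) * (3 - len(base))
    v = vtuple(version)
    return base <= v and v[0] == base[0] and (base[0] != 0 or v[1] == base[1])

def find_drift(lock_text, package, fixed_version):
    """Return [(range, locked_version)] for entries of `package` pinned below
    fixed_version even though the declared range would accept it."""
    return [(spec, locked) for name, spec, locked in parse_lock(lock_text)
            if name == package and vtuple(locked) < vtuple(fixed_version)
            and caret_admits(spec, fixed_version)]
```

Run it against the real lockfile by reading kotlin-js-store/yarn.lock into `find_drift` with the package and first fixed version from the advisory; an empty list means the lock already resolves at or above the fix.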