Two high-severity Dependabot alerts for fast-uri (GHSA-v39h-62p7-jpjc affecting ≤3.1.1, GHSA-q3j6-qgpj-74h6 affecting ≤3.1.0). The nightly Kraken dependency scan surfaced these as a cluster pointing to kotlin-js-store/yarn.lock, which pins fast-uri at 3.0.6.
kotlin-js-store/yarn.lock resolved fast-uri@^3.0.1 to 3.0.6. The ^3.0.1 specifier permits any 3.x.x ≥ 3.0.1, but the lockfile was never regenerated after 3.1.2 was released with both CVE fixes. Both CVEs affect the same package — 3.1.2 is the first patched version that satisfies both advisory ranges. The dependency is build/dev-tooling only (a webpack-dev-server transitive); it is not on the shipped runtime classpath.
Updated kotlin-js-store/yarn.lock so that fast-uri@^3.0.1 resolves to 3.1.2, with the resolved URL updated to https://registry.yarnpkg.com/fast-uri/-/fast-uri-3.1.2.tgz#8af3d4fc9d3e71b11572cc2673b514a7d1a8c8ec and the integrity updated to sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==.

Yarn lockfiles with open ^semver specifiers drift behind patched releases. Running yarn upgrade in kotlin-js-store/ during release prep would surface this proactively. The Nightly Bug Hunt caught this correctly — no process change needed beyond keeping the nightly scan running.
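As an added example (not code from the original alert or the project), a small Python check that parses a yarn.lock v1 excerpt and flags any fast-uri entry whose locked version still falls inside either advisory's affected range; the two lockfile samples are constructed, the 3.0.6 tarball hash and integrity are placeholders, and the 3.1.2 values are the ones recorded in the fix above.

```python
# Advisory data from the alerts above: GHSA id -> highest affected fast-uri version.
FAST_URI_ADVISORIES = {
    "GHSA-v39h-62p7-jpjc": "3.1.1",
    "GHSA-q3j6-qgpj-74h6": "3.1.0",
}

# Constructed yarn.lock v1 excerpts. The 3.0.6 tarball hash and integrity are
# placeholders; the 3.1.2 values are the ones recorded in the fix above.
DRIFTED_LOCK = """fast-uri@^3.0.1:
  version "3.0.6"
  resolved "https://registry.yarnpkg.com/fast-uri/-/fast-uri-3.0.6.tgz#PLACEHOLDER_SHA1"
  integrity sha512-PLACEHOLDER
"""
PATCHED_LOCK = """fast-uri@^3.0.1:
  version "3.1.2"
  resolved "https://registry.yarnpkg.com/fast-uri/-/fast-uri-3.1.2.tgz#8af3d4fc9d3e71b11572cc2673b514a7d1a8c8ec"
  integrity sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==
"""

def parse_version(v: str) -> tuple[int, ...]:
    """Turn a plain x.y.z version string into a comparable tuple of ints."""
    return tuple(int(p) for p in v.split("."))

def parse_yarn_lock_v1(text: str) -> dict[str, dict[str, str]]:
    """Parse yarn.lock v1 into {specifier: {field: value}}."""
    entries: dict[str, dict[str, str]] = {}
    current: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        # An unindented line ending in ':' opens an entry; it may list several
        # comma-separated specifiers that all resolve to the same record.
        if not line.startswith(" ") and line.rstrip().endswith(":"):
            current = {}
            for spec in line.rstrip()[:-1].split(","):
                entries[spec.strip().strip('"')] = current
        elif line.startswith("  "):
            key, _, value = line.strip().partition(" ")
            current[key] = value.strip('"')
    return entries

def unpatched_fast_uri(lock_text: str) -> list[tuple[str, str, str]]:
    """Return (specifier, locked version, GHSA id) for each still-affected entry."""
    findings = []
    for spec, fields in parse_yarn_lock_v1(lock_text).items():
        if spec.rsplit("@", 1)[0] != "fast-uri":  # rsplit keeps scoped names intact
            continue
        version = fields.get("version", "0.0.0")
        for ghsa, last_affected in FAST_URI_ADVISORIES.items():
            if parse_version(version) <= parse_version(last_affected):
                findings.append((spec, version, ghsa))
    return findings
```

Run against the real kotlin-js-store/yarn.lock, an empty result means the lockfile has moved past both advisory ranges; a non-empty one is the same signal the nightly scan raised.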