Dependabot alert GHSA-677m-j7p3-52f9: socket.io-parser >=4.0.0 <4.2.6 is vulnerable to Prototype Pollution (high severity). The package was pinned at 4.2.4 in kotlin-js-store/yarn.lock.
socket.io-parser@4.2.4 is a transitive dependency of socket.io, which is pulled in by karma (the Kotlin/JS browser test runner). The vulnerability allows crafted socket.io messages to pollute Object prototypes. The yarn.lock was pinned to the vulnerable 4.2.4 rather than the patched 4.2.6.
Updated kotlin-js-store/yarn.lock:
- socket.io-parser bumped from 4.2.4 → 4.2.6 (sha: 19156bf, integrity updated).
- Added a debug@~4.4.1 entry (version 4.4.1), needed because 4.2.6 tightened its debug dependency range from ~4.3.1 to ~4.4.1.
- The ms@^2.1.3 sub-dependency was already present; no additional entry was needed.

The Nightly Bug Hunt (Kraken) correctly identified this via open Dependabot alerts.

Transitive npm CVEs in kotlin-js-store/yarn.lock require manual edits, since yarn is not installed on the dev box. The correct approach is to fetch the tarball metadata from the npm registry (curl https://registry.npmjs.org/<pkg>/<ver>), update the entry's resolved URL, integrity and version fields, then validate with a Gradle WASM build before committing. Do not use kotlinUpgradeYarnLock for targeted security bumps: it regenerates the lockfile from scratch and may inadvertently pull in other changes.
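The manual lock-edit procedure described above (fetch registry metadata, rewrite the entry's version, resolved URL and integrity, then make sure every dependency range the new version declares has an entry of its own) as a worked example. This is a standalone Python script added here for illustration; it is not part of this repository and not a yarn, npm or Gradle tool. The yarn.lock fragment, the two metadata dicts and every shasum and integrity value are constructed placeholders, the dicts stand in for the JSON that `curl https://registry.npmjs.org/<pkg>/<ver>` returns, the script assumes the existing entry's resolved URL host (registry.yarnpkg.com in the sample) should be kept, and the semver check only handles the `~x.y.z` keys that occur here.

```python
import re

# Constructed yarn.lock v1 fragment standing in for kotlin-js-store/yarn.lock (trimmed to the
# entries that matter). Every shasum (#...) and integrity value is a placeholder, not a real hash.
SAMPLE_LOCK = """\
# yarn lockfile v1


debug@~4.3.1:
  version "4.3.4"
  resolved "https://registry.yarnpkg.com/debug/-/debug-4.3.4.tgz#aaaa"
  integrity sha512-PLACEHOLDER-debug-4.3.4

ms@^2.1.3:
  version "2.1.3"
  resolved "https://registry.yarnpkg.com/ms/-/ms-2.1.3.tgz#bbbb"
  integrity sha512-PLACEHOLDER-ms-2.1.3

socket.io-parser@~4.2.4:
  version "4.2.4"
  resolved "https://registry.yarnpkg.com/socket.io-parser/-/socket.io-parser-4.2.4.tgz#cccc"
  integrity sha512-PLACEHOLDER-parser-4.2.4
  dependencies:
    debug "~4.3.1"
"""

# Constructed stand-ins for the JSON from `curl https://registry.npmjs.org/<pkg>/<ver>`
# (only the fields this script reads; the dist values are placeholders).
PARSER_META = {"name": "socket.io-parser", "version": "4.2.6",
               "dependencies": {"debug": "~4.4.1"},
               "dist": {"shasum": "eeee", "integrity": "sha512-PLACEHOLDER-parser-4.2.6"}}
DEBUG_META = {"name": "debug", "version": "4.4.1", "dependencies": {"ms": "^2.1.3"},
              "dist": {"shasum": "ffff", "integrity": "sha512-PLACEHOLDER-debug-4.4.1"}}

def _blocks(text):
    # v1 lockfiles are blank-line separated blocks; the first is the "# yarn lockfile v1" comment
    return re.split(r"\n{2,}", text.strip("\n"))

def _key(name):
    # yarn quotes keys that start with "@" (scoped packages)
    return f'"{name}"' if name.startswith("@") else name

def _specs(block):
    # header `a@^1, a@1:` -> ["a@^1", "a@1"]
    return [s.strip().strip('"') for s in block.split("\n", 1)[0].rstrip(":").split(",")]

def find_entry(blocks, spec):
    return next((i for i, b in enumerate(blocks) if not b.startswith("#") and spec in _specs(b)), None)

def tilde_allows(rng, version):
    # minimal semver check for the `~x.y.z` keys used here: same major.minor, patch not lower
    if not rng.startswith("~"):
        raise ValueError(f"only ~ ranges are handled in this example: {rng}")
    want, have = [int(p) for p in rng[1:].split(".")], [int(p) for p in version.split(".")]
    return have[:2] == want[:2] and have[2] >= want[2]

def entry_lines(meta, host):
    # body of one entry built from registry metadata; `host` is kept from the existing lockfile
    name, ver, dist = meta["name"], meta["version"], meta["dist"]
    lines = [f'  version "{ver}"',
             f'  resolved "{host}/{name}/-/{name.split("/")[-1]}-{ver}.tgz#{dist["shasum"]}"',
             f'  integrity {dist["integrity"]}']
    deps = sorted(meta.get("dependencies", {}).items())
    if deps:
        lines += ["  dependencies:"] + [f'    {_key(d)} "{r}"' for d, r in deps]
    return lines

def missing_deps(text, spec):
    # dependency specs of `spec`'s entry that have no entry of their own (yarn would re-resolve them)
    blocks = _blocks(text)
    block = blocks[find_entry(blocks, spec)]
    deps = re.findall(r'^    "?([^"\s]+)"? "([^"]+)"$', block, re.M)
    return [f"{d}@{r}" for d, r in deps if find_entry(blocks, f"{d}@{r}") is None]

def bump_entry(text, spec, meta):
    # point an existing key at a newer version; the key's range must still admit that version
    if not tilde_allows(spec.rsplit("@", 1)[1], meta["version"]):
        raise ValueError(f"{meta['version']} does not satisfy {spec}; yarn would ignore the entry")
    blocks = _blocks(text)
    i = find_entry(blocks, spec)
    if i is None:
        raise KeyError(f"no lock entry for {spec}")
    host = re.search(r'^  resolved "(https?://[^/]+)', blocks[i], re.M).group(1)
    blocks[i] = "\n".join([blocks[i].split("\n", 1)[0]] + entry_lines(meta, host))
    return "\n\n".join(blocks) + "\n"

def add_entry(text, spec, meta, host="https://registry.yarnpkg.com"):
    # append a brand-new key (e.g. debug@~4.4.1) in yarn's sorted position, comment block first
    blocks = _blocks(text) + ["\n".join([f"{_key(spec)}:"] + entry_lines(meta, host))]
    head = [b for b in blocks if b.startswith("#")]
    rest = sorted((b for b in blocks if not b.startswith("#")), key=lambda b: _specs(b)[0])
    return "\n\n".join(head + rest) + "\n"

if __name__ == "__main__":
    lock = bump_entry(SAMPLE_LOCK, "socket.io-parser@~4.2.4", PARSER_META)
    print("missing after bump:", missing_deps(lock, "socket.io-parser@~4.2.4"))  # ['debug@~4.4.1']
    lock = add_entry(lock, "debug@~4.4.1", DEBUG_META)
    print("missing after adding debug:", missing_deps(lock, "socket.io-parser@~4.2.4"))  # []
```

The two checks are the ones that matter when hand-editing: `bump_entry` refuses a version the existing key's range does not admit (yarn would otherwise silently drop the pinned entry and re-resolve), and `missing_deps` reports the dependency ranges of the new version that have no entry yet, which is exactly why the debug@~4.4.1 entry had to be added while ms@^2.1.3 needed nothing. The Gradle build remains the final validation step; this script only keeps the lockfile internally consistent.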