Dependabot flagged two open advisories (GHSA-3v7f-55p6-f55p medium, GHSA-c2c7-rcm5-vvqj high) against picomatch < 2.3.2 in kotlin-js-store/yarn.lock. The package is a transitive npm dependency of Kotlin's JS/Wasm build toolchain; it is not shipped on the runtime classpath.
The lockfile pinned picomatch at 2.3.1. The vulnerability affects path-traversal handling in glob patterns. Although the package only runs at build time, the high-severity alert warranted resolution.
Updated the single consolidated entry in kotlin-js-store/yarn.lock from version "2.3.1" to version "2.3.2" with the matching resolved URL and SHA-512 integrity hash sourced from the npm registry.
Nightly dependency-CVE scans (Kraken → Blue) catch this class of issue promptly. For yarn.lock bumps, verify the new integrity hash against the npm registry before committing; never just increment the version string without updating the hash, since a stale hash fails every subsequent install with an integrity error. Also confirm the edited lockfile still installs cleanly (yarn install --frozen-lockfile) so the entry remains consistent with every range spec that resolves to it.
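The check described above, as an added example that is not part of the original note or the Kotlin project's tooling: it parses a yarn.lock v1 entry, recomputes the SRI string, and compares it with the registry's dist.integrity and with the tarball bytes. All inputs are constructed (the tarball bytes are a stand-in, not the real picomatch-2.3.2.tgz, and REGISTRY_DOC only mimics the shape of the npm registry document rather than being fetched); function names such as parse_yarn_lock, check_entry and audit are this example's own.

```python
"""Offline verification of a yarn.lock (v1) entry against npm registry metadata.

Example code added to the note; the sample data below is constructed, not
fetched from the registry, and the tarball bytes are a stand-in for the real
picomatch-2.3.2.tgz.
"""
import base64
import hashlib
import re
from typing import Dict, List, Optional


def sri_sha512(data: bytes) -> str:
    # npm/yarn record integrity as an SRI string: "sha512-" + base64(SHA-512 digest)
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def parse_yarn_lock(text: str) -> List[Dict]:
    """Parse yarn.lock v1 blocks into dicts: name, specs, version, resolved, integrity."""
    entries: List[Dict] = []
    block: Optional[Dict] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and the autogenerated-file header
        if not line.startswith(" ") and line.rstrip().endswith(":"):
            # Block header: `name@spec, name@spec:` (one block serves every range spec)
            specs = [s.strip().strip('"') for s in line.rstrip()[:-1].split(",")]
            name = specs[0].rsplit("@", 1)[0]  # rsplit keeps scoped names like @scope/pkg
            block = {"name": name, "specs": specs}
            entries.append(block)
        elif block is not None:
            m = re.match(r'\s+(version|resolved|integrity)\s+"?([^"]+)"?$', line)
            if m:
                block[m.group(1)] = m.group(2)
    return entries


def check_entry(entry: Dict, registry_doc: Dict, tarball: Optional[bytes] = None) -> List[str]:
    """Return the list of problems for one lock entry (empty list means it checks out)."""
    problems: List[str] = []
    version = entry.get("version", "")
    resolved = entry.get("resolved", "").split("#", 1)[0]  # drop a trailing #sha1 fragment
    integrity = entry.get("integrity", "")
    bare = entry["name"].split("/")[-1]  # tarball file name uses the unscoped name
    # 1. the resolved tarball must be the version the entry claims
    if not resolved.endswith(f"/{bare}-{version}.tgz"):
        problems.append(f"resolved URL does not point at {bare}-{version}.tgz")
    # 2. the registry must publish this version with the same integrity value
    dist = registry_doc.get("versions", {}).get(version, {}).get("dist", {})
    if not dist:
        problems.append(f"version {version} not present in registry metadata")
    elif dist.get("integrity") != integrity:
        problems.append("integrity does not match registry dist.integrity")
    # 3. if the tarball was downloaded, its bytes must hash to the recorded integrity
    if tarball is not None and sri_sha512(tarball) != integrity:
        problems.append("integrity does not match SHA-512 of the tarball bytes")
    return problems


def audit(lock_text: str, registry_doc: Dict, tarball: Optional[bytes] = None) -> Dict[str, List[str]]:
    return {
        f"{e['name']}@{e.get('version', '?')}": check_entry(e, registry_doc, tarball)
        for e in parse_yarn_lock(lock_text)
    }


# Constructed stand-in bytes; NOT the real picomatch-2.3.2.tgz
FAKE_TARBALL_232 = b"constructed stand-in for picomatch-2.3.2.tgz"
GOOD_INTEGRITY = sri_sha512(FAKE_TARBALL_232)

# Constructed document in the shape of GET https://registry.npmjs.org/picomatch
REGISTRY_DOC = {
    "name": "picomatch",
    "versions": {
        "2.3.2": {
            "dist": {
                "tarball": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
                "integrity": GOOD_INTEGRITY,
            }
        }
    },
}

# Constructed lock entry as it should look after the bump
GOOD_LOCK = f'''picomatch@^2.2.3, picomatch@^2.3.1:
  version "2.3.2"
  resolved "https://registry.yarnpkg.com/picomatch/-/picomatch-2.3.2.tgz"
  integrity {GOOD_INTEGRITY}
'''

# The anti-pattern the note warns about: version bumped, hash left at the old value
STALE_INTEGRITY = sri_sha512(b"constructed stand-in for picomatch-2.3.1.tgz")
BAD_LOCK = GOOD_LOCK.replace(GOOD_INTEGRITY, STALE_INTEGRITY)

if __name__ == "__main__":
    print("good:", audit(GOOD_LOCK, REGISTRY_DOC, FAKE_TARBALL_232))
    print("stale hash:", audit(BAD_LOCK, REGISTRY_DOC, FAKE_TARBALL_232))
```

In real use, REGISTRY_DOC would be the JSON from the registry's package endpoint and the tarball argument the bytes of the downloaded .tgz; the three checks are deliberately separate so a version/URL mismatch, a hash that disagrees with the registry, and a hash that disagrees with the artifact actually on disk each get their own message.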