Symptom

Two open Dependabot alerts against tmp in kotlin-js-store/yarn.lock: GHSA-ph9p-34f9-6g65 (high — temp file creation via insecure permissions, tmp < 0.2.6) and GHSA-52f5-9888-hmc6 (low — tmp <= 0.2.3). The package was pinned at 0.2.3.

Root cause

tmp@0.2.3 is a transitive dependency of karma@6.4.4 (the Kotlin/JS browser test runner). The committed yarn.lock resolved it to the vulnerable 0.2.3 rather than the patched 0.2.6, so the alert is against the lockfile, not against anything this project declares directly. tmp is build/test tooling only (used by karma at test time); it is not shipped in any runtime artifact.

Fix

Updated kotlin-js-store/yarn.lock:

Prevention

Nightly Bug Hunt (Kraken) correctly identified this via open Dependabot alerts. Transitive npm CVEs in kotlin-js-store/yarn.lock require manual edits (yarn is not installed on the dev box). Fetch the package metadata with curl https://registry.yarnpkg.com/<pkg>/<ver> and rewrite the affected lockfile entry: the version field, the resolved field (dist.tarball with the sha1 dist.shasum appended after #, which is how yarn v1 writes it), the integrity field (dist.integrity), and the dependencies block if the new version's dependencies differ from the old one's. The new version must still satisfy the range in the entry's key (the part after pkg@); otherwise the lockfile no longer agrees with what karma declares and the next install will change it again. Fetch from registry.yarnpkg.com rather than registry.npmjs.org so the resolved host matches the rest of the lockfile. Validate with a Gradle WASM build before committing. Do not use kotlinUpgradeYarnLock for targeted security bumps: it regenerates the lockfile from scratch and may pull in unintended changes.
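The manual procedure above, as an added example (not the project's own tooling, and not part of the original note). It does the two things a practitioner wants when yarn is not available: a reverse lookup to see which entry pulls the package in (what yarn why would report), and a targeted rewrite of one entry's version, resolved, integrity and dependencies fields from registry metadata, refusing the bump when the new version falls outside the range in the entry's key. The lockfile and the registry response below are constructed samples with placeholder hashes; fetch_metadata is the live path for the real registry JSON. It generalizes the tmp case to any single entry in a yarn v1 lockfile.

```python
"""Targeted security bump of one entry in a yarn v1 lockfile (added example)."""
import base64
import hashlib
import json
import re
import urllib.request

REGISTRY = "https://registry.yarnpkg.com"

# One lockfile entry: an unindented key line ending in ':' followed by indented lines.
ENTRY = re.compile(r'^([^\s#][^\n]*?):\n((?:  .*\n)+)', re.M)


def fetch_metadata(pkg, ver):
    """Live equivalent of `curl https://registry.yarnpkg.com/<pkg>/<ver>` (needs network)."""
    with urllib.request.urlopen(f"{REGISTRY}/{pkg}/{ver}") as resp:
        return json.load(resp)


def integrity_of(tarball):
    """SRI string yarn stores in `integrity`: 'sha512-' + base64(sha512(tarball)).
    Use it to cross-check dist.integrity against the tarball you actually downloaded."""
    return "sha512-" + base64.b64encode(hashlib.sha512(tarball).digest()).decode()


def _v(s):
    return tuple(int(x) for x in s.split(".")[:3])


def satisfies(ver, rng):
    """Minimal semver matcher: exact, ^x.y.z, ~x.y.z, >=x.y.z."""
    v = _v(ver)
    if rng.startswith("^"):
        lo = _v(rng[1:])
        if lo[0]:                      # ^1.2.3 -> >=1.2.3 <2.0.0
            return v >= lo and v[0] == lo[0]
        if lo[1]:                      # ^0.2.1 -> >=0.2.1 <0.3.0
            return v >= lo and v[:2] == lo[:2]
        return v == lo                 # ^0.0.x -> exact
    if rng.startswith("~"):
        lo = _v(rng[1:])
        return v >= lo and v[:2] == lo[:2]
    if rng.startswith(">="):
        return v >= _v(rng[2:])
    return v == _v(rng)


def entries(lock_text):
    """Yield (keys, match) per entry; a key looks like 'tmp@^0.2.1'."""
    for m in ENTRY.finditer(lock_text):
        yield [k.strip().strip('"') for k in m.group(1).split(", ")], m


def dependents(lock_text, pkg):
    """Reverse lookup: first key of every entry whose dependencies block lists pkg."""
    dep = re.compile(rf'^    "?{re.escape(pkg)}"? ', re.M)
    return [keys[0] for keys, m in entries(lock_text) if dep.search(m.group(2))]


def bump_entry(lock_text, pkg, meta):
    """Rewrite pkg's entry from registry metadata; returns (new_text, warnings)."""
    ver, dist = meta["version"], meta["dist"]
    hit = next(((k, m) for k, m in entries(lock_text) if k[0].rsplit("@", 1)[0] == pkg), None)
    if hit is None:
        raise KeyError(f"no lockfile entry for {pkg}")
    keys, m = hit
    for rng in (k.rsplit("@", 1)[1] for k in keys):
        if not satisfies(ver, rng):
            raise ValueError(f"{pkg}@{ver} does not satisfy {rng}; the lockfile would be re-resolved")
    deps = meta.get("dependencies", {})
    body = [f'  version "{ver}"',
            f'  resolved "{dist["tarball"]}#{dist["shasum"]}"',   # yarn v1 appends the sha1 shasum
            f'  integrity {dist["integrity"]}']
    if deps:
        body.append("  dependencies:")
        body += [f'    {json.dumps(d) if d.startswith("@") else d} "{r}"' for d, r in sorted(deps.items())]
    # A newer version may add dependencies the lockfile has never resolved; flag them.
    known = {k.rsplit("@", 1)[0] for ks, _ in entries(lock_text) for k in ks}
    warnings = [f"{d}@{r} has no lockfile entry; resolve it too" for d, r in deps.items() if d not in known]
    return lock_text[:m.start(2)] + "\n".join(body) + "\n" + lock_text[m.end(2):], warnings


# Constructed sample lockfile (placeholder hashes, not real digests).
SAMPLE_LOCK = """# yarn lockfile v1


karma@6.4.4:
  version "6.4.4"
  resolved "https://registry.yarnpkg.com/karma/-/karma-6.4.4.tgz#0000000000000000000000000000000000000000"
  integrity sha512-placeholderKarma==
  dependencies:
    tmp "^0.2.1"

rimraf@^3.0.0:
  version "3.0.2"
  resolved "https://registry.yarnpkg.com/rimraf/-/rimraf-3.0.2.tgz#0000000000000000000000000000000000000000"
  integrity sha512-placeholderRimraf==

tmp@^0.2.1:
  version "0.2.3"
  resolved "https://registry.yarnpkg.com/tmp/-/tmp-0.2.3.tgz#0000000000000000000000000000000000000000"
  integrity sha512-placeholderTmp023==
  dependencies:
    rimraf "^3.0.0"
"""

# Constructed stand-in for the registry response for tmp/0.2.6 (use fetch_metadata for the real one).
SAMPLE_META = {"name": "tmp", "version": "0.2.6", "dependencies": {},
               "dist": {"tarball": "https://registry.yarnpkg.com/tmp/-/tmp-0.2.6.tgz",
                        "shasum": "1111111111111111111111111111111111111111",
                        "integrity": "sha512-placeholderTmp026=="}}

if __name__ == "__main__":
    print("pulled in by:", dependents(SAMPLE_LOCK, "tmp"))
    new_lock, warns = bump_entry(SAMPLE_LOCK, "tmp", SAMPLE_META)
    print(new_lock, *warns, sep="\n")
```

Against the real lockfile, read kotlin-js-store/yarn.lock, call bump_entry with the JSON from fetch_metadata("tmp", "0.2.6"), act on any warnings, write the result back and then run the Gradle WASM build. If you download the tarball as well, compare integrity_of(its bytes) with the integrity line you wrote to catch a copy-paste slip in the hash.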