Dependabot alerts (GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74, GHSA-3ppc-4f35-3m26) fired against the committed kotlin-js-store/yarn.lock for multiple minimatch ranges: 3.x < 3.1.4, 5.x < 5.1.8, and 9.x < 9.0.7.
The kotlin-js-store/yarn.lock is a committed lockfile managed by the Kotlin/JS Gradle plugin. Three separate semver range groups resolved to vulnerable minimatch versions: glob@7.x pulled minimatch@3.1.2, glob@8.x pulled minimatch@5.1.6, and the webpack toolchain pulled minimatch@9.0.5. All three are build/toolchain-only transitive dependencies and are not on the shipped runtime classpath.
Patched kotlin-js-store/yarn.lock to resolve the three ranges to their patched versions (3.1.4, 5.1.8, 9.0.7) with correct SHA512 integrity values sourced from the npm registry. The wasm lockfile (kotlin-js-store/wasm/yarn.lock) had no minimatch entries.
Nightly Kraken CVE scan correctly identified and classified these as build-tool-only alerts. For future minimatch-family bumps: fetch integrity hashes directly from https://registry.npmjs.org/minimatch/<version> (the dist.integrity field) and update all three range groups in kotlin-js-store/yarn.lock in one change. Running ./gradlew kotlinUpgradeYarnLock is an alternative, but it upgrades all packages; surgical patching is safer for security-only bumps.
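The surgical patch described above, as an added example (this is not the project's own tooling): it walks a yarn.lock v1 text, rewrites only the minimatch range groups whose resolved version is below the fix version for that major line, and refuses to touch unknown majors or downgrade. The fetch_dist helper reads dist.integrity and dist.shasum from the registry URL named in the text and needs network access; the sample lockfile and every hash in it are constructed placeholders, as are the placeholder values in PATCHED, so the offline run only shows the rewrite mechanics.

```python
import json
import re
import urllib.request

PACKAGE = "minimatch"

# Constructed excerpt in yarn.lock v1 format, modelled on the entries named in
# the text. Every shasum and integrity value here is a placeholder.
SAMPLE_LOCK = """# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


glob@^7.1.3:
  version "7.2.3"
  resolved "https://registry.yarnpkg.com/glob/-/glob-7.2.3.tgz#glob723placeholder"
  integrity sha512-GLOBPLACEHOLDER723==
  dependencies:
    minimatch "^3.1.1"

minimatch@^3.0.4, minimatch@^3.1.1:
  version "3.1.2"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#old312"
  integrity sha512-OLDPLACEHOLDER312==
  dependencies:
    brace-expansion "^1.1.7"

minimatch@^5.0.1:
  version "5.1.6"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-5.1.6.tgz#old516"
  integrity sha512-OLDPLACEHOLDER516==
  dependencies:
    brace-expansion "^2.0.1"

minimatch@^9.0.4:
  version "9.0.5"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-9.0.5.tgz#old905"
  integrity sha512-OLDPLACEHOLDER905==
  dependencies:
    brace-expansion "^2.0.1"
"""

# Fix version per major line, from the advisories. integrity/shasum are
# placeholders; in a real bump they come from fetch_dist() instead.
PATCHED = {
    3: {"version": "3.1.4", "integrity": "sha512-NEWPLACEHOLDER314==", "shasum": "new314"},
    5: {"version": "5.1.8", "integrity": "sha512-NEWPLACEHOLDER518==", "shasum": "new518"},
    9: {"version": "9.0.7", "integrity": "sha512-NEWPLACEHOLDER907==", "shasum": "new907"},
}

INTEGRITY_RE = re.compile(r"sha512-[A-Za-z0-9+/]+={0,2}")


def fetch_dist(version, package=PACKAGE):
    """Network helper: dist.integrity and dist.shasum for one published version."""
    url = f"https://registry.npmjs.org/{package}/{version}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        dist = json.load(resp)["dist"]
    return {"version": version, "integrity": dist["integrity"], "shasum": dist["shasum"]}


def parse_version(v):
    return tuple(int(part) for part in v.split("."))


def _rewrite_entry(body, patched, package):
    """Rewrite one entry body. Returns (new_body, old_version, new_version or None)."""
    version_line = next(l for l in body if l.startswith('  version "'))
    current = version_line.split('"')[1]
    target = patched.get(parse_version(current)[0])
    if target is None or parse_version(current) >= parse_version(target["version"]):
        return body, current, None  # unknown major or already fixed: never downgrade
    if not INTEGRITY_RE.fullmatch(target["integrity"]):
        raise ValueError(f"malformed integrity for {target['version']}")
    new_body = []
    for l in body:
        if l.startswith('  version "'):
            l = f'  version "{target["version"]}"'
        elif l.startswith('  resolved "'):  # yarn v1 appends the tarball sha1 as a fragment
            l = (f'  resolved "https://registry.yarnpkg.com/{package}/-/'
                 f'{package}-{target["version"]}.tgz#{target["shasum"]}"')
        elif l.startswith("  integrity "):
            l = f'  integrity {target["integrity"]}'
        new_body.append(l)
    return new_body, current, target["version"]


def bump_lockfile(lock_text, patched, package=PACKAGE):
    """Patch every range group of `package`; all other entries pass through untouched."""
    lines = lock_text.split("\n")
    out, changes, i = [], [], 0
    while i < len(lines):
        line = lines[i]
        if line.startswith(f"{package}@") and line.endswith(":"):
            j = i + 1
            while j < len(lines) and lines[j].startswith("  "):
                j += 1  # entry body is every following line indented by two spaces
            new_body, old, new = _rewrite_entry(lines[i + 1:j], patched, package)
            if new is not None:
                changes.append((line.rstrip(":"), old, new))
            out.append(line)
            out.extend(new_body)
            i = j
        else:
            out.append(line)
            i += 1
    return "\n".join(out), changes


if __name__ == "__main__":
    text, changes = bump_lockfile(SAMPLE_LOCK, PATCHED)
    for header, old, new in changes:
        print(f"{header}: {old} -> {new}")
```

Running it on the real lockfile means reading kotlin-js-store/yarn.lock, building PATCHED from fetch_dist() for each fix version, and writing the result back; the returned change list is the review evidence that exactly the three range groups moved and nothing else did.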