Symptom

Two Dependabot alerts against serialize-javascript in kotlin-js-store/yarn.lock: a high-severity alert (GHSA-5c6j-r48x-rmvq, fixed in 7.0.3) and a medium-severity alert (GHSA-qj8w-gfj5-8c6v, fixed in 7.0.5). The locked version was 6.0.2.

Root cause

serialize-javascript 6.0.2 was locked in kotlin-js-store/yarn.lock as a transitive dependency of both mocha and terser-webpack-plugin. Both packages request ^6.0.2, but every 6.x release (and 7.0.0 through 7.0.4) is in the affected range, so no version that satisfies ^6.0.2 is safe.

Fix

Manually bumped the resolved version in kotlin-js-store/yarn.lock from 6.0.2 to 7.0.5 (the latest patched release) under the serialize-javascript@^6.0.2 key, updating the entry's version and integrity hash to match the npm registry for 7.0.5. The randombytes dependency was removed because 7.0.5 has no runtime dependencies (it uses globalThis.crypto instead). This is a build-time/toolchain-only dependency; it is not on the shipped runtime classpath.

Prevention

When a security bump requires crossing a major version boundary (because every release in the current major series is vulnerable), update the lockfile version beyond the declared semver range rather than picking another release inside the vulnerable series. Confirm the target version introduces no breaking API changes that affect the consumers (mocha, terser-webpack-plugin) before landing. For build-toolchain-only npm dependencies, Dependabot alerts can be cleared by a direct lockfile edit without waiting for the parent packages to release updated semver ranges.
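As an added check (not code from the repository being fixed), the following Python script parses a yarn v1 lockfile and audits the serialize-javascript entry for the properties the fix and the prevention note rely on: the pin is at or past the patched release, it has deliberately left the declared ^6.0.2 major, the tarball name in the resolved URL agrees with the version field, and no dependency that the new release dropped (randombytes) is still listed. The embedded lockfile excerpt is constructed; its hash fragment and integrity value are placeholders.

```python
"""Audit a yarn v1 lockfile entry for a package pinned past a patched release
(the serialize-javascript@^6.0.2 -> 7.0.5 bump described above)."""
import re

# Constructed post-fix yarn.lock excerpt; hash fragment and integrity are placeholders.
LOCKFILE = """\
# yarn lockfile v1

serialize-javascript@^6.0.2:
  version "7.0.5"
  resolved "https://registry.yarnpkg.com/serialize-javascript/-/serialize-javascript-7.0.5.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER
"""

# One entry: comma-separated "name@range" keys ending in ':' plus a two-space-indented body.
ENTRY_RE = re.compile(r"^(?P<keys>[^\s#][^\n]*):\n(?P<body>(?:  [^\n]*\n?)+)", re.M)

def _field(body, key):
    m = re.search(rf'^  {key} "([^"]+)"', body, re.M)
    return m.group(1) if m else None

def parse_yarn_lock(text):
    """Map package name -> list of entries (one per lockfile block it appears in)."""
    entries = {}
    for m in ENTRY_RE.finditer(text):
        body = m.group("body")
        entry = {"version": _field(body, "version"),
                 "resolved": _field(body, "resolved") or "",
                 # four-space-indented lines belong to a nested dependencies block
                 "deps": dict(re.findall(r'^    (\S+) "([^"]+)"', body, re.M))}
        for key in m.group("keys").split(", "):
            name, _, rng = key.strip('"').rpartition("@")
            entries.setdefault(name, []).append({"range": rng, **entry})
    return entries

def _ver(v):  # release versions only, e.g. "7.0.5" -> (7, 0, 5)
    return tuple(int(x) for x in v.split("."))

def audit(text, package, fixed_in, expected_deps=frozenset()):
    """Per entry: patched? left the caret major (override)? tarball matches version? stale deps?"""
    report = []
    for e in parse_yarn_lock(text).get(package, []):
        v, rng = e["version"], e["range"]
        report.append({
            "range": rng, "version": v,
            "patched": _ver(v) >= _ver(fixed_in),
            "outside_range": rng.startswith("^") and _ver(v)[0] != _ver(rng[1:])[0],
            "tarball_matches": f"-{v}.tgz" in e["resolved"],
            "stale_deps": sorted(set(e["deps"]) - set(expected_deps)),
        })
    return report
```

Run `audit(LOCKFILE, "serialize-javascript", "7.0.5")` on the real kotlin-js-store/yarn.lock contents to confirm the hand edit left the entry patched and internally consistent; a non-empty stale_deps list means the old randombytes dependency was not removed.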