Symptom

Dependabot (via Kraken nightly scan) flagged two high-severity CVEs against flatted in kotlin-js-store/yarn.lock: GHSA-rf6f-7fwh-wjgh (<=3.4.1) and GHSA-25h7-pfq9-p65f (<3.4.0). The installed version was 3.3.3, which falls within both vulnerable ranges.

Root cause

flatted is a transitive dependency of webpack (part of the Kotlin/JS Gradle plugin toolchain). It was not upgraded when the CVEs were published because Dependabot alerts for kotlin-js-store/yarn.lock are easy to overlook: this lockfile is auto-generated by the Gradle Kotlin/JS plugin and is not typically hand-maintained. The package is build-only (not on the JVM or WASM runtime classpath).

Fix

Updated the flatted@^3.2.7 entry in kotlin-js-store/yarn.lock from version 3.3.3 to 3.4.2, replacing the resolved URL, SHA1 hash, and SRI integrity value with those from the npm registry for 3.4.2.
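A small check for the edit above, added here as an example and not part of the project's own code: it parses a yarn v1 lockfile, reports which of the two advisories still cover the pinned flatted version, and verifies a tarball against both hashes the entry records (the SHA1 fragment on the resolved URL and the SRI integrity value). The lockfile excerpt and its hashes are constructed placeholders.

```python
import base64
import hashlib

# Vulnerable ranges from the two advisories named above:
# GHSA-rf6f-7fwh-wjgh affects <=3.4.1, GHSA-25h7-pfq9-p65f affects <3.4.0.
ADVISORIES = [("GHSA-rf6f-7fwh-wjgh", "<=", (3, 4, 1)),
              ("GHSA-25h7-pfq9-p65f", "<", (3, 4, 0))]

# Constructed yarn.lock v1 excerpt; the hashes are placeholders, not the real ones.
SAMPLE_LOCK = """\
# yarn lockfile v1

flatted@^3.2.7:
  version "3.3.3"
  resolved "https://registry.yarnpkg.com/flatted/-/flatted-3.3.3.tgz#0000000000000000000000000000000000000000"
  integrity sha512-PLACEHOLDER
"""

def parse_yarn_lock(text):
    """Map each dependency spec (e.g. 'flatted@^3.2.7') to its fields."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" "):  # header: one or more comma-separated specs
            current = {}
            for spec in line.rstrip(":").split(","):
                entries[spec.strip().strip('"')] = current
            continue
        key, _, value = line.strip().partition(" ")
        current[key] = value.strip('"')
    return entries

def vulnerable_advisories(version):
    """Advisory ids whose range still contains this version (empty list = clean)."""
    v = tuple(int(p) for p in version.split("."))
    return [ghsa for ghsa, op, bound in ADVISORIES
            if (op == "<" and v < bound) or (op == "<=" and v <= bound)]

def sri_integrity(tarball):
    """SRI value in the form yarn writes to the 'integrity' field."""
    return "sha512-" + base64.b64encode(hashlib.sha512(tarball).digest()).decode()

def verify_entry(entry, tarball):
    """Check a downloaded tarball against both hashes recorded for the entry."""
    sha1_fragment = entry["resolved"].rsplit("#", 1)[1]
    return (entry["integrity"] == sri_integrity(tarball)
            and sha1_fragment == hashlib.sha1(tarball).hexdigest())

def audit(lock_text, spec="flatted@^3.2.7"):
    """Pinned version for the spec and the advisories it is still exposed to."""
    version = parse_yarn_lock(lock_text)[spec]["version"]
    return version, vulnerable_advisories(version)
```

Run `audit` against the real kotlin-js-store/yarn.lock before and after the bump; the pinned 3.3.3 matches both advisories, 3.4.2 matches neither.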

Prevention