Dependabot / Kraken nightly scan flagged an open CVE (GHSA-r4q5-vmmm-2653) against follow-redirects <= 1.15.11 in kotlin-js-store/yarn.lock.
follow-redirects 1.15.9 was pinned in the yarn lockfile as a transitive dependency of http-proxy (a webpack/Karma build-tool dependency). Version 1.15.9 falls within the vulnerable range; 1.16.0 is the first patched release.
Manually updated follow-redirects from 1.15.9 → 1.16.0 in kotlin-js-store/yarn.lock, substituting the resolved URL, SHA1, and integrity hash sourced from the npm registry. The wasm lockfile (kotlin-js-store/wasm/yarn.lock) does not reference follow-redirects and needed no change.
kotlin-js-store/, bump manually by looking up the patched version’s tarball shasum and integrity on registry.npmjs.org/<pkg>/<version>.