Dependabot / Kraken Nightly Bug Hunt flagged GHSA-37ch-88jc-xwx2: path-to-regexp < 0.1.13 allows a ReDoS attack via a specially crafted path string. The vulnerable version was pinned as a transitive npm dependency: webpack-dev-server → express@4.21.2 → path-to-regexp@0.1.12.
Express 4.21.2 pins path-to-regexp to exactly "0.1.12" in its package.json. The Kotlin WasmJs build toolchain includes webpack-dev-server (and therefore express) for the development server used during wasmJsBrowserDevelopmentWebpack. The yarn.lock in kotlin-js-store/ preserved the vulnerable pinned version.
Two-layer fix:

1. kotlin-js-store/yarn.lock: changed the path-to-regexp specifier in the express@4.21.2 entry's dependencies list from "0.1.12" to "0.1.13", and replaced the path-to-regexp@0.1.12 lock entry with a path-to-regexp@0.1.13 entry carrying the correct resolved URL and sha512 integrity hash.

2. build.gradle.kts: added a resolution override so that ./gradlew kotlinUpgradeYarnLock cannot silently regenerate the lockfile back to the pinned 0.1.12:

       rootProject.plugins.withType<WasmYarnPlugin> {
           extensions.configure<BaseYarnRootExtension> {
               resolution("path-to-regexp", "0.1.13")
           }
       }

Scope: this dependency is build/toolchain only. It is NOT on the shipped Ktor server or Compose runtime classpath.

Implementation notes:

- The WasmYarnPlugin resolution() override in build.gradle.kts goes alongside the lockfile edit, not instead of it, so kotlinUpgradeYarnLock respects the floor; after both edits, re-running kotlinUpgradeYarnLock should leave path-to-regexp@0.1.13 in place.
- The resolved URL follows the existing lockfile style, https://registry.yarnpkg.com/<pkg>/-/<pkg>-<ver>.tgz#<shasum> (yarnpkg.com CDN, sha1 shasum appended as the URL fragment), rather than the registry.npmjs.org tarball URL the registry metadata reports.
- Fetch the integrity hash from the registry before editing the lockfile by hand, instead of copying it from elsewhere:

       curl -s "https://registry.yarnpkg.com/<pkg>/<ver>" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d['dist']['integrity'])"
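As an added example (not the project's own code), the two lockfile edits above done programmatically, together with the check a practitioner wants after hand-editing a lockfile: every `name "range"` specifier must still resolve to an entry, and no resolved version of the package may remain below the fixed version. The yarn.lock v1 fragment, package names and hashes are constructed (hashes of a placeholder string, not of real tarballs) so the example runs offline; only the lockfile layout and the yarnpkg.com `resolved` URL shape follow the real yarn v1 conventions.

```python
import base64
import hashlib
import re


def fake_dist(name, version):
    """Constructed stand-in for the registry's `dist` object: hashes of a placeholder
    string, not of a real tarball, so the example runs offline."""
    blob = f"{name}-{version}".encode()
    return {
        "shasum": hashlib.sha1(blob).hexdigest(),
        "integrity": "sha512-" + base64.b64encode(hashlib.sha512(blob).digest()).decode(),
    }


def check_integrity(integrity):
    """Reject a malformed SRI string before it lands in the lockfile: known
    algorithm, valid base64, digest length matching the algorithm."""
    algo, sep, b64 = integrity.partition("-")
    digest_len = {"sha512": 64, "sha384": 48, "sha256": 32, "sha1": 20}.get(algo)
    if not sep or digest_len is None:
        raise ValueError(f"unsupported integrity algorithm: {integrity!r}")
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != digest_len:
        raise ValueError(f"{algo} digest should be {digest_len} bytes, got {len(raw)}")
    return True


def yarn_resolved(name, version, dist):
    """`resolved` in the existing lockfile's style: yarnpkg.com CDN path with the sha1
    shasum as the URL fragment. A scoped name keeps its scope in the directory part only."""
    base = name.split("/")[-1]
    return f"https://registry.yarnpkg.com/{name}/-/{base}-{version}.tgz#{dist['shasum']}"


def lock_entry(name, version, dist):
    """A complete yarn.lock v1 entry for an exactly pinned version."""
    check_integrity(dist["integrity"])
    return (f"{name}@{version}:\n"
            f'  version "{version}"\n'
            f'  resolved "{yarn_resolved(name, version, dist)}"\n'
            f"  integrity {dist['integrity']}\n")


def bump_exact_pin(lock_text, name, old, new, dist):
    """Edit 1: every `name "old"` specifier inside a dependencies: block.
    Edit 2: the `name@old:` entry itself. Both or neither, so the lockfile stays consistent."""
    spec_re = re.compile(rf'^( +{re.escape(name)} )"{re.escape(old)}"$', re.M)
    text, n_spec = spec_re.subn(rf'\g<1>"{new}"', lock_text)
    if n_spec == 0:
        raise ValueError(f"nothing pins {name}@{old}")
    # An entry is its header line plus the following lines indented by two spaces.
    entry_re = re.compile(rf"^{re.escape(name)}@{re.escape(old)}:\n(?:  .*\n)*", re.M)
    text, n_entry = entry_re.subn(lambda _m: lock_entry(name, new, dist), text)
    if n_entry != 1:
        raise ValueError(f"expected one {name}@{old} entry, found {n_entry}")
    return text


def unresolved_specifiers(lock_text):
    """Dangling specifiers: `name "range"` lines with no entry header containing
    `name@range`. A correctly hand-edited lockfile returns an empty list."""
    headers = set()
    for m in re.finditer(r"^(\S.*):$", lock_text, re.M):
        headers.update(k.strip().strip('"') for k in m.group(1).split(","))
    deps = re.findall(r'^    (\S+) "([^"]*)"$', lock_text, re.M)
    return sorted({f"{n}@{r}" for n, r in deps if f"{n}@{r}" not in headers})


def pins_below(lock_text, name, fixed):
    """Resolved versions of `name` still below `fixed` (release versions only),
    i.e. the advisory's `< 0.1.13` range applied to what the lockfile actually installs."""
    def key(v):
        return tuple(int(p) for p in v.split("."))
    pattern = rf'^"?{re.escape(name)}@[^\n]*:\n  version "([^"]+)"'
    return sorted({v for v in re.findall(pattern, lock_text, re.M) if key(v) < key(fixed)})


def sample_lock():
    """Constructed yarn.lock v1 fragment (not the real kotlin-js-store/yarn.lock)
    mirroring the express -> path-to-regexp pin; express's other dependencies are omitted."""
    ex = fake_dist("express", "4.21.2")
    return ("# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.\n"
            "# yarn lockfile v1\n\n\n"
            "express@^4.17.1:\n"
            '  version "4.21.2"\n'
            f'  resolved "{yarn_resolved("express", "4.21.2", ex)}"\n'
            f"  integrity {ex['integrity']}\n"
            "  dependencies:\n"
            '    path-to-regexp "0.1.12"\n\n'
            + lock_entry("path-to-regexp", "0.1.12", fake_dist("path-to-regexp", "0.1.12")))


if __name__ == "__main__":
    before = sample_lock()
    after = bump_exact_pin(before, "path-to-regexp", "0.1.12", "0.1.13",
                           fake_dist("path-to-regexp", "0.1.13"))
    print(after)
    print("dangling specifiers:", unresolved_specifiers(after))
    print("still below 0.1.13:", pins_below(after, "path-to-regexp", "0.1.13"))
```

The point of `unresolved_specifiers` is the half-done case: bumping the specifier under express without replacing the `path-to-regexp@0.1.12:` entry leaves the lockfile internally inconsistent, which yarn will repair by re-resolving, and the Kotlin plugin's `kotlinUpgradeYarnLock` would do so without the `resolution()` floor.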