Four medium-severity Dependabot alerts flagged webpack-dev-server versions below 5.2.5 (GHSA-mx8g-39q3-5c79, GHSA-79cf-xcqc-c78w, GHSA-9jgg-88mc-972h, GHSA-4v9v-hfq4-rm2v) in kotlin-js-store/yarn.lock.
kotlin-js-store/yarn.lock is an orphaned legacy file left over from when the project had a regular Kotlin/JS (js()) target. After migrating to Kotlin/Wasm (wasmJs), all active npm management moved to kotlin-js-store/wasm/yarn.lock (maintained by kotlinWasm* Gradle tasks). The root lockfile was never removed from the repo, so Dependabot continued scanning it and flagging its stale webpack-dev-server@4.15.2 entry. No current Gradle task reads or writes the root lockfile; webpack and webpack-dev-server for the wasmJs dev server are provided by the Kotlin toolchain npm cache at ~/.kotlin/kotlin-npm-tooling/, not by the project’s own yarn.lock.
Deleted kotlin-js-store/yarn.lock. No build task referenced it; deleting it removes the Dependabot alert surface entirely. The active kotlin-js-store/wasm/yarn.lock and its resolution("path-to-regexp", "0.1.13") guard in build.gradle.kts are unaffected.
When Dependabot alerts fire for an npm manifest, verify the manifest is actually consumed by a current build task before patching it. Run ./gradlew tasks --all | grep -i yarn to list the yarn-related tasks and see which lock files Gradle actively manages. Any yarn.lock that none of those tasks covers is a candidate for deletion if it’s no longer generated or restored by a Gradle task.
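The check above can be turned into a repeatable audit. The following is an added example, not code from this project: it lists every yarn.lock in a checkout that is not on a hand-maintained list of active lockfiles and shows the webpack-dev-server version each one pins. The function names, the active-list file and the sample tree are assumptions made for illustration, and the parser assumes the yarn v1 lockfile format.

```shell
#!/bin/sh
# Added example (not project code): report yarn.lock files that no current
# build task is known to manage, with the webpack-dev-server version they pin.

# pinned_version LOCKFILE PKG
# Print the version recorded for PKG in a yarn v1 lockfile (empty if absent).
pinned_version() {
    awk -v pkg="$2" '
        # Entry headers are unindented: name@range[, name@range]:
        /^[^ #]/ { hit = (index($0, pkg "@") == 1 || index($0, "\"" pkg "@") == 1) }
        hit && $1 == "version" { gsub(/"/, "", $2); print $2; exit }
    ' "$1"
}

# orphan_lockfiles ROOT ACTIVE_LIST
# ACTIVE_LIST holds one repo-relative lockfile path per line: the lockfiles
# you have confirmed a current Gradle task writes (assumption: maintained by
# hand from the task listing described above).
orphan_lockfiles() {
    root=$1
    active=$2
    ( cd "$root" && find . -name yarn.lock \
          ! -path '*/node_modules/*' ! -path './build/*' |
          sed 's|^\./||' | sort ) |
    while IFS= read -r lock; do
        grep -Fxq -- "$lock" "$active" && continue
        v=$(pinned_version "$root/$lock" webpack-dev-server)
        printf '%s\twebpack-dev-server=%s\n' "$lock" "${v:-none}"
    done
}

# make_sample: constructed tree mirroring the layout on this page.
# The lockfile contents are constructed, not copied from the project.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/kotlin-js-store/wasm"
    printf 'webpack-dev-server@4.15.2:\n  version "4.15.2"\n' \
        > "$d/kotlin-js-store/yarn.lock"
    printf 'path-to-regexp@0.1.13:\n  version "0.1.13"\n' \
        > "$d/kotlin-js-store/wasm/yarn.lock"
    printf 'kotlin-js-store/wasm/yarn.lock\n' > "$d/active.txt"
    echo "$d"
}

# Usage: sh audit.sh <repo-root> <active-list-file>
if [ "$#" -eq 2 ]; then
    orphan_lockfiles "$1" "$2"
fi
```

Each output line is a lockfile to investigate before patching or deleting; an empty result means every yarn.lock in the tree is on the active list.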