Kraken’s nightly dependency-CVE scan reported three qs Dependabot alerts
(GHSA-q8mj-m7cp-5q26 medium, GHSA-w7fw-mjwx-w883 low, GHSA-6rw7-vpxm-498p
medium) in kotlin-js-store/yarn.lock. The scan was run at commit 79cd4283a
(June 15) and filed as issue #547 before any fix had landed.
kotlin-js-store/yarn.lock was an orphaned artifact from the project’s old
Kotlin/JS (js()) target. After the migration to Kotlin/Wasm (wasmJs()),
all npm management moved to kotlin-js-store/wasm/yarn.lock. The orphaned
file was never deleted and kept accumulating Dependabot alerts against stale
packages (including qs) that were no longer part of any build.
PR #546 (fix(build-ci): remove orphaned kotlin-js-store/yarn.lock) deleted
the file entirely. The active kotlin-js-store/wasm/yarn.lock does not
contain qs at all, so no version bump was needed — all three CVEs were
resolved by the deletion. Issue #547 (filed by Kraken before #546 landed)
was therefore already resolved by the time Blue picked it up.
When migrating Kotlin targets (js() → wasmJs()), explicitly delete
any lockfiles (yarn.lock, package-lock.json) that were produced by the old
target. Leaving them causes ghost Dependabot alerts against packages the
project no longer uses. To confirm a file is really gone, use
git cat-file -e HEAD:<path>, which exits non-zero when the path is absent at
HEAD. git show HEAD -- <path> is not a reliable check: it prints the commit
header even when the path does not exist, so its output is never empty.
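The two checks this note relies on, written out as an added shell example that is not part of the project's tooling: whether a path is really gone at HEAD, and whether a lockfile (yarn.lock v1 or package-lock.json) still carries a top-level entry for a package. The paths and the package name qs are taken from the note; the sample lockfiles are constructed for the example, and the git step only runs when the script is executed inside a repository.

```shell
#!/bin/sh
# Added example, not the project's own tooling. Verifies the two facts the note
# relies on: the stale lockfile is gone from HEAD, and the active lockfile has
# no entry for the package the alerts named. Sample lockfiles are constructed.
set -eu

# Return 0 if the lockfile has a top-level entry for the package, 1 otherwise.
# yarn.lock v1 keys sit at column 0 as `qs@^6.5.2:` or `"qs@^6.5.2", "qs@^6.7.0":`;
# package-lock.json uses `"node_modules/qs": {` (v2/v3) or `"qs": {` (v1).
# Neither pattern matches a scoped package such as @types/qs when asked for
# plain qs, because the name must directly follow the opening quote or slash.
# Package names containing regex metacharacters (a dot) would need escaping.
lockfile_has_pkg() {
  lock="$1"; pkg="$2"
  case "$(basename "$lock")" in
    yarn.lock)         grep -Eq "^\"?$pkg@" "$lock" ;;
    package-lock.json) grep -Eq "\"(node_modules/)?$pkg\": *\{" "$lock" ;;
    *) echo "unknown lockfile format: $lock" >&2; return 2 ;;
  esac
}

# Return 0 if the path is absent from the given commit (default HEAD), 1 if it
# is still tracked there, 2 if the ref cannot be resolved (not in a repo).
# `git show HEAD -- <path>` is not a usable test: it prints the commit header
# even when the path does not exist, so its output is never empty.
path_absent_at() {
  path="$1"; ref="${2:-HEAD}"
  git rev-parse --verify -q "$ref^{commit}" >/dev/null 2>&1 || return 2
  if git cat-file -e "$ref:$path" 2>/dev/null; then return 1; else return 0; fi
}

# Constructed sample lockfiles mirroring the layout described in the note.
write_sample_lockfiles() {
  dir="$1"
  mkdir -p "$dir/kotlin-js-store/wasm"
  # Stale lockfile left behind by the old js() target: still lists qs.
  cat > "$dir/kotlin-js-store/yarn.lock" <<'EOF'
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

"@types/qs@^6.9.7":
  version "6.9.7"

qs@^6.5.2, qs@^6.7.0:
  version "6.7.0"
EOF
  # Active lockfile of the wasmJs() target: no qs entry.
  cat > "$dir/kotlin-js-store/wasm/yarn.lock" <<'EOF'
# yarn lockfile v1

"@types/qs@^6.9.7":
  version "6.9.7"
EOF
  # A lockfileVersion 3 package-lock.json carrying qs, to show the second format.
  cat > "$dir/package-lock.json" <<'EOF'
{
  "lockfileVersion": 3,
  "packages": {
    "": { "dependencies": { "qs": "^6.7.0" } },
    "node_modules/qs": { "version": "6.7.0" }
  }
}
EOF
}

# Demo on the constructed samples, plus the HEAD check when run inside a repo.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
write_sample_lockfiles "$demo"
for f in kotlin-js-store/yarn.lock kotlin-js-store/wasm/yarn.lock package-lock.json; do
  if lockfile_has_pkg "$demo/$f" qs; then echo "$f: has qs"; else echo "$f: no qs"; fi
done
if command -v git >/dev/null 2>&1; then
  rc=0; path_absent_at kotlin-js-store/yarn.lock || rc=$?
  case "$rc" in
    0) echo "kotlin-js-store/yarn.lock: absent at HEAD" ;;
    1) echo "kotlin-js-store/yarn.lock: still tracked at HEAD" ;;
    *) echo "not inside a git repository; HEAD check skipped" ;;
  esac
fi
```

Run from the repository root; the lockfile scan needs no git, so it can also be pointed at lockfiles extracted from an arbitrary commit with git show <rev>:<path> > file.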