New CVE mentioning Kotlin Multiplatform! CVE-2022...
# multiplatform
s
New CVE mentioning Kotlin Multiplatform! CVE-2022-24329: In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24329
b
Is this referring to npm locks or Gradle locks, as KMP can often use both?
s
Not clear on that. Also, their issue tracker link for this issue is not public, so I can't see more details.
b
I'll assume it's referring to yarn.lock, which only became persistent in 1.6.10.
The timeline just seems right.
s
Yeah, that makes sense, and thus they did a couple of public posts about it and then made it the default setting as well in 1.6.0 or 1.6.10.