Skip to content

Bump js-cookie from 2.2.1 to 3.0.7#856

Closed
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/js-cookie-3.0.7
Closed

Bump js-cookie from 2.2.1 to 3.0.7#856
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/js-cookie-3.0.7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 21, 2026

Copy link
Copy Markdown
Contributor

Bumps js-cookie from 2.2.1 to 3.0.7.

Release notes

Sourced from js-cookie's releases.

v3.0.7

  • Prevent cookie attribute injection: CVE-2026-46625 (eb3c40e)
  • Add Partitioned attribute to readme (b994768)
  • Publish to npm registry via trusted publisher exclusively (4dc71be)
  • Ensure consistent behaviour for get('name') + get() (1953d30)

v3.0.5

  • Remove npm version restriction in package.json - #818

v3.0.4

  • Publish to npmjs.com with package provenance

v3.0.1

  • Make package.json accessible in export - #727

v3.0.0

  • Removed defaults in favor of a builder: now to supply an api instance with particular predefined (cookie) attributes there's Cookies.withAttributes(), e.g.:
const api = Cookies.withAttributes({
  path: '/',
  secure: true
})
api.set('key', 'value') // writes cookie with path: '/' and secure: true...
  • The attributes that an api instance is configured with are exposed as attributes property; it's an immutable object and unlike defaults cannot be changed to configure the api.
  • The mechanism to fall back to the standard, internal converter by returning a falsy value in a custom read converter has been removed. Instead the default converters are now exposed as Cookies.converter, which allows for implementing self-contained custom converters providing the same behavior:
const customReadConverter = (value, name) => {
  if (name === 'special') {
    return unescape(value)
  }
  return Cookies.converter.read(value)
}
  • withConverter() no longer accepts a function as argument to be turned into a read converter. It is now required to always pass an object with the explicit type(s) of converter(s):
const api = Cookies.withConverter({
  read: (value, name) => unescape(value)
})
  • The converter(s) that an api instance is configured with are exposed as converter property; it's an immutable object and cannot be changed to configure the api.
  • Started providing library as ES module, in addition to UMD module. The module field in package.json points to an ES module variant of the library.
  • Started using browser field instead of main in package.json (for the UMD variant of the library).
  • Dropped support for IE < 10.
  • Removed built-in JSON support, i.e. getJSON() and automatic stringifying in set(): use Cookies.set('foo', JSON.stringify({ ... })) and JSON.parse(Cookies.get('foo')) instead.
  • Removed support for Bower.
  • Added minified versions to package - #501
  • Improved support for url encoded cookie values (support case insensitive encoding) - #466, #530
  • Expose default path via API - #541
  • Handle falsy arguments passed to getters - #399

... (truncated)

Commits
  • 17bacba Craft v3.0.7 release
  • adb823c Fix release workflow halting at git tag
  • 5f9e759 May remove Git user config from release workflow
  • 6ac9211 Fix release workflow not able to push commit + tag
  • 2278bc5 Fix missing package version bump
  • eb3c40e Prevent cookie attribute injection
  • f6f157f Bump globals from 17.5.0 to 17.6.0
  • f409d02 Bump eslint from 10.2.0 to 10.3.0
  • a686883 Bump protobufjs in the npm_and_yarn group across 1 directory
  • c6112d2 Bump @​protobufjs/utf8 in the npm_and_yarn group across 1 directory
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for js-cookie since your current version.


@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 21, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/js-cookie-3.0.7 branch from d3c16dc to c1ec61a Compare May 27, 2026 10:02
Bumps [js-cookie](https://github.com/js-cookie/js-cookie) from 2.2.1 to 3.0.7.
- [Release notes](https://github.com/js-cookie/js-cookie/releases)
- [Commits](js-cookie/js-cookie@v2.2.1...v3.0.7)

---
updated-dependencies:
- dependency-name: js-cookie
  dependency-version: 3.0.7
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/js-cookie-3.0.7 branch from c1ec61a to 1c0427e Compare May 27, 2026 11:12
@sonarqubecloud

Copy link
Copy Markdown

@edwh edwh closed this Jul 13, 2026
@edwh edwh deleted the dependabot/npm_and_yarn/js-cookie-3.0.7 branch July 13, 2026 20:50
@dependabot @github

dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant