build(deps): bump js-cookie from 2.2.1 to 3.0.7 by dependabot[bot] · Pull Request #173 · bigcommerce/request-sender-js

dependabot · 2026-05-21T23:46:35Z

Bumps js-cookie from 2.2.1 to 3.0.7.

Release notes

v3.0.7

Prevent cookie attribute injection: CVE-2026-46625 (eb3c40e)

Add Partitioned attribute to readme (b994768)

Publish to npm registry via trusted publisher exclusively (4dc71be)

Ensure consistent behaviour for get('name') + get() (1953d30)

v3.0.5

Remove npm version restriction in package.json - #818

v3.0.4

Publish to npmjs.com with package provenance

v3.0.1

Make package.json accessible in export - #727

v3.0.0

Removed defaults in favor of a builder: now to supply an api instance with particular predefined (cookie) attributes there's Cookies.withAttributes(), e.g.:
const api = Cookies.withAttributes({
  path: '/',
  secure: true
})
api.set('key', 'value') // writes cookie with path: '/' and secure: true...
The attributes that an api instance is configured with are exposed as attributes property; it's an immutable object and unlike defaults cannot be changed to configure the api.

The mechanism to fall back to the standard, internal converter by returning a falsy value in a custom read converter has been removed. Instead the default converters are now exposed as Cookies.converter, which allows for implementing self-contained custom converters providing the same behavior:
const customReadConverter = (value, name) => {
  if (name === 'special') {
    return unescape(value)
  }
  return Cookies.converter.read(value)
}
withConverter() no longer accepts a function as argument to be turned into a read converter. It is now required to always pass an object with the explicit type(s) of converter(s):
const api = Cookies.withConverter({
  read: (value, name) => unescape(value)
})
The converter(s) that an api instance is configured with are exposed as converter property; it's an immutable object and cannot be changed to configure the api.

Started providing library as ES module, in addition to UMD module. The module field in package.json points to an ES module variant of the library.

Started using browser field instead of main in package.json (for the UMD variant of the library).

Dropped support for IE < 10.

Removed built-in JSON support, i.e. getJSON() and automatic stringifying in set(): use Cookies.set('foo', JSON.stringify({ ... })) and JSON.parse(Cookies.get('foo')) instead.

Removed support for Bower.

Added minified versions to package - #501

Improved support for url encoded cookie values (support case insensitive encoding) - #466, #530

Expose default path via API - #541

Handle falsy arguments passed to getters - #399

... (truncated)

Commits

17bacba Craft v3.0.7 release
adb823c Fix release workflow halting at git tag
5f9e759 May remove Git user config from release workflow
6ac9211 Fix release workflow not able to push commit + tag
2278bc5 Fix missing package version bump
eb3c40e Prevent cookie attribute injection
f6f157f Bump globals from 17.5.0 to 17.6.0
f409d02 Bump eslint from 10.2.0 to 10.3.0
a686883 Bump protobufjs in the npm_and_yarn group across 1 directory
c6112d2 Bump @protobufjs/utf8 in the npm_and_yarn group across 1 directory
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for js-cookie since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Medium Risk
Upgrades js-cookie across a major version, which may introduce breaking API/module-format/type changes that affect cookie access used for CSRF header injection and test mocks. Also updates the lockfile to a version that declares a node >= 20 engine requirement for js-cookie.

Overview
Updates the js-cookie dependency from ^2.2.1 to ^3.0.7 in package.json and refreshes package-lock.json accordingly.

The lockfile now pulls js-cookie@3.0.7 (including its updated metadata/engine constraints), with no accompanying source changes in how cookies are read.

^{Reviewed by Cursor Bugbot for commit 00f0118. Bugbot is set up for automated code reviews on this repo. Configure here.}

Bumps [js-cookie](https://github.com/js-cookie/js-cookie) from 2.2.1 to 3.0.7. - [Release notes](https://github.com/js-cookie/js-cookie/releases) - [Commits](js-cookie/js-cookie@v2.2.1...v3.0.7) --- updated-dependencies: - dependency-name: js-cookie dependency-version: 3.0.7 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>

cursor

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 00f0118. Configure here.}

cursor · 2026-05-21T23:52:18Z

    "@types/js-cookie": "^2.2.7",
    "@types/query-string": "^6.3.0",
-    "js-cookie": "^2.2.1",
+    "js-cookie": "^3.0.7",


Namespace import incompatible with js-cookie v3 default export

High Severity

Bumping js-cookie to v3 without updating the import style or type definitions breaks the library. js-cookie v3 only provides a default export, so import * as cookie from 'js-cookie' (used in create-request-sender.ts) results in a namespace object where cookie.get is undefined when resolved by ESM-aware bundlers like webpack. Additionally, @types/js-cookie remains at ^2.2.7 which is documented as incompatible with js-cookie v3. This silently breaks XSRF-TOKEN reading at runtime in production builds.

Additional Locations (1)

package.json#L38-L39

^{Reviewed by Cursor Bugbot for commit 00f0118. Configure here.}

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 21, 2026

cursor Bot reviewed May 21, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump js-cookie from 2.2.1 to 3.0.7#173

build(deps): bump js-cookie from 2.2.1 to 3.0.7#173
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/js-cookie-3.0.7

dependabot Bot commented on behalf of github May 21, 2026 •

edited by cursor Bot

Loading

Uh oh!

cursor Bot left a comment

Uh oh!

cursor Bot May 21, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 21, 2026 • edited by cursor Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v3.0.7

v3.0.5

v3.0.4

v3.0.1

v3.0.0

Uh oh!

cursor Bot left a comment

Choose a reason for hiding this comment

Uh oh!

cursor Bot May 21, 2026

Choose a reason for hiding this comment

Namespace import incompatible with js-cookie v3 default export

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github May 21, 2026 •

edited by cursor Bot

Loading