chore(deps): bump js-cookie from 2.2.1 to 3.0.7

[dependabot]

Bumps js-cookie from 2.2.1 to 3.0.7.

Release notes

Sourced from js-cookie's releases.

v3.0.7

• Prevent cookie attribute injection: CVE-2026-46625 (eb3c40e)
• Add Partitioned attribute to readme (b994768)
• Publish to npm registry via trusted publisher exclusively (4dc71be)
• Ensure consistent behaviour for get('name') + get() (1953d30)

v3.0.5

• Remove npm version restriction in package.json - #818

v3.0.4

• Publish to npmjs.com with package provenance

v3.0.1

• Make package.json accessible in export - #727

v3.0.0

• Removed defaults in favor of a builder: now to supply an api instance with particular predefined (cookie) attributes there's Cookies.withAttributes(), e.g.:

const api = Cookies.withAttributes({
  path: '/',
  secure: true
})
api.set('key', 'value') // writes cookie with path: '/' and secure: true...

• The attributes that an api instance is configured with are exposed as attributes property; it's an immutable object and unlike defaults cannot be changed to configure the api.
• The mechanism to fall back to the standard, internal converter by returning a falsy value in a custom read converter has been removed. Instead the default converters are now exposed as Cookies.converter, which allows for implementing self-contained custom converters providing the same behavior:

const customReadConverter = (value, name) => {
  if (name === 'special') {
    return unescape(value)
  }
  return Cookies.converter.read(value)
}

• withConverter() no longer accepts a function as argument to be turned into a read converter. It is now required to always pass an object with the explicit type(s) of converter(s):

const api = Cookies.withConverter({
  read: (value, name) => unescape(value)
})

• The converter(s) that an api instance is configured with are exposed as converter property; it's an immutable object and cannot be changed to configure the api.
• Started providing library as ES module, in addition to UMD module. The module field in package.json points to an ES module variant of the library.
• Started using browser field instead of main in package.json (for the UMD variant of the library).
• Dropped support for IE < 10.
• Removed built-in JSON support, i.e. getJSON() and automatic stringifying in set(): use Cookies.set('foo', JSON.stringify({ ... })) and JSON.parse(Cookies.get('foo')) instead.
• Removed support for Bower.
• Added minified versions to package - #501
• Improved support for url encoded cookie values (support case insensitive encoding) - #466, #530
• Expose default path via API - #541
• Handle falsy arguments passed to getters - #399

... (truncated)

Commits

• 17bacba Craft v3.0.7 release
• adb823c Fix release workflow halting at git tag
• 5f9e759 May remove Git user config from release workflow
• 6ac9211 Fix release workflow not able to push commit + tag
• 2278bc5 Fix missing package version bump
• eb3c40e Prevent cookie attribute injection
• f6f157f Bump globals from 17.5.0 to 17.6.0
• f409d02 Bump eslint from 10.2.0 to 10.3.0
• a686883 Bump protobufjs in the npm_and_yarn group across 1 directory
• c6112d2 Bump @​protobufjs/utf8 in the npm_and_yarn group across 1 directory
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for js-cookie since your current version.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b2513ab203

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Restore full workspace lockfile entries

This lockfile rewrite dropped most workspace descriptors (the @app/*@workspace:apps/* section now starts at @app/address-service and only a handful of app workspaces remain), even though the repository is configured to include all apps/* and packages/* workspaces. Because CI uses immutable installs (yarn install --immutable in .github/workflows/nodejs.condo.ci.yml and yarn --immutable in .github/workflows/packages.release.yml), missing workspace entries will force lockfile regeneration and fail those jobs. Please regenerate yarn.lock from the full monorepo so all workspace entries are present again.

Useful? React with 👍 / 👎.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.