chore(deps): bump js-cookie from 2.2.1 to 3.0.7 in /examples/next-js-theme-ui

[dependabot]

Bumps js-cookie from 2.2.1 to 3.0.7.

Release notes

Sourced from js-cookie's releases.

v3.0.7

• Prevent cookie attribute injection: CVE-2026-46625 (eb3c40e)
• Add Partitioned attribute to readme (b994768)
• Publish to npm registry via trusted publisher exclusively (4dc71be)
• Ensure consistent behaviour for get('name') + get() (1953d30)

v3.0.5

• Remove npm version restriction in package.json - #818

v3.0.4

• Publish to npmjs.com with package provenance

v3.0.1

• Make package.json accessible in export - #727

v3.0.0

• Removed defaults in favor of a builder: now to supply an api instance with particular predefined (cookie) attributes there's Cookies.withAttributes(), e.g.:

const api = Cookies.withAttributes({
  path: '/',
  secure: true
})
api.set('key', 'value') // writes cookie with path: '/' and secure: true...

• The attributes that an api instance is configured with are exposed as attributes property; it's an immutable object and unlike defaults cannot be changed to configure the api.
• The mechanism to fall back to the standard, internal converter by returning a falsy value in a custom read converter has been removed. Instead the default converters are now exposed as Cookies.converter, which allows for implementing self-contained custom converters providing the same behavior:

const customReadConverter = (value, name) => {
  if (name === 'special') {
    return unescape(value)
  }
  return Cookies.converter.read(value)
}

• withConverter() no longer accepts a function as argument to be turned into a read converter. It is now required to always pass an object with the explicit type(s) of converter(s):

const api = Cookies.withConverter({
  read: (value, name) => unescape(value)
})

• The converter(s) that an api instance is configured with are exposed as converter property; it's an immutable object and cannot be changed to configure the api.
• Started providing library as ES module, in addition to UMD module. The module field in package.json points to an ES module variant of the library.
• Started using browser field instead of main in package.json (for the UMD variant of the library).
• Dropped support for IE < 10.
• Removed built-in JSON support, i.e. getJSON() and automatic stringifying in set(): use Cookies.set('foo', JSON.stringify({ ... })) and JSON.parse(Cookies.get('foo')) instead.
• Removed support for Bower.
• Added minified versions to package - #501
• Improved support for url encoded cookie values (support case insensitive encoding) - #466, #530
• Expose default path via API - #541
• Handle falsy arguments passed to getters - #399

... (truncated)

Commits

• 17bacba Craft v3.0.7 release
• adb823c Fix release workflow halting at git tag
• 5f9e759 May remove Git user config from release workflow
• 6ac9211 Fix release workflow not able to push commit + tag
• 2278bc5 Fix missing package version bump
• eb3c40e Prevent cookie attribute injection
• f6f157f Bump globals from 17.5.0 to 17.6.0
• f409d02 Bump eslint from 10.2.0 to 10.3.0
• a686883 Bump protobufjs in the npm_and_yarn group across 1 directory
• c6112d2 Bump @​protobufjs/utf8 in the npm_and_yarn group across 1 directory
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for js-cookie since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Note

Medium Risk
Dependency-only change, but it is a major js-cookie upgrade that can introduce runtime/API behavior differences in cookie handling. Low blast radius since it’s limited to an example app, but it may still break any code relying on v2 APIs (e.g., JSON helpers/defaults).

Overview
Bumps js-cookie from ^2.2.1 to ^3.0.7 in the examples/next-js-theme-ui example and updates yarn.lock accordingly.

This pulls in the v3 line of js-cookie (including the security fix for cookie attribute injection), with potential breaking API/behavior changes for any code in the example that depends on v2 semantics.

^{Reviewed by Cursor Bugbot for commit 4a691d8. Bugbot is set up for automated code reviews on this repo. Configure here.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 4a691d8

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 4a691d8. Configure here.}

[cursor]

Type definitions incompatible with bumped js-cookie v3

Medium Severity

Bumping js-cookie from v2 to v3 without updating @types/js-cookie from ^2.2.6 to ^3.0.0 leaves the type definitions mismatched with the runtime library. The v2 types describe a different API surface (e.g., getJSON(), defaults, named exports) that no longer exists in v3, which would cause TypeScript compilation errors or hide runtime breakage if any code imports js-cookie.

Additional Locations (1)

• examples/next-js-theme-ui/package.json#L94-L95

 

^{Reviewed by Cursor Bugbot for commit 4a691d8. Configure here.}

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 4a691d8

Command	Status	Duration	Result
nx test @builder.io/sdk	✅ Succeeded	4s	View ↗
nx typecheck @builder.io/sdks	✅ Succeeded	6s	View ↗
nx test @builder.io/react -- packages/react/src	✅ Succeeded	11s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-05-22 01:00:11 UTC

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 4a691d8

Command	Status	Duration	Result
nx test @builder.io/sdk	✅ Succeeded	4s	View ↗
nx typecheck @builder.io/sdks	✅ Succeeded	6s	View ↗
nx test @builder.io/react -- packages/react/src	✅ Succeeded	11s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-05-22 01:00:11 UTC

[nx-cloud]

🤖 Nx Cloud AI Fix Eligible

An automatically generated fix could have helped fix failing tasks for this run, but Self-healing CI is disabled for this workspace. Visit workspace settings to enable it and get automatic fixes in future runs.

_{To disable these notifications, a workspace admin can disable them in workspace settings.}

---

View your CI Pipeline Execution ↗ for commit 4a691d8

Command	Status	Duration	Result
nx test @snippet/react	❌ Failed	3m 38s	View ↗
nx test @e2e/nextjs-sdk-next-app	✅ Succeeded	7m 18s	View ↗
nx test @e2e/qwik-city	✅ Succeeded	7m 15s	View ↗
nx test @e2e/angular-17	✅ Succeeded	6m 42s	View ↗
nx test @e2e/nuxt	✅ Succeeded	5m 29s	View ↗
nx test @e2e/angular-17-ssr	✅ Succeeded	5m 19s	View ↗
nx test @e2e/angular-19-ssr	✅ Succeeded	5m 11s	View ↗
nx test @e2e/gen1-remix	✅ Succeeded	4m 51s	View ↗
Additional runs (38)	✅ Succeeded	...	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-05-22 01:07:43 UTC