es-cookie is breaking CJS versions

[benjervis]

Describe the problem

auth0-spa-js depends on es-cookie, which has recently gone ESM only, and done it as a minor version. This is breaking CJS projects using auth0-spa-js.

In our case, this is a Jest test that's failing on unknown token export.

Auth0 should look to move off this library to maintain CJS support.

Reproduction

https://github.com/benjervis/auth0-escookie-issue

Environment

• Version of auth0-spa-js used: 1.22.2
• Which browsers have you tested in? N/A
• Which framework are you using, if applicable (Angular, React, etc): N/A
• Other modules/plugins/libraries that might be involved: es-cookie, I guess Jest also

[theodorejb]

Author of es-cookie here. I suppose auth0-spa-js could also pin "1.3.2" specifically (instead of "^1.3.2") in package.json to retain CommonJS support.

I'm surprised there are still many CJS-only projects, though. It seems like that would be increasingly limiting as more and more libraries are designed for ESM from the start.

[weyert]

One of the reasons is that I am not smart enough to get ESM packages working with Jest + Typescript ☹️ Personally, I think making an package ESM is breaking change as the public API changed

[mrm007]

I'm surprised there are still many CJS-only projects, though.

96% of the packages in the npm registry, to be more precise. ESM including dual CJS/ESM is today at 4%.
Source: https://twitter.com/wooorm/status/1555258256582385664

[frederikprijck]

Thanks for raising this. I have pinned es-cookie to the latest patch versions only.

[frederikprijck]

Should be fixed as part of 1.22.3.