chore(shared): Bump js-cookie to 3.0.7

[jacekradko]

Summary

• backport the @clerk/shared js-cookie bump from 3.0.5 to 3.0.7 for the Core 2 release line
• update the core-2 pnpm lockfile so the workspace resolves the patched version
• add a patch changeset for @clerk/shared

Context

Backport for #8626 and GHSA-qjx8-664m-686j. This covers the @clerk/shared 3.x / @clerk/backend 2.x line.

Verification

• pnpm install --lockfile-only
• pnpm install --ignore-scripts
• pnpm -C packages/shared build
• pnpm why -r js-cookie
• git diff --check
• node runtime check confirmed proto cookie attributes are not emitted with js-cookie@3.0.7

Note: full pnpm install without --ignore-scripts is blocked on this branch by the existing marked-terminal git dependency build-script allowlist.

[changeset-bot]

🦋 Changeset detected

Latest commit: 6afe234

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 22 packages

Name	Type
@clerk/shared	Patch
@clerk/agent-toolkit	Patch
@clerk/astro	Patch
@clerk/backend	Patch
@clerk/chrome-extension	Patch
@clerk/clerk-js	Patch
@clerk/elements	Patch
@clerk/expo-passkeys	Patch
@clerk/clerk-expo	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/clerk-react	Patch
@clerk/remix	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch
@clerk/themes	Patch
@clerk/types	Patch
@clerk/vue	Patch
@clerk/localizations	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	May 22, 2026 7:22pm

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 73f83a23-e582-4388-a1e1-404c2d98dbe6

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch jacek/bump-js-cookie-security-core-2

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}