chore(deps-dev): bump js-cookie from 3.0.5 to 3.0.7 in /web#3877
Conversation
Bumps [js-cookie](https://github.com/js-cookie/js-cookie) from 3.0.5 to 3.0.7. - [Release notes](https://github.com/js-cookie/js-cookie/releases) - [Commits](js-cookie/js-cookie@v3.0.5...v3.0.7) --- updated-dependencies: - dependency-name: js-cookie dependency-version: 3.0.7 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Security review (PR 3877)
Outcome: No medium, high, or critical issues introduced or exposed by this change.
What changed: web/package-lock.json only — js-cookie 3.0.5 → 3.0.7 under the dev chain (js-beautify → js-cookie). No application source was modified; the web app does not declare or import js-cookie directly.
Analysis: Lockfile integrity (resolved + integrity) remains the standard npm registry entries. This bump aligns with upstream v3.0.7, which documents a fix for cookie attribute injection (CVE-2026-46625), so the dependency move is security-positive rather than regressing.
Residual / non-reportable: js-cookie 3.0.7 declares engines.node: ">=20" in the lockfile metadata; that is a potential CI / install constraint if builds still run Node 18 with engine-strict, not an exploitable app vulnerability from this diff.
Slack summary: PR 3877 reviewed — lockfile-only dev transitive bump (js-cookie 3.0.5→3.0.7). No new security findings. Change matches upstream fix for CVE-2026-46625 (cookie attribute injection). Optional heads-up: watch Node engine vs CI if strict.
Sent by Cursor Automation: Find vulnerabilities
1 participant
Bumps js-cookie from 3.0.5 to 3.0.7.
Release notes
Sourced from js-cookie's releases.
Commits
17bacbaCraft v3.0.7 releaseadb823cFix release workflow halting atgit tag5f9e759May remove Git user config from release workflow6ac9211Fix release workflow not able to push commit + tag2278bc5Fix missing package version bumpeb3c40ePrevent cookie attribute injectionf6f157fBump globals from 17.5.0 to 17.6.0f409d02Bump eslint from 10.2.0 to 10.3.0a686883Bump protobufjs in the npm_and_yarn group across 1 directoryc6112d2Bump@protobufjs/utf8in the npm_and_yarn group across 1 directoryMaintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for js-cookie since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.