Update dependency js-cookie to v3.0.7 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
js-cookie	3.0.1 → 3.0.7

---

JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection

CVE-2026-46625 / GHSA-qjx8-664m-686j

More information

Details

Summary

js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for…in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys.

Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down.

Impact

Any application that forwards a JSON-derived object as the attributes argument to Cookies.set, Cookies.remove, Cookies.withAttributes, or Cookies.withConverter is vulnerable. This is the standard pattern when cookie configuration comes from a backend:

const cfg = await fetch('/config').then(r => r.json());
Cookies.set('session', token, cfg.cookieAttrs);   // cfg.cookieAttrs influenced by attacker

A payload of {"__proto__":{"domain":"evil.example","secure":"false","samesite":"None"}} causes js-cookie to emit:

Set-Cookie: session=TOKEN; path=/; domain=evil.example; secure=false; samesite=None

Affected code

// src/assign.mjs — full file
export default function (target) {
  for (var i = 1; i < arguments.length; i++) {
    var source = arguments[i]
    for (var key in source) {                 // includes own enumerable '__proto__'
      target[key] = source[key]                // [[Set]] form - fires __proto__ setter
    }
  }
  return target
}

Proof of concept

Node 22.11.0, no third-party deps:

Environment setup

mkdir -p /tmp/jscookie-poc && cd /tmp/jscookie-poc
npm init -y
npm i js-cookie

PoC

ubuntu@kuber:/tmp/jscookie-poc$ cat poc.mjs
let lastSetCookie = '';
globalThis.document = {
  get cookie() { return ''; },
  set cookie(v) { lastSetCookie = v; }
};

const { default: Cookies } = await import('js-cookie');

const attackerAttrs = JSON.parse(
  '{"__proto__":{"secure":"false","domain":"evil.com","samesite":"None","expires":-1}}'
);

Cookies.set('session', 'TOKEN', attackerAttrs);

console.log('Set-Cookie that js-cookie wrote to document.cookie:');
console.log(lastSetCookie);

Execution:

Suggested patch

--- a/src/assign.mjs
+++ b/src/assign.mjs
@​@​
 export default function (target) {
   for (var i = 1; i < arguments.length; i++) {
     var source = arguments[i]
-    for (var key in source) {
-      target[key] = source[key]
-    }
+    for (var key in source) {
+      if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue
+      Object.defineProperty(target, key, {
+        value: source[key],
+        writable: true,
+        enumerable: true,
+        configurable: true,
+      })
+    }
   }
   return target
 }

Equivalent one-liner alternative - iterate own names only and filter:

for (const key of Object.getOwnPropertyNames(source)) {
  if (key === '__proto__') continue
  target[key] = source[key]
}

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

• https://github.com/js-cookie/js-cookie/security/advisories/GHSA-qjx8-664m-686j
• https://github.com/advisories/GHSA-qjx8-664m-686j

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

js-cookie/js-cookie (js-cookie)

v3.0.7

Compare Source

• Prevent cookie attribute injection: CVE-2026-46625 (eb3c40e)
• Add Partitioned attribute to readme (b994768)
• Publish to npm registry via trusted publisher exclusively (4dc71be)
• Ensure consistent behaviour for get('name') + get() (1953d30)

v3.0.6

Compare Source

v3.0.5

Compare Source

• Remove npm version restriction in package.json - #​818

v3.0.4

Compare Source

• Publish to npmjs.com with package provenance

v3.0.3

Compare Source

v3.0.2

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm WARN config optional Use `--omit=optional` to exclude optional dependencies, or
npm WARN config `--include=optional` to include them.
npm WARN config 
npm WARN config     Default value does install optional deps unless otherwise omitted.
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: ajv-keywords@3.5.2
npm WARN Found: ajv@8.6.3
npm WARN node_modules/ajv
npm WARN   dev ajv@"8.6.3" from the root project
npm WARN   1 more (table)
npm WARN 
npm WARN Could not resolve dependency:
npm WARN peer ajv@"^6.9.1" from ajv-keywords@3.5.2
npm WARN node_modules/ajv-keywords
npm WARN   ajv-keywords@"^3.5.2" from schema-utils@3.0.0
npm WARN   node_modules/copy-webpack-plugin/node_modules/schema-utils
npm WARN   3 more (schema-utils, schema-utils, schema-utils)
npm WARN 
npm WARN Conflicting peer dependency: ajv@6.15.0
npm WARN node_modules/ajv
npm WARN   peer ajv@"^6.9.1" from ajv-keywords@3.5.2
npm WARN   node_modules/ajv-keywords
npm WARN     ajv-keywords@"^3.5.2" from schema-utils@3.0.0
npm WARN     node_modules/copy-webpack-plugin/node_modules/schema-utils
npm WARN     3 more (schema-utils, schema-utils, schema-utils)
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: jest-puppeteer@5.0.4
npm ERR! Found: puppeteer@13.1.2
npm ERR! node_modules/puppeteer
npm ERR!   dev puppeteer@"13.1.2" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer puppeteer@">= 1.5.0 < 10" from jest-puppeteer@5.0.4
npm ERR! node_modules/jest-puppeteer
npm ERR!   dev jest-puppeteer@"5.0.4" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: puppeteer@9.1.1
npm ERR! node_modules/puppeteer
npm ERR!   peer puppeteer@">= 1.5.0 < 10" from jest-puppeteer@5.0.4
npm ERR!   node_modules/jest-puppeteer
npm ERR!     dev jest-puppeteer@"5.0.4" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /runner/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /runner/cache/others/npm/_logs/2026-05-22T01_41_47_823Z-debug-0.log