From 86c7d888432fbf0efd33afaf392769fffac241fc Mon Sep 17 00:00:00 2001
From: Lotus Bot
Date: Fri, 22 May 2026 13:50:05 -0400
Subject: [PATCH] fix: override js-cookie to >=3.0.6 to resolve high severity CVE GHSA-qjx8-664m-686j: prototype hijack in js-cookie <= 3.0.5 used transitively via react-use in @giphy/react-components.
Co-Authored-By: Claude Sonnet 4.6
---
 package-lock.json | 11 +++++++----
 package.json | 3 ++-
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 469a1a246..21f5986dc 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -11282,10 +11282,13 @@
 }
 },
 "node_modules/js-cookie": {
- "version": "2.2.1",
- "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-2.2.1.tgz",
- "integrity": "sha512-HvdH2LzI/EAZcUwA8+0nKNtWHqS+ZmijLA30RwZA0bo7ToCckjK5MkGhjED9KoRcXO6BaGI3I9UIzSA1FKFPOQ==",
- "license": "MIT"
+ "version": "3.0.7",
+ "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-3.0.7.tgz",
+ "integrity": "sha512-z/wZZgDrkNV1eA0ULjM/F9/50Ya8fbzgKneSpoPsXSGd0KnpdtHfOZWK+GcwLk+EZbS4F9RBhU+K2RgzuDaItw==",
+ "license": "MIT",
+ "engines": {
+ "node": ">=20"
+ }
 },
 "node_modules/js-tokens": {
 "version": "4.0.0",
diff --git a/package.json b/package.json
index 119f4edf0..ab15d7ac2 100644
--- a/package.json
+++ b/package.json
@@ -173,6 +173,7 @@
 "overrides": {
 "@giphy/js-util": {
 "dompurify": ">=3.3.4"
- }
+ },
+ "js-cookie": ">=3.0.6"
 }
 }
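Review bot: The new top-level override `"js-cookie": ">=3.0.6"` in the package.json hunk has no upper bound, so a later lockfile regeneration can resolve to any future major release without anyone reviewing it; `"js-cookie": "^3.0.6"` keeps the fix for GHSA-qjx8-664m-686j and stays on the 3.x line. Because the override is global and the lockfile hunk shows the resolved version moving from 2.2.1 to 3.0.7, the transitive consumer named in the description (react-use) is presumably being pushed across a major version it did not declare, so the cookie code path reached through it should be exercised before merging. The resolved 3.0.7 entry also declares `"node": ">=20"`, which is worth checking against the Node version used in CI and deployment.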