deps: Bump js-cookie to 3.0.0

src/static/js/pad_utils.js

@@ -383,17 +383,18 @@ const inThirdPartyIframe = () => {
 // This file is included from Node so that it can reuse randomString, but Node doesn't have a global
 // window object.
 if (typeof window !== 'undefined') {
-  exports.Cookies = require('js-cookie/src/js.cookie');
-  // Use `SameSite=Lax`, unless Etherpad is embedded in an iframe from another site in which case
-  // use `SameSite=None`. For iframes from another site, only `None` has a chance of working
-  // because the cookies are third-party (not same-site). Many browsers/users block third-party
-  // cookies, but maybe blocked is better than definitely blocked (which would happen with `Lax`
-  // or `Strict`). Note: `None` will not work unless secure is true.
-  //
-  // `Strict` is not used because it has few security benefits but significant usability drawbacks
-  // vs. `Lax`. See https://stackoverflow.com/q/41841880 for discussion.
-  exports.Cookies.defaults.sameSite = inThirdPartyIframe() ? 'None' : 'Lax';
-  exports.Cookies.defaults.secure = window.location.protocol === 'https:';
+  exports.Cookies = require('js-cookie/dist/js.cookie').withAttributes({
+    // Use `SameSite=Lax`, unless Etherpad is embedded in an iframe from another site in which case
+    // use `SameSite=None`. For iframes from another site, only `None` has a chance of working
+    // because the cookies are third-party (not same-site). Many browsers/users block third-party
+    // cookies, but maybe blocked is better than definitely blocked (which would happen with `Lax`
+    // or `Strict`). Note: `None` will not work unless secure is true.
+    //
+    // `Strict` is not used because it has few security benefits but significant usability drawbacks
+    // vs. `Lax`. See https://stackoverflow.com/q/41841880 for discussion.
+    sameSite: inThirdPartyIframe() ? 'None' : 'Lax',
+    secure: window.location.protocol === 'https:',
+  });
 }
 exports.randomString = randomString;
 exports.padutils = padutils;