You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The reason will be displayed to describe this comment to others. Learn more.
Stale comment
Risk HIGH: Upgrades js-cookie from 3.0.5 to 3.0.7 to address a security vulnerability.
Reasons
package.json is modified, which is an automatic HIGH risk trigger per classification rules
yarn.lock is modified with updated dependency resolution
The change itself is a minimal semver patch bump (3.0.5 → 3.0.7) for a single dependency
The diff is very small (5 additions, 5 deletions across 2 files) with no functional code changes
No application code, components, or content files are affected
Notes
Despite the HIGH classification (triggered by package.json/yarn.lock modification), the actual risk profile of this change is low — it is a straightforward minor version bump of a single dependency for a security fix
The reason will be displayed to describe this comment to others. Learn more.
this honestly feels like a complete unnecessary dependency. only used in one place too. might just be better to remove it and refactor the one place it's used.
this honestly feels like a complete unnecessary dependency. only used in one place too. might just be better to remove it and refactor the one place it's used.
Won't merge this quite yet, Let me audit the usages across our codebase
The reason will be displayed to describe this comment to others. Learn more.
Risk HIGH: Removes the js-cookie dependency entirely and replaces it with native document.cookie helpers in lib/attribution.ts.
Reasons
lib/attribution.ts is modified — a .ts file in lib/ triggers HIGH risk per classification rules
package.json is modified (removes js-cookie from dependencies and @types/js-cookie from devDependencies), which is an automatic HIGH risk trigger
yarn.lock is modified with dependency removals, and contains unresolved merge conflict markers (<<<<<<< HEAD, =======, >>>>>>>) that will break installs
The refactor replaces a well-tested library with custom cookie read/write functions (38 new lines of utility code), which introduces functional risk around cookie encoding, expiry handling, and edge cases
Total diff is small (46+/21- across 3 files), limiting blast radius despite the HIGH classification
Notes
Critical: The yarn.lock file contains unresolved git merge conflict markers (lines with <<<<<<< HEAD, =======, and >>>>>>>) — this must be resolved before merging or yarn install will fail
Reviewer should verify the custom getCookie regex handles all cookie name characters correctly (the regex escapes special chars, but edge cases with encoded values should be considered)
The setCookie function accepts expires as either a number (days) or a Date — verify the 864e5 constant (86,400,000 ms = 1 day) produces correct expiry behavior
The CookieOptions.sameSite is typed as string rather than a union type ("Strict" | "Lax" | "None") — consider tightening this for type safety
Confirm the Vercel preview deployment builds and the UTM cookie attribution flow works end-to-end per the author's test steps
The reason will be displayed to describe this comment to others. Learn more.
Merge conflict markers detected. This file contains unresolved git conflict markers (<<<<<<< HEAD, =======, >>>>>>>) which will cause yarn install to fail. This needs to be resolved before merging.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
andy-knock
requested review from
a team,
BenaventeX24 and
meryldakin
and removed request for
a team
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
kylemcd
left a comment
Description
https://linear.app/knock/issue/KNO-13317/control-marketing-site-docs-small-upgrade-for-js-cookie
@kylemcd pointed out our usage is pretty trivial.
I rewrote the code to remove the dependency entirely instead of maintaining it
Test steps:
Open
http://localhost:3002?utm_source=test&utm_medium=manualVerify that cookies are set correctly
Refresh page without utm headers, verify cookies persist