Problem/Motivation
jquery.cookie is no longer a maintained library. A replacement should be found.
> git grep core/jquery.cookie core\core.libraries.yml | wc -l
3
> git grep -l cookie -- "*.js"
core/assets/vendor/jquery-joyride/jquery.joyride-2.1.min.js
core/assets/vendor/jquery.cookie/jquery.cookie.min.js
This is used in jquery.joyride and the only real usage I have found. Also, jquery.joyride is not hard dependency on cookies.
https://github.com/zurb/joyride/blob/v2.1.0/jquery.joyride-2.1.js#L32
Proposed resolution
Replace jquery.cookie with js-cookie library adding a backwards-compatibility layer. We can model the BC layer off of js-cookie v1.5.1 as well as the js-cookie v2.0.0 release notes (#26).
This approach was originally reviewed by droplet and confirmed by _nod in 2017. There is now a major version 3 in js-cookie that has a beta release. This is being evaluated in #3118726: Evaluate/upgrade to js.cookie 3.
jquery.cookie, js-cookie, and the object.assign polyfill are correctly loaded when using Internet Explorer 11. See #153 and #154.
jquery.joyride will no longer depend on jquery.cookie because tour module does not use the functionality that uses cookies.
Remaining tasks
- Add more tests
- Review approach by JavaScript subsystem maintainers
API changes
Yes, with backwards-compatibility layer.
Dependency evaluation
Maintainership of the package: Maintained by the excellent carhartl, who also maintained jQuery cookie. It is actively maintained and the issue queue is very clean. I reviewed closed issues over the past several months and the response time is quite fast.
Security policies of the package: A documented security policy is not available online. Since this library is essentially a successor to jquery.cookie, the security approval granted to that library may extend to this one, but this is a judgement best suited to someone from the security team. In particular I'm not sure if 2.x will be supported once 3.x is out of beta. Issue to ask the maintainer opened at: https://github.com/js-cookie/js-cookie/issues/614
Expected release and support cycles: The release schedule is irregular based on the maintainer's availability and need, but there tend to be a few releases a year. The releases are available at https://github.com/js-cookie/js-cookie/releases. The maintainer follows semver strictly insofar as one can with a JavaScript library. (Dots are used in tags for pre-release versions which differs from Drupal but is valid semver.
Code quality: > 2800 dependents, available in all popular package managers. It's trusted by many and any concerns will likely be assuaged by quickly reviewing the 163 lines (including whitespace) .
Other dependencies it would add, if any: no dependencies, only dev dependencies that Drupal never pulls in.
Release notes snippet
jquery.cookie has been replaced with js-cookie version 2. The core/js-cookie library is introduced, and a backwards-compatible shim is provided as core/jquery.cookie for Drupal 9. We may upgrade to js-cookie 3 if it is available before 9.0.0-rc1.