v3.0.0-beta.3

• Fixed importing ES module when not using a bundler - #583
• Made attributes + converter properties on api instance immutable again

v3.0.0-beta.2

• Fixed noConflict() no longer being present; as a result the api instance is no longer immutable again - #580

v3.0.0-beta.1

• Removed defaults in favor of a builder: now to supply an api instance with particular predefined (cookie) attributes there's Cookies.withAttributes(), e.g.:

const api = Cookies.withAttributes({
  path: '/',
  secure: true
})
api.set('key', 'value') // writes cookie with path: '/' and secure: true...

• The attributes that an api instance is configured with are exposed as attributes property; it's an immutable object and unlike defaults cannot be changed to configure the api.
• The mechanism to fall back to the standard, internal converter by returning a falsy value in a custom read converter has been removed. Instead the default converters are now exposed as Cookies.converter, which allows for implementing self-contained custom converters providing the same behavior:

const customReadConverter = (value, name) => {
  if (name === 'special') {
    return unescape(value)
  }
  return Cookies.converter.read(value)
}

• withConverter() no longer accepts a function as argument to be turned into a read converter. It is now required to always pass an object with the explicit type(s) of converter(s):

const api = Cookies.withConverter({
  read: (value, name) => unescape(value)
})

• The converter(s) that an api instance is configured with are exposed as converter property; it's an immutable object and cannot be changed to configure the api.
• The entire api instance is now immutable.

v3.0.0-beta.0

• Started providing library as ES module, in addition to UMD module. The module field in package.json points to an ES module variant of the library.
• Started using browser field instead of main in package.json (for the UMD variant of the library).
• Dropped support for IE < 10.
• Removed getJSON(): use Cookies.set('foo', JSON.stringify({ ... })) and JSON.parse(Cookies.get('foo')) instead.
• Removed support for Bower.
• Added minified versions to package - #501
• Improved support for url encoded cookie values (support case insensitive encoding) - #466, #530
• Expose default path via API - #541
• Handle falsy arguments passed to getters - #399
• No longer support Node 6 when building (LTS versions only).
• From < 900 bytes gzipped to < 800 bytes gzipped.

v2.2.1

• #400: Prevent XSS in the cookie attributes
• #350: Document npm package manager usage

v2.2.0

• #221: Only include files in src/ when building the npm package.
• #293: Allow undocumented attributes to be passed when creating a cookie
• #276 (comment): Support for SameSite cookie (Strict vs Lax)
• #371: Add jsDelivr CDN to the README (Update is supported by jsDelivr and the community)
• #363: getJSON() does not work on cookie with escaped quotes

v2.1.4

• #321: Create a security disclosure e-mail
• #291: Fix the "converters" header link in the README
• #273: Add more information about #remove method

v2.1.3

• #205: Add expired cookie detail to docs
• #215: Clarify the interoperability of default encoding
• #207: Add support for uglifyJS 'unsafe' option
• #223: Create an example in the docs for creating a cookie that expire in hours/minutes
• #225: Add a note in the README for cookies that expires in less than a day
• #250: Do not parse as JSON when window has a truthy 'json' prop
• #239: Add support for ES6 module imports
• #257: Register in AMD and UMD if both available

v2.1.2

• #189, #180, #177: Minor documentation improvements
• #204: Fix the docs, because It is not necessary the secure attribute when removing a cookie
• #196: Should not throw a Malformed URI Error when an unrelated cookie contains a malformed percent-encoding name according to the default encoding mechanism

v2.1.1

• #164: The library should not throw an error if the methods are used in node
• #145: Should not create a cookie if the .set() API is used incorrectly
• #130: Document Tomcat 8.0.15 non-compliance with RFC 6265 and workaround
• #171: Consider when js-cookie is included after a script that doesn't use semicolon