JS: Replace jQuery.cookie with JS-cookie and provide a BC layer

[klonos]

This is the respective issue for https://www.drupal.org/project/drupal/issues/2550717 and its follow-up https://www.drupal.org/project/drupal/issues/3118726.

Problem/Motivation

jquery.cookie is no longer a maintained library. A replacement should be found.

...

This is used in jquery.joyride and the only real usage I have found. Also, jquery.joyride is not hard dependency on cookies.

Proposed resolution

Replace jquery.cookie with js-cookie library adding a backwards-compatibility layer. We can model the BC layer off of js-cookie v1.5.1 as well as the js-cookie v2.0.0 release notes:

We can use js-cookie v1.5.1 as reference for the BC layer as it was back compatible with jquery-cookie at that point.

https://github.com/js-cookie/js-cookie/blob/v1.5.1/src/js.cookie.js

The release notes v2.0.0 also contains some great notes on what we need to do on our BC layer.

https://github.com/js-cookie/js-cookie/releases/tag/v2.0.0

This approach was originally reviewed by droplet and confirmed by _nod in 2017. There is now a major version 3 in js-cookie that has a beta release. This is being evaluated in https://www.drupal.org/project/drupal/issues/3118726

jquery.cookie, js-cookie, and the object.assign polyfill are correctly loaded when using Internet Explorer 11. See #153 and #154.

jquery.joyride will no longer depend on jquery.cookie because tour module does not use the functionality that uses cookies.

Dependency evaluation

Maintainership of the package: Maintained by the excellent @carhartl, who also maintained jQuery cookie. It is actively maintained and the issue queue is very clean. I reviewed closed issues over the past several months and the response time is quite fast.

Security policies of the package: A documented security policy is not available online. Since this library is essentially a successor to jquery.cookie, the security approval granted to that library may extend to this one, but this is a judgement best suited to someone from the security team. In particular I'm not sure if 2.x will be supported once 3.x is out of beta. Issue to ask the maintainer opened at: js-cookie/js-cookie#614

Expected release and support cycles: The release schedule is irregular based on the maintainer's availability and need, but there tend to be a few releases a year. The releases are available at https://github.com/js-cookie/js-cookie/releases. The maintainer follows semver strictly insofar as one can with a JavaScript library. (Dots are used in tags for pre-release versions which differs from Drupal but is valid semver.

Code quality: > 2800 dependents, available in all popular package managers. It's trusted by many and any concerns will likely be assuaged by quickly reviewing the 163 lines (including whitespace) .

Other dependencies it would add, if any: no dependencies, only dev dependencies that Drupal never pulls in.

Release notes snippet

jquery.cookie has been replaced with js-cookie version 2. The core/js-cookie library is introduced, and a backwards-compatible shim is provided as core/jquery.cookie for Drupal 9. We may upgrade to js-cookie 3 if it is available before 9.0.0-rc1.

[indigoxela]

Tiny update on this: deprecated jquery.cookie has also been replaced with js-cookie in Drupal 8.9.0 release.

[klonos]

FTR: this also came up in #4718:

@indigoxela

Backdrop ships with jquery.cookie.js version 1.0 (2006), but that's pretty outdated:
The initial project has been archived and replaced by a new project js-cookie.

It seems that sameSite attribute support has been added in 2016: js-cookie/js-cookie#276

We should really update jquery.cookie.js. (or actually switch to js.cookie)

@quicksketch

Considering js-cookie and jquery.cookie.js were written by the same author, they helpfully provided a backwards-compatible approach that we might be able to use: https://github.com/js-cookie/js-cookie/tree/v1.5.1#migrating-from-jquery-cookie

$.cookie('name', 'value') === Cookies.set('name', 'value')
$.cookie('name') === Cookies.get('name')
$.removeCookie('name') === Cookies.remove('name')
$.cookie() === Cookies.get()

Though I'm not sure if that's really a good idea. Backdrop core's usage of the library is pretty minimal though, only in Tabledrag, Contact module, and Comment module.