fix(router-core): update cookie-es dependency to v2.0.0

[gtg7784]

Description

When deploying applications that use @tanstack/router-core on AWS Amplify Hosting, the deployment fails with the following error:

H3Error: Cannot find package '/var/task/node_modules/cookie-es/index.js' 
imported from /var/task/node_modules/@tanstack/router-core/dist/esm/ssr/headers.js

Root Cause

The @tanstack/router-core package imports cookie-es but was using an older version (^1.2.2) that may have compatibility issues in certain deployment environments.

Solution

Updated cookie-es dependency from ^1.2.2 to ^2.0.0 in @tanstack/router-core's package.json.

This aligns with other packages in the monorepo that are already using cookie-es v2.0.0.

Fixes #5137

Summary by CodeRabbit

• Chores

  • Upgraded a cookie handling dependency to the latest major version within the routing module to improve stability, compatibility, and security posture.
  • No changes to public APIs or expected app behavior.

• Documentation

  • Not applicable.

• Tests

  • Not applicable.

• Bug Fixes

  • Not applicable.

[coderabbitai]

Walkthrough

Updated the cookie-es dependency version in packages/router-core/package.json from ^1.2.2 to ^2.0.0.

Changes

Cohort / File(s)	Summary
Dependency update packages/router-core/package.json	Bumped cookie-es dependency from ^1.2.2 to ^2.0.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks (5 passed)

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "fix(router-core): update cookie-es dependency to v2.0.0" clearly and concisely describes the primary change (updating the cookie-es dependency in router-core), follows conventional-commit style, and is specific and on-topic for the changeset.
Linked Issues Check	✅ Passed	The PR updates cookie-es in packages/router-core/package.json from ^1.2.2 to ^2.0.0, which directly implements the linked issue #5137's requested fix to declare/align the cookie-es dependency; the raw_summary shows this is the single code change, so the coding-related requirement is satisfied.
Out of Scope Changes Check	✅ Passed	The diff contains only a version bump for cookie-es in packages/router-core/package.json and no other file or code changes, so there are no out-of-scope or unrelated modifications present in this PR.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

Poem

I nibble through deps with a hop and a cheer,
Cookie-es bumped—now the path is clear.
No crumbs left behind in the build parade,
Ship it swift through the Amplify glade.
Thump-thump! Version two, unafraid.

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

packages/router-core/package.json (1)

84-84: Add a patch changeset for router-core

Since this change fixes a production install/runtime issue, add a patch changeset for @tanstack/router-core to ensure a release is cut.

Example changeset (create under .changeset/ e.g. fix-router-core-cookie-es.md):

---
"@tanstack/router-core": patch
---

fix(router-core): declare cookie-es as a dependency and bump to ^2.0.0 to prevent SSR module resolution failures on AWS Amplify/Lambda.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ca84fb0 and 166fb55.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• packages/router-core/package.json (1 hunks)

🔇 Additional comments (1)

packages/router-core/package.json (1)

84-84: Add cookie-es as a runtime dependency (dependencies) at ^2.0.0

Declare/move "cookie-es" into dependencies in packages/router-core/package.json to avoid SSR module-not-found; verify v2.x is the intended upstream release and ESM/CJS behavior.

File: packages/router-core/package.json — current line:

    "cookie-es": "^2.0.0",

Sanity checks to run:

• Search for subpath imports that could break across bundlers/CDNs:

rg -nP -C2 "(from|require\()\s*['\"]cookie-es(?:/index\.js|/index|/.+)['\"]" -g "packages/**"
rg -nP -C2 "(from|require\()\s*['\"]cookie-es['\"]" packages/router-core/src

• Verify no other packages in the monorepo still use ^1.x:

rg -n '"cookie-es":' -g "packages/**/package.json"

• If deploying on AWS Amplify/Lambda, confirm the SSR host Node runtime is >=16/18 to avoid resolution issues.

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 166fb55

Command	Status	Duration	Result
nx affected --targets=test:eslint,test:unit,tes...	✅ Succeeded	5m 3s	View ↗
nx run-many --target=build --exclude=examples/*...	✅ Succeeded	1m 30s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-09-13 05:38:25 UTC

[schiller-manuel]

closed in favor of #5195

[gtg7784]

closed in favor of #5195

Thanks :_