diff --git a/src/node/utils/tar.json b/src/node/utils/tar.json
index 7f1fe0135..e6caa3e67 100644
--- a/src/node/utils/tar.json
+++ b/src/node/utils/tar.json
@@ -2,7 +2,7 @@
"pad.js": [
"pad.js"
, "pad_utils.js"
- , "$js-cookie/src/js.cookie.js"
+ , "$js-cookie/dist/js.cookie.js"
, "security.js"
, "$security.js"
, "vendors/browser.js"
@@ -21,7 +21,7 @@
, "pad_connectionstatus.js"
, "chat.js"
, "vendors/gritter.js"
- , "$js-cookie/src/js.cookie.js"
+ , "$js-cookie/dist/js.cookie.js"
, "$tinycon/tinycon.js"
, "vendors/farbtastic.js"
, "skin_variants.js"
@@ -33,7 +33,7 @@
, "colorutils.js"
, "draggable.js"
, "pad_utils.js"
- , "$js-cookie/src/js.cookie.js"
+ , "$js-cookie/dist/js.cookie.js"
, "vendors/browser.js"
, "pad_cookie.js"
, "pad_editor.js"
@@ -73,7 +73,7 @@
, "scroll.js"
, "caretPosition.js"
, "pad_utils.js"
- , "$js-cookie/src/js.cookie.js"
+ , "$js-cookie/dist/js.cookie.js"
, "security.js"
, "$security.js"
]
diff --git a/src/package-lock.json b/src/package-lock.json
index 5e66a91fe..e30e67e83 100644
--- a/src/package-lock.json
+++ b/src/package-lock.json
@@ -3372,9 +3372,9 @@
}
},
"js-cookie": {
- "version": "2.2.1",
- "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-2.2.1.tgz",
- "integrity": "sha512-HvdH2LzI/EAZcUwA8+0nKNtWHqS+ZmijLA30RwZA0bo7ToCckjK5MkGhjED9KoRcXO6BaGI3I9UIzSA1FKFPOQ=="
+ "version": "3.0.0",
+ "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-3.0.0.tgz",
+ "integrity": "sha512-oUbbplKuH07/XX2YD2+Q+GMiPpnVXaRz8npE7suhBH9QEkJe2W7mQ6rwuMXHue3fpfcftQwzgyvGzIHyfCSngQ=="
},
"js-tokens": {
"version": "4.0.0",
diff --git a/src/package.json b/src/package.json
index 5ed26653e..8eaa4924a 100644
--- a/src/package.json
+++ b/src/package.json
@@ -45,7 +45,7 @@
"find-root": "1.1.0",
"formidable": "1.2.2",
"http-errors": "1.8.0",
- "js-cookie": "^2.2.1",
+ "js-cookie": "^3.0.0",
"jsdom": "^16.7.0",
"jsonminify": "0.4.1",
"languages4translatewiki": "0.1.3",
diff --git a/src/static/js/pad_utils.js b/src/static/js/pad_utils.js
index 7b2d50604..6fb46fde0 100644
--- a/src/static/js/pad_utils.js
+++ b/src/static/js/pad_utils.js
@@ -383,17 +383,18 @@ const inThirdPartyIframe = () => {
// This file is included from Node so that it can reuse randomString, but Node doesn't have a global
// window object.
if (typeof window !== 'undefined') {
- exports.Cookies = require('js-cookie/src/js.cookie');
- // Use `SameSite=Lax`, unless Etherpad is embedded in an iframe from another site in which case
- // use `SameSite=None`. For iframes from another site, only `None` has a chance of working
- // because the cookies are third-party (not same-site). Many browsers/users block third-party
- // cookies, but maybe blocked is better than definitely blocked (which would happen with `Lax`
- // or `Strict`). Note: `None` will not work unless secure is true.
- //
- // `Strict` is not used because it has few security benefits but significant usability drawbacks
- // vs. `Lax`. See https://stackoverflow.com/q/41841880 for discussion.
- exports.Cookies.defaults.sameSite = inThirdPartyIframe() ? 'None' : 'Lax';
- exports.Cookies.defaults.secure = window.location.protocol === 'https:';
+ exports.Cookies = require('js-cookie/dist/js.cookie').withAttributes({
+ // Use `SameSite=Lax`, unless Etherpad is embedded in an iframe from another site in which case
+ // use `SameSite=None`. For iframes from another site, only `None` has a chance of working
+ // because the cookies are third-party (not same-site). Many browsers/users block third-party
+ // cookies, but maybe blocked is better than definitely blocked (which would happen with `Lax`
+ // or `Strict`). Note: `None` will not work unless secure is true.
+ //
+ // `Strict` is not used because it has few security benefits but significant usability drawbacks
+ // vs. `Lax`. See https://stackoverflow.com/q/41841880 for discussion.
+ sameSite: inThirdPartyIframe() ? 'None' : 'Lax',
+ secure: window.location.protocol === 'https:',
+ });
}
exports.randomString = randomString;
exports.padutils = padutils;
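Review bot: The `SameSite`/`Secure` defaults now exist only on the instance returned by `withAttributes()` in the `exports.Cookies = ...` assignment, whereas the removed lines mutated `Cookies.defaults` on the shared module object. Any code that requires `js-cookie` directly instead of going through `exports.Cookies` (none is visible in this diff, so this is inferred) would therefore write cookies with neither attribute. It is worth searching core and plugins for direct requires, and for uses of `Cookies.defaults` or `getJSON`, which as far as I know no longer exist in 3.x. I would also add a comment above the assignment such as `// Always set cookies through padutils.Cookies; a direct require('js-cookie') does not carry these attributes.`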
diff --git a/src/tests/frontend/index.html b/src/tests/frontend/index.html
index 9f542ee13..22c42ab15 100644
--- a/src/tests/frontend/index.html
+++ b/src/tests/frontend/index.html
@@ -18,7 +18,7 @@
-
+