pypi cookiecutter 2.7.0
on Python PyPI

8 hours ago

This release brings Cookiecutter up to Python 3.14, hardens the dependency tree against a batch of known vulnerabilities, and ships a proper security policy so researchers know where to report issues.

What's changed

Python 3.10 through 3.14. Cookiecutter now requires Python 3.10 or later and is tested through Python 3.14. If you're on 3.7, 3.8, or 3.9, this is the release where you'll need to upgrade.

What's new

  • Security policy. A SECURITY.md documents how to report vulnerabilities, what Cookiecutter does and doesn't sandbox, and the trust model around template hook scripts.

  • Bug report form. GitHub issue reporters get a structured form with required fields for environment details, replacing the freeform template.

  • jsonify indent parameter. The jsonify Jinja2 extension accepts an optional indent argument for controlling JSON formatting in templates. Thanks @pabloxio! (#2050)

  • Boolean CLI overrides work correctly. Passing --no-input with boolean variables from the command line (e.g., use_docker=y) properly converts them to booleans instead of leaving them as strings. Thanks @tylermilner! (#2029)

  • Tutorial videos and slides. The docs link to conference talk recordings and slides for the Cookiecutter tutorials. Thanks @datasharp! (#2137)

What's better

  • Deterministic directory ordering across platforms. Template generation produces the same file conflict resolution regardless of OS. Thanks @RaulWCosta! (#2099)

  • ZipFile handles closed properly. Zip-based templates release their file handles immediately after extraction, preventing locked-file issues on Windows. Thanks @mohiuddin-khan-shiam! (#2147)

  • Comprehensive type checking. mypy coverage expanded across the entire codebase, with type hints added to the CLI module and mypy whitelists reduced module by module. Thanks @danieleades! (#2015, #2041, #2042, #2051, #2053#2056, #2059, #2060)

  • Ruff for linting and formatting. The project moved from flake8/isort/black to Ruff, with expanded lint groups covering pyflakes, pygrep, perf, and string formatting rules. Thanks @danieleades! (#2012, #2014, #2016, #2019, #2020, #2061)

  • Modernized packaging. Configuration moved from setup.cfg to pyproject.toml, dependency groups separated for lint and test, and the build system uses current standards. Thanks @jensens! (#2040)

  • Trusted publishing with build provenance. PyPI releases are published via OpenID Connect (no stored API tokens) and include SLSA provenance attestations, so users can verify that a package was built from this repository's CI.

  • Clearer installation docs. The README includes pipx as an installation alternative, and the programmatic usage example is corrected. Thanks @swikrityy-yy and @christine-ho-dev! (#2165, #2122)

What's fixed

  • Empty list in cookiecutter.json no longer crashes. A template with [] as a default value raises a clear ValueError instead of an IndexError. Thanks @meganlkm! (#2171)

  • Directory names render correctly. Template directory names that render to empty strings are handled gracefully instead of failing silently. Thanks @DanielZhangD! (#1991)

Security

Eight dependency vulnerabilities resolved through lockfile upgrades, all in transitive dependencies of the safety vulnerability scanner in the lint dependency group:

  • nltk 3.9.1 → 3.9.3 — Zip Slip remote code execution (CVE-2025-14009)
  • urllib3 2.5.0 → 2.6.3 — decompression bomb via redirects (CVE-2026-21441)
  • cryptography 45.0.6 → 46.0.5 — SECT curve subgroup attack (CVE-2026-26007)
  • authlib 1.6.1 → 1.6.8 — four issues including account takeover and JOSE handling
  • filelock 3.16.1 → 3.25.0 — TOCTOU symlink attacks in SoftFileLock
  • marshmallow 4.0.0 → 4.2.2 — DoS via Schema.load(many=True)

Contributors

@audreyfeldroy (Audrey M. Roy Greenfeld) designed and built this release: the security policy, Python 3.14 support, dependency hardening, bug report form, and packaging modernization.

@pydanny (Daniel Roy Greenfeld) modernized the CI/CD workflow, migrated docs to justfile, and updated Python version support.

Thanks to:

  • @danieleades for the massive type checking and linting overhaul across the entire codebase
  • @tylermilner (Tyler Milner) for fixing boolean CLI overrides
  • @pabloxio (Pablo Jaramillo) for the jsonify indent parameter
  • @RaulWCosta (Raul Wagner Costa) for deterministic directory ordering
  • @meganlkm (Megan Wood) for the empty list crash fix
  • @mohiuddin-khan-shiam for proper ZipFile handle cleanup
  • @DanielZhangD (Daniel Zhang) for the directory name rendering fix
  • @jensens (Jens W. Klein) for migrating configuration to pyproject.toml
  • @kurtmckee (Kurt McKee) for upgrading to safety v3
  • @luzfcb (Fábio C. Barrionuevo da Luz) for pytest config modernization
  • @datasharp (Kayla Sharp) for tutorial video and slide links
  • @christine-ho-dev (Christine Ho) for fixing the README programmatic example
  • @swikrityy-yy (Swikriti Adhikari) for clarifying installation instructions
  • @krishivs789 (Krishiv S) for stabilizing the README logo URL
  • @Fred-si (Frédéric) for updating CONTRIBUTING.md
  • @jkomalley (Kyle) for fixing outdated README shield URLs
  • @dominiqueplante (Dominique Plante) for README updates
Check out latest releases or
releases around cookiecutter 2.7.0

Don't miss a new cookiecutter release

NewReleases is sending notifications on new releases.

Get notifications