
Bump cookiecutter from 2.6.0 to 2.7.0 #651

Merged

sobolevn merged 1 commit into master from dependabot/pip/cookiecutter-2.7.0 on Mar 3, 2026

Conversation


@dependabot dependabot bot commented on behalf of github Mar 3, 2026

Bumps cookiecutter from 2.6.0 to 2.7.0.

Release notes

Sourced from cookiecutter's releases.

2.7.0

This release brings Cookiecutter up to Python 3.14, hardens the dependency tree against a batch of known vulnerabilities, and ships a proper security policy so researchers know where to report issues.

What's changed

Python 3.10 through 3.14. Cookiecutter now requires Python 3.10 or later and is tested through Python 3.14. If you're on 3.7, 3.8, or 3.9, this is the release where you'll need to upgrade.

What's new

  • Security policy. A SECURITY.md documents how to report vulnerabilities, what Cookiecutter does and doesn't sandbox, and the trust model around template hook scripts.

  • Bug report form. GitHub issue reporters get a structured form with required fields for environment details, replacing the freeform template.

  • jsonify indent parameter. The jsonify Jinja2 extension accepts an optional indent argument for controlling JSON formatting in templates. Thanks @pabloxio! (#2050)

  • Boolean CLI overrides work correctly. Passing --no-input with boolean variables from the command line (e.g., use_docker=y) properly converts them to booleans instead of leaving them as strings. Thanks @tylermilner! (#2029)

  • Tutorial videos and slides. The docs link to conference talk recordings and slides for the Cookiecutter tutorials. Thanks @datasharp! (#2137)

What's better

  • Deterministic directory ordering across platforms. Template generation produces the same file conflict resolution regardless of OS. Thanks @RaulWCosta! (#2099)

  • ZipFile handles closed properly. Zip-based templates release their file handles immediately after extraction, preventing locked-file issues on Windows. Thanks @mohiuddin-khan-shiam! (#2147)

  • Comprehensive type checking. mypy coverage expanded across the entire codebase, with type hints added to the CLI module and mypy whitelists reduced module by module. Thanks @danieleades! (#2015, #2041, #2042, #2051, #2053, #2056, #2059, #2060)

  • Ruff for linting and formatting. The project moved from flake8/isort/black to Ruff, with expanded lint groups covering pyflakes, pygrep, perf, and string formatting rules. Thanks @danieleades! (#2012, #2014, #2016, #2019, #2020, #2061)

  • Modernized packaging. Configuration moved from setup.cfg to pyproject.toml, dependency groups separated for lint and test, and the build system uses current standards. Thanks @jensens! (#2040)

  • Trusted publishing with build provenance. PyPI releases are published via OpenID Connect (no stored API tokens) and include SLSA provenance attestations, so users can verify that a package was built from this repository's CI.

  • Clearer installation docs. The README includes pipx as an installation alternative, and the programmatic usage example is corrected. Thanks @swikrityy-yy and @christine-ho-dev! (#2165, #2122)

What's fixed

  • Empty list in cookiecutter.json no longer crashes. A template with [] as a default value raises a clear ValueError instead of an IndexError. Thanks @meganlkm! (#2171)

  • Directory names render correctly. Template directory names that render to empty strings are handled gracefully instead of failing silently. Thanks @DanielZhangD! (#1991)

Security

Eight dependency vulnerabilities resolved through lockfile upgrades, all in transitive dependencies of the safety vulnerability scanner in the lint dependency group:

  • nltk 3.9.1 → 3.9.3 — Zip Slip remote code execution (CVE-2025-14009)
  • urllib3 2.5.0 → 2.6.3 — decompression bomb via redirects (CVE-2026-21441)
  • cryptography 45.0.6 → 46.0.5 — SECT curve subgroup attack (CVE-2026-26007)
  • authlib 1.6.1 → 1.6.8 — four issues including account takeover and JOSE handling
  • filelock 3.16.1 → 3.25.0 — TOCTOU symlink attacks in SoftFileLock

... (truncated)

Commits
  • 0baf519 Release 2.7.0
  • 14da090 Let contributors focus on what interests them, not a milestone plan
  • a4a7e99 Give release managers a safe, documented path from version bump to PyPI
  • cf3bd2f Drop the Release Drafter integration
  • 0ff1fa8 Tell template creators what Cookiecutter actually gives them
  • 154d946 Modernize the README around uv and a leaner project page
  • 379053c Ship releases with trusted publishing and build provenance attestations
  • ff98787 Point docs at GitHub releases instead of a local changelog file
  • 4858eb7 Organize release notes as individual files in CHANGELOG/
  • 7e00f8a Prevent DoS via marshmallow's many=True deserialization (Dependabot alert 9)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [cookiecutter](https://github.com/cookiecutter/cookiecutter) from 2.6.0 to 2.7.0.
- [Release notes](https://github.com/cookiecutter/cookiecutter/releases)
- [Commits](cookiecutter/cookiecutter@2.6.0...v2.7.0)

---
updated-dependencies:
- dependency-name: cookiecutter
  dependency-version: 2.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
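As an added illustration of two behaviours the release notes above describe (boolean --no-input overrides such as use_docker=y being coerced to real booleans, and an empty [] default raising a clear ValueError instead of an IndexError), here is an independent re-implementation; it is not cookiecutter's own code, and the function names and the sample cookiecutter.json are constructed for the example.

```python
import json

# Constructed sample cookiecutter.json, standing in for a real template's file.
SAMPLE_COOKIECUTTER_JSON = """
{
  "project_name": "demo",
  "use_docker": false,
  "license": ["MIT", "BSD-3", "GPL-3"]
}
"""

_TRUTHY = {"y", "yes", "true", "1", "on"}
_FALSY = {"n", "no", "false", "0", "off"}


def to_bool(value):
    """Coerce a CLI override such as 'y' or 'False' to a real bool."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in _TRUTHY:
        return True
    if text in _FALSY:
        return False
    raise ValueError(f"{value!r} is not a valid boolean value")


def parse_overrides(args):
    """Turn ['use_docker=y', 'license=MIT'] into a dict of raw strings."""
    pairs = (arg.split("=", 1) for arg in args)
    return {key: value for key, value in pairs}


def resolve_context(defaults, overrides):
    """Merge overrides into defaults, typing each value by its default."""
    context = {}
    for key, default in defaults.items():
        if isinstance(default, list):
            if not default:  # an empty choice list is a template bug: say so
                raise ValueError(f"{key!r}: choice list must not be empty")
            chosen = overrides.get(key, default[0])
            if chosen not in default:
                raise ValueError(f"{key!r}: {chosen!r} is not one of {default}")
            context[key] = chosen
        elif isinstance(default, bool):  # bool default => coerce the string
            context[key] = to_bool(overrides.get(key, default))
        else:
            context[key] = overrides.get(key, default)
    return context
```

Load the sample with `json.loads(SAMPLE_COOKIECUTTER_JSON)` and pass it together with `parse_overrides(["use_docker=y"])` to `resolve_context` to see the override arrive as `True` rather than the string `"y"`.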
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Mar 3, 2026
@sobolevn sobolevn merged commit 48eaffd into master Mar 3, 2026
6 checks passed
@dependabot dependabot bot deleted the dependabot/pip/cookiecutter-2.7.0 branch March 3, 2026 06:30