Cookiecutter 2.7.0 is tested on Python 3.10 through 3.14, ships with a security policy documenting the trust model for template hook scripts, and publishes to PyPI with cryptographic provenance so you can verify every release. Seventeen contributors from the community helped build it.
uv tool upgrade cookiecutter
What's new
A security policy that explains what you're trusting. Cookiecutter templates can run arbitrary code through hook scripts, and that's by design. The new SECURITY.md lays out the trust model: what Cookiecutter sandboxes (nothing), what's in scope for vulnerability reports, and how to report them privately through GitHub. If you maintain templates or run unfamiliar ones, this is worth reading.
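One practical consequence of that trust model is that a template should be read before it is run. The script below is an added example (not Cookiecutter's own code) that audits a template checkout: it lists the hook scripts the template would execute, notes whether they reference the context (hooks are rendered through Jinja2 before they run, so the executed code can depend on prompt answers), and lists the keys cookiecutter.json declares. It assumes only the documented layout (cookiecutter.json at the root, hooks under hooks/ named pre_gen_project.* or post_gen_project.*); the template it builds in a temporary directory is constructed sample data.

```python
"""Pre-run audit of a Cookiecutter template checkout.

Added example, not Cookiecutter's own code. It relies only on the documented
template layout: cookiecutter.json at the template root and optional hook
scripts under hooks/ named pre_gen_project.* or post_gen_project.*. Hooks are
Jinja2-rendered and then executed with the invoking user's privileges, with no
sandbox, so the aim is to surface them for review before cookiecutter runs.
"""
import json
import tempfile
from pathlib import Path

HOOK_STEMS = ("pre_gen_project", "post_gen_project")


def audit_template(template_dir):
    """Return a report: every hook script found, plus the context keys the template declares."""
    root = Path(template_dir)
    report = {"hooks": [], "context_keys": []}

    hooks_dir = root / "hooks"
    if hooks_dir.is_dir():
        for path in sorted(hooks_dir.iterdir()):
            if path.is_file() and path.stem in HOOK_STEMS:
                text = path.read_text(encoding="utf-8", errors="replace")
                first_line = text.splitlines()[0] if text.strip() else ""
                report["hooks"].append(
                    {
                        "name": path.name,
                        "bytes": path.stat().st_size,
                        "shebang": first_line if first_line.startswith("#!") else None,
                        # Hook scripts are rendered as Jinja2 templates before they run,
                        # so the code that executes can depend on prompt-time values.
                        "uses_context": "cookiecutter." in text,
                    }
                )

    context_file = root / "cookiecutter.json"
    if context_file.is_file():
        report["context_keys"] = sorted(json.loads(context_file.read_text(encoding="utf-8")))
    return report


def has_hooks(report):
    """True when generating from this template will execute code, not just render files."""
    return bool(report["hooks"])


def build_sample_template(base_dir):
    """Write a constructed minimal template (sample data for this demo) and return its path."""
    root = Path(base_dir) / "demo-template"
    (root / "hooks").mkdir(parents=True)
    (root / "{{cookiecutter.project_slug}}").mkdir()
    (root / "cookiecutter.json").write_text(
        json.dumps({"project_name": "Demo", "project_slug": "demo"}), encoding="utf-8"
    )
    (root / "hooks" / "post_gen_project.py").write_text(
        "#!/usr/bin/env python\n"
        "# constructed sample hook: prints a rendered context value\n"
        "print('generated {{ cookiecutter.project_slug }}')\n",
        encoding="utf-8",
    )
    return root


def demo():
    """Build the sample template in a temporary directory, audit it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_template(build_sample_template(tmp))


if __name__ == "__main__":
    report = demo()
    for hook in report["hooks"]:
        print(f"hook {hook['name']}: {hook['bytes']} bytes, shebang={hook['shebang']}, "
              f"uses_context={hook['uses_context']}")
    print("review hooks before running" if has_hooks(report) else "no hooks: only files are rendered")
```

Point it at a real template directory with `audit_template(path)`; an empty `hooks` list means generation only renders files, anything else is code that will run with your privileges and deserves a read first.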
Python 3.10 through 3.14. Full test coverage across five Python versions. If you're on 3.7, 3.8, or 3.9, this is the release where you'll want to upgrade.
Pretty-printed JSON in templates. The jsonify Jinja2 extension takes an indent argument, so you can generate formatted JSON in your templates instead of single-line blobs. Thanks @pabloxio! (#2050)
Boolean variables from the command line. Pass use_docker=y via --no-input and it arrives as a proper boolean in your template context. Thanks @tylermilner! (#2029)
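To make the behaviour concrete, here is an added example (not Cookiecutter's implementation of #2029) of the coercion step: key=value arguments come off the command line as strings, and where the template's cookiecutter.json default is a bool the override is parsed into a real bool before it reaches the context. The accepted spellings, the key=value parser and the decision to ignore keys the template does not declare are this example's own choices.

```python
"""Turn key=value overrides from the command line into typed context values.

Added example, not Cookiecutter's implementation of this change. It assumes the
usual flow: cookiecutter.json supplies defaults (which may be bool), extra
key=value arguments arrive as strings, and a value overriding a boolean default
must become a real bool before the template sees it.
"""
TRUE_WORDS = {"y", "yes", "true", "1", "on"}
FALSE_WORDS = {"n", "no", "false", "0", "off"}


def to_bool(value):
    """Parse the yes/no spellings a user is likely to type; reject anything else loudly."""
    if isinstance(value, bool):
        return value
    word = str(value).strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ValueError(f"{value!r} is not a boolean; use one of {sorted(TRUE_WORDS | FALSE_WORDS)}")


def parse_extra_context(args):
    """Split ['use_docker=y', 'project_name=Demo'] into a dict of raw string values."""
    overrides = {}
    for arg in args:
        key, sep, raw = arg.partition("=")
        if not sep or not key:
            raise ValueError(f"expected key=value, got {arg!r}")
        overrides[key] = raw
    return overrides


def merge_context(defaults, overrides):
    """Apply overrides to defaults, coercing to bool wherever the default is a bool.

    Keys the template does not declare are ignored (a choice made for this
    example: cookiecutter.json is treated as the definition of the context).
    """
    context = dict(defaults)
    for key, raw in overrides.items():
        if key not in defaults:
            continue
        context[key] = to_bool(raw) if isinstance(defaults[key], bool) else raw
    return context


if __name__ == "__main__":
    # constructed cookiecutter.json defaults
    defaults = {"project_name": "Demo", "use_docker": False}
    ctx = merge_context(defaults, parse_extra_context(["use_docker=y"]))
    print(ctx)  # {'project_name': 'Demo', 'use_docker': True}
```

The coercion matters for correctness, not just tidiness: a non-empty string is truthy in Jinja2, so if `use_docker=n` stayed the string `"n"`, a template's `{% if cookiecutter.use_docker %}` would take the wrong branch.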
Structured bug reports. The GitHub issue form collects environment details upfront, so maintainers can reproduce your issue faster.
Tutorial videos and slides. Conference talk recordings and slide decks linked from the docs. Thanks @datasharp! (#2137)
What's better
Verified PyPI releases. Every release is published via OpenID Connect (no stored API tokens) with SLSA provenance attestations. You can cryptographically verify that the package you installed was built from this repository's CI.
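What "verify" means in practice: PyPI serves a provenance object for each release file (PEP 740), and each attestation bundle in it records the Trusted Publisher the upload came from. The script below is an added example, not Cookiecutter's or PyPI's code, that checks those publisher claims against the repository you expect. The JSON it reads is a constructed sample: the slug cookiecutter/cookiecutter is the project's GitHub repository (not stated on this page), and the workflow and environment names are placeholders. It inspects claims only; signature verification of the Sigstore bundles is the job of a tool such as pypi-attestations.

```python
"""Inspect the publisher claims in a PEP 740 provenance object before trusting a release file.

Added example, not Cookiecutter's or PyPI's code. PyPI serves one provenance
object per release file (PEP 740); each entry in attestation_bundles carries a
publisher block recording which Trusted Publisher (for GitHub: repository and
workflow) PyPI accepted the upload from. The sample below is constructed: the
repository slug is the project's GitHub repository (assumed, not from the page)
and the workflow/environment names are placeholders. This check reads those
claims only; it does not verify the Sigstore signatures.
"""
import json

EXPECTED_REPOSITORY = "cookiecutter/cookiecutter"  # assumed project repository slug

SAMPLE_PROVENANCE = json.dumps(
    {
        "version": 1,
        "attestation_bundles": [
            {
                "publisher": {
                    "kind": "GitHub",
                    "repository": "cookiecutter/cookiecutter",
                    "workflow": "release.yml",  # placeholder, not from the page
                    "environment": "pypi",      # placeholder, not from the page
                },
                # Real bundles carry Sigstore material here; only the shape is kept.
                "attestations": [{"version": 1, "verification_material": {}, "envelope": {}}],
            }
        ],
    }
)


def inspect_provenance(provenance_json, expected_repository, expected_kind="GitHub"):
    """Return one finding per attestation bundle, ok=True when the publisher matches."""
    doc = json.loads(provenance_json)
    if doc.get("version") != 1:
        raise ValueError(f"unsupported provenance version {doc.get('version')!r}")
    bundles = doc.get("attestation_bundles") or []
    if not bundles:
        raise ValueError("no attestation bundles: this file was uploaded without provenance")
    findings = []
    for bundle in bundles:
        publisher = bundle.get("publisher") or {}
        findings.append(
            {
                "kind": publisher.get("kind"),
                "repository": publisher.get("repository"),
                "workflow": publisher.get("workflow"),
                "ok": (
                    publisher.get("kind") == expected_kind
                    and publisher.get("repository") == expected_repository
                    and bool(bundle.get("attestations"))
                ),
            }
        )
    return findings


def publisher_matches(provenance_json, expected_repository):
    """True only when every bundle was published from the expected repository."""
    return all(f["ok"] for f in inspect_provenance(provenance_json, expected_repository))


if __name__ == "__main__":
    for finding in inspect_provenance(SAMPLE_PROVENANCE, EXPECTED_REPOSITORY):
        print(finding)
    print("publisher ok" if publisher_matches(SAMPLE_PROVENANCE, EXPECTED_REPOSITORY) else "MISMATCH")
```

A publisher claim that names the wrong repository, a different provider, or no attestations at all is the thing to reject; a matching claim is necessary but not sufficient, because the signatures inside each bundle still have to check out against the Sigstore log, which is what running a full verifier over the downloaded wheel or sdist adds.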
Same results on every OS. Template generation produces deterministic directory ordering regardless of platform. No more platform-specific file conflict surprises. Thanks @RaulWCosta! (#2099)
Zip-based templates release file handles immediately. No more locked-file issues on Windows when using cached zip templates. Thanks @mohiuddin-khan-shiam! (#2147)
Type-checked top to bottom. mypy coverage spans the entire codebase, with type hints added module by module. Thanks @danieleades for the massive effort! (#2015, #2041, #2042, #2051, #2053–#2056, #2059, #2060)
Ruff everywhere. Linting and formatting moved from flake8/isort/black to Ruff, with expanded rule groups covering pyflakes, pygrep, perf, and string formatting. Thanks @danieleades! (#2012, #2014, #2016, #2019, #2020, #2061)
Modern packaging. Config lives in pyproject.toml, with separated dependency groups for lint and test. Thanks @jensens! (#2040)
Clearer installation docs. The README includes pipx as an alternative, and the programmatic usage example is corrected. Thanks @swikrityy-yy and @christine-ho-dev! (#2165, #2122)
What's fixed
Empty lists in cookiecutter.json raise a clear error. A template with [] as a default value gets a helpful ValueError instead of a confusing IndexError. Thanks @meganlkm! (#2171)
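The reason the old error was an IndexError is the cookiecutter.json convention that a list is a choice variable whose first element is the default, so an empty list has nothing to index. The added example below (not Cookiecutter's own prompt code) resolves the default for each entry under that convention and rejects an empty list with a ValueError that names the offending key; treating underscore-prefixed keys as private settings that pass through unchanged is this example's reading of the documented convention.

```python
"""Resolve the default each cookiecutter.json entry offers at the prompt.

Added example, not Cookiecutter's own prompt code. It follows the documented
cookiecutter.json conventions: a string or bool is used as-is, a list is a
choice variable whose first element is the default, a dict is a nested
dictionary variable, and keys starting with an underscore are private settings
that are never prompted. An empty list has no first element to offer, so it is
rejected with a ValueError naming the key instead of the IndexError that
indexing an empty list would raise.
"""
import json


def default_for(key, value):
    """Return the value presented as the default for one public context entry."""
    if isinstance(value, list):
        if not value:
            raise ValueError(
                f"{key!r} is a choice variable with no choices: "
                "lists in cookiecutter.json must contain at least one option"
            )
        return value[0]
    return value


def resolve_defaults(raw_context):
    """Map every public key to its prompt default; private (_-prefixed) keys pass through."""
    resolved = {}
    for key, value in raw_context.items():
        resolved[key] = value if key.startswith("_") else default_for(key, value)
    return resolved


if __name__ == "__main__":
    # constructed cookiecutter.json contents
    good = json.loads(
        '{"project_name": "Demo", "license": ["MIT", "BSD-3", "none"], '
        '"use_docker": false, "_extensions": []}'
    )
    print(resolve_defaults(good))
    try:
        resolve_defaults({"license": []})
    except ValueError as exc:
        print("rejected:", exc)
```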
Directory names that render to empty strings. Handled gracefully instead of failing silently. Thanks @DanielZhangD! (#1991)
Development dependency updates (no user impact)
The safety vulnerability scanner in the lint dependency group pulls in its own tree of transitive dependencies. These packages are never installed by pip install cookiecutter or uv tool install cookiecutter. We updated the lockfile to resolve 8 CVEs across nltk, urllib3, cryptography, authlib, filelock, and marshmallow (CVE-2025-14009, CVE-2026-21441, CVE-2026-26007, and 5 others).
No Cookiecutter user was exposed to these vulnerabilities.
Contributors
@audreyfeldroy (Audrey M. Roy Greenfeld) designed and built this release: the security policy, Python 3.14 support, dependency hardening, bug report form, and packaging modernization.
@pydanny (Daniel Roy Greenfeld) modernized the CI/CD workflow, migrated docs to justfile, and updated Python version support.
Thanks to:
- @danieleades for the massive type checking and linting overhaul across the entire codebase
- @tylermilner (Tyler Milner) for boolean CLI variable conversion
- @pabloxio (Pablo Jaramillo) for the jsonify indent parameter
- @RaulWCosta (Raul Wagner Costa) for deterministic directory ordering
- @meganlkm (Megan Wood) for the empty list error handling
- @mohiuddin-khan-shiam for proper ZipFile handle cleanup
- @DanielZhangD (Daniel Zhang) for the directory name rendering fix
- @jensens (Jens W. Klein) for migrating configuration to pyproject.toml
- @kurtmckee (Kurt McKee) for upgrading to safety v3
- @luzfcb (Fábio C. Barrionuevo da Luz) for pytest config modernization
- @datasharp (Kayla Sharp) for tutorial video and slide links
- @christine-ho-dev (Christine Ho) for fixing the README programmatic example
- @swikrityy-yy (Swikriti Adhikari) for clarifying installation instructions
- @krishivs789 (Krishiv S) for stabilizing the README logo URL
- @Fred-si (Frédéric) for updating CONTRIBUTING.md
- @jkomalley (Kyle) for fixing outdated README shield URLs
- @dominiqueplante (Dominique Plante) for README updates
Tags: python, cookiecutter, open-source