Lately I've been catching up on open source. This is the backstory behind the Cookiecutter release cascade. One quick release turned into four all-consuming releases, a licensing dispute, chardet removal, a new decision tree classifier in binaryornot, and my new interest in becoming an expert at designing classifiers.
You know that thing where you release an album, it's on the shelves, people are buying it, and then someone points out the spine says it's your previous album? That's what happened with Cookiecutter 2.7.0. We put out the long-awaited release with 27 improvements and 17 contributors, and cookiecutter -V proudly announced: **2.6.0**.
Cookiecutter 2.7.0 is tested on Python 3.10 through 3.14, ships with a security policy documenting the trust model for template hook scripts, and publishes to PyPI with cryptographic provenance so you can verify every release. Seventeen contributors from the community helped build it.
If you maintain a Cookiecutter template that generates GitHub Actions workflows, you have a quiet problem: Dependabot keeps your outer repo's action SHAs current, but it completely ignores the template's workflows. The generated projects ship with whatever versions you happened to pin last.
I've put out the biggest release of cookiecutter-pypackage since the modern rewrite. Generated projects now ship with a documentation site, type checking, cross-version coverage enforcement, and security-hardened CI, all configured and working out of the box.