Bump cookiecutter from 2.6.0 to 2.7.1

[dependabot]

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

---

Bumps cookiecutter from 2.6.0 to 2.7.1.

Release notes

Sourced from cookiecutter's releases.

Cookiecutter 2.7.1: The One Where It Knows Its Own Name

You know that thing where you release an album, it's on the shelves, people are buying it, and then someone points out the spine says it's your previous album? That's what happened with Cookiecutter 2.7.0. We put out the long-awaited release with 27 improvements and 17 contributors, and cookiecutter -V proudly announced: 2.6.0.

$ cookiecutter -V
Cookiecutter 2.6.0
$ # narrator voice: it was not 2.6.0

Go on, run this and see for yourself that the 2.7.1 release knows its own version number now:

uv tool upgrade cookiecutter

What's fixed

cookiecutter -V now reports the real version. Rather than patch VERSION.txt, this release removes it entirely. The version is now read from package metadata at runtime, so pyproject.toml is the single source of truth and there's nothing left to drift. Thanks @​bollwyvl for the bug report PR and for suggesting the importlib.metadata approach, and thanks @​tranzystorekk for filing #2195!

What's better

CI runs each Python version as its own job. Tests for 3.10 through 3.14 used to run sequentially inside a single job per OS, which pushed Windows past 30 minutes. Each version now runs in parallel with a 15-minute timeout. Windows tests focus on the boundary versions (3.10 and 3.14) since intermediate versions add little signal beyond Ubuntu and macOS.

Contributors

@​audreyfeldroy (Audrey M. Roy Greenfeld) and @​pydanny (Daniel Roy Greenfeld) built this release, with help from Claude roleplaying as David Bowie.

Thanks to @​bollwyvl (Nicholas Bollweg) for the version fix PR and the importlib.metadata suggestion, and @​tranzystorekk for reporting the version mismatch.

2.7.0

Cookiecutter 2.7.0 is tested on Python 3.10 through 3.14, ships with a security policy documenting the trust model for template hook scripts, and publishes to PyPI with cryptographic provenance so you can verify every release. Seventeen contributors from the community helped build it.

uv tool upgrade cookiecutter

What's new

A security policy that explains what you're trusting. Cookiecutter templates can run arbitrary code through hook scripts, and that's by design. The new SECURITY.md lays out the trust model: what Cookiecutter sandboxes (nothing), what's in scope for vulnerability reports, and how to report them privately through GitHub. If you maintain templates or run unfamiliar ones, this is worth reading.

Python 3.10 through 3.14. Full test coverage across five Python versions. If you're on 3.7, 3.8, or 3.9, this is the release where you'll want to upgrade.

Pretty-printed JSON in templates. The jsonify Jinja2 extension takes an indent argument, so you can generate formatted JSON in your templates instead of single-line blobs. Thanks @​pabloxio! (#2050)

Boolean variables from the command line. Pass use_docker=y via --no-input and it arrives as a proper boolean in your template context. Thanks @​tylermilner! (#2029)

Structured bug reports. The GitHub issue form collects environment details upfront, so maintainers can reproduce your issue faster.

Tutorial videos and slides. Conference talk recordings and slide decks linked from the docs. Thanks @​datasharp! (#2137)

... (truncated)

Commits

• 083dd3c Release 2.7.1
• 59e7eb1 Ground the runtime version in package metadata instead of a hand-maintained file
• 730d2eb Run each Python version as its own CI job instead of sequentially
• db674d8 Reflect that PyPI publishing runs automatically on tag push
• 718f685 Release 2.7.0
• 14da090 Let contributors focus on what interests them, not a milestone plan
• a4a7e99 Give release managers a safe, documented path from version bump to PyPI
• cf3bd2f Drop the Release Drafter integration
• 0ff1fa8 Tell template creators what Cookiecutter actually gives them
• 154d946 Modernize the README around uv and a leaner project page
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies, python. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.