⬆️ Updates cookiecutter to v2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
cookiecutter	==1.7.3 → ==2.1.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2022-24065

The package cookiecutter before 2.1.1 is vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.

---

Release Notes

cookiecutter/cookiecutter (cookiecutter)

v2.1.1

Compare Source

Documentation updates

• Fix local extensions documentation (#​1686) @​alkatar21

Bugfixes

• Sanitize Mercurial branch information before checkout. (#​1689) @​ericof

This release is made by wonderful contributors:

@​alkatar21, @​ericof and @​jensens

v2.1.0

Compare Source

Preamble

This release log lists all changes from 1.7.3 to this release.
It includes the log of the 2.0.x releases, which were never published on PyPI.
Because of that it might look a bit blurry.

We release the current stable state of the project, knowing there are a bunch of open pull requests.
Those will be reviewed by the core-committers and merged or dropped.

Future releases will happen more frequently. Stay tuned.

Fetch fresh from PyPI https://pypi.org/project/cookiecutter/2.1.0/

Changes

• Move contributors and backers to credits section (#​1599) @​doobrie
• test_generate_file_verbose_template_syntax_error fixed (#​1671) @​MaciejPatro
• Removed changes related to setuptools_scm (#​1629) @​ozer550
• Release 2.0.1 (#​1620) @​audreyfeldroy

Breaking Changes

• Release preparation for 2.0.1rc1 (#​1608) @​audreyfeldroy
• Replace poyo with pyyaml. (#​1489) @​dHannasch
• Added: Path templates will be rendered when copy_without_render used (#​839) @​noirbizarre
• Added: End of line detection and configuration. (#​1407) @​insspb
• Remove support for python2.7 (#​1386) @​ssbarnea

Minor Changes

• Documentation overhaul (#​1677) @​jensens
• Feature/local extensions (#​1240) @​mwesterhof
• Adopt setuptools-scm packaging (#​1577) @​ssbarnea
• Log the error message when git clone fails, not just the return code (#​1505) @​logworthy
• allow jinja 3.0.0 (#​1548) @​wouterdb
• Added uuid extension to be able to generate uuids (#​1493) @​jonaswre
• Alert user if choice is invalid (#​1496) @​dHannasch
• Replace poyo with pyyaml. (#​1489) @​dHannasch
• update AUTHOR lead (#​1532) @​HosamAlmoghraby
• Add Python 3.9 (#​1478) @​gliptak
• Added: --list-installed cli option, listing already downloaded cookiecutter packages (#​1096) @​chrisbrake
• Added: Jinja2 Environment extension on files generation stage (#​1419) @​insspb
• Added: --replay-file cli option, for replay file distributing (#​906) @​Cadair
• Added: _output_dir to cookiecutter context (#​1034) @​Casyfill
• Added: CLI option to ignore hooks (#​992) @​rgreinho
• Changed: Generated projects can use multiple type hooks at same time. (sh + py) (#​974) @​milonimrod
• Added: Path templates will be rendered when copy_without_render used (#​839) @​noirbizarre
• Added: End of line detection and configuration. (#​1407) @​insspb
• Making code python 3 only: Remove python2 u' sign, fix some strings (#​1402) @​insspb
• py3: remove futures, six and encoding (#​1401) @​insspb
• Render variables starting with an underscore. (#​1339) @​smoothml
• Tests refactoring: test_utils write issues fixed #​1405 (#​1406) @​insspb

CI/CD and QA changes

• Check manifest: pre-commit, fixes, cleaning (#​1683) @​jensens
• Follow PyPA guide to release package using GitHub Actions. (#​1682) @​ericof
• enable branch coverage (#​1542) @​simobasso
• Make release-drafter diff only between master releases (#​1568) @​SharpEdgeMarshall
• ensure filesystem isolation during tests execution (#​1564) @​simobasso
• add safety ci step (#​1560) @​simobasso
• pre-commit: add bandit hook (#​1559) @​simobasso
• Replace tmpdir in favour of tmp_path (#​1545) @​SharpEdgeMarshall
• Fix linting in CI (#​1546) @​SharpEdgeMarshall
• Coverage 100% (#​1526) @​SharpEdgeMarshall
• Run coverage with matrix (#​1521) @​SharpEdgeMarshall
• Lint rst files (#​1443) @​ssbarnea
• Python3: Changed io.open to build-in open (PEP3116) (#​1408) @​insspb
• Making code python 3 only: Remove python2 u' sign, fix some strings (#​1402) @​insspb
• py3: remove futures, six and encoding (#​1401) @​insspb
• Removed: Bumpversion, setup.py arguments. (#​1404) @​insspb
• Tests refactoring: test_utils write issues fixed #​1405 (#​1406) @​insspb
• Added: Automatic PyPI deploy on tag creation (#​1400) @​insspb
• Changed: Restored coverage reporter (#​1399) @​insspb

Documentation updates

• Fix typo in dict_variables.rst (#​1680) @​ericof
• Documentation overhaul (#​1677) @​jensens
• Fixed incorrect link on docs. (#​1649) @​luzfcb
• Fix pull requests checklist reference (#​1537) @​glumia
• Fix author name (#​1544) @​HosamAlmoghraby
• Add missing contributors (#​1535) @​glumia
• Update CONTRIBUTING.md (#​1529) @​glumia
• Update LICENSE (#​1519) @​simobasso
• docs: rewrite the conditional files / directories example description. (#​1437) @​lyz-code
• Fix incorrect years in release history (#​1473) @​graue70
• Add slugify in the default extensions list (#​1470) @​oncleben31
• Renamed cookiecutter.package to API (#​1442) @​cxnstantius
• Fixed wording detail (#​1427) @​steltenpower
• Changed: CLI Commands documentation engine (#​1418) @​insspb
• Added: Example for conditional files / directories in hooks (#​1397) @​xyb
• Changed: README.md PyPI URLs changed to the modern PyPI last version (#​1391) @​brettcannon
• Fixed: Comma in README.md (#​1390) @​Cy-dev-tex
• Fixed: Replaced no longer maintained pipsi by pipx (#​1395) @​ndclt

Bugfixes

• Restore accidentally deleted support for click 8.x (#​1643) @​jaklan
• Fix Python version number in cookiecutter --version and test on Python 3.10 (#​1621) @​ozer550
• Add support for click 8.x (#​1569) @​cjolowicz
• Force click<8.0.0 (#​1562) @​SharpEdgeMarshall
• Remove direct dependency on markupsafe (#​1549) @​ssbarnea
• fixes prompting private rendered dicts (#​1504) @​juhuebner
• User's JSON parse error causes ugly Python exception #​809 (#​1468) @​noone234
• config: set default on missing default_context key (#​1516) @​simobasso
• Fixed: Values encoding on Windows (#​1414) @​agateau
• Fixed: Fail with gitolite repositories (#​1144) @​javiersanp
• MANIFEST: Fix file name extensions (#​1387) @​sebix

Deprecations

• Removed: Bumpversion, setup.py arguments. (#​1404) @​insspb

This release is made by wonderfull contributors:

@​Cadair, @​Casyfill, @​Cy-dev-tex, @​HosamAlmoghraby, @​MaciejPatro, @​SharpEdgeMarshall, @​agateau, @​audreyfeldroy, @​brettcannon, @​browniebroke, @​chrisbrake, @​cjolowicz, @​cxnstantius, @​dHannasch, @​doobrie, @​ericof, @​gliptak, @​glumia, @​graue70, @​insspb, @​jaklan, @​javiersanp, @​jensens, @​jonaswre, @​jsoref, @​juhuebner, @​logworthy, @​luzfcb, @​lyz-code, @​michaeljoseph, @​milonimrod, @​mwesterhof, @​ndclt, @​noirbizarre, @​noone234, @​oncleben31, @​ozer550, @​pydanny, @​rgreinho, @​sebix, @​simobasso, @​smoothml, @​ssbarnea, @​steltenpower, @​wouterdb, @​xyb, Christopher Wolfe and Hosam Almoghraby ( RIAG Digital )

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Moscow, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

@check-spelling-bot Report

Unrecognized words, please review:

• adr
• akka
• alexrogalskiy
• allcontributors
• api
• arcver
• assing
• badgen
• BETTERCODE
• betterjavacode
• blogspot
• boopickle
• bootcamp
• brightgreen
• bugfixes
• buymeacoffee
• ceb
• codeready
• codesandbox
• codetriage
• committers
• configmaps
• debezium
• demystified
• dependabot
• devcases
• devfile
• dirtyreload
• DOI
• dreamix
• dropdown
• eab
• eap
• eisele
• embeddableinstantiator
• embeddables
• facebook
• fastai
• fastpages
• fastparse
• firsttimersonly
• flushmode
• forthebadge
• frapsoft
• freemarker
• FRP
• fthomas
• gerrit
• getquill
• GIFs
• gitbook
• gitflow
• githubbox
• gitpod
• GPLv
• Gradle
• grunwald
• guideslines
• gunnar
• Hashids
• Hasids
• helloworld
• hitsofcode
• hmil
• infoworld
• insidejava
• Instantiator
• IPhone
• istio
• janssen
• japgolly
• javacodegeeks
• javafx
• javamelody
• javaone
• JAVAPROG
• jboss
• jcliff
• jdbc
• jdk
• jextract
• jfr
• jfrunit
• johan
• jpa
• JRE
• jsonignore
• jsp
• jsparty
• julienrf
• Jupyter
• kubernetes
• latestdoi
• LETSTALK
• letstalkaboutjava
• LGPL
• LGPLv
• lihaoyi
• liskov
• logfile
• mades
• makeapullrequest
• markdownguide
• markus
• matryoshka
• mcve
• mega
• microservices
• milessabin
• mirrorring
• mkdocs
• modelviewculture
• monix
• mtl
• mutationquery
• namespaces
• nestjs
• Netflix
• newreleases
• nullables
• nvie
• objectmappers
• odl
• openapi
• opengraph
• opentelemetry
• osslifecycle
• oyanglul
• pagespeedresultmobile
• pasteable
• patreon
• paypal
• PITMP
• plumbr
• podcast
• precog
• pufler
• pypa
• quarkus
• quicklens
• RANDOMTHOUGHTS
• randomthoughtsonjavaprogramming
• rce
• reactify
• readthedocs
• reddit
• renovatebot
• reporoster
• repostatus
• resteasy
• rfm
• Rogalskiy
• rogalsky
• rubyonrails
• runtimes
• scalacss
• scalafiddle
• scalafmt
• scalajs
• scalameta
• scalanlp
• scalastyle
• scalaz
• scm
• seeyoufarm
• selectionquery
• softwaremill
• sourcegraph
• spamming
• splunk
• sql
• squants
• squbs
• sscce
• stakeholders
• starchart
• sttp
• stylegu
• suggestig
• suzaku
• thejavaprogrammer
• thorben
• tilda
• tokei
• trufoj
• tsb
• tsbleo
• tscojc
• tscqlg
• tsd
• tsdllr
• typelevel
• udash
• upickle
• urt
• ussue
• violoate
• vos
• wget
• wildfly
• wix
• workspaces
• zenodo
• zgc
• zio

Previously acknowledged words that are now absent

acl activesupport adaoraul addons aeiou AFile afterall Alexey alfredxing algolia allowfullscreen Anatoliy andreyvit Ankit Anning apps appveyor arengu args ariejan arounds asciinema asdf ashmaroli attr Autobuild autocompletion autogenerated Autolink autoload autoreconf autosave awood awscli backport backtick barcamp baseurl bashrc baz bbatsov bdimcheff bellvat benbalter Beney binstubs bip bitbucket Blogger blogging bonafide Bou breadcrumbs briandoll bridgetown bridgetownrb brightbox brighterplanet buddyworks Bugfix Burela byparker cachegrind calavera callgraphs cartera cavalle CDNs cgi changefreq chango charset Chayoung chcp chdir Cheatsheet Checkoway chmod chown Chrononaut chruby cibuild cimg circleci CJK classname cloudcannon Cloudinary cloudsh CLT CODEOWNERS coderay codeslinger coffeescript colorator commandline commonmark compat compatibilize concat configyml contentblocks CORS Cov CRLFs cron crontab cruft css csv Currin CVE CWD cygwin daringfireball Dassonville datafiles datetime DCEU Debian debuggability defunkt delegators deployer deps dest Devkit devops digitalocean dirs disqus ditaa dnf doclist doctype doeorg dommmel dotfile Dousse downcase downcased duckduckgo duritong Dusseau dysinger ecf editorconfig eduardoboucas Elasticsearch elsif Emacs emails endcapture endcomment endfor endhighlight endif endraw endrender endtablerow Enumerables EOL erb errordocument Espinaco eugenebolshakov evaled exe execjs extensionpack extname exts favicon Fengyun ffi figcaption filesystem Finazzo firstimage FIXME flakey flickr fnmatch fontello forloop formcake formcarry formester formingo formkeep formspark formspree formx Forwardable frameborder freenode frontend frontmatter fsnotify ftp fullstory Gaudino gcc gcnovus gemfile gemset gemspec getform getset getsimpleform gettalong gfm ghp ghpages giraffeacademy githubcom gitignore gitlab gjtorikian globbed globbing google gotcha Goulven gridism GSo gsub gsubbing Hakiri hardcode hashbang hashmap helaili henrik heredoc heroku highlighter hilighting Hoizey hostman hostname htaccess htm htmlproofer httpd httpdocs hyperlinks Iaa ial ico icomoon iconset ified iframe Impl Inlining invokables irc ivey ize jalali jameshamann jamstackthemes jan Jax jayferd jcon jdoe jeffreytse jeffrydegrande Jekpack jekyllbot jekyllconf Jekyllers Jekyllin Jekylling jekyllized jekylllayoutconcept jekyllrb jekyllthemes jemoji jmcglone jneen johnreilly jpg jqr jruby jsonify juretta jwarby Kacper Kasberg kbd Kentico Kewin keycdn kickster Kinnula kiwifruit Kolesky konklone kontent Kotvinsky kramdown Kulig Kwokfu Lamprecht laquo lastmod launchctl launchy laurilehmijoki ldquo learnxinyminutes lexer LGTM libcurl libffi lightgray limjh linenos linkify linux liufengyun livereload localheinz localtime Locher loglevel Losslessly lovin lsi lsquo lstrip lyche macos macromates mademistakes Manmeet markdownify Maroli Marsceill maruku mathjax mathml mattr Maximiliano mchung mdash memberspace Memoize memoized memoizing mentoring mergable Mertcan mertkahyaoglu microdata mimetype mingw minibundle minifier minitest Mittal mixin mkasberg mkd mkdir mkdn mkdown mmistakes modernizr mojombo moncefbelyamani moz mreid msdn mswin MSYS mtime multiline munging Mvvm myblog mycontent mydata mydoc myimage mypage myposts myproject myrepo mysite myvalue myvar myvariable Nadjib nakanishi namespace namespaced navbar nbsp nearlyfreespeech nethack netlify netlifycms Neue nginx ngx nielsenramon nior noifniof nokogiri notextile onclick onebox oneclick onschedule openssl Optim orderofinterpretation orgs OSVDB osx packagecontrol pacman paginator pandoc pantulis params parkr parseable paspagon passthrough pathawks Pathutil paywall pdf Pelykh permalink PHP pinboard Piwigo pjhyett pkill pkpass placeholders planetjekyll plantuml plugin podcasts popen Porcel Posterous postfiles postlayout postmodern prefetching preinstalled prepends Prioritise Probot projectlist pubstorm pufuwozu pwa pwd pygments qrush Quaid rackup Rakefile razorops rbenv rdiscount rdoc rdquo realz rebund redcarpet redcloth redgreen refactor Refheap regen regex regexp remi reqs Responsify revertable rfc rfelix RHEL ridk roadmap rowspan rspec rsquo rstrip rsync rtomayko Rubo rubocop rubychan rubygem rubyinstaller rubyprof Ruparelia Rusiczki rvm ryanflorence saas samplelist samrayner sandboxed Sassc sassify schemastore Schroers Schwartzian scp scrollbar scroller scss scssify sdk SDKROOT sectore seo serverless setenv SFTP shingo shopify shortlog shoulda sieversii sigpipe simplecov Singhaniya siteleaf sitemap SITENAME Slicehost slugified slugify smartforms smartify snipcart somedir sonnym Sonomy sourced sourcemaps spam spotify ssg ssh SSL staticfiles staticman statictastic STDERR stdout Stickyposts strftime stringified Stringify stylesheet subdir subdomain subfolder subfolderitems subnav subpages subpath subpiece subsubfolderitems subthing subvalues subwidget sudo superdirectories superdirs SUSE sverrirs svn swfobject swupd symlink symlinking tablerow tada Taillandier talkyard tbody technicalpickles templating templatize Termux textilize textpattern thead therubyracer Theunissen Thornquest thoughtbot throughs Tidelift timeago timezone titleize TLS tmm tmp toc tok tomjoht toml tomo toolset toshimaru triaged triaging truncatewords tsv ttf Tudou Tumblr Tweetsert txtpen Tyborska tzinfo ubuntu uby ujh ultron undumpable unencode Unescape unescaping unicode uniq upcase uppercasing uri urlset username usr utf utils utime vanpelt Vasovi vendored vercel versioned vertycal Veyor vilcans Vishesh visualstudio vnd vohedge vps vscode vwochnik Walkthroughs wdm We'd webfont webhook webhosting webmentions webrick weekdate whitelist whitelisting wikipedia wildcards willcodeforfoo woff wordpress Workaround wsl xcode xcrun xdg Xhmikos xhtml Xiaoiver XMinutes xmlns xmlschema yajl Yarp Yashu Yastreb Youku youtube yunbox zeropadding Zlatan zlib zoneinfo zpinter Zsh zshrc zypper zzot

To accept these unrecognized words as correct (and remove the previously acknowledged and now absent words), run the following commands

... in a clone of the git@github.com:AlexRogalskiy/java-patterns.git repository
on the renovate/pypi-cookiecutter-vulnerability branch:

update_files() {
perl -e '
my @expect_files=qw('".github/actions/spelling/expect.txt"');
@ARGV=@expect_files;
my @stale=qw('"$patch_remove"');
my $re=join "|", @stale;
my $suffix=".".time();
my $previous="";
sub maybe_unlink { unlink($_[0]) if $_[0]; }
while (<>) {
if ($ARGV ne $old_argv) { maybe_unlink($previous); $previous="$ARGV$suffix"; rename($ARGV, $previous); open(ARGV_OUT, ">$ARGV"); select(ARGV_OUT); $old_argv = $ARGV; }
next if /^(?:$re)(?:(?:\r|\n)*$| .*)/; print;
}; maybe_unlink($previous);'
perl -e '
my $new_expect_file=".github/actions/spelling/expect.txt";
use File::Path qw(make_path);
use File::Basename qw(dirname);
make_path (dirname($new_expect_file));
open FILE, q{<}, $new_expect_file; chomp(my @words = <FILE>); close FILE;
my @add=qw('"$patch_add"');
my %items; @items{@words} = @words x (1); @items{@add} = @add x (1);
@words = sort {lc($a)."-".$a cmp lc($b)."-".$b} keys %items;
open FILE, q{>}, $new_expect_file; for my $word (@words) { print FILE "$word\n" if $word =~ /\w/; };
close FILE;
system("git", "add", $new_expect_file);
'
}

comment_json=$(mktemp)
curl -L -s -S \
  --header "Content-Type: application/json" \
  "https://api.github.com/repos/AlexRogalskiy/java-patterns/issues/comments/4136752233" > "$comment_json"
comment_body=$(mktemp)
jq -r .body < "$comment_json" > $comment_body
rm $comment_json

patch_remove=$(perl -ne 'next unless s{^</summary>(.*)</details>$}{$1}; print' < "$comment_body")
  

patch_add=$(perl -e '$/=undef;
$_=<>;
s{<details>.*}{}s;
s{^#.*}{};
s{\n##.*}{};
s{(?:^|\n)\s*\*}{}g;
s{\s+}{ }g;
print' < "$comment_body")
  
update_files
rm $comment_body
git add -u

If you see a bunch of garbage

If it relates to a ...

well-formed pattern

See if there's a pattern that would match it.

If not, try writing one and adding it to the patterns.txt file.

Patterns are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your lines.

Note that patterns can't match multiline strings.

binary-ish string

Please add a file path to the excludes.txt file instead of just accepting the garbage.

File paths are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your files.

^ refers to the file's path from the root of the repository, so ^README\.md$ would exclude README.md (on whichever branch you're using).

[github-actions]

Scan Summary

Tool	Critical	High	Medium	Low	Status
Dependency Scan (universal)	2	12	14	0	❌
Shell Script Analysis	0	0	0	195	✅
Kotlin Security Audit	0	0	0	0	✅
Security Audit for Infrastructure	14	92	8	32	❌
Kotlin Static Analysis	0	0	0	0	✅
Python Source Analyzer	0	0	0	0	✅
Secrets Audit	0	4	0	0	❌

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍