Skip to content

⬆️ Updates cookiecutter to v2 [SECURITY]#3536

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/pypi-cookiecutter-vulnerability
Open

⬆️ Updates cookiecutter to v2 [SECURITY]#3536
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/pypi-cookiecutter-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Mar 26, 2026

This PR contains the following updates:

Package Change Age Confidence
cookiecutter ==1.7.3==2.1.1 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2022-24065

The package cookiecutter before 2.1.1 is vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Release Notes

cookiecutter/cookiecutter (cookiecutter)

v2.1.1

Compare Source

Documentation updates

Bugfixes

This release is made by wonderful contributors:

@​alkatar21, @​ericof and @​jensens

v2.1.0

Compare Source

Preamble

This release log lists all changes from 1.7.3 to this release.
It includes the log of the 2.0.x releases, which were never published on PyPI.
Because of that it might look a bit blurry.

We release the current stable state of the project, knowing there are a bunch of open pull requests.
Those will be reviewed by the core-committers and merged or dropped.

Future releases will happen more frequently. Stay tuned.

Fetch fresh from PyPI https://pypi.org/project/cookiecutter/2.1.0/

Changes

Breaking Changes

Minor Changes

CI/CD and QA changes

Documentation updates

Bugfixes

Deprecations

This release is made by wonderfull contributors:

@​Cadair, @​Casyfill, @​Cy-dev-tex, @​HosamAlmoghraby, @​MaciejPatro, @​SharpEdgeMarshall, @​agateau, @​audreyfeldroy, @​brettcannon, @​browniebroke, @​chrisbrake, @​cjolowicz, @​cxnstantius, @​dHannasch, @​doobrie, @​ericof, @​gliptak, @​glumia, @​graue70, @​insspb, @​jaklan, @​javiersanp, @​jensens, @​jonaswre, @​jsoref, @​juhuebner, @​logworthy, @​luzfcb, @​lyz-code, @​michaeljoseph, @​milonimrod, @​mwesterhof, @​ndclt, @​noirbizarre, @​noone234, @​oncleben31, @​ozer550, @​pydanny, @​rgreinho, @​sebix, @​simobasso, @​smoothml, @​ssbarnea, @​steltenpower, @​wouterdb, @​xyb, Christopher Wolfe and Hosam Almoghraby ( RIAG Digital )

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Moscow, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@auto-assign auto-assign bot requested a review from AlexRogalskiy March 26, 2026 17:13
@github-actions github-actions bot added the docs label Mar 26, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 26, 2026
edited
Loading

@check-spelling-bot Report

Unrecognized words, please review:

  • adr
  • akka
  • alexrogalskiy
  • allcontributors
  • api
  • arcver
  • assing
  • badgen
  • BETTERCODE
  • betterjavacode
  • blogspot
  • boopickle
  • bootcamp
  • brightgreen
  • bugfixes
  • buymeacoffee
  • ceb
  • codeready
  • codesandbox
  • codetriage
  • committers
  • configmaps
  • debezium
  • demystified
  • dependabot
  • devcases
  • devfile
  • dirtyreload
  • DOI
  • dreamix
  • dropdown
  • eab
  • eap
  • eisele
  • embeddableinstantiator
  • embeddables
  • facebook
  • fastai
  • fastpages
  • fastparse
  • firsttimersonly
  • flushmode
  • forthebadge
  • frapsoft
  • freemarker
  • FRP
  • fthomas
  • gerrit
  • getquill
  • GIFs
  • gitbook
  • gitflow
  • githubbox
  • gitpod
  • GPLv
  • Gradle
  • grunwald
  • guideslines
  • gunnar
  • Hashids
  • Hasids
  • helloworld
  • hitsofcode
  • hmil
  • infoworld
  • insidejava
  • Instantiator
  • IPhone
  • istio
  • janssen
  • japgolly
  • javacodegeeks
  • javafx
  • javamelody
  • javaone
  • JAVAPROG
  • jboss
  • jcliff
  • jdbc
  • jdk
  • jextract
  • jfr
  • jfrunit
  • johan
  • jpa
  • JRE
  • jsonignore
  • jsp
  • jsparty
  • julienrf
  • Jupyter
  • kubernetes
  • latestdoi
  • LETSTALK
  • letstalkaboutjava
  • LGPL
  • LGPLv
  • lihaoyi
  • liskov
  • logfile
  • mades
  • makeapullrequest
  • markdownguide
  • markus
  • matryoshka
  • mcve
  • mega
  • microservices
  • milessabin
  • mirrorring
  • mkdocs
  • modelviewculture
  • monix
  • mtl
  • mutationquery
  • namespaces
  • nestjs
  • Netflix
  • newreleases
  • nullables
  • nvie
  • objectmappers
  • odl
  • openapi
  • opengraph
  • opentelemetry
  • osslifecycle
  • oyanglul
  • pagespeedresultmobile
  • pasteable
  • patreon
  • paypal
  • PITMP
  • plumbr
  • podcast
  • precog
  • pufler
  • pypa
  • quarkus
  • quicklens
  • RANDOMTHOUGHTS
  • randomthoughtsonjavaprogramming
  • rce
  • reactify
  • readthedocs
  • reddit
  • renovatebot
  • reporoster
  • repostatus
  • resteasy
  • rfm
  • Rogalskiy
  • rogalsky
  • rubyonrails
  • runtimes
  • scalacss
  • scalafiddle
  • scalafmt
  • scalajs
  • scalameta
  • scalanlp
  • scalastyle
  • scalaz
  • scm
  • seeyoufarm
  • selectionquery
  • softwaremill
  • sourcegraph
  • spamming
  • splunk
  • sql
  • squants
  • squbs
  • sscce
  • stakeholders
  • starchart
  • sttp
  • stylegu
  • suggestig
  • suzaku
  • thejavaprogrammer
  • thorben
  • tilda
  • tokei
  • trufoj
  • tsb
  • tsbleo
  • tscojc
  • tscqlg
  • tsd
  • tsdllr
  • typelevel
  • udash
  • upickle
  • urt
  • ussue
  • violoate
  • vos
  • wget
  • wildfly
  • wix
  • workspaces
  • zenodo
  • zgc
  • zio
Previously acknowledged words that are now absent acl activesupport adaoraul addons aeiou AFile afterall Alexey alfredxing algolia allowfullscreen Anatoliy andreyvit Ankit Anning apps appveyor arengu args ariejan arounds asciinema asdf ashmaroli attr Autobuild autocompletion autogenerated Autolink autoload autoreconf autosave awood awscli backport backtick barcamp baseurl bashrc baz bbatsov bdimcheff bellvat benbalter Beney binstubs bip bitbucket Blogger blogging bonafide Bou breadcrumbs briandoll bridgetown bridgetownrb brightbox brighterplanet buddyworks Bugfix Burela byparker cachegrind calavera callgraphs cartera cavalle CDNs cgi changefreq chango charset Chayoung chcp chdir Cheatsheet Checkoway chmod chown Chrononaut chruby cibuild cimg circleci CJK classname cloudcannon Cloudinary cloudsh CLT CODEOWNERS coderay codeslinger coffeescript colorator commandline commonmark compat compatibilize concat configyml contentblocks CORS Cov CRLFs cron crontab cruft css csv Currin CVE CWD cygwin daringfireball Dassonville datafiles datetime DCEU Debian debuggability defunkt delegators deployer deps dest Devkit devops digitalocean dirs disqus ditaa dnf doclist doctype doeorg dommmel dotfile Dousse downcase downcased duckduckgo duritong Dusseau dysinger ecf editorconfig eduardoboucas Elasticsearch elsif Emacs emails endcapture endcomment endfor endhighlight endif endraw endrender endtablerow Enumerables EOL erb errordocument Espinaco eugenebolshakov evaled exe execjs extensionpack extname exts favicon Fengyun ffi figcaption filesystem Finazzo firstimage FIXME flakey flickr fnmatch fontello forloop formcake formcarry formester formingo formkeep formspark formspree formx Forwardable frameborder freenode frontend frontmatter fsnotify ftp fullstory Gaudino gcc gcnovus gemfile gemset gemspec getform getset getsimpleform gettalong gfm ghp ghpages giraffeacademy githubcom gitignore gitlab gjtorikian globbed globbing google gotcha Goulven gridism GSo gsub gsubbing Hakiri hardcode hashbang hashmap helaili henrik heredoc heroku highlighter hilighting Hoizey hostman hostname htaccess htm htmlproofer httpd httpdocs hyperlinks Iaa ial ico icomoon iconset ified iframe Impl Inlining invokables irc ivey ize jalali jameshamann jamstackthemes jan Jax jayferd jcon jdoe jeffreytse jeffrydegrande Jekpack jekyllbot jekyllconf Jekyllers Jekyllin Jekylling jekyllized jekylllayoutconcept jekyllrb jekyllthemes jemoji jmcglone jneen johnreilly jpg jqr jruby jsonify juretta jwarby Kacper Kasberg kbd Kentico Kewin keycdn kickster Kinnula kiwifruit Kolesky konklone kontent Kotvinsky kramdown Kulig Kwokfu Lamprecht laquo lastmod launchctl launchy laurilehmijoki ldquo learnxinyminutes lexer LGTM libcurl libffi lightgray limjh linenos linkify linux liufengyun livereload localheinz localtime Locher loglevel Losslessly lovin lsi lsquo lstrip lyche macos macromates mademistakes Manmeet markdownify Maroli Marsceill maruku mathjax mathml mattr Maximiliano mchung mdash memberspace Memoize memoized memoizing mentoring mergable Mertcan mertkahyaoglu microdata mimetype mingw minibundle minifier minitest Mittal mixin mkasberg mkd mkdir mkdn mkdown mmistakes modernizr mojombo moncefbelyamani moz mreid msdn mswin MSYS mtime multiline munging Mvvm myblog mycontent mydata mydoc myimage mypage myposts myproject myrepo mysite myvalue myvar myvariable Nadjib nakanishi namespace namespaced navbar nbsp nearlyfreespeech nethack netlify netlifycms Neue nginx ngx nielsenramon nior noifniof nokogiri notextile onclick onebox oneclick onschedule openssl Optim orderofinterpretation orgs OSVDB osx packagecontrol pacman paginator pandoc pantulis params parkr parseable paspagon passthrough pathawks Pathutil paywall pdf Pelykh permalink PHP pinboard Piwigo pjhyett pkill pkpass placeholders planetjekyll plantuml plugin podcasts popen Porcel Posterous postfiles postlayout postmodern prefetching preinstalled prepends Prioritise Probot projectlist pubstorm pufuwozu pwa pwd pygments qrush Quaid rackup Rakefile razorops rbenv rdiscount rdoc rdquo realz rebund redcarpet redcloth redgreen refactor Refheap regen regex regexp remi reqs Responsify revertable rfc rfelix RHEL ridk roadmap rowspan rspec rsquo rstrip rsync rtomayko Rubo rubocop rubychan rubygem rubyinstaller rubyprof Ruparelia Rusiczki rvm ryanflorence saas samplelist samrayner sandboxed Sassc sassify schemastore Schroers Schwartzian scp scrollbar scroller scss scssify sdk SDKROOT sectore seo serverless setenv SFTP shingo shopify shortlog shoulda sieversii sigpipe simplecov Singhaniya siteleaf sitemap SITENAME Slicehost slugified slugify smartforms smartify snipcart somedir sonnym Sonomy sourced sourcemaps spam spotify ssg ssh SSL staticfiles staticman statictastic STDERR stdout Stickyposts strftime stringified Stringify stylesheet subdir subdomain subfolder subfolderitems subnav subpages subpath subpiece subsubfolderitems subthing subvalues subwidget sudo superdirectories superdirs SUSE sverrirs svn swfobject swupd symlink symlinking tablerow tada Taillandier talkyard tbody technicalpickles templating templatize Termux textilize textpattern thead therubyracer Theunissen Thornquest thoughtbot throughs Tidelift timeago timezone titleize TLS tmm tmp toc tok tomjoht toml tomo toolset toshimaru triaged triaging truncatewords tsv ttf Tudou Tumblr Tweetsert txtpen Tyborska tzinfo ubuntu uby ujh ultron undumpable unencode Unescape unescaping unicode uniq upcase uppercasing uri urlset username usr utf utils utime vanpelt Vasovi vendored vercel versioned vertycal Veyor vilcans Vishesh visualstudio vnd vohedge vps vscode vwochnik Walkthroughs wdm We'd webfont webhook webhosting webmentions webrick weekdate whitelist whitelisting wikipedia wildcards willcodeforfoo woff wordpress Workaround wsl xcode xcrun xdg Xhmikos xhtml Xiaoiver XMinutes xmlns xmlschema yajl Yarp Yashu Yastreb Youku youtube yunbox zeropadding Zlatan zlib zoneinfo zpinter Zsh zshrc zypper zzot
To accept these unrecognized words as correct (and remove the previously acknowledged and now absent words), run the following commands

... in a clone of the git@github.com:AlexRogalskiy/java-patterns.git repository
on the renovate/pypi-cookiecutter-vulnerability branch:

update_files() {
perl -e '
my @expect_files=qw('".github/actions/spelling/expect.txt"');
@ARGV=@expect_files;
my @stale=qw('"$patch_remove"');
my $re=join "|", @stale;
my $suffix=".".time();
my $previous="";
sub maybe_unlink { unlink($_[0]) if $_[0]; }
while (<>) {
if ($ARGV ne $old_argv) { maybe_unlink($previous); $previous="$ARGV$suffix"; rename($ARGV, $previous); open(ARGV_OUT, ">$ARGV"); select(ARGV_OUT); $old_argv = $ARGV; }
next if /^(?:$re)(?:(?:\r|\n)*$| .*)/; print;
}; maybe_unlink($previous);'
perl -e '
my $new_expect_file=".github/actions/spelling/expect.txt";
use File::Path qw(make_path);
use File::Basename qw(dirname);
make_path (dirname($new_expect_file));
open FILE, q{<}, $new_expect_file; chomp(my @words = <FILE>); close FILE;
my @add=qw('"$patch_add"');
my %items; @items{@words} = @words x (1); @items{@add} = @add x (1);
@words = sort {lc($a)."-".$a cmp lc($b)."-".$b} keys %items;
open FILE, q{>}, $new_expect_file; for my $word (@words) { print FILE "$word\n" if $word =~ /\w/; };
close FILE;
system("git", "add", $new_expect_file);
'
}

comment_json=$(mktemp)
curl -L -s -S \
  --header "Content-Type: application/json" \
  "https://api.github.com/repos/AlexRogalskiy/java-patterns/issues/comments/4136752233" > "$comment_json"
comment_body=$(mktemp)
jq -r .body < "$comment_json" > $comment_body
rm $comment_json

patch_remove=$(perl -ne 'next unless s{^</summary>(.*)</details>$}{$1}; print' < "$comment_body")
  

patch_add=$(perl -e '$/=undef;
$_=<>;
s{<details>.*}{}s;
s{^#.*}{};
s{\n##.*}{};
s{(?:^|\n)\s*\*}{}g;
s{\s+}{ }g;
print' < "$comment_body")
  
update_files
rm $comment_body
git add -u
If you see a bunch of garbage

If it relates to a ...

well-formed pattern

See if there's a pattern that would match it.

If not, try writing one and adding it to the patterns.txt file.

Patterns are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your lines.

Note that patterns can't match multiline strings.

binary-ish string

Please add a file path to the excludes.txt file instead of just accepting the garbage.

File paths are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your files.

^ refers to the file's path from the root of the repository, so ^README\.md$ would exclude README.md (on whichever branch you're using).

github-actions[bot]
github-actions bot reviewed Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Scan Summary

Tool Critical High Medium Low Status
Dependency Scan (universal) 2 12 14 0
Shell Script Analysis 0 0 0 195
Kotlin Security Audit 0 0 0 0
Security Audit for Infrastructure 14 92 8 32
Kotlin Static Analysis 0 0 0 0
Python Source Analyzer 0 0 0 0
Secrets Audit 0 4 0 0

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

@renovate renovate bot changed the title ⬆️ Updates cookiecutter to v2 [SECURITY] ⬆️ Updates cookiecutter to v2 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
@renovate renovate bot deleted the renovate/pypi-cookiecutter-vulnerability branch March 27, 2026 01:59
@github-actions github-actions bot locked and limited conversation to collaborators Mar 27, 2026
@renovate
⬆️ Updates cookiecutter to v2 [SECURITY]
7b517b0 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot changed the title ⬆️ Updates cookiecutter to v2 [SECURITY] - autoclosed ⬆️ Updates cookiecutter to v2 [SECURITY] Mar 30, 2026
@renovate renovate bot reopened this Mar 30, 2026
@renovate renovate bot force-pushed the renovate/pypi-cookiecutter-vulnerability branch from a05020c to 7b517b0 Compare March 30, 2026 19:04
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@AlexRogalskiy AlexRogalskiy Awaiting requested review from AlexRogalskiy

Assignees

No one assigned

Labels

docs javascript dependencies security findings

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants