chore(deps): bump the cookiecutter group with 3 updates

[dependabot]

Bumps the cookiecutter group with 3 updates: cookiecutter, chardet and binaryornot.

Updates cookiecutter from 2.6.0 to 2.7.1

Release notes

Sourced from cookiecutter's releases.

Cookiecutter 2.7.1: The One Where It Knows Its Own Name

You know that thing where you release an album, it's on the shelves, people are buying it, and then someone points out the spine says it's your previous album? That's what happened with Cookiecutter 2.7.0. We put out the long-awaited release with 27 improvements and 17 contributors, and cookiecutter -V proudly announced: 2.6.0.

$ cookiecutter -V
Cookiecutter 2.6.0
$ # narrator voice: it was not 2.6.0

Go on, run this and see for yourself that the 2.7.1 release knows its own version number now:

uv tool upgrade cookiecutter

What's fixed

cookiecutter -V now reports the real version. Rather than patch VERSION.txt, this release removes it entirely. The version is now read from package metadata at runtime, so pyproject.toml is the single source of truth and there's nothing left to drift. Thanks @​bollwyvl for the bug report PR and for suggesting the importlib.metadata approach, and thanks @​tranzystorekk for filing #2195!

What's better

CI runs each Python version as its own job. Tests for 3.10 through 3.14 used to run sequentially inside a single job per OS, which pushed Windows past 30 minutes. Each version now runs in parallel with a 15-minute timeout. Windows tests focus on the boundary versions (3.10 and 3.14) since intermediate versions add little signal beyond Ubuntu and macOS.

Contributors

@​audreyfeldroy (Audrey M. Roy Greenfeld) and @​pydanny (Daniel Roy Greenfeld) built this release, with help from Claude roleplaying as David Bowie.

Thanks to @​bollwyvl (Nicholas Bollweg) for the version fix PR and the importlib.metadata suggestion, and @​tranzystorekk for reporting the version mismatch.

2.7.0

Cookiecutter 2.7.0 is tested on Python 3.10 through 3.14, ships with a security policy documenting the trust model for template hook scripts, and publishes to PyPI with cryptographic provenance so you can verify every release. Seventeen contributors from the community helped build it.

uv tool upgrade cookiecutter

What's new

A security policy that explains what you're trusting. Cookiecutter templates can run arbitrary code through hook scripts, and that's by design. The new SECURITY.md lays out the trust model: what Cookiecutter sandboxes (nothing), what's in scope for vulnerability reports, and how to report them privately through GitHub. If you maintain templates or run unfamiliar ones, this is worth reading.

Python 3.10 through 3.14. Full test coverage across five Python versions. If you're on 3.7, 3.8, or 3.9, this is the release where you'll want to upgrade.

Pretty-printed JSON in templates. The jsonify Jinja2 extension takes an indent argument, so you can generate formatted JSON in your templates instead of single-line blobs. Thanks @​pabloxio! (#2050)

Boolean variables from the command line. Pass use_docker=y via --no-input and it arrives as a proper boolean in your template context. Thanks @​tylermilner! (#2029)

Structured bug reports. The GitHub issue form collects environment details upfront, so maintainers can reproduce your issue faster.

Tutorial videos and slides. Conference talk recordings and slide decks linked from the docs. Thanks @​datasharp! (#2137)

... (truncated)

Commits

• 083dd3c Release 2.7.1
• 59e7eb1 Ground the runtime version in package metadata instead of a hand-maintained file
• 730d2eb Run each Python version as its own CI job instead of sequentially
• db674d8 Reflect that PyPI publishing runs automatically on tag push
• 718f685 Release 2.7.0
• 14da090 Let contributors focus on what interests them, not a milestone plan
• a4a7e99 Give release managers a safe, documented path from version bump to PyPI
• cf3bd2f Drop the Release Drafter integration
• 0ff1fa8 Tell template creators what Cookiecutter actually gives them
• 154d946 Modernize the README around uv and a leaner project page
• Additional commits viewable in compare view

Updates chardet from 5.2.0 to 7.0.1

Release notes

Sourced from chardet's releases.

7.0.1

Fixes

• Fixed false UTF-7 detection of SHA-1 git hashes (#324, fixing #323) — requirements files with VCS pins (e.g., +4bafdea3...) were misdetected as UTF-7, breaking tools like tox
• Fixed _SINGLE_LANG_MAP missing aliases for single-language encoding lookup (e.g., big5 → big5hkscs)
• Fixed PyPy TypeError in UTF-7 codec handling

Improvements

• Retrained bigram models — 24 previously failing test cases now pass
• Updated language equivalences for mutual intelligibility (Slovak/Czech, East Slavic + Bulgarian, Malay/Indonesian, Scandinavian languages)

New Contributors

• @​rembish made their first contribution — both reporting the UTF-7 false detection issue and submitting the fix! (#323, #324)

7.0.0

Ground-up, MIT-licensed rewrite of chardet. Same package name, same public API — drop-in replacement for chardet 5.x/6.x. Just way faster and more accurate!

Highlights:

• MIT license (previous versions were LGPL)
• 96.8% accuracy on 2,179 test files (+2.3pp vs chardet 6.0.0, +7.7pp vs charset-normalizer)
• 41x faster than chardet 6.0.0 with mypyc (28x pure Python), 7.5x faster than charset-normalizer
• Language detection for every result (90.5% accuracy across 49 languages)
• 99 encodings across six eras (MODERN_WEB, LEGACY_ISO, LEGACY_MAC, LEGACY_REGIONAL, DOS, MAINFRAME)
• 12-stage detection pipeline — BOM, UTF-16/32 patterns, escape sequences, binary detection, markup charset, ASCII, UTF-8 validation, byte validity, CJK gating, structural probing, statistical scoring, post-processing
• Bigram frequency models trained on CulturaX multilingual corpus data for all supported language/encoding pairs
• Optional mypyc compilation — 1.49x additional speedup on CPython
• Thread-safe detect() and detect_all() with no measurable overhead; scales on free-threaded Python 3.13t+
• Negligible import memory (96 B)
• Zero runtime dependencies

Breaking changes vs 6.0.0:

• detect() and detect_all() now default to encoding_era=EncodingEra.ALL (6.0.0 defaulted to MODERN_WEB)
• Internal architecture is completely different (probers replaced by pipeline stages). Only the public API is preserved.
• LanguageFilter is accepted but ignored (deprecation warning emitted)
• chunk_size is accepted but ignored (deprecation warning emitted)

6.0.0.post1

• Fixed version number in chardet/version.py still being set to 6.0.0dev0. Otherwise identical to 6.0.0.

6.0.0

Features

• Unified single-byte charset detection: Instead of only having trained language models for a handful of languages (Bulgarian, Greek, Hebrew, Hungarian, Russian, Thai, Turkish) and relying on special-case Latin1Prober and MacRomanProber heuristics for Western encodings, chardet now treats all single-byte charsets the same way: every encoding gets proper language-specific bigram models trained on CulturaX corpus data. This means chardet can now accurately detect both the encoding and the language for all supported single-byte encodings.
• 38 new languages: Arabic, Belarusian, Breton, Croatian, Czech, Danish, Dutch, English, Esperanto, Estonian, Farsi, Finnish, French, German, Icelandic, Indonesian, Irish, Italian, Kazakh, Latvian, Lithuanian, Macedonian, Malay, Maltese, Norwegian, Polish, Portuguese, Romanian, Scottish Gaelic, Serbian, Slovak, Slovene, Spanish, Swedish, Tajik, Ukrainian, Vietnamese, and Welsh. Existing models for Bulgarian, Greek, Hebrew, Hungarian, Russian, Thai, and Turkish were also retrained with the new pipeline.
• EncodingEra filtering: New encoding_era parameter to detect allows filtering by an EncodingEra flag enum (MODERN_WEB, LEGACY_ISO, LEGACY_MAC, LEGACY_REGIONAL, DOS, MAINFRAME, ALL) allows callers to restrict detection to encodings from a specific era. detect() and detect_all() default to MODERN_WEB. The new MODERN_WEB default should drastically improve accuracy for users who are not working with legacy data. The tiers are:
  • MODERN_WEB: UTF-8/16/32, Windows-125x, CP874, CJK multi-byte (widely used on the web)

... (truncated)

Changelog

Sourced from chardet's changelog.

7.0.1 (2026-03-04)

Fixes:

• Fixed false UTF-7 detection of SHA-1 git hashes ([#324](https://github.com/chardet/chardet/issues/324) <https://github.com/chardet/chardet/issues/324>_)
• Fixed _SINGLE_LANG_MAP missing aliases for single-language encoding lookup (e.g., big5 → big5hkscs)
• Fixed PyPy TypeError in UTF-7 codec handling

Improvements:

• Retrained bigram models — 24 previously failing test cases now pass
• Updated language equivalences for mutual intelligibility (Slovak/Czech, East Slavic + Bulgarian, Malay/Indonesian, Scandinavian languages)

7.0.0 (2026-03-02)

Ground-up, MIT-licensed rewrite of chardet. Same package name, same public API — drop-in replacement for chardet 5.x/6.x.

Highlights:

• MIT license (previous versions were LGPL)
• 96.8% accuracy on 2,179 test files (+2.3pp vs chardet 6.0.0, +7.7pp vs charset-normalizer)
• 41x faster than chardet 6.0.0 with mypyc (28x pure Python), 7.5x faster than charset-normalizer
• Language detection for every result (90.5% accuracy across 49 languages)
• 99 encodings across six eras (MODERN_WEB, LEGACY_ISO, LEGACY_MAC, LEGACY_REGIONAL, DOS, MAINFRAME)
• 12-stage detection pipeline — BOM, UTF-16/32 patterns, escape sequences, binary detection, markup charset, ASCII, UTF-8 validation, byte validity, CJK gating, structural probing, statistical scoring, post-processing
• Bigram frequency models trained on CulturaX multilingual corpus data for all supported language/encoding pairs
• Optional mypyc compilation — 1.49x additional speedup on CPython
• Thread-safe detect() and detect_all() with no measurable overhead; scales on free-threaded Python 3.13t+
• Negligible import memory (96 B)
• Zero runtime dependencies

Breaking changes vs 6.0.0:

• detect() and detect_all() now default to encoding_era=EncodingEra.ALL (6.0.0 defaulted to MODERN_WEB)

... (truncated)

Commits

• 330e41e docs: update benchmark numbers for expanded test suite (2,510 files)
• 83eb965 fix: remove unused cached_specs and add version mismatch diagnostic
• b5ef193 feat: skip venv creation when full cache exists for detector
• d98e26a fix: use project_root parameter instead of pip_args[0] in _resolve_version_wi...
• 5a85c25 feat: add helpers for venv-less version/tag resolution and cache checking
• f4917a3 Remove plans
• 06ae339 Use package name in cache filenames and enrich display labels
• 90fff1d Fix precommit hook failures
• 611fc0b Bump coverage requirements up to 95% since we have 100%
• cc21964 Add separate lint job back
• Additional commits viewable in compare view

Updates binaryornot from 0.4.4 to 0.6.0

Release notes

Sourced from binaryornot's releases.

BinaryOrNot 0.6.0: Three Layers of Detection

BinaryOrNot identifies binary files three ways: by extension, by file signature, and by content analysis. Pass it any file path and it tells you binary or text, accurately, across PNGs, PDFs, executables, archives, fonts, CJK-encoded text, and hundreds of other formats.

uv pip install --upgrade binaryornot

What's new

131 file types recognized by name. is_binary() checks the filename extension against a curated list of binary types (images, audio, video, archives, executables, fonts, documents, databases, 3D models, CAD files, scientific data formats, game ROMs) before reading any bytes. A .png or .mp4 is classified instantly with zero file I/O. The extension list ships as binary_extensions.csv and is easy to inspect or extend. (#648)

If you need pure content-based classification, pass check_extensions=False:

from binaryornot.check import is_binary
Extension says binary, but let's check the actual bytes
is_binary("mystery_file.pyc", check_extensions=False)

55 binary format signatures. The detector checks file headers against known magic bytes for PNG, JPEG, PDF, ZIP, ELF, Mach-O, WebAssembly, SQLite, Parquet, Arrow IPC, and 45 more formats. Files that match a known signature are classified as binary immediately, before the statistical model runs. The signature table ships as binary_formats.csv. (#647)

Type annotations on the public API. is_binary(), is_binary_string(), and get_starting_chunk() all have inline type annotations. Editors and type checkers know that is_binary() accepts str, bytes, or pathlib.Path and returns bool. Credit to @​smheidrich for the initial type stubs proposal (#627) and @​AlJohri for requesting pathlib.Path support (#628). (#643)

What's better

Completely retrained decision tree on 4x more data. The detector reads 512 bytes per file instead of 128, and the decision tree was rebuilt from scratch on those larger samples. A new feature, has_magic_signature, gives the tree a second path to the right answer when statistical features are ambiguous. Byte ratios and entropy calculations reflect actual file content rather than header artifacts. (#647)

Python 3.10+ compatibility. BinaryOrNot installs on Python 3.10 through 3.14, supporting Cookiecutter, cookieplone, and other tools that run on older interpreters. Thanks @​wesleybl for raising this. (#645)

Test fixtures ship in the sdist. .pyc and .DS_Store test fixtures are force-included in the source distribution so tests pass when run from the sdist. (#646)

What's fixed

PNGs with ambiguous headers are correctly classified. A 512x512 grayscale+alpha PNG has an IHDR chunk with enough null bytes that the first 128 bytes accidentally decode as UTF-16. Extension checking, signature matching, and the retrained tree each independently prevent this misclassification. Closes #642. (#647)

What's changed

is_binary() has a new keyword argument. check_extensions (default True) controls whether the extension check runs. Existing code that calls is_binary(path) gets the extension check automatically. Code that passes check_extensions=False gets the previous content-only behavior.

Contributors

@​audreyfeldroy (Audrey M. Roy Greenfeld) designed and built this release: the extension detection system, file signature matching, decision tree retraining, type annotations, Python 3.10 compatibility, and sdist fixes.

Thanks to @​smheidrich for the type stubs proposal, @​AlJohri for requesting pathlib.Path support, and @​wesleybl for raising Python 3.10 compatibility.

BinaryOrNot 0.5.0: Zero Dependencies, 128 Bytes, One Trained Classifier

This is the biggest release in BinaryOrNot's history. I rebuilt the detection engine from the ground up. The original used byte ratio heuristics with chardet as a second opinion for ambiguous files. I replaced all of that with a trained decision tree operating on 23 features, covering 49 binary formats and 37 text encodings, with zero external dependencies. It's backed by 211 tests and a training pipeline you can re-run yourself. If you've ever had BinaryOrNot misidentify a UTF-16 file, choke on a CJK-encoded document, or crash because chardet changed its API, this release is for you.

BinaryOrNot now has zero dependencies. The chardet library (2.1 MB installed) is gone, replaced by a decision tree that reads 128 bytes of a file and classifies it as binary or text using 23 features computed from those bytes alone. The API is unchanged: is_binary("file.png") still returns True.

... (truncated)

Commits

• 9c979cd Release 0.6.0
• fba3730 Merge pull request #648 from binaryornot/check-file-extensions
• c375996 Document why bytes filenames matter
• 17540bc Handle bytes filenames in extension check
• bc069ff Classify 131 file types by extension before reading them
• a1ff8d0 Merge pull request #647 from binaryornot/fix-png-misclassification
• 7c1864b Cover 55 binary formats from plists to network captures
• 2a31e62 Apply ruff formatting to slice expression
• 5f6351a Teach the decision tree to use file signatures as evidence
• feb38d8 Give the decision tree 4x more context per file
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.