Bump virtualenv from 20.36.1 to 20.38.0

[dependabot]

Bumps virtualenv from 20.36.1 to 20.38.0.

Release notes

Sourced from virtualenv's releases.

20.38.0

What's Changed

• Fix Windows activation scripts to handle Python paths with spaces by @​rahuldevikar in pypa/virtualenv#3015
• Exclude pywintypes*.dll and pythoncom*.dll from being copied to Scripts directory by @​rahuldevikar in pypa/virtualenv#3012
• update Automated testing documentation section by @​elmjag in pypa/virtualenv#3016
• Preserver Symlinks in pyvenv.cfg paths by @​rahuldevikar in pypa/virtualenv#3022
• Add PKG_CONFIG_PATH environment variable support to all activation scripts by @​rahuldevikar in pypa/virtualenv#3023
• Add ty type checker to CI via tox by @​rahuldevikar in pypa/virtualenv#3025
• Upgrade embedded dependencies by @​rahuldevikar in pypa/virtualenv#3026
• Fix ty Type Narrowing by @​rahuldevikar in pypa/virtualenv#3030
• Replace ty: ignore with proper type declarations for inheritance patterns by @​rahuldevikar in pypa/virtualenv#3034
• Use user_cache_dir for app data with auto-migration from old location by @​rahuldevikar in pypa/virtualenv#3033
• Fix unhelpful KeyError when using invalid VIRTUALENV_DISCOVERY value by @​veeceey in pypa/virtualenv#3031
• ⚡ perf(test): parallelize test suite with pytest-xdist by @​gaborbernat in pypa/virtualenv#3035
• ✨ feat(create): sync with upstream CPython/PyPy venv by @​gaborbernat in pypa/virtualenv#3036
• Python3.9 dependency range correction by @​reactive-firewall in pypa/virtualenv#3038
• Version bump filelock to latest by @​reactive-firewall in pypa/virtualenv#3039
• Improve error message when discovery plugin is not available by @​veeceey in pypa/virtualenv#3032
• 👷 ci(release): add workflow_dispatch release with zipapp and get-virtualenv by @​gaborbernat in pypa/virtualenv#3040
• 📝 docs: restructure to follow Diataxis framework by @​gaborbernat in pypa/virtualenv#3041
• 👷 ci(release): split into release and tag-triggered publish by @​gaborbernat in pypa/virtualenv#3042
• Fix bash activate PKG_CONFIG_PATH unbound variable under bash -u by @​Fridayai700 in pypa/virtualenv#3047
• 🐛 fix(discovery): harden subprocess interrogation and test reliability by @​gaborbernat in pypa/virtualenv#3054
• 🔧 chore(tox): migrate tox.ini to tox.toml by @​gaborbernat in pypa/virtualenv#3050

New Contributors

• @​elmjag made their first contribution in pypa/virtualenv#3016
• @​veeceey made their first contribution in pypa/virtualenv#3031
• @​reactive-firewall made their first contribution in pypa/virtualenv#3038
• @​Fridayai700 made their first contribution in pypa/virtualenv#3047

Full Changelog: pypa/virtualenv@20.37.0...20.38.0

Changelog

Sourced from virtualenv's changelog.

Features - 20.38.0

• Store app data (pip/setuptools/wheel caches) under the OS cache directory (platformdirs.user_cache_dir) instead of the data directory (platformdirs.user_data_dir). Existing app data at the old location is automatically migrated on first use. This ensures cached files that can be redownloaded are placed in the standard cache location (e.g. ~/.cache on Linux, ~/Library/Caches on macOS) where they are excluded from backups and can be cleaned by system tools - by :user:rahuldevikar. (:issue:1884) (:issue:1884)
• Add PKG_CONFIG_PATH environment variable support to all activation scripts (Bash, Batch, PowerShell, Fish, C Shell, Nushell, and Python). The virtualenv's lib/pkgconfig directory is now automatically prepended to PKG_CONFIG_PATH on activation and restored on deactivation, enabling packages that use pkg-config during build/install to find their configuration files - by :user:rahuldevikar. (:issue:2637)
• Upgrade embedded pip to 26.0.1 from 25.3 and setuptools to 82.0.0, 75.3.4 from 75.3.2, 80.9.0
  • by :user:rahuldevikar. (:issue:3027)
• Replace ty: ignore comments with proper type narrowing using assertions and explicit None checks - by :user:rahuldevikar. (:issue:3029)

Bugfixes - 20.38.0

• Exclude pywin32 DLLs (pywintypes*.dll, pythoncom*.dll) from being copied to the Scripts directory during virtualenv creation on Windows. This fixes compatibility issues with pywin32, which expects its DLLs to be installed in site-packages/pywin32_system32 by its own post-install script - by :user:rahuldevikar. (:issue:2662)
• Preserve symlinks in pyvenv.cfg paths to match venv behavior. Use os.path.abspath() instead of os.path.realpath() to normalize paths without resolving symlinks, fixing issues with Python installations accessed via symlinked directories (common in network-mounted filesystems) - by :user:rahuldevikar. Fixes :issue:2770. (:issue:2770)
• Fix Windows activation scripts to properly quote python.exe path, preventing failures when Python is installed in a path with spaces (e.g., C:\Program Files) and a file named C:\Program exists on the filesystem - by :user:rahuldevikar. (:issue:2985)
• Fix bash -u (set -o nounset) compatibility in bash activation script by using ${PKG_CONFIG_PATH:-} and ${PKG_CONFIG_PATH:+:${PKG_CONFIG_PATH}} to handle unset PKG_CONFIG_PATH - by :user:Fridayai700. (:issue:3044)
• Gracefully handle corrupted on-disk cache and invalid JSON from Python interrogation subprocess instead of crashing with unhandled JSONDecodeError or KeyError - by :user:gaborbernat. (:issue:3054)

---

v20.36.1 (2026-01-09)

---

Commits

• fbbb97d release 20.38.0
• c5240c7 🔧 chore(tox): migrate tox.ini to tox.toml (#3050)
• 6ff2e3e 🐛 fix(discovery): harden subprocess interrogation and test reliability (#3054)
• d7919e5 Fix bash activate PKG_CONFIG_PATH unbound variable under bash -u (#3047)
• 39568b0 [pre-commit.ci] pre-commit autoupdate (#3043)
• f745000 🔒 security(workflows): add explicit permissions to all jobs
• fda5bbc 🐛 fix(release): clear coverage env vars in release env
• 1ecf0ed 👷 ci(release): split into release and tag-triggered publish (#3042)
• 4fb0401 📝 docs: restructure to follow Diataxis framework (#3041)
• 834c7ff 👷 ci(release): scope GH_RELEASE_TOKEN to release environment
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Resolves #3050
Resolves #3054
Resolves #3047
Resolves #3043
Resolves #3042
Resolves #3041
Resolves pypa/virtualenv#3015
Resolves pypa/virtualenv#3012
Resolves pypa/virtualenv#3016
Resolves pypa/virtualenv#3022
Resolves pypa/virtualenv#3023
Resolves pypa/virtualenv#3025
Resolves pypa/virtualenv#3026
Resolves pypa/virtualenv#3030
Resolves pypa/virtualenv#3034
Resolves pypa/virtualenv#3033
Resolves pypa/virtualenv#3031
Resolves pypa/virtualenv#3035
Resolves pypa/virtualenv#3036
Resolves pypa/virtualenv#3038
Resolves pypa/virtualenv#3039
Resolves pypa/virtualenv#3032
Resolves pypa/virtualenv#3040
Resolves pypa/virtualenv#3041
Resolves pypa/virtualenv#3042
Resolves pypa/virtualenv#3047
Resolves pypa/virtualenv#3054
Resolves pypa/virtualenv#3050

[github-actions]

🤖 Claude Code Review

PR Code Review

Summary: This is a minimal dependency bump PR, updating virtualenv from 20.36.1 to 20.38.0 in the development dependencies.

---

Code Quality

• ✅ Style guide: Single line change, no style concerns.
• ✅ No commented-out code: N/A
• ✅ Meaningful variable names: N/A
• ✅ DRY principle: N/A
• ✅ Defects: No logic errors or bugs introduced. This is a straightforward version bump in pyproject.toml:46.

Testing

• ✅ Unit/integration tests: No new code requiring tests.
• ✅ Edge cases: N/A
• ✅ Test coverage: N/A — dependency bump only.

Documentation

• ✅ README: No update needed.
• ✅ API docs: N/A
• ✅ Inline comments: N/A
• ❌ CHANGELOG.md: A CHANGELOG.md entry for this dependency bump was not included in the diff. Depending on project conventions, dependency bumps may warrant a changelog entry (e.g., under a "Dependencies" or "Maintenance" section).
• ✅ Markdown formatting: N/A

Security

• ✅ No hardcoded credentials: N/A
• ✅ Input validation: N/A
• ✅ Error handling: N/A
• ✅ No sensitive data in logs: N/A
• ✅ No license files (.lic) or AQAAAD strings: N/A

---

Overall Assessment

This is a clean, low-risk dependency bump. The only minor note is whether the project convention requires a CHANGELOG.md entry for dependency updates. No blockers.

Automated code review analyzing defects and coding standards