fix: update virtualenv requirement from <=20.36.1 to <=20.38.0 #105

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/virtualenv-lte-20.38.0

dependabot Bot commented on behalf of github Feb 19, 2026

Updates the requirements on virtualenv to permit the latest version.

Release notes

Sourced from virtualenv's releases.

20.38.0

What's Changed

New Contributors

Full Changelog: pypa/virtualenv@20.37.0...20.38.0

Changelog

Sourced from virtualenv's changelog.

Features - 20.38.0

  • Store app data (pip/setuptools/wheel caches) under the OS cache directory (platformdirs.user_cache_dir) instead of the data directory (platformdirs.user_data_dir). Existing app data at the old location is automatically migrated on first use. This ensures cached files that can be redownloaded are placed in the standard cache location (e.g. ~/.cache on Linux, ~/Library/Caches on macOS) where they are excluded from backups and can be cleaned by system tools - by :user:rahuldevikar. (:issue:1884)
  • Add PKG_CONFIG_PATH environment variable support to all activation scripts (Bash, Batch, PowerShell, Fish, C Shell, Nushell, and Python). The virtualenv's lib/pkgconfig directory is now automatically prepended to PKG_CONFIG_PATH on activation and restored on deactivation, enabling packages that use pkg-config during build/install to find their configuration files - by :user:rahuldevikar. (:issue:2637)
  • Upgrade embedded pip to 26.0.1 from 25.3 and setuptools to 82.0.0, 75.3.4 from 75.3.2, 80.9.0 - by :user:rahuldevikar. (:issue:3027)
  • Replace ty: ignore comments with proper type narrowing using assertions and explicit None checks - by :user:rahuldevikar. (:issue:3029)

Bugfixes - 20.38.0

  • Exclude pywin32 DLLs (pywintypes*.dll, pythoncom*.dll) from being copied to the Scripts directory during virtualenv creation on Windows. This fixes compatibility issues with pywin32, which expects its DLLs to be installed in site-packages/pywin32_system32 by its own post-install script - by :user:rahuldevikar. (:issue:2662)
  • Preserve symlinks in pyvenv.cfg paths to match venv behavior. Use os.path.abspath() instead of os.path.realpath() to normalize paths without resolving symlinks, fixing issues with Python installations accessed via symlinked directories (common in network-mounted filesystems) - by :user:rahuldevikar. Fixes :issue:2770. (:issue:2770)
  • Fix Windows activation scripts to properly quote python.exe path, preventing failures when Python is installed in a path with spaces (e.g., C:\Program Files) and a file named C:\Program exists on the filesystem - by :user:rahuldevikar. (:issue:2985)
  • Fix bash -u (set -o nounset) compatibility in bash activation script by using ${PKG_CONFIG_PATH:-} and ${PKG_CONFIG_PATH:+:${PKG_CONFIG_PATH}} to handle unset PKG_CONFIG_PATH - by :user:Fridayai700. (:issue:3044)
  • Gracefully handle corrupted on-disk cache and invalid JSON from Python interrogation subprocess instead of crashing with unhandled JSONDecodeError or KeyError - by :user:gaborbernat. (:issue:3054)

v20.36.1 (2026-01-09)


Bugfixes - 20.36.1

  • Fix TOCTOU vulnerabilities in app_data and lock directory creation that could be exploited via symlink attacks - reported by :user:tsigouris007, fixed by :user:gaborbernat. (:issue:3013)

v20.36.0 (2026-01-07)


... (truncated)

Commits
  • fbbb97d release 20.38.0
  • c5240c7 🔧 chore(tox): migrate tox.ini to tox.toml (#3050)
  • 6ff2e3e 🐛 fix(discovery): harden subprocess interrogation and test reliability (#3054)
  • d7919e5 Fix bash activate PKG_CONFIG_PATH unbound variable under bash -u (#3047)
  • 39568b0 [pre-commit.ci] pre-commit autoupdate (#3043)
  • f745000 🔒 security(workflows): add explicit permissions to all jobs
  • fda5bbc 🐛 fix(release): clear coverage env vars in release env
  • 1ecf0ed 👷 ci(release): split into release and tag-triggered publish (#3042)
  • 4fb0401 📝 docs: restructure to follow Diataxis framework (#3041)
  • 834c7ff 👷 ci(release): scope GH_RELEASE_TOKEN to release environment
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Updates the requirements on [virtualenv](https://github.com/pypa/virtualenv) to permit the latest version.
- [Release notes](https://github.com/pypa/virtualenv/releases)
- [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst)
- [Commits](pypa/virtualenv@1.2...20.38.0)

---
updated-dependencies:
- dependency-name: virtualenv
  dependency-version: 20.38.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
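
The `bash -u` fix listed in the 20.38.0 changelog above relies on two parameter expansions, `${PKG_CONFIG_PATH:-}` and `${PKG_CONFIG_PATH:+:${PKG_CONFIG_PATH}}`. As an added example (not virtualenv's own activation script; `VENV_DIR`, `venv_activate`, `venv_deactivate`, `naive_expansion_aborts` and the `_OLD_PKG_CONFIG_PATH*` variables are hypothetical names), this shows the prepend and restore behaving correctly under nounset when the variable is unset, empty or set:

```shell
#!/bin/sh
# Added example, not virtualenv's activate script. All function and variable
# names except PKG_CONFIG_PATH are hypothetical.
set -u

VENV_DIR="/tmp/example-venv"   # constructed sample path

venv_activate() {
    # ${VAR+x} is nounset-safe and tells "unset" apart from "set but empty",
    # so deactivation can put the environment back exactly as it was.
    if [ -n "${PKG_CONFIG_PATH+x}" ]; then
        _OLD_PKG_CONFIG_PATH_SET=1
    else
        _OLD_PKG_CONFIG_PATH_SET=0
    fi
    # ${VAR:-} expands to "" instead of aborting when VAR is unset.
    _OLD_PKG_CONFIG_PATH="${PKG_CONFIG_PATH:-}"
    # ${VAR:+:${VAR}} appends ":old" only when old is non-empty,
    # so the result never ends in a stray colon.
    PKG_CONFIG_PATH="${VENV_DIR}/lib/pkgconfig${PKG_CONFIG_PATH:+:${PKG_CONFIG_PATH}}"
    export PKG_CONFIG_PATH
}

venv_deactivate() {
    if [ "${_OLD_PKG_CONFIG_PATH_SET:-0}" = 1 ]; then
        PKG_CONFIG_PATH="${_OLD_PKG_CONFIG_PATH}"
        export PKG_CONFIG_PATH
    else
        unset PKG_CONFIG_PATH
    fi
    unset _OLD_PKG_CONFIG_PATH _OLD_PKG_CONFIG_PATH_SET
}

# An unguarded "$PKG_CONFIG_PATH" reference under nounset, run in a subshell
# so the abort cannot take the calling shell down. Returns 0 if it aborted.
naive_expansion_aborts() {
    ! ( set -u; unset PKG_CONFIG_PATH
        : "${VENV_DIR}/lib/pkgconfig:${PKG_CONFIG_PATH}" ) 2>/dev/null
}
```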

dependabot Bot added the dependencies and python labels Feb 19, 2026

deepsource-io Bot commented Feb 19, 2026

DeepSource Code Review

DeepSource reviewed changes in the commit range bcceac0...db29e9d on this pull request. Below is the summary for the review, and you can see the individual issues we found as review comments.

For detailed review results, please see the PR on DeepSource ↗

PR Report Card

  • Security × 0 issues
  • Reliability × 0 issues
  • Complexity × 0 issues
  • Hygiene × 0 issues

Code Review Summary

  • Python analyzer: No new issues detected.
How are these analyzer statuses calculated?

Administrators can configure which issue categories are reported and cause analysis to be marked as failed when detected. This helps prevent bad and insecure code from being introduced in the codebase. If you're an administrator, you can modify this in the repository's settings.

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Updated: virtualenv@20.36.1 ⏵ 20.38.0

  • Supply Chain Security: 96
  • Vulnerability: 100
  • Quality: 100
  • Maintenance: 100
  • License: 100


dependabot Bot commented on behalf of github Feb 24, 2026

Superseded by #107.

dependabot Bot closed this Feb 24, 2026
dependabot Bot deleted the dependabot/pip/virtualenv-lte-20.38.0 branch February 24, 2026 13:07