fix: update virtualenv requirement from <=20.36.1 to <=20.39.0

[dependabot]

Updates the requirements on virtualenv to permit the latest version.

Release notes

Sourced from virtualenv's releases.

20.39.0

What's Changed

• Move from extras to dependency-groups by @​gaborbernat in pypa/virtualenv#3056
• 🐛 fix(sdist): include tox.toml in sdist by @​gaborbernat in pypa/virtualenv#3063
• 🐛 fix(seed): add --ignore-installed to pip invoke seeder by @​gaborbernat in pypa/virtualenv#3064
• 👷 ci(brew): add missing Homebrew Python versions and fix discovery by @​gaborbernat in pypa/virtualenv#3066
• 🧪 test(discovery): fix test_py_info_cache_clear outside venv by @​gaborbernat in pypa/virtualenv#3065
• Add architecture (ISA) awareness to Python discovery by @​rahuldevikar in pypa/virtualenv#3058
• 🐛 fix(discovery): resolve version-manager shims to real binaries by @​gaborbernat in pypa/virtualenv#3067
• Add auto-upgrade workflow for embedded dependencies by @​rahuldevikar in pypa/virtualenv#3057

Full Changelog: pypa/virtualenv@20.38.0...20.39.0

Changelog

Sourced from virtualenv's changelog.

Features - 20.39.0

• Automatically resolve version manager shims (pyenv, mise, asdf) to the real Python binary during discovery, preventing incorrect interpreter selection when shims are on PATH - by :user:gaborbernat. (:issue:3049)
• Add architecture (ISA) awareness to Python discovery — users can now specify a CPU architecture suffix in the --python spec string (e.g. cpython3.12-64-arm64) to distinguish between interpreters that share the same version and bitness but target different architectures. Uses sysconfig.get_platform() as the data source, with cross-platform normalization (amd64 ↔ x86_64, aarch64 ↔ arm64). Omitting the suffix preserves existing behavior - by :user:rahuldevikar. (:issue:3059)

---

v20.38.0 (2026-02-19)

---

Features - 20.38.0

• Store app data (pip/setuptools/wheel caches) under the OS cache directory (platformdirs.user_cache_dir) instead of the data directory (platformdirs.user_data_dir). Existing app data at the old location is automatically migrated on first use. This ensures cached files that can be redownloaded are placed in the standard cache location (e.g. ~/.cache on Linux, ~/Library/Caches on macOS) where they are excluded from backups and can be cleaned by system tools - by :user:rahuldevikar. (:issue:1884) (:issue:1884)
• Add PKG_CONFIG_PATH environment variable support to all activation scripts (Bash, Batch, PowerShell, Fish, C Shell, Nushell, and Python). The virtualenv's lib/pkgconfig directory is now automatically prepended to PKG_CONFIG_PATH on activation and restored on deactivation, enabling packages that use pkg-config during build/install to find their configuration files - by :user:rahuldevikar. (:issue:2637)
• Upgrade embedded pip to 26.0.1 from 25.3 and setuptools to 82.0.0, 75.3.4 from 75.3.2, 80.9.0
  • by :user:rahuldevikar. (:issue:3027)
• Replace ty: ignore comments with proper type narrowing using assertions and explicit None checks - by :user:rahuldevikar. (:issue:3029)

Bugfixes - 20.38.0

• Exclude pywin32 DLLs (pywintypes*.dll, pythoncom*.dll) from being copied to the Scripts directory during virtualenv creation on Windows. This fixes compatibility issues with pywin32, which expects its DLLs to be installed in site-packages/pywin32_system32 by its own post-install script - by :user:rahuldevikar. (:issue:2662)
• Preserve symlinks in pyvenv.cfg paths to match venv behavior. Use os.path.abspath() instead of os.path.realpath() to normalize paths without resolving symlinks, fixing issues with Python installations accessed via symlinked directories (common in network-mounted filesystems) - by :user:rahuldevikar. Fixes :issue:2770. (:issue:2770)
• Fix Windows activation scripts to properly quote python.exe path, preventing failures when Python is installed in a path with spaces (e.g., C:\Program Files) and a file named C:\Program exists on the filesystem - by :user:rahuldevikar. (:issue:2985)
• Fix bash -u (set -o nounset) compatibility in bash activation script by using ${PKG_CONFIG_PATH:-} and ${PKG_CONFIG_PATH:+:${PKG_CONFIG_PATH}} to handle unset PKG_CONFIG_PATH - by :user:Fridayai700. (:issue:3044)
• Gracefully handle corrupted on-disk cache and invalid JSON from Python interrogation subprocess instead of crashing with unhandled JSONDecodeError or KeyError - by :user:gaborbernat. (:issue:3054)

... (truncated)

Commits

• ad56e78 release 20.39.0
• ae90556 Add auto-upgrade workflow for embedded dependencies (#3057)
• 4582e41 🐛 fix(discovery): resolve version-manager shims to real binaries (#3067)
• e32d82d Add architecture (ISA) awareness to Python discovery (#3058)
• f8f7f48 🧪 test(discovery): fix test_py_info_cache_clear outside venv (#3065)
• c22b548 👷 ci(brew): add missing Homebrew Python versions and fix discovery (#3066)
• a852cbb 🐛 fix(seed): add --ignore-installed to pip invoke seeder (#3064)
• 6d22c9e 🐛 fix(sdist): include tox.toml in sdist (#3063)
• 01e8f51 Move from extras to dependency-groups (#3056)
• fbbb97d release 20.38.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[deepsource-io]

DeepSource Code Review

We reviewed changes in bcceac0...cf3e988 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade

Security   Reliability   Complexity   Hygiene

Code Review Summary

Analyzer	Status	Updated (UTC)	Details
Python		Feb 24, 2026 1:07p.m.	Review ↗

[deepsource-io]

DeepSource Code Review

We reviewed changes in bcceac0...cf3e988 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade

Security   Reliability   Complexity   Hygiene

Code Review Summary

Analyzer	Status	Updated (UTC)	Details
Python		Feb 24, 2026 1:07p.m.	Review ↗

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	virtualenv@​20.36.1 ⏵ 20.39.0

View full report

[dependabot]

Superseded by #108.