chore(deps): bump virtualenv from 20.26.6 to 20.36.1#5639
Merged
Conversation
Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.26.6 to 20.36.1. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](pypa/virtualenv@20.26.6...20.36.1) --- updated-dependencies: - dependency-name: virtualenv dependency-version: 20.36.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
rtibblesbot
approved these changes
Feb 11, 2026
rtibblesbot
left a comment
rtibblesbot
left a comment
There was a problem hiding this comment.
Dependency Update Review
Package: virtualenv 20.26.6 → 20.36.1
Semver risk: Minor (20.26 → 20.36 within same major version)
Dependency type: Dev dependency (via pre-commit, in requirements-dev.txt only)
CI status: Passing (linting + Python unit tests)
Changelog Analysis
Sources consulted:
Breaking changes: None found. All releases remain in the 20.x series with backward-compatible changes.
Security fixes:
- v20.36.1: Fix TOCTOU vulnerabilities in
app_dataand lock directory creation that could be exploited via symlink attacks (#3013) - v20.36.0: Updated
filelockdependency to 3.20.1 to fix CVE-2025-68146 (#3002)
Notable changes across 10 minor releases (20.27.0 → 20.36.1):
- Added Tcl/Tkinter support (v20.33.0)
- Added PyPy 3.11 support (v20.34.0)
- Declared Python 3.14 support (v20.35.0)
- Added PEP 440 version specifier support for
--pythonflag (v20.36.0) - Added discovery of uv-managed Python installations (v20.32.0)
- Multiple bug fixes for cache invalidation, file descriptor leaks, Windows compatibility, and Nushell activation scripts
- Embedded pip upgraded from 24.2 to 25.3; setuptools upgraded
Deprecations: None found.
Compatibility Assessment
- Project uses affected APIs: No — virtualenv is used indirectly via
pre-commitas a dev tool. The project does not call virtualenv APIs directly. - Peer dependency requirements satisfied: Yes — the only new transitive dependency note is
typing-extensionswhich is already present in the project. - Code changes required: No — only
requirements-dev.txtversion pin change. - Prior attempts: No maintainer comments or prior reverts found for this upgrade.
Recommendation
APPROVE — This is a minor version bump of a dev-only dependency with no breaking changes, two security fixes, and all CI checks passing.
rtibbles
approved these changes
Feb 13, 2026
Member
rtibbles
left a comment
rtibbles
left a comment
There was a problem hiding this comment.
No concerns in changelog, dev only dependency, only minor version bump.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps virtualenv from 20.26.6 to 20.36.1.
Release notes
Sourced from virtualenv's releases.
... (truncated)
Changelog
Sourced from virtualenv's changelog.
... (truncated)
Commits
d0ad11drelease 20.36.1dec4cecMerge pull request #3013 from gaborbernat/fix-sec5fe5d38release 20.36.0 (#3011)9719376release 20.36.00276db6Add support for PEP 440 version specifiers in the--pythonflag. (#3008)4f900c2Fix Interpreter discovery bug wrt. Microsoft Store shortcut using Latin-1 (#3...13afcc6fix: resolve EncodingWarning in tox upgrade environment (#3007)31b5d31[pre-commit.ci] pre-commit autoupdate (#2997)7c28422fix: update filelock dependency version to 3.20.1 to fix CVE CVE-2025-68146 (...365628ctest_too_many_open_files: assert onerrno.EMFILEinstead ofstrerror(#3001)You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.