Update dependency virtualenv to v20.36.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
virtualenv	==20.26.3 → ==20.36.1

GitHub Vulnerability Alerts

CVE-2024-53899

virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.

CVE-2026-22702

Impact

TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations.

Affected versions: All versions up to and including 20.36.1

Affected users: Any user running virtualenv on multi-user systems where untrusted local users have filesystem access to shared temporary directories or where VIRTUALENV_OVERRIDE_APP_DATA points to a user-writable location.

Attack scenarios:

• Cache poisoning: Attacker corrupts wheels or Python metadata in the cache
• Information disclosure: Attacker reads sensitive cached data or metadata
• Lock bypass: Attacker controls lock file semantics to cause concurrent access violations
• Denial of service: Lock starvation preventing virtualenv operations

Patches

The vulnerability has been patched by replacing check-then-act patterns with atomic os.makedirs(..., exist_ok=True) operations.

Fixed in: PR #​3013

Versions with the fix: 20.36.2 and later

Users should upgrade to version 20.36.2 or later.

Workarounds

If you cannot upgrade immediately:

1. Ensure VIRTUALENV_OVERRIDE_APP_DATA points to a directory owned by the current user with restricted permissions (mode 0700)
2. Avoid running virtualenv in shared temporary directories where other users have write access
3. Use separate user accounts for different projects to isolate app_data directories

References

• GitHub PR: https://github.com/pypa/virtualenv/pull/3013
• Vulnerability reported by: @​tsigouris007
• CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (TOCTOU)
• CWE-59: Improper Link Resolution Before File Access

---

Release Notes

pypa/virtualenv (virtualenv)

v20.36.1

Compare Source

What's Changed

• release 20.36.0 by @​gaborbernat in #​3011
• fix: resolve TOCTOU vulnerabilities in app_data and lock directory creation by @​gaborbernat in #​3013

Full Changelog: pypa/virtualenv@20.36.0...20.36.1

v20.36.0

Compare Source

What's Changed

• release 20.35.3 by @​gaborbernat in #​2981
• fix: Prevent NameError when accessing _DISTUTILS_PATCH during file ov… by @​gracetyy in #​2982
• Upgrade pip and fix 3.15 picking old wheel by @​gaborbernat in #​2989
• release 20.35.4 by @​gaborbernat in #​2990
• fix: wrong path on migrated venv by @​sk1234567891 in #​2996
• test_too_many_open_files: assert on errno.EMFILE instead of strerror by @​pltrz in #​3001
• fix: update filelock dependency version to 3.20.1 to fix CVE CVE-2025-68146 by @​pythonhubdev in #​3002
• fix: resolve EncodingWarning in tox upgrade environment by @​gaborbernat in #​3007
• Fix Interpreter discovery bug wrt. Microsoft Store shortcut using Latin-1 by @​rahuldevikar in #​3006
• Add support for PEP 440 version specifiers in the --python flag. by @​rahuldevikar in #​3008

New Contributors

• @​gracetyy made their first contribution in #​2982
• @​sk1234567891 made their first contribution in #​2996
• @​pltrz made their first contribution in #​3001
• @​pythonhubdev made their first contribution in #​3002
• @​rahuldevikar made their first contribution in #​3006

Full Changelog: pypa/virtualenv@20.35.3...20.36.0

v20.35.4

Compare Source

What's Changed

• release 20.35.3 by @​gaborbernat in #​2981
• fix: Prevent NameError when accessing _DISTUTILS_PATCH during file ov… by @​gracetyy in #​2982
• Upgrade pip and fix 3.15 picking old wheel by @​gaborbernat in #​2989

New Contributors

• @​gracetyy made their first contribution in #​2982

Full Changelog: pypa/virtualenv@20.35.3...20.35.4

v20.35.3

Compare Source

What's Changed

• release 20.35.1 by @​gaborbernat in #​2976
• Revert out effort to extract discovery by @​gaborbernat in #​2978
• release 20.35.2 by @​gaborbernat in #​2980
• test_too_many_open_files fails by @​gaborbernat in #​2979

Full Changelog: pypa/virtualenv@20.35.1...20.35.3

v20.35.2

Compare Source

What's Changed

• release 20.35.1 by @​gaborbernat in #​2976
• Revert out effort to extract discovery by @​gaborbernat in #​2978

Full Changelog: pypa/virtualenv@20.35.1...20.35.2

v20.35.1

Compare Source

What's Changed

• release 20.34.0 by @​gaborbernat in #​2954
• refactor: Decouple discovery module by @​esafak in #​2956
• feat: ensure creation of python3.exe and python3 on Windows by @​esafak in #​2957
• fix: Use getattr for tcl/tk library paths by @​esafak in #​2945
• fix: Import fs_is_case_sensitive absolutely in py_info.py by @​esafak in #​2960
• Declare 3.14 support by @​gaborbernat in #​2970
• release 20.35.0 by @​gaborbernat in #​2971
• fix: Patch get_interpreter to handle missing cache and app_data by @​esafak in #​2974
• Fix backwards incompatible changes on PythonInfo by @​gaborbernat in #​2975

Full Changelog: pypa/virtualenv@20.34.0...20.35.1

v20.35.0

Compare Source

What's Changed

• release 20.34.0 by @​gaborbernat in #​2954
• refactor: Decouple discovery module by @​esafak in #​2956
• feat: ensure creation of python3.exe and python3 on Windows by @​esafak in #​2957
• fix: Use getattr for tcl/tk library paths by @​esafak in #​2945
• fix: Import fs_is_case_sensitive absolutely in py_info.py by @​esafak in #​2960
• chore(deps): bump pypa/gh-action-pypi-publish from 1.12.3 to 1.13.0 in /.github/workflows by @​dependabot[bot] in #​2964
• Declare 3.14 support by @​gaborbernat in #​2970

Full Changelog: pypa/virtualenv@20.34.0...20.35.0

v20.34.0

Compare Source

What's Changed

• release 20.33.1 by @​gaborbernat in #​2943
• fix: Improve file limit test to catch SystemExit or RuntimeError by @​esafak in #​2936
• feat: Abstract out caching in discovery by @​esafak in #​2946
• CI: Add PyPy 3.11 to CI checks by @​esafak in #​2934
• feat: Decouple FileCache from py_info by @​esafak in #​2947
• feat: Remove references to py_info from FileCache by @​esafak in #​2948
• refactor: Decouple discovery from creator plugins by @​esafak in #​2949
• refactor: Decouple discovery by duplicating info utils by @​esafak in #​2951
• fix: Python in PATH takes precedence over uv-managed Pythons by @​edgarrmondragon in #​2952
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​2950
• Bump pip to 25.2 by @​gaborbernat in #​2953

Full Changelog: pypa/virtualenv@20.33.1...20.34.0

v20.33.1

Compare Source

What's Changed

• release 20.33.0 by @​gaborbernat in #​2929
• fix(test): Restore mtime of py_info.py in test by @​esafak in #​2938
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​2937
• fix: Correctly unpack _get_tcl_tk_libs() response in PythonInfo by @​esafak in #​2940
• chore: Request shell and python details in bug reports by @​esafak in #​2942

Full Changelog: pypa/virtualenv@20.33.0...20.33.1

v20.33.0

Compare Source

What's Changed

• release 20.32.0 by @​gaborbernat in #​2908
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​2909
• Fix nushell deprecation warnings by @​gaborbernat in #​2910
• test: Use @pytest.mark.flaky instead of @flaky.flaky by @​mgorny in #​2911
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​2912
• fix: handle StopIteration in discovery by @​esafak in #​2913
• fix: Improve symlink check and sysconfig path handling by @​esafak in #​2914
• docs: Recommend specific python version for virtualenv by @​esafak in #​2916
• fix: Force UTF-8 encoding for pip subprocess by @​esafak in #​2918
• fix: Prevent crash on file in PATH during discovery by @​esafak in #​2917
• fix: --try-first-with was overriding an absolute --python path by @​esafak in #​2921
• fix 'Too many open files' error and improve error message by @​esafak in #​2922
• fix(testing): Prevent logging setup when --help is passed by @​esafak in #​2923
• fix cache invalidation for PythonInfo by @​esafak in #​2925
• fix: Update venv redirector detection for Python 3.13 on Windows by @​esafak in #​2920
• feat: Add Tcl/Tkinter support by @​esafak in #​2928

Full Changelog: pypa/virtualenv@20.32.0...20.33.0

v20.32.0

Compare Source

What's Changed

• release 20.31.2 by @​gaborbernat in #​2886
• Fix the CI by @​gaborbernat in #​2904
• activate.fish: update fish major version check by @​r5d in #​2891
• Fix: Ignore missing absolute paths for python discovery by @​esafak in #​2907
• Discover uv-managed Python installations by @​edgarrmondragon in #​2902
• Add warning for incorrect usage of Nushell activation script by @​esafak in #​2906
• Update index.rst, compatibility section added, other subheadings created by @​velle in #​2897
• Bump setuptools version by @​gaborbernat in #​2900

New Contributors

• @​r5d made their first contribution in #​2891
• @​esafak made their first contribution in #​2907
• @​edgarrmondragon made their first contribution in #​2902
• @​velle made their first contribution in #​2897

Full Changelog: pypa/virtualenv@20.31.2...20.32.0

v20.31.2

Compare Source

What's Changed

• release 20.31.1 by @​gaborbernat in #​2882
• Reintroduce the --wheel CLI option, even though it has no effect on Python > 3.8 by @​hroncok in #​2884

Full Changelog: pypa/virtualenv@20.31.1...20.31.2

v20.31.1

Compare Source

What's Changed

• release 20.31.0 by @​gaborbernat in #​2879
• Bump setuptools and pip by @​gaborbernat in #​2880

Full Changelog: pypa/virtualenv@20.31.0...20.31.1

v20.31.0

Compare Source

What's Changed

• release 20.30.0 by @​gaborbernat in #​2864
• Stop including 'wheel', setuptools 70.1 has native bdist_wheel support by @​stefanor in #​2868
• Revert a large part of the wheel removal, to support Python 3.8 by @​stefanor in #​2876
• Fix HelpFormatter for Python 3.14 by @​cdce8p in #​2878
• Fix get_embed_wheel for unknown wheels by @​tiran in #​2877

New Contributors

• @​cdce8p made their first contribution in #​2878
• @​tiran made their first contribution in #​2877

Full Changelog: pypa/virtualenv@20.30.0...20.31.0

v20.30.0

Compare Source

What's Changed

• release 20.29.3 by @​gaborbernat in #​2855
• Add GraalPy support by @​timfel in #​2859
• Upgrade setuptools by @​gaborbernat in #​2863

New Contributors

• @​timfel made their first contribution in #​2859

Full Changelog: pypa/virtualenv@20.29.3...20.30.0

v20.29.3

Compare Source

What's Changed

• release 20.29.2 by @​gaborbernat in #​2844
• Remove duplicate bug report template by @​shenxianpeng in #​2850
• Fix debug logging interpolation by @​tipabu in #​2849
• Ignore directories in PATH that can't be opened by @​barneygale in #​2852

New Contributors

• @​shenxianpeng made their first contribution in #​2850
• @​tipabu made their first contribution in #​2849
• @​barneygale made their first contribution in #​2852

Full Changelog: pypa/virtualenv@20.29.2...20.29.3

v20.29.2

Compare Source

What's Changed

• release 20.29.1 by @​gaborbernat in #​2828
• Remove old virtualenv wheel by @​gaborbernat in #​2842
• Bump pip to 25.0.1 by @​gaborbernat in #​2843

Full Changelog: pypa/virtualenv@20.29.1...20.29.2

v20.29.1

Compare Source

What's Changed

• release 20.29.0 by @​gaborbernat in #​2824
• Simplify Solution to --python command-line flag precedence by @​DK96-OS in #​2826
• Change PyInfo cache versioning mechanism by @​robsdedude in #​2827

New Contributors

• @​DK96-OS made their first contribution in #​2826

Full Changelog: pypa/virtualenv@20.29.0...20.29.1

v20.29.0

Compare Source

What's Changed

• release 20.28.1 by @​gaborbernat in #​2818
• Makes --python command-line flag take precedence over env var by @​filiplajszczak in #​2821
• Add free-threaded Python support by @​robsdedude in #​2809
• Upgrade embeded setuptools by @​gaborbernat in #​2823

New Contributors

• @​filiplajszczak made their first contribution in #​2821
• @​robsdedude made their first contribution in #​2809

Full Changelog: pypa/virtualenv@20.28.1...20.29.0

v20.28.1

Compare Source

What's Changed

• release 20.28.0 by @​gaborbernat in #​2807
• Skip tcsh tests on broken tcsh versions by @​gaborbernat in #​2817

Full Changelog: pypa/virtualenv@20.28.0...20.28.1

v20.28.0

Compare Source

What's Changed

• fix: Update run_with_catch log flushing by @​neilramsay in #​2806
• feat: Write CACHEDIR.TAG file by @​neilramsay in #​2805

Full Changelog: pypa/virtualenv@20.27.2...20.28.0

v20.27.1

Compare Source

What's Changed

• release 20.27.0 by @​gaborbernat in #​2785
• Upgrade to pip 24.3 by @​gaborbernat in #​2790

Full Changelog: pypa/virtualenv@20.27.0...20.27.1

v20.27.0

Compare Source

What's Changed

• release 20.26.6 by @​gaborbernat in #​2772
• docs: fix the documentation typo on Extend Functionality page. by @​Mr-Sunglasses in #​2773
• Fix broken Windows zipapp and drop 3.7 support by @​gaborbernat in #​2783
• Skip $PATH entries we cannot check rather than dying with PermissionError by @​hroncok in #​2782

New Contributors

• @​Mr-Sunglasses made their first contribution in #​2773

Full Changelog: pypa/virtualenv@20.26.5...20.27.0

v20.26.6

Compare Source

What's Changed

• release 20.26.5 by @​gaborbernat in #​2766
• Fix #​2768: Quote template strings in activation scripts by @​y5c4l3 in #​2771

New Contributors

• @​y5c4l3 made their first contribution in #​2771

Full Changelog: pypa/virtualenv@20.26.5...20.26.6

v20.26.5

Compare Source

What's Changed

• release 20.26.4 by @​gaborbernat in #​2761
• Use uv over pip by @​gaborbernat in #​2765

Full Changelog: pypa/virtualenv@20.26.4...20.26.5

v20.26.4

Compare Source

What's Changed

• release 20.26.3 by @​gaborbernat in #​2742
• Fix whitespace around backticks in changelog by @​edmorley in #​2751
• Test latest Python 3.13 by @​hugovk in #​2752
• Fix typo in Nushell activation script by @​edmorley in #​2754
• GitHub Actions: Replace deprecated macos-12 with macos-13 by @​hugovk in #​2756
• Fix #​2728: Activating venv create unwanted console output by @​ShootGan in #​2748
• Upgrade bundled wheels by @​gaborbernat in #​2760

New Contributors

• @​ShootGan made their first contribution in #​2748

Full Changelog: pypa/virtualenv@20.26.3...20.26.4

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud