Skip to content

chore(deps-dev): bump virtualenv from 20.35.4 to 20.36.1#542

Open
dependabot[bot] wants to merge 2 commits intomainfrom
dependabot/pip/virtualenv-20.36.1
Open

chore(deps-dev): bump virtualenv from 20.35.4 to 20.36.1#542
dependabot[bot] wants to merge 2 commits intomainfrom
dependabot/pip/virtualenv-20.36.1

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jan 13, 2026
edited
Loading

Bumps virtualenv from 20.35.4 to 20.36.1.

Release notes

Sourced from virtualenv's releases.

20.36.1

What's Changed

Full Changelog: pypa/virtualenv@20.36.0...20.36.1

20.36.0

What's Changed

New Contributors

Full Changelog: pypa/virtualenv@20.35.3...20.36.0

Changelog

Sourced from virtualenv's changelog.

v20.36.1 (2026-01-09)

Bugfixes - 20.36.1

- Fix TOCTOU vulnerabilities in app_data and lock directory creation that could be exploited via symlink attacks - reported by :user:`tsigouris007`, fixed by :user:`gaborbernat`. (:issue:`3013`)

v20.36.0 (2026-01-07)


Features - 20.36.0

  • Add support for PEP 440 version specifiers in the --python flag. Users can now specify Python versions using operators like >=, <=, ~=, etc. For example: virtualenv --python=">=3.12" myenv . (:issue:2994`)
Commits
  • d0ad11d release 20.36.1
  • dec4cec Merge pull request #3013 from gaborbernat/fix-sec
  • 5fe5d38 release 20.36.0 (#3011)
  • 9719376 release 20.36.0
  • 0276db6 Add support for PEP 440 version specifiers in the --python flag. (#3008)
  • 4f900c2 Fix Interpreter discovery bug wrt. Microsoft Store shortcut using Latin-1 (#3...
  • 13afcc6 fix: resolve EncodingWarning in tox upgrade environment (#3007)
  • 31b5d31 [pre-commit.ci] pre-commit autoupdate (#2997)
  • 7c28422 fix: update filelock dependency version to 3.20.1 to fix CVE CVE-2025-68146 (...
  • 365628c test_too_many_open_files: assert on errno.EMFILE instead of strerror (#3001)
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot bot added dependencies python Pull requests that update Python code labels Jan 13, 2026
@dependabot dependabot bot requested a review from a team as a code owner January 13, 2026 20:08
@dependabot dependabot bot added dependencies python Pull requests that update Python code labels Jan 13, 2026
@dependabot dependabot bot force-pushed the dependabot/pip/virtualenv-20.36.1 branch from 3a8010a to 3f08b0f Compare February 2, 2026 02:47
@dependabot dependabot bot force-pushed the dependabot/pip/virtualenv-20.36.1 branch from 3f08b0f to a0d6965 Compare February 11, 2026 08:05
@dependabot
chore(deps-dev): bump virtualenv from 20.35.4 to 20.36.1
5536843 
Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.35.4 to 20.36.1.
- [Release notes](https://github.com/pypa/virtualenv/releases)
- [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst)
- [Commits](pypa/virtualenv@20.35.4...20.36.1)

---
updated-dependencies:
- dependency-name: virtualenv
  dependency-version: 20.36.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/pip/virtualenv-20.36.1 branch from a0d6965 to 5536843 Compare February 11, 2026 13:52
@ebrattli
Copy link
Contributor

ebrattli commented Feb 13, 2026

/gemini review

@ebrattli ebrattli added waiting-for-risk-review Waiting for a member of the risk review team to take an action auto-merge Bulldozer auto-merge labels Feb 13, 2026
gemini-code-assist[bot]
gemini-code-assist bot reviewed Feb 13, 2026
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the virtualenv dependency to version 20.36.1, which includes important security fixes. However, the poetry.lock file appears to have been generated with a downgraded version of Poetry (2.2.1 instead of the previous 2.3.2). This has caused incorrect dependency resolution, where several optional dependencies are now marked as required. This will lead to unnecessary packages being installed, bloating the environment. I've added a critical comment with details on how to resolve this. The lock file needs to be regenerated using a newer version of Poetry before this PR can be merged.

@codecov
Copy link

codecov bot commented Feb 13, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.09%. Comparing base (99b915e) to head (d50db72).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #542   +/-   ##
=======================================
  Coverage   91.09%   91.09%           
=======================================
  Files         111      111           
  Lines        4201     4201           
  Branches      552      552           
=======================================
  Hits         3827     3827           
  Misses        231      231           
  Partials      143      143
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@github-actions
Copy link

github-actions bot commented Feb 13, 2026

Unit Test Results

    18 files  ±0      18 suites  ±0   35m 27s ⏱️ + 1m 23s
 1 212 tests ±0   1 212 ✅ ±0  0 💤 ±0  0 ❌ ±0 
15 840 runs  ±0  15 840 ✅ +9  0 💤  - 9  0 ❌ ±0 

Results for commit d50db72. ± Comparison against base commit 99b915e.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ebrattli ebrattli ebrattli approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

auto-merge Bulldozer auto-merge dependencies python Pull requests that update Python code waiting-for-risk-review Waiting for a member of the risk review team to take an action

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ebrattli