Commit 3172b3f
Bump virtualenv from 21.2.0 to 21.2.4 (#12378)
Bumps [virtualenv](https://github.com/pypa/virtualenv) from 21.2.0 to
21.2.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/virtualenv/releases">virtualenv's
releases</a>.</em></p>
<blockquote>
<h2>21.2.4</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>🐛 fix(periodic-update): refuse unverified HTTPS to PyPI by default
by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3122">pypa/virtualenv#3122</a></li>
<li>🐛 fix(zipapp): enforce ROOT containment with Path.relative_to by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3121">pypa/virtualenv#3121</a></li>
<li>🐛 fix(seed): validate distribution and version before pip download
by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3120">pypa/virtualenv#3120</a></li>
<li>🐛 fix(seed): verify sha256 of bundled wheels on load by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3119">pypa/virtualenv#3119</a></li>
<li>🐛 fix(seed): validate wheel zip entries before extraction by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3118">pypa/virtualenv#3118</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/pypa/virtualenv/compare/21.2.3...21.2.4">https://github.com/pypa/virtualenv/compare/21.2.3...21.2.4</a></p>
<h2>21.2.3</h2>
<!-- raw HTML omitted -->
<p><strong>Full Changelog</strong>: <a
href="https://github.com/pypa/virtualenv/compare/21.2.2...21.2.3">https://github.com/pypa/virtualenv/compare/21.2.2...21.2.3</a></p>
<h2>21.2.2</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>bump python-discovery minimum to 1.2.2 by <a
href="https://github.com/rahuldevikar"><code>@rahuldevikar</code></a>
in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3117">pypa/virtualenv#3117</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/pypa/virtualenv/compare/21.2.1...21.2.2">https://github.com/pypa/virtualenv/compare/21.2.1...21.2.2</a></p>
<h2>21.2.1</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>Upgrade embedded pip/setuptools/wheel by <a
href="https://github.com/github-actions"><code>@github-actions</code></a>[bot]
in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3093">pypa/virtualenv#3093</a></li>
<li>Enhance upgrade workflow: age check, dedup, issue tracking by <a
href="https://github.com/rahuldevikar"><code>@rahuldevikar</code></a>
in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3094">pypa/virtualenv#3094</a></li>
<li>🐛 fix(create): use commonpath for correct path validation by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3097">pypa/virtualenv#3097</a></li>
<li>🔒 ci(workflows): add zizmor security auditing by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3099">pypa/virtualenv#3099</a></li>
<li>Add current and previous maintainers by <a
href="https://github.com/rahuldevikar"><code>@rahuldevikar</code></a>
in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3101">pypa/virtualenv#3101</a></li>
<li>🔧 fix(ci): restore git credentials for release and upgrade jobs by
<a href="https://github.com/gaborbernat"><code>@gaborbernat</code></a>
in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3102">pypa/virtualenv#3102</a></li>
<li>Fix broken Installation link in README by <a
href="https://github.com/Bahtya"><code>@Bahtya</code></a> in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3106">pypa/virtualenv#3106</a></li>
<li>fix: use terminal width for help formatting instead of hardcoded 240
by <a href="https://github.com/Bahtya"><code>@Bahtya</code></a> in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3110">pypa/virtualenv#3110</a></li>
<li>🐛 fix(nushell): surface actionable hint in deactivate error output
by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3112">pypa/virtualenv#3112</a></li>
<li>👷 ci: fix setup-uv warnings and drop brew@3.9 by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3113">pypa/virtualenv#3113</a></li>
<li>fix(ci): fix pre-release push and release note generation by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3114">pypa/virtualenv#3114</a></li>
<li>fix(ci): check out repo in publish job for gh release notes by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3115">pypa/virtualenv#3115</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/github-actions"><code>@github-actions</code></a>[bot]
made their first contribution in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3093">pypa/virtualenv#3093</a></li>
<li><a href="https://github.com/Bahtya"><code>@Bahtya</code></a> made
their first contribution in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3106">pypa/virtualenv#3106</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst">virtualenv's
changelog</a>.</em></p>
<blockquote>
<h1>Bugfixes - 21.2.4</h1>
<ul>
<li>Security hardening: validate each entry of a seed wheel archive
before extracting it so a tampered wheel cannot escape
the app-data image directory via an absolute path or <code>..</code>
traversal. (:issue:<code>3118</code>)</li>
<li>Security hardening: verify the SHA-256 of every bundled seed wheel
when it is loaded so a corrupted or tampered file
on disk fails loud instead of being handed to pip. The hash table is
generated alongside <code>BUNDLE_SUPPORT</code> by
<code>tasks/upgrade_wheels.py</code>. (:issue:<code>3119</code>)</li>
<li>Security hardening: validate the distribution name and version
specifier passed to <code>pip download</code> when acquiring a
seed wheel so extras, pip flags, or shell metacharacters cannot be
smuggled into the subprocess command line.
(:issue:<code>3120</code>)</li>
<li>Security hardening: replace the string-prefix containment check in
<code>virtualenv.util.zipapp</code> with
<code>Path.relative_to</code> so the zipapp extraction helpers refuse
any path that does not resolve under the archive root.
(:issue:<code>3121</code>)</li>
<li>Security hardening: do not silently fall back to an unverified HTTPS
context when the periodic update request to PyPI
fails TLS verification. The returned metadata drives which wheel version
virtualenv considers "up to date", so
accepting an unverified response lets a network-level attacker suppress
security updates. Set
<code>VIRTUALENV_PERIODIC_UPDATE_INSECURE=1</code> to restore the
previous behavior on hosts with broken trust stores.
(:issue:<code>3122</code>)</li>
</ul>
<hr />
<p>v21.2.3 (2026-04-14)</p>
<hr />
<p>No significant changes.</p>
<hr />
<p>v21.2.2 (2026-04-13)</p>
<hr />
<h1>Bugfixes - 21.2.2</h1>
<ul>
<li>Bump <code>python-discovery</code> minimum to
<code>>=1.2.2</code> to include <code>normalize_isa</code> support -
by :user:<code>rahuldevikar</code>.
(:issue:<code>3117</code>)</li>
</ul>
<hr />
<p>v21.2.1 (2026-04-09)</p>
<hr />
<h1>Bugfixes - 21.2.1</h1>
<ul>
<li>
<p>Upgrade embedded wheels:</p>
<ul>
<li>setuptools to <code>82.0.1</code> from <code>82.0.0</code>
(:issue:<code>3093</code>)</li>
</ul>
</li>
<li>
<p>Use terminal width for help formatting instead of hardcoded 240.
(:issue:<code>3110</code>)</p>
</li>
</ul>
<hr />
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/virtualenv/commit/15063c10b3afae1d3fa3234e99f956434051f7b5"><code>15063c1</code></a>
release 21.2.4</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/754602d6f07d262f4f352cc590bd3f9ef3b157fe"><code>754602d</code></a>
🐛 fix(seed): validate wheel zip entries before extraction (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3118">#3118</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/43deabf249c10896d09a282aa254a837fdcef9b5"><code>43deabf</code></a>
🐛 fix(seed): verify sha256 of bundled wheels on load (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3119">#3119</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/4e412b0ba38284487267f481026ea218689fa9bd"><code>4e412b0</code></a>
🐛 fix(seed): validate distribution and version before pip download (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3120">#3120</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/130981834946a828174e37ecdd250f530f09832f"><code>1309818</code></a>
🐛 fix(zipapp): enforce ROOT containment with Path.relative_to (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3121">#3121</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/48f6fdcc14b8654236f9081adbff10a32f536940"><code>48f6fdc</code></a>
🐛 fix(periodic-update): refuse unverified HTTPS to PyPI by default (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3122">#3122</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/a5fb4a290d60776e2b3f81696bd7291913aa25d4"><code>a5fb4a2</code></a>
release 21.2.3</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/7f91a9a0bfbc549fc10274164135cf02c8ca8167"><code>7f91a9a</code></a>
release 21.2.2</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/33348d69426ef49ea26dcab7f12b474706968813"><code>33348d6</code></a>
bump python-discovery minimum to 1.2.2 (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3117">#3117</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/d73ff7c2dccd6a60223b5c4ed673d7f3e7df9a43"><code>d73ff7c</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3116">#3116</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/virtualenv/compare/21.2.0...21.2.4">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent 925ba85 commit 3172b3f
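The five hardening items in the 21.2.4 release notes quoted above (validating zip entries before extraction, enforcing containment with Path.relative_to, verifying the sha256 of seed wheels, validating the distribution name and version before pip download, and refusing unverified HTTPS for the periodic update) as one self-contained added example. This is illustrative code written for this page, not virtualenv's implementation: every function name here (is_contained, prefix_contained, unsafe_entries, verify_sha256, validate_seed_spec, periodic_update_ssl_context, update_verifies_tls, tampered_wheel) is invented, the sample archive is constructed inline, and treating exactly "1" as the opt-in value of VIRTUALENV_PERIODIC_UPDATE_INSECURE is an assumption.

```python
"""Hardening checks of the kind listed in the virtualenv 21.2.4 notes.

Added example, not virtualenv's code: all names below are invented here.
"""
import hashlib
import hmac
import io
import os
import re
import ssl
import zipfile
from pathlib import Path, PurePosixPath


# 1. Containment (zipapp ROOT / app-data dir): resolve, then relative_to.
def is_contained(root: str, candidate: str) -> bool:
    """True only if candidate resolves to a location under root."""
    try:
        Path(candidate).resolve().relative_to(Path(root).resolve())
    except ValueError:
        return False
    return True


def prefix_contained(root: str, candidate: str) -> bool:
    """The string-prefix check the release notes replaced: it wrongly
    accepts a sibling directory whose name merely starts with root."""
    return os.path.abspath(candidate).startswith(os.path.abspath(root))


# 2. Validate every archive member name before anything is extracted.
def unsafe_entries(archive: bytes) -> list:
    """Member names that would escape the target directory."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            posix = PurePosixPath(name.replace("\\", "/"))
            if posix.is_absolute() or ".." in posix.parts or re.match(r"^[A-Za-z]:", name):
                bad.append(name)
    return bad


# 3. Seed wheel integrity: compare against a digest table shipped with the code.
def verify_sha256(data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())


# 4. Only a bare project name and a plain version/specifier reach `pip download`.
_NAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$")  # PEP 508 name
_SPEC_RE = re.compile(
    r"^(==|~=|>=|<=|!=|<|>)?\d+(\.\d+)*((a|b|rc)\d+)?(\.post\d+)?(\.dev\d+)?$"
)


def validate_seed_spec(name: str, version: str) -> str:
    """Return the single argv element to hand to pip, or raise ValueError.

    Extras ("pip[socks]"), flags ("--index-url ...") and shell metacharacters
    all fail the regexes, so they can never become part of the subprocess
    command line (which must be an argv list, never a shell string).
    """
    if not _NAME_RE.match(name):
        raise ValueError(f"bad distribution name: {name!r}")
    if not _SPEC_RE.match(version):
        raise ValueError(f"bad version specifier: {version!r}")
    return f"{name}{version}" if version[0] in "=~<>!" else f"{name}=={version}"


# 5. Periodic update: verified TLS unless the operator opts out explicitly.
def periodic_update_ssl_context(env=None) -> ssl.SSLContext:
    """Assumption: the opt-out is honoured only when the variable equals "1"."""
    env = os.environ if env is None else env
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    if env.get("VIRTUALENV_PERIODIC_UPDATE_INSECURE") == "1":
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def update_verifies_tls(env=None) -> bool:
    ctx = periodic_update_ssl_context(env)
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def tampered_wheel() -> bytes:
    """Constructed sample archive: one benign member, two hostile ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "")
        zf.writestr("../../../etc/cron.d/evil", "* * * * * root id\n")
        zf.writestr("/usr/lib/python3/site.py", "")
    return buf.getvalue()


if __name__ == "__main__":
    print(unsafe_entries(tampered_wheel()))  # the two hostile names
    print(is_contained("/srv/app-data", "/srv/app-data-evil/x"),      # False
          prefix_contained("/srv/app-data", "/srv/app-data-evil/x"))  # True
    print(validate_seed_spec("pip", "24.0"))  # pip==24.0
    print(update_verifies_tls({}))            # True
```

The containment check resolves both paths before calling relative_to, so symlinks and `..` components are collapsed first; the archive check deliberately inspects only member names, because by the time a member is opened for writing it is too late. The TLS helper fails closed: a verification error now surfaces as an exception from the HTTPS request rather than as a silently accepted, attacker-controllable "latest version" answer.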
3 files changed, +3 -3 lines changed
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
281 | 281 | | |
282 | 282 | | |
283 | 283 | | |
284 | | - | |
| 284 | + | |
285 | 285 | | |
286 | 286 | | |
287 | 287 | | |
| |||
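Review bot: the file path and the replaced text are missing from this hunk; only the line numbers survive (284 removed, 284 added), so from this page alone the reviewer cannot confirm that the new line pins virtualenv to 21.2.4 as the commit title says, nor whether a hash pin beside it was regenerated. Check the raw diff for this file before merging: a bump that updates the version but keeps a `--hash=sha256:...` value from 21.2.0 will fail at install time, and if the file carries no hashes at all that is worth noting in a change whose whole purpose is a release that adds sha256 checks for seed wheels.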
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
271 | 271 | | |
272 | 272 | | |
273 | 273 | | |
274 | | - | |
| 274 | + | |
275 | 275 | | |
276 | 276 | | |
277 | 277 | | |
| |||
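Review bot: this is the second of three files that each replace exactly one line (here 274) for the same dependency; with the file names stripped from the page it is not possible to tell whether these are, say, a requirements file, a lock file and a CI pin. Confirm that all three carry the identical new version, because a stale 21.2.0 pin in any one of them leaves that environment without the seed-wheel entry validation and sha256 checks from the 21.2.4 release notes above.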
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
129 | 129 | | |
130 | 130 | | |
131 | 131 | | |
132 | | - | |
| 132 | + | |
133 | 133 | | |
134 | 134 | | |
135 | 135 | | |
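Review bot: 21.2.4 changes a default, not only internals: according to the changelog quoted in the commit message, the periodic update request to PyPI no longer falls back to an unverified HTTPS context, and the opt-out is VIRTUALENV_PERIODIC_UPDATE_INSECURE=1. This one-line pin change (line 132) comes with no CI or documentation change, so on any runner with a broken or TLS-intercepting trust store the periodic update request will start failing after merge instead of silently succeeding. Either confirm no such runner exists, or record the env var, and whether using it is acceptable, next to the pin.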