Update dependency virtualenv to v20.36.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
virtualenv	20.35.4 → 20.36.1
virtualenv	20.33.1 → 20.36.1

GitHub Vulnerability Alerts

CVE-2026-22702

Impact

TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations.

Affected versions: All versions up to and including 20.36.1

Affected users: Any user running virtualenv on multi-user systems where untrusted local users have filesystem access to shared temporary directories or where VIRTUALENV_OVERRIDE_APP_DATA points to a user-writable location.

Attack scenarios:

• Cache poisoning: Attacker corrupts wheels or Python metadata in the cache
• Information disclosure: Attacker reads sensitive cached data or metadata
• Lock bypass: Attacker controls lock file semantics to cause concurrent access violations
• Denial of service: Lock starvation preventing virtualenv operations

Patches

The vulnerability has been patched by replacing check-then-act patterns with atomic os.makedirs(..., exist_ok=True) operations.

Fixed in: PR #​3013

Versions with the fix: 20.36.2 and later

Users should upgrade to version 20.36.2 or later.

Workarounds

If you cannot upgrade immediately:

1. Ensure VIRTUALENV_OVERRIDE_APP_DATA points to a directory owned by the current user with restricted permissions (mode 0700)
2. Avoid running virtualenv in shared temporary directories where other users have write access
3. Use separate user accounts for different projects to isolate app_data directories

References

• GitHub PR: https://github.com/pypa/virtualenv/pull/3013
• Vulnerability reported by: @​tsigouris007
• CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (TOCTOU)
• CWE-59: Improper Link Resolution Before File Access

---

Release Notes

pypa/virtualenv (virtualenv)

v20.36.1

Compare Source

What's Changed

• release 20.36.0 by @​gaborbernat in #​3011
• fix: resolve TOCTOU vulnerabilities in app_data and lock directory creation by @​gaborbernat in #​3013

Full Changelog: pypa/virtualenv@20.36.0...20.36.1

v20.36.0

Compare Source

What's Changed

• release 20.35.3 by @​gaborbernat in #​2981
• fix: Prevent NameError when accessing _DISTUTILS_PATCH during file ov… by @​gracetyy in #​2982
• Upgrade pip and fix 3.15 picking old wheel by @​gaborbernat in #​2989
• release 20.35.4 by @​gaborbernat in #​2990
• fix: wrong path on migrated venv by @​sk1234567891 in #​2996
• test_too_many_open_files: assert on errno.EMFILE instead of strerror by @​pltrz in #​3001
• fix: update filelock dependency version to 3.20.1 to fix CVE CVE-2025-68146 by @​pythonhubdev in #​3002
• fix: resolve EncodingWarning in tox upgrade environment by @​gaborbernat in #​3007
• Fix Interpreter discovery bug wrt. Microsoft Store shortcut using Latin-1 by @​rahuldevikar in #​3006
• Add support for PEP 440 version specifiers in the --python flag. by @​rahuldevikar in #​3008

New Contributors

• @​gracetyy made their first contribution in #​2982
• @​sk1234567891 made their first contribution in #​2996
• @​pltrz made their first contribution in #​3001
• @​pythonhubdev made their first contribution in #​3002
• @​rahuldevikar made their first contribution in #​3006

Full Changelog: pypa/virtualenv@20.35.3...20.36.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At 12:00 PM, only on Tuesday ( 0 12 * * 2 ) (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: requirements-dev-py39.txt

Command failed: pip-compile --generate-hashes --output-file=requirements-dev-py39.txt requirements-dev-py39.in requirements.in --upgrade-package=virtualenv==20.36.1
  ERROR: Cannot install -r requirements-dev-py39.in (line 3), jsonschema, pre-commit, pylint, pytest and typing-extensions==4.13.0 because these package versions have conflicting dependencies.
Discarding typing-extensions==4.13.0 (from -r requirements-dev-py39.txt (line 643)) to proceed the resolution
  ERROR: Cannot install -r requirements-dev-py39.in (line 3), jsonschema, pre-commit, pylint, pytest and typing-extensions==4.13.0 because these package versions have conflicting dependencies.
Traceback (most recent call last):
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/pip/_internal/resolution/resolvelib/resolver.py", line 99, in resolve
    result = self._result = resolver.resolve(
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/pip/_vendor/resolvelib/resolvers/resolution.py", line 601, in resolve
    state = resolution.resolve(requirements, max_rounds=max_rounds)
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/pip/_vendor/resolvelib/resolvers/resolution.py", line 542, in resolve
    raise ResolutionImpossible(self.state.backtrack_causes)
pip._vendor.resolvelib.resolvers.exceptions.ResolutionImpossible: [RequirementInformation(requirement=SpecifierRequirement('typing-extensions==4.13.0'), parent=None), RequirementInformation(requirement=SpecifierRequirement('typing-extensions>=3.10; python_version < "3.10"'), parent=LinkCandidate('https://files.pythonhosted.org/packages/1a/a7/69460c4a6af7575449e615144aa2205b89408dc2969b87bc3df2f262ad0b/pylint-3.3.9-py3-none-any.whl (from https://pypi.org/simple/pylint/) (requires-python:>=3.9.0)')), RequirementInformation(requirement=SpecifierRequirement('typing-extensions>=4; python_version < "3.11"'), parent=LinkCandidate('https://files.pythonhosted.org/packages/af/0f/3b8fdc946b4d9cc8cc1e8af42c4e409468c84441b933d037e101b3d72d86/astroid-3.3.11-py3-none-any.whl (from https://pypi.org/simple/astroid/) (requires-python:>=3.9.0)')), RequirementInformation(requirement=SpecifierRequirement('typing-extensions>=4.6.0; python_version < "3.13"'), parent=LinkCandidate('https://files.pythonhosted.org/packages/8a/0e/97c33bf5009bdbac74fd2beace167cab3f978feb69cc36f1ef79360d6c4e/exceptiongroup-1.3.1-py3-none-any.whl (from https://pypi.org/simple/exceptiongroup/) (requires-python:>=3.7)')), RequirementInformation(requirement=SpecifierRequirement('typing-extensions>=4.4.0; python_version < "3.13"'), parent=LinkCandidate('https://files.pythonhosted.org/packages/c1/b1/3baf80dc6d2b7bc27a95a67752d0208e410351e3feb4eb78de5f77454d8d/referencing-0.36.2-py3-none-any.whl (from https://pypi.org/simple/referencing/) (requires-python:>=3.9)')), RequirementInformation(requirement=SpecifierRequirement('typing-extensions>=4.13.2; python_version < "3.11"'), parent=LinkCandidate('https://files.pythonhosted.org/packages/6a/2a/dc2228b2888f51192c7dc766106cd475f1b768c10caaf9727659726f7391/virtualenv-20.36.1-py3-none-any.whl (from https://pypi.org/simple/virtualenv/) (requires-python:>=3.8)'))]

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/bin/pip-compile", line 6, in <module>
    sys.exit(cli())
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/click/core.py", line 1161, in __call__
    return self.main(*args, **kwargs)
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/click/core.py", line 1082, in main
    rv = self.invoke(ctx)
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/click/core.py", line 1443, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/click/core.py", line 788, in invoke
    return __callback(*args, **kwargs)
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/click/decorators.py", line 33, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/piptools/scripts/compile.py", line 481, in cli
    results = resolver.resolve(max_rounds=max_rounds)
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/piptools/resolver.py", line 642, in resolve
    is_resolved = self._do_resolve(
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/piptools/resolver.py", line 677, in _do_resolve
    resolver.resolve(
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/pip/_internal/resolution/resolvelib/resolver.py", line 108, in resolve
    raise error from e
pip._internal.exceptions.DistributionNotFound: ResolutionImpossible: for help visit https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-dependency-conflicts

File name: requirements-dev-py39.txt

Command failed: pip-compile --generate-hashes --output-file=requirements-dev-py39.txt requirements-dev-py39.in requirements.in --upgrade-package=virtualenv==20.36.1
  ERROR: Cannot install -r requirements-dev-py39.in (line 3), jsonschema, pre-commit, pylint, pytest and typing-extensions==4.13.0 because these package versions have conflicting dependencies.
Discarding typing-extensions==4.13.0 (from -r requirements-dev-py39.txt (line 643)) to proceed the resolution
  ERROR: Cannot install -r requirements-dev-py39.in (line 3), jsonschema, pre-commit, pylint, pytest and typing-extensions==4.13.0 because these package versions have conflicting dependencies.
Traceback (most recent call last):
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/pip/_internal/resolution/resolvelib/resolver.py", line 99, in resolve
    result = self._result = resolver.resolve(
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/pip/_vendor/resolvelib/resolvers/resolution.py", line 601, in resolve
    state = resolution.resolve(requirements, max_rounds=max_rounds)
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/pip/_vendor/resolvelib/resolvers/resolution.py", line 542, in resolve
    raise ResolutionImpossible(self.state.backtrack_causes)
pip._vendor.resolvelib.resolvers.exceptions.ResolutionImpossible: [RequirementInformation(requirement=SpecifierRequirement('typing-extensions==4.13.0'), parent=None), RequirementInformation(requirement=SpecifierRequirement('typing-extensions>=3.10; python_version < "3.10"'), parent=LinkCandidate('https://files.pythonhosted.org/packages/1a/a7/69460c4a6af7575449e615144aa2205b89408dc2969b87bc3df2f262ad0b/pylint-3.3.9-py3-none-any.whl (from https://pypi.org/simple/pylint/) (requires-python:>=3.9.0)')), RequirementInformation(requirement=SpecifierRequirement('typing-extensions>=4; python_version < "3.11"'), parent=LinkCandidate('https://files.pythonhosted.org/packages/af/0f/3b8fdc946b4d9cc8cc1e8af42c4e409468c84441b933d037e101b3d72d86/astroid-3.3.11-py3-none-any.whl (from https://pypi.org/simple/astroid/) (requires-python:>=3.9.0)')), RequirementInformation(requirement=SpecifierRequirement('typing-extensions>=4.6.0; python_version < "3.13"'), parent=LinkCandidate('https://files.pythonhosted.org/packages/8a/0e/97c33bf5009bdbac74fd2beace167cab3f978feb69cc36f1ef79360d6c4e/exceptiongroup-1.3.1-py3-none-any.whl (from https://pypi.org/simple/exceptiongroup/) (requires-python:>=3.7)')), RequirementInformation(requirement=SpecifierRequirement('typing-extensions>=4.4.0; python_version < "3.13"'), parent=LinkCandidate('https://files.pythonhosted.org/packages/c1/b1/3baf80dc6d2b7bc27a95a67752d0208e410351e3feb4eb78de5f77454d8d/referencing-0.36.2-py3-none-any.whl (from https://pypi.org/simple/referencing/) (requires-python:>=3.9)')), RequirementInformation(requirement=SpecifierRequirement('typing-extensions>=4.13.2; python_version < "3.11"'), parent=LinkCandidate('https://files.pythonhosted.org/packages/6a/2a/dc2228b2888f51192c7dc766106cd475f1b768c10caaf9727659726f7391/virtualenv-20.36.1-py3-none-any.whl (from https://pypi.org/simple/virtualenv/) (requires-python:>=3.8)'))]

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/bin/pip-compile", line 6, in <module>
    sys.exit(cli())
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/click/core.py", line 1161, in __call__
    return self.main(*args, **kwargs)
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/click/core.py", line 1082, in main
    rv = self.invoke(ctx)
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/click/core.py", line 1443, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/click/core.py", line 788, in invoke
    return __callback(*args, **kwargs)
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/click/decorators.py", line 33, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/piptools/scripts/compile.py", line 481, in cli
    results = resolver.resolve(max_rounds=max_rounds)
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/piptools/resolver.py", line 642, in resolve
    is_resolved = self._do_resolve(
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/piptools/resolver.py", line 677, in _do_resolve
    resolver.resolve(
  File "/opt/containerbase/tools/pip-tools/7.5.3/3.9.25/lib/python3.9/site-packages/pip/_internal/resolution/resolvelib/resolver.py", line 108, in resolve
    raise error from e
pip._internal.exceptions.DistributionNotFound: ResolutionImpossible: for help visit https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-dependency-conflicts

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (98a4d3b) to head (7483f52).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff            @@
##            master      #137   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           13        13           
  Lines          365       365           
=========================================
  Hits           365       365           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (``). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.