Upgrade: [dependabot] - bump virtualenv from 20.35.4 to 20.36.1 in the pip group across 1 directory
Open
Number: #398
Type: Pull Request
State: Open
Type: Pull Request
State: Open
Author:
![dependabot[bot]](https://github.com/dependabot.png)
dependabot[bot]
Association: Unknown
Comments: 2
dependabot[bot]Association: Unknown
Comments: 2
Created:
January 13, 2026 at 08:08 PM UTC
(5 months ago)
(5 months ago)
Updated:
January 16, 2026 at 09:00 PM UTC
(4 months ago)
(4 months ago)
Labels:
dependencies python
dependencies python
Description:
Bumps the pip group with 1 update in the / directory: virtualenv.
Updates virtualenv from 20.35.4 to 20.36.1
Release notes
Sourced from virtualenv's releases.
20.36.1
What's Changed
- release 20.36.0 by
@gaborbernatin pypa/virtualenv#3011- fix: resolve TOCTOU vulnerabilities in app_data and lock directory creation by
@gaborbernatin pypa/virtualenv#3013Full Changelog: https://github.com/pypa/virtualenv/compare/20.36.0...20.36.1
20.36.0
What's Changed
- release 20.35.3 by
@gaborbernatin pypa/virtualenv#2981- fix: Prevent NameError when accessing _DISTUTILS_PATCH during file ov… by
@gracetyyin pypa/virtualenv#2982- Upgrade pip and fix 3.15 picking old wheel by
@gaborbernatin pypa/virtualenv#2989- release 20.35.4 by
@gaborbernatin pypa/virtualenv#2990- fix: wrong path on migrated venv by
@sk1234567891in pypa/virtualenv#2996- test_too_many_open_files: assert on
errno.EMFILEinstead ofstrerrorby@pltrzin pypa/virtualenv#3001- fix: update filelock dependency version to 3.20.1 to fix CVE CVE-2025-68146 by
@pythonhubdevin pypa/virtualenv#3002- fix: resolve EncodingWarning in tox upgrade environment by
@gaborbernatin pypa/virtualenv#3007- Fix Interpreter discovery bug wrt. Microsoft Store shortcut using Latin-1 by
@rahuldevikarin pypa/virtualenv#3006- Add support for PEP 440 version specifiers in the
--pythonflag. by@rahuldevikarin pypa/virtualenv#3008New Contributors
@gracetyymade their first contribution in pypa/virtualenv#2982@sk1234567891made their first contribution in pypa/virtualenv#2996@pltrzmade their first contribution in pypa/virtualenv#3001@pythonhubdevmade their first contribution in pypa/virtualenv#3002@rahuldevikarmade their first contribution in pypa/virtualenv#3006Full Changelog: https://github.com/pypa/virtualenv/compare/20.35.3...20.36.0
Changelog
Sourced from virtualenv's changelog.
v20.36.1 (2026-01-09)
Bugfixes - 20.36.1
- Fix TOCTOU vulnerabilities in app_data and lock directory creation that could be exploited via symlink attacks - reported by :user:`tsigouris007`, fixed by :user:`gaborbernat`. (:issue:`3013`)v20.36.0 (2026-01-07)
Features - 20.36.0
- Add support for PEP 440 version specifiers in the
--pythonflag. Users can now specify Python versions using operators like>=,<=,~=, etc. For example:virtualenv --python=">=3.12" myenv. (:issue:2994`)
Commits
d0ad11drelease 20.36.1dec4cecMerge pull request #3013 from gaborbernat/fix-sec5fe5d38release 20.36.0 (#3011)9719376release 20.36.00276db6Add support for PEP 440 version specifiers in the--pythonflag. (#3008)4f900c2Fix Interpreter discovery bug wrt. Microsoft Store shortcut using Latin-1 (#3...13afcc6fix: resolve EncodingWarning in tox upgrade environment (#3007)31b5d31[pre-commit.ci] pre-commit autoupdate (#2997)7c28422fix: update filelock dependency version to 3.20.1 to fix CVE CVE-2025-68146 (...365628ctest_too_many_open_files: assert onerrno.EMFILEinstead ofstrerror(#3001)- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.
Package Dependencies
Package:
virtualenv
Ecosystem:
pip
pip
Version Change:
20.35.4 → 20.36.1
Update Type:
Minor
Minor
Path:
the pip group across 1 directory
Technical Details
| ID: | 12753017 |
| UUID: | 3810415224 |
| Node ID: | PR_kwDOLZHIis69A0cA |
| Host: | GitHub |
| Repository: | NHSDigital/eps-FHIR-validator-lambda |