Bump virtualenv from 20.37.0 to 20.38.0

[dependabot]

Bumps virtualenv from 20.37.0 to 20.38.0.

Release notes

Sourced from virtualenv's releases.

20.38.0

What's Changed

• Fix Windows activation scripts to handle Python paths with spaces by @​rahuldevikar in pypa/virtualenv#3015
• Exclude pywintypes*.dll and pythoncom*.dll from being copied to Scripts directory by @​rahuldevikar in pypa/virtualenv#3012
• update Automated testing documentation section by @​elmjag in pypa/virtualenv#3016
• Preserver Symlinks in pyvenv.cfg paths by @​rahuldevikar in pypa/virtualenv#3022
• Add PKG_CONFIG_PATH environment variable support to all activation scripts by @​rahuldevikar in pypa/virtualenv#3023
• Add ty type checker to CI via tox by @​rahuldevikar in pypa/virtualenv#3025
• Upgrade embedded dependencies by @​rahuldevikar in pypa/virtualenv#3026
• Fix ty Type Narrowing by @​rahuldevikar in pypa/virtualenv#3030
• Replace ty: ignore with proper type declarations for inheritance patterns by @​rahuldevikar in pypa/virtualenv#3034
• Use user_cache_dir for app data with auto-migration from old location by @​rahuldevikar in pypa/virtualenv#3033
• Fix unhelpful KeyError when using invalid VIRTUALENV_DISCOVERY value by @​veeceey in pypa/virtualenv#3031
• ⚡ perf(test): parallelize test suite with pytest-xdist by @​gaborbernat in pypa/virtualenv#3035
• ✨ feat(create): sync with upstream CPython/PyPy venv by @​gaborbernat in pypa/virtualenv#3036
• Python3.9 dependency range correction by @​reactive-firewall in pypa/virtualenv#3038
• Version bump filelock to latest by @​reactive-firewall in pypa/virtualenv#3039
• Improve error message when discovery plugin is not available by @​veeceey in pypa/virtualenv#3032
• 👷 ci(release): add workflow_dispatch release with zipapp and get-virtualenv by @​gaborbernat in pypa/virtualenv#3040
• 📝 docs: restructure to follow Diataxis framework by @​gaborbernat in pypa/virtualenv#3041
• 👷 ci(release): split into release and tag-triggered publish by @​gaborbernat in pypa/virtualenv#3042
• Fix bash activate PKG_CONFIG_PATH unbound variable under bash -u by @​Fridayai700 in pypa/virtualenv#3047
• 🐛 fix(discovery): harden subprocess interrogation and test reliability by @​gaborbernat in pypa/virtualenv#3054
• 🔧 chore(tox): migrate tox.ini to tox.toml by @​gaborbernat in pypa/virtualenv#3050

New Contributors

• @​elmjag made their first contribution in pypa/virtualenv#3016
• @​veeceey made their first contribution in pypa/virtualenv#3031
• @​reactive-firewall made their first contribution in pypa/virtualenv#3038
• @​Fridayai700 made their first contribution in pypa/virtualenv#3047

Full Changelog: pypa/virtualenv@20.37.0...20.38.0

Changelog

Sourced from virtualenv's changelog.

Features - 20.38.0

• Store app data (pip/setuptools/wheel caches) under the OS cache directory (platformdirs.user_cache_dir) instead of the data directory (platformdirs.user_data_dir). Existing app data at the old location is automatically migrated on first use. This ensures cached files that can be redownloaded are placed in the standard cache location (e.g. ~/.cache on Linux, ~/Library/Caches on macOS) where they are excluded from backups and can be cleaned by system tools - by :user:rahuldevikar. (:issue:1884) (:issue:1884)
• Add PKG_CONFIG_PATH environment variable support to all activation scripts (Bash, Batch, PowerShell, Fish, C Shell, Nushell, and Python). The virtualenv's lib/pkgconfig directory is now automatically prepended to PKG_CONFIG_PATH on activation and restored on deactivation, enabling packages that use pkg-config during build/install to find their configuration files - by :user:rahuldevikar. (:issue:2637)
• Upgrade embedded pip to 26.0.1 from 25.3 and setuptools to 82.0.0, 75.3.4 from 75.3.2, 80.9.0
  • by :user:rahuldevikar. (:issue:3027)
• Replace ty: ignore comments with proper type narrowing using assertions and explicit None checks - by :user:rahuldevikar. (:issue:3029)

Bugfixes - 20.38.0

• Exclude pywin32 DLLs (pywintypes*.dll, pythoncom*.dll) from being copied to the Scripts directory during virtualenv creation on Windows. This fixes compatibility issues with pywin32, which expects its DLLs to be installed in site-packages/pywin32_system32 by its own post-install script - by :user:rahuldevikar. (:issue:2662)
• Preserve symlinks in pyvenv.cfg paths to match venv behavior. Use os.path.abspath() instead of os.path.realpath() to normalize paths without resolving symlinks, fixing issues with Python installations accessed via symlinked directories (common in network-mounted filesystems) - by :user:rahuldevikar. Fixes :issue:2770. (:issue:2770)
• Fix Windows activation scripts to properly quote python.exe path, preventing failures when Python is installed in a path with spaces (e.g., C:\Program Files) and a file named C:\Program exists on the filesystem - by :user:rahuldevikar. (:issue:2985)
• Fix bash -u (set -o nounset) compatibility in bash activation script by using ${PKG_CONFIG_PATH:-} and ${PKG_CONFIG_PATH:+:${PKG_CONFIG_PATH}} to handle unset PKG_CONFIG_PATH - by :user:Fridayai700. (:issue:3044)
• Gracefully handle corrupted on-disk cache and invalid JSON from Python interrogation subprocess instead of crashing with unhandled JSONDecodeError or KeyError - by :user:gaborbernat. (:issue:3054)

---

v20.36.1 (2026-01-09)

---

Bugfixes - 20.36.1

• Fix TOCTOU vulnerabilities in app_data and lock directory creation that could be exploited via symlink attacks - reported by :user:tsigouris007, fixed by :user:gaborbernat. (:issue:3013)

---

v20.36.0 (2026-01-07)

---

... (truncated)

Commits

• fbbb97d release 20.38.0
• c5240c7 🔧 chore(tox): migrate tox.ini to tox.toml (#3050)
• 6ff2e3e 🐛 fix(discovery): harden subprocess interrogation and test reliability (#3054)
• d7919e5 Fix bash activate PKG_CONFIG_PATH unbound variable under bash -u (#3047)
• 39568b0 [pre-commit.ci] pre-commit autoupdate (#3043)
• f745000 🔒 security(workflows): add explicit permissions to all jobs
• fda5bbc 🐛 fix(release): clear coverage env vars in release env
• 1ecf0ed 👷 ci(release): split into release and tag-triggered publish (#3042)
• 4fb0401 📝 docs: restructure to follow Diataxis framework (#3041)
• 834c7ff 👷 ci(release): scope GH_RELEASE_TOKEN to release environment
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codspeed-hq]

Merging this PR will not alter performance

✅ 59 untouched benchmarks

---

_{Comparing dependabot/pip/virtualenv-20.38.0 (8f1bb50) with master (eaeba86)}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.77%. Comparing base (eaeba86) to head (8f1bb50).
⚠️ Report is 1 commits behind head on master.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #12092      +/-   ##
==========================================
- Coverage   98.77%   98.77%   -0.01%     
==========================================
  Files         128      128              
  Lines       44890    44890              
  Branches     2383     2383              
==========================================
- Hits        44341    44340       -1     
  Misses        390      390              
- Partials      159      160       +1     

Flag	Coverage Δ
CI-GHA	98.63% <ø> (-0.01%)	⬇️
OS-Linux	98.37% <ø> (ø)
OS-Windows	96.71% <ø> (-0.01%)	⬇️
OS-macOS	97.36% <ø> (-0.25%)	⬇️
Py-3.10.11	96.01% <ø> (-1.15%)	⬇️
Py-3.10.19	97.51% <ø> (-0.13%)	⬇️
Py-3.11.14	97.84% <ø> (-0.01%)	⬇️
Py-3.11.9	97.09% <ø> (-0.28%)	⬇️
Py-3.12.10	97.46% <ø> (-0.01%)	⬇️
Py-3.12.12	97.93% <ø> (ø)
Py-3.13.12	98.18% <ø> (-0.01%)	⬇️
Py-3.14.3	98.14% <ø> (ø)
Py-3.14.3t	97.23% <ø> (-0.02%)	⬇️
Py-pypy3.11.13-7.3.20	97.38% <ø> (-0.01%)	⬇️
VM-macos	97.36% <ø> (-0.25%)	⬇️
VM-ubuntu	98.37% <ø> (ø)
VM-windows	96.71% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[dependabot]

Looks like virtualenv is up-to-date now, so this is no longer needed.