Sourced from virtualenv's releases.
21.2.4
What's Changed
- 🐛 fix(periodic-update): refuse unverified HTTPS to PyPI by default by @gaborbernat in pypa/virtualenv#3122
- 🐛 fix(zipapp): enforce ROOT containment with Path.relative_to by @gaborbernat in pypa/virtualenv#3121
- 🐛 fix(seed): validate distribution and version before pip download by @gaborbernat in pypa/virtualenv#3120
- 🐛 fix(seed): verify sha256 of bundled wheels on load by @gaborbernat in pypa/virtualenv#3119
- 🐛 fix(seed): validate wheel zip entries before extraction by @gaborbernat in pypa/virtualenv#3118
Full Changelog: https://github.com/pypa/virtualenv/compare/21.2.3...21.2.4
21.2.3
Full Changelog: https://github.com/pypa/virtualenv/compare/21.2.2...21.2.3
21.2.2
What's Changed
- bump python-discovery minimum to 1.2.2 by @rahuldevikar in pypa/virtualenv#3117
Full Changelog: https://github.com/pypa/virtualenv/compare/21.2.1...21.2.2
21.2.1
What's Changed
- Upgrade embedded pip/setuptools/wheel by @github-actions[bot] in pypa/virtualenv#3093
- Enhance upgrade workflow: age check, dedup, issue tracking by @rahuldevikar in pypa/virtualenv#3094
- 🐛 fix(create): use commonpath for correct path validation by @gaborbernat in pypa/virtualenv#3097
- 🔒 ci(workflows): add zizmor security auditing by @gaborbernat in pypa/virtualenv#3099
- Add current and previous maintainers by @rahuldevikar in pypa/virtualenv#3101
- 🔧 fix(ci): restore git credentials for release and upgrade jobs by @gaborbernat in pypa/virtualenv#3102
- Fix broken Installation link in README by @Bahtya in pypa/virtualenv#3106
- fix: use terminal width for help formatting instead of hardcoded 240 by @Bahtya in pypa/virtualenv#3110
- 🐛 fix(nushell): surface actionable hint in deactivate error output by @gaborbernat in pypa/virtualenv#3112
- 👷 ci: fix setup-uv warnings and drop brew@3.9 by @gaborbernat in pypa/virtualenv#3113
- fix(ci): fix pre-release push and release note generation by @gaborbernat in pypa/virtualenv#3114
- fix(ci): check out repo in publish job for gh release notes by @gaborbernat in pypa/virtualenv#3115
New Contributors
- @github-actions[bot] made their first contribution in pypa/virtualenv#3093
- @Bahtya made their first contribution in pypa/virtualenv#3106
... (truncated)
Sourced from virtualenv's changelog.
Bugfixes - 21.2.4
- Security hardening: validate each entry of a seed wheel archive before extracting it so a tampered wheel cannot escape the app-data image directory via an absolute path or `..` traversal. (:issue:3118)
- Security hardening: verify the SHA-256 of every bundled seed wheel when it is loaded so a corrupted or tampered file on disk fails loud instead of being handed to pip. The hash table is generated alongside `BUNDLE_SUPPORT` by `tasks/upgrade_wheels.py`. (:issue:3119)
- Security hardening: validate the distribution name and version specifier passed to `pip download` when acquiring a seed wheel so extras, pip flags, or shell metacharacters cannot be smuggled into the subprocess command line. (:issue:3120)
- Security hardening: replace the string-prefix containment check in `virtualenv.util.zipapp` with `Path.relative_to` so the zipapp extraction helpers refuse any path that does not resolve under the archive root. (:issue:3121)
- Security hardening: do not silently fall back to an unverified HTTPS context when the periodic update request to PyPI fails TLS verification. The returned metadata drives which wheel version virtualenv considers "up to date", so accepting an unverified response lets a network-level attacker suppress security updates. Set `VIRTUALENV_PERIODIC_UPDATE_INSECURE=1` to restore the previous behavior on hosts with broken trust stores. (:issue:3122)
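
The two path checks named in the 21.2.4 entries above (validating archive entries before extraction, and `Path.relative_to` in place of a string-prefix test), as an added Python example. It is not virtualenv's code; the function names, directory paths and in-memory sample archive are constructed for illustration.

```python
import io
import zipfile
from pathlib import Path, PurePosixPath


def prefix_contained(root: Path, target: Path) -> bool:
    """String-prefix check: a sibling such as '<root>-evil' wrongly passes."""
    return str(target).startswith(str(root))


def path_contained(root: Path, target: Path) -> bool:
    """Component-wise check: target must resolve to root or a path below it."""
    try:
        target.resolve().relative_to(root.resolve())
    except ValueError:
        return False
    return True


def unsafe_entries(archive: zipfile.ZipFile, dest: Path) -> list[str]:
    """Names of entries that would land outside dest; empty means safe."""
    bad = []
    for name in archive.namelist():
        entry = PurePosixPath(name.replace("\\", "/"))
        if (entry.is_absolute() or ".." in entry.parts
                or not path_contained(dest, dest / entry.as_posix())):
            bad.append(name)
    return bad


def extract_validated(archive: zipfile.ZipFile, dest: Path) -> None:
    """Check every entry first, so nothing is written if any entry is bad."""
    bad = unsafe_entries(archive, dest)
    if bad:
        raise ValueError(f"refusing to extract, unsafe entries: {bad}")
    archive.extractall(dest)


def build_sample_wheel(names: list[str]) -> zipfile.ZipFile:
    """Constructed in-memory archive standing in for a seed wheel."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name in names:
            zf.writestr(entry_name, b"")
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    root = Path("/srv/app-data/image")  # constructed path, need not exist
    sibling = Path("/srv/app-data/image-evil/x.py")
    print(prefix_contained(root, sibling), path_contained(root, sibling))
    tampered = build_sample_wheel(["pip/__init__.py", "../escape.py"])
    print(unsafe_entries(tampered, root))
```
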
v21.2.3 (2026-04-14)
No significant changes.
v21.2.2 (2026-04-13)
Bugfixes - 21.2.2
- Bump `python-discovery` minimum to `>=1.2.2` to include `normalize_isa` support - by :user:rahuldevikar. (:issue:3117)
v21.2.1 (2026-04-09)
Bugfixes - 21.2.1
- Upgrade embedded wheels:
  - setuptools to `82.0.1` from `82.0.0` (:issue:3093)
- Use terminal width for help formatting instead of hardcoded 240. (:issue:3110)
... (truncated)
- 15063c1 release 21.2.4
- 754602d 🐛 fix(seed): validate wheel zip entries before extraction (#3118)
- 43deabf 🐛 fix(seed): verify sha256 of bundled wheels on load (#3119)
- 4e412b0 🐛 fix(seed): validate distribution and version before pip download (#3120)
- 1309818 🐛 fix(zipapp): enforce ROOT containment with Path.relative_to (#3121)
- 48f6fdc 🐛 fix(periodic-update): refuse unverified HTTPS to PyPI by default (#3122)
- a5fb4a2 release 21.2.3
- 7f91a9a release 21.2.2
- 33348d6 bump python-discovery minimum to 1.2.2 (#3117)
- d73ff7c [pre-commit.ci] pre-commit autoupdate (#3116)
Sourced from build's releases.
1.4.3
What's Changed
- 🐛 fix(api): resolve thread-safety races in build API by @gaborbernat in pypa/build#1015
- 🐛 fix(builder): validate backend-path entries exist on disk by @gaborbernat in pypa/build#1016
- test: cover config settings build paths by @terminalchai in pypa/build#992
- Add kind=(step, ) for root messages with * by @abitrolly in pypa/build#973
- fix: correct changelog category ordering by @gaborbernat in pypa/build#1017
- 🐛 fix(cli): show full dependency chain in missing deps error by @gaborbernat in pypa/build#1019
- tests: fully annotate by @henryiii in pypa/build#1020
- chore: lazy imports by @henryiii in pypa/build#1021
- chore: adding more ruff codes by @henryiii in pypa/build#1022
- tests: improve annotations by @henryiii in pypa/build#1023
- 🧪 test(coverage): achieve 100% test coverage by @gaborbernat in pypa/build#1018
- chore: add ruff PT by @henryiii in pypa/build#1025
- chore: add ruff PYI by @henryiii in pypa/build#1026
- chore: add ruff SIM/RET by @henryiii in pypa/build#1028
- 🐛 fix(env): strip PYTHONPATH from isolated builds by @gaborbernat in pypa/build#1024
- chore: use ruff ALL by @henryiii in pypa/build#1029
- 🐛 fix(env): prevent pip credential hang with private indexes by @gaborbernat in pypa/build#1030
- 🐛 fix(check_dependency): verify URL reqs via PEP 610 by @gaborbernat in pypa/build#1027
New Contributors
- @terminalchai made their first contribution in pypa/build#992
Full Changelog: https://github.com/pypa/build/compare/1.4.2...1.4.3
Sourced from build's changelog.
#################### 1.4.3 (2026-04-10) ####################
Features
- Add `kind` parameter to log messages to separate semantic and representation - by :user:abitrolly (:issue:973)
Bugfixes
- Strip `PYTHONPATH` from the environment during isolated builds to prevent host packages from leaking into the build - by :user:gaborbernat (:issue:405)
- Pass `--no-input` to pip to prevent hidden credential prompts that cause hangs, and automatically set `PIP_KEYRING_PROVIDER=subprocess` (or `UV_KEYRING_PROVIDER=subprocess` for the uv installer) when the `keyring` CLI is on `PATH` -- by :user:gaborbernat (:issue:409)
- `check_dependency` now reports URL requirements as unmet instead of silently accepting them when a package with the same name is installed - by :user:gaborbernat (:issue:860)
- Fix misleading missing dependency error display where transitive dependency chains showed the top-level package on a separate line, making it appear as if the top-level package itself was missing - by :user:gaborbernat (:issue:875)
- Fix towncrier template to generate changelog categories in definition order - by :user:gaborbernat (:issue:1007)
- Resolve thread-safety races in the build API - by :user:gaborbernat (:issue:1015)
- Validate `backend-path` entries exist on disk with a clear error - by :user:gaborbernat (:issue:1016)
Miscellaneous
- :issue:1020, :issue:1021
#################### 1.4.2 (2026-03-25) ####################
Bugfixes
- Ensure the `uv` installer uses the current version of Python, avoiding an issue if `UV_PYTHON` is set, for example. (:issue:977)
- Fix `_has_valid_outer_pip` returning `True` when pip is missing, causing build to try using a non-existent pip instead of falling back to virtualenv. (:issue:1003)
#################### 1.4.1 (2026-03-24) ####################
... (truncated)
- 130b043 chore: prepare for 1.4.3
- 7642efe 🐛 fix(check_dependency): verify URL reqs via PEP 610 (#1027)
- d407530 🐛 fix(env): prevent pip credential hang with private indexes (#1030)
- b3dc114 chore: use ruff ALL (#1029)
- 27b67b2 🐛 fix(env): strip PYTHONPATH from isolated builds (#1024)
- c1454fd chore: add ruff SIM/RET (#1028)
- 0b1ca1c chore: add ruff PYI (#1026)
- f1dfe82 chore: add ruff PT (#1025)
- 4348292 🧪 test(coverage): achieve 100% test coverage (#1018)
- 5d3390b tests: improve annotations (#1023)
Sourced from filelock's releases.
3.28.0
What's Changed
- 🐛 fix(ci): unbreak release workflow, publish to PyPI again by @gaborbernat in tox-dev/filelock#529
Full Changelog: https://github.com/tox-dev/filelock/compare/3.27.0...3.28.0
3.27.0
What's Changed
- ✨ feat(rw): add SoftReadWriteLock for NFS and HPC clusters by @gaborbernat in tox-dev/filelock#528
Full Changelog: https://github.com/tox-dev/filelock/compare/3.26.1...3.27.0
3.26.1
What's Changed
- 🐛 fix(asyncio): add exit to BaseAsyncFileLock and fix del loop handling by @naarob in tox-dev/filelock#518
New Contributors
- @naarob made their first contribution in tox-dev/filelock#518
Full Changelog: https://github.com/tox-dev/filelock/compare/3.26.0...3.26.1
3.26.0
What's Changed
- 🔒 ci(workflows): add zizmor security auditing by @gaborbernat in tox-dev/filelock#517
- 🔧 fix(ci): restore git credentials for release job by @gaborbernat in tox-dev/filelock#520
- ✨ feat(soft): add PID inspection and lock breaking by @gaborbernat in tox-dev/filelock#524
Full Changelog: https://github.com/tox-dev/filelock/compare/3.25.2...3.26.0
Sourced from filelock's changelog.
########### Changelog ###########
3.28.0 (2026-04-14)
- 🐛 fix(ci): unbreak release workflow, publish to PyPI again :pr:529
3.26.1 (2026-04-09)
- 🐛 fix(asyncio): add exit to BaseAsyncFileLock and fix del loop handling :pr:518 - by :user:naarob
- build(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 :pr:525 - by :user:dependabot[bot]
3.26.0 (2026-04-06)
- ✨ feat(soft): add PID inspection and lock breaking :pr:524
- [pre-commit.ci] pre-commit autoupdate :pr:523 - by :user:pre-commit-ci[bot]
- build(deps): bump astral-sh/setup-uv from 7.6.0 to 8.0.0 :pr:522 - by :user:dependabot[bot]
- Remove persist-credentials: false from release job :pr:520
- [pre-commit.ci] pre-commit autoupdate :pr:519 - by :user:pre-commit-ci[bot]
- 🔒 ci(workflows): add zizmor security auditing :pr:517
- [pre-commit.ci] pre-commit autoupdate :pr:516 - by :user:pre-commit-ci[bot]
- [pre-commit.ci] pre-commit autoupdate :pr:514 - by :user:pre-commit-ci[bot]
3.25.2 (2026-03-11)
- 🐛 fix(unix): suppress EIO on close in Docker bind mounts :pr:513
3.25.1 (2026-03-09)
- [pre-commit.ci] pre-commit autoupdate :pr:510 - by :user:pre-commit-ci[bot]
- 🐛 fix(win): restore best-effort lock file cleanup on release :pr:511
- [pre-commit.ci] pre-commit autoupdate :pr:508 - by :user:pre-commit-ci[bot]
- 📝 docs(logo): add branded project logo :pr:507
3.25.0 (2026-03-01)
- ✨ feat(async): add AsyncReadWriteLock :pr:506
... (truncated)
- 55de20c Release 3.28.0
- 476b0e4 🐛 fix(ci): unbreak release workflow, publish to PyPI again (#529)
- 824713e ✨ feat(rw): add SoftReadWriteLock for NFS and HPC clusters (#528)
- 9879de9 [pre-commit.ci] pre-commit autoupdate (#527)
- 4cfab49 Release 3.26.1
- 734c9f2 🐛 fix(asyncio): add exit to BaseAsyncFileLock and fix del loop handli...
- c9f9cb4 build(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 (#525)
- ad728d7 Release 3.26.0
- f8a9849 ✨ feat(soft): add PID inspection and lock breaking (#524)
- fc53a83 [pre-commit.ci] pre-commit autoupdate (#523)
Sourced from packaging's releases.
26.1
Features:
- PEP 783: add handling for Emscripten wheel tags (old name used in implementation, will be fixed in next release) by @hoodmane in pypa/packaging#804
- PEP 803: add handling for the `abi3.abi3t` free-threading tag by @ngoldbaum in pypa/packaging#1099
- PEP 723: add `packaging.dependency_groups` module, based on the `dependency-groups` package by @sirosen in pypa/packaging#1065
- Add the `packaging.direct_url` module by @sbidoul in pypa/packaging#944
- Add the `packaging.errors` module by @henryiii in pypa/packaging#1071
- Add `SpecifierSet.is_unsatisfiable` using ranges (new internals that will be expanded in future versions) by @notatallshaw in pypa/packaging#1119
- Add `create_compatible_tags_selector` to select compatible tags by @sbidoul in pypa/packaging#1110
- Add a `key` argument to `SpecifierSet.filter()` by @frostming in pypa/packaging#1068
- Support `&` and `|` for `Marker`'s by @henryiii in pypa/packaging#1146
- Normalize `Version.__replace__` and add `Version.from_parts` by @henryiii in pypa/packaging#1078
- Add an option to validate compressed tag set sort order in `parse_wheel_filename` by @r266-tech in pypa/packaging#1150
Behavior adaptations:
- Narrow exclusion of pre-releases for `<V.postN` to match spec by @notatallshaw in pypa/packaging#1140
- Narrow exclusion of post-releases for `>V` to match spec by @notatallshaw in pypa/packaging#1141
- Rename `format_full_version` to `_format_full_version` to make it visibly private by @r266-tech in pypa/packaging#1125
- Restrict local version to ASCII by @henryiii in pypa/packaging#1102
Pylock (PEP 751) updates:
- Add pylock `select` function by @sbidoul in pypa/packaging#1092
- Document pylock `select()` method and `PylockSelectError` by @r266-tech in pypa/packaging#1153
- Add `filename` property to `PackageSdist` and `PackageWheel`, more validation by @sbidoul in pypa/packaging#1095
- Give preference to path over url by @sbidoul in pypa/packaging#1128
- Validate name/version consistency in file names by @sbidoul in pypa/packaging#1114
Fixes:
- Fix `>` comparison for versions with dev+local segments by @veeceey in pypa/packaging#1097
- Fix incorrect self-comparison for `InfinityType` and `NegativeInfinityType` by @bysiber in pypa/packaging#1093
- Canonicalize when deduplicating specifiers in `SpecifierSet` by @notatallshaw in pypa/packaging#1109
- Fix charset error message formatting by @notatallshaw in pypa/packaging#1121
- Handle the `key` parameter in `SpecifierSet.filter` when specifiers are empty and prerelease is `False` by @notatallshaw in pypa/packaging#1096
- Standardize inner components of `repr` output by @henryiii in pypa/packaging#1090
- `Specifier`'s `===` uses original string, not normalized, when available by @notatallshaw in pypa/packaging#1124
- Propagate int-max-str-digits `ValueError` by @notatallshaw in pypa/packaging#1155
Performance:
- Add fast path for parsing simple versions (digits and dots only) by @notatallshaw in pypa/packaging#1082
- Add fast path for `Version` to `Version` comparison by skipping `_key` property by @notatallshaw in pypa/packaging#1083
- Cache `Version` hash value in dedicated slot by @notatallshaw in pypa/packaging#1118
- Overhaul `_cmpkey` to remove use of custom objects by @notatallshaw in pypa/packaging#1116
- Skip `__replace__` in Specifier comparison if not needed by @notatallshaw in pypa/packaging#1081
- `SpecifierSet` use `tuple` instead of `frozenset` for `_specs` by @notatallshaw in pypa/packaging#1108
- Speed up complex `SpecifierSet` filtering by implementing cost-based ordering by @notatallshaw in pypa/packaging#1105
... (truncated)
Sourced from packaging's changelog.
26.1 - 2026-04-14
Features:
- PEP 783: add handling for Emscripten wheel tags in (:pull:804)
- PEP 803: add handling for the `abi3.abi3t` free-threading tag in (:pull:1099)
- PEP 723: add `packaging.dependency_groups` module, based on the `dependency-groups` package in (:pull:1065)
- Add the `packaging.direct_url` module in (:pull:944)
- Add the `packaging.errors` module in (:pull:1071)
- Add `SpecifierSet.is_unsatisfiable` using ranges (new internals that will be expanded in future versions) in (:pull:1119)
- Add `create_compatible_tags_selector` to select compatible tags in (:pull:1110)
- Add a `key` argument to `SpecifierSet.filter()` in (:pull:1068)
- Support `&` and `|` for `Marker`'s in (:pull:1146)
- Normalize `Version.__replace__` and add `Version.from_parts` in (:pull:1078)
- Add an option to validate compressed tag set sort order in `parse_wheel_filename` in (:pull:1150)
Behavior adaptations:
- Narrow exclusion of pre-releases for `<V.postN` to match spec in (:pull:1140)
- Narrow exclusion of post-releases for `>V` to match spec in (:pull:1141)
- Rename `format_full_version` to `_format_full_version` to make it visibly private in (:pull:1125)
- Restrict local version to ASCII in (:pull:1102)
Pylock (PEP 751) updates:
- Add pylock `select` function in (:pull:1092)
- Document pylock `select()` method and `PylockSelectError` in (:pull:1153)
- Add `filename` property to `PackageSdist` and `PackageWheel`, more validation in (:pull:1095)
- Give preference to path over url in (:pull:1128)
- Validate name/version consistency in file names in (:pull:1114)
Fixes:
- Fix `>` comparison for versions with dev+local segments in (:pull:1097)
- Fix incorrect self-comparison for `InfinityType` and `NegativeInfinityType` in (:pull:1093)
- Canonicalize when deduplicating specifiers in `SpecifierSet` in (:pull:1109)
- Fix charset error message formatting in (:pull:1121)
- Handle the `key` parameter in `SpecifierSet.filter` when specifiers are empty and prerelease is `False` in (:pull:1096)
- Standardize inner components of `repr` output in (:pull:1090)
- `Specifier`'s `===` uses original string, not normalized, when available in (:pull:1124)
- Propagate int-max-str-digits `ValueError` in (:pull:1155)
Performance:
- Add fast path for parsing simple versions (digits and dots only) in (:pull:1082)
- Add fast path for `Version` to `Version` comparison by skipping `_key` property in (:pull:1083)
- Cache `Version` hash value in dedicated slot in (:pull:1118)
- Overhaul `_cmpkey` to remove use of custom objects in (:pull:1116)
- Skip `__replace__` in Specifier comparison if not needed in (:pull:1081)
... (truncated)
- c1a88a3 Bump for release
- 702c25e docs: update changelog for 26.1 (#1156)
- 3f4f5d4 Implement is_unsatisfiable on SpecifierSet using ranges (#1119)
- 06c6555 Propagate int-max-str-digits ValueError (#1155)
- 905c90c feat: option to validate compressed tag set sort order in `parse_wheel_filena...
- af0026c docs(pylock): document select() method and PylockSelectError (#1153)
- 668da86 Rename format_full_version to _format_full_version to make it visibly private...
- f294d52 tests: do not reload the tags module (#1152)
- 2c6c7df feat: add handling for Emscripten wheels tags per PEP 783 (#804)
- 6762eea docs(markers): document & and | operators for combining Marker objects (#1151)