Bump virtualenv from 20.23.1 to 20.26.6

[dependabot]

Bumps virtualenv from 20.23.1 to 20.26.6.

Release notes

Sourced from virtualenv's releases.

20.26.6

What's Changed

• release 20.26.5 by @​gaborbernat in pypa/virtualenv#2766
• Fix #2768: Quote template strings in activation scripts by @​y5c4l3 in pypa/virtualenv#2771

New Contributors

• @​y5c4l3 made their first contribution in pypa/virtualenv#2771

Full Changelog: pypa/virtualenv@20.26.5...20.26.6

20.26.5

What's Changed

• release 20.26.4 by @​gaborbernat in pypa/virtualenv#2761
• Use uv over pip by @​gaborbernat in pypa/virtualenv#2765

Full Changelog: pypa/virtualenv@20.26.4...20.26.5

20.26.4

What's Changed

• release 20.26.3 by @​gaborbernat in pypa/virtualenv#2742
• Fix whitespace around backticks in changelog by @​edmorley in pypa/virtualenv#2751
• Test latest Python 3.13 by @​hugovk in pypa/virtualenv#2752
• Fix typo in Nushell activation script by @​edmorley in pypa/virtualenv#2754
• GitHub Actions: Replace deprecated macos-12 with macos-13 by @​hugovk in pypa/virtualenv#2756
• Fix #2728: Activating venv create unwanted console output by @​ShootGan in pypa/virtualenv#2748
• Upgrade bundled wheels by @​gaborbernat in pypa/virtualenv#2760

New Contributors

• @​ShootGan made their first contribution in pypa/virtualenv#2748

Full Changelog: pypa/virtualenv@20.26.3...20.26.4

20.26.3

What's Changed

• release 20.26.2 by @​gaborbernat in pypa/virtualenv#2724
• Bump embeded wheels by @​gaborbernat in pypa/virtualenv#2741

Full Changelog: pypa/virtualenv@20.26.2...20.26.3

20.26.2

... (truncated)

Changelog

Sourced from virtualenv's changelog.

v20.26.6 (2024-09-27)

Bugfixes - 20.26.6

- Properly quote string placeholders in activation script templates to mitigate
  potential command injection - by :user:`y5c4l3`. (:issue:`2768`)
v20.26.5 (2024-09-17)
Bugfixes - 20.26.5

• Upgrade embedded wheels: setuptools to 75.1.0 from 74.1.2 - by :user:gaborbernat. (:issue:2765)

v20.26.4 (2024-09-07)

Bugfixes - 20.26.4

- no longer create `()` output in console during activation of a virtualenv by .bat file. (:issue:`2728`)
- Upgrade embedded wheels:

wheel to 0.44.0 from 0.43.0
pip to 24.2 from 24.1
setuptools to 74.1.2 from 70.1.0 (:issue:2760)

v20.26.3 (2024-06-21)
Bugfixes - 20.26.3

• Upgrade embedded wheels:

  • setuptools to 70.1.0 from 69.5.1
  • pip to 24.1 from 24.0 (:issue:2741)

v20.26.2 (2024-05-13)

Bugfixes - 20.26.2

- ``virtualenv.pyz`` no longer fails when zipapp path contains a symlink - by :user:`HandSonic` and :user:`petamas`. (:issue:`1949`)
- Fix bad return code from activate.sh if hashing is disabled - by :user:'fenkes-ibm'. (:issue:`2717`)
v20.26.1 (2024-04-29)
Bugfixes - 20.26.1

... (truncated)

Commits

• ec04726 release 20.26.6
• 86ddded Fix #2768: Quote template strings in activation scripts (#2771)
• 6bb3f62 [pre-commit.ci] pre-commit autoupdate (#2769)
• 220d49c Bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2 (#2767)
• cf340c8 Merge pull request #2766 from pypa/release-20.26.5
• f3172b4 release 20.26.5
• 22b9795 Use uv over pip (#2765)
• 35d8269 [pre-commit.ci] pre-commit autoupdate (#2764)
• ee77feb [pre-commit.ci] pre-commit autoupdate (#2763)
• c516056 Update README.md
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[jpeaks-eroad]

Checkmarx One – Scan Summary & Details – 1e2e943f-9fe6-4dfe-8ba5-d0b5d0073ccc

New Issues (68)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CVE-2024-3651	Python-idna-3.4	details Recommended version: 3.7 Description: A vulnerability was identified in the kjd/idna library, specifically within the "idna.encode()" function. The issue arises from the function's hand... Attack Vector: NETWORK Attack Complexity: LOW ID: pS%2BWwtHA2ZWVTbaOErI0%2B%2FNzq2%2B0KG%2Buz5UVfxFtKkc%3D Vulnerable Package
	CVE-2024-39689	Python-certifi-2023.5.7	details Recommended version: 2024.7.4 Description: Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hos... Attack Vector: NETWORK Attack Complexity: LOW ID: TmW3T47Pl7bMn4zPf05Hv9qAlWozTsTVkyiVvyO4L5E%3D Vulnerable Package
	CVE-2024-6345	Python-setuptools-68.0.0	details Recommended version: 78.1.1 Description: A vulnerability in the "package_index" module of the package setuptools versions prior to 70.0.0 allows for remote code execution via its "download... Attack Vector: NETWORK Attack Complexity: LOW ID: 4WOJXTft7I7eOrBv9UsTzJsDkUUvDeO0u8XriVbwsT4%3D Vulnerable Package
	CVE-2025-47273	Python-setuptools-68.0.0	details Recommended version: 78.1.1 Description: The package setuptools allows users to download, build, install, upgrade, and uninstall Python packages. A Path Traversal vulnerability in `Package... Attack Vector: NETWORK Attack Complexity: LOW ID: ZEQMTr9GEALWWHvWURE%2BnwqNUr9LBz0A1MkjpqpR0j0%3D Vulnerable Package
	Missing User Instruction	/Dockerfile: 1	details A user should be specified in the dockerfile, otherwise the image will run as root ID: Ahh1eu%2FgD0iAJQvAcrOApZZvp7M%3D
	Privilege Escalation Allowed	/deployment.yaml: 23	details Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process ID: 6QjrZzXVr4ERdC%2BDqbFLVOAu1PY%3D
	Privilege Escalation Allowed	/deployment.yaml: 37	details Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process ID: Aoipca%2BFcBVYERAWhMPzvFCOYvw%3D
	Privilege Escalation Allowed	/deployment.yaml: 38	details Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process ID: IZW0m7qeHC8mG3RciXwIJx5WRpo%3D
	RBAC Wildcard In Rule	/rbac.yaml: 18	details Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least... ID: il4tn%2FDF%2BT3YRr1fCaQsoUDnW78%3D
	RBAC Wildcard In Rule	/cluster-role.yaml: 10	details Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least... ID: YjpWIiOIT%2B10lLWh1VMdpRT5bYA%3D
	RBAC Wildcard In Rule	/cluster-role.yaml: 10	details Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least... ID: dG4SK1vzcuQUFkmS9mhWQHcdIwc%3D
	RBAC Wildcard In Rule	/rbac.yaml: 19	details Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least... ID: JVy8TnYSFetv35QJBZkD7m3JUjM%3D
	RBAC Wildcard In Rule	/rbac.yaml: 20	details Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least... ID: QrzOI%2B250Dr1rXA66mpgukEM%2Fc0%3D
	RBAC Wildcard In Rule	/rbac.yaml: 17	details Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least... ID: 0ypQoebrEix5dEcvFxKt%2FrvlwFk%3D
	CVE-2024-35195	Python-requests-2.31.0	details Recommended version: 2.32.4 Description: Requests is an HTTP library. In the package requests versions prior to 2.32.0, when making requests through a Requests `Session`, if the first requ... Attack Vector: LOCAL Attack Complexity: HIGH ID: bzswyzl%2FOjXJ%2FJ8s3mo%2BW3XYvg9i3HdDUR2joZpeKcY%3D Vulnerable Package
	CVE-2024-37891	Python-urllib3-2.0.3	details Recommended version: 2.5.0 Description: urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header... Attack Vector: NETWORK Attack Complexity: HIGH Exploitable Path: sleep@/kube_janitor/main.py - ... - _sleep_backoff@/urllib3/util/retry.py ID: DTtJS86CCehNvSb2Bx3EeQye2XaC%2FcSCzao8APd3AfU%3D Vulnerable Package
	CVE-2024-47081	Python-requests-2.31.0	details Recommended version: 2.32.4 Description: Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak ".netrc" credentials to third parties for speci... Attack Vector: NETWORK Attack Complexity: HIGH ID: ysYh6cyRNEBChyHKEZmcUKXZ%2Bn%2Fzw1XldtkexAlaoLE%3D Vulnerable Package
	CVE-2025-50181	Python-urllib3-2.0.3	details Recommended version: 2.5.0 Description: The package urllib3 is a user-friendly HTTP client library for Python. In versions prior to 2.5.0, it is possible to disable redirects for all requ... Attack Vector: NETWORK Attack Complexity: HIGH ID: %2BB2x7Tuju74e691aURSqx8BEwwv4%2BQA8w41gW8%2BqqZA%3D Vulnerable Package
	Container Running As Root	/deployment.yaml: 23	details Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibiliti... ID: gQSIB%2F4UG6DiDGwH%2BpJ21ZLd5JU%3D
	Container Running With Low UID	/deployment.yaml: 40	details Check if containers are running with low UID, which might cause conflicts with the host's user table. ID: N4Oc%2BAkXMZ49%2FBbwtthVE3BRDFM%3D
	Container Running With Low UID	/deployment.yaml: 41	details Check if containers are running with low UID, which might cause conflicts with the host's user table. ID: jplgUvGBTxSfCRx0m6BUuGGPsbw%3D
	Container Running With Low UID	/deployment.yaml: 23	details Check if containers are running with low UID, which might cause conflicts with the host's user table. ID: Tmbp%2BwkXWQgtB1iT2M5trvyWiZQ%3D
	Memory Limits Not Defined	/deployment.yaml: 23	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than ... ID: rt0q1NkA9g9t2dgAa9Jh0bqbXOo%3D
	Memory Requests Not Defined	/deployment.yaml: 23	details Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents ove... ID: XEXadd5i7KmdE77EkVPHRw1pUBY%3D
	NET_RAW Capabilities Not Being Dropped	/deployment.yaml: 23	details Containers should drop 'ALL' or at least 'NET_RAW' capabilities ID: Gs1lQ7oxeW7QcG66xM%2F%2BwBkA%2FWc%3D
	NET_RAW Capabilities Not Being Dropped	/deployment.yaml: 25	details Containers should drop 'ALL' or at least 'NET_RAW' capabilities ID: DAGT2m1%2FoL%2FT4TIpCL89w9jjOv8%3D
	NET_RAW Capabilities Not Being Dropped	/deployment.yaml: 21	details Containers should drop 'ALL' or at least 'NET_RAW' capabilities ID: QBSvWK0NcVwXqxi4kv9Rqoz9uh8%3D
	Readiness Probe Is Not Configured	/deployment.yaml: 25	details Check if Readiness Probe is not configured. ID: Xyd%2BRwyVBLw%2BxCU%2BWXTRSGV3nUU%3D
	Readiness Probe Is Not Configured	/deployment.yaml: 23	details Check if Readiness Probe is not configured. ID: JhFikoPXKZ7KFhQacxTEweS7Nqk%3D
	Readiness Probe Is Not Configured	/deployment.yaml: 21	details Check if Readiness Probe is not configured. ID: J5rcW%2BfdaZ3yzPVSzTilxeHtVUA%3D
	Seccomp Profile Is Not Configured	/deployment.yaml: 37	details Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls ID: AzXrkCKjxrpw2cXdc12fcPzdtLA%3D
	Seccomp Profile Is Not Configured	/deployment.yaml: 23	details Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls ID: Ii%2F%2By3Tz8dBLaJ0YaB8xehvkec0%3D
	Seccomp Profile Is Not Configured	/deployment.yaml: 38	details Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls ID: O31HVo8Qk4PWAFzXON3WfFyb8Ho%3D
	Service Account Token Automount Not Disabled	/deployment.yaml: 18	details Service Account Tokens are automatically mounted even if not necessary ID: Fz04TJBqabvScaKViwb8hKrSu4Y%3D
	Service Account Token Automount Not Disabled	/deployment.yaml: 20	details Service Account Tokens are automatically mounted even if not necessary ID: o5LG7%2BrQCKWy55dORpMHc0NCK%2BQ%3D
	Unpinned Package Version in Pip Install	/Dockerfile: 5	details Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes ID: %2Fe%2FEgsWJEM1INK5gXKd5%2BQE4qSY%3D
	Using Unrecommended Namespace	/deployment.yaml: 6	details Namespaces like 'default', 'kube-system' or 'kube-public' should not be used ID: 5AuT1DYJI3S2UcYjhWwFRSmeOvM%3D
	Using Unrecommended Namespace	/rbac.yaml: 4	details Namespaces like 'default', 'kube-system' or 'kube-public' should not be used ID: q0VHysucw38NfqlOD%2By18kEFlk4%3D
	Using Unrecommended Namespace	/service-account.yaml: 4	details Namespaces like 'default', 'kube-system' or 'kube-public' should not be used ID: TLPbRwHUeH0WATLtztc1rr%2BAhzs%3D
	Using Unrecommended Namespace	/rbac.yaml: 5	details Namespaces like 'default', 'kube-system' or 'kube-public' should not be used ID: 0pMWQyohFRneHg3Uqp0O%2FyqKwCo%3D
	Using Unrecommended Namespace	/deployment.yaml: 7	details Namespaces like 'default', 'kube-system' or 'kube-public' should not be used ID: col%2B%2B%2FMm%2FmZMgALzSZX2WHYisXQ%3D
	Using Unrecommended Namespace	/configmap.yaml: 4	details Namespaces like 'default', 'kube-system' or 'kube-public' should not be used ID: PfTLlrVgXtn8M7PNTEknfkEQ2mw%3D
	CPU Limits Not Set	/deployment.yaml: 32	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests ID: 37BxUYjgZLorZwDDONYEHrK%2BMJI%3D
	CPU Limits Not Set	/deployment.yaml: 33	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests ID: wJ6etK4s%2Fd%2BkF3p29LxDLhWeCB0%3D
	CPU Limits Not Set	/deployment.yaml: 23	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests ID: UTBd%2F0IEKSxp%2BHfd93PIv4Muw6E%3D
	CPU Requests Not Set	/deployment.yaml: 23	details CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node ID: MXICS5P0x2hd%2BXMkRU6LsCo9WUc%3D
	Healthcheck Instruction Missing	/Dockerfile: 1	details Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working ID: fRMy4xkJQynXXJI%2FOQXb9H%2FXXlc%3D
	Image Pull Policy Of The Container Is Not Set To Always	/deployment.yaml: 25	details Image Pull Policy of the container must be defined and set to Always ID: Gwh7AtvaxntjD59YnG95MUoCtUE%3D
	Image Pull Policy Of The Container Is Not Set To Always	/deployment.yaml: 21	details Image Pull Policy of the container must be defined and set to Always ID: loVjgsejluDnBefb7UIIWhMEAhI%3D
	Image Without Digest	/deployment.yaml: 24	details Images should be specified together with their digests to ensure integrity ID: 779byaflGuIp3pjDpZWxuPHJXdE%3D
	Image Without Digest	/deployment.yaml: 26	details Images should be specified together with their digests to ensure integrity ID: X3ntBgLvfIWbR3%2FGuY32K3g3Yyc%3D
	Image Without Digest	/deployment.yaml: 23	details Images should be specified together with their digests to ensure integrity ID: BvVJ5Ir5kRAMxDPOr2MQcZnQ2YE%3D
	Invalid Image Tag	/deployment.yaml: 24	details Image tag must be defined and not be empty or equal to latest. ID: uI9jzSCBC0y68FGfSZ%2FlkZLqN6I%3D
	Missing AppArmor Profile	/deployment.yaml: 16	details Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources ID: %2FlaXV8V0a%2FayCeq0wMMqu5mgONs%3D
	Missing AppArmor Profile	/deployment.yaml: 14	details Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources ID: YVd%2BFXqBayWwCrBeTKhCLAdbpdE%3D
	Missing AppArmor Profile	/deployment.yaml: 16	details Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources ID: IwlQZUObyg3PQPfedkLh9OQyjIQ%3D
	Multiple RUN, ADD, COPY, Instructions Listed	/Dockerfile: 7	details Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. ID: HvS8h1jcTSsm10s9cI%2F2EyMAo5o%3D
	No Drop Capabilities for Containers	/deployment.yaml: 23	details Sees if Kubernetes Drop Capabilities exists to ensure containers security context ID: qdESV2h42EpIjd%2FMgePf0sTjT%2F0%3D
	No Drop Capabilities for Containers	/deployment.yaml: 38	details Sees if Kubernetes Drop Capabilities exists to ensure containers security context ID: sOEI9OJvOpbmWVB2mff6U%2FtRWm4%3D
	No Drop Capabilities for Containers	/deployment.yaml: 37	details Sees if Kubernetes Drop Capabilities exists to ensure containers security context ID: tZt1JJgr4U%2FyY0vaqNR%2FqoSGvHc%3D
	Pip install Keeping Cached Packages	/Dockerfile: 5	details When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller ID: 0rzE0MA0F1p07VZ0ggmHW1tW%2BBQ%3D
	Pod or Container Without LimitRange	/deployment.yaml: 7	details Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not... ID: EQ8XzVt8vqYQYHqKBVxlfS8EXE4%3D
	Pod or Container Without LimitRange	/deployment.yaml: 6	details Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not... ID: mdhZWoeXu%2FU7x3jq3YeJC%2BdaQZU%3D
	Pod or Container Without ResourceQuota	/deployment.yaml: 6	details Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can... ID: rhZRyRTo3%2BpGrEp1CuLfJMPHdpQ%3D
	Pod or Container Without ResourceQuota	/deployment.yaml: 7	details Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can... ID: bfajngw1KS5wHs5CK24AvSdWe8c%3D
	Pod or Container Without Security Context	/deployment.yaml: 23	details A security context defines privilege and access control settings for a Pod or Container ID: dfd%2Bi0uk5T%2FwKsH9%2B4yMEgDy47w%3D
	Root Container Not Mounted Read-only	/deployment.yaml: 23	details Check if the root container filesystem is not being mounted read-only. ID: t5u%2FSfKM49jYcoI8FlCrPoSDHqs%3D
	Using Unnamed Build Stages	/Dockerfile: 18	details This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break. ID: olkvfkwwKDvL%2F8v%2FVhI3VSh4TuY%3D