Bump virtualenv from 21.1.0 to 21.2.0

[dependabot]

Bumps virtualenv from 21.1.0 to 21.2.0.

Release notes

Sourced from virtualenv's releases.

21.2.0

What's Changed

• Move SECURITY.md to .github/SECURITY.md by @​gaborbernat in pypa/virtualenv#3077
• Standardize .github files to .yaml suffix by @​gaborbernat in pypa/virtualenv#3079
• Add type annotations to embed wheel generator output by @​rahuldevikar in pypa/virtualenv#3085
• fix broken README heading introduced in docs restructure by @​rahuldevikar in pypa/virtualenv#3088
• 🐛 fix(bash): use BASH_SOURCE in activate relocation by @​gaborbernat in pypa/virtualenv#3091
• 🐛 fix(create): prevent venv from racing virtualenv on gitignore creation by @​gaborbernat in pypa/virtualenv#3092

Full Changelog: pypa/virtualenv@21.1.0...21.2.0

Changelog

Sourced from virtualenv's changelog.

Features - 21.2.0

• Update embed wheel generator (tasks/upgrade_wheels.py) to include type annotations in generated output - by :user:rahuldevikar. (:issue:3075)

Bugfixes - 21.2.0

• Pass --without-scm-ignore-files to subprocess venv on Python 3.13+ so virtualenv controls .gitignore creation, fixing flaky test_create_no_seed and --no-vcs-ignore being ignored in subprocess path - by :user:gaborbernat. (:issue:3089)
• Use BASH_SOURCE[0] instead of $0 in the bash activate script relocation fallback, fixing incorrect PATH when sourcing the activate script from a different directory - by :user:gaborbernat. (:issue:3090)

---

v21.1.0 (2026-02-27)

---

Commits

• 0b6f444 release 21.2.0
• e1af35d 🐛 fix(create): prevent venv from racing virtualenv on gitignore creation (#3092)
• f05bf08 🐛 fix(bash): use BASH_SOURCE in activate relocation (#3091)
• 0cd0e09 fix broken README heading introduced in docs restructure (#3088)
• b7ab17e [pre-commit.ci] pre-commit autoupdate (#3087)
• f2062bc chore(deps): bump astral-sh/setup-uv from 4 to 7 (#3086)
• eb27e55 Add type annotations to embed wheel generator output (#3085)
• fbb3bd1 chore(deps): bump peter-evans/create-pull-request from 7 to 8 (#3081)
• a1d3963 chore(deps): bump actions/setup-python from 5 to 6 (#3080)
• e768d56 chore(deps): bump actions/upload-artifact from 4 to 7 (#3082)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Resolves #3092
Resolves #3091
Resolves #3088
Resolves #3087
Resolves #3086
Resolves #3085
Resolves #3081
Resolves #3080
Resolves #3082
Resolves pypa/virtualenv#3077
Resolves pypa/virtualenv#3079
Resolves pypa/virtualenv#3085
Resolves pypa/virtualenv#3088
Resolves pypa/virtualenv#3091
Resolves pypa/virtualenv#3092

[github-actions]

🤖 Claude Code Review

PR Code Review

Summary: This is a minimal dependency bump — virtualenv from 21.1.0 to 21.2.0 in the development dependency group.

---

Code Quality

• ✅ Style guide — No code style concerns; this is a single dependency version change.
• ✅ No commented-out code — N/A
• ✅ Meaningful variable names — N/A
• ✅ DRY principle — N/A
• ✅ Defects — No logic errors or bugs introduced. The change is isolated to pyproject.toml:46.
• ✅ CLAUDE.md — No issues; the project config remains appropriate for general use.

Testing

• ✅ No new functions or endpoints — testing requirements do not apply to a dependency bump.

Documentation

• ✅ README — No update needed for a dev-only dependency bump.
• ✅ API docs — N/A
• ✅ Inline comments — N/A
• ❌ CHANGELOG.md — A CHANGELOG entry is typically expected even for dependency bumps. Check if this project maintains one and whether automated bumps (e.g., Dependabot) are excluded from that requirement.
• ✅ Markdown formatting — N/A

Security

• ✅ No hardcoded credentials — N/A
• ✅ No license files — No .lic files or AQAAAD-prefixed strings present.
• ✅ virtualenv 21.2.0 — This is a development-only dependency (not included in production installs), so the blast radius of any issue is limited to local dev/CI environments.

---

Verdict: Approved with minor note. The only flag is the missing CHANGELOG entry — if this project tracks dependency bumps there, it should be added. Otherwise, this is a clean, low-risk change.

Automated code review analyzing defects and coding standards