Update virtualenv to 21.2.4 #359

Open: pyup-bot wants to merge 1 commit into master from pyup-update-virtualenv-20.35.4-to-21.2.4

@pyup-bot (Contributor)

This PR updates virtualenv from 20.35.4 to 21.2.4.

Changelog

21.2.4

=================

- Security hardening: validate each entry of a seed wheel archive before extracting it so a tampered wheel cannot escape
the app-data image directory via an absolute path or ``..`` traversal. (:issue:`3118`)
- Security hardening: verify the SHA-256 of every bundled seed wheel when it is loaded so a corrupted or tampered file
on disk fails loud instead of being handed to pip. The hash table is generated alongside ``BUNDLE_SUPPORT`` by
``tasks/upgrade_wheels.py``. (:issue:`3119`)
- Security hardening: validate the distribution name and version specifier passed to ``pip download`` when acquiring a
seed wheel so extras, pip flags, or shell metacharacters cannot be smuggled into the subprocess command line.
(:issue:`3120`)
- Security hardening: replace the string-prefix containment check in ``virtualenv.util.zipapp`` with
``Path.relative_to`` so the zipapp extraction helpers refuse any path that does not resolve under the archive root.
(:issue:`3121`)
- Security hardening: do not silently fall back to an unverified HTTPS context when the periodic update request to PyPI
fails TLS verification. The returned metadata drives which wheel version virtualenv considers "up to date", so
accepting an unverified response lets a network-level attacker suppress security updates. Set
``VIRTUALENV_PERIODIC_UPDATE_INSECURE=1`` to restore the previous behavior on hosts with broken trust stores.
(:issue:`3122`)

**********************
v21.2.3 (2026-04-14)
**********************

No significant changes.

**********************
v21.2.2 (2026-04-13)
**********************

21.2.2

=================

- Bump ``python-discovery`` minimum to ``>=1.2.2`` to include ``normalize_isa`` support - by :user:`rahuldevikar`.
(:issue:`3117`)

**********************
v21.2.1 (2026-04-09)
**********************

21.2.1

=================

- Upgrade embedded wheels:

  - setuptools to ``82.0.1`` from ``82.0.0`` (:issue:`3093`)

- Use terminal width for help formatting instead of hardcoded 240. (:issue:`3110`)

**********************
v21.2.0 (2026-03-09)
**********************

21.2.0

=================

- Pass ``--without-scm-ignore-files`` to subprocess venv on Python 3.13+ so virtualenv controls ``.gitignore`` creation,
fixing flaky ``test_create_no_seed`` and ``--no-vcs-ignore`` being ignored in subprocess path - by
:user:`gaborbernat`. (:issue:`3089`)
- Use ``BASH_SOURCE[0]`` instead of ``$0`` in the bash activate script relocation fallback, fixing incorrect ``PATH``
when sourcing the activate script from a different directory - by :user:`gaborbernat`. (:issue:`3090`)

**********************
v21.1.0 (2026-02-27)
**********************

21.1.0

=================

- Add comprehensive type annotations across the entire codebase and ship a PEP 561 ``py.typed`` marker so downstream
consumers and type checkers recognize virtualenv as an inline-typed package - by :user:`rahuldevikar`. (:issue:`3075`)

**********************
v21.0.0 (2026-02-25)
**********************

21.0.0

==================================

- The Python discovery logic has been extracted into a standalone ``python-discovery`` package on PyPI (`documentation
<https://python-discovery.readthedocs.io/>`_) and is now consumed as a dependency. If you previously imported
discovery internals directly (e.g. ``from virtualenv.discovery.py_info import PythonInfo``), switch to ``from
python_discovery import PythonInfo``. Backward-compatibility re-export shims are provided at
``virtualenv.discovery.py_info``, ``virtualenv.discovery.py_spec``, and ``virtualenv.discovery.cached_py_info``,
however these are considered unsupported and may be removed in a future release - by :user:`gaborbernat`.
(:issue:`3070`)

***********************
v20.39.1 (2026-02-25)
***********************

20.39.1

==================

- Add support for creating virtual environments with RustPython - by :user:`elmjag`. (:issue:`3010`)

***********************
v20.39.0 (2026-02-23)
***********************

20.39.0

==================

- Automatically resolve version manager shims (pyenv, mise, asdf) to the real Python binary during discovery, preventing
incorrect interpreter selection when shims are on ``PATH`` - by :user:`gaborbernat`. (:issue:`3049`)
- Add architecture (ISA) awareness to Python discovery — users can now specify a CPU architecture suffix in the
``--python`` spec string (e.g. ``cpython3.12-64-arm64``) to distinguish between interpreters that share the same
version and bitness but target different architectures. Uses ``sysconfig.get_platform()`` as the data source, with
cross-platform normalization (``amd64`` ↔ ``x86_64``, ``aarch64`` ↔ ``arm64``). Omitting the suffix preserves existing
behavior - by :user:`rahuldevikar`. (:issue:`3059`)

***********************
v20.38.0 (2026-02-19)
***********************

20.38.0

==================

- Exclude pywin32 DLLs (``pywintypes*.dll``, ``pythoncom*.dll``) from being copied to the Scripts directory during
virtualenv creation on Windows. This fixes compatibility issues with pywin32, which expects its DLLs to be installed
in ``site-packages/pywin32_system32`` by its own post-install script - by :user:`rahuldevikar`. (:issue:`2662`)
- Preserve symlinks in ``pyvenv.cfg`` paths to match ``venv`` behavior. Use ``os.path.abspath()`` instead of
``os.path.realpath()`` to normalize paths without resolving symlinks, fixing issues with Python installations accessed
via symlinked directories (common in network-mounted filesystems) - by :user:`rahuldevikar`. Fixes :issue:`2770`.
(:issue:`2770`)
- Fix Windows activation scripts to properly quote ``python.exe`` path, preventing failures when Python is installed in
a path with spaces (e.g., ``C:\Program Files``) and a file named ``C:\Program`` exists on the filesystem - by
:user:`rahuldevikar`. (:issue:`2985`)
- Fix ``bash -u`` (``set -o nounset``) compatibility in bash activation script by using ``${PKG_CONFIG_PATH:-}`` and
``${PKG_CONFIG_PATH:+:${PKG_CONFIG_PATH}}`` to handle unset ``PKG_CONFIG_PATH`` - by :user:`Fridayai700`.
(:issue:`3044`)
- Gracefully handle corrupted on-disk cache and invalid JSON from Python interrogation subprocess instead of crashing
with unhandled ``JSONDecodeError`` or ``KeyError`` - by :user:`gaborbernat`. (:issue:`3054`)

***********************
v20.36.1 (2026-01-09)
***********************

20.36.1

==================

- Fix TOCTOU vulnerabilities in app_data and lock directory creation that could be exploited via symlink attacks -
reported by :user:`tsigouris007`, fixed by :user:`gaborbernat`. (:issue:`3013`)

***********************
v20.36.0 (2026-01-07)
***********************

20.36.0

==================

- Add support for PEP 440 version specifiers in the ``--python`` flag. Users can now specify Python versions using
operators like ``>=``, ``<=``, ``~=``, etc. For example: ``virtualenv --python=">=3.12" myenv``. (:issue:`2994`)

***********************
v20.35.4 (2025-10-28)
***********************
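
Added example, not part of this PR and not virtualenv's own code: the 21.2.4 entries on validating seed-wheel archive entries and on replacing the string-prefix containment check with ``Path.relative_to`` come down to the difference shown here. The function names, the destination path and the in-memory archive are constructed for illustration.

```python
import io
import os
import zipfile
from pathlib import Path

# Constructed destination; it does not need to exist for the checks below.
DEST = Path("/srv/constructed/app-data/image")


def prefix_contained(root: Path, candidate: Path) -> bool:
    """Weak check: string-prefix comparison of normalized paths."""
    return os.path.normpath(candidate).startswith(os.path.normpath(root))


def resolves_under(root: Path, candidate: Path) -> bool:
    """Component-wise check: candidate must be root or a descendant of it."""
    try:
        candidate.resolve().relative_to(root.resolve())
    except ValueError:
        return False
    return True


def build_sample_archive() -> zipfile.ZipFile:
    """Constructed in-memory archive mixing benign and escaping entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("pkg/__init__.py", "pkg/../../escape.py",
                     "../image-evil/mod.py", "/abs/mod.py"):
            zf.writestr(name, b"")
    buf.seek(0)
    return zipfile.ZipFile(buf)


def rejected_entries(archive: zipfile.ZipFile, dest: Path) -> list[str]:
    """Names that would land outside dest; validate before extracting any."""
    return [n for n in archive.namelist() if not resolves_under(dest, dest / n)]


if __name__ == "__main__":
    sibling = DEST.parent / "image-evil" / "mod.py"
    print("prefix check accepts sibling dir:", prefix_contained(DEST, sibling))
    print("relative_to accepts sibling dir:", resolves_under(DEST, sibling))
    print("rejected:", rejected_entries(build_sample_archive(), DEST))
```

The sibling directory ``image-evil`` shares a string prefix with ``image``, which is why the prefix check accepts it while the component-wise check refuses it.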