Bump virtualenv from 21.2.4 to 21.3.0

[dependabot]

Bumps virtualenv from 21.2.4 to 21.3.0.

Release notes

Sourced from virtualenv's releases.

21.3.0

What's Changed

• 🐛 fix(type): stop ty flagging default_source on Action by @​gaborbernat in pypa/virtualenv#3124
• feat: Reintroduce xonsh shell support by @​anki-code in pypa/virtualenv#3125
• 🐛 fix(test): prevent PowerShell activation test from crashing xdist workers on Windows by @​gaborbernat in pypa/virtualenv#3128
• docs: Add usage instruction for Xonsh activation by @​anki-code in pypa/virtualenv#3130
• Upgrade embedded pip/setuptools/wheel by @​github-actions[bot] in pypa/virtualenv#3132

New Contributors

• @​anki-code made their first contribution in pypa/virtualenv#3125

Full Changelog: pypa/virtualenv@21.2.4...21.3.0

Changelog

Sourced from virtualenv's changelog.

Features - 21.3.0

• Re-introduce xonsh shell activator (activate.xsh) previously removed in 20.7.0, and make the plugin loader prefer virtualenv's built-in entry points so a third-party package cannot override them by registering a duplicate name. (:issue:3003)

Bugfixes - 21.3.0

• Upgrade embedded wheels:

  • pip to 26.1 (:issue:3132)

---

v21.2.4 (2026-04-14)

---

Commits

• e917cc2 release 21.3.0
• 21152f1 Upgrade embedded pip/setuptools/wheel (#3132)
• 096bdcd chore(deps): bump astral-sh/setup-uv from 8.0.0 to 8.1.0 (#3131)
• 01610dc docs: Add usage instruction for Xonsh activation (#3130)
• fb6ec7c 🐛 fix(test): prevent PowerShell activation test from crashing xdist workers o...
• 6095679 [pre-commit.ci] pre-commit autoupdate (#3129)
• 8d3179c chore(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (#3127)
• a159c50 chore(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#3126)
• 9ba729b feat: Reintroduce xonsh shell support (#3125)
• d42ea5c 🐛 fix(type): stop ty flagging default_source on Action (#3124)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

🤖 Claude Code Review

Code Review: virtualenv 21.2.4 → 21.3.0 bump

PR Summary: Bumps virtualenv from 21.2.4 to 21.3.0 in the development dependency group.

---

Code Quality

• ✅ Style guide — Single-line change in pyproject.toml, no style concerns.
• ✅ No commented-out code — N/A.
• ✅ Meaningful variable names — N/A.
• ✅ DRY principle — N/A.
• ✅ Defects / bugs — No logic changes; pure version bump. virtualenv is a dev-only dependency (not shipped), so the blast radius is minimal. No security advisories noted for 21.2.4 → 21.3.0.
• ✅ CLAUDE.md — No concerns; the project memory is appropriately general.

Testing

• ✅ Unit/integration tests — No functional code changed; existing test suite is sufficient to validate the bump.
• ⚠️ Test coverage — No evidence in the diff that CI was run against this bump. Recommend confirming the CI pipeline passes (lint, tests) before merging, since a virtualenv minor version can occasionally change environment behavior.

Documentation

• ✅ README — No update needed; virtualenv is an internal dev tool not mentioned in user-facing docs.
• ✅ CHANGELOG.md — Not updated, but this is a transitive/automated dependency bump — acceptable to omit for patch-level tooling changes. If the project tracks all dependency bumps in CHANGELOG, add an entry.
• ✅ Markdown formatting — N/A.

Security

• ✅ No hardcoded credentials — N/A.
• ✅ No license files (.lic / AQAAAD) — None present.
• ✅ Input validation / error handling — N/A.
• ✅ No sensitive data in logs — N/A.

---

Summary

This is a clean, low-risk automated dependency bump. The only action item is confirming CI passes — particularly that the updated virtualenv does not break any test environment setup steps.

Verdict: Approve pending green CI.

Automated code review analyzing defects and coding standards