pkgsrc-Changes archive
CVS commit: pkgsrc/devel/py-virtualenv
Module Name: pkgsrc
Committed By: adam
Date: Fri Apr 24 09:41:15 UTC 2026
Modified Files:
pkgsrc/devel/py-virtualenv: Makefile PLIST distinfo
Log Message:
py-virtualenv: updated to 21.2.4
Bugfixes - 21.2.4
Security hardening: validate each entry of a seed wheel archive before extracting it so a tampered wheel cannot escape the app-data image directory via an absolute path or .. traversal.
Security hardening: verify the SHA-256 of every bundled seed wheel when it is loaded so a corrupted or tampered file on disk fails loud instead of being handed to pip. The hash table is generated
alongside BUNDLE_SUPPORT by tasks/upgrade_wheels.py.
Security hardening: validate the distribution name and version specifier passed to pip download when acquiring a seed wheel so extras, pip flags, or shell metacharacters cannot be smuggled into the
subprocess command line.
Security hardening: replace the string-prefix containment check in virtualenv.util.zipapp with Path.relative_to so the zipapp extraction helpers refuse any path that does not resolve under the
archive root.
Security hardening: do not silently fall back to an unverified HTTPS context when the periodic update request to PyPI fails TLS verification. The returned metadata drives which wheel version
virtualenv considers “up to date”, so accepting an unverified response lets a network-level attacker suppress security updates. Set VIRTUALENV_PERIODIC_UPDATE_INSECURE=1 to restore the previous
behavior on hosts with broken trust stores.
To generate a diff of this commit:
cvs rdiff -u -r1.106 -r1.107 pkgsrc/devel/py-virtualenv/Makefile
cvs rdiff -u -r1.79 -r1.80 pkgsrc/devel/py-virtualenv/PLIST
cvs rdiff -u -r1.90 -r1.91 pkgsrc/devel/py-virtualenv/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/devel/py-virtualenv/Makefile
diff -u pkgsrc/devel/py-virtualenv/Makefile:1.106 pkgsrc/devel/py-virtualenv/Makefile:1.107
--- pkgsrc/devel/py-virtualenv/Makefile:1.106 Thu Mar 12 05:21:00 2026
+++ pkgsrc/devel/py-virtualenv/Makefile Fri Apr 24 09:41:14 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.106 2026/03/12 05:21:00 adam Exp $
+# $NetBSD: Makefile,v 1.107 2026/04/24 09:41:14 adam Exp $
-DISTNAME= virtualenv-21.2.0
+DISTNAME= virtualenv-21.2.4
PKGNAME= ${PYPKGPREFIX}-${DISTNAME}
CATEGORIES= devel python
MASTER_SITES= ${MASTER_SITE_PYPI:=v/virtualenv/}
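Review bot: DISTNAME moves from virtualenv-21.2.0 directly to virtualenv-21.2.4, but the log message carries only the "Bugfixes - 21.2.4" section. If upstream published releases in between, their change notes should be included in the commit log so the full delta can be audited from the log alone.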
@@ -15,7 +15,7 @@ TOOL_DEPENDS+= ${PYPKGPREFIX}-hatchling>
DEPENDS+= ${PYPKGPREFIX}-distlib>=0.3.7:../../devel/py-distlib
DEPENDS+= ${PYPKGPREFIX}-filelock>=3.24.2:../../devel/py-filelock
DEPENDS+= ${PYPKGPREFIX}-platformdirs>=3.9.1:../../misc/py-platformdirs
-DEPENDS+= ${PYPKGPREFIX}-python-discovery>=1:../../lang/py-python-discovery
+DEPENDS+= ${PYPKGPREFIX}-python-discovery>=1.2.2:../../lang/py-python-discovery
TEST_DEPENDS+= ${PYPKGPREFIX}-coverage>=7.2.7:../../devel/py-coverage
TEST_DEPENDS+= ${PYPKGPREFIX}-coverage-enable-subprocess>=1:../../devel/py-coverage-enable-subprocess
TEST_DEPENDS+= ${PYPKGPREFIX}-flaky>=3.7:../../devel/py-flaky
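Review bot: the py-python-discovery floor on the DEPENDS line rises from >=1 to >=1.2.2, and nothing in the log message explains it. State the reason for the new minimum in the log, and confirm that ../../lang/py-python-discovery already provides at least 1.2.2 so the dependency can be satisfied in-tree.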
Index: pkgsrc/devel/py-virtualenv/PLIST
diff -u pkgsrc/devel/py-virtualenv/PLIST:1.79 pkgsrc/devel/py-virtualenv/PLIST:1.80
--- pkgsrc/devel/py-virtualenv/PLIST:1.79 Thu Mar 12 05:21:00 2026
+++ pkgsrc/devel/py-virtualenv/PLIST Fri Apr 24 09:41:14 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.79 2026/03/12 05:21:00 adam Exp $
+@comment $NetBSD: PLIST,v 1.80 2026/04/24 09:41:14 adam Exp $
bin/virtualenv-${PYVERSSUFFIX}
${PYSITELIB}/${WHEEL_INFODIR}/METADATA
${PYSITELIB}/${WHEEL_INFODIR}/RECORD
@@ -254,7 +254,7 @@ ${PYSITELIB}/virtualenv/seed/wheels/embe
${PYSITELIB}/virtualenv/seed/wheels/embed/pip-25.0.1-py3-none-any.whl
${PYSITELIB}/virtualenv/seed/wheels/embed/pip-26.0.1-py3-none-any.whl
${PYSITELIB}/virtualenv/seed/wheels/embed/setuptools-75.3.4-py3-none-any.whl
-${PYSITELIB}/virtualenv/seed/wheels/embed/setuptools-82.0.0-py3-none-any.whl
+${PYSITELIB}/virtualenv/seed/wheels/embed/setuptools-82.0.1-py3-none-any.whl
${PYSITELIB}/virtualenv/seed/wheels/embed/wheel-0.45.1-py3-none-any.whl
${PYSITELIB}/virtualenv/seed/wheels/periodic_update.py
${PYSITELIB}/virtualenv/seed/wheels/periodic_update.pyc
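Review bot: the embedded setuptools wheel changes from setuptools-82.0.0 to setuptools-82.0.1 in this hunk, while the log message does not mention any bundled-wheel bump. Since the log says 21.2.4 verifies the SHA-256 of every bundled seed wheel when it is loaded, note the changed wheel set in the log and check that the packaged .whl files are installed byte-for-byte as shipped upstream.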
Index: pkgsrc/devel/py-virtualenv/distinfo
diff -u pkgsrc/devel/py-virtualenv/distinfo:1.90 pkgsrc/devel/py-virtualenv/distinfo:1.91
--- pkgsrc/devel/py-virtualenv/distinfo:1.90 Thu Mar 12 05:21:00 2026
+++ pkgsrc/devel/py-virtualenv/distinfo Fri Apr 24 09:41:14 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.90 2026/03/12 05:21:00 adam Exp $
+$NetBSD: distinfo,v 1.91 2026/04/24 09:41:14 adam Exp $
-BLAKE2s (virtualenv-21.2.0.tar.gz) = cfd76ebdc341613552be3c0c26a41812cce83dc836d96a358373322cbacc91d4
-SHA512 (virtualenv-21.2.0.tar.gz) = 29b41748fa5fe5dd79c1199c3ad28beeec168b54b0a051cfda805c20fa78e0505952a06d837bec3e917935845af3a10435ff7d105fa14246623ac3ec8007755e
-Size (virtualenv-21.2.0.tar.gz) = 5840618 bytes
+BLAKE2s (virtualenv-21.2.4.tar.gz) = df86de9bbabb910610756fcc546f38c9a7de854551d79e98ed811120e49a06fd
+SHA512 (virtualenv-21.2.4.tar.gz) = 59cd373c7b149ab83609f2a331fb6ffa95792647d939d129b661cb12aa02686e1b789ccdf2ecf9ab959e3645c42df303ddb5a277e0600b156f6567f797fc49ff
+Size (virtualenv-21.2.4.tar.gz) = 5850742 bytes
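The first, second and fourth hardening items in the log message (per-entry archive validation, SHA-256 verification on load, and Path.relative_to instead of a string-prefix check) can be sketched as follows. This is an added example, not virtualenv's code; `prefix_contains`, `path_contains`, `check_wheel` and `make_zip` are hypothetical names, and the archives are constructed in memory.

```python
import hashlib
import io
import zipfile
from pathlib import Path, PurePosixPath


def prefix_contains(root: str, candidate: str) -> bool:
    """Weak 'before' check: a plain string prefix also matches sibling dirs."""
    return candidate.startswith(root)


def path_contains(root: Path, candidate: Path) -> bool:
    """Component-wise containment: resolve both paths, then relative_to."""
    try:
        candidate.resolve().relative_to(root.resolve())
    except ValueError:
        return False
    return True


def check_wheel(data: bytes, expected_sha256: str, dest: Path) -> list[str]:
    """Return the entry names that are safe to extract under dest.

    Raises ValueError on a digest mismatch or on any unsafe entry, before
    anything is written to disk. POSIX-style names only; Windows drive
    letters would need an additional PureWindowsPath check.
    """
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise ValueError("seed wheel SHA-256 mismatch")
    names = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            posix = PurePosixPath(name.replace("\\", "/"))
            if posix.is_absolute() or ".." in posix.parts:
                raise ValueError(f"unsafe archive entry: {name!r}")
            # Second layer: the joined path must still resolve under dest.
            if not path_contains(dest, dest.joinpath(*posix.parts)):
                raise ValueError(f"entry escapes destination: {name!r}")
            names.append(name)
    return names


def make_zip(*names: str) -> bytes:
    """Build a constructed in-memory archive for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"x")
    return buf.getvalue()
```
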