[MEDIUM] Upgrade python-virtualenv to 20.36.1 for CVE-2026-22702

[archana25-ms]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

What does the PR accomplish, why was it needed?
Upgrade python-virtualenv to 20.36.1 for CVE-2026-22702
Reference: #15494

Change Log

• SPECS/python-virtualenv/0001-replace-to-flit.patch
• SPECS/python-virtualenv/python-virtualenv.signatures.json
• SPECS/python-virtualenv/python-virtualenv.spec
• cgmanifest.json

Does this affect the toolchain?

NO

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2026-22702

Test Methodology

• Pipeline build id: xxxx

Build and test is successful

[Kanishk-Bansal]

Buddy Build

[Kanishk-Bansal]

There are no breaking changes on the API side as per the changelog, this release needs Python to 3.8+ and we already have 3.10

[Kanishk-Bansal]

remove the CVE-2024-53899.patch file from SPEC folder

[archana25-ms]

remove the CVE-2024-53899.patch file from SPEC folder

Removed

[Kanishk-Bansal]

LGTM. Buddy Build is fine. Source Tarball Uploaded to blob.

[kgodara912]

As per the AI summary,

Yes, there are significant changes and potential for breaking behavior between virtualenv version 20.25 and 20.36, primarily driven by updated embedded, upgraded system requirements, and the yanking of intermediate releases due to issues. 

Upgraded Embedded Seed Packages

virtualenv embeds pip, setuptools, and wheel to create environments. Between 20.25 and 20.36, these have been upgraded, which can cause subtle changes in how environments are created or packages are installed: 
20.25.x: Embedded pip 23.3.2/24.0 and setuptools 69.0.3/69.1.0.
20.36.x: Embedded pip 24.2 and setuptools 74.1.2. 

Specific Behavioral Fixes & Changes

Application Data Handling: Improved handling of read-only application data folders, which might change behavior in restricted environments.

If you are upgrading from 20.25 to 20.36, it is highly recommended to recreate your virtual environments to ensure compatibility with the updated embedded pip and setuptools versions.

Could you please reverify once if everything is fine in upgrade?

[Kanishk-Bansal]

I feel there is no breaking changes according to changelogs. Co-pilot also suggested no breaking changes.
Hence, we can move ahead with the upgrade.

[kgodara912]

Considering no breaking changes from the original version as most of the summary says that no need to recreate existing environments and it should work as is. Buddy build is successful. LGTM.