| author | Bobby <[email protected]> | 2026-04-28 12:42:42 +0530 |
|---|---|---|
| committer | GitHub <[email protected]> | 2026-04-28 12:42:42 +0530 |
| commit | acc93d836ec9c548512c11fe8b1a2561009f22cd (patch) | |
| tree | 4077067067c0ae9171c18240f2288dc67d26789f /.github/workflows/codeql-analysis.yml | |
| parent | d0cd1e3b4074bd57a877cd3968c7dcd6cc9f017f (diff) | |
| parent | 469187a696a3df98e28a8c40292041dace77fbf5 (diff) | |
| download | edify-acc93d836ec9c548512c11fe8b1a2561009f22cd.tar.xz edify-acc93d836ec9c548512c11fe8b1a2561009f22cd.zip | |
Update virtualenv requirement from >=16.6.0 to >=21.3.0 (#28)
Updates the requirements on
[virtualenv](https://github.com/pypa/virtualenv) to permit the latest
version.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/virtualenv/releases">virtualenv's
releases</a>.</em></p>
<blockquote>
<h2>21.3.0</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<ul>
<li>🐛 fix(type): stop ty flagging default_source on Action by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3124">pypa/virtualenv#3124</a></li>
<li>feat: Reintroduce xonsh shell support by <a
href="https://github.com/anki-code"><code>@anki-code</code></a> in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3125">pypa/virtualenv#3125</a></li>
<li>🐛 fix(test): prevent PowerShell activation test from crashing xdist
workers on Windows by <a
href="https://github.com/gaborbernat"><code>@gaborbernat</code></a> in
<a
href="https://redirect.github.com/pypa/virtualenv/pull/3128">pypa/virtualenv#3128</a></li>
<li>docs: Add usage instruction for Xonsh activation by <a
href="https://github.com/anki-code"><code>@anki-code</code></a> in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3130">pypa/virtualenv#3130</a></li>
<li>Upgrade embedded pip/setuptools/wheel by <a
href="https://github.com/github-actions"><code>@github-actions</code></a>[bot]
in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3132">pypa/virtualenv#3132</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/anki-code"><code>@anki-code</code></a>
made their first contribution in <a
href="https://redirect.github.com/pypa/virtualenv/pull/3125">pypa/virtualenv#3125</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/pypa/virtualenv/compare/21.2.4...21.3.0">https://github.com/pypa/virtualenv/compare/21.2.4...21.3.0</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst">virtualenv's
changelog</a>.</em></p>
<blockquote>
<h1>Features - 21.3.0</h1>
<ul>
<li>Re-introduce <code>xonsh</code> shell activator
(<code>activate.xsh</code>) previously removed in 20.7.0, and make the
plugin loader
prefer virtualenv's built-in entry points so a third-party package
cannot override them by registering a duplicate
name. (:issue:<code>3003</code>)</li>
</ul>
<h1>Bugfixes - 21.3.0</h1>
<ul>
<li>
<p>Upgrade embedded wheels:</p>
<ul>
<li>pip to <code>26.1</code> (:issue:<code>3132</code>)</li>
</ul>
</li>
</ul>
<hr />
<p>v21.2.4 (2026-04-14)</p>
<hr />
<h1>Bugfixes - 21.2.4</h1>
<ul>
<li>Security hardening: validate each entry of a seed wheel archive
before extracting it so a tampered wheel cannot escape
the app-data image directory via an absolute path or <code>..</code>
traversal. (:issue:<code>3118</code>)</li>
<li>Security hardening: verify the SHA-256 of every bundled seed wheel
when it is loaded so a corrupted or tampered file
on disk fails loud instead of being handed to pip. The hash table is
generated alongside <code>BUNDLE_SUPPORT</code> by
<code>tasks/upgrade_wheels.py</code>. (:issue:<code>3119</code>)</li>
<li>Security hardening: validate the distribution name and version
specifier passed to <code>pip download</code> when acquiring a
seed wheel so extras, pip flags, or shell metacharacters cannot be
smuggled into the subprocess command line.
(:issue:<code>3120</code>)</li>
<li>Security hardening: replace the string-prefix containment check in
<code>virtualenv.util.zipapp</code> with
<code>Path.relative_to</code> so the zipapp extraction helpers refuse
any path that does not resolve under the archive root.
(:issue:<code>3121</code>)</li>
<li>Security hardening: do not silently fall back to an unverified HTTPS
context when the periodic update request to PyPI
fails TLS verification. The returned metadata drives which wheel version
virtualenv considers "up to date", so
accepting an unverified response lets a network-level attacker suppress
security updates. Set
<code>VIRTUALENV_PERIODIC_UPDATE_INSECURE=1</code> to restore the
previous behavior on hosts with broken trust stores.
(:issue:<code>3122</code>)</li>
</ul>
<hr />
<p>v21.2.3 (2026-04-14)</p>
<hr />
<p>No significant changes.</p>
<hr />
<p>v21.2.2 (2026-04-13)</p>
<hr />
<h1>Bugfixes - 21.2.2</h1>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pypa/virtualenv/commit/e917cc244e659160607c890de2cbad3a7bc2a28c"><code>e917cc2</code></a>
release 21.3.0</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/21152f1b88c49cdefda2743cddc2cf36d50e2e57"><code>21152f1</code></a>
Upgrade embedded pip/setuptools/wheel (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3132">#3132</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/096bdcd72d7a6c92dcb9dee97fd429fe3e0231a5"><code>096bdcd</code></a>
chore(deps): bump astral-sh/setup-uv from 8.0.0 to 8.1.0 (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3131">#3131</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/01610dc7a8ef08158c815f43dc22ceadb98b85c0"><code>01610dc</code></a>
docs: Add usage instruction for Xonsh activation (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3130">#3130</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/fb6ec7c461db2b0ccfabe7ec6255368e86cfaed3"><code>fb6ec7c</code></a>
🐛 fix(test): prevent PowerShell activation test from crashing xdist
workers o...</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/60956799efa82adac0c3d5e70d9ca1fdd63125f8"><code>6095679</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3129">#3129</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/8d3179cf42332501240e9ee3ddca7e376a790752"><code>8d3179c</code></a>
chore(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1
(<a
href="https://redirect.github.com/pypa/virtualenv/issues/3127">#3127</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/a159c50a400d4e18aca3bfde5224f09e71d2eb17"><code>a159c50</code></a>
chore(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3126">#3126</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/9ba729bbbbec89c121c3ce4ef205fdd403e33e26"><code>9ba729b</code></a>
feat: Reintroduce xonsh shell support (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3125">#3125</a>)</li>
<li><a
href="https://github.com/pypa/virtualenv/commit/d42ea5cd19a116dbdbb9852becace188d5b3a225"><code>d42ea5c</code></a>
🐛 fix(type): stop ty flagging default_source on Action (<a
href="https://redirect.github.com/pypa/virtualenv/issues/3124">#3124</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/pypa/virtualenv/compare/16.6.0...21.3.0">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Diffstat (limited to '.github/workflows/codeql-analysis.yml')
0 files changed, 0 insertions, 0 deletions
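The 21.2.4 changelog entries quoted in the commit message above describe two related hardening steps: validating each archive entry before extraction, and replacing a string-prefix containment check with `Path.relative_to`. The following is an added example, not code from virtualenv or from this repository, showing why the prefix test is insufficient and what a per-entry check can look like. The function names, the root path and the sample archive are hypothetical and constructed for illustration.

```python
import io
import zipfile
from pathlib import Path, PurePosixPath


def prefix_contained(root, candidate):
    """Weak check: compares path text only, so a sibling directory passes."""
    return str(candidate).startswith(str(root))


def resolves_under(root, candidate):
    """Stronger check: resolve both paths, then require real containment."""
    try:
        Path(candidate).resolve().relative_to(Path(root).resolve())
    except ValueError:
        return False
    return True


def unsafe_entries(archive, dest):
    """Names of archive entries to refuse before extracting anything."""
    rejected = []
    for name in archive.namelist():
        entry = PurePosixPath(name.replace("\\", "/"))
        if (entry.is_absolute() or ".." in entry.parts
                or not resolves_under(dest, Path(dest) / entry)):
            rejected.append(name)
    return rejected


def build_sample_archive():
    """Constructed sample: one ordinary entry plus three names that escape."""
    buf = io.BytesIO()
    names = ("pkg/__init__.py", "../evil.py", "/abs/evil.py", "pkg/../../evil.py")
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "")
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    root = "/srv/app-data/image"          # hypothetical extraction root
    sibling = "/srv/app-data/image-evil/x.py"
    print(prefix_contained(root, sibling), resolves_under(root, sibling))
    print(unsafe_entries(build_sample_archive(), root))
```

The sibling directory `image-evil` shares the root's text prefix, so the string comparison accepts it while the resolved `relative_to` check refuses it.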
