Skip to content

Bump fonttools from 4.51.0 to 4.62.1 in /tools#58492

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/pip/tools/fonttools-4.62.1
Open

Bump fonttools from 4.51.0 to 4.62.1 in /tools#58492
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/pip/tools/fonttools-4.62.1

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 13, 2026

Bumps fonttools from 4.51.0 to 4.62.1.

Release notes

Sourced from fonttools's releases.

4.62.1

  • [feaLib] Extend contextual rule merging to all rule types: single subst, GSUB/GPOS named lookups, ignore rules, and chained alternate subst (#4061).

4.62.0

  • [diff] Add new fonttools diff command for comparing font files, imported from the fdiff project and heavily reworked (#1190, #4007, #4009, #4011, #4013, #4019).
  • [feaLib] Fix VariableScalar interpolation bug with non-linear avar mappings. Also decouple VariableScalar from compiled fonts, allowing it to work with designspace data before compilation (#3938, #4054).
  • [feaLib] Fix VariableScalar axis ordering and iterative delta rounding to match fontc behavior (#4053).
  • [feaLib] Merge chained multi subst rules with same context into a single subtable instead of emitting one subtable per glyph (#4016, #4058).
  • [feaLib] Pass location to ConditionsetStatementfontra/fontra-glyphs#130#4057).
  • [feaLib] Write 0xFFFF instead of 0 for missing nameIDs in cv feature params (#4010, #4012).
  • [cmap] Fix CmapSubtable.__lt__() TypeError on Python 3 when subtables share the same encoding record, and add compile-time validation for unique encoding records (#4035, #4055).
  • [svgLib] Skip non-element XML nodes (comments, processing instructions) when drawing SVG paths (#4042, #4043).
  • [glifLib] Fix regression reading glyph outlines when glyphObject=None (#4030, #4031).
  • [pointPen] Fix SegmentToPointPen edge case: only remove a duplicate final point on closePath() if it is an on-curve point (#4014, #4015).
  • [cffLib] SECURITY Replace eval() with safeEval() in parseBlendList() to prevent arbitrary code execution from crafted TTX files (#4039, #4040).
  • [ttLib] Remove defunct Adobe SING Glyphlet tables (META, SING, GMAP, GPKG) (#4044).
  • [varLib.interpolatable] Various bugfixes: fix swapped nodeTypes assignment, duplicate kink-detector condition, typos, CFF2 vsindex parsing, glyph existence check, and plot helpers (#4046).
  • [varLib.models] Fix getSubModel not forwarding extrapolate/axisRanges; check location uniqueness after stripping zeros (#4047).
  • [varLib] Fix --variable-fonts filter in build_many; remove dead code and fix comments (#4048).
  • [avar] Preserve existing name table in build; keep unbuild return types consistent; validate map CLI coordinates (#4051).
  • [cu2qu/qu2cu] Add input validation: reject non-positive tolerances, validate curve inputs and list lengths (#4052).
  • [colorLib] Raise a clear ColorLibError when base glyphs are missing from glyphMap, instead of a confusing KeyError (#4041).
  • [glyf] Remove unnecessary fvar table dependency (#4017).
  • [fvar/trak] Remove unnecessary name table dependency (#4018).
  • [ufoLib] Relax guideline validation to follow the updated spec (#3537, #3553).
  • [ttFont] Fix saveXML regression with empty table lists, clarify docstring (#4025, #4026, #4056).
  • [setup.py] Link libm for Cython extensions using math functions (#4028, #4029).
  • Add typing annotations for DSIG, DefaultTable, ttProgram (#4033).

4.61.1

  • [otlLib] buildCoverage: return empty Coverage instead of None (#4003, #4004).
  • [instancer] bug fix in avar2 full instancing (#4002).
  • [designspaceLib] Preserve empty conditionsets when serializing to XML (#4001).
  • [fontBu ilder] Fix FontBuilder setupOS2() default params globally polluted (#3996, #3997).
  • [ttFont] Add more typing annotations to ttFont, xmlWriter, sfnt, varLib.models and others (#3952, #3826).
  • Explicitly test and declare support for Python 3.14, even though we were already shipping pre-built wheels for it (#3990).

4.61.0

  • [varLib.main]: SECURITY Only use basename(vf.filename) to prevent path traversal attacks when running fonttools varLib command-line script, or code which invokes fonttools.varLib.main(). Fixes CVE-2025-66034, see: GHSA-768j-98cg-p3fv.
  • [feaLib] Sort BaseLangSysRecords by tag (#3986).
  • Drop support for EOL Python 3.9 (#3982).
  • [instancer] Support --remove-overlaps for fonts with CFF2 table (#3975).
  • [CFF2ToCFF] Add --remove-overlaps option (#3976).
  • [feaLib] Raise an error for rsub with NULL target (#3979).
  • [bezierTools] Fix logic bug in curveCurveIntersections (#3963).
  • [feaLib] Error when condition sets have the same name (#3958).
  • [cu2qu.ufo] skip processing empty glyphs to support sparse kerning masters (#3956).
  • [unicodedata] Update to Unicode 17. Require unicodedata2 >= 17.0.0 when installed with 'unicode' extra.

4.60.2

... (truncated)

Changelog

Sourced from fonttools's changelog.

4.62.1 (released 2026-03-13)

  • [feaLib] Extend contextual rule merging to all rule types: single subst, GSUB/GPOS named lookups, ignore rules, and chained alternate subst (#4061).

4.62.0 (released 2026-03-09)

  • [diff] Add new fonttools diff command for comparing font files, imported from the fdiff project and heavily reworked (#1190, #4007, #4009, #4011, #4013, #4019).
  • [feaLib] Fix VariableScalar interpolation bug with non-linear avar mappings. Also decouple VariableScalar from compiled fonts, allowing it to work with designspace data before compilation (#3938, #4054).
  • [feaLib] Fix VariableScalar axis ordering and iterative delta rounding to match fontc behavior (#4053).
  • [feaLib] Merge chained multi subst rules with same context into a single subtable instead of emitting one subtable per glyph (#4016, #4058).
  • [feaLib] Pass location to ConditionsetStatement to fix glyphsLib round-tripping fontra/fontra-glyphs#130#4057).
  • [feaLib] Write 0xFFFF instead of 0 for missing nameIDs in cv feature params (#4010, #4012).
  • [cmap] Fix CmapSubtable.__lt__() TypeError on Python 3 when subtables share the same encoding record, and add compile-time validation for unique encoding records (#4035, #4055).
  • [svgLib] Skip non-element XML nodes (comments, processing instructions) when drawing SVG paths (#4042, #4043).
  • [glifLib] Fix regression reading glyph outlines when glyphObject=None (#4030, #4031).
  • [pointPen] Fix SegmentToPointPen edge case: only remove a duplicate final point on closePath() if it is an on-curve point (#4014, #4015).
  • [cffLib] SECURITY Replace eval() with safeEval() in parseBlendList() to prevent arbitrary code execution from crafted TTX files (#4039, #4040).
  • [ttLib] Remove defunct Adobe SING Glyphlet tables (META, SING, GMAP, GPKG) (#4044).
  • [varLib.interpolatable] Various bugfixes: fix swapped nodeTypes assignment, duplicate kink-detector condition, typos, CFF2 vsindex parsing, glyph existence check, and plot helpers (#4046).
  • [varLib.models] Fix getSubModel not forwarding extrapolate/axisRanges; check location uniqueness after stripping zeros (#4047).
  • [varLib] Fix --variable-fonts filter in build_many; remove dead code and fix comments (#4048).
  • [avar] Preserve existing name table in build; keep unbuild return types consistent; validate map CLI coordinates (#4051).
  • [cu2qu/qu2cu] Add input validation: reject non-positive tolerances, validate curve inputs and list lengths (#4052).
  • [colorLib] Raise a clear ColorLibError when base glyphs are missing from glyphMap, instead of a confusing KeyError (#4041).
  • [glyf] Remove unnecessary fvar table dependency (#4017).
  • [fvar/trak] Remove unnecessary name table dependency (#4018).
  • [ufoLib] Relax guideline validation to follow the updated spec (#3537, #3553).

... (truncated)

Commits
  • da54a29 Release 4.62.1
  • ad47e60 Merge pull request #4061 from fonttools/merge-chained-rules
  • 8060f6a Rename _merge_contextual_rule to _add_contextual_rule
  • 0903764 Reuse and merge chained alternate subst lookups
  • bbdcfc2 Add tests for contextual rule merge optimization
  • 2a6072f Merge consecutive contextual rules with same context
  • 11e9bfa Fix typo in cu2qu help message
  • 211171b Bump version: 4.62.0 → 4.62.1.dev0
  • 0aee8a7 Merge pull request #4060 from fonttools/remove-py23-pipe-test
  • ee39ede [tests] Remove obsolete py23 OpenFuncWrapperTest
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump fonttools from 4.51.0 to 4.62.1 in /tools
e540cca 
Bumps [fonttools](https://github.com/fonttools/fonttools) from 4.51.0 to 4.62.1.
- [Release notes](https://github.com/fonttools/fonttools/releases)
- [Changelog](https://github.com/fonttools/fonttools/blob/main/NEWS.rst)
- [Commits](fonttools/fonttools@4.51.0...4.62.1)

---
updated-dependencies:
- dependency-name: fonttools
  dependency-version: 4.62.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Mar 13, 2026
@dependabot dependabot bot mentioned this pull request Mar 13, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DanielRyanSmith DanielRyanSmith Awaiting requested review from DanielRyanSmith

@foolip foolip Awaiting requested review from foolip

@jgraham jgraham Awaiting requested review from jgraham

@jonathan-j-lee jonathan-j-lee Awaiting requested review from jonathan-j-lee

At least 1 approving review is required to merge this pull request.

Assignees

@jonathan-j-lee jonathan-j-lee

Labels

ci dependencies Pull requests that update a dependency file infra python Pull requests that update Python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jonathan-j-lee @wpt-pr-bot