Skip to content

Bump fonttools from 4.59.0 to 4.62.1#1367

Merged
github-actions[bot] merged 1 commit intomainfrom
dependabot/pip/fonttools-4.62.1
Mar 16, 2026
Merged

Bump fonttools from 4.59.0 to 4.62.1#1367
github-actions[bot] merged 1 commit intomainfrom
dependabot/pip/fonttools-4.62.1

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 16, 2026

Bumps fonttools from 4.59.0 to 4.62.1.

Release notes

Sourced from fonttools's releases.

4.62.1

  • [feaLib] Extend contextual rule merging to all rule types: single subst, GSUB/GPOS named lookups, ignore rules, and chained alternate subst (#4061).

4.62.0

  • [diff] Add new fonttools diff command for comparing font files, imported from the fdiff project and heavily reworked (#1190, #4007, #4009, #4011, #4013, #4019).
  • [feaLib] Fix VariableScalar interpolation bug with non-linear avar mappings. Also decouple VariableScalar from compiled fonts, allowing it to work with designspace data before compilation (#3938, #4054).
  • [feaLib] Fix VariableScalar axis ordering and iterative delta rounding to match fontc behavior (#4053).
  • [feaLib] Merge chained multi subst rules with same context into a single subtable instead of emitting one subtable per glyph (#4016, #4058).
  • [feaLib] Pass location to ConditionsetStatementfontra/fontra-glyphs#130#4057).
  • [feaLib] Write 0xFFFF instead of 0 for missing nameIDs in cv feature params (#4010, #4012).
  • [cmap] Fix CmapSubtable.__lt__() TypeError on Python 3 when subtables share the same encoding record, and add compile-time validation for unique encoding records (#4035, #4055).
  • [svgLib] Skip non-element XML nodes (comments, processing instructions) when drawing SVG paths (#4042, #4043).
  • [glifLib] Fix regression reading glyph outlines when glyphObject=None (#4030, #4031).
  • [pointPen] Fix SegmentToPointPen edge case: only remove a duplicate final point on closePath() if it is an on-curve point (#4014, #4015).
  • [cffLib] SECURITY Replace eval() with safeEval() in parseBlendList() to prevent arbitrary code execution from crafted TTX files (#4039, #4040).
  • [ttLib] Remove defunct Adobe SING Glyphlet tables (META, SING, GMAP, GPKG) (#4044).
  • [varLib.interpolatable] Various bugfixes: fix swapped nodeTypes assignment, duplicate kink-detector condition, typos, CFF2 vsindex parsing, glyph existence check, and plot helpers (#4046).
  • [varLib.models] Fix getSubModel not forwarding extrapolate/axisRanges; check location uniqueness after stripping zeros (#4047).
  • [varLib] Fix --variable-fonts filter in build_many; remove dead code and fix comments (#4048).
  • [avar] Preserve existing name table in build; keep unbuild return types consistent; validate map CLI coordinates (#4051).
  • [cu2qu/qu2cu] Add input validation: reject non-positive tolerances, validate curve inputs and list lengths (#4052).
  • [colorLib] Raise a clear ColorLibError when base glyphs are missing from glyphMap, instead of a confusing KeyError (#4041).
  • [glyf] Remove unnecessary fvar table dependency (#4017).
  • [fvar/trak] Remove unnecessary name table dependency (#4018).
  • [ufoLib] Relax guideline validation to follow the updated spec (#3537, #3553).
  • [ttFont] Fix saveXML regression with empty table lists, clarify docstring (#4025, #4026, #4056).
  • [setup.py] Link libm for Cython extensions using math functions (#4028, #4029).
  • Add typing annotations for DSIG, DefaultTable, ttProgram (#4033).

4.61.1

  • [otlLib] buildCoverage: return empty Coverage instead of None (#4003, #4004).
  • [instancer] bug fix in avar2 full instancing (#4002).
  • [designspaceLib] Preserve empty conditionsets when serializing to XML (#4001).
  • [fontBu ilder] Fix FontBuilder setupOS2() default params globally polluted (#3996, #3997).
  • [ttFont] Add more typing annotations to ttFont, xmlWriter, sfnt, varLib.models and others (#3952, #3826).
  • Explicitly test and declare support for Python 3.14, even though we were already shipping pre-built wheels for it (#3990).

4.61.0

  • [varLib.main]: SECURITY Only use basename(vf.filename) to prevent path traversal attacks when running fonttools varLib command-line script, or code which invokes fonttools.varLib.main(). Fixes CVE-2025-66034, see: GHSA-768j-98cg-p3fv.
  • [feaLib] Sort BaseLangSysRecords by tag (#3986).
  • Drop support for EOL Python 3.9 (#3982).
  • [instancer] Support --remove-overlaps for fonts with CFF2 table (#3975).
  • [CFF2ToCFF] Add --remove-overlaps option (#3976).
  • [feaLib] Raise an error for rsub with NULL target (#3979).
  • [bezierTools] Fix logic bug in curveCurveIntersections (#3963).
  • [feaLib] Error when condition sets have the same name (#3958).
  • [cu2qu.ufo] skip processing empty glyphs to support sparse kerning masters (#3956).
  • [unicodedata] Update to Unicode 17. Require unicodedata2 >= 17.0.0 when installed with 'unicode' extra.

4.60.2

... (truncated)

Changelog

Sourced from fonttools's changelog.

4.62.1 (released 2026-03-13)

  • [feaLib] Extend contextual rule merging to all rule types: single subst, GSUB/GPOS named lookups, ignore rules, and chained alternate subst (#4061).

4.62.0 (released 2026-03-09)

  • [diff] Add new fonttools diff command for comparing font files, imported from the fdiff project and heavily reworked (#1190, #4007, #4009, #4011, #4013, #4019).
  • [feaLib] Fix VariableScalar interpolation bug with non-linear avar mappings. Also decouple VariableScalar from compiled fonts, allowing it to work with designspace data before compilation (#3938, #4054).
  • [feaLib] Fix VariableScalar axis ordering and iterative delta rounding to match fontc behavior (#4053).
  • [feaLib] Merge chained multi subst rules with same context into a single subtable instead of emitting one subtable per glyph (#4016, #4058).
  • [feaLib] Pass location to ConditionsetStatement to fix glyphsLib round-tripping fontra/fontra-glyphs#130#4057).
  • [feaLib] Write 0xFFFF instead of 0 for missing nameIDs in cv feature params (#4010, #4012).
  • [cmap] Fix CmapSubtable.__lt__() TypeError on Python 3 when subtables share the same encoding record, and add compile-time validation for unique encoding records (#4035, #4055).
  • [svgLib] Skip non-element XML nodes (comments, processing instructions) when drawing SVG paths (#4042, #4043).
  • [glifLib] Fix regression reading glyph outlines when glyphObject=None (#4030, #4031).
  • [pointPen] Fix SegmentToPointPen edge case: only remove a duplicate final point on closePath() if it is an on-curve point (#4014, #4015).
  • [cffLib] SECURITY Replace eval() with safeEval() in parseBlendList() to prevent arbitrary code execution from crafted TTX files (#4039, #4040).
  • [ttLib] Remove defunct Adobe SING Glyphlet tables (META, SING, GMAP, GPKG) (#4044).
  • [varLib.interpolatable] Various bugfixes: fix swapped nodeTypes assignment, duplicate kink-detector condition, typos, CFF2 vsindex parsing, glyph existence check, and plot helpers (#4046).
  • [varLib.models] Fix getSubModel not forwarding extrapolate/axisRanges; check location uniqueness after stripping zeros (#4047).
  • [varLib] Fix --variable-fonts filter in build_many; remove dead code and fix comments (#4048).
  • [avar] Preserve existing name table in build; keep unbuild return types consistent; validate map CLI coordinates (#4051).
  • [cu2qu/qu2cu] Add input validation: reject non-positive tolerances, validate curve inputs and list lengths (#4052).
  • [colorLib] Raise a clear ColorLibError when base glyphs are missing from glyphMap, instead of a confusing KeyError (#4041).
  • [glyf] Remove unnecessary fvar table dependency (#4017).
  • [fvar/trak] Remove unnecessary name table dependency (#4018).
  • [ufoLib] Relax guideline validation to follow the updated spec (#3537, #3553).

... (truncated)

Commits
  • da54a29 Release 4.62.1
  • ad47e60 Merge pull request #4061 from fonttools/merge-chained-rules
  • 8060f6a Rename _merge_contextual_rule to _add_contextual_rule
  • 0903764 Reuse and merge chained alternate subst lookups
  • bbdcfc2 Add tests for contextual rule merge optimization
  • 2a6072f Merge consecutive contextual rules with same context
  • 11e9bfa Fix typo in cu2qu help message
  • 211171b Bump version: 4.62.0 → 4.62.1.dev0
  • 0aee8a7 Merge pull request #4060 from fonttools/remove-py23-pipe-test
  • ee39ede [tests] Remove obsolete py23 OpenFuncWrapperTest
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump fonttools from 4.59.0 to 4.62.1
c608c38 
Bumps [fonttools](https://github.com/fonttools/fonttools) from 4.59.0 to 4.62.1.
- [Release notes](https://github.com/fonttools/fonttools/releases)
- [Changelog](https://github.com/fonttools/fonttools/blob/main/NEWS.rst)
- [Commits](fonttools/fonttools@4.59.0...4.62.1)

---
updated-dependencies:
- dependency-name: fonttools
  dependency-version: 4.62.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Mar 16, 2026
@github-actions github-actions bot merged commit 03752dd into main Mar 16, 2026
13 of 14 checks passed
@dependabot dependabot bot deleted the dependabot/pip/fonttools-4.62.1 branch March 16, 2026 13:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants