
Scheduled monthly dependency update for June#763

Open
pyup-bot wants to merge 5 commits into master from pyup-scheduled-update-2026-06-01

Conversation


@pyup-bot pyup-bot commented Jun 1, 2026

Update fonttools from 4.61.0 to 4.63.0.

Changelog

4.63.0
----------------------------

- [ttLib] Add support for Apple Color Emoji ``bgcl`` table (4065).
- [ttLib] Add support for ``IFT`` and ``IFTX`` tables (Incremental Font Transfer,
PatchMapFormat2) (4070, 4072).
- [otData] Introduce ``FieldSpec`` dataclass for OpenType table schema definitions,
replacing raw tuples in ``otData.py`` (4076).
- [Feat] Show ``name`` table strings as comments next to label IDs in TTX output,
matching the convention used by ``fvar``, ``STAT``, ``trak`` (4089).
- [cu2qu] Fix Cython complex-division rounding difference in
``split_cubic_into_three`` that could cause ±1 off-curve coordinate shifts
(3928, 4083).
- [designspaceLib] Fix ``map_backward`` for many-to-one (flat-segment) axis maps
that silently dropped entries via dict comprehension
(googlefonts/ufo2ft978, 4085).
- [OS/2] Fix ``setUnicodeRanges`` to accept reserved bits 123-127, restoring
round-trip with ``getUnicodeRanges`` and fixing ``recalcUnicodeRanges`` crash
in the subsetter (4087, 4088).
- [cython] Declare Cython extensions as free-threading compatible on Python 3.13+,
so that importing them on free-threaded Python no longer re-enables the GIL
(4073, 4090).

4.62.1
----------------------------

- [feaLib] Extend contextual rule merging to all rule types: single subst, GSUB/GPOS
named lookups, ignore rules, and chained alternate subst (4061).

4.62.0
----------------------------

- [diff] Add new ``fonttools diff`` command for comparing font files, imported from the
``fdiff`` project and heavily reworked (1190, 4007, 4009, 4011, 4013, 4019).
- [feaLib] Fix ``VariableScalar`` interpolation bug with non-linear avar mappings. Also
decouple ``VariableScalar`` from compiled fonts, allowing it to work with designspace data
before compilation (3938, 4054).
- [feaLib] Fix ``VariableScalar`` axis ordering and iterative delta rounding to match fontc
behavior (4053).
- [feaLib] Merge chained multi subst rules with same context into a single subtable instead of
emitting one subtable per glyph (4016, 4058).
- [feaLib] Pass location to ``ConditionsetStatement`` to fix glyphsLib round-tripping
(fontra/fontra-glyphs130, 4057).
- [feaLib] Write ``0xFFFF`` instead of ``0`` for missing nameIDs in ``cv`` feature params
(4010, 4012).
- [cmap] Fix ``CmapSubtable.__lt__()`` ``TypeError`` on Python 3 when subtables share the
same encoding record, and add compile-time validation for unique encoding records (4035,
4055).
- [svgLib] Skip non-element XML nodes (comments, processing instructions) when drawing SVG
paths (4042, 4043).
- [glifLib] Fix regression reading glyph outlines when ``glyphObject=None`` (4030, 4031).
- [pointPen] Fix ``SegmentToPointPen`` edge case: only remove a duplicate final point on
``closePath()`` if it is an on-curve point (4014, 4015).
- [cffLib] **SECURITY** Replace ``eval()`` with ``safeEval()`` in ``parseBlendList()`` to
prevent arbitrary code execution from crafted TTX files (4039, 4040).
- [ttLib] Remove defunct Adobe SING Glyphlet tables (``META``, ``SING``, ``GMAP``, ``GPKG``)
(4044).
- [varLib.interpolatable] Various bugfixes: fix swapped nodeTypes assignment, duplicate
kink-detector condition, typos, CFF2 vsindex parsing, glyph existence check, and plot
helpers (4046).
- [varLib.models] Fix ``getSubModel`` not forwarding ``extrapolate``/``axisRanges``; check
location uniqueness after stripping zeros (4047).
- [varLib] Fix ``--variable-fonts`` filter in ``build_many``; remove dead code and fix
comments (4048).
- [avar] Preserve existing name table in build; keep ``unbuild`` return types consistent;
validate ``map`` CLI coordinates (4051).
- [cu2qu/qu2cu] Add input validation: reject non-positive tolerances, validate curve inputs
and list lengths (4052).
- [colorLib] Raise a clear ``ColorLibError`` when base glyphs are missing from glyphMap,
instead of a confusing ``KeyError`` (4041).
- [glyf] Remove unnecessary ``fvar`` table dependency (4017).
- [fvar/trak] Remove unnecessary ``name`` table dependency (4018).
- [ufoLib] Relax guideline validation to follow the updated spec (3537, 3553).
- [ttFont] Fix ``saveXML`` regression with empty table lists, clarify docstring (4025, 4026,
4056).
- [setup.py] Link ``libm`` for Cython extensions using math functions (4028, 4029).
- Add typing annotations for ``DSIG``, ``DefaultTable``, ``ttProgram`` (4033).

4.61.1
----------------------------

- [otlLib] buildCoverage: return empty Coverage instead of None (4003, 4004).
- [instancer] bug fix in ``avar2`` full instancing (4002).
- [designspaceLib] Preserve empty conditionsets when serializing to XML (4001).
- [fontBuilder] Fix FontBuilder ``setupOS2()`` default params globally polluted (3996, 3997).
- [ttFont] Add more typing annotations to ttFont, xmlWriter, sfnt, varLib.models and others (3952, 3826).
- Explicitly test and declare support for Python 3.14, even though we were already shipping pre-built wheels for it (3990).

Update idna from 3.11 to 3.17.

Changelog

3.17

- Substantial 75% reduction in memory usage through new data
structures and some optimization in processing speed.
- Added a general 1024-character input length cap to the public
validation, conversion, and codec entry points. This is well above
any legitimate domain or label and guards against pathological
inputs.

3.16

- Add a command-line interface (`python -m idna`, also available as
the `idna` script). Encodes or decodes one or more domains supplied
as arguments or on standard input, with options to select A-label
or U-label output and control error handling.
- Raise the minimum supported Python version to 3.9
- Various code quality improvements

3.15

- Enforce DNS-length cap on individual labels early in `check_label`,
short-circuiting contextual-rule processing for oversized input
while staying compatible with UTS 46 usage.
- Tidy core helpers: hoist bidi category sets to module-level
frozensets (avoiding per-codepoint list construction), simplify
length checks, and reuse the shared `_unicode_dots_re` from
`idna.core` in the codec module.
- Use `raise ... from err` for proper exception chaining and
switch internal string formatting to f-strings.
- Allow `flit_core` 4.x in the build backend.
- Expand the ruff lint set (flake8-bugbear, flake8-simplify,
pyupgrade, perflint) and apply the surfaced fixes; pin lint CI
to Python 3.14.
- Add Dependabot configuration for GitHub Actions.
- Convert README and HISTORY from reStructuredText to Markdown.
- Reference CVE-2026-45409 for the 3.14 advisory in place of the
initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for
contributions to this release.

3.14

- Removed opportunity to process long inputs into quadratic
time by rejecting oversize inputs up-front. Closes a bypass
of the CVE-2024-3651 mitigation. [CVE-2026-45409]

Thanks to Stan Ulbrych for reporting the issue.

3.13

- Correct classification error for codepoint U+A7F1

3.12

- Update to Unicode 17.0.0.
- Issue a deprecation warning for the transitional argument.
- Added lazy-loading to provide some performance improvements.
- Removed vestiges of code related to Python 2 support, including
segmentation of data structures specific to Jython.

Thanks to Rodrigo Nogueira for contributions to this release.

Update pillow from 12.1.1 to 12.2.0.

The bot wasn't able to find a changelog for this release.


Update requests from 2.32.5 to 2.34.2.

Changelog

2.34.2
-------------------
- Moved `headers` input type back to `Mapping` to avoid invariance issues
with `MutableMapping` and inferred dict types. Users calling
`Request.headers.update()` may need to narrow typing in their code. (7441)

2.34.1
-------------------

**Bugfixes**
- Widened `json` input type from `dict` and `list` to `Mapping`
and `Sequence`. (7436)
- Changed `headers` input type to MutableMapping and removed `None` from
`Request.headers` typing to improve handling for users. (7431)
- `Response.reason` moved from `str | None` to `str` to improve handling
for users. (7437)
- Fixed a bug where some bodies with custom `__getattr__` implementations
weren't being properly detected as Iterables. (7433)

2.34.0
-------------------

**Announcements**
- Requests 2.34.0 introduces inline types, replacing those provided by
typeshed. Public API types should be fully compatible with mypy, pyright,
and ty. We believe types are comprehensive but if you find issues, please
report them to the pinned tracking issue.

Special thanks to bastimeyer, cthoyt, edgarrmondragon, and srittau for
helping review and test the types ahead of the release. (7272)

**Improvements**
- Digest Auth hashing algorithms have added `usedforsecurity=False` to clarify
security considerations. (7310)
- Requests added support for Python 3.15 based on beta1. Downstream projects
should be able to start testing prior to its release in October. (7422)
- Requests added support for Python 3.14t. (7419)

**Bugfixes**
- ``Response.history`` no longer contains a reference to itself, preventing
accidental looping when traversing the history list. (7328)
- Requests no longer performs greedy matching on no_proxy domains. The
proxy_bypass implementation has been updated with CPython's fix from
bpo-39057. (7427)
- Requests no longer incorrectly strips duplicate leading slashes in
URI paths. This should address user issues with specific presigned
URLs. Note the full fix requires urllib3 2.7.0+. (7315)

2.33.1
-------------------

**Bugfixes**
- Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary
files in the tmp directory. (7305)
- Fixed Content-Type header parsing for malformed values. (7309)
- Improved error consistency for malformed header values. (7308)

2.33.0
-------------------

**Announcements**
- 📣 Requests is adding inline types. If you have a typed code base that
uses Requests, please take a look at 7271. Give it a try, and report
any gaps or feedback you may have in the issue. 📣

**Security**
- CVE-2026-25645 ``requests.utils.extract_zipped_paths`` now extracts
contents to a non-deterministic location to prevent malicious file
replacement. This does not affect default usage of Requests, only
applications calling the utility function directly.

**Improvements**
- Migrated to a PEP 517 build system using setuptools. (7012)

**Bugfixes**
- Fixed an issue where an empty netrc entry could cause
malformed authentication to be applied to Requests on
Python 3.11+. (7205)

**Deprecations**
- Dropped support for Python 3.9 following its end of support. (7196)

**Documentation**
- Various typo fixes and doc improvements.

Update urllib3 from 2.6.3 to 2.7.0.

Changelog

2.7.0
=======================

Security
--------

Addressed high-severity security issues.
Impact was limited to specific use cases detailed in the accompanying
advisories; overall user exposure was estimated to be marginal.

- Decompression-bomb safeguards of the streaming API were bypassed:

1. When ``HTTPResponse.drain_conn()`` was called after the response had been
  read and decompressed partially.
2. During the second ``HTTPResponse.read(amt=N)`` or
  ``HTTPResponse.stream(amt=N)`` call when the response was decompressed
  using the official `Brotli <https://pypi.org/project/brotli/>`__ library.

See `GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>`__
for details.

- HTTP pools created using ``ProxyManager.connection_from_url`` did not strip
sensitive headers specified in ``Retry.remove_headers_on_redirect`` when
redirecting to a different host.
(`GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc>`__)


Deprecations and Removals
-------------------------

- Used ``FutureWarning`` instead of ``DeprecationWarning`` for better
visibility of existing deprecation notices. Rescheduled the removal of
deprecated features to version 3.0.
(`3764 <https://github.com/urllib3/urllib3/issues/3764>`__)
- Removed support for end-of-life Python 3.9.
(`3720 <https://github.com/urllib3/urllib3/issues/3720>`__)
- Removed support for end-of-life PyPy3.10.
(`4979 <https://github.com/urllib3/urllib3/issues/4979>`__)
- Bumped the minimum supported pyOpenSSL version to 19.0.0.
(`3777 <https://github.com/urllib3/urllib3/issues/3777>`__)


Bugfixes
--------

- Fixed a bug where ``HTTPResponse.read(amt=None)`` was ignoring decompressed
data buffered from previous partial reads.
(`3636 <https://github.com/urllib3/urllib3/issues/3636>`__)
- Fixed a bug where ``HTTPResponse.read()`` could cache only part of the
response after a partial read when ``cache_content=True``.
(`4967 <https://github.com/urllib3/urllib3/issues/4967>`__)
- Fixed ``HTTPResponse.stream()`` and ``HTTPResponse.read_chunked()`` to handle
``amt=0``.
(`3793 <https://github.com/urllib3/urllib3/issues/3793>`__)
- Updated ``_TYPE_BODY`` type alias to include missing ``Iterable[str]``,
matching the documented and runtime behavior of chunked request bodies.
(`3798 <https://github.com/urllib3/urllib3/issues/3798>`__)
- Fixed ``LocationParseError`` when paths resembling schemeless URIs were
passed to ``HTTPConnectionPool.urlopen()``.
(`3352 <https://github.com/urllib3/urllib3/issues/3352>`__)
- Fixed ``BaseHTTPResponse.readinto()`` type annotation to accept
``memoryview`` in addition to ``bytearray``, matching the
``io.RawIOBase.readinto`` contract and enabling use with
``io.BufferedReader`` without type errors.
(`3764 <https://github.com/urllib3/urllib3/issues/3764>`__)
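The two urllib3 2.7.0 advisory bullets above describe a decompression-bomb guard that held for a single read but was bypassed after a partial read followed by ``drain_conn()``, or on a second ``read(amt=N)``. The following is an added example, not urllib3's own code (its internals are not on this page): a small pull-style inflater that applies the ratio check at the point where bytes are produced by zlib, so one guard covers ``read(amt)``, ``read()`` and a drain alike. The class and helper names, the 100:1 ratio, the 64 KiB grace allowance, the 512-byte chunk size and the two sample bodies are all assumptions constructed for this example.

```python
"""Added example (not urllib3 code): a streaming inflater whose bomb guard is
enforced where bytes are produced, so partial reads and drains cannot skip it."""
from __future__ import annotations

import io
import zlib


class DecompressionBombError(Exception):
    """Inflated output grew too large relative to the compressed input consumed."""


class GuardedInflateStream:
    """Pull-style reader over a zlib-compressed byte source (stand-in for a response body).

    Every byte zlib produces is counted the moment it is inflated, not when a caller
    receives it from read(amt). A guard that only counted bytes handed out could be
    sidestepped by reading in small amounts or by draining the remainder; this one
    cannot, because _check() runs inside _inflate_next() on every chunk.
    """

    def __init__(self, compressed: bytes, max_ratio: int = 100,
                 grace_bytes: int = 64 * 1024, chunk_size: int = 512) -> None:
        self._src = io.BytesIO(compressed)  # constructed stand-in for a socket
        self._dec = zlib.decompressobj()
        self._pending = b""                 # inflated but not yet handed out
        self._eof = False
        self.compressed_in = 0
        self.decompressed_out = 0
        self.max_ratio = max_ratio
        self.grace_bytes = grace_bytes      # small bodies never trip the ratio test
        self.chunk_size = chunk_size

    def _check(self) -> None:
        allowed = max(self.grace_bytes, self.max_ratio * self.compressed_in)
        if self.decompressed_out > allowed:
            raise DecompressionBombError(
                f"{self.decompressed_out} bytes out from {self.compressed_in} bytes in "
                f"exceeds the {self.max_ratio}:1 limit"
            )

    def _inflate_next(self) -> None:
        """Pull one compressed chunk, inflate it, and enforce the guard immediately."""
        raw = self._src.read(self.chunk_size)
        if raw:
            out = self._dec.decompress(raw)
        else:
            out = self._dec.flush()
            self._eof = True
        self.compressed_in += len(raw)
        self.decompressed_out += len(out)   # counted on production, not on hand-out
        self._pending += out
        self._check()

    def read(self, amt: int | None = None) -> bytes:
        """Return up to amt inflated bytes, or everything remaining when amt is None."""
        while not self._eof and (amt is None or len(self._pending) < amt):
            self._inflate_next()
        if amt is None:
            out, self._pending = self._pending, b""
        else:
            out, self._pending = self._pending[:amt], self._pending[amt:]
        return out

    def drain(self) -> int:
        """Discard whatever remains, still guarded; returns the number of bytes discarded."""
        discarded = 0
        while chunk := self.read(self.chunk_size):
            discarded += len(chunk)
        return discarded


def read_in_pieces(compressed: bytes, amt: int) -> bytes:
    """Reassemble a body through repeated read(amt) calls (the partial-read pattern)."""
    stream = GuardedInflateStream(compressed)
    parts = []
    while chunk := stream.read(amt):
        parts.append(chunk)
    return b"".join(parts)


def looks_like_bomb(compressed: bytes, first_amt: int = 16) -> bool:
    """Partial read followed by a drain: the guard must hold on either path."""
    stream = GuardedInflateStream(compressed)
    try:
        stream.read(first_amt)
        stream.drain()
    except DecompressionBombError:
        return True
    return False


# Constructed sample bodies for the example (not captured traffic).
LEGIT_PLAIN = b'{"status": "ok", "items": []}\n' * 300
LEGIT_BODY = zlib.compress(LEGIT_PLAIN)
BOMB_BODY = zlib.compress(b"\0" * (8 * 1024 * 1024))  # ~8 MiB of zeros, a few KiB compressed

if __name__ == "__main__":
    print(len(read_in_pieces(LEGIT_BODY, 100)), "bytes reassembled from a normal body")
    print("bomb detected:", looks_like_bomb(BOMB_BODY))
```

The design point is where the counter lives: ``decompressed_out`` grows inside ``_inflate_next()``, so the check sees bytes that are still buffered in ``_pending`` and not yet returned. A guard that instead incremented its counter in ``read()`` from the length of the returned slice would see only sixteen bytes after ``read(16)`` and nothing at all after a drain that throws the data away, which is the pattern the advisory text above describes. When auditing a client library for this class of issue, look for the counter being updated from the consumer-facing return value rather than from the decompressor's output.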

pyup-bot added the dependencies label Jun 1, 2026