[wpt-sync] Sync PR 56343 - Bump fonttools from 4.51.0 to 4.61.0 in /tools
Categories: Testing :: web-platform-tests, task, P4
Tracking: Not tracked
People: Reporter: wpt-sync, Unassigned
Whiteboard: [wptsync downstream]
Sync web-platform-tests PR 56343 into mozilla-central (this bug is closed when the sync is complete).
PR: https://github.com/web-platform-tests/wpt/pull/56343
Details from upstream follow.
dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> wrote:
Bump fonttools from 4.51.0 to 4.61.0 in /tools
Bumps fonttools from 4.51.0 to 4.61.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/fonttools/fonttools/releases">fonttools's releases</a>.</em></p>
<blockquote>
<h2>4.61.0</h2>
<ul>
<li>[varLib.main]: <strong>SECURITY</strong> Only use basename(vf.filename) to prevent path traversal attacks when running <code>fonttools varLib</code> command-line script. Fixes CVE-2025-66034, see: <a href="https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv">https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv</a>.</li>
<li>[feaLib] Sort BaseLangSysRecords by tag (<a href="https://redirect.github.com/fonttools/fonttools/issues/3986">#3986</a>).</li>
<li>Drop support for EOL Python 3.9 (<a href="https://redirect.github.com/fonttools/fonttools/issues/3982">#3982</a>).</li>
<li>[instancer] Support --remove-overlaps for fonts with CFF2 table (<a href="https://redirect.github.com/fonttools/fonttools/issues/3975">#3975</a>).</li>
<li>[CFF2ToCFF] Add --remove-overlaps option (<a href="https://redirect.github.com/fonttools/fonttools/issues/3976">#3976</a>).</li>
<li>[feaLib] Raise an error for rsub with NULL target (<a href="https://redirect.github.com/fonttools/fonttools/issues/3979">#3979</a>).</li>
<li>[bezierTools] Fix logic bug in curveCurveIntersections (<a href="https://redirect.github.com/fonttools/fonttools/issues/3963">#3963</a>).</li>
<li>[feaLib] Error when condition sets have the same name (<a href="https://redirect.github.com/fonttools/fonttools/issues/3958">#3958</a>).</li>
<li>[cu2qu.ufo] skip processing empty glyphs to support sparse kerning masters (<a href="https://redirect.github.com/fonttools/fonttools/issues/3956">#3956</a>).</li>
<li>[unicodedata] Update to Unicode 17. Require <code>unicodedata2 >= 17.0.0</code> when installed with 'unicode' extra.</li>
</ul>
<h2>4.60.1</h2>
<ul>
<li>[ufoLib] Reverted accidental method name change in <code>UFOReader.getKerningGroupConversionRenameMaps</code>
that broke compatibility with downstream projects like defcon (<a href="https://redirect.github.com/fonttools/fonttools/issues/3948">#3948</a>, <a href="https://redirect.github.com/fonttools/fonttools/issues/3947">#3947</a>, <a href="https://redirect.github.com/robotools/defcon/issues/478">robotools/defcon#478</a>).</li>
<li>[ufoLib] Added test coverage for <code>getKerningGroupConversionRenameMaps</code> method (<a href="https://redirect.github.com/fonttools/fonttools/issues/3950">#3950</a>).</li>
<li>[subset] Don't try to subset BASE table; pass it through by default instead (<a href="https://redirect.github.com/fonttools/fonttools/issues/3949">#3949</a>).</li>
<li>[subset] Remove empty BaseRecord entries in MarkBasePos lookups (<a href="https://redirect.github.com/fonttools/fonttools/issues/3897">#3897</a>, <a href="https://redirect.github.com/fonttools/fonttools/issues/3892">#3892</a>).</li>
<li>[subset] Add pruning for MarkLigPos and MarkMarkPos lookups (<a href="https://redirect.github.com/fonttools/fonttools/issues/3946">#3946</a>).</li>
<li>[subset] Remove duplicate features when subsetting (<a href="https://redirect.github.com/fonttools/fonttools/issues/3945">#3945</a>).</li>
<li>[Docs] Added documentation for the visitor module (<a href="https://redirect.github.com/fonttools/fonttools/issues/3944">#3944</a>).</li>
</ul>
<h2>4.60.0</h2>
<ul>
<li>
<p>[pointPen] Allow <code>reverseFlipped</code> parameter of <code>DecomposingPointPen</code> to take a <code>ReverseFlipped</code> enum value to control whether/how to reverse contour direction of flipped components, in addition to the existing True/False. This allows to set <code>ReverseFlipped.ON_CURVE_FIRST</code> to ensure that the decomposed outline starts with an on-curve point before being reversed, for better consistency with other segment-oriented contour transformations. The change is backward compatible, and the default behavior hasn't changed (<a href="https://redirect.github.com/fonttools/fonttools/issues/3934">#3934</a>).</p>
</li>
<li>
<p>[filterPen] Added <code>ContourFilterPointPen</code>, base pen for buffered contour operations, and <code>OnCurveStartPointPen</code> filter to ensure contours start with an on-curve point (<a href="https://redirect.github.com/fonttools/fonttools/issues/3934">#3934</a>).</p>
</li>
<li>
<p>[cu2qu] Fixed difference in cython vs pure-python complex division by real number (<a href="https://redirect.github.com/fonttools/fonttools/issues/3930">#3930</a>).</p>
</li>
<li>
<p>[varLib.avar] Refactored and added some new sub-modules and scripts (<a href="https://redirect.github.com/fonttools/fonttools/issues/3926">#3926</a>).</p>
<ul>
<li><code>varLib.avar.build</code> module to build avar (and a missing fvar) binaries into a possibly empty TTFont,</li>
<li><code>varLib.avar.unbuild</code> module to print a .designspace snippet that would generate the same avar binary,</li>
<li><code>varLib.avar.map</code> module to take TTFont and do the mapping, in user/normalized space,</li>
<li><code>varLib.avar.plan</code> module moved from <code>varLib.avarPlanner</code>.</li>
</ul>
<p>The bare <code>fonttools varLib.avar</code> script is deprecated, in favour of <code>fonttools varLib.avar.build</code> (or <code>unbuild</code>).</p>
</li>
<li>
<p>[interpolatable] Clarify <code>linear_sum_assignment</code> backend options and minimal dependency usage (<a href="https://redirect.github.com/fonttools/fonttools/issues/3927">#3927</a>).</p>
</li>
<li>
<p>[post] Speed up <code>build_psNameMapping</code> (<a href="https://redirect.github.com/fonttools/fonttools/issues/3923">#3923</a>).</p>
</li>
<li>
<p>[ufoLib] Added typing annotations to fontTools.ufoLib (<a href="https://redirect.github.com/fonttools/fonttools/issues/3875">#3875</a>).</p>
</li>
</ul>
<h2>4.59.2</h2>
<ul>
<li>[varLib] Clear <code>USE_MY_METRICS</code> component flags when inconsistent across masters (<a href="https://redirect.github.com/fonttools/fonttools/issues/3912">#3912</a>).</li>
<li>[varLib.instancer] Avoid negative advance width/height values when instantiating HVAR/VVAR, (unlikely in well-behaved fonts) (<a href="https://redirect.github.com/fonttools/fonttools/issues/3918">#3918</a>).</li>
<li>[subset] Fix shaping behaviour when pruning empty mark sets (<a href="https://redirect.github.com/fonttools/fonttools/issues/3915">#3915</a>, <a href="https://redirect.github.com/harfbuzz/harfbuzz/issues/5499">harfbuzz/harfbuzz#5499</a>).</li>
<li>[cu2qu] Fixed <code>dot()</code> product of perpendicular vectors not always returning exactly 0.0 in all Python implementations (<a href="https://redirect.github.com/fonttools/fonttools/issues/3911">#3911</a>)</li>
<li>[varLib.instancer] Implemented fully-instantiating <code>avar2</code> fonts (<a href="https://redirect.github.com/fonttools/fonttools/issues/3909">#3909</a>).</li>
<li>[feaLib] Allow float values in <code>VariableScalar</code>'s axis locations (<a href="https://redirect.github.com/fonttools/fonttools/issues/3906">#3906</a>, <a href="https://redirect.github.com/fonttools/fonttools/issues/3907">#3907</a>).</li>
<li>[cu2qu] Handle special case in <code>calc_intersect</code> for degenerate cubic curves where 3 to 4 control points are equal (<a href="https://redirect.github.com/fonttools/fonttools/issues/3904">#3904</a>).</li>
</ul>
<h2>4.59.1</h2>
<ul>
<li>[featureVars] Update OS/2.usMaxContext if possible after addFeatureVariationsRaw (<a href="https://redirect.github.com/fonttools/fonttools/issues/3894">#3894</a>).</li>
<li>[vhmtx] raise TTLibError('not enough data...') when hmtx/vmtx are truncated (<a href="https://redirect.github.com/fonttools/fonttools/issues/3843">#3843</a>, <a href="https://redirect.github.com/fonttools/fonttools/issues/3901">#3901</a>).</li>
<li>[feaLib] Combine duplicate features that have the same set of lookups regardless of the order in which those lookups are added to the feature (<a href="https://redirect.github.com/fonttools/fonttools/issues/3895">#3895</a>).</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/fonttools/fonttools/blob/main/NEWS.rst">fonttools's changelog</a>.</em></p>
<blockquote>
<h2>4.61.0 (released 2025-11-28)</h2>
<ul>
<li>[varLib.main]: <strong>SECURITY</strong> Only use basename(vf.filename) to prevent path traversal attacks when
running <code>fonttools varLib</code> command. Fixes CVE-2025-66034, see:
<a href="https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv">https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv</a>.</li>
<li>[feaLib] Sort BaseLangSysRecords by tag (<a href="https://redirect.github.com/fonttools/fonttools/issues/3986">#3986</a>).</li>
<li>Drop support for EOL Python 3.9 (<a href="https://redirect.github.com/fonttools/fonttools/issues/3982">#3982</a>).</li>
<li>[instancer] Support --remove-overlaps for fonts with CFF2 table (<a href="https://redirect.github.com/fonttools/fonttools/issues/3975">#3975</a>).</li>
<li>[CFF2ToCFF] Add --remove-overlaps option (<a href="https://redirect.github.com/fonttools/fonttools/issues/3976">#3976</a>).</li>
<li>[feaLib] Raise an error for rsub with NULL target (<a href="https://redirect.github.com/fonttools/fonttools/issues/3979">#3979</a>).</li>
<li>[bezierTools] Fix logic bug in curveCurveIntersections (<a href="https://redirect.github.com/fonttools/fonttools/issues/3963">#3963</a>).</li>
<li>[feaLib] Error when condition sets have the same name (<a href="https://redirect.github.com/fonttools/fonttools/issues/3958">#3958</a>).</li>
<li>[cu2qu.ufo] skip processing empty glyphs to support sparse kerning masters (<a href="https://redirect.github.com/fonttools/fonttools/issues/3956">#3956</a>).</li>
<li>[unicodedata] Update to Unicode 17. Require <code>unicodedata2 >= 17.0.0</code> when installed with 'unicode' extra.</li>
</ul>
<h2>4.60.1 (released 2025-09-29)</h2>
<ul>
<li>[ufoLib] Reverted accidental method name change in <code>UFOReader.getKerningGroupConversionRenameMaps</code>
that broke compatibility with downstream projects like defcon (<a href="https://redirect.github.com/fonttools/fonttools/issues/3948">#3948</a>, <a href="https://redirect.github.com/fonttools/fonttools/issues/3947">#3947</a>, <a href="https://redirect.github.com/robotools/defcon/issues/478">robotools/defcon#478</a>).</li>
<li>[ufoLib] Added test coverage for <code>getKerningGroupConversionRenameMaps</code> method (<a href="https://redirect.github.com/fonttools/fonttools/issues/3950">#3950</a>).</li>
<li>[subset] Don't try to subset BASE table; pass it through by default instead (<a href="https://redirect.github.com/fonttools/fonttools/issues/3949">#3949</a>).</li>
<li>[subset] Remove empty BaseRecord entries in MarkBasePos lookups (<a href="https://redirect.github.com/fonttools/fonttools/issues/3897">#3897</a>, <a href="https://redirect.github.com/fonttools/fonttools/issues/3892">#3892</a>).</li>
<li>[subset] Add pruning for MarkLigPos and MarkMarkPos lookups (<a href="https://redirect.github.com/fonttools/fonttools/issues/3946">#3946</a>).</li>
<li>[subset] Remove duplicate features when subsetting (<a href="https://redirect.github.com/fonttools/fonttools/issues/3945">#3945</a>).</li>
<li>[Docs] Added documentation for the visitor module (<a href="https://redirect.github.com/fonttools/fonttools/issues/3944">#3944</a>).</li>
</ul>
<h2>4.60.0 (released 2025-09-17)</h2>
<ul>
<li>[pointPen] Allow <code>reverseFlipped</code> parameter of <code>DecomposingPointPen</code> to take a <code>ReverseFlipped</code>
enum value to control whether/how to reverse contour direction of flipped components, in addition to
the existing True/False. This allows to set <code>ReverseFlipped.ON_CURVE_FIRST</code> to ensure that
the decomposed outline starts with an on-curve point before being reversed, for better consistency
with other segment-oriented contour transformations. The change is backward compatible, and the
default behavior hasn't changed (<a href="https://redirect.github.com/fonttools/fonttools/issues/3934">#3934</a>).</li>
<li>[filterPen] Added <code>ContourFilterPointPen</code>, base pen for buffered contour operations, and
<code>OnCurveStartPointPen</code> filter to ensure contours start with an on-curve point (<a href="https://redirect.github.com/fonttools/fonttools/issues/3934">#3934</a>).</li>
<li>[cu2qu] Fixed difference in cython vs pure-python complex division by real number (<a href="https://redirect.github.com/fonttools/fonttools/issues/3930">#3930</a>).</li>
<li>[varLib.avar] Refactored and added some new sub-modules and scripts (<a href="https://redirect.github.com/fonttools/fonttools/issues/3926">#3926</a>).
<ul>
<li><code>varLib.avar.build</code> module to build avar (and a missing fvar) binaries into a possibly empty TTFont,</li>
<li><code>varLib.avar.unbuild</code> module to print a .designspace snippet that would generate the same avar binary,</li>
<li><code>varLib.avar.map</code> module to take TTFont and do the mapping, in user/normalized space,</li>
<li><code>varLib.avar.plan</code> module moved from <code>varLib.avarPlanner</code>.
The bare <code>fonttools varLib.avar</code> script is deprecated, in favour of <code>fonttools varLib.avar.build</code> (or <code>unbuild</code>).</li>
</ul>
</li>
<li>[interpolatable] Clarify <code>linear_sum_assignment</code> backend options and minimal dependency
usage (<a href="https://redirect.github.com/fonttools/fonttools/issues/3927">#3927</a>).</li>
<li>[post] Speed up <code>build_psNameMapping</code> (<a href="https://redirect.github.com/fonttools/fonttools/issues/3923">#3923</a>).</li>
<li>[ufoLib] Added typing annotations to fontTools.ufoLib (<a href="https://redirect.github.com/fonttools/fonttools/issues/3875">#3875</a>).</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/fonttools/fonttools/commit/e691e3bef9fc4e8096e4023ccacbc327d2569905"><code>e691e3b</code></a> Release 4.61.0</li>
<li><a href="https://github.com/fonttools/fonttools/commit/c2d540f4ada946ea1ef97f898e0daa9601bc1019"><code>c2d540f</code></a> Update NEWS.rst</li>
<li><a href="https://github.com/fonttools/fonttools/commit/3859753a0511efc568d4d71c4933219c11b6207b"><code>3859753</code></a> Update NEWS.rst</li>
<li><a href="https://github.com/fonttools/fonttools/commit/26eb070a55c731d9828dddf5cb022e0d79e9af45"><code>26eb070</code></a> black</li>
<li><a href="https://github.com/fonttools/fonttools/commit/5ff73af3265e0b5207c3a2870c9f0ccc8ee19d0f"><code>5ff73af</code></a> Merge commit from fork</li>
<li><a href="https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a02c1e32"><code>a696d5b</code></a> varLib: only use the basename(vf.filename)</li>
<li><a href="https://github.com/fonttools/fonttools/commit/b00bc459efac4d9d52a1eafa2cdd2c7ff503ced7"><code>b00bc45</code></a> varLib_test: test path traversal in variable-font filename</li>
<li><a href="https://github.com/fonttools/fonttools/commit/066512e4f339527803743baf856d9e7355a8b10e"><code>066512e</code></a> Merge pull request <a href="https://redirect.github.com/fonttools/fonttools/issues/3986">#3986</a> from cmyr/base-minmax-sorting</li>
<li><a href="https://github.com/fonttools/fonttools/commit/ce78973e97ab1201e3f852b6aacfe26a4a999235"><code>ce78973</code></a> [feaLib] Sort BasLangSysRecords by tag</li>
<li><a href="https://github.com/fonttools/fonttools/commit/5bb37dc201ab5408bec71b7e61f83be01f84b6bf"><code>5bb37dc</code></a> Merge pull request <a href="https://redirect.github.com/fonttools/fonttools/issues/3983">#3983</a> from fonttools/dependabot/pip/brotli-1.2.0</li>
<li>Additional commits viewable in <a href="https://github.com/fonttools/fonttools/compare/4.51.0...4.61.0">compare view</a></li>
</ul>
</details>
<br />Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting <code>@dependabot rebase</code>.
<details>
<summary>Dependabot commands and options</summary>
<br />You can trigger Dependabot actions by commenting on this PR:
<ul>
<li><code>@dependabot rebase</code> will rebase this PR</li>
<li><code>@dependabot recreate</code> will recreate this PR, overwriting any edits that have been made to it</li>
<li><code>@dependabot merge</code> will merge this PR after your CI passes on it</li>
<li><code>@dependabot squash and merge</code> will squash and merge this PR after your CI passes on it</li>
<li><code>@dependabot cancel merge</code> will cancel a previously requested merge and block automerging</li>
<li><code>@dependabot reopen</code> will reopen this PR if it is closed</li>
<li><code>@dependabot close</code> will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually</li>
<li><code>@dependabot show &lt;dependency name&gt; ignore conditions</code> will show all of the ignore conditions of the specified dependency</li>
<li><code>@dependabot ignore this major version</code> will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)</li>
<li><code>@dependabot ignore this minor version</code> will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)</li>
<li><code>@dependabot ignore this dependency</code> will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)</li>
</ul>
</details>