Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

New Contributors

• @​M0d3v1 made their first contribution in psf/requests#6865
• @​aminvakil made their first contribution in psf/requests#7220
• @​E8Price made their first contribution in psf/requests#6960
• @​mitre88 made their first contribution in psf/requests#7244
• @​magsen made their first contribution in psf/requests#6553
• @​Rohan5commit made their first contribution in psf/requests#7227

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

v2.32.5

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

Sourced from requests's changelog.

2.33.0 (2026-03-25)

Announcements

• 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

• CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

• Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

• Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

• Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

• Various typo fixes and doc improvements.

2.32.5 (2025-08-18)

Bugfixes

• The SSLContext caching feature originally introduced in 2.32.0 has created a new class of issues in Requests that have had negative impact across a number of use cases. The Requests team has decided to revert this feature as long term maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

• Added support for Python 3.14.
• Dropped support for Python 3.8 following its end of support.

• bc04dfd v2.33.0
• 66d21cb Merge commit from fork
• 8b9bc8f Move badges to top of README (#7293)
• e331a28 Remove unused extraction call (#7292)
• 753fd08 docs: fix FAQ grammar in httplib2 example
• 774a0b8 docs(socks): same block as other sections
• 9c72a41 Bump github/codeql-action from 4.33.0 to 4.34.1
• ebf7190 Bump github/codeql-action from 4.32.0 to 4.33.0
• 0e4ae38 docs: exclude Response.is_permanent_redirect from API docs (#7244)
• d568f47 docs: clarify Quickstart POST example (#6960)
• Additional commits viewable in compare view

Sourced from cryptography's changelog.

46.0.7 - 2026-04-07

* **SECURITY ISSUE**: Fixed an issue where non-contiguous buffers could be
  passed to APIs that accept Python buffers, which could lead to buffer
  overflow. **CVE-2026-39892**
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.6.
.. _v46-0-6:
46.0.6 - 2026-03-25

• SECURITY ISSUE: Fixed a bug where name constraints were not applied to peer names during verification when the leaf certificate contains a wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug, including those used by the Web PKI. Credit to Oleh Konko (1seal) for reporting the issue. CVE-2026-34073

.. _v46-0-5:

46.0.5 - 2026-02-10

* An attacker could create a malicious public key that reveals portions of your
  private key when using certain uncommon elliptic curves (binary curves).
  This version now includes additional security checks to prevent this attack.
  This issue only affects binary elliptic curves, which are rarely used in
  real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and
  Atuin Automated Vulnerability Discovery Engine** for reporting the issue.
  **CVE-2026-26007**
* Support for ``SECT*`` binary elliptic curves is deprecated and will be
  removed in the next release.
.. v46-0-4:
46.0.4 - 2026-01-27

• Dropped support for win_arm64 wheels_.
• Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.

.. _v46-0-3:

46.0.3 - 2025-10-15

* Fixed compilation when using LibreSSL 4.2.0.
.. _v46-0-2:

</tr></table>

... (truncated)

• 622d672 46.0.7 release (#14602)
• 91d7288 Cherry-pick #14542 (#14543)
• 06e120e bump version for 46.0.5 release (#14289)
• 0eebb9d EC check key on cofactor > 1 (#14287)
• bedf6e1 fix openssl version on 46 branch (#14220)
• e6f44fc bump for 46.0.4 and drop win arm64 due to CI issues (#14217)
• c0af4dd release 46.0.3 (#13681)
• 99efe5a bump version for 46.0.2 (#13531)
• e735cfc release 46.0.1 (#13450)
• 4e457ff Explicitly specify python in mac uv build invocation (#13447)
• Additional commits viewable in compare view

Sourced from pillow's releases.

12.2.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html

Documentation

• Update 12.2.0 release notes #9522 [@​hugovk]
• Add loader plugins: AMOS abk, Atari Degas, 40+ more obscure formats via Netpbm #9482 [@​bitplane]
• Update Python versions #9515 [@​radarhere]
• Jeffrey A. Clark -> Jeffrey 'Alex' Clark #9513 [@​aclark4life]
• Add release notes for #9394, #9419 and #9456 #9467 [@​radarhere]
• Add Amiga Workbench .info loader to 3rd party plugins list #9459 [@​bitplane]
• Merge PFM documentation into PPM #9434 [@​radarhere]
• Update macOS tested Pillow versions #9431 [@​radarhere]
• Fix CVE number #9430 [@​hugovk]

Dependencies

• Update xz to 5.8.3 #9523 [@​radarhere]
• Update libjpeg-turbo to 3.1.4.1 #9507 [@​radarhere]
• Update libpng to 1.6.56 #9499 [@​radarhere]
• Update freetype to 2.14.3 #9485 [@​radarhere]
• Updated libavif to 1.4.1 #9479 [@​radarhere]
• Updated harfbuzz to 13.2.1 #9461 [@​radarhere]
• Update Ghostscript to 10.7.0 #9469 [@​radarhere]
• Update harfbuzz to 13.0.1 #9453 [@​radarhere]
• Update libavif to 1.4.0 #9460 [@​radarhere]
• Update freetype to 2.14.2 #9449 [@​radarhere]
• Update actions/download-artifact action to v8 #9451 [@renovate[bot]]
• Updated libpng to 1.6.55 #9425 [@​radarhere]

Testing

• Cleanup .spider extension in the same test where it is added #9517 [@​radarhere]
• Run tests in parallel via tox for 3.5x speedup #9516 [@​hugovk]
• Enable colour in CI logs #9486 [@​hugovk]
• Update Ghostscript to 10.7.0 #9469 [@​radarhere]
• Simplify TGA test code #9477 [@​radarhere]
• Update tests to check for ValueError when encoding an empty image #9464 [@​radarhere]
• Upgrade CI from macos-15-intel to macos-26-intel #9454 [@​hugovk]
• Add check-case-conflict hook #9446 [@​radarhere]
• Specify platform when pulling docker image #9440 [@​radarhere]
• GHA: Cache libavif and webp builds for Ubuntu #9437 [@​hugovk]
• Update macOS tested Pillow versions #9431 [@​radarhere]

Other changes

• Check calloc return value #9527 [@​radarhere]
• Check all allocs in the Arrow tree #9488 [@​wiredfool]
• Reject non-numeric elements inside list coords #9526 [@​hugovk]
• Move variable declaration inside define #9525 [@​radarhere]

... (truncated)

• 3c41c09 12.2.0 version bump
• cdaa29e Check calloc return value (#9527)
• 585b2f5 Check calloc return value
• ecf011e Check all allocs in the Arrow tree (#9488)
• cf6de8c Reject non-numeric elements inside list coords (#9526)
• ffdcede Update 12.2.0 release notes (#9522)
• 7929d77 Added security release notes (#149)
• c4f7aa5 Added security release notes
• 22cdb5f Move variable declaration inside define (#9525)
• fc15b3b Resize tall images vertically first (#9524)
• Additional commits viewable in compare view

Sourced from scrapy's releases.

2.14.2

• Values from the Referrer-Policy header of HTTP responses are no longer executed as Python callables. See the cwxj-rr6w-m6w7 security advisory for details.
• In line with the standard, 301 redirects of POST requests are converted into GET requests.

Full Changelog

2.14.1

• Deprecate maybeDeferred_coro()
• Pass the spider arg to custom stat collectors {open,close}_spider()
• Replace deprecated Codecov CI action

Full Changelog

2.14.0

• More coroutine-based replacements for Deferred-based APIs
• The default priority queue is now DownloaderAwarePriorityQueue
• Dropped support for Python 3.9 and PyPy 3.10
• Improved and documented the API for custom download handlers

Full changelog

2.13.4

Fix for the CVE-2025-6176 security issue: improved protection against decompression bombs in HttpCompressionMiddleware for responses compressed using the br and deflate methods. Requires brotli >= 1.2.0.

Full changelog

2.13.3

• Changed the values for DOWNLOAD_DELAY (from 0 to 1) and CONCURRENT_REQUESTS_PER_DOMAIN (from 8 to 1) in the default project template.
• Fixed several bugs in the engine initialization and exception handling logic.
• Allowed running tests with Twisted 25.5.0+ again and fixed test failures with lxml 6.0.0.

See the full changelog

2.13.2

• Fixed a bug introduced in Scrapy 2.13.0 that caused results of request errbacks to be ignored when the errback was called because of a downloader error.
• Docs and error messages improvements related to the Scrapy 2.13.0 default reactor change.

See the full changelog

2.13.1

• Give callback requests precedence over start requests when priority values are the same.

See the full changelog

2.13.0

• The asyncio reactor is now enabled by default
• Replaced start_requests() (sync) with start() (async) and changed how it is iterated.
• Added the allow_offsite request meta key
• Spider middlewares that don't support asynchronous spider output are deprecated
• Added a base class for universal spider middlewares

... (truncated)

Sourced from scrapy's changelog.

Scrapy 2.14.2 (2026-03-12)

Security bug fixes

-   Values from the ``Referrer-Policy`` header of HTTP responses are no longer
    executed as Python callables. See the `cwxj-rr6w-m6w7`_ security advisory
    for details.
.. _cwxj-rr6w-m6w7: https://github.com/scrapy/scrapy/security/advisories/GHSA-cwxj-rr6w-m6w7



In line with the standard <https://fetch.spec.whatwg.org/#http-redirect-fetch>__, 301 redirects of

POST requests are converted into GET requests.
Converting to a GET request implies not only a method change, but also

omitting the body and Content-* headers in the redirect request. On

cross-origin redirects (for example, cross-domain redirects), this is

effectively a security bug fix for scenarios where the body contains

secrets.


Deprecations

-   Passing a response URL string as the first positional argument to
    :meth:`scrapy.spidermiddlewares.referer.RefererMiddleware.policy` is
    deprecated. Pass a :class:`~scrapy.http.Response` instead.
The parameter has also been renamed to ``response`` to reflect this change.
The old parameter name (``resp_or_url``) is deprecated.

New features



Added a new setting, :setting:REFERER_POLICIES, to allow customizing

supported referrer policies.

Bug fixes

-   Made additional redirect scenarios convert to ``GET`` in line with the
    `standard <https://fetch.spec.whatwg.org/#http-redirect-fetch>`__:
-   Only ``POST`` 302 redirects are converted into ``GET`` requests; other
    methods are preserved.

-   ``HEAD`` 303 redirects are not converted into ``GET`` requests.

-   ``GET`` 303 redirects do not have their body or standard ``Content-*``

</tr></table>

</code></pre>

</blockquote>

<p>... (truncated)</p>

</details>

<details>

<summary>Commits</summary>
<ul>

<li><a href="https://github.com/scrapy/scrapy/commit/498b4fc1a431c71ea699b2d7e0bd518c7ceca302&quot;&gt;&lt;code&gt;498b4fc&lt;/code&gt;&lt;/a> Bump version: 2.14.1 → 2.14.2</li>

<li><a href="https://github.com/scrapy/scrapy/commit/378bb68039876c5e77b293cccd80eb5f306afd7e&quot;&gt;&lt;code&gt;378bb68&lt;/code&gt;&lt;/a> Proofread the release notes</li>

<li><a href="https://github.com/scrapy/scrapy/commit/8e28f938d29a496c3bf9fbffb212e1808213d9c4&quot;&gt;&lt;code&gt;8e28f93&lt;/code&gt;&lt;/a> Make test_no_warning_when_referer_middleware_present less brittle</li>

<li><a href="https://github.com/scrapy/scrapy/commit/886131c7b2f2e792fc139e5660f908239836388c&quot;&gt;&lt;code&gt;886131c&lt;/code&gt;&lt;/a> Run pre-commit</li>

<li><a href="https://github.com/scrapy/scrapy/commit/945b787a263586cb5803c01c6da57daad8997ae5&quot;&gt;&lt;code&gt;945b787&lt;/code&gt;&lt;/a> Merge remote-tracking branch 'cwxj-rr6w-m6w7/fix-referer-policy-handling' int...</li>

<li><a href="https://github.com/scrapy/scrapy/commit/8974580e438d18a105b8a0475e90bce2f1eb4dca&quot;&gt;&lt;code&gt;8974580&lt;/code&gt;&lt;/a> Reword the release note entry to consider the 301 redirect fix a security bug...</li>

<li><a href="https://github.com/scrapy/scrapy/commit/ba3d7bc7a8329d26862fcae248ececa386c1548a&quot;&gt;&lt;code&gt;ba3d7bc&lt;/code&gt;&lt;/a> Remove the non-standard 307/308 handling, and align other aspects with the st...</li>

<li><a href="https://github.com/scrapy/scrapy/commit/04db6a542407666de586d277acb1a651c389354e&quot;&gt;&lt;code&gt;04db6a5&lt;/code&gt;&lt;/a> Add a docstring to _load_policy_class()</li>

<li><a href="https://github.com/scrapy/scrapy/commit/a39545195ea41f22d7bfdc3eab83ef564480e516&quot;&gt;&lt;code&gt;a395451&lt;/code&gt;&lt;/a> allow to override → allow overriding</li>

<li><a href="https://github.com/scrapy/scrapy/commit/842d0becf0f36152a1090c62c0e5d9c950241975&quot;&gt;&lt;code&gt;842d0be&lt;/code&gt;&lt;/a> Rename test function</li>

<li>Additional commits viewable in <a href="https://github.com/scrapy/scrapy/compare/2.12.0...2.14.2&quot;&gt;compare view</a></li>

</ul>

</details>
<br />

Updates black from 24.10.0 to 26.3.1

Release notes
Sourced from black's releases.

26.3.1
Stable style

Prevent Jupyter notebook magic masking collisions from corrupting cells by using
exact-length placeholders for short magics and aborting if a placeholder can no longer
be unmasked safely (#5038)

Configuration

Always hash cache filename components derived from --python-cell-magics so custom
magic names cannot affect cache paths (#5038)

Blackd

Disable browser-originated requests by default, add configurable origin allowlisting
and request body limits, and bound executor submissions to improve backpressure
(#5039)

26.3.0
Stable style

Don't double-decode input, causing non-UTF-8 files to be corrupted (#4964)
Fix crash on standalone comment in lambda default arguments (#4993)
Preserve parentheses when # type: ignore comments would be merged with other
comments on the same line, preventing AST equivalence failures (#4888)

Preview style

Fix bug where if guards in case blocks were incorrectly split when the pattern had
a trailing comma (#4884)
Fix string_processing crashing on unassigned long string literals with trailing
commas (one-item tuples) (#4929)
Simplify implementation of the power operator "hugging" logic (#4918)

Packaging

Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in
frozen environments (#4930)

Performance

Introduce winloop for windows as an alternative to uvloop (#4996)
Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop()
(#4996)
Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop
installation and creation of either a uvloop/winloop evenloop or default eventloop
(#4996)

Output


... (truncated)


Changelog
Sourced from black's changelog.

Version 26.3.1
Stable style

Prevent Jupyter notebook magic masking collisions from corrupting cells by using
exact-length placeholders for short magics and aborting if a placeholder can no longer
be unmasked safely (#5038)

Configuration

Always hash cache filename components derived from --python-cell-magics so custom
magic names cannot affect cache paths (#5038)

Blackd

Disable browser-originated requests by default, add configurable origin allowlisting
and request body limits, and bound executor submissions to improve backpressure
(#5039)

Version 26.3.0
Stable style

Don't double-decode input, causing non-UTF-8 files to be corrupted (#4964)
Fix crash on standalone comment in lambda default arguments (#4993)
Preserve parentheses when # type: ignore comments would be merged with other
comments on the same line, preventing AST equivalence failures (#4888)

Preview style

Fix bug where if guards in case blocks were incorrectly split when the pattern had
a trailing comma (#4884)
Fix string_processing crashing on unassigned long string literals with trailing
commas (one-item tuples) (#4929)
Simplify implementation of the power operator "hugging" logic (#4918)

Packaging

Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in
frozen environments (#4930)

Performance

Introduce winloop for windows as an alternative to uvloop (#4996)
Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop()
(#4996)
Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop
installation and creation of either a uvloop/winloop eventloop or default eventloop
(#4996)



... (truncated)


Commits

c6755bb Prepare release 26.3.1 (#5046)
69973fd Harden blackd browser-facing request handling (#5039)
4937fe6 Fix some shenanigans with the cache file and IPython (#5038)
2e641d1 docs: remove outdated Black Playground references (#5044)
c014b22 Remove unused internal code (#5041)
0dae20b Add new changelog (#5036)
c5c1cbd Minor release patches (#5035)
7e5a828 docs: clarify relationship between Black style and PEP 8 (#5025)
69705de docs: add clearer pyproject configuration guidance (#5026)
35ea679 Prepare release 26.3.0 (#5032)
Additional commits viewable in compare view




Updates pytest from 7.4.4 to 9.0.3

Release notes
Sourced from pytest's releases.

9.0.3
pytest 9.0.3 (2026-04-07)
Bug fixes


#12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.


#13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.
Previously this resulted in an internal assertion failure during plugin loading.
Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.


#13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.


#14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.


#14343: Fixed use of insecure temporary directory (CVE-2025-71176).


Improved documentation

#13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
#13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
#14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
#14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes


#12689: The test reports are now published to Codecov from GitHub Actions.
The test statistics is visible on the web interface.
-- by aleguy02


9.0.2
pytest 9.0.2 (2025-12-06)
Bug fixes


#13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.
You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.
Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.


#13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.


#13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0.
Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim.
It will be deprecated in pytest 9.1 and removed in pytest 10.




... (truncated)


Commits

a7d58d7 Prepare release version 9.0.3
089d981 Merge pull request #14366 from bluetech/revert-14193-backport
8127eaf Revert "Fix: assertrepr_compare respects dict insertion order (#14050) (#14193)"
99a7e60 Merge pull request #14363 from pytest-dev/patchback/backports/9.0.x/95d8423bd...
ddee02a Merge pull request #14343 from bluetech/cve-2025-71176-simple
74eac69 doc: Update training info (#14298) (#14301)
f92dee7 Merge pull request #14267 from pytest-dev/patchback/backports/9.0.x/d6fa26c62...
7ee58ac Merge pull request #12378 from Pierre-Sassoulas/fix-implicit-str-concat-and-d...
37da870 Merge pull request #14259 from mitre88/patch-4 (#14268)
c34bfa3 Add explanation for string context diffs (#14257) (#14266)
Additional commits viewable in compare view




Updates filelock from 3.18.0 to 3.20.3

Release notes
Sourced from filelock's releases.

3.20.3

What's Changed

Fix TOCTOU symlink vulnerability in SoftFileLock by @​gaborbernat in tox-dev/filelock#465

Full Changelog: https://github.com/tox-dev/filelock/compare/3.20.2...3.20.3
3.20.2

What's Changed

Support Unix systems without O_NOFOLLOW by @​mwilliamson in tox-dev/filelock#463
[pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in tox-dev/filelock#464

New Contributors

@​mwilliamson made their first contribution in tox-dev/filelock#463

Full Changelog: https://github.com/tox-dev/filelock/compare/3.20.1...3.20.2
3.20.1

What's Changed

CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation by @​gaborbernat in tox-dev/filelock#461

Full Changelog: https://github.com/tox-dev/filelock/compare/3.20.0...3.20.1
3.20.0

What's Changed

Add tox.toml to sdist by @​mtelka in tox-dev/filelock#436
Update docs with example by @​znichollscr in tox-dev/filelock#438
Add 3.14 support and drop 3.9 by @​gaborbernat in tox-dev/filelock#448

New Contributors

@​mtelka made their first contribution in tox-dev/filelock#436
@​znichollscr made their first contribution in tox-dev/filelock#438

Full Changelog: https://github.com/tox-dev/filelock/compare/3.19.1...3.20.0
3.19.1

What's Changed

add 3.14t (free threading) to matrix by @​paultiq in tox-dev/filelock#433
Increase test coverage by @​paultiq in tox-dev/filelock#434



... (truncated)


Changelog
Sourced from filelock's changelog.

###########
Changelog
###########

3.29.0 (2026-04-19)


✨ feat(soft): enable stale lock detection on Windows :pr:534
🐛 fix(async): use single-thread executor for lock consistency :pr:533
build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 :pr:530 - by :user:dependabot[bot]


3.28.0 (2026-04-14)


🐛 fix(ci): unbreak release workflow, publish to PyPI again :pr:529


3.26.1 (2026-04-09)


🐛 fix(asyncio): add exit to BaseAsyncFileLock and fix del loop handling :pr:518 - by :user:naarob
build(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 :pr:525 - by :user:dependabot[bot]


3.26.0 (2026-04-06)


✨ feat(soft): add PID inspection and lock breaking :pr:524
[pre-commit.ci] pre-commit autoupdate :pr:523 - by :user:pre-commit-ci[bot]
build(deps): bump astral-sh/setup-uv from 7.6.0 to 8.0.0 :pr:522 - by :user:dependabot[bot]
Remove persist-credentials: false from release job :pr:520
[pre-commit.ci] pre-commit autoupdate :pr:519 - by :user:pre-commit-ci[bot]
🔒 ci(workflows): add zizmor security auditing :pr:517
[pre-commit.ci] pre-commit autoupdate :pr:516 - by :user:pre-commit-ci[bot]
[pre-commit.ci] pre-commit autoupdate :pr:514 - by :user:pre-commit-ci[bot]


3.25.2 (2026-03-11)


🐛 fix(unix): suppress EIO on close in Docker bind mounts :pr:513


3.25.1 (2026-03-09)


[pre-commit.ci] pre-commit autoupdate :pr:510 - by :user:pre-commit-ci[bot]
🐛 fix(win): restore best-effort lock file cleanup on release :pr:511



... (truncated)


Commits

41b42dd Fix TOCTOU symlink vulnerability in SoftFileLock (#465)
f2e7d40 [pre-commit.ci] pre-commit autoupdate (#464)
5088854 Support Unix systems without O_NOFOLLOW (#463)
377f622 [pre-commit.ci] pre-commit autoupdate (#460)
4724d7f Fix TOCTOU symlink vulnerability in lock file creation (#461)
cb69414 Bump actions/upload-artifact from 5 to 6 (#459)
0769294 Bump actions/download-artifact from 6 to 7 (#458)
414193a [pre-commit.ci] pre-commit autoupdate (#457)
1456797 [pre-commit.ci] pre-commit autoupdate (#456)
8d6bf90 Bump actions/checkout from 5 to 6 (#455)
Additional commits viewable in compare view




Updates fonttools from 4.57.0 to 4.60.2

Release notes
Sourced from fonttools's releases.

4.60.2

Backport release Same as 4.61.0 but without "Drop support for EOL Python 3.9" change to allow downstream projects still on Python 3.9 to avail of the security fix for CVE-2025-66034 (#3994, #3999).

4.60.1

[ufoLib] Reverted accidental method name change in UFOReader.getKerningGroupConversionRenameMaps
that broke compatibility with downstream projects like defcon (#3948, #3947, robotools/defcon#478).
[ufoLib] Added test coverage for getKerningGroupConversionRenameMaps method (#3950).
[subset] Don't try to subset BASE table; pass it through by default instead (#3949).
[subset] Remove empty BaseRecord entries in MarkBasePos lookups (#3897, #3892).
[subset] Add pruning for MarkLigPos and MarkMarkPos lookups (#3946).
[subset] Remove duplicate features when subsetting (#3945).
[Docs] Added documentation for the visitor module (#3944).

4.60.0


[pointPen] Allow reverseFlipped parameter of DecomposingPointPen to take a ReverseFlipped enum value to control whether/how to reverse contour direction of flipped components, in addition to the existing True/False. This allows to set ReverseFlipped.ON_CURVE_FIRST to ensure that the decomposed outline starts with an on-curve point before being reversed, for better consistency with other segment-oriented contour transformations. The change is backward compatible, and the default behavior hasn't changed (#3934).


[filterPen] Added ContourFilterPointPen, base pen for buffered contour operations, and OnCurveStartPointPen filter to ensure contours start with an on-curve point (#3934).


[cu2qu] Fixed difference in cython vs pure-python complex division by real number (#3930).


[varLib.avar] Refactored and added some new sub-modules and scripts (#3926).

varLib.avar.build module to build avar (and a missing fvar) binaries into a possibly empty TTFont,
varLib.avar.unbuild module to print a .designspace snippet that would generate the same avar binary,
varLib.avar.map module to take TTFont and do the mapping, in user/normalized space,
varLib.avar.plan module moved from varLib.avarPlanner.

The bare fonttools varLib.avar script is deprecated, in favour of fonttools varLib.avar.build (or unbuild).


[interpolatable] Clarify linear_sum_assignment backend options and minimal dependency usage (#3927).


[post] Speed up build_psNameMapping (#3923).


[ufoLib] Added typing annotations to fontTools.ufoLib (#3875).


4.59.2

[varLib] Clear USE_MY_METRICS component flags when inconsistent across masters (#3912).
[varLib.instancer] Avoid negative advance width/height values when instatiating HVAR/VVAR, (unlikely in well-behaved fonts) (#3918).
[subset] Fix shaping behaviour when pruning empty mark sets (#3915, harfbuzz/harfbuzz#5499).
[cu2qu] Fixed dot() product of perpendicular vectors not always returning exactly 0.0 in all Python implementations (#3911)
[varLib.instancer] Implemented fully-instantiating avar2 fonts (#3909).
[feaLib] Allow float values in VariableScalar's axis locations (#3906, #3907).
[cu2qu] Handle special case in calc_intersect for degenerate cubic curves where 3 to 4 control points are equal (#3904).

4.59.1

[featureVars] Update OS/2.usMaxContext if possible after addFeatureVariationsRaw (#3894).
[vhmtx] raise TTLibError('not enough data...') when hmtx/vmtx are truncated (#3843, #3901).
[feaLib] Combine duplicate features that have the same set of lookups regardless of the order in which those lookups are added to the feature (#3895).
[varLib] Deprecate varLib.mutator in favor of varLib.instancer. The latter provides equivalent full (static font) instancing in addition to partial VF instancing.

CLI users should replace fonttools varLib.mutator with fonttools varLib.instancer. API users should migrate to fontTools.varLib.instancer.instantiateVariableFont (#2680).

4.59.0

Removed hard-dependency on pyfilesystem2 (fs package) from fonttools[ufo] extra. This is replaced by the fontTools.misc.filesystem package, a stdlib-only, drop-in replacem...
Description has been truncated