Sourced from fonttools's releases.
4.61.0
- [varLib.main]: SECURITY Only use basename(vf.filename) to prevent path traversal attacks when running
fonttools varLibcommand-line script, or code which invokesfonttools.varLib.main(). Fixes CVE-2025-66034, see: https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv.- [feaLib] Sort BaseLangSysRecords by tag (#3986).
- Drop support for EOL Python 3.9 (#3982).
- [instancer] Support --remove-overlaps for fonts with CFF2 table (#3975).
- [CFF2ToCFF] Add --remove-overlaps option (#3976).
- [feaLib] Raise an error for rsub with NULL target (#3979).
- [bezierTools] Fix logic bug in curveCurveIntersections (#3963).
- [feaLib] Error when condition sets have the same name (#3958).
- [cu2qu.ufo] skip processing empty glyphs to support sparse kerning masters (#3956).
- [unicodedata] Update to Unicode 17. Require
unicodedata2 >= 17.0.0when installed with 'unicode' extra.4.60.1
- [ufoLib] Reverted accidental method name change in
UFOReader.getKerningGroupConversionRenameMapsthat broke compatibility with downstream projects like defcon (#3948, #3947, robotools/defcon#478).- [ufoLib] Added test coverage for
getKerningGroupConversionRenameMapsmethod (#3950).- [subset] Don't try to subset BASE table; pass it through by default instead (#3949).
- [subset] Remove empty BaseRecord entries in MarkBasePos lookups (#3897, #3892).
- [subset] Add pruning for MarkLigPos and MarkMarkPos lookups (#3946).
- [subset] Remove duplicate features when subsetting (#3945).
- [Docs] Added documentation for the visitor module (#3944).
4.60.0
[pointPen] Allow
reverseFlippedparameter ofDecomposingPointPento take aReverseFlippedenum value to control whether/how to reverse contour direction of flipped components, in addition to the existing True/False. This allows to setReverseFlipped.ON_CURVE_FIRSTto ensure that the decomposed outline starts with an on-curve point before being reversed, for better consistency with other segment-oriented contour transformations. The change is backward compatible, and the default behavior hasn't changed (#3934).[filterPen] Added
ContourFilterPointPen, base pen for buffered contour operations, andOnCurveStartPointPenfilter to ensure contours start with an on-curve point (#3934).[cu2qu] Fixed difference in cython vs pure-python complex division by real number (#3930).
[varLib.avar] Refactored and added some new sub-modules and scripts (#3926).
varLib.avar.buildmodule to build avar (and a missing fvar) binaries into a possibly empty TTFont,varLib.avar.unbuildmodule to print a .designspace snippet that would generate the same avar binary,varLib.avar.mapmodule to take TTFont and do the mapping, in user/normalized space,varLib.avar.planmodule moved fromvarLib.avarPlanner.The bare
fonttools varLib.avarscript is deprecated, in favour offonttools varLib.avar.build(orunbuild).[interpolatable] Clarify
linear_sum_assignmentbackend options and minimal dependency usage (#3927).[post] Speed up
build_psNameMapping(#3923).[ufoLib] Added typing annotations to fontTools.ufoLib (#3875).
4.59.2
- [varLib] Clear
USE_MY_METRICScomponent flags when inconsistent across masters (#3912).- [varLib.instancer] Avoid negative advance width/height values when instatiating HVAR/VVAR, (unlikely in well-behaved fonts) (#3918).
- [subset] Fix shaping behaviour when pruning empty mark sets (#3915, harfbuzz/harfbuzz#5499).
- [cu2qu] Fixed
dot()product of perpendicular vectors not always returning exactly 0.0 in all Python implementations (#3911)- [varLib.instancer] Implemented fully-instantiating
avar2fonts (#3909).- [feaLib] Allow float values in
VariableScalar's axis locations (#3906, #3907).- [cu2qu] Handle special case in
calc_intersectfor degenerate cubic curves where 3 to 4 control points are equal (#3904).4.59.1
- [featureVars] Update OS/2.usMaxContext if possible after addFeatureVariationsRaw (#3894).
- [vhmtx] raise TTLibError('not enough data...') when hmtx/vmtx are truncated (#3843, #3901).
- [feaLib] Combine duplicate features that have the same set of lookups regardless of the order in which those lookups are added to the feature (#3895).
... (truncated)
Sourced from fonttools's changelog.
4.61.0 (released 2025-11-28)
- [varLib.main]: SECURITY Only use basename(vf.filename) to prevent path traversal attacks when running
fonttools varLibcommand, or code which invokesfonttools.varLib.main(). Fixes CVE-2025-66034, see: https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv.- [feaLib] Sort BaseLangSysRecords by tag (#3986).
- Drop support for EOL Python 3.9 (#3982).
- [instancer] Support --remove-overlaps for fonts with CFF2 table (#3975).
- [CFF2ToCFF] Add --remove-overlaps option (#3976).
- [feaLib] Raise an error for rsub with NULL target (#3979).
- [bezierTools] Fix logic bug in curveCurveIntersections (#3963).
- [feaLib] Error when condition sets have the same name (#3958).
- [cu2qu.ufo] skip processing empty glyphs to support sparse kerning masters (#3956).
- [unicodedata] Update to Unicode 17. Require
unicodedata2 >= 17.0.0when installed with 'unicode' extra.4.60.1 (released 2025-09-29)
- [ufoLib] Reverted accidental method name change in
UFOReader.getKerningGroupConversionRenameMapsthat broke compatibility with downstream projects like defcon (#3948, #3947, robotools/defcon#478).- [ufoLib] Added test coverage for
getKerningGroupConversionRenameMapsmethod (#3950).- [subset] Don't try to subset BASE table; pass it through by default instead (#3949).
- [subset] Remove empty BaseRecord entries in MarkBasePos lookups (#3897, #3892).
- [subset] Add pruning for MarkLigPos and MarkMarkPos lookups (#3946).
- [subset] Remove duplicate features when subsetting (#3945).
- [Docs] Added documentation for the visitor module (#3944).
4.60.0 (released 2025-09-17)
- [pointPen] Allow
reverseFlippedparameter ofDecomposingPointPento take aReverseFlippedenum value to control whether/how to reverse contour direction of flipped components, in addition to the existing True/False. This allows to setReverseFlipped.ON_CURVE_FIRSTto ensure that the decomposed outline starts with an on-curve point before being reversed, for better consistency with other segment-oriented contour transformations. The change is backward compatible, and the default behavior hasn't changed (#3934).- [filterPen] Added
ContourFilterPointPen, base pen for buffered contour operations, andOnCurveStartPointPenfilter to ensure contours start with an on-curve point (#3934).- [cu2qu] Fixed difference in cython vs pure-python complex division by real number (#3930).
- [varLib.avar] Refactored and added some new sub-modules and scripts (#3926).
varLib.avar.buildmodule to build avar (and a missing fvar) binaries into a possibly empty TTFont,varLib.avar.unbuildmodule to print a .designspace snippet that would generate the same avar binary,varLib.avar.mapmodule to take TTFont and do the mapping, in user/normalized space,varLib.avar.planmodule moved fromvarLib.avarPlanner. The barefonttools varLib.avarscript is deprecated, in favour offonttools varLib.avar.build(orunbuild).- [interpolatable] Clarify
linear_sum_assignmentbackend options and minimal dependency usage (#3927).- [post] Speed up
build_psNameMapping(#3923).
... (truncated)
e691e3b
Release 4.61.0c2d540f
Update NEWS.rst3859753
Update NEWS.rst26eb070
black5ff73af
Merge commit from forka696d5b
varLib: only use the basename(vf.filename)b00bc45
varLib_test: test path traversal in variable-font filename066512e
Merge pull request #3986
from cmyr/base-minmax-sortingce78973
[feaLib] Sort BasLangSysRecords by tag5bb37dc
Merge pull request #3983
from fonttools/dependabot/pip/brotli-1.2.0