pyup-bot commented Dec 1, 2025

Update certifi from 2023.7.22 to 2025.11.12.

The bot wasn't able to find a changelog for this release. Got an idea?

Update fonttools from 4.51.0 to 4.61.0.

Changelog

4.61.0

----------------------------

- [varLib.main]: **SECURITY** Only use basename(vf.filename) to prevent path traversal attacks when
running `fonttools varLib` command. Fixes CVE-2025-66034, see:
https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv.
- [feaLib] Sort BaseLangSysRecords by tag (3986).
- Drop support for EOL Python 3.9 (3982).
- [instancer] Support --remove-overlaps for fonts with CFF2 table (3975).
- [CFF2ToCFF] Add --remove-overlaps option (3976).
- [feaLib] Raise an error for rsub with NULL target (3979).
- [bezierTools] Fix logic bug in curveCurveIntersections (3963).
- [feaLib] Error when condition sets have the same name (3958).
- [cu2qu.ufo] skip processing empty glyphs to support sparse kerning masters (3956).
- [unicodedata] Update to Unicode 17. Require ``unicodedata2 >= 17.0.0`` when installed with 'unicode' extra.

4.60.1

----------------------------

- [ufoLib] Reverted accidental method name change in ``UFOReader.getKerningGroupConversionRenameMaps``
that broke compatibility with downstream projects like defcon (3948, 3947, robotools/defcon478).
- [ufoLib] Added test coverage for ``getKerningGroupConversionRenameMaps`` method (3950).
- [subset] Don't try to subset BASE table; pass it through by default instead (3949).
- [subset] Remove empty BaseRecord entries in MarkBasePos lookups (3897, 3892).
- [subset] Add pruning for MarkLigPos and MarkMarkPos lookups (3946).
- [subset] Remove duplicate features when subsetting (3945).
- [Docs] Added documentation for the visitor module (3944).

4.60.0

----------------------------

- [pointPen] Allow ``reverseFlipped`` parameter of ``DecomposingPointPen`` to take a ``ReverseFlipped``
enum value to control whether/how to reverse contour direction of flipped components, in addition to
the existing True/False. This allows to set ``ReverseFlipped.ON_CURVE_FIRST`` to ensure that
the decomposed outline starts with an on-curve point before being reversed, for better consistency
with other segment-oriented contour transformations. The change is backward compatible, and the
default behavior hasn't changed (3934).
- [filterPen] Added ``ContourFilterPointPen``, base pen for buffered contour operations, and
``OnCurveStartPointPen`` filter to ensure contours start with an on-curve point (3934).
- [cu2qu] Fixed difference in cython vs pure-python complex division by real number (3930).
- [varLib.avar] Refactored and added some new sub-modules and scripts (3926).
* ``varLib.avar.build`` module to build avar (and a missing fvar) binaries into a possibly empty TTFont,
* ``varLib.avar.unbuild`` module to print a .designspace snippet that would generate the same avar binary,
* ``varLib.avar.map`` module to take TTFont and do the mapping, in user/normalized space,
* ``varLib.avar.plan`` module moved from ``varLib.avarPlanner``.
The bare ``fonttools varLib.avar`` script is deprecated, in favour of ``fonttools varLib.avar.build`` (or ``unbuild``).
- [interpolatable] Clarify ``linear_sum_assignment`` backend options and minimal dependency
usage (3927).
- [post] Speed up ``build_psNameMapping`` (3923).
- [ufoLib] Added typing annotations to fontTools.ufoLib (3875).

4.59.2

----------------------------

- [varLib] Clear ``USE_MY_METRICS`` component flags when inconsistent across masters (3912).
- [varLib.instancer] Avoid negative advance width/height values when instantiating HVAR/VVAR,
(unlikely in well-behaved fonts) (3918).
- [subset] Fix shaping behaviour when pruning empty mark sets (3915, harfbuzz/harfbuzz5499).
- [cu2qu] Fixed ``dot()`` product of perpendicular vectors not always returning exactly 0.0
in all Python implementations (3911)
- [varLib.instancer] Implemented fully-instantiating ``avar2`` fonts (3909).
- [feaLib] Allow float values in ``VariableScalar``'s axis locations (3906, 3907).
- [cu2qu] Handle special case in ``calc_intersect`` for degenerate cubic curves where 3 to 4
control points are equal (3904).

4.59.1

----------------------------

- [featureVars] Update OS/2.usMaxContext if possible after addFeatureVariationsRaw (3894).
- [vhmtx] raise TTLibError('not enough data...') when hmtx/vmtx are truncated (3843, 3901).
- [feaLib] Combine duplicate features that have the same set of lookups regardless of the order in which those lookups are added to the feature (3895).
- [varLib] Deprecate ``varLib.mutator`` in favor of ``varLib.instancer``. The latter
provides equivalent full (static font) instancing in addition to partial VF instancing.
CLI users should replace ``fonttools varLib.mutator`` with ``fonttools varLib.instancer``.
API users should migrate to ``fontTools.varLib.instancer.instantiateVariableFont`` (2680).

4.59.0

----------------------------

- Removed hard-dependency on pyfilesystem2 (``fs`` package) from ``fonttools[ufo]`` extra.
This is replaced by the `fontTools.misc.filesystem` package, a stdlib-only, drop-in
replacement for the subset of the pyfilesystem2's API used by ``fontTools.ufoLib``.
The latter should continue to work with the upstream ``fs`` (we even test with/without).
Clients who wish to continue using ``fs`` can do so by depending on it directly instead
of via the ``fonttools[ufo]`` extra (3885, 3620).
- [xmlWriter] Replace illegal XML characters (e.g. control or non-characters) with "?"
when dumping to ttx (3868, 71).
- [varLib.hvar] Fixed vertical metrics fields copy/pasta error (3884).
- Micro optimizations in ttLib and sstruct modules (3878, 3879).
- [unicodedata] Add Garay script to RTL_SCRIPTS (3882).
- [roundingPen] Remove unreliable kwarg usage. Argument names aren’t consistent among
point pens’ ``.addComponent()`` implementations, in particular ``baseGlyphName``
vs ``glyphName`` (3880).

4.58.5

----------------------------

- [feaLib] Don't try to combine ligature & multisub rules (3874).
- [feaLib/ast] Use weakref proxies to avoid cycles in visitor (3873).
- [varLib.instancer] Fixed instancing CFF2 fonts where VarData contains more than 64k items (3858).

4.58.4

----------------------------

- [feaLib] Allow for empty MarkFilter & MarkAttach sets (3856).

4.58.3

----------------------------

- [feaLib] Fixed iterable check for Python 3.13.4 and newer (3854, 3855).

4.58.2

----------------------------

- [ttLib.reorderGlyphs] Handle CFF2 when reordering glyphs (3852)
- [subset] Copy name IDs in use before scrapping or scrambling them for webfonts (3853)

4.58.1

----------------------------

- [varLib] Make sure that fvar named instances only reuse name ID 2 or 17 if they are at the default location across all axes, to match OT spec requirement (3831).
- [feaLib] Improve single substitution promotion to multiple/ligature substitutions, fixing a few bugs as well (3849).
- [loggingTools] Make ``Timer._time`` a static method that doesn't take self, makes it easier to override (3836).
- [featureVars] Use ``None`` for empty ConditionSet, which translates to a null offset in the compiled table (3850).
- [feaLib] Raise an error on conflicting ligature substitution rules instead of silently taking the last one (3835).
- Add typing annotations to T2CharStringPen (3837).
- [feaLib] Add single substitutions that were promoted to multiple or ligature substitutions to ``aalt`` feature (3847).
- [featureVars] Create a default ``LangSys`` in a ``ScriptRecord`` if missing when adding feature variations to existing GSUB later in the build (3838).
- [symfont] Added a ``main()``.
- [cffLib.specializer] Fix rmoveto merging when blends used (3839, 3840).
- [pyftmerge] Add support for cmap format 14 in the merge tool (3830).
- [varLib.instancer/cff2] Fix vsindex of Private dicts when instantiating (3828, 3232).
- Update text file read to use UTF-8 with optional BOM so it works with e.g. Windows Notepad.exe (3824).
- [varLib] Ensure that instances only reuse name ID 2 or 17 if they are at the default location across all axes (3831).
- [varLib] Create a dflt LangSys in a ScriptRecord when adding variations later, to fix an avoidable crash in an edge case (3838).

4.58.0

----------------------------

- Drop Python 3.8, require 3.9+ (3819)
- [HVAR, VVAR] Prune unused regions when using a direct mapping (3797)
- [Docs] Improvements to ufoLib documentation (3721)
- [Docs] Improvements to varLib documentation (3727)
- [Docs] Improvements to Pens and pen-module documentation (3724)
- [Docs] Miscellany updates to docs (misc modules and smaller modules) (3730)
- [subset] Close codepoints over BiDi mirror variants. (3801)
- [feaLib] Fix serializing ChainContextPosStatement and
ChainContextSubstStatement in some rare cases (3788)
- [designspaceLib] Clarify user expectations for getStatNames (2892)
- [GVAR] Add support for new `GVAR` table (3728)
- [TSI0, TSI5] Derive number of entries to decompile from data length (2477)
- [ttLib] Fix `AttributeError` when reporting table overflow (3808)
- [ttLib] Apply rounding more often in getCoordinates (3798)
- [ttLib] Ignore component bounds if empty (3799)
- [ttLib] Change the separator for duplicate glyph names from "" to "." (3809)
- [feaLib] Support subtable breaks in CursivePos, MarkBasePos, MarkToLigPos and
MarkToMarkPos lookups (3800, 3807)
- [feaLib] If the same lookup has single substitutions and ligature
substitutions, upgrade single substitutions to ligature substitutions with
one input glyph (3805)
- [feaLib] Correctly handle <NULL> in single pos lookups (3803)
- [feaLib] Remove duplicates from class pair pos classes instead of raising an
error (3804)
- [feaLib] Support creating extension lookups using useExtension lookup flag
instead of silently ignoring it (3811)
- [STAT] Add typing for the simpler STAT arguments (3812)
- [otlLib.builder] Add future import for annotations (3814)
- [cffLib] Fix reading supplement encoding (3813)
- [voltLib] Add some missing functionality and fixes to voltLib and VoltToFea,
making the conversion to feature files more robust. Add also `fonttools
voltLib` command line tool to compile VOLT sources directly (doing an
intermediate fea conversion internally) (3818)
- [pens] Add some PointPen annotations (3820)

4.57.0

----------------------------

- [ttLib.__main__] Add `--no-recalc-timestamp` flag (3771)
- [ttLib.__main__] Add `-b` (recalcBBoxes=False) flag (3772)
- [cmap] Speed up glyphOrder loading from cmap (3774)
- [ttLib.__main__] Improvements around the `-t` flag (3776)
- [Debg] Fix parsing from XML; add roundtrip tests (3781)
- [fealib] Support \*Base.MinMax tables (3783, 3786)
- [config] Add OPTIMIZE_FONT_SPEED (3784)
- [varLib.hvar] New module to add HVAR table to the font (3780)
- [otlLib.optimize] Fix crash when the provided TTF does not contain a `GPOS` (3794)

4.56.0

----------------------------

- [varStore] Sort the input todo list with the same sorting key used for the optimizer's output (3767).
- [otData] Fix DeviceTable's ``DeltaValue`` repeat value which caused a crash after importing from XML and then compiling a GPOS containing Device tables (3758).
- [feaLib] Make ``FeatureLibError`` pickleable, so client can e.g. use feaLib to compile features in parallel with multiprocessing (3762).
- [varLib/gvar] Removed workaround for old, long-fixed macOS bug about composite glyphs with all zero deltas (1381, 1788).
- [Docs] Updated ttLib documentation, beefed up TTFont and TTGlyphSet explanations (3720).

4.55.8

----------------------------

- [MetaTools] Fixed bug in buildUCD.py script whereby the first non-header line of some UCD text file was being skipped. This affected in particular the U+00B7 (MIDDLE DOT) entry of ScriptExtensions.txt (3756).

4.55.7

----------------------------

- Shorten the changelog included in PyPI package description to accommodate maximum length limit imposed by Azure DevOps. No actual code changes since v4.55.6 (3754).

4.55.6

----------------------------

- [glyf] Fixed regression introduced in 4.55.5 when computing bounds of nested composite glyphs  with transformed components (3752).

4.55.5

----------------------------

- [glyf] Fixed recalcBounds of transformed components with unrounded coordinates (3750).
- [feaLib] Allow duplicate script/language statements (3749).

4.55.4

----------------------------

- [bezierTools] Fixed ``splitCubicAtT`` sometimes not returning identical start/end points as result of numerical precision (3742, 3743).
- [feaLib/ast] Fixed docstring of ``AlternateSubstStatement`` (3735).
- [transform] Typing fixes (3734).

4.55.3

----------------------------

- [Docs] fill out ttLib table section [3716]
- [feaLib] More efficient inline format 4 lookups [3726]

4.55.2

----------------------------

- [Docs] update Sphinx config (3712)
- [designspaceLib] Allow axisOrdering to be set to zero (3715)
- [feaLib] Don’t modify variable anchors in place (3717)

4.55.1

----------------------------

- [ttGlyphSet] Support VARC CFF2 fonts (3683)
- [DecomposedTransform] Document and implement always skewY == 0 (3697)
- [varLib] "Fix" cython iup issue? (3704)
- Cython minor refactor (3705)

4.55.0

----------------------------

- [cffLib.specializer] Adjust stack use calculation (3689)
- [varLib] Let's not add mac names if the rest of name doesn't have them (3688)
- [ttLib.reorderGlyphs] Update CFF table charstrings and charset (3682)
- [cffLib.specializer] Add cmdline to specialize a CFF2 font (3675, 3679)
- [CFF2] Lift uint16 VariationStore.length limitation (3674)
- [subset] consider variation selectors subsetting cmap14 (3672)
- [varLib.interpolatable] Support CFF2 fonts (3670)
- Set isfinal to true in XML parser for proper resource cleanup (3669)
- [removeOverlaps] Fix CFF CharString width (3659)
- [glyf] Add optimizeSize option (3657)
- Python 3.13 support (3656)
- [TupleVariation] Optimize for loading speed, not size (3650, 3653)

4.54.1

----------------------------

- [unicodedata] Update to Unicode 16
- [subset] Escape ``\\`` in doc string

4.54.0

----------------------------

- [Docs] Small docs cleanups by n8willis (3611)
- [Docs] cleanup code blocks by n8willis (3627)
- [Docs] fix Sphinx builds by n8willis (3625)
- [merge] Minor fixes to documentation for merge by drj11 (3588)
- [subset] Small tweaks to pyftsubset documentation by RoelN (3633)
- [Tests] Do not require fonttools command to be available by behdad (3612)
- [Tests] subset_test: add failing test to reproduce issue 3616 by anthrotype (3622)
- [ttLib] NameRecordVisitor: include whole sequence of character variants' UI labels, not just the first by anthrotype (3617)
- [varLib.avar] Reconstruct mappings from binary by behdad (3598)
- [varLib.instancer] Fix visual artefacts with partial L2 instancing by Hoolean (3635)
- [varLib.interpolatable] Support discrete axes in .designspace by behdad (3599)
- [varLib.models] By default, assume OpenType-like normalized space by behdad (3601)

4.53.1

----------------------------

- [feaLib] Improve the sharing of inline chained lookups (3559)
- [otlLib] Correct the calculation of OS/2.usMaxContext with reversed chaining contextual single substitutions (3569)
- [misc.visitor] Visitors search the inheritance chain of objects they are visiting (3581)

4.53.0

----------------------------

- [ttLib.removeOverlaps] Support CFF table to aid in downconverting CFF2 fonts (3528)
- [avar] Fix crash when accessing not-yet-existing attribute (3550)
- [docs] Add buildMathTable to otlLib.builder documentation (3540)
- [feaLib] Allow UTF-8 with BOM when reading features (3495)
- [SVGPathPen] Revert rounding coordinates to two decimal places by default (3543)
- [varLib.instancer] Refix output filename decision-making  (3545, 3544, 3548)

4.52.4

----------------------------

- [varLib.cff] Restore and deprecate convertCFFtoCFF2 that was removed in 4.52.0
release as it is used by downstream projects (3535).

4.52.3

----------------------------

- Fixed a small syntax error in the reStructuredText-formatted NEWS.rst file
which caused the upload to PyPI to fail for 4.52.2. No other code changes.

4.52.2

----------------------------

- [varLib.interpolatable] Ensure that scipy/numpy output is JSON-serializable
(3522, 3526).
- [housekeeping] Regenerate table lists, to fix pyinstaller packaging of the new
``VARC`` table (3531, 3529).
- [cffLib] Make CFFToCFF2 and CFF2ToCFF more robust (3521, 3525).

4.52.1

----------------------------

- Fixed a small syntax error in the reStructuredText-formatted NEWS.rst file
which caused the upload to PyPI to fail for 4.52.0. No other code changes.

4.52.0

----------------------------

- Added support for the new ``VARC`` (Variable Composite) table that is being
proposed to OpenType spec (3395). For more info:
https://github.com/harfbuzz/boring-expansion-spec/blob/main/VARC.md
- [ttLib.__main__] Fixed decompiling all tables (90fed08).
- [feaLib] Don't reference the same lookup index multiple times within the same
feature record, it is only applied once anyway (3520).
- [cffLib] Moved methods to desubroutinize, remove hints and unused subroutines
from subset module to cffLib (3517).
- [varLib.instancer] Added support for partial-instancing CFF2 tables! Also, added
method to down-convert from CFF2 to CFF 1.0, and CLI entry points to convert
CFF<->CFF2 (3506).
- [subset] Prune unused user name IDs even with --name-IDs='*' (3410).
- [ttx] use GNU-style getopt to intermix options and positional arguments (3509).
- [feaLib.variableScalar] Fixed ``value_at_location()`` method (3491)
- [psCharStrings] Shorten output of ``encodeFloat`` (3492).
- [bezierTools] Fix infinite-recursion in ``calcCubicArcLength`` (3502).
- [avar2] Implement ``avar2`` support in ``TTFont.getGlyphSet()`` (3473).

Update idna from 3.4 to 3.11.

Changelog

3.11

- Update to Unicode 16.0.0, including significant changes to UTS46
processing. As a result of Unicode ending support for it, transitional
processing no longer has an effect and returns the same result.
- Add support for Python 3.14, lowest supported version is Python 3.8.
- Various updates to packaging, including PEP 740 support.

3.10

+++++++++++++++++

- Reverted to Unicode 15.1.0 data. Unicode 16 has some significant changes
to UTS46 processing that will require more work to properly implement.

3.9

++++++++++++++++

- Update to Unicode 16.0.0
- Deprecate setup.cfg in favour of pyproject.toml
- Use ruff for code formatting

Thanks to Waket Zheng for contributions to this release.

3.8

++++++++++++++++

- Fix regression where IDNAError exception was not being produced for
certain inputs.
- Add support for Python 3.13, drop support for Python 3.5 as it is no
longer testable.
- Documentation improvements
- Updates to package testing using Github actions

Thanks to Hugo van Kemenade for contributions to this release.

3.7

++++++++++++++++

- Fix issue where specially crafted inputs to encode() could
take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

3.6

++++++++++++++++

- Fix regression to include tests in source distribution.

3.5

++++++++++++++++

- Update to Unicode 15.1.0
- String codec name is now "idna2008" as overriding the system codec
"idna" was not working.
- Fix typing error for codec encoding
- "setup.cfg" has been added for this release due to some downstream
lack of adherence to PEP 517. Should be removed in a future release
so please prepare accordingly.
- Removed reliance on a symlink for the "idna-data" tool to comport
with PEP 517 and the Python Packaging User Guide for sdist archives.
- Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions
to this release.

Update jinja2 from 3.1.3 to 3.1.6.

The bot wasn't able to find a changelog for this release. Got an idea?

Update pillow from 10.2.0 to 12.0.0.

Changelog

11.1.0

----------------

See GitHub Releases:

- https://github.com/python-pillow/Pillow/releases

11.0.0

-------------------

- Update licence to MIT-CMU 8460
[hugovk]

- Conditionally define ImageCms type hint to avoid requiring core 8197
[radarhere]

- Support writing LONG8 offsets in AppendingTiffWriter 8417
[radarhere]

- Use ImageFile.MAXBLOCK when saving TIFF images 8461
[radarhere]

- Do not close provided file handles with libtiff when saving 8458
[radarhere]

- Support ImageFilter.BuiltinFilter for I;16* images 8438
[radarhere]

- Use ImagingCore.ptr instead of ImagingCore.id 8341
[homm, radarhere, hugovk]

- Updated EPS mode when opening images without transparency 8281
[Yay295, radarhere]

- Use transparency when combining P frames from APNGs 8443
[radarhere]

- Support all resampling filters when resizing I;16* images 8422
[radarhere]

- Free memory on early return 8413
[radarhere]

- Cast int before potentially exceeding INT_MAX 8402
[radarhere]

- Check image value before use 8400
[radarhere]

- Improved copying imagequant libraries 8420
[radarhere]

- Use Capsule for WebP saving 8386
[homm, radarhere]

- Fixed writing multiple StripOffsets to TIFF 8317
[Yay295, radarhere]

- Fix dereference before checking for NULL in ImagingTransformAffine 8398
[PavlNekrasov]

- Use transposed size after opening for TIFF images 8390
[radarhere, homm]

- Improve ImageFont error messages 8338
[yngvem, radarhere, hugovk]

- Mention MAX_TEXT_CHUNK limit in PNG error message 8391
[radarhere]

- Cast Dib handle to int 8385
[radarhere]

- Accept float stroke widths 8369
[radarhere]

- Deprecate ICNS (width, height, scale) sizes in favour of load(scale) 8352
[radarhere]

- Improved handling of RGBA palettes when saving GIF images 8366
[radarhere]

- Deprecate isImageType 8364
[radarhere]

- Support converting more modes to LAB by converting to RGBA first 8358
[radarhere]

- Deprecate support for FreeType 2.9.0 8356
[hugovk, radarhere]

- Removed unused TiffImagePlugin IFD_LEGACY_API 8355
[radarhere]

- Handle duplicate EXIF header 8350
[zakajd, radarhere]

- Return early from BoxBlur if either width or height is zero 8347
[radarhere]

- Check text is either string or bytes 8308
[radarhere]

- Added writing XMP bytes to JPEG 8286
[radarhere]

- Support JPEG2000 RGBA palettes 8256
[radarhere]

- Expand C image to match GIF frame image size 8237
[radarhere]

- Allow saving I;16 images as PPM 8231
[radarhere]

- When IFD is missing, connect get_ifd() dictionary to Exif 8230
[radarhere]

- Skip truncated ICO mask if LOAD_TRUNCATED_IMAGES is enabled 8180
[radarhere]

- Treat unknown JPEG2000 colorspace as unspecified 8343
[radarhere]

- Updated error message when saving WebP with invalid width or height 8322
[radarhere, hugovk]

- Remove warning if NumPy failed to raise an error during conversion 8326
[radarhere]

- If left and right sides meet in ImageDraw.rounded_rectangle(), do not draw rectangle to fill gap 8304
[radarhere]

- Remove WebP support without anim, mux/demux, and with buggy alpha 8213
[homm, radarhere]

- Add missing TIFF CMYK;16B reader 8298
[homm]

- Remove all WITH_* flags from _imaging.c and other flags 8211
[homm]

- Improve ImageDraw2 shape methods 8265
[radarhere]

- Lock around usages of imaging memory arenas 8238
[lysnikolaou]

- Deprecate JpegImageFile huffman_ac and huffman_dc 8274
[radarhere]

- Deprecate ImageMath lambda_eval and unsafe_eval options argument 8242
[radarhere]

- Changed ContainerIO to subclass IO 8240
[radarhere]

- Move away from APIs that use borrowed references under the free-threaded build 8216
[hugovk, lysnikolaou]

- Allow size argument to resize() to be a NumPy array 8201
[radarhere]

- Drop support for Python 3.8 8183
[hugovk, radarhere]

- Add support for Python 3.13 8181
[hugovk, radarhere]

- Fix incompatibility with NumPy 1.20 8187
[neutrinoceros, radarhere]

- Remove PSFile, PyAccess and USE_CFFI_ACCESS 8182
[hugovk, radarhere]

10.4.0

-------------------

- Raise FileNotFoundError if show_file() path does not exist 8178
[radarhere]

- Improved reading 16-bit TGA images with colour 7965
[Yay295, radarhere]

- Deprecate non-image ImageCms modes 8031
[radarhere]

- Fixed processing multiple JPEG EXIF markers 8127
[radarhere]

- Do not preserve EXIFIFD tag by default when saving TIFF images 8110
[radarhere]

- Added ImageFont.load_default_imagefont() 8086
[radarhere]

- Added Image.WARN_POSSIBLE_FORMATS 8063
[radarhere]

- Remove zero-byte end padding when parsing any XMP data 8171
[radarhere]

- Do not detect Ultra HDR images as MPO 8056
[radarhere]

- Raise SyntaxError specific to JP2 8146
[Yay295, radarhere]

- Do not use first frame duration for other frames when saving APNG images 8104
[radarhere]

- Consider I;16 pixel size when using a 1 mode mask 8112
[radarhere]

- When saving multiple PNG frames, convert to mode rather than raw mode 8087
[radarhere]

- Added byte support to FreeTypeFont 8141
[radarhere]

- Allow float center for rotate operations 8114
[radarhere]

- Do not read layers immediately when opening PSD images 8039
[radarhere]

- Restore original thread state 8065
[radarhere]

- Read IM and TIFF images as RGB, rather than RGBX 7997
[radarhere]

- Only preserve TIFF IPTC_NAA_CHUNK tag if type is BYTE or UNDEFINED 7948
[radarhere]

- Clarify ImageDraw2 error message when size is missing 8165
[radarhere]

- Support unpacking more rawmodes to RGBA palettes 7966
[radarhere]

- Removed support for Qt 5 8159
[radarhere]

- Improve ``ImageFont.freetype`` support for XDG directories on Linux 8135
[mamg22, radarhere]

- Improved consistency of XMP handling 8069
[radarhere]

- Use pkg-config to help find libwebp and raqm 8142
[radarhere]

- Accept 't' suffix for libtiff version 8126, 8129
[radarhere]

- Deprecate ImageDraw.getdraw hints parameter 8124
[radarhere, hugovk]

- Added ImageDraw circle() 8085
[void4, hugovk, radarhere]

- Add mypy target to Makefile 8077
[Yay295]

- Added more modes to Image.MODES 7984
[radarhere]

- Deprecate BGR;15, BGR;16 and BGR;24 modes 7978
[radarhere, hugovk]

- Fix ImagingAccess for I;16N on big-endian 7921
[Yay295, radarhere]

- Support reading P mode TIFF images with padding 7996
[radarhere]

- Deprecate support for libtiff < 4 7998
[radarhere, hugovk]

- Corrected ImageShow UnixViewer command 7987
[radarhere]

- Use functools.cached_property in ImageStat 7952
[nulano, hugovk, radarhere]

- Add support for reading BITMAPV2INFOHEADER and BITMAPV3INFOHEADER 7956
[Cirras, radarhere]

- Support reading CMYK JPEG2000 images 7947
[radarhere]

10.3.0

-------------------

- CVE-2024-28219: Use ``strncpy`` to avoid buffer overflow 7928
[radarhere, hugovk]

- Deprecate ``eval()``, replacing it with ``lambda_eval()`` and ``unsafe_eval()`` 7927
[radarhere, hugovk]

- Raise ``ValueError`` if seeking to greater than offset-sized integer in TIFF 7883
[radarhere]

- Add ``--report`` argument to ``__main__.py`` to omit supported formats 7818
[nulano, radarhere, hugovk]

- Added RGB to I;16, I;16L, I;16B and I;16N conversion 7918, 7920
[radarhere]

- Fix editable installation with custom build backend and configuration options 7658
[nulano, radarhere]

- Fix putdata() for I;16N on big-endian 7209
[Yay295, hugovk, radarhere]

- Determine MPO size from markers, not EXIF data 7884
[radarhere]

- Improved conversion from RGB to RGBa, LA and La 7888
[radarhere]

- Support FITS images with GZIP_1 compression 7894
[radarhere]

- Use I;16 mode for 9-bit JPEG 2000 images 7900
[scaramallion, radarhere]

- Raise ValueError if kmeans is negative 7891
[radarhere]

- Remove TIFF tag OSUBFILETYPE when saving using libtiff 7893
[radarhere]

- Raise ValueError for negative values when loading P1-P3 PPM images 7882
[radarhere]

- Added reading of JPEG2000 palettes 7870
[radarhere]

- Added alpha_quality argument when saving WebP images 7872
[radarhere]

- Fixed joined corners for ImageDraw rounded_rectangle() non-integer dimensions 7881
[radarhere]

- Stop reading EPS image at EOF marker 7753
[radarhere]

- PSD layer co-ordinates may be negative 7706
[radarhere]

- Use subprocess with CREATE_NO_WINDOW flag in ImageShow WindowsViewer 7791
[radarhere]

- When saving GIF frame that restores to background color, do not fill identical pixels 7788
[radarhere]

- Fixed reading PNG iCCP compression method 7823
[radarhere]

- Allow writing IFDRational to UNDEFINED tag 7840
[radarhere]

- Fix logged tag name when loading Exif data 7842
[radarhere]

- Use maximum frame size in IHDR chunk when saving APNG images 7821
[radarhere]

- Prevent opening P TGA images without a palette 7797
[radarhere]

- Use palette when loading ICO images 7798
[radarhere]

- Use consistent arguments for load_read and load_seek 7713
[radarhere]

- Turn off nullability warnings for macOS SDK 7827
[radarhere]

- Fix shift-sign issue in Convert.c 7838
[r-barnes, radarhere]

- Open 16-bit grayscale PNGs as I;16 7849
[radarhere]

- Handle truncated chunks at the end of PNG images 7709
[lajiyuan, radarhere]

- Match mask size to pasted image size in GifImagePlugin 7779
[radarhere]

- Release GIL while calling ``WebPAnimDecoderGetNext`` 7782
[evanmiller, radarhere]

- Fixed reading FLI/FLC images with a prefix chunk 7804
[twolife]

- Update wl-paste handling and return None for some errors in grabclipboard() on Linux 7745
[nik012003, radarhere]

- Remove execute bit from ``setup.py`` 7760
[hugovk]

- Do not support using test-image-results to upload images after test failures 7739
[radarhere]

- Changed ImageMath.ops to be static 7721
[radarhere]

- Fix APNG info after seeking backwards more than twice 7701
[esoma, radarhere]

- Deprecate ImageCms constants and versions() function 7702
[nulano, radarhere]

- Added PerspectiveTransform 7699
[radarhere]

- Add support for reading and writing grayscale PFM images 7696
[nulano, hugovk]

- Add LCMS2 flags to ImageCms 7676
[nulano, radarhere, hugovk]

- Rename x64 to AMD64 in winbuild 7693
[nulano]

Update requests from 2.31.0 to 2.32.5.

Changelog

2.32.5

-------------------

**Bugfixes**

- The SSLContext caching feature originally introduced in 2.32.0 has created
a new class of issues in Requests that have had negative impact across a number
of use cases. The Requests team has decided to revert this feature as long term
maintenance of it is proving to be unsustainable in its current iteration.

**Deprecations**
- Added support for Python 3.14.
- Dropped support for Python 3.8 following its end of support.

2.32.4

-------------------

**Security**
- CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file.

**Improvements**
- Numerous documentation improvements

**Deprecations**
- Added support for pypy 3.11 for Linux and macOS.
- Dropped support for pypy 3.9 following its end of support.

2.32.3

-------------------

**Bugfixes**
- Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (6716)
- Fixed issue where Requests started failing to run on Python versions compiled
without the `ssl` module. (6724)

2.32.2

-------------------

**Deprecations**
- To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed `_get_connection` to
a new public API, `get_connection_with_tls_context`. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
`get_connection` is considered deprecated in all versions of Requests>=2.32.0.

A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (6710)

2.32.1

-------------------

**Bugfixes**
- Add missing test certs to the sdist distributed on PyPI.

2.32.0

-------------------

**Security**
- Fixed an issue where setting `verify=False` on the first request from a
Session will cause subsequent requests to the _same origin_ to also ignore
cert verification, regardless of the value of `verify`.
(https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

**Improvements**
- `verify=True` now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x. (6667)
- Requests now supports optional use of character detection
(`chardet` or `charset_normalizer`) when repackaged or vendored.
This enables `pip` and other projects to minimize their vendoring
surface area. The `Response.text()` and `apparent_encoding` APIs
will default to `utf-8` if neither library is present. (6702)

**Bugfixes**
- Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length. (6589)
- Fixed deserialization bug in JSONDecodeError. (6629)
- Fixed bug where an extra leading `/` (path separator) could lead
urllib3 to unnecessarily reparse the request URI. (6644)

**Deprecations**

- Requests has officially added support for CPython 3.12 (6503)
- Requests has officially added support for PyPy 3.9 and 3.10 (6641)
- Requests has officially dropped support for CPython 3.7 (6642)
- Requests has officially dropped support for PyPy 3.7 and 3.8 (6641)

**Documentation**
- Various typo fixes and doc improvements.

**Packaging**
- Requests has started adopting some modern packaging practices.
The source files for the project (formerly `requests`) are now located
in `src/requests` in the Requests sdist. (6506)
- Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system
using `hatchling`. This should not impact the average user, but extremely old
versions of packaging utilities may have issues with the new packaging format.

Update urllib3 from 2.0.7 to 2.5.0.

Changelog

2.5.0

==================

Features
--------

- Added support for the ``compression.zstd`` module that is new in Python 3.14.
See `PEP 784 <https://peps.python.org/pep-0784/>`_ for more information. (`#3610 <https://github.com/urllib3/urllib3/issues/3610>`__)
- Added support for version 0.5 of ``hatch-vcs`` (`3612 <https://github.com/urllib3/urllib3/issues/3612>`__)


Bugfixes
--------

- Fixed a security issue where restricting the maximum number of followed
redirects at the ``urllib3.PoolManager`` level via the ``retries`` parameter
did not work.
- Made the Node.js runtime respect redirect parameters such as ``retries``
and ``redirects``.
- Raised exception for ``HTTPResponse.shutdown`` on a connection already released to the pool. (`3581 <https://github.com/urllib3/urllib3/issues/3581>`__)
- Fixed incorrect `CONNECT` statement when using an IPv6 proxy with `connection_from_host`. Previously would not be wrapped in `[]`. (`3615 <https://github.com/urllib3/urllib3/issues/3615>`__)

2.4.0

==================

Features
--------

- Applied PEP 639 by specifying the license fields in pyproject.toml. (`3522 <https://github.com/urllib3/urllib3/issues/3522>`__)
- Updated exceptions to save and restore more properties during the pickle/serialization process. (`3567 <https://github.com/urllib3/urllib3/issues/3567>`__)
- Added ``verify_flags`` option to ``create_urllib3_context`` with a default of ``VERIFY_X509_PARTIAL_CHAIN`` and ``VERIFY_X509_STRICT`` for Python 3.13+. (`3571 <https://github.com/urllib3/urllib3/issues/3571>`__)


Bugfixes
--------

- Fixed a bug with partial reads of streaming data in Emscripten. (`3555 <https://github.com/urllib3/urllib3/issues/3555>`__)


Misc
----

- Switched to uv for installing development dependencies. (`3550 <https://github.com/urllib3/urllib3/issues/3550>`__)
- Removed the ``multiple.intoto.jsonl`` asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. (`3566 <https://github.com/urllib3/urllib3/issues/3566>`__)

2.3.0

==================

Features
--------

- Added ``HTTPResponse.shutdown()`` to stop any ongoing or future reads for a specific response. It calls ``shutdown(SHUT_RD)`` on the underlying socket. This feature was `sponsored by LaunchDarkly <https://opencollective.com/urllib3/contributions/815307>`__. (`#2868 <https://github.com/urllib3/urllib3/issues/2868>`__)
- Added support for JavaScript Promise Integration on Emscripten. This enables more efficient WebAssembly
requests and streaming, and makes it possible to use in Node.js if you launch it as  ``node --experimental-wasm-stack-switching``. (`3400 <https://github.com/urllib3/urllib3/issues/3400>`__)
- Added the ``proxy_is_tunneling`` property to ``HTTPConnection`` and ``HTTPSConnection``. (`3285 <https://github.com/urllib3/urllib3/issues/3285>`__)
- Added pickling support to ``NewConnectionError`` and ``NameResolutionError``. (`3480 <https://github.com/urllib3/urllib3/issues/3480>`__)


Bugfixes
--------

- Fixed an issue in debug logs where the HTTP version was rendering as "HTTP/11" instead of "HTTP/1.1". (`3489 <https://github.com/urllib3/urllib3/issues/3489>`__)


Deprecations and Removals
-------------------------

- Removed support for Python 3.8. (`3492 <https://github.com/urllib3/urllib3/issues/3492>`__)

2.2.3

==================

Features
--------

- Added support for Python 3.13. (`3473 <https://github.com/urllib3/urllib3/issues/3473>`__)

Bugfixes
--------

- Fixed the default encoding of chunked request bodies to be UTF-8 instead of ISO-8859-1.
All other methods of supplying a request body already use UTF-8 starting in urllib3 v2.0. (`3053 <https://github.com/urllib3/urllib3/issues/3053>`__)
- Fixed ResourceWarning on CONNECT with Python < 3.11.4 by backporting https://github.com/python/cpython/issues/103472. (`#3252 <https://github.com/urllib3/urllib3/issues/3252>`__)
- Adjust tolerance for floating-point comparison on Windows to avoid flakiness in CI (`3413 <https://github.com/urllib3/urllib3/issues/3413>`__)
- Fixed a crash where certain standard library hash functions were absent in restricted environments. (`3432 <https://github.com/urllib3/urllib3/issues/3432>`__)
- Fixed mypy error when adding to ``HTTPConnection.default_socket_options``. (`3448 <https://github.com/urllib3/urllib3/issues/3448>`__)

HTTP/2 (experimental)
---------------------

HTTP/2 support is still in early development.

- Excluded Transfer-Encoding: chunked from HTTP/2 request body (`3425 <https://github.com/urllib3/urllib3/issues/3425>`__)
- Added version checking for ``h2`` (https://pypi.org/project/h2/) usage.
Now only accepting supported h2 major version 4.x.x. (`3290 <https://github.com/urllib3/urllib3/issues/3290>`__)
- Added a probing mechanism for determining whether a given target origin
supports HTTP/2 via ALPN. (`3301 <https://github.com/urllib3/urllib3/issues/3301>`__)
- Add support for sending a request body with HTTP/2 (`3302 <https://github.com/urllib3/urllib3/issues/3302>`__)


Deprecations and Removals
-------------------------

- Note for downstream distributors: the ``_version.py`` file has been removed and is now created at build time by hatch-vcs. (`3412 <https://github.com/urllib3/urllib3/issues/3412>`__)
- Drop support for end-of-life PyPy3.8 and PyPy3.9. (`3475 <https://github.com/urllib3/urllib3/issues/3475>`__)

2.2.2

==================

- Added the ``Proxy-Authorization`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``.
- Allowed passing negative integers as ``amt`` to read methods of ``http.client.HTTPResponse`` as an alternative to ``None``. (`3122 <https://github.com/urllib3/urllib3/issues/3122>`__)
- Fixed return types representing copying actions to use ``typing.Self``. (`3363 <https://github.com/urllib3/urllib3/issues/3363>`__)

2.2.1

==================

- Fixed issue where ``InsecureRequestWarning`` was emitted for HTTPS connections when using Emscripten. (`3331 <https://github.com/urllib3/urllib3/issues/3331>`__)
- Fixed ``HTTPConnectionPool.urlopen`` to stop automatically casting non-proxy headers to ``HTTPHeaderDict``. This change was premature as it did not apply to proxy headers and ``HTTPHeaderDict`` does not handle byte header values correctly yet. (`3343 <https://github.com/urllib3/urllib3/issues/3343>`__)
- Changed ``InvalidChunkLength`` to ``ProtocolError`` when response terminates before the chunk length is sent. (`2860 <https://github.com/urllib3/urllib3/issues/2860>`__)
- Changed ``ProtocolError`` to be more verbose on incomplete reads with excess content. (`3261 <https://github.com/urllib3/urllib3/issues/3261>`__)

2.2.0

==================

- Added support for `Emscripten and Pyodide <https://urllib3.readthedocs.io/en/latest/reference/contrib/emscripten.html>`__, including streaming support in cross-origin isolated browser environments where threading is enabled. (`#2951 <https://github.com/urllib3/urllib3/issues/2951>`__)
- Added support for ``HTTPResponse.read1()`` method. (`3186 <https://github.com/urllib3/urllib3/issues/3186>`__)
- Added rudimentary support for HTTP/2. (`3284 <https://github.com/urllib3/urllib3/issues/3284>`__)
- Fixed issue where requests against urls with trailing dots were failing due to SSL errors
when using proxy. (`2244 <https://github.com/urllib3/urllib3/issues/2244>`__)
- Fixed ``HTTPConnection.proxy_is_verified`` and ``HTTPSConnection.proxy_is_verified``
to be always set to a boolean after connecting to a proxy. It could be
``None`` in some cases previously. (`3130 <https://github.com/urllib3/urllib3/issues/3130>`__)
- Fixed an issue where ``headers`` passed in a request with ``json=`` would be mutated (`3203 <https://github.com/urllib3/urllib3/issues/3203>`__)
- Fixed ``HTTPSConnection.is_verified`` to be set to ``False`` when connecting
from a HTTPS proxy to an HTTP target. It was set to ``True`` previously. (`3267 <https://github.com/urllib3/urllib3/issues/3267>`__)
- Fixed handling of new error message from OpenSSL 3.2.0 when configuring an HTTP proxy as HTTPS (`3268 <https://github.com/urllib3/urllib3/issues/3268>`__)
- Fixed TLS 1.3 post-handshake auth when the server certificate validation is disabled (`3325 <https://github.com/urllib3/urllib3/issues/3325>`__)
- Note for downstream distributors: To run integration tests, you now need to run the tests a second
time with the ``--integration`` pytest flag. (`3181 <https://github.com/urllib3/urllib3/issues/3181>`__)

2.1.0

==================

- Removed support for the deprecated urllib3[secure] extra. (`2680 <https://github.com/urllib3/urllib3/issues/2680>`__)
- Removed support for the deprecated SecureTransport TLS implementation. (`2681 <https://github.com/urllib3/urllib3/issues/2681>`__)
- Removed support for the end-of-life Python 3.7. (`3143 <https://github.com/urllib3/urllib3/issues/3143>`__)
- Allowed loading CA certificates from memory for proxies. (`3065 <https://github.com/urllib3/urllib3/issues/3065>`__)
- Fixed decoding Gzip-encoded responses which specified ``x-gzip`` content-encoding. (`3174 <https://github.com/urllib3/urllib3/issues/3174>`__)

@pyup-bot pyup-bot added the dependencies Pull requests that update a dependency file label Dec 1, 2025
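
The `verify=False` issue listed under Requests 2.32.0 in the changelog above, as a simplified model added here; it is not code from Requests or from this PR. The `Pool` and `Conn` classes, the host names and the keying scheme are constructed for illustration, assuming the downgrade comes from reusing a pooled connection that is keyed by origin alone.

```python
from dataclasses import dataclass, field


@dataclass
class Conn:
    origin: tuple
    verified: bool  # did the handshake check the server certificate?


@dataclass
class Pool:
    """Toy connection pool (hypothetical, not the Requests/urllib3 classes)."""
    include_tls_in_key: bool
    conns: dict = field(default_factory=dict)
    handshakes: int = 0

    def _key(self, origin, verify, cert):
        # Weak model: key on origin only, so TLS settings of the first
        # request stick. Hardened model: TLS settings are part of the key,
        # so requests with different settings never share a connection.
        return (origin, verify, cert) if self.include_tls_in_key else origin

    def get(self, origin, verify=True, cert=None):
        key = self._key(origin, verify, cert)
        if key not in self.conns:
            self.handshakes += 1
            self.conns[key] = Conn(origin, verified=bool(verify))
        return self.conns[key]


def run_session(pool, sequence):
    """Per request: (verification asked for, verification actually in effect)."""
    return [(bool(v), pool.get(o, verify=v).verified) for o, v in sequence]


def downgraded(results):
    """Indices of requests that asked for verification but did not get it."""
    return [i for i, (asked, got) in enumerate(results) if asked and not got]


# Constructed sample session: one unverified request, then verified ones.
ORIGIN = ("https", "api.example.test", 443)
OTHER = ("https", "other.example.test", 443)
SEQUENCE = [(ORIGIN, False), (ORIGIN, True), (OTHER, True), (ORIGIN, True)]

if __name__ == "__main__":
    for label, flag in (("origin-only key", False), ("origin+TLS key", True)):
        pool = Pool(include_tls_in_key=flag)
        res = run_session(pool, SEQUENCE)
        print(label, "downgraded:", downgraded(res), "handshakes:", pool.handshakes)
```

The same comparison of requested against effective verification is a useful audit for a custom `HTTPAdapter` before it is migrated to `get_connection_with_tls_context`.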
pyup-bot commented Jan 1, 2026

Closing this in favor of #746

@pyup-bot pyup-bot closed this Jan 1, 2026
@GregaVrbancic GregaVrbancic deleted the pyup-scheduled-update-2025-12-01 branch January 1, 2026 17:13