Scheduled monthly dependency update for May #761

Open
pyup-bot wants to merge 3 commits into master from pyup-scheduled-update-2026-05-01
Collaborator

@pyup-bot pyup-bot commented May 1, 2026

Update fonttools from 4.61.0 to 4.62.1.

Changelog

4.62.1

----------------------------

- [feaLib] Extend contextual rule merging to all rule types: single subst, GSUB/GPOS
named lookups, ignore rules, and chained alternate subst (4061).

4.62.0

----------------------------

- [diff] Add new ``fonttools diff`` command for comparing font files, imported from the
``fdiff`` project and heavily reworked (1190, 4007, 4009, 4011, 4013, 4019).
- [feaLib] Fix ``VariableScalar`` interpolation bug with non-linear avar mappings. Also
decouple ``VariableScalar`` from compiled fonts, allowing it to work with designspace data
before compilation (3938, 4054).
- [feaLib] Fix ``VariableScalar`` axis ordering and iterative delta rounding to match fontc
behavior (4053).
- [feaLib] Merge chained multi subst rules with same context into a single subtable instead of
emitting one subtable per glyph (4016, 4058).
- [feaLib] Pass location to ``ConditionsetStatement`` to fix glyphsLib round-tripping
(fontra/fontra-glyphs130, 4057).
- [feaLib] Write ``0xFFFF`` instead of ``0`` for missing nameIDs in ``cv`` feature params
(4010, 4012).
- [cmap] Fix ``CmapSubtable.__lt__()`` ``TypeError`` on Python 3 when subtables share the
same encoding record, and add compile-time validation for unique encoding records (4035,
4055).
- [svgLib] Skip non-element XML nodes (comments, processing instructions) when drawing SVG
paths (4042, 4043).
- [glifLib] Fix regression reading glyph outlines when ``glyphObject=None`` (4030, 4031).
- [pointPen] Fix ``SegmentToPointPen`` edge case: only remove a duplicate final point on
``closePath()`` if it is an on-curve point (4014, 4015).
- [cffLib] **SECURITY** Replace ``eval()`` with ``safeEval()`` in ``parseBlendList()`` to
prevent arbitrary code execution from crafted TTX files (4039, 4040).
- [ttLib] Remove defunct Adobe SING Glyphlet tables (``META``, ``SING``, ``GMAP``, ``GPKG``)
(4044).
- [varLib.interpolatable] Various bugfixes: fix swapped nodeTypes assignment, duplicate
kink-detector condition, typos, CFF2 vsindex parsing, glyph existence check, and plot
helpers (4046).
- [varLib.models] Fix ``getSubModel`` not forwarding ``extrapolate``/``axisRanges``; check
location uniqueness after stripping zeros (4047).
- [varLib] Fix ``--variable-fonts`` filter in ``build_many``; remove dead code and fix
comments (4048).
- [avar] Preserve existing name table in build; keep ``unbuild`` return types consistent;
validate ``map`` CLI coordinates (4051).
- [cu2qu/qu2cu] Add input validation: reject non-positive tolerances, validate curve inputs
and list lengths (4052).
- [colorLib] Raise a clear ``ColorLibError`` when base glyphs are missing from glyphMap,
instead of a confusing ``KeyError`` (4041).
- [glyf] Remove unnecessary ``fvar`` table dependency (4017).
- [fvar/trak] Remove unnecessary ``name`` table dependency (4018).
- [ufoLib] Relax guideline validation to follow the updated spec (3537, 3553).
- [ttFont] Fix ``saveXML`` regression with empty table lists, clarify docstring (4025, 4026,
4056).
- [setup.py] Link ``libm`` for Cython extensions using math functions (4028, 4029).
- Add typing annotations for ``DSIG``, ``DefaultTable``, ``ttProgram`` (4033).

4.61.1

----------------------------

- [otlLib] buildCoverage: return empty Coverage instead of None (4003, 4004).
- [instancer] bug fix in ``avar2`` full instancing (4002).
- [designspaceLib] Preserve empty conditionsets when serializing to XML (4001).
- [fontBuilder] Fix FontBuilder ``setupOS2()`` default params globally polluted (3996, 3997).
- [ttFont] Add more typing annotations to ttFont, xmlWriter, sfnt, varLib.models and others (3952, 3826).
- Explicitly test and declare support for Python 3.14, even though we were already shipping pre-built wheels for it (3990).

Update pillow from 12.1.1 to 12.2.0.

The bot wasn't able to find a changelog for this release. Got an idea?

Update requests from 2.32.5 to 2.33.1.

Changelog

2.33.1

-------------------

**Bugfixes**
- Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary
files in the tmp directory. (7305)
- Fixed Content-Type header parsing for malformed values. (7309)
- Improved error consistency for malformed header values. (7308)

2.33.0

-------------------

**Announcements**
- 📣 Requests is adding inline types. If you have a typed code base that
uses Requests, please take a look at 7271. Give it a try, and report
any gaps or feedback you may have in the issue. 📣

**Security**
- CVE-2026-25645 ``requests.utils.extract_zipped_paths`` now extracts
contents to a non-deterministic location to prevent malicious file
replacement. This does not affect default usage of Requests, only
applications calling the utility function directly.

**Improvements**
- Migrated to a PEP 517 build system using setuptools. (7012)

**Bugfixes**
- Fixed an issue where an empty netrc entry could cause
malformed authentication to be applied to Requests on
Python 3.11+. (7205)

**Deprecations**
- Dropped support for Python 3.9 following its end of support. (7196)

**Documentation**
- Various typo fixes and doc improvements.

@pyup-bot pyup-bot added the dependencies Pull requests that update a dependency file label May 1, 2026
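
The CVE-2026-25645 entry in the requests changelog above describes moving extraction to a non-deterministic location to prevent file replacement. The following is an added illustration of that class of issue and its fix, not code from Requests or from this pull request; the function names, the `shared_tmp` stand-in directory and the sample files are all constructed for the example.

```python
import os
import tempfile
import zipfile


def extract_predictable(zip_path, member, tmp_dir):
    """Weak pattern: the target name is derived only from the member name."""
    target = os.path.join(tmp_dir, os.path.basename(member))
    if not os.path.exists(target):  # an existing file is trusted as-is
        with zipfile.ZipFile(zip_path) as zf, open(target, "wb") as out:
            out.write(zf.read(member))
    return target


def extract_unpredictable(zip_path, member, tmp_dir):
    """Hardened pattern: mkstemp picks a random name, created with O_EXCL and mode 0600."""
    suffix = os.path.splitext(member)[1]
    fd, target = tempfile.mkstemp(suffix=suffix, dir=tmp_dir)
    with zipfile.ZipFile(zip_path) as zf, os.fdopen(fd, "wb") as out:
        out.write(zf.read(member))
    return target


def demo():
    """Return (bytes read via weak pattern, bytes read via hardened pattern)."""
    with tempfile.TemporaryDirectory() as work:
        shared_tmp = os.path.join(work, "tmp")  # stands in for a world-writable temp dir
        os.mkdir(shared_tmp)
        zip_path = os.path.join(work, "bundle.zip")
        with zipfile.ZipFile(zip_path, "w") as zf:
            zf.writestr("certs/ca.pem", b"GENUINE")  # constructed sample content
        # Constructed precondition: a file with the expected name already exists.
        with open(os.path.join(shared_tmp, "ca.pem"), "wb") as f:
            f.write(b"PLANTED")
        results = []
        for extract in (extract_predictable, extract_unpredictable):
            with open(extract(zip_path, "certs/ca.pem", shared_tmp), "rb") as f:
                results.append(f.read())
        return tuple(results)


if __name__ == "__main__":
    print(demo())
```

The weak variant hands back whatever already sits at the guessable path, while the hardened variant always returns a freshly created file holding the archive's own bytes.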