Scheduled weekly dependency update for week 13

[pyup-bot]

Update requests from 2.27.1 to 2.33.0.

Changelog

2.33.0

--------------------

**Announcements**
- 📣 Requests is adding inline types. If you have a typed code base that
uses Requests, please take a look at 7271. Give it a try, and report
any gaps or feedback you may have in the issue. 📣

**Security**
- CVE-2026-25645 ``requests.utils.extract_zipped_paths`` now extracts
contents to a non-deterministic location to prevent malicious file
replacement. This does not affect default usage of Requests, only
applications calling the utility function directly.

**Improvements**
- Migrated to a PEP 517 build system using setuptools. (7012)

**Bugfixes**
- Fixed an issue where an empty netrc entry could cause
malformed authentication to be applied to Requests on
Python 3.11+. (7205)

**Deprecations**
- Dropped support for Python 3.9 following its end of support. (7196)

**Documentation**
- Various typo fixes and doc improvements.

2.32.5

-------------------

**Bugfixes**

- The SSLContext caching feature originally introduced in 2.32.0 has created
a new class of issues in Requests that have had negative impact across a number
of use cases. The Requests team has decided to revert this feature as long term
maintenance of it is proving to be unsustainable in its current iteration.

**Deprecations**
- Added support for Python 3.14.
- Dropped support for Python 3.8 following its end of support.

2.32.4

-------------------

**Security**
- CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
environment will retrieve credentials for the wrong hostname/machine from a
netrc file.

**Improvements**
- Numerous documentation improvements

**Deprecations**
- Added support for pypy 3.11 for Linux and macOS.
- Dropped support for pypy 3.9 following its end of support.

2.32.3

-------------------

**Bugfixes**
- Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of
HTTPAdapter. (6716)
- Fixed issue where Requests started failing to run on Python versions compiled
without the `ssl` module. (6724)

2.32.2

-------------------

**Deprecations**
- To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed `_get_connection` to
a new public API, `get_connection_with_tls_context`. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
`get_connection` is considered deprecated in all versions of Requests>=2.32.0.

A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (6710)

2.32.1

-------------------

**Bugfixes**
- Add missing test certs to the sdist distributed on PyPI.

2.32.0

-------------------

**Security**
- Fixed an issue where setting `verify=False` on the first request from a
Session will cause subsequent requests to the _same origin_ to also ignore
cert verification, regardless of the value of `verify`.
(https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

**Improvements**
- `verify=True` now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x. (6667)
- Requests now supports optional use of character detection
(`chardet` or `charset_normalizer`) when repackaged or vendored.
This enables `pip` and other projects to minimize their vendoring
surface area. The `Response.text()` and `apparent_encoding` APIs
will default to `utf-8` if neither library is present. (6702)

**Bugfixes**
- Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length. (6589)
- Fixed deserialization bug in JSONDecodeError. (6629)
- Fixed bug where an extra leading `/` (path separator) could lead
urllib3 to unnecessarily reparse the request URI. (6644)

**Deprecations**

- Requests has officially added support for CPython 3.12 (6503)
- Requests has officially added support for PyPy 3.9 and 3.10 (6641)
- Requests has officially dropped support for CPython 3.7 (6642)
- Requests has officially dropped support for PyPy 3.7 and 3.8 (6641)

**Documentation**
- Various typo fixes and doc improvements.

**Packaging**
- Requests has started adopting some modern packaging practices.
The source files for the projects (formerly `requests`) is now located
in `src/requests` in the Requests sdist. (6506)
- Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system
using `hatchling`. This should not impact the average user, but extremely old
versions of packaging utilities may have issues with the new packaging format.

2.31.0

-------------------

**Security**
- Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
forwarding of `Proxy-Authorization` headers to destination servers when
following HTTPS redirects.

When proxies are defined with user info (`https://user:passproxy:8080`), Requests
will construct a `Proxy-Authorization` header that is attached to the request to
authenticate with the proxy.

In cases where Requests receives a redirect response, it previously reattached
the `Proxy-Authorization` header incorrectly, resulting in the value being
sent through the tunneled connection to the destination server. Users who rely on
defining their proxy credentials in the URL are *strongly* encouraged to upgrade
to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
credentials once the change has been fully deployed.

Users who do not use a proxy or do not supply their proxy credentials through
the user information portion of their proxy URL are not subject to this
vulnerability.

Full details can be read in our [Github Security Advisory](https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q)
and [CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681).

2.30.0

-------------------

**Dependencies**
- ⚠️ Added support for urllib3 2.0. ⚠️

This may contain minor breaking changes so we advise careful testing and
reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html
prior to upgrading.

Users who wish to stay on urllib3 1.x can pin to `urllib3<2`.

2.29.0

-------------------

**Improvements**

- Requests now defers chunked requests to the urllib3 implementation to improve
standardization. (6226)
- Requests relaxes header component requirements to support bytes/str subclasses. (6356)

2.28.2

-------------------

**Dependencies**

- Requests now supports charset\_normalizer 3.x. (6261)

**Bugfixes**

- Updated MissingSchema exception to suggest https scheme rather than http. (6188)

2.28.1

-------------------

**Improvements**

- Speed optimization in `iter_content` with transition to `yield from`. (6170)

**Dependencies**

- Added support for chardet 5.0.0 (6179)
- Added support for charset-normalizer 2.1.0 (6169)

2.28.0

-------------------

**Deprecations**

- ⚠️ Requests has officially dropped support for Python 2.7. ⚠️ (6091)
- Requests has officially dropped support for Python 3.6 (including pypy3.6). (6091)

**Improvements**

- Wrap JSON parsing issues in Request's JSONDecodeError for payloads without
an encoding to make `json()` API consistent. (6097)
- Parse header components consistently, raising an InvalidHeader error in
all invalid cases. (6154)
- Added provisional 3.11 support with current beta build. (6155)
- Requests got a makeover and we decided to paint it black. (6095)

**Bugfixes**

- Fixed bug where setting `CURL_CA_BUNDLE` to an empty string would disable
cert verification. All Requests 2.x versions before 2.28.0 are affected. (6074)
- Fixed urllib3 exception leak, wrapping `urllib3.exceptions.SSLError` with
`requests.exceptions.SSLError` for `content` and `iter_content`. (6057)
- Fixed issue where invalid Windows registry entries caused proxy resolution
to raise an exception rather than ignoring the entry. (6149)
- Fixed issue where entire payload could be included in the error message for
JSONDecodeError. (6036)

Links

• PyPI: https://pypi.org/project/requests
• Changelog: https://data.safetycli.com/changelogs/requests/

Update webrequest from 0.0.78 to 0.1.0.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

• PyPI: https://pypi.org/project/webrequest
• Repo: https://github.com/fake-name/WebRequest

Update setproctitle from 1.2.2 to 1.3.7.

Changelog

1.3.7

-------------

- Add support for Python 3.14 (issue 152).

1.3.6

-------------

- Add support for free-threading (issue 147).

1.3.5

-------------

- Fix bouncing Dock icon on macOS (issue 143).
- Fix building on C23 compilers (issue 145).

1.3.4

-------------

- Add support for Python 3.13 (issue 139).
- Drop support for Python 3.7.

1.3.3

-------------

- Add support for Python 3.12.
- Fix package metadata to include Python 3.11, 3.12.

1.3.2

-------------

- Restore import-time initialization of macOS to avoid crash on thread+fork
(issue 113).

1.3.1

-------------

- Fixed segfault on macOS 12.5 in forked processes (issue 111).
Note that, as a workaround, Activity Monitor will show the title of the
parent.

1.3.0

-------------

- Added fallback no-op implementation if building the extension fails.
- Added support for displaying title as the process name in MacOS Activity
Monitor (issue 10).
- Fixed "Symbol not found: _Py_GetArgcArgv" error when using Xcode provided
Python (issues 82, 103).
- Fixed FreeBSD support, broken in 1.2 (issue 94).
- Added package type annotations (issue 101).
- Dropped support for Python 3.6.

1.2.3

-------------

- Added Python 3.10 packages (issue 102).
- Added Wheel packages for macOS (issue 96).
- Package build moved to cibuildwheel, other wheels provided (issue 47).

Links

• PyPI: https://pypi.org/project/setproctitle
• Changelog: https://data.safetycli.com/changelogs/setproctitle/
• Repo: https://github.com/dvarrazzo/py-setproctitle

Update tqdm from 4.62.3 to 4.67.3.

Changelog

4.67.3

- fix py3.7 dependencies (1706 <- 1705)

4.67.2

- support `pandas>=3` (1703 <- 1701, 1650, 1700)
- fix `format_interval` for negative numbers (1703)
- misc linting
- framework updates (1704)
+ bump CI workflow & `pre-commit` dependencies
+ add `pyupgrade`
+ add py3.13 support
+ fix py3.7 tests
+ update `setuptools-scm` usage
+ support auto-dedented docstrings when building docs in py3.13
- tests: relax flaky benchmarks

4.67.1

- fix `gui` (`matplotlib` syntax) (1629)
- misc test & framework updates
- bump `pytest-asyncio` (1630)
- fix `codecov` rate limit
- fix pybuild
- sync dependencies

4.67.0

- `contrib.discord`: replace `disco-py` with `requests` (1536)

4.66.6

- cli: zip-safe `--manpath`, `--comppath` (1627)
- misc framework updates (1627)
+ fix `pytest` `DeprecationWarning`
+ fix `snapcraft` build
+ fix `nbval` `DeprecationWarning`
+ update & tidy workflows
+ bump pre-commit
+ docs: update URLs

4.66.5

- support `ncols` auto-detection on FreeBSD (1602 <- https://github.com/casperdcl/git-fame/issues/98)
- fix Python 3.13 CLI (1594 <- 1585)
- fix Python 3.13 tests (1595 <- https://github.com/python/cpython/issues/117536#issuecomment-2036883124)
- misc framework updates (1602)
+ add official Python 3.12 support
+ bump deps (https://github.com/NiklasRosenstein/pydoc-markdown/issues/329, https://github.com/tikitu/jsmin/pull/44)

4.66.4

- `rich`: fix completion (1395 <- 1306)
- minor framework updates & code tidy (1578)

4.66.3

- `cli`: `eval` safety (fixes CVE-2024-34062, GHSA-g7vv-2v7x-gj9p)

4.66.2

- `pandas`: add `DataFrame.progress_map` (1549)
- `notebook`: fix HTML padding (1506)
- `keras`: fix resuming training when `verbose>=2` (1508)
- fix `format_num` negative fractions missing leading zero (1548)
- fix Python 3.12 `DeprecationWarning` on `import` (1519)
- linting: use f-strings (1549)
- update tests (1549)
+ fix `pandas` warnings
+ fix `asv` (https://github.com/airspeed-velocity/asv/issues/1323)
+ fix macos `notebook` docstring indentation
- CI: bump actions (1549)

4.66.1

- fix `utils.envwrap` types (1493 <- 1491, 1320 <- 966, 1319)
+ e.g. cloudwatch & kubernetes workaround: `export TQDM_POSITION=-1`
- drop mentions of unsupported Python versions

4.66.0

- environment variables to override defaults (`TQDM_*`) (1491 <- 1061, 950 <- 614, 1318, 619, 612, 370)
+ e.g. in CI jobs, `export TQDM_MININTERVAL=5` to avoid log spam
+ add tests & docs for `tqdm.utils.envwrap`
- fix & update CLI completion
- fix & update API docs
- minor code tidy: replace `os.path` => `pathlib.Path`
- fix docs image hosting
- release with CI bot account again (https://github.com/cli/cli/issues/6680)

4.65.2

- exclude `examples` from distributed wheel (1492)

4.65.1

- migrate `setup.{cfg,py}` => `pyproject.toml` (1490)
+ fix `asv` benchmarks
+ update docs
- fix snap build (1490)
- fix & update tests (1490)
+ fix flaky notebook tests
+ bump `pre-commit`
+ bump workflow actions

4.65.0

- add Python 3.11 and drop Python 3.6 support (1439, 1419, 502 <- 720, 620)
- misc code & docs tidy
- fix & update CI workflows & tests

4.64.1

- support `ipywidgets>=8`  (1366, 1361 <- 1310, 1359, 1360, 1364)
+ fix jupyter lab display
+ update notebook tests

4.64.0

- add `contrib.slack` (1313)

4.63.2

- `rich`: expose `options` kwargs (1282)
- `autonotebook`: re-enable VSCode (1309)
- misc docs typos (1301, 1299)
- update dev dependencies (1311)

4.63.1

- fix stderr/stdout missing `flush()` (1248 <- 1177)
- misc speed improvements/optimisations

4.63.0

- add `__reversed__()`
- add efficient `__contains__()`
- improve CLI startup time (replace `pkg_resources` => `importlib`)
- `tqdm.autonotebook` warning & `std` fallback on missing `ipywidgets` (1218 <- 1082, 1217)
- warn on positional CLI arguments
- misc build/test framework updates
+ enable `py3.10` tests
+ add `conda` dependencies
+ update pre-commit hooks
+ fix `pytest` config (`nbval`, `asyncio`)
+ fix dependencies & tests
+ fix site deployment

Links

• PyPI: https://pypi.org/project/tqdm
• Changelog: https://data.safetycli.com/changelogs/tqdm/

Update chardet from 4.0.0 to 7.4.0.post2.

Changelog

7.4.0

-------------------

**Performance:**

- Switched to dense zlib-compressed model format (v2): models are now
stored as contiguous ``memoryview`` slices of a single decompressed
blob, eliminating per-model ``struct.unpack`` overhead. Cold start
(import + first detect) dropped from ~75ms to ~13ms with mypyc.
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude,
`354 <https://github.com/chardet/chardet/pull/354>`_)

**Accuracy:**

- Accuracy improved from 98.6% to 99.3% (2499/2517 files) through
a combination of training and scoring improvements:

- Eliminated train/test data overlap by content-fingerprinting test
 suite articles and excluding them from training data
 (`351 <https://github.com/chardet/chardet/pull/351>`_)
- Added MADLAD-400 and Wikipedia as supplemental training sources to
 fill gaps left by exclusion filtering
 (`351 <https://github.com/chardet/chardet/pull/351>`_)
- Improved non-ASCII bigram scoring: high-byte bigrams are now
 preserved during training (instead of being crushed by global
 normalization), and weighted by per-bigram IDF so encoding-specific
 byte patterns contribute proportionally to how discriminative they
 are (`352 <https://github.com/chardet/chardet/pull/352>`_)
- Added encoding-aware substitution filtering: character substitutions
 during training now only apply for characters the target encoding
 cannot represent
- Increased training samples from 15K to 25K per language/encoding pair
 (`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)

**Bug Fixes:**

- Added dedicated structural analyzers for CP932, CP949, and
Big5-HKSCS: these superset encodings previously shared their base
encoding's byte-range analyzer, missing extended ranges unique to each
superset
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude,
`353 <https://github.com/chardet/chardet/pull/353>`_)

7.3.0

-------------------

**License:**

- **0BSD license** — the project license has been changed from MIT to
`0BSD <https://opensource.org/license/0bsd>`_, a maximally permissive
license with no attribution requirement. All prior 7.x releases
should also be considered 0BSD licensed as of this release.
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)

**Features:**

- Added ``mime_type`` field to detection results — identifies file types
for both binary (via magic number matching) and text content. Returned
in all ``detect()``, ``detect_all()``, and ``UniversalDetector`` results.
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude,
`350 <https://github.com/chardet/chardet/pull/350>`_)
- New ``pipeline/magic.py`` module detects 40+ binary file formats
including images, audio/video, archives, documents, executables, and
fonts. ZIP-based formats (XLSX, DOCX, JAR, APK, EPUB, wheel,
OpenDocument) are distinguished by entry filenames.
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude,
`350 <https://github.com/chardet/chardet/pull/350>`_)

**Bug Fixes:**

- Fixed incorrect equivalence between UTF-16-LE and UTF-16-BE in
accuracy testing — these are distinct encodings with different byte
order, not interchangeable
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)

**Performance:**

- Added 4 new modules to mypyc compilation (orchestrator, confusion,
magic, ascii), bringing the total to 11 compiled modules
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)
- Capped statistical scoring at 16 KB — bigram models converge quickly,
so large files no longer score the full 200 KB. Worst-case detection
time dropped from 62ms to 26ms with no accuracy loss.
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)
- Replaced ``dataclasses.replace()`` with direct ``DetectionResult``
construction on hot paths, eliminating ~354k function calls per full
test suite run
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)

**Build:**

- Added riscv64 to the mypyc wheel build matrix — prebuilt wheels are
now published for RISC-V Linux alongside existing architectures
(`Bruno Verachten <https://github.com/gounthar>`_,
`348 <https://github.com/chardet/chardet/pull/348>`_)

7.2.0

-------------------

**Features:**

- Added ``include_encodings`` and ``exclude_encodings`` parameters to
:func:`~chardet.detect`, :func:`~chardet.detect_all`, and
:class:`~chardet.UniversalDetector` — restrict or exclude specific
encodings from the candidate set, with corresponding
``-i``/``--include-encodings`` and ``-x``/``--exclude-encodings``
CLI flags
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude,
`343 <https://github.com/chardet/chardet/pull/343>`_)
- Added ``no_match_encoding`` (default ``"cp1252"``) and
``empty_input_encoding`` (default ``"utf-8"``) parameters — control
which encoding is returned when no candidate survives the pipeline or
the input is empty, with corresponding CLI flags
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude,
`343 <https://github.com/chardet/chardet/pull/343>`_)
- Added ``-l``/``--language`` flag to ``chardetect`` CLI — shows the
detected language (ISO 639-1 code and English name) alongside the encoding
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude,
`342 <https://github.com/chardet/chardet/pull/342>`_)

7.1.0

-------------------

**Features:**

- Added PEP 263 encoding declaration detection — `` -*- coding: ... -*-``
and `` coding=...`` declarations on lines 1–2 of Python source files are
now recognized with confidence 0.95
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude,
`249 <https://github.com/chardet/chardet/issues/249>`_)
- Added ``chardet.universaldetector`` backward-compatibility stub so that
``from chardet.universaldetector import UniversalDetector`` works with a
deprecation warning
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude,
`341 <https://github.com/chardet/chardet/issues/341>`_)

**Fixes:**

- Fixed false UTF-7 detection of ASCII text containing ``++`` or ``+word``
patterns
(`Dan Blanchard <https://github.com/dan-blanchard>`_,
`332 <https://github.com/chardet/chardet/issues/332>`_,
`335 <https://github.com/chardet/chardet/pull/335>`_)
- Fixed 0.5s startup cost on first ``detect()`` call — model norms are now
computed during loading instead of lazily iterating 21M entries
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude,
`333 <https://github.com/chardet/chardet/issues/333>`_,
`336 <https://github.com/chardet/chardet/pull/336>`_)
- Fixed undocumented encoding name changes between chardet 5.x and 7.0 —
``detect()`` now returns chardet 5.x-compatible names by default
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude,
`338 <https://github.com/chardet/chardet/pull/338>`_)
- Improved ISO-2022-JP family detection — recognizes ESC sequences for
ISO-2022-JP-2004 (JIS X 0213) and ISO-2022-JP-EXT (JIS X 0201 Kana)
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)
- Fixed silent truncation of corrupt model data (``iter_unpack`` yielded
fewer tuples instead of raising)
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)
- Fixed incorrect date in LICENSE
(`Dan Blanchard <https://github.com/dan-blanchard>`_)

**Performance:**

- 5.5x faster first-detect time (~0.42s → ~0.075s) by computing model
norms as a side-product of ``load_models()``
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)
- ~40% faster model parsing via ``struct.iter_unpack`` for bulk entry
extraction (eliminates ~305K individual ``unpack`` calls)
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)

**New API parameters:**

- Added ``compat_names`` parameter (default ``True``) to
:func:`~chardet.detect`, :func:`~chardet.detect_all`, and
:class:`~chardet.UniversalDetector` — set to ``False`` to get raw Python
codec names instead of chardet 5.x/6.x compatible display names
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)
- Added ``prefer_superset`` parameter (default ``False``) — remaps legacy
ISO/subset encodings to their modern Windows/CP superset equivalents
(e.g., ASCII → Windows-1252, ISO-8859-1 → Windows-1252).
**This will default to ``True`` in the next major version (8.0).**
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)
- Deprecated ``should_rename_legacy`` in favor of ``prefer_superset`` —
a deprecation warning is emitted when used
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)

**Improvements:**

- Switched internal canonical encoding names to Python codec names
(e.g., ``"utf-8"`` instead of ``"UTF-8"``), with ``compat_names``
controlling the public output format.  See :doc:`usage` for the full
mapping table.
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)
- Added ``lookup_encoding()`` to ``registry`` for case-insensitive
resolution of arbitrary encoding name input to canonical names
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)
- Achieved 100% line coverage across all source modules (+31 tests)
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)
- Updated benchmark numbers: 98.2% encoding accuracy, 95.2% language
accuracy on 2,510 test files
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)
- Pinned test-data cloning to chardet release version tags for
reproducible builds
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)

7.0.1

-------------------

**Fixes:**

- Fixed false UTF-7 detection of SHA-1 git hashes
(`Alex Rembish <https://github.com/rembish>`_,
`324 <https://github.com/chardet/chardet/pull/324>`_)
- Fixed ``_SINGLE_LANG_MAP`` missing aliases for single-language encoding
lookup (e.g., ``big5`` → ``big5hkscs``)
(`Dan Blanchard <https://github.com/dan-blanchard>`_)
- Fixed PyPy ``TypeError`` in UTF-7 codec handling
(`Dan Blanchard <https://github.com/dan-blanchard>`_)

**Improvements:**

- Retrained bigram models — 24 previously failing test cases now pass
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)
- Updated language equivalences for mutual intelligibility (Slovak/Czech,
East Slavic + Bulgarian, Malay/Indonesian, Scandinavian languages)
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)

7.0.0

-------------------

Ground-up, 0BSD-licensed rewrite of chardet
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude,
`322 <https://github.com/chardet/chardet/pull/322>`_). Same package name,
same public API — drop-in replacement for chardet 5.x/6.x.

**Highlights:**

- **0BSD license** (previous versions were LGPL)
- **96.8% accuracy** on 2,179 test files (+2.3pp vs chardet 6.0.0,
+7.7pp vs charset-normalizer)
- **41x faster** than chardet 6.0.0 with mypyc (**28x** pure Python),
**7.5x faster** than charset-normalizer
- **Language detection** for every result (90.5% accuracy across 49
languages)
- **99 encodings** across six eras (MODERN_WEB, LEGACY_ISO, LEGACY_MAC,
LEGACY_REGIONAL, DOS, MAINFRAME)
- **12-stage detection pipeline** — BOM, UTF-16/32 patterns, escape
sequences, binary detection, markup charset, ASCII, UTF-8 validation,
byte validity, CJK gating, structural probing, statistical scoring,
post-processing
- **Bigram frequency models** trained on CulturaX multilingual corpus
data for all supported language/encoding pairs
- **Optional mypyc compilation** — 1.49x additional speedup on CPython
- **Thread-safe** ``detect()`` and ``detect_all()`` with no measurable
overhead; scales on free-threaded Python 3.13t+
- **Negligible import memory** (96 B)
- **Zero runtime dependencies**

6.0.0.post1

-------------------------

- Fixed ``__version__`` not being set correctly in the package
(`Dan Blanchard <https://github.com/dan-blanchard>`_)

6.0.0

-------------------

**Features:**

- Unified single-byte charset detection with proper language-specific
bigram models for all single-byte encodings (replaces ``Latin1Prober``
and ``MacRomanProber`` heuristics)
(`Dan Blanchard <https://github.com/dan-blanchard>`_)
- 38 new languages: Arabic, Belarusian, Breton, Croatian, Czech, Danish,
Dutch, English, Esperanto, Estonian, Farsi, Finnish, French, German,
Icelandic, Indonesian, Irish, Italian, Kazakh, Latvian, Lithuanian,
Macedonian, Malay, Maltese, Norwegian, Polish, Portuguese, Romanian,
Scottish Gaelic, Serbian, Slovak, Slovene, Spanish, Swedish, Tajik,
Ukrainian, Vietnamese, Welsh
(`Dan Blanchard <https://github.com/dan-blanchard>`_)
- ``EncodingEra`` filtering via new ``encoding_era`` parameter
(`Dan Blanchard <https://github.com/dan-blanchard>`_)
- ``max_bytes`` and ``chunk_size`` parameters for ``detect()``,
``detect_all()``, and ``UniversalDetector``
(`Dan Blanchard <https://github.com/dan-blanchard>`_)
- ``-e``/``--encoding-era`` CLI flag
(`Dan Blanchard <https://github.com/dan-blanchard>`_ via Claude)
- EBCDIC detection (CP037, CP500)
(`Dan Blanchard <https://github.com/dan-blanchard>`_)
- Direct GB18030 support (replaces redundant GB2312 prober)
(`Dan Blanchard <https://github.com/dan-blanchard>`_)
- Binary file detection
(`Dan Blanchard <https://github.com/dan-blanchard>`_)
- Python 3.12, 3.13, and 3.14 support
(`Hugo van Kemenade <https://github.com/hugovk>`_,
`283 <https://github.com/chardet/chardet/pull/283>`_)
- GitHub Codespaces support
(`oxygen dioxide <https://github.com/oxygen-dioxide>`_,
`312 <https://github.com/chardet/chardet/pull/312>`_)

**Breaking changes:**

- Dropped Python 3.7, 3.8, and 3.9 (requires Python 3.10+)
- Removed ``Latin1Prober`` and ``MacRomanProber``
- Removed EUC-TW support
- Removed ``LanguageFilter.NONE``
- ``detect()`` default changed to ``encoding_era=EncodingEra.MODERN_WEB``

**Fixes:**

- Fixed CP949 state machine
(`nenw* <https://github.com/HelloWorld017>`_,
`268 <https://github.com/chardet/chardet/pull/268>`_)
- Fixed SJIS distribution analysis (second-byte range >= 0x80)
(`Kadir Can Ozden <https://github.com/bysiber>`_,
`315 <https://github.com/chardet/chardet/pull/315>`_)
- Fixed ``max_bytes`` not being passed to ``UniversalDetector``
(`Kadir Can Ozden <https://github.com/bysiber>`_,
`314 <https://github.com/chardet/chardet/pull/314>`_)
- Fixed UTF-16/32 detection for non-ASCII-heavy text
(`Dan Blanchard <https://github.com/dan-blanchard>`_)
- Fixed GB18030 ``char_len_table``
(`Dan Blanchard <https://github.com/dan-blanchard>`_)
- Fixed UTF-8 state machine
(`Dan Blanchard <https://github.com/dan-blanchard>`_)
- Fixed ``detect_all()`` returning inactive probers
(`Dan Blanchard <https://github.com/dan-blanchard>`_)
- Fixed early cutoff bug
(`Dan Blanchard <https://github.com/dan-blanchard>`_)
- Updated LGPLv2.1 license text for remote-only FSF address
(`Ben Beasley <https://github.com/musicinmybrain>`_,
`307 <https://github.com/chardet/chardet/pull/307>`_)

5.2.0

-------------------

- Added support for running the CLI via ``python -m chardet``
(`Dan Blanchard <https://github.com/dan-blanchard>`_)

5.1.0

-------------------

- Added ``should_rename_legacy`` argument to remap legacy encoding names
to modern equivalents
(`Dan Blanchard <https://github.com/dan-blanchard>`_,
`264 <https://github.com/chardet/chardet/pull/264>`_)
- Added MacRoman encoding prober
(`Elia Robyn Lake <https://github.com/rspeer>`_)
- Added ``--minimal`` flag to ``chardetect`` CLI
(`Dan Blanchard <https://github.com/dan-blanchard>`_,
`214 <https://github.com/chardet/chardet/pull/214>`_)
- Added type annotations and mypy CI
(`Jon Dufresne <https://github.com/jdufresne>`_,
`261 <https://github.com/chardet/chardet/pull/261>`_)
- Added support for Python 3.11
(`Hugo van Kemenade <https://github.com/hugovk>`_,
`274 <https://github.com/chardet/chardet/pull/274>`_)
- Added ISO-8859-15 capital letter sharp S handling
(`Simon Waldherr <https://github.com/SimonWaldherr>`_,
`222 <https://github.com/chardet/chardet/pull/222>`_)
- Clarified LGPL version in license trove classifier
(`Ben Beasley <https://github.com/musicinmybrain>`_,
`255 <https://github.com/chardet/chardet/pull/255>`_)
- Removed support for Python 3.6
(`Jon Dufresne <https://github.com/jdufresne>`_,
`260 <https://github.com/chardet/chardet/pull/260>`_)

5.0.0

-------------------

- Added Johab Korean prober
(`grizlupo <https://github.com/grizlupo>`_,
`172 <https://github.com/chardet/chardet/pull/172>`_,
`207 <https://github.com/chardet/chardet/pull/207>`_)
- Added UTF-16/32 BE/LE probers
(`Jason Zavaglia <https://github.com/jpz>`_,
`109 <https://github.com/chardet/chardet/pull/109>`_,
`206 <https://github.com/chardet/chardet/pull/206>`_)
- Added test data for Croatian, Czech, Hungarian, Polish, Slovak,
Slovene, Greek, Turkish
(`Dan Blanchard <https://github.com/dan-blanchard>`_)
- Improved XML tag filtering
(`Dan Blanchard <https://github.com/dan-blanchard>`_,
`208 <https://github.com/chardet/chardet/pull/208>`_)
- Made ``detect_all`` return child prober confidences
(`Dan Blanchard <https://github.com/dan-blanchard>`_,
`210 <https://github.com/chardet/chardet/pull/210>`_)
- Added support for Python 3.10
(`Hugo van Kemenade <https://github.com/hugovk>`_,
`232 <https://github.com/chardet/chardet/pull/232>`_)
- Slight performance increase
(`deedy5 <https://github.com/deedy5>`_,
`252 <https://github.com/chardet/chardet/pull/252>`_)
- Dropped Python 2.7, 3.4, 3.5 (requires Python 3.6+)

Links

• PyPI: https://pypi.org/project/chardet
• Changelog: https://data.safetycli.com/changelogs/chardet/

Update pymysql from 1.0.2 to 1.1.2.

The bot wasn't able to find a changelog for this release. Got an idea?

Links

• PyPI: https://pypi.org/project/pymysql

Update statsd from 3.3.0 to 4.0.1.

Changelog

4.0.1

Fixed

- Updated PyPI trove classifiers for current Python versions.

4.0

Added

- Updates support to Python 3.7 through 3.11.
- Added `close()` method to UDP-based `StatsClient`. (136)

Dropped

- Drops support for Python 2.

Fixed

- Using a timing decorator on an async function should now properly measure the
execution time, instead of counting immediately. See 119.

Links

• PyPI: https://pypi.org/project/statsd
• Changelog: https://data.safetycli.com/changelogs/statsd/

Update xxhash from 2.0.2 to 3.6.0.

Changelog

3.6.0

~~~~~~~~~~~~~~~~~

- Build wheels for Python 3.14
- Python free-threading support
- Typing: Use Buffer type stubs
- Deprecate xxhash.VERSION_TUPLE, it will be removed in the next major release

3.5.0

~~~~~~~~~~~~~~~~~

- Build wheels for Python 3.13

3.4.1

~~~~~~~~~~~~~~~~~

- Build wheels for Python 3.12
- Remove setuptools_scm

3.4.0

~~~~~~~~~~~~~~~~~

*Yanked* due to wheels building problem.

3.3.0

~~~~~~~~~~~~~~~~~

- Upgrade xxHash to v0.8.2
- Drop support for Python 3.6

3.2.0

~~~~~~~~~~~~~~~~~

This is the last version to support Python 3.6

- Build Python 3.11 wheels.
- Remove setup.py test_suites, call unittest directly

3.1.0

~~~~~~~~~~~~~~~~~

- Type annotations.
- Enabled muslinux wheels building.

3.0.0

~~~~~~~~~~~~~~~~~

- New set `algorithms_available` lists all implemented algorithms in `xxhash`
package.
- Upgrade xxHash to v0.8.1.
- Drop support for EOL Python versions, require python >= 3.6 from now on.
- Migrate to github actions and build arm64 wheels for macOS.
- Always release GIL.

Links

• PyPI: https://pypi.org/project/xxhash
• Changelog: https://data.safetycli.com/changelogs/xxhash/
• Repo: https://github.com/ifduyue/python-xxhash

Update objgraph from 3.5.0 to 3.6.2.

Changelog

3.6.2

------------------

- Add support for Python 3.13.

3.6.1

------------------

- Add support for Python 3.12.

3.6.0

------------------

- Add support for Python 3.9, 3.10, and 3.11.

- Drop support for Python 2.7 and 3.6.

Links

• PyPI: https://pypi.org/project/objgraph
• Changelog: https://data.safetycli.com/changelogs/objgraph/
• Homepage: https://mg.pov.lt/objgraph/

Update cssutils from 2.3.1 to 2.11.1.

Changelog

2.11.1

=======

Bugfixes
--------

- Consolidated license to simply LGPL 3. (52)

2.11.0

=======

Features
--------

- Reduced cyclomatic complexity in selector module. (47)

2.10.3

=======

Bugfixes
--------

- Fixed DeprecationWarning with cgi module.

2.10.2

=======

Bugfixes
--------

- Remove optional dependency only required on unsupported Python versions. (48)

2.10.1

=======

Bugfixes
--------

- Replace xunit-style setup with pytest fixtures. (45)

2.10.0

=======

Features
--------

- getPropertyValue now allows specifying a default value. (42)

2.9.0

======

Features
--------

- Made URL fetcher lenient to missing metadata.

2.8.0

======

Features
--------

- Require Python 3.8 or later.


Bugfixes
--------

- Made some unreachable tests reachable.

2.7.1

======

36: Refactored to restore docs builds without warning-errors.

2.7.0

======

35: Updated deprecated usage of ``cgi`` module.

34: Updated deprecated setup/teardown from ``nose`` in tests.

Other miscellaneous cleanup and packaging updates.

2.6.0

======

14: Added support for custom CSS variables with ``--`` prefix.

2.5.1

======

Some refactoring.

2.5.0

======

Substantial code refresh. Ported tests to native pytest.

Enrolled project with Tidelift.

2.4.2

======

24: Added Python 3.11 compatibility to tests.

2.4.1

======

22: Removed ``cssutils.tests.basetest.get_resource_filename``.
21: Cleaned up docs so they build without warnings.

2.4.0

======

Require Python 3.7.

Links

• PyPI: https://pypi.org/project/cssutils
• Changelog: https://data.safetycli.com/changelogs/cssutils/
• Docs: https://pythonhosted.org/cssutils/

Update tinycss2 from 1.1.1 to 1.5.1.

Changelog

1.5.1

- Include parsing tests in source tarball

1.5.0

- Support most of CSS Color Level 5
- Fix tokenizer crash on escaped Dimension units and Function names

1.4.0

* Support CSS Color Level 4

1.3.0

* Support CSS nesting
* Deprecate parse_declaration_list, use parse_blocks_contents instead

1.2.1

* Fix tests included in the source tarball

1.2.0

* Drop support of Python 3.6
* Fix serialization of nested functions with no parameters
* Don’t use pytest plugins by default

Links

• PyPI: https://pypi.org/project/tinycss2
• Changelog: https://data.safetycli.com/changelogs/tinycss2/

Update fontTools from 4.27.1 to 4.62.1.

Changelog

4.62.1

----------------------------

- [feaLib] Extend contextual rule merging to all rule types: single subst, GSUB/GPOS
named lookups, ignore rules, and chained alternate subst (4061).

4.62.0

----------------------------

- [diff] Add new ``fonttools diff`` command for comparing font files, imported from the
``fdiff`` project and heavily reworked (1190, 4007, 4009, 4011, 4013, 4019).
- [feaLib] Fix ``VariableScalar`` interpolation bug with non-linear avar mappings. Also
decouple ``VariableScalar`` from compiled fonts, allowing it to work with designspace data
before compilation (3938, 4054).
- [feaLib] Fix ``VariableScalar`` axis ordering and iterative delta rounding to match fontc
behavior (4053).
- [feaLib] Merge chained multi subst rules with same context into a single subtable instead of
emitting one subtable per glyph (4016, 4058).
- [feaLib] Pass location to ``ConditionsetStatement`` to fix glyphsLib round-tripping
(fontra/fontra-glyphs130, 4057).
- [feaLib] Write ``0xFFFF`` instead of ``0`` for missing nameIDs in ``cv`` feature params
(4010, 4012).
- [cmap] Fix ``CmapSubtable.__lt__()`` ``TypeError`` on Python 3 when subtables share the
same encoding record, and add compile-time validation for unique encoding records (4035,
4055).
- [svgLib] Skip non-element XML nodes (comments, processing instructions) when drawing SVG
paths (4042, 4043).
- [glifLib] Fix regression reading glyph outlines when ``glyphObject=None`` (4030, 4031).
- [pointPen] Fix ``SegmentToPointPen`` edge case: only remove a duplicate final point on
``closePath()`` if it is an on-curve point (4014, 4015).
- [cffLib] **SECURITY** Replace ``eval()`` with ``safeEval()`` in ``parseBlendList()`` to
prevent arbitrary code execution from crafted TTX files (4039, 4040).
- [ttLib] Remove defunct Adobe SING Glyphlet tables (``META``, ``SING``, ``GMAP``, ``GPKG``)
(4044).
- [varLib.interpolatable] Various bugfixes: fix swapped nodeTypes assignment, duplicate
kink-detector condition, typos, CFF2 vsindex parsing, glyph existence check, and plot
helpers (4046).
- [varLib.models] Fix ``getSubModel`` not forwarding ``extrapolate``/``axisRanges``; check
location uniqueness after stripping zeros (4047).
- [varLib] Fix ``--variable-fonts`` filter in ``build_many``; remove dead code and fix
comments (4048).
- [avar] Preserve existing name table in build; keep ``unbuild`` return types consistent;
validate ``map`` CLI coordinates (4051).
- [cu2qu/qu2cu] Add input validation: reject non-positive tolerances, validate curve inputs
and list lengths (4052).
- [colorLib] Raise a clear ``ColorLibError`` when base glyphs are missing from glyphMap,
instead of a confusing ``KeyError`` (4041).
- [glyf] Remove unnecessary ``fvar`` table dependency (4017).
- [fvar/trak] Remove unnecessary ``name`` table dependency (4018).
- [ufoLib] Relax guideline validation to follow the updated spec (3537, 3553).
- [ttFont] Fix ``saveXML`` regression with empty table lists, clarify docstring (4025, 4026,
4056).
- [setup.py] Link ``libm`` for Cython extensions using math functions (4028, 4029).
- Add typing annotations for ``DSIG``, ``DefaultTable``, ``ttProgram`` (4033).

4.61.1

----------------------------

- [otlLib] buildCoverage: return empty Coverage instead of None (4003, 4004).
- [instancer] bug fix in ``avar2`` full instancing (4002).
- [designspaceLib] Preserve empty conditionsets when serializing to XML (4001).
- [fontBu ilder] Fix FontBuilder ``setupOS2()`` default params globally polluted (3996, 3997).
- [ttFont] Add more typing annotations to ttFont, xmlWriter, sfnt, varLib.models and others (3952, 3826).
- Explicitly test and declare support for Python 3.14, even though we were already shipping pre-built wheels for it (3990).

4.61.0

----------------------------

- [varLib.main]: **SECURITY** Only use basename(vf.filename) to prevent path traversal attacks when
running ``fonttools varLib`` command, or code which invokes ``fonttools.varLib.main()``.
Fixes CVE-2025-66034, see:
https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv.
- [feaLib] Sort BaseLangSysRecords by tag (3986).
- Drop support for EOL Python 3.9 (3982).
- [instancer] Support --remove-overlaps for fonts with CFF2 table (3975).
- [CFF2ToCFF] Add --remove-overlaps option (3976).
- [feaLib] Raise an error for rsub with NULL target (3979).
- [bezierTools] Fix logic bug in curveCurveIntersections (3963).
- [feaLib] Error when condition sets have the same name (3958).
- [cu2qu.ufo] skip processing empty glyphs to support sparse kerning masters (3956).
- [unicodedata] Update to Unicode 17. Require ``unicodedata2 >= 17.0.0`` when installed with 'unicode' extra.

4.60.2

----------------------------

- **Backport release** Same as 4.61.0 but without "Drop support for EOL Python 3.9" change to allow
downstream projects still on Python 3.9 to avail of the security fix for CVE-2025-66034 (3994, 3999).

4.60.1

----------------------------

- [ufoLib] Reverted accidental method name change in ``UFOReader.getKerningGroupConversionRenameMaps``
that broke compatibility with downstream projects like defcon (3948, 3947, robotools/defcon478).
- [ufoLib] Added test coverage for ``getKerningGroupConversionRenameMaps`` method (3950).
- [subset] Don't try to subset BASE table; pass it through by default instead (3949).
- [subset] Remove empty BaseRecord entries in MarkBasePos lookups (3897, 3892).
- [subset] Add pruning for MarkLigPos and MarkMarkPos lookups (3946).
- [subset] Remove duplicate features when subsetting (3945).
- [Docs] Added documentation for the visitor module (3944).

4.60.0

----------------------------

- [pointPen] Allow ``reverseFlipped`` parameter of ``DecomposingPointPen`` to take a ``ReverseFlipped``
enum value to control whether/how to reverse contour direction of flipped components, in addition to
the existing True/False. This allows to set ``ReverseFlipped.ON_CURVE_FIRST`` to ensure that
the decomposed outline starts with an on-curve point before being reversed, for better consistency
with other segment-oriented contour transformations. The change is backward compatible, and the
default behavior hasn't changed (3934).
- [filterPen] Added ``ContourFilterPointPen``, base pen for buffered contour operations, and
``OnCurveStartPointPen`` filter to ensure contours start with an on-curve point (3934).
- [cu2qu] Fixed difference in cython vs pure-python complex division by real number (3930).
- [varLib.avar] Refactored and added some new sub-modules and scripts (3926).
* ``varLib.avar.build`` module to build avar (and a missing fvar) binaries into a possibly empty TTFont,
* ``varLib.avar.unbuild`` module to print a .designspace snippet that would generate the same avar binary,
* ``varLib.avar.map`` module to take TTFont and do the mapping, in user/normalized space,
* ``varLib.avar.plan`` module moved from ``varLib.avarPlanner``.
The bare ``fonttools varLib.avar`` script is deprecated, in favour of ``fonttools varLib.avar.build`` (or ``unbuild``).
- [interpolatable] Clarify ``linear_sum_assignment`` backend options and minimal dependency
usage (3927).
- [post] Speed up ``build_psNameMapping`` (3923).
- [ufoLib] Added typing annotations to fontTools.ufoLib (3875).

4.59.2

----------------------------

- [varLib] Clear ``USE_MY_METRICS`` component flags when inconsistent across masters (3912).
- [varLib.instancer] Avoid negative advance width/height values when instatiating HVAR/VVAR,
(unlikely in well-behaved fonts) (3918).
- [subset] Fix shaping behaviour when pruning empty mark sets (3915, harfbuzz/harfbuzz5499).
- [cu2qu] Fixed ``dot()`` product of perpendicular vectors not always returning exactly 0.0
in all Python implementations (3911)
- [varLib.instancer] Implemented fully-instantiating ``avar2`` fonts (3909).
- [feaLib] Allow float values in ``VariableScalar``'s axis locations (3906, 3907).
- [cu2qu] Handle special case in ``calc_intersect`` for degenerate cubic curves where 3 to 4
control points are equal (3904).

4.59.1

----------------------------

- [featureVars] Update OS/2.usMaxContext if possible after addFeatureVariationsRaw (3894).
- [vhmtx] raise TTLibError('not enough data...') when hmtx/vmtx are truncated (3843, 3901).
- [feaLib] Combine duplicate features that have the same set of lookups regardless of the order in which those lookups are added to the feature (3895).
- [varLib] Deprecate ``varLib.mutator`` in favor of ``varLib.instancer``. The latter
provides equivalent full (static font) instancing in addition to partial VF instancing.
CLI users should replace ``fonttools varLib.mutator`` with ``fonttools varLib.instancer``.
API users should migrate to ``fontTools.varLib.instancer.instantiateVariableFont`` (2680).

4.59.0

----------------------------

- Removed hard-dependency on pyfilesystem2 (``fs`` package) from ``fonttools[ufo]`` extra.
This is replaced by the `fontTools.misc.filesystem` package, a stdlib-only, drop-in
replacement for the subset of the pyfilesystem2's API used by ``fontTools.ufoLib``.
The latter should continue to work with the upstream ``fs`` (we even test with/without).
Clients who wish to continue using ``fs`` can do so by depending on it directly instead
of via the ``fonttools[ufo]`` extra (3885, 3620).
- [xmlWriter] Replace illegal XML characters (e.g. control or non-characters) with "?"
when dumping to ttx (3868, 71).
- [varLib.hvar] Fixed vertical metrics fields copy/pasta error (3884).
- Micro optimizations in ttLib and sstruct modules (3878, 3879).
- [unicodedata] Add Garay script to RTL_SCRIPTS (3882).
- [roundingPen] Remove unreliable kwarg usage. Argument names aren’t consistent among
point pens’ ``.addComponent()`` implementations, in particular ``baseGlyphName``
vs ``glyphName`` (3880).

4.58.5

----------------------------

- [feaLib] Don't try to combine ligature & multisub rules (3874).
- [feaLib/ast] Use weakref proxies to avoid cycles in visitor (3873).
- [varLib.instancer] Fixed instancing CFF2 fonts where VarData contains more than 64k items (3858).

4.58.4

----------------------------

- [feaLib] Allow for empty MarkFilter & MarkAttach sets (3856).

4.58.3

----------------------------

- [feaLib] Fixed iterable check for Python 3.13.4 and newer (3854, 3855).

4.58.2

----------------------------

- [ttLib.reorderGlyphs] Handle CFF2 when reordering glyphs (3852)
- [subset] Copy name IDs in use before scrapping or scrambling them for webfonts (3853)

4.58.1

----------------------------

- [varLib] Make sure that fvar named instances only reuse name ID 2 or 17 if they are at the default location across all axes, to match OT spec requirement (3831).
- [feaLib] Improve single substitution promotion to multiple/ligature substitutions, fixing a few bugs as well (3849).
- [loggingTools] Make ``Timer._time`` a static method that doesn't take self, makes it easier to override (3836).
- [featureVars] Use ``None`` for empty ConditionSet, which translates to a null offset in the compiled table (3850).
- [feaLib] Raise an error on conflicting ligature substitution rules instead of silently taking the last one (3835).
- Add typing annotations to T2CharStringPen (3837).
- [feaLib] Add single substitutions that were promoted to multiple or ligature substitutions to ``aalt`` feature (3847).
- [featureVars] Create a default ``LangSys`` in a ``ScriptRecord`` if missing when adding feature variations to existing GSUB later in the build (3838).
- [symfont] Added a ``main()``.
- [cffLib.specializer] Fix rmoveto merging when blends used (3839, 3840).
- [pyftmerge] Add support for cmap format 14 in the merge tool (3830).
- [varLib.instancer/cff2] Fix vsindex of Private dicts when instantiating (3828, 3232).
- Update text file read to use UTF-8 with optional BOM so it works with e.g. Windows Notepad.exe (3824).
- [varLib] Ensure that instances only reuse name ID 2 or 17 if they are at the default location across all axes (3831).
- [varLib] Create a dflt LangSys in a ScriptRecord when adding variations later, to fix an avoidable crash in an edge case (3838).

4.58.0

----------------------------

- Drop Python 3.8, require 3.9+ (3819)
- [HVAR, VVAR] Prune unused regions when using a direct mapping (3797)
- [Docs] Improvements to ufoLib documentation (3721)
- [Docs] Improvements to varLib documentation (3727)
- [Docs] Improvements to Pens and pen-module documentation (3724)
- [Docs] Miscellany updates to docs (misc modules and smaller modules) (3730)
- [subset] Close codepoints over BiDi mirror variants. (3801)
- [feaLib] Fix serializing ChainContextPosStatement and
ChainContextSubstStatement in some rare cases (3788)
- [designspaceLib] Clarify user expectations for getStatNames (2892)
- [GVAR] Add support for new `GVAR` table (3728)
- [TSI0, TSI5] Derive number of entries to decompile from data length (2477)
- [ttLib] Fix `AttributeError` when reporting table overflow (3808)
- [ttLib] Apply rounding more often in getCoordinates (3798)
- [ttLib] Ignore component bounds if empty (3799)
- [ttLib] Change the separator for duplicate glyph names from "" to "." (3809)
- [feaLib] Support subtable breaks in CursivePos, MarkBasePos, MarkToLigPos and
MarkToMarkPos lookups (3800, 3807)
- [feaLib] If the same lookup has single substitutions and ligature
substitutions, upgrade single substitutions to ligature substitutions with
one input glyph (3805)
- [feaLib] Correctly handle <NULL> in single pos lookups (3803)
- [feaLib] Remove duplicates from class pair pos classes instead of raising an
error (3804)
- [feaLib] Support creating extension lookups using useExtenion lookup flag
instead of silently ignoring it (3811)
- [STAT] Add typing for the simpler STAT arguments (3812)
- [otlLib.builder] Add future import for annotations (3814)
- [cffLib] Fix reading supplement encoding (3813)
- [voltLib] Add some missing functionality and fixes to voltLib and VoltToFea,
making the conversion to feature files more robust. Add also `fonttools
voltLib` command line tool to compile VOLT sources directly (doing an
intermediate fea conversion internally) (3818)
- [pens] Add some PointPen annotations (3820)

4.57.0

----------------------------

- [ttLib.__main__] Add `--no-recalc-timestamp` flag (3771)
- [ttLib.__main__] Add `-b` (recalcBBoxes=False) flag (3772)
- [cmap] Speed up glyphOrder loading from cmap (3774)
- [ttLib.__main__] Improvements around the `-t` flag (3776)
- [Debg] Fix parsing from XML; add roundtrip tests (3781)
- [fealib] Support \*Base.MinMax tables (3783, 3786)
- [config] Add OPTIMIZE_FONT_SPEED (3784)
- [varLib.hvar] New module to add HVAR table to the font (3780)
- [otlLib.optimize] Fix crash when the provided TTF does not contain a `GPOS` (3794)

4.56.0

----------------------------

- [varStore] Sort the input todo list with the same sorting key used for the opimizer's output (3767).
- [otData] Fix DeviceTable's ``DeltaValue`` repeat value which caused a crash after importing from XML and then compiling a GPOS containing Device tables (3758).
- [feaLib] Make ``FeatureLibError`` pickleable, so client can e.g. use feaLib to can compile features in parallel with multiprocessing (3762).
- [varLib/gvar] Removed workaround for old, long-fixed macOS bug about composite glyphs with all zero deltas (1381, 1788).
- [Docs] Updated ttLib documentation, beefed up TTFont and TTGlyphSet explanations (3720).

4.55.8

----------------------------

- [MetaTools] Fixed bug in buildUCD.py script whereby the first non-header line of some UCD text file was being skipped. This affected in particular the U+00B7 (MIDDLE DOT) entry of ScriptExtensions.txt (3756).

4.55.7

----------------------------

- Shorten the changelog included in PyPI package description to accommodate maximum length limit imposed by Azure DevOps. No actual code changes since v4.55.6 (3754).

4.55.6

----------------------------

- [glyf] Fixed regression introduced in 4.55.5 when computing bounds of nested composite glyphs  with transformed components (3752).

4.55.5

----------------------------

- [glyf] Fixed recalcBounds of transformed components with unrounded coordinates (3750).
- [feaLib] Allow duplicate script/language statements (3749).

4.55.4

----------------------------

- [bezierTools] Fixed ``splitCubicAtT`` sometimes not returning identical start/end points as result of numerical precision (3742, 3743).
- [feaLib/ast] Fixed docstring of ``AlternateSubstStatement`` (3735).
- [transform] Typing fixes (3734).

4.55.3

----------------------------

- [Docs] fill out ttLib table section [3716]
- [feaLib] More efficient inline format 4 lookups [3726]

4.55.2

----------------------------

- [Docs] update Sphinx config (3712)
- [designspaceLib] Allow axisOrdering to be set to zero (3715)
- [feaLib] Don’t modify variable anchors in place (3717)

4.55.1

----------------------------

- [ttGlyphSet] Support VARC CFF2 fonts (3683)
- [DecomposedTransform] Document and implement always skewY == 0 (3697)
- [varLib] "Fix" cython iup issue? (3704)
- Cython minor refactor (3705)

4.55.0

----------------------------

- [cffLib.specializer] Adjust stack use calculation (3689)
- [varLib] Lets not add mac names if the rest of name doesn't have them (3688)
- [ttLib.reorderGlyphs] Update CFF table charstrings and charset (3682)
- [cffLib.specializer] Add cmdline to specialize a CFF2 font (3675, 3679)
- [CFF2] Lift uint16 VariationStore.length limitation (3674)
- [subset] consider variation selectors subsetting cmap14 (3672)
- [varLib.interpolatable] Support CFF2 fonts (3670)
- Set isfinal to true in XML parser for proper resource cleanup (3669)
- [removeOverlaps] Fix CFF CharString width (3659)
- [glyf] Add optimizeSize option (3657)
- Python 3.13 support (3656)
- [TupleVariation] Optimize for loading speed, not size (3650, 3653)

4.54.1

----------------------------

- [unicodedata] Update to Unicode 16
- [subset] Escape ``\\`` in doc string

4.54.0

----------------------------

- [Docs] Small docs cleanups by n8willis (3611)
- [Docs] cleanup code blocks by n8willis (3627)
- [Docs] fix Sphinx builds by n8willis (3625)
- [merge] Minor fixes to documentation for merge by drj11 (3588)
- [subset] Small tweaks to pyftsubset documentation by RoelN (3633)
- [Tests] Do not require fonttools command to be available by behdad (3612)
- [Tests] subset_test: add failing test to reproduce issue 3616 by anthrotype (3622)
- [ttLib] NameRecordVisitor: include whole sequence of character variants' UI labels, not just the first by anthrotype (3617)
- [varLib.avar] Reconstruct mappings from binary by behdad (3598)
- [varLib.instancer] Fix visual artefacts with partial L2 instancing by Hoolean (3635)
- [varLib.interpolatable] Support discrete axes in .designspace by behdad (3599)
- [varLib.models] By default, assume OpenType-like normalized space by behdad (3601)

4.53.1

----------------------------

- [feaLib] Improve the sharing of inline chained lookups (3559)
- [otlLib] Correct the calculation of OS/2.usMaxContext with reversed chaining contextual single substitutions (3569)
- [misc.visitor] Visitors search the inheritance chain of objects they are visiting (3581)

4.53.0

----------------------------

- [ttLib.removeOverlaps] Support CFF table to aid in downconverting CFF2 fonts (3528)
- [avar] Fix crash when accessing not-yet-existing attribute (3550)
- [docs] Add buildMathTable to otlLib.builder documentation (3540)
- [feaLib] Allow UTF-8 with BOM when reading features (3495)
- [SVGPathPen] Revert rounding coordinates to two decimal places by default (3543)
- [varLib.instancer] Refix output filename decision-making  (3545, 3544, 3548)

4.52.4

----------------------------

- [varLib.cff] Restore and deprecate convertCFFtoCFF2 that was removed in 4.52.0
release as it is used by downstream projects (3535).

4.52.3

----------------------------

- Fixed a small syntax error in the reStructuredText-formatted NEWS.rst file
which caused the upload to PyPI to fail for 4.52.2. No other code changes.

4.52.2

----------------------------

- [varLib.interpolatable] Ensure that scipy/numpy output is JSON-serializable
(3522, 3526).
- [housekeeping] Regenerate table lists, to fix pyinstaller packaging of the new
``VARC`` table (3531, 3529).
- [cffLib] Make CFFToCFF2 and CFF2ToCFF more robust (3521, 3525).

4.52.1

----------------------------

- Fixed a small syntax error in the reStructuredText-formatted NEWS.rst file
which caused the upload to PyPI to fail for 4.52.0. No other code changes.

4.52.0

----------------------------

- Added support for the new ``VARC`` (Variable Composite) table that is being
proposed to OpenType spec (3395). For more info:
https://github.com/harfbuzz/boring-expansion-spec/blob/main/VARC.md
- [ttLib.__main__] Fixed decompiling all tables (90fed08).
- [feaLib] Don't reference the same lookup index multiple times within the same
feature record, it is only applied once anyway (3520).
- [cffLib] Moved methods to desubroutinize, remove hints and unused subroutines
from subset module to cffLib (3517).
- [varLib.instancer] Added support for partial-instancing CFF2 tables! Also, added
method to down-convert from CFF2 to CFF 1.0, and CLI entry points to convert
CFF<->CFF2 (3506).
- [subset] Prune unused user name IDs even with --name-IDs='*' (3410).
- [ttx] use GNU-style getopt to intermix options and positional arguments (3509).
- [feaLib.variableScalar] Fixed ``value_at_location()`` method (3491)
- [psCharStrings] Shorten output of ``encodeFloat`` (3492).
- [bezierTools] Fix infinite-recursion in ``calcCubicArcLength`` (3502).
- [avar2] Implement ``avar2`` support in ``TTFont.getGlyphSet()`` (3473).

4.51.0

----------------------------

- [ttLib] Optimization on loading aux fields (3464).
- [ttFont] Add reo

[pyup-bot]

Closing this in favor of #1018