chore(deps): bump fonttools from 4.47.0 to 4.60.2#314
Conversation
Bumps [fonttools](https://github.com/fonttools/fonttools) from 4.47.0 to 4.60.2. - [Release notes](https://github.com/fonttools/fonttools/releases) - [Changelog](https://github.com/fonttools/fonttools/blob/main/NEWS.rst) - [Commits](fonttools/fonttools@4.47.0...4.60.2) --- updated-dependencies: - dependency-name: fonttools dependency-version: 4.60.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
LGTM — transitive dep bump in uv.lock only, includes CVE-2025-66034 fix; fonttools isn't directly used by eyecite.
Extended reasoning...
Overview
Dependabot PR bumping fonttools from 4.47.0 to 4.60.2 in uv.lock. The only changed file is the lockfile; no source code, configs, or direct dependencies are touched.
Security risks
None for eyecite. fonttools appears only in uv.lock and is not referenced anywhere in the source tree (grep for fonttools|fontTools matches only the lockfile), so it is a transitive dependency. The bump itself pulls in the CVE-2025-66034 path-traversal fix in varLib.main, which is a net security improvement.
Level of scrutiny
Low. Lockfile-only dependency bump for a transitive, unused-at-runtime package, generated by Dependabot. Mechanical change with no logic implications.
Other factors
No bugs found by the bug hunter, no prior reviewer comments, and the project consistently merges these Dependabot lockfile bumps (recent commits include several similar bumps for mako, markdown, etc.).
Bumps fonttools from 4.47.0 to 4.60.2.
Release notes
Sourced from fonttools's releases.
... (truncated)
Changelog
Sourced from fonttools's changelog.
... (truncated)
Commits
78ba5e8Release 4.60.2c3f9979macos-13 runner is no more, use macos-15-intel8016403Revert "Merge pull request #3982 from fonttools/drop-py39"e691e3bRelease 4.61.0c2d540fUpdate NEWS.rst3859753Update NEWS.rst26eb070black5ff73afMerge commit from forka696d5bvarLib: only use the basename(vf.filename)b00bc45varLib_test: test path traversal in variable-font filenameDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.