Bump fonttools from 4.53.0 to 4.59.1

[dependabot]

Bumps fonttools from 4.53.0 to 4.59.1.

Release notes

Sourced from fonttools's releases.

4.59.0

• Removed hard-dependency on pyfilesystem2 (fs package) from fonttools[ufo] extra. This is replaced by the fontTools.misc.filesystem package, a stdlib-only, drop-in replacement for the subset of the pyfilesystem2's API used by fontTools.ufoLib. The latter should continue to work with the upstream fs (we even test with/without). However, clients who wish to continue using fs can do so by depending on it directly instead of via the fonttools[ufo] extra (#3885, #3620).
• [xmlWriter] Replace illegal XML characters (e.g. control or non-characters) with "?" when dumping to ttx (#3868, #71).
• [varLib.hvar] Fixed vertical metrics fields copy/pasta error (#3884).
• Micro optimizations in ttLib and sstruct modules (#3878, #3879).
• [unicodedata] Add Garay script to RTL_SCRIPTS (#3882).
• [roundingPen] Remove unreliable kwarg usage. Argument names aren’t consistent among point pens’ .addComponent() implementations, in particular baseGlyphName vs glyphName (#3880).

4.58.5

• [feaLib] Don't try to combine ligature & multisub rules (#3874).
• [feaLib/ast] Use weakref proxies to avoid cycles in visitor (#3873).
• [varLib.instancer] Fixed instancing CFF2 fonts where VarData contains more than 64k items (#3858).

4.58.4

• [feaLib] Fixed iterable check for Python 3.13.4 and newer (#3854, #3855).

4.58.3

• [feaLib] Fixed iterable check for Python 3.13.4 and newer (#3854, #3855).

4.58.2

• [ttLib.reorderGlyphs] Handle CFF2 when reordering glyphs (fonttools/fonttools#3852)
• [subset] Copy name IDs in use before scrapping or scrambling them for webfonts (fonttools/fonttools#3853)

4.58.1

• [varLib] Make sure that fvar named instances only reuse name ID 2 or 17 if they are at the default location across all axes, to match OT spec requirement (#3831).
• [feaLib] Improve single substitution promotion to multiple/ligature substitutions, fixing a few bugs as well (#3849).
• [loggingTools] Make Timer._time a static method that doesn't take self, makes it easier to override (#3836).
• [featureVars] Use None for empty ConditionSet, which translates to a null offset in the compiled table (#3850).
• [feaLib] Raise an error on conflicting ligature substitution rules instead of silently taking the last one (#3835).
• Add typing annotations to T2CharStringPen (#3837).
• [feaLib] Add single substitutions that were promoted to multiple or ligature substitutions to aalt feature (#3847).
• [featureVars] Create a default LangSys in a ScriptRecord if missing when adding feature variations to existing GSUB later in the build (#3838).
• [symfont] Added a main().
• [cffLib.specializer] Fix rmoveto merging when blends used (#3839, #3840).
• [pyftmerge] Add support for cmap format 14 in the merge tool (#3830).
• [varLib.instancer/cff2] Fix vsindex of Private dicts when instantiating (#3828, #3232).
• Update text file read to use UTF-8 with optional BOM so it works with e.g. Windows Notepad.exe (#3824).
• [varLib] Ensure that instances only reuse name ID 2 or 17 if they are at the default location across all axes (#3831).
• [varLib] Create a dflt LangSys in a ScriptRecord when adding variations later, to fix an avoidable crash in an edge case (#3838).

4.58.0

• Drop Python 3.8, require 3.9+ (#3819)
• [HVAR, VVAR] Prune unused regions when using a direct mapping (#3797)
• [Docs] Improvements to ufoLib documentation (#3721)
• [Docs] Improvements to varLib documentation (#3727)
• [Docs] Improvements to Pens and pen-module documentation (#3724)
• [Docs] Miscellany updates to docs (misc modules and smaller modules) (#3730)
• [subset] Close codepoints over BiDi mirror variants. (#3801)
• [feaLib] Fix serializing ChainContextPosStatement and ChainContextSubstStatement in some rare cases (#3788)
• [designspaceLib] Clarify user expectations for getStatNames (#2892)

... (truncated)

Changelog

Sourced from fonttools's changelog.

4.59.1 (released 2025-08-14)

• [featureVars] Update OS/2.usMaxContext if possible after addFeatureVariationsRaw (#3894).
• [vhmtx] raise TTLibError('not enough data...') when hmtx/vmtx are truncated (#3843, #3901).
• [feaLib] Combine duplicate features that have the same set of lookups regardless of the order in which those lookups are added to the feature (#3895).
• [varLib] Deprecate varLib.mutator in favor of varLib.instancer. The latter provides equivalent full (static font) instancing in addition to partial VF instancing. CLI users should replace fonttools varLib.mutator with fonttools varLib.instancer. API users should migrate to fontTools.varLib.instancer.instantiateVariableFont (#2680).

4.59.0 (released 2025-07-16)

• Removed hard-dependency on pyfilesystem2 (fs package) from fonttools[ufo] extra. This is replaced by the fontTools.misc.filesystem package, a stdlib-only, drop-in replacement for the subset of the pyfilesystem2's API used by fontTools.ufoLib. The latter should continue to work with the upstream fs (we even test with/without). Clients who wish to continue using fs can do so by depending on it directly instead of via the fonttools[ufo] extra (#3885, #3620).
• [xmlWriter] Replace illegal XML characters (e.g. control or non-characters) with "?" when dumping to ttx (#3868, #71).
• [varLib.hvar] Fixed vertical metrics fields copy/pasta error (#3884).
• Micro optimizations in ttLib and sstruct modules (#3878, #3879).
• [unicodedata] Add Garay script to RTL_SCRIPTS (#3882).
• [roundingPen] Remove unreliable kwarg usage. Argument names aren’t consistent among point pens’ .addComponent() implementations, in particular baseGlyphName vs glyphName (#3880).

4.58.5 (released 2025-07-03)

• [feaLib] Don't try to combine ligature & multisub rules (#3874).
• [feaLib/ast] Use weakref proxies to avoid cycles in visitor (#3873).
• [varLib.instancer] Fixed instancing CFF2 fonts where VarData contains more than 64k items (#3858).

4.58.4 (released 2025-06-13)

• [feaLib] Allow for empty MarkFilter & MarkAttach sets (#3856).

4.58.3 (released 2025-06-13)

• [feaLib] Fixed iterable check for Python 3.13.4 and newer (#3854, #3855).

4.58.2 (released 2025-06-06)

... (truncated)

Commits

• 7ea9e46 Release 4.59.1
• 34629f9 Update NEWS.rst
• 587f721 Merge pull request #3902 from fonttools/deprecate-varlib-mutator
• 1ea2a47 Merge pull request #3901 from fonttools/improve-vhmtx-error
• 294ef0a issue deprecation warning when calling mutator.instantiantiateVariableFont
• 7feb5df h_m_t_x_test: test not enough table data to decompile sidebearings
• e15c9a3 [vhmtx] raise TTLibError('not enough data...') when hmtx/vmtx are truncated
• 5ae2943 Update OS/2.usMaxContext if possible after addFeatureVariationsRaw (#3894)
• 239af64 [gvar] A couple of assert debug info (#3896)
• ec716f1 Merge pull request #3895 from cmyr/deduplicate-features
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #923.