Bump the pip group across 1 directory with 6 updates

[dependabot[bot]]

Bumps the pip group with 6 updates in the / directory:

Package	From	To
certifi	2023.7.22	2024.7.4
fonttools	4.39.4	4.43.0
idna	3.4	3.7
pillow	10.3.0	10.4.0
pyarrow	12.0.0	14.0.1
requests	2.31.0	2.32.2

Updates certifi from 2023.7.22 to 2024.7.4

Commits

• bd81538 2024.07.04 (#295)
• 06a2cbf Bump peter-evans/create-pull-request from 6.0.5 to 6.1.0 (#294)
• 13bba02 Bump actions/checkout from 4.1.6 to 4.1.7 (#293)
• e8abcd0 Bump pypa/gh-action-pypi-publish from 1.8.14 to 1.9.0 (#292)
• 124f4ad 2024.06.02 (#291)
• c2196ce --- (#290)
• fefdeec Bump actions/checkout from 4.1.4 to 4.1.5 (#289)
• 3c5fb15 Bump actions/download-artifact from 4.1.6 to 4.1.7 (#286)
• 4a9569a Bump actions/checkout from 4.1.2 to 4.1.4 (#287)
• 1fc8086 Bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 (#288)
• Additional commits viewable in compare view

Updates fonttools from 4.39.4 to 4.43.0

Release notes

Sourced from fonttools's releases.

4.43.0

• [subset] Set up lxml XMLParser(resolve_entities=False) when parsing OT-SVG documents to prevent XML External Entity (XXE) attacks (9f61271dc): https://codeql.github.com/codeql-query-help/python/py-xxe/
• [varLib.iup] Added workaround for a Cython bug in iup_delta_optimize that was leading to IUP tolerance being incorrectly initialised, resulting in sub-optimal deltas (60126435d, cython/cython#5732).
• [varLib] Added new command-line entry point fonttools varLib.avar to add an avar table to an existing VF from axes mappings in a .designspace file (0a3360e52).
• [instancer] Fixed bug whereby no longer used variation regions were not correctly pruned after VarData optimization (#3268).
• Added support for Python 3.12 (#3283).

4.42.1

• [t1Lib] Fixed several Type 1 issues (#3238, #3240).
• [otBase/packer] Allow sharing tables reached by different offset sizes (#3241, #3236, 457f11c2).
• [varLib/merger] Fix Cursive attachment merging error when all anchors are NULL (#3248, #3247).
• [ttLib] Fixed warning when calling addMultilingualName and ttFont parameter was not passed on to findMultilingualName (#3253).

4.42.0

• [varLib] Use sentinel value 0xFFFF to mark a glyph advance in hmtx/vmtx as non participating, allowing sparse masters to contain glyphs for variation purposes other than {H,V}VAR (#3235).
• [varLib/cff] Treat empty glyphs in non-default masters as missing, thus not participating in CFF2 delta computation, similarly to how varLib already treats them for gvar (#3234).
• Added varLib.avarPlanner script to deduce 'correct' avar v1 axis mappings based on glyph average weights (#3223).

4.41.1

• [subset] Fixed perf regression in v4.41.0 by making NameRecordVisitor only visit tables that do contain nameID references (#3213, #3214).
• [varLib.instancer] Support instancing fonts containing null ConditionSet offsets in FeatureVariationRecords (#3211, #3212).
• [statisticsPen] Report font glyph-average weight/width and font-wide slant.
• [fontBuilder] Fixed head.created date incorrectly set to 0 instead of the current timestamp, regression introduced in v4.40.0 (#3210).
• [varLib.merger] Support sparse CursivePos masters (#3209).

4.41.0

• [fontBuilder] Fixed bug in setupOS2 with default panose attribute incorrectly being set to a dict instead of a Panose object (#3201).
• [name] Added method to removeUnusedNameRecords in the user range (#3185).
• [varLib.instancer] Fixed issue with L4 instancing (moving default) (#3179).
• [cffLib] Use latin1 so we can roundtrip non-ASCII in {Full,Font,Family}Name (#3202).
• [designspaceLib] Mark as optional in docs (as it is in the code).
• [glyf-1] Fixed drawPoints() bug whereby last cubic segment becomes quadratic (#3189, #3190).
• [fontBuilder] Propagate the 'hidden' flag to the fvar Axis instance (#3184).
• [fontBuilder] Update setupAvar() to also support avar 2, fixing _add_avar() call site (#3183).
• Added new voltLib.voltToFea submodule (originally Tiro Typeworks' "Volto") for converting VOLT OpenType Layout sources to FEA format (#3164).

4.40.0

• Published native binary wheels to PyPI for all the python minor versions and platform and architectures currently supported that would benefit from this. They will include precompiled Cython-accelerated modules (e.g. cu2qu) without requiring to compile them from source. The pure-python wheel and source distribution will continue to be published as always (pip will automatically chose them when no binary wheel is available for the given platform, e.g. pypy). Use pip install --no-binary=fonttools fonttools to expliclity request pip to install from the pure-python source.
• [designspaceLib|varLib] Add initial support for specifying axis mappings and build avar2 table from those (#3123).
• [feaLib] Support variable ligature caret position (#3130).
• [varLib|glyf] Added option to --drop-implied-oncurves; test for impliable oncurve points either before or after rounding (#3146, #3147, #3155, #3156).
• [TTGlyphPointPen] Don't error with empty contours, simply ignore them (#3145).
• [sfnt] Fixed str vs bytes remnant of py3 transition in code dealing with de/compiling WOFF metadata (#3129).
• [instancer-solver] Fixed bug when moving default instance with sparse masters (#3139, #3140).
• [feaLib] Simplify variable scalars that don’t vary (#3132).
• [pens] Added filter pen that explicitly emits closing line when lastPt != movePt (#3100).
• [varStore] Improve optimize algorithm and better document the algorithm (#3124, #3127).
  Added quantization option (#3126).
• Added CI workflow config file for building native binary wheels (#3121).
• [fontBuilder] Added glyphDataFormat=0 option; raise error when glyphs contain cubic outlines but glyphDataFormat was not explicitly set to 1 (#3113, #3119).

... (truncated)

Changelog

Sourced from fonttools's changelog.

4.43.0 (released 2023-09-29)

• [subset] Set up lxml XMLParser(resolve_entities=False) when parsing OT-SVG documents to prevent XML External Entity (XXE) attacks (9f61271dc): https://codeql.github.com/codeql-query-help/python/py-xxe/
• [varLib.iup] Added workaround for a Cython bug in iup_delta_optimize that was leading to IUP tolerance being incorrectly initialised, resulting in sub-optimal deltas (60126435d, cython/cython#5732).
• [varLib] Added new command-line entry point fonttools varLib.avar to add an avar table to an existing VF from axes mappings in a .designspace file (0a3360e52).
• [instancer] Fixed bug whereby no longer used variation regions were not correctly pruned after VarData optimization (#3268).
• Added support for Python 3.12 (#3283).

4.42.1 (released 2023-08-20)

• [t1Lib] Fixed several Type 1 issues (#3238, #3240).
• [otBase/packer] Allow sharing tables reached by different offset sizes (#3241, #3236).
• [varLib/merger] Fix Cursive attachment merging error when all anchors are NULL (#3248, #3247).
• [ttLib] Fixed warning when calling addMultilingualName and ttFont parameter was not passed on to findMultilingualName (#3253).

4.42.0 (released 2023-08-02)

• [varLib] Use sentinel value 0xFFFF to mark a glyph advance in hmtx/vmtx as non participating, allowing sparse masters to contain glyphs for variation purposes other than {H,V}VAR (#3235).
• [varLib/cff] Treat empty glyphs in non-default masters as missing, thus not participating in CFF2 delta computation, similarly to how varLib already treats them for gvar (#3234).
• Added varLib.avarPlanner script to deduce 'correct' avar v1 axis mappings based on glyph average weights (#3223).

4.41.1 (released 2023-07-21)

• [subset] Fixed perf regression in v4.41.0 by making NameRecordVisitor only visit tables that do contain nameID references (#3213, #3214).
• [varLib.instancer] Support instancing fonts containing null ConditionSet offsets in FeatureVariationRecords (#3211, #3212).
• [statisticsPen] Report font glyph-average weight/width and font-wide slant.
• [fontBuilder] Fixed head.created date incorrectly set to 0 instead of the current timestamp, regression introduced in v4.40.0 (#3210).
• [varLib.merger] Support sparse CursivePos masters (#3209).

4.41.0 (released 2023-07-12)

... (truncated)

Commits

• 145460e Release 4.43.0
• 64f3fd8 Update changelog [skip ci]
• 7aea49e Merge pull request #3283 from hugovk/main
• 4470c44 Bump requirements.txt to support Python 3.12
• 0c87cba Bump scipy for Python 3.12 support
• eda6fa5 Add support for Python 3.12
• 0e033b0 Bump reportlab from 3.6.12 to 3.6.13 in /Doc
• 6012643 [iup] Work around cython bug
• b14268a [iup] Remove copy/pasta
• 0a3360e [varLib.avar] New module to compile avar from .designspace file
• Additional commits viewable in compare view

Updates idna from 3.4 to 3.7

Release notes

Sourced from idna's releases.

v3.7

What's Changed

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: https://github.com/kjd/idna/compare/v3.6...v3.7

Changelog

Sourced from idna's changelog.

3.7 (2024-04-11) ++++++++++++++++

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

3.6 (2023-11-25) ++++++++++++++++

• Fix regression to include tests in source distribution.

3.5 (2023-11-24) ++++++++++++++++

• Update to Unicode 15.1.0
• String codec name is now "idna2008" as overriding the system codec "idna" was not working.
• Fix typing error for codec encoding
• "setup.cfg" has been added for this release due to some downstream lack of adherence to PEP 517. Should be removed in a future release so please prepare accordingly.
• Removed reliance on a symlink for the "idna-data" tool to comport with PEP 517 and the Python Packaging User Guide for sdist archives.
• Added security reporting protocol for project

Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions to this release.

Commits

• 1d365e1 Release v3.7
• c1b3154 Merge pull request #172 from kjd/optimize-contextj
• 0394ec7 Merge branch 'master' into optimize-contextj
• cd58a23 Merge pull request #152 from elliotwutingfeng/dev
• 5beb28b More efficient resolution of joiner contexts
• 1b12148 Update ossf/scorecard-action to v2.3.1
• d516b87 Update Github actions/checkout to v4
• c095c75 Merge branch 'master' into dev
• 60a0a4c Fix typo in GitHub Actions workflow key
• 5918a0e Merge branch 'master' into dev
• Additional commits viewable in compare view

Updates pillow from 10.3.0 to 10.4.0

Release notes

Sourced from pillow's releases.

10.4.0

https://pillow.readthedocs.io/en/stable/releasenotes/10.4.0.html

Changes

• Raise FileNotFoundError if show_file() path does not exist #8178 [@​radarhere]
• Improved reading 16-bit TGA images with colour #7965 [@​Yay295]
• Fixed processing multiple JPEG EXIF markers #8127 [@​radarhere]
• Do not preserve EXIFIFD tag by default when saving TIFF images #8110 [@​radarhere]
• Added ImageFont.load_default_imagefont() #8086 [@​radarhere]
• Added Image.WARN_POSSIBLE_FORMATS #8063 [@​radarhere]
• Do not presume "xmp" info simply because "XML:com.adobe.xmp" info exists #8173 [@​radarhere]
• Remove zero-byte end padding when parsing any XMP data #8171 [@​radarhere]
• Do not detect Ultra HDR images as MPO #8056 [@​radarhere]
• Raise SyntaxError specific to JP2 #8146 [@​Yay295]
• Do not use first frame duration for other frames when saving APNG images #8104 [@​radarhere]
• Consider I;16 pixel size when using a 1 mode mask #8112 [@​radarhere]
• When saving multiple PNG frames, convert to mode rather than raw mode #8087 [@​radarhere]
• Added byte support to FreeTypeFont #8141 [@​radarhere]
• Allow float center for rotate operations #8114 [@​radarhere]
• Do not read layers immediately when opening PSD images #8039 [@​radarhere]
• Restore original thread state #8065 [@​radarhere]
• Read IM and TIFF images as RGB, rather than RGBX #7997 [@​radarhere]
• Only preserve TIFF IPTC_NAA_CHUNK tag if type is BYTE or UNDEFINED #7948 [@​radarhere]
• Prevent extra EPS header validations #8144 [@​Yay295]
• Clarify ImageDraw2 error message when size is missing #8165 [@​radarhere]
• Support unpacking more rawmodes to RGBA palettes #7966 [@​radarhere]
• Removed support for Qt 5 #8159 [@​radarhere]
• Improve ImageFont.freetype support for XDG directories on Linux #8135 [@​mamg22]
• Improved consistency of XMP handling #8069 [@​radarhere]
• Use pkg-config to help find libwebp and raqm #8142 [@​radarhere]
• Renamed C transform2 to transform #8113 [@​radarhere]
• Updated nasm to 2.16.03 #7990 [@​radarhere]
• [pre-commit.ci] pre-commit autoupdate #8100 [@​pre-commit-ci]
• Updated ImageCms.createProfile colorTemp default and docstring #8096 [@​radarhere]
• Added ImageDraw circle() #8085 [@​void4]
• Don't reuse variable name #8082 [@​Yay295]
• Use functools.cached_property in GifImagePlugin #8037 [@​radarhere]
• Add mypy target to Makefile #8077 [@​Yay295]
• Added Python 3.13 beta wheels #8071 [@​radarhere]
• Parse _version contents instead of using exec() #8050 [@​radarhere]
• Lint fixes #8068 [@​radarhere]
• Fix type errors #8064 [@​radarhere]
• Added MPEG accept function #7999 [@​radarhere]
• Added more modes to Image.MODES #7984 [@​radarhere]
• [pre-commit.ci] pre-commit autoupdate #8044 [@​pre-commit-ci]
• Do not use percent format in strings #8045 [@​radarhere]
• Changed string formatting to f-strings #8043 [@​mrKazzila]
• Removed direct invocation of setup.py #8027 [@​radarhere]
• Update ExifTags.py #8020 [@​CTimmerman]

... (truncated)

Changelog

Sourced from pillow's changelog.

10.4.0 (2024-07-01)

• Raise FileNotFoundError if show_file() path does not exist #8178 [radarhere]

• Improved reading 16-bit TGA images with colour #7965 [Yay295, radarhere]

• Deprecate non-image ImageCms modes #8031 [radarhere]

• Fixed processing multiple JPEG EXIF markers #8127 [radarhere]

• Do not preserve EXIFIFD tag by default when saving TIFF images #8110 [radarhere]

• Added ImageFont.load_default_imagefont() #8086 [radarhere]

• Added Image.WARN_POSSIBLE_FORMATS #8063 [radarhere]

• Remove zero-byte end padding when parsing any XMP data #8171 [radarhere]

• Do not detect Ultra HDR images as MPO #8056 [radarhere]

• Raise SyntaxError specific to JP2 #8146 [Yay295, radarhere]

• Do not use first frame duration for other frames when saving APNG images #8104 [radarhere]

• Consider I;16 pixel size when using a 1 mode mask #8112 [radarhere]

• When saving multiple PNG frames, convert to mode rather than raw mode #8087 [radarhere]

• Added byte support to FreeTypeFont #8141 [radarhere]

• Allow float center for rotate operations #8114 [radarhere]

• Do not read layers immediately when opening PSD images #8039 [radarhere]

... (truncated)

Commits

• 9b4fae7 10.4.0 version bump
• b55d74b Update CHANGES.rst [ci skip]
• 8daf550 Merge pull request #8178 from radarhere/imageshow
• c6d8c58 Merge pull request #7965 from Yay295/patch-3
• c9ec76a Raise FileNotFoundError if show_file() path does not exist
• b48d175 Update CHANGES.rst [ci skip]
• 4d6dff3 Merge pull request #8031 from radarhere/imagingcms_modes
• 70b3815 Merge pull request #8127 from radarhere/multiple_exif_markers
• 88cd6d4 Rearranged comments
• 41426a6 Merge pull request #8110 from radarhere/exififd
• Additional commits viewable in compare view

Updates pyarrow from 12.0.0 to 14.0.1

Commits

• ba53748 MINOR: [Release] Update versions for 14.0.1
• 529f376 MINOR: [Release] Update .deb/.rpm changelogs for 14.0.1
• b84bbca MINOR: [Release] Update CHANGELOG.md for 14.0.1
• f141709 GH-38607: [Python] Disable PyExtensionType autoload (#38608)
• 5a37e74 GH-38431: [Python][CI] Update fs.type_name checks for s3fs tests (#38455)
• 2dcee3f MINOR: [Release] Update versions for 14.0.0
• 297428c MINOR: [Release] Update .deb/.rpm changelogs for 14.0.0
• 3e9734f MINOR: [Release] Update CHANGELOG.md for 14.0.0
• 9f90995 GH-38332: [CI][Release] Resolve symlinks in RAT lint (#38337)
• bd61239 GH-35531: [Python] C Data Interface PyCapsule Protocol (#37797)
• Additional commits viewable in compare view

Updates requests from 2.31.0 to 2.32.2

Release notes

Sourced from requests's releases.

v2.32.2

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

v2.32.1

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

v2.32.0

2.32.0 (2024-05-20)

🐍 PYCON US 2024 EDITION 🐍

Security

• Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
• Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
• Fixed deserialization bug in JSONDecodeError. (#6629)
• Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

... (truncated)

Changelog

Sourced from requests's changelog.

2.32.2 (2024-05-21)

Deprecations

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0.

  A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)

2.32.1 (2024-05-20)

Bugfixes

• Add missing test certs to the sdist distributed on PyPI.

2.32.0 (2024-05-20)

Security

• Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

Improvements

• verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)
• Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. The Response.text() and apparent_encoding APIs will default to utf-8 if neither library is present. (#6702)

Bugfixes

• Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
• Fixed deserialization bug in JSONDecodeError. (#6629)
• Fixed bug where an extra leading / (path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)

Deprecations

... (truncated)

Commits

• 88dce9d v2.32.2
• c98e4d1 Merge pull request #6710 from nateprewitt/api_rename
• 92075b3 Add deprecation warning
• aa1461b Move _get_connection to get_connection_with_tls_context
• 970e8ce v2.32.1
• d6ebc4a v2.32.0
• 9a40d12 Avoid reloading root certificates to improve concurrent performance (#6667)
• 0c030f7 Merge pull request #6702 from nateprewitt/no_char_detection
• 555b870 Allow character detection dependencies to be optional in post-packaging steps
• d6dded3 Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-test
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/NREL/altrios/network/alerts).

[dependabot[bot]]

None of your dependencies match this group anymore, you may need to update your configuration file to remove it or change its rules.