Fonttools

----------------------------

- [EBDT] Fixed TypeError exception in `_reverseBytes` method triggered when dumping
some bitmap fonts with `ttx -z bitwise` option (3162).
- [v/hhea] Fixed UnboundLocalError exception in ``recalc`` method when no vmtx or hmtx
tables are present (3290).
- [bezierTools] Fixed incorrectly typed cython local variable leading to TypeError when
calling ``calcQuadraticArcLength`` (3288).
- [feaLib/otlLib] Better error message when building Coverage table with missing glyph (3286).

----------------------------

- [subset] Set up lxml ``XMLParser(resolve_entities=False)`` when parsing OT-SVG documents
to prevent XML External Entity (XXE) attacks (9f61271dc):
https://codeql.github.com/codeql-query-help/python/py-xxe/
- [varLib.iup] Added workaround for a Cython bug in ``iup_delta_optimize`` that was
leading to IUP tolerance being incorrectly initialised, resulting in sub-optimal deltas
(60126435d, cython/cython5732).
- [varLib] Added new command-line entry point ``fonttools varLib.avar`` to add an
``avar`` table to an existing VF from axes mappings in a .designspace file (0a3360e52).
- [instancer] Fixed bug whereby no longer used variation regions were not correctly pruned
after VarData optimization (3268).
- Added support for Python 3.12 (3283).

----------------------------

- [t1Lib] Fixed several Type 1 issues (3238, 3240).
- [otBase/packer] Allow sharing tables reached by different offset sizes (3241, 3236).
- [varLib/merger] Fix Cursive attachment merging error when all anchors are NULL (3248, 3247).
- [ttLib] Fixed warning when calling ``addMultilingualName`` and ``ttFont`` parameter was not
passed on to ``findMultilingualName`` (3253).

----------------------------

- [varLib] Use sentinel value 0xFFFF to mark a glyph advance in hmtx/vmtx as non
participating, allowing sparse masters to contain glyphs for variation purposes other
than {H,V}VAR (3235).
- [varLib/cff] Treat empty glyphs in non-default masters as missing, thus not participating
in CFF2 delta computation, similarly to how varLib already treats them for gvar (3234).
- Added varLib.avarPlanner script to deduce 'correct' avar v1 axis mappings based on
glyph average weights (3223).

----------------------------

- [subset] Fixed perf regression in v4.41.0 by making ``NameRecordVisitor`` only visit
tables that do contain nameID references (3213, 3214).
- [varLib.instancer] Support instancing fonts containing null ConditionSet offsets in
FeatureVariationRecords (3211, 3212).
- [statisticsPen] Report font glyph-average weight/width and font-wide slant.
- [fontBuilder] Fixed head.created date incorrectly set to 0 instead of the current
timestamp, regression introduced in v4.40.0 (3210).
- [varLib.merger] Support sparse ``CursivePos`` masters (3209).

----------------------------

- [fontBuilder] Fixed bug in setupOS2 with default panose attribute incorrectly being
set to a dict instead of a Panose object (3201).
- [name] Added method to ``removeUnusedNameRecords`` in the user range (3185).
- [varLib.instancer] Fixed issue with L4 instancing (moving default) (3179).
- [cffLib] Use latin1 so we can roundtrip non-ASCII in {Full,Font,Family}Name (3202).
- [designspaceLib] Mark <source name="..."> as optional in docs (as it is in the code).
- [glyf-1] Fixed drawPoints() bug whereby last cubic segment becomes quadratic (3189, 3190).
- [fontBuilder] Propagate the 'hidden' flag to the fvar Axis instance (3184).
- [fontBuilder] Update setupAvar() to also support avar 2, fixing ``_add_avar()`` call
site (3183).
- Added new ``voltLib.voltToFea`` submodule (originally Tiro Typeworks' "Volto") for
converting VOLT OpenType Layout sources to FEA format (3164).