Fonttools

----------------------------

- [subset] Set up lxml ``XMLParser(resolve_entities=False)`` when parsing OT-SVG documents
to prevent XML External Entity (XXE) attacks (9f61271dc):
https://codeql.github.com/codeql-query-help/python/py-xxe/
- [varLib.iup] Added workaround for a Cython bug in ``iup_delta_optimize`` that was
leading to IUP tolerance being incorrectly initialised, resulting in sub-optimal deltas
(60126435d, cython/cython5732).
- [varLib] Added new command-line entry point ``fonttools varLib.avar`` to add an
``avar`` table to an existing VF from axes mappings in a .designspace file (0a3360e52).
- [instancer] Fixed bug whereby no longer used variation regions were not correctly pruned
after VarData optimization (3268).
- Added support for Python 3.12 (3283).

----------------------------

- [t1Lib] Fixed several Type 1 issues (3238, 3240).
- [otBase/packer] Allow sharing tables reached by different offset sizes (3241, 3236).
- [varLib/merger] Fix Cursive attachment merging error when all anchors are NULL (3248, 3247).
- [ttLib] Fixed warning when calling ``addMultilingualName`` and ``ttFont`` parameter was not
passed on to ``findMultilingualName`` (3253).

----------------------------

- [varLib] Use sentinel value 0xFFFF to mark a glyph advance in hmtx/vmtx as non
participating, allowing sparse masters to contain glyphs for variation purposes other
than {H,V}VAR (3235).
- [varLib/cff] Treat empty glyphs in non-default masters as missing, thus not participating
in CFF2 delta computation, similarly to how varLib already treats them for gvar (3234).
- Added varLib.avarPlanner script to deduce 'correct' avar v1 axis mappings based on
glyph average weights (3223).

----------------------------

- [subset] Fixed perf regression in v4.41.0 by making ``NameRecordVisitor`` only visit
tables that do contain nameID references (3213, 3214).
- [varLib.instancer] Support instancing fonts containing null ConditionSet offsets in
FeatureVariationRecords (3211, 3212).
- [statisticsPen] Report font glyph-average weight/width and font-wide slant.
- [fontBuilder] Fixed head.created date incorrectly set to 0 instead of the current
timestamp, regression introduced in v4.40.0 (3210).
- [varLib.merger] Support sparse ``CursivePos`` masters (3209).

----------------------------

- [fontBuilder] Fixed bug in setupOS2 with default panose attribute incorrectly being
set to a dict instead of a Panose object (3201).
- [name] Added method to ``removeUnusedNameRecords`` in the user range (3185).
- [varLib.instancer] Fixed issue with L4 instancing (moving default) (3179).
- [cffLib] Use latin1 so we can roundtrip non-ASCII in {Full,Font,Family}Name (3202).
- [designspaceLib] Mark <source name="..."> as optional in docs (as it is in the code).
- [glyf-1] Fixed drawPoints() bug whereby last cubic segment becomes quadratic (3189, 3190).
- [fontBuilder] Propagate the 'hidden' flag to the fvar Axis instance (3184).
- [fontBuilder] Update setupAvar() to also support avar 2, fixing ``_add_avar()`` call
site (3183).
- Added new ``voltLib.voltToFea`` submodule (originally Tiro Typeworks' "Volto") for
converting VOLT OpenType Layout sources to FEA format (3164).

----------------------------

- Published native binary wheels to PyPI for all the python minor versions and platform
and architectures currently supported that would benefit from this. They will include
precompiled Cython-accelerated modules (e.g. cu2qu) without requiring to compile them
from source. The pure-python wheel and source distribution will continue to be
published as always (pip will automatically chose them when no binary wheel is
available for the given platform, e.g. pypy). Use ``pip install --no-binary=fonttools fonttools``
to expliclity request pip to install from the pure-python source.
- [designspaceLib|varLib] Add initial support for specifying axis mappings and build
``avar2`` table from those (3123).
- [feaLib] Support variable ligature caret position (3130).
- [varLib|glyf] Added option to --drop-implied-oncurves; test for impliable oncurve
points either before or after rounding (3146, 3147, 3155, 3156).
- [TTGlyphPointPen] Don't error with empty contours, simply ignore them (3145).
- [sfnt] Fixed str vs bytes remnant of py3 transition in code dealing with de/compiling
WOFF metadata (3129).
- [instancer-solver] Fixed bug when moving default instance with sparse masters (3139, 3140).
- [feaLib] Simplify variable scalars that don’t vary (3132).
- [pens] Added filter pen that explicitly emits closing line when lastPt != movePt (3100).
- [varStore] Improve optimize algorithm and better document the algorithm (3124, 3127).
Added ``quantization`` option (3126).
- Added CI workflow config file for building native binary wheels (3121).
- [fontBuilder] Added glyphDataFormat=0 option; raise error when glyphs contain cubic
outlines but glyphDataFormat was not explicitly set to 1 (3113, 3119).
- [subset] Prune emptied GDEF.MarkGlyphSetsDef and remap indices; ensure GDEF is
subsetted before GSUB and GPOS (3114, 3118).
- [xmlReader] Fixed issue whereby DSIG table data was incorrectly parsed (3115, 2614).
- [varLib/merger] Fixed merging of SinglePos with pos=0 (3111, 3112).
- [feaLib] Demote "Feature has not been defined" error to a warning when building aalt
and referenced feature is empty (3110).
- [feaLib] Dedupe multiple substitutions with classes (3105).