chore(deps): bump fonttools from 4.60.1 to 4.61.0

[dependabot]

Bumps fonttools from 4.60.1 to 4.61.0.

Release notes

Sourced from fonttools's releases.

4.61.0

• [varLib.main]: SECURITY Only use basename(vf.filename) to prevent path traversal attacks when running fonttools varLib command-line script, or code which invokes fonttools.varLib.main(). Fixes CVE-2025-66034, see: GHSA-768j-98cg-p3fv.
• [feaLib] Sort BaseLangSysRecords by tag (#3986).
• Drop support for EOL Python 3.9 (#3982).
• [instancer] Support --remove-overlaps for fonts with CFF2 table (#3975).
• [CFF2ToCFF] Add --remove-overlaps option (#3976).
• [feaLib] Raise an error for rsub with NULL target (#3979).
• [bezierTools] Fix logic bug in curveCurveIntersections (#3963).
• [feaLib] Error when condition sets have the same name (#3958).
• [cu2qu.ufo] skip processing empty glyphs to support sparse kerning masters (#3956).
• [unicodedata] Update to Unicode 17. Require unicodedata2 >= 17.0.0 when installed with 'unicode' extra.

Changelog

Sourced from fonttools's changelog.

4.61.0 (released 2025-11-28)

• [varLib.main]: SECURITY Only use basename(vf.filename) to prevent path traversal attacks when running fonttools varLib command, or code which invokes fonttools.varLib.main(). Fixes CVE-2025-66034, see: GHSA-768j-98cg-p3fv.
• [feaLib] Sort BaseLangSysRecords by tag (#3986).
• Drop support for EOL Python 3.9 (#3982).
• [instancer] Support --remove-overlaps for fonts with CFF2 table (#3975).
• [CFF2ToCFF] Add --remove-overlaps option (#3976).
• [feaLib] Raise an error for rsub with NULL target (#3979).
• [bezierTools] Fix logic bug in curveCurveIntersections (#3963).
• [feaLib] Error when condition sets have the same name (#3958).
• [cu2qu.ufo] skip processing empty glyphs to support sparse kerning masters (#3956).
• [unicodedata] Update to Unicode 17. Require unicodedata2 >= 17.0.0 when installed with 'unicode' extra.

Commits

• e691e3b Release 4.61.0
• c2d540f Update NEWS.rst
• 3859753 Update NEWS.rst
• 26eb070 black
• 5ff73af Merge commit from fork
• a696d5b varLib: only use the basename(vf.filename)
• b00bc45 varLib_test: test path traversal in variable-font filename
• 066512e Merge pull request #3986 from cmyr/base-minmax-sorting
• ce78973 [feaLib] Sort BasLangSysRecords by tag
• 5bb37dc Merge pull request #3983 from fonttools/dependabot/pip/brotli-1.2.0
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.09%. Comparing base (8817207) to head (354911c).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #533   +/-   ##
=======================================
  Coverage   91.09%   91.09%           
=======================================
  Files         111      111           
  Lines        4201     4201           
  Branches      552      552           
=======================================
  Hits         3827     3827           
  Misses        231      231           
  Partials      143      143           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

Unit Test Results

    18 files  ±0      18 suites  ±0   38m 27s ⏱️ + 5m 50s
 1 212 tests ±0   1 212 ✅ + 1  0 💤 ±0  0 ❌  - 1 
15 840 runs  ±0  15 840 ✅ +10  0 💤  - 9  0 ❌  - 1 

Results for commit 354911c. ± Comparison against base commit 8817207.

♻️ This comment has been updated with latest results.