Bump the dependabot group with 4 updates

[dependabot]

Bumps the dependabot group with 4 updates: fonttools, idna, click and zipp.

Updates fonttools from 4.62.1 to 4.63.0

Release notes

Sourced from fonttools's releases.

4.63.0

• [ttLib] Add support for Apple Color Emoji bgcl table (#4065).
• [ttLib] Add support for IFT and IFTX tables (Incremental Font Transfer, PatchMapFormat2) (#4070, #4072).
• [otData] Introduce FieldSpec dataclass for OpenType table schema definitions, replacing raw tuples in otData.py (#4076).
• [Feat] Show name table strings as comments next to label IDs in TTX output, matching the convention used by fvar, STAT, trak (#4089).
• [cu2qu] Fix Cython complex-division rounding difference in split_cubic_into_three that could cause ±1 off-curve coordinate shifts (#3928, #4083).
• [designspaceLib] Fix map_backwardgooglefonts/ufo2ft#978#4085).
• [OS/2] Fix setUnicodeRanges to accept reserved bits 123-127, restoring round-trip with getUnicodeRanges and fixing recalcUnicodeRanges crash in the subsetter (#4087, #4088).
• [cython] Declare Cython extensions as free-threading compatible on Python 3.13+, so that importing them on free-threaded Python no longer re-enables the GIL (#4073, #4090).

Changelog

Sourced from fonttools's changelog.

4.63.0 (released 2026-05-14)

• [ttLib] Add support for Apple Color Emoji bgcl table (#4065).
• [ttLib] Add support for IFT and IFTX tables (Incremental Font Transfer, PatchMapFormat2) (#4070, #4072).
• [otData] Introduce FieldSpec dataclass for OpenType table schema definitions, replacing raw tuples in otData.py (#4076).
• [Feat] Show name table strings as comments next to label IDs in TTX output, matching the convention used by fvar, STAT, trak (#4089).
• [cu2qu] Fix Cython complex-division rounding difference in split_cubic_into_three that could cause ±1 off-curve coordinate shifts (#3928, #4083).
• [designspaceLib] Fix map_backward for many-to-one (flat-segment) axis maps that silently dropped entries via dict comprehension googlefonts/ufo2ft#978#4085).
• [OS/2] Fix setUnicodeRanges to accept reserved bits 123-127, restoring round-trip with getUnicodeRanges and fixing recalcUnicodeRanges crash in the subsetter (#4087, #4088).
• [cython] Declare Cython extensions as free-threading compatible on Python 3.13+, so that importing them on free-threaded Python no longer re-enables the GIL (#4073, #4090).

Commits

• 978d9ed Release 4.63.0
• 6b40ecb Add changelog entries for 4.63.0
• 382a35f Merge pull request #4090 from fonttools/fix-freethreading-compat
• 0e999b5 Declare Cython extensions as free-threading compatible
• 9e55ea5 Merge pull request #4089 from fonttools/graphite-feat-labels
• e84db3a Merge pull request #4088 from fonttools/fix-setUnicodeRanges-bits-123-127
• d6eabd1 Feat: show name table strings as comments next to label IDs in ttx
• 7d0902b OS/2: fix setUnicodeRanges round-trip for reserved bits 123-127
• 06e266c Merge pull request #4085 from fonttools/fix-map-backward-non-injective
• 6d64598 Add more tests for map_backward with many-to-one axis maps
• Additional commits viewable in compare view

Updates idna from 3.14 to 3.15

Changelog

Sourced from idna's changelog.

3.15 (2026-05-12)

• Enforce DNS-length cap on individual labels early in check_label, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.
• Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared _unicode_dots_re from idna.core in the codec module.
• Use raise ... from err for proper exception chaining and switch internal string formatting to f-strings.
• Allow flit_core 4.x in the build backend.
• Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.
• Add Dependabot configuration for GitHub Actions.
• Convert README and HISTORY from reStructuredText to Markdown.
• Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.

Commits

• af30a09 Release 3.15
• 30314d4 Pre-release 3.15rc0
• 05d4b21 Merge pull request #237 from kjd/convert-docs-to-markdown
• 2987fdb Convert README and HISTORY from reStructuredText to Markdown
• 59fa800 Merge pull request #236 from kjd/dependabot/github_actions/actions-f3e34333ea
• def6983 Merge branch 'master' into dependabot/github_actions/actions-f3e34333ea
• bbd8004 Merge pull request #234 from StanFromIreland/patch-1
• edd07c0 Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions group
• 5557db0 Merge branch 'master' into patch-1
• f11746c Merge pull request #235 from StanFromIreland/patch-2
• Additional commits viewable in compare view

Updates click from 8.3.0 to 8.4.0

Release notes

Sourced from click's releases.

8.4.0

This is the Click 8.4.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecation, or introduce potentially breaking changes.

We encourage everyone to upgrade. You can read more about our Version Support Policy on our website.

PyPI: https://pypi.org/project/click/8.4.0/ Changes: https://click.palletsprojects.com/page/changes/#version-8-4-0 Milestone https://github.com/pallets/click/milestone/30

• ParamType typing improvements. #3371

  • :class:ParamType is now a generic abstract base class, parameterized by its converted value type.
  • :meth:~ParamType.convert return types are narrowed on all concrete types (str for :class:STRING, int for :class:INT, etc.).
  • :meth:~ParamType.to_info_dict returns specific :class:~typing.TypedDict subclasses instead of dict[str, Any].
  • :class:CompositeParamType and the number-range base are now generic with abstract methods.

• Refactor convert_type to extract type inference into a private _guess_type helper, and add :func:typing.overload signatures. #3372

• Parameter typing improvements. #2805

  • :class:Parameter is now an abstract base class, making explicit that it cannot be instantiated directly.
  • :attr:Parameter.name is now str instead of str | None. When expose_value=False, the name is set to "" instead of None.
  • The ctx parameter of :meth:Parameter.get_error_hint is now typed as Context | None, matching the runtime behavior.

• Split string values from default_map for parameters with nargs > 1 or :class:Tuple type, matching environment variable behavior. #2745 #3364

• Auto-detect type=UNPROCESSED for flag_value of non-basic types (not str, int, float, or bool), so programmer-provided Python objects like classes and enum members are passed through unchanged instead of being stringified. Previously type=click.UNPROCESSED had to be set explicitly. #2012 #3363

• The error hint now uses Command.get_help_option_names to pick non-shadowed help option names, so Try '... -h' no longer points to a subcommand option that shadows -h. All surviving names are shown (-h/--help). #2790 #3208

• Fix readline functionality on non-Windows platforms. Prompt text is now passed directly to readline instead of being printed separately, allowing proper backspace, line editing, and line wrapping behavior. #2968

... (truncated)

Changelog

Sourced from click's changelog.

Version 8.4.0

Released 2026-05-17

• :class:ParamType typing improvements. :pr:3371

  • :class:ParamType is now a generic abstract base class, parameterized by its converted value type.
  • :meth:~ParamType.convert return types are narrowed on all concrete types (str for :class:STRING, int for :class:INT, etc.).
  • :meth:~ParamType.to_info_dict returns specific :class:~typing.TypedDict subclasses instead of dict[str, Any].
  • :class:CompositeParamType and the number-range base are now generic with abstract methods.

• Refactor convert_type to extract type inference into a private _guess_type helper, and add :func:typing.overload signatures. :pr:3372

• :class:Parameter typing improvements. :pr:2805

  • :class:Parameter is now an abstract base class, making explicit that it cannot be instantiated directly.
  • :attr:Parameter.name is now str instead of str | None. When expose_value=False, the name is set to "" instead of None.
  • The ctx parameter of :meth:Parameter.get_error_hint is now typed as Context | None, matching the runtime behavior.

• Split string values from default_map for parameters with nargs > 1 or :class:Tuple type, matching environment variable behavior. :issue:2745 :pr:3364

• Auto-detect type=UNPROCESSED for flag_value of non-basic types (not str, int, float, or bool), so programmer-provided Python objects like classes and enum members are passed through unchanged instead of being stringified. Previously type=click.UNPROCESSED had to be set explicitly. :issue:2012 :pr:3363

• The error hint now uses :meth:Command.get_help_option_names to pick non-shadowed help option names, so Try '... -h' no longer points to a subcommand option that shadows -h. All surviving names are shown (-h/--help). :issue:2790 :pr:3208

• Fix readline functionality on non-Windows platforms. Prompt text is now passed directly to readline instead of being printed separately, allowing proper backspace, line editing, and line wrapping behavior. :issue:2968 :pr:2969

• Use :func:os.startfile on Windows to open URLs in :func:open_url, replacing the start built-in which cannot be invoked without shell=True. :issue:3164 :pr:3186

• Fix Fish shell completion errors when option help text contains newlines. :issue:3043 :pr:3126

... (truncated)

Commits

• 41f410f Release 8.4.0
• e3e69e3 Add type annotations for instance attributes in utils (#3422)
• 3bb230d WIP: Fix HelpFormatter.write_usage producing spurious characters (#3434)
• 63274a7 click.get_pager_file: add tests (#1572 followup) (#3405)
• 0551bf5 Fix HelpFormatter.write_usage producing spurious characters
• fc41aa1 Apply class-body annotations to KeepOpenFile for consistency
• b761eda Skip some tests on Windows
• 98302ac Check PAGER usage, color preservation and edge-cases
• dbdae17 Fix documentation
• 1aa2d53 Redesigned tests and get_pager_file branching to be more clear and not set color
• Additional commits viewable in compare view

Updates zipp from 3.23.0 to 4.1.0

Changelog

Sourced from zipp's changelog.

v4.1.0

Features

• Path.iterdir now raises NotADirectoryError (formerly ValueError) when call on something that's not a directory. (#154)

v4.0.0

Deprecations and Removals

• Drop workaround for stacklevel bug on older PyPy releases. (#149)

v3.23.1

Bugfixes

• str(Path(...)) now renders ":zipfile" for the filename when a zipfile has no filename instead of failing with a TypeError. (#134)

Commits

• 29a7a55 Finalize
• bf9bf8c Merge pull request #154 from ShipItAndPray/fix-129-iterdir-notadirectory
• a43226a Add news fragment.
• 5b41b49 Merge branch 'main' into fix-129-iterdir-notadirectory
• f2f3e79 👹 Feed the hobgoblins (delint).
• d14b720 Merge https://github.com/jaraco/skeleton
• b8f1030 More aggressively direct Agents not to add generated artifacts.
• fb8483b Use Python 3.14 as the latest stable.
• 91aed9ajaraco/skeleton#198
• 225b2af Add agent guidance pointing to skeleton documentation.
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[coveralls]

Coverage Report for CI Build 26120066272

Coverage remained the same at 86.632%

Details

• Coverage remained the same as the base build.
• Patch coverage: No coverable lines changed in this PR.
• No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.

---

Coverage Stats

Relevant Lines:	3643
Covered Lines:	3156
Line Coverage:	86.63%
Coverage Strength:	0.87 hits per line

---

💛 - Coveralls