chore(deps): bump svglib from 1.5.1 to 2.0.2#15256

Merged
skjnldsv merged 1 commit into
masterfrom
dependabot/pip/master/svglib-2.0.2
Jul 2, 2026

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Jul 1, 2026

Bumps svglib from 1.5.1 to 2.0.2.

Release notes

Sourced from svglib's releases.

svglib 2.0.2

Supply-chain hygiene release — no code changes.

The 2.0.1 PyPI attestation was generated by a manual workflow_dispatch run from refs/heads/main that raced ahead of the release event. As a result the Sigstore certificate embedded in the PEP 740 attestation identified refs/heads/main as the source rather than refs/tags/v2.0.1, making it impossible to verify the package against the tagged commit. This release is published exclusively via the release: [published] trigger so the attestation identity is refs/tags/v2.0.2.

svglib 2.0.1

Supply-chain hygiene release — no code changes.

This release replaces 2.0.0, which was published directly with uv publish and therefore lacked the PEP 740 provenance attestation that was present in 1.6.0. Releases must be triggered via the GitHub Actions release workflow (publish-to-pypi.yml), which uses PyPI Trusted Publishing (OIDC) to produce a SLSA Level 3 attestation. Publishing locally — even with uv publish --trusted-publishing — relies on a local OAuth identity and does not meet that bar.

  • Declare pillow>=9.0.0 as a direct dependency; it was previously an undeclared transitive dependency pulled in by reportlab (#463).

Fixes #463, #464.

svglib 2.0.0

2.0.0 (2026-06-16)

Identical to 2.0b1 in terms of code; this release promotes the beta to a stable release and converts the project documentation files from RST to Markdown format.

2.0b1 (2026-05-26)

Breaking change — output sizes will differ from 1.x.

svglib now correctly maps SVG user units to ReportLab points using the standard SVG/CSS conversion factor: 1 px = 0.75 pt (96 dpi). Previous releases treated 1 user unit as 1 pt, which is 33 % too large. Any SVG whose width/height or viewBox uses user units or px will produce a PDF that is 75 % of its previous linear dimensions (same proportions, correct physical size).

Migration — if you need to preserve the old apparent size, scale the returned Drawing object before use:

```python
from svglib.svglib import svg2rlg

drawing = svg2rlg("file.svg")

# Restore 1.x dimensions (1 user unit → 1 pt, non-spec):
factor = 4 / 3  # 1 / 0.75
drawing.width *= factor
drawing.height *= factor
drawing.scale(factor, factor)
```

  • Add support for SVG 2 length units: rem, vw, vh, vmin, vmax, and q (quarter-millimetre) in convertLength (#449).
  • rem now resolves against the root <svg> element's font-size (falling back to the CSS default of 16 px when not set).

... (truncated)

Changelog

Sourced from svglib's changelog. The entries 2.0.2 (2026-06-18), 2.0.1 (2026-06-17), 2.0.0 (2026-06-16) and 2.0b1 (2026-05-26) carry the same text as the release notes quoted above.

... (truncated)

Commits
  • 48ffb6a Bump to 2.0.2: fix attestation identity (refs/tags vs refs/heads)
  • 3afc7c9 Merge pull request #465 from deeplook/supply-chain-hygiene
  • bfc64db Bump to 2.0.1: restore provenance attestation, document release process (fixe...
  • 3f08e66 Declare pillow as a direct dependency (fixes #463)
  • c300829 Release 2.0.0: convert docs to Markdown, bump version
  • 0355e4e Merge pull request #462 from deeplook/pre-commit-ci-update-config
  • 37e0747 [pre-commit.ci] pre-commit autoupdate
  • 4eb1c18 Merge pull request #461 from deeplook/pre-commit-ci-update-config
  • a3fcc17 [pre-commit.ci] pre-commit autoupdate
  • 0d3db93 Merge pull request #460 from deeplook/pre-commit-ci-update-config
  • Additional commits viewable in compare view


Bumps [svglib](https://github.com/deeplook/svglib) from 1.5.1 to 2.0.2.
- [Release notes](https://github.com/deeplook/svglib/releases)
- [Changelog](https://github.com/deeplook/svglib/blob/main/CHANGELOG.md)
- [Commits](deeplook/svglib@v1.5.1...v2.0.2)

---
updated-dependencies:
- dependency-name: svglib
  dependency-version: 2.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
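The attestation identity problem described in the svglib 2.0.1 and 2.0.2 release notes above, as an added example that is not svglib's or Dependabot's code: a Python check that a PEP 740 attestation's Sigstore signing identity names the release tag and the release trigger rather than a branch and a manual run. It assumes the Fulcio certificate's GitHub extensions (Sigstore's OIDs under 1.3.6.1.4.1.57264.1) have already been pulled out of the X.509 certificate as raw DER values; the inputs below are constructed to mirror the bad 2.0.1 and good 2.0.2 cases.

```python
# Added example, not svglib's code: check that a PEP 740 attestation's Sigstore
# signing identity names the release tag, not a branch. It assumes the Fulcio
# certificate's GitHub extensions were already extracted from the X.509
# certificate as a dict of OID -> raw DER extension value (constructed below).
OID_SOURCE_REPO_URI = "1.3.6.1.4.1.57264.1.12"  # Source Repository URI
OID_SOURCE_REPO_REF = "1.3.6.1.4.1.57264.1.14"  # Source Repository Ref
OID_BUILD_TRIGGER = "1.3.6.1.4.1.57264.1.20"    # Build Trigger (event name)

def der_utf8string(raw: bytes) -> str:
    """Decode the DER UTF8String (tag 0x0C) used by Fulcio extensions .1.8+."""
    if len(raw) < 2 or raw[0] != 0x0C:
        raise ValueError("not a DER UTF8String")
    if raw[1] < 0x80:                       # short-form length
        start, length = 2, raw[1]
    else:                                   # long-form length
        n = raw[1] & 0x7F
        start, length = 2 + n, int.from_bytes(raw[2:2 + n], "big")
    if start + length != len(raw):
        raise ValueError("DER length does not match value size")
    return raw[start:start + length].decode("utf-8")

def der_utf8string_encode(text: str) -> bytes:
    """Inverse of der_utf8string (values < 128 bytes); builds the samples."""
    body = text.encode("utf-8")
    assert len(body) < 0x80
    return bytes([0x0C, len(body)]) + body

def check_release_identity(exts: dict, repo: str, version: str) -> list:
    """Return policy violations for a release attestation (empty list = OK)."""
    want = {
        OID_SOURCE_REPO_URI: f"https://github.com/{repo}",
        OID_SOURCE_REPO_REF: f"refs/tags/v{version}",  # the tagged commit
        OID_BUILD_TRIGGER: "release",                   # not workflow_dispatch
    }
    problems = []
    for oid, expected in want.items():
        if oid not in exts:
            problems.append(f"missing extension {oid}")
            continue
        got = der_utf8string(exts[oid])
        if got != expected:
            problems.append(f"{oid}: got {got!r}, expected {expected!r}")
    return problems

def constructed_identity(ref: str, trigger: str) -> dict:
    """Constructed sample extensions mirroring the 2.0.1 and 2.0.2 cases."""
    return {
        OID_SOURCE_REPO_URI: der_utf8string_encode("https://github.com/deeplook/svglib"),
        OID_SOURCE_REPO_REF: der_utf8string_encode(ref),
        OID_BUILD_TRIGGER: der_utf8string_encode(trigger),
    }
```

For 2.0.1-style input (refs/heads/main, workflow_dispatch) the check reports two violations; for 2.0.2-style input (refs/tags/v2.0.2, release) it reports none.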
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and python (Pull requests that update Python code), Jul 1, 2026
github-actions[bot] (Contributor) commented Jul 1, 2026

📖 Documentation Preview

⚠️ Preview deployment failed or was skipped.

No RST documentation pages changed in this PR.

Last updated: Wed, 01 Jul 2026 06:14:42 GMT

@skjnldsv skjnldsv merged commit 402b607 into master Jul 2, 2026
25 of 26 checks passed
@skjnldsv skjnldsv deleted the dependabot/pip/master/svglib-2.0.2 branch July 2, 2026 09:17