Bump the python-requirements group across 1 directory with 5 updates

[dependabot]

Updates the requirements on fonttools, coverage, mypy, pre-commit and tox to permit the latest version.
Updates fonttools from 4.62.1 to 4.63.0

Release notes

Sourced from fonttools's releases.

4.63.0

• [ttLib] Add support for Apple Color Emoji bgcl table (#4065).
• [ttLib] Add support for IFT and IFTX tables (Incremental Font Transfer, PatchMapFormat2) (#4070, #4072).
• [otData] Introduce FieldSpec dataclass for OpenType table schema definitions, replacing raw tuples in otData.py (#4076).
• [Feat] Show name table strings as comments next to label IDs in TTX output, matching the convention used by fvar, STAT, trak (#4089).
• [cu2qu] Fix Cython complex-division rounding difference in split_cubic_into_three that could cause ±1 off-curve coordinate shifts (#3928, #4083).
• [designspaceLib] Fix map_backwardgooglefonts/ufo2ft#978#4085).
• [OS/2] Fix setUnicodeRanges to accept reserved bits 123-127, restoring round-trip with getUnicodeRanges and fixing recalcUnicodeRanges crash in the subsetter (#4087, #4088).
• [cython] Declare Cython extensions as free-threading compatible on Python 3.13+, so that importing them on free-threaded Python no longer re-enables the GIL (#4073, #4090).

Changelog

Sourced from fonttools's changelog.

4.63.0 (released 2026-05-14)

• [ttLib] Add support for Apple Color Emoji bgcl table (#4065).
• [ttLib] Add support for IFT and IFTX tables (Incremental Font Transfer, PatchMapFormat2) (#4070, #4072).
• [otData] Introduce FieldSpec dataclass for OpenType table schema definitions, replacing raw tuples in otData.py (#4076).
• [Feat] Show name table strings as comments next to label IDs in TTX output, matching the convention used by fvar, STAT, trak (#4089).
• [cu2qu] Fix Cython complex-division rounding difference in split_cubic_into_three that could cause ±1 off-curve coordinate shifts (#3928, #4083).
• [designspaceLib] Fix map_backward for many-to-one (flat-segment) axis maps that silently dropped entries via dict comprehension googlefonts/ufo2ft#978#4085).
• [OS/2] Fix setUnicodeRanges to accept reserved bits 123-127, restoring round-trip with getUnicodeRanges and fixing recalcUnicodeRanges crash in the subsetter (#4087, #4088).
• [cython] Declare Cython extensions as free-threading compatible on Python 3.13+, so that importing them on free-threaded Python no longer re-enables the GIL (#4073, #4090).

Commits

• 978d9ed Release 4.63.0
• 6b40ecb Add changelog entries for 4.63.0
• 382a35f Merge pull request #4090 from fonttools/fix-freethreading-compat
• 0e999b5 Declare Cython extensions as free-threading compatible
• 9e55ea5 Merge pull request #4089 from fonttools/graphite-feat-labels
• e84db3a Merge pull request #4088 from fonttools/fix-setUnicodeRanges-bits-123-127
• d6eabd1 Feat: show name table strings as comments next to label IDs in ttx
• 7d0902b OS/2: fix setUnicodeRanges round-trip for reserved bits 123-127
• 06e266c Merge pull request #4085 from fonttools/fix-map-backward-non-injective
• 6d64598 Add more tests for map_backward with many-to-one axis maps
• Additional commits viewable in compare view

Updates coverage to 7.14.1

Changelog

Sourced from coverage's changelog.

Version 7.14.1 — 2026-05-26

• Fix: the HTML report used typographic niceties to make file paths more readable by adding a small amount of space around slashes. Those spaces interfered with searching the page for file paths of interest. Now the report uses CSS to accomplish the same visual tweak so that searches with slashes work correctly. Closes issue 2170_.

• Add a 3.16 PyPI classifier <hugo-316_>_ since we test on the 3.16 main branch.

.. _issue 2170: coveragepy/coveragepy#2170 .. _hugo-316: https://mastodon.social/@​hugovk/116588523571204490

.. _changes_7-14-0:

Version 7.14.0 — 2026-05-10

• Feature: now when running one of the reporting commands, if there are parallel data files that need combining, they will be implicitly combined before creating the report. There is no option to avoid the combination; let us know if you have a use case that requires it. Thanks, Tim Hatch <pull 2162_>. Closes issue 1781.

• Fix: the output from combine was too verbose, listing each file considered. Now it shows a single line with the counts of files combined, files skipped, and files with errors. The -q flag suppresses this line. The old detailed lines are available with the new --debug=combine option.

• Fix: running a Python file through a symlink now sets the sys.path correctly, matching regular Python behavior. Fixes issue 2157_.

• Fix: Collector.flush_data could fail with "RuntimeError: Set changed size during iteration" when a tracer in another thread added a line to the per-file set that add_lines (or add_arcs) was iterating. The values passed to CoverageData are now snapshotted via dict.copy() and set.copy(), which are atomic under the GIL. Thanks, Alex Vandiver <pull 2165_>_.

• Fix: the soft keyword lazy is now bolded in HTML reports.

• We are no longer testing eventlet support. Eventlet started issuing stern deprecation warnings that break our tests. Our support code is still there.

.. _issue 1781: coveragepy/coveragepy#1781 .. _issue 2157: coveragepy/coveragepy#2157 .. _pull 2162: coveragepy/coveragepy#2162

... (truncated)

Commits

• 64d9b66 docs: correct the date for 7.14.1
• 6fa7dd4 chore: bump actions/dependency-review-action (#2181)
• 078afae docs: sample HTML for 7.14.1
• cb4f028 docs: prep for 7.14.1
• ae2d09f Merge branch 'nedbat/classifire-316-kits'
• 2c3568b build: declare 3.16 compatibility
• faa68f8 chore: bump github/codeql-action in the action-dependencies group (#2173)
• eb55fee test: we don't need PyPy < 7.3.22 anymore
• ac168fe test: the text summary should show missing
• fed4bd2 chore: upgrade virtualenv
• Additional commits viewable in compare view

Updates mypy to 2.1.0

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next Release

Mypy 2.1

We’ve just uploaded mypy 2.1.0 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance improvements and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

librt.vecs: Fast Growable Array Type for Mypyc

The new librt.vecs module provides an efficient growable array type vec that is optimized for mypyc use. It provides fast, packed arrays with integer and floating point value types, which can be several times faster than list, and tens of times faster than array.array in code compiled using mypyc. It also supports nested vec objects and non-value-type items, such as vec[vec[str]].

Refer to the documentation for the details.

Contributed by Jukka Lehtosalo.

librt.random: Fast Pseudo-Random Number Generation

The new librt.random module provides fast pseudo-random number generation that is optimized for code compiled using mypyc. It can be 3x to 10x faster than the stdlib random module in compiled code.

Refer to the documentation for the details.

Contributed by Jukka Lehtosalo (PR 21433).

Mypyc Improvements

• Enable incremental self-compilation (Vaggelis Danias, PR 21369)
• Make compilation order with multiple files consistent (Piotr Sawicki, PR 21419)
• Fix crash on accessing StopAsyncIteration (Piotr Sawicki, PR 21406)
• Fix incremental compilation with separate flag (Vaggelis Danias, PR 21299)

Fixes to Crashes

• Fix crash on partial type with --allow-redefinition and global declaration (Jukka Lehtosalo, PR 21428)
• Fix broken awaitable generator patching (Ivan Levkivskyi, PR 21435)

... (truncated)

Commits

• c1c336d Remove +dev from version
• 74df14b Add changelog for mypy 2.1 (#21464)
• 022d9bc Revert "TypeForm: Enable by default (#21262)"
• 8826288 [mypyc] Document librt.random (#21463)
• 3f4067b Bump librt version to 0.11.0 (#21458)
• 2b1eb58 [mypyc] Enable incremental self-compilation (#21369)
• 8152f4a Respect file config comments for stale modules (#21444)
• 116d60b Fix nondeterminism from nonassociativity of overload joins (#21455)
• 6c4af8e Fix function call message change for small number of args (#21432)
• 4b8fdca [mypyc] Add librt.random module (#21433)
• Additional commits viewable in compare view

Updates pre-commit to 4.6.0

Release notes

Sourced from pre-commit's releases.

pre-commit v4.6.0

Features

• pre-commit hook-impl: allow --hook-dir to be missing to enable easier usage with git 2.54+ git hooks.
  • #3662 PR by @​asottile.

Fixes

• pre-commit hook-impl: --hook-type is required.
  • #3661 PR by @​asottile.

Changelog

Sourced from pre-commit's changelog.

4.6.0 - 2026-04-21

Features

• pre-commit hook-impl: allow --hook-dir to be missing to enable easier usage with git 2.54+ git hooks.
  • #3662 PR by @​asottile.

Fixes

• pre-commit hook-impl: --hook-type is required.
  • #3661 PR by @​asottile.

4.5.1 - 2025-12-16

Fixes

• Fix language: python with repo: local without additional_dependencies.
  • #3597 PR by @​asottile.

4.5.0 - 2025-11-22

Features

• Add pre-commit hazmat.
  • #3585 PR by @​asottile.

4.4.0 - 2025-11-08

Features

• Add --fail-fast option to pre-commit run.
  • #3528 PR by @​JulianMaurin.
• Upgrade ruby-build / rbenv.
  • #3566 PR by @​asottile.
  • #3565 issue by @​MRigal.
• Add language: unsupported / language: unsupported_script as aliases for language: system / language: script (which will eventually be deprecated).
  • #3577 PR by @​asottile.
• Add support docker-in-docker detection for cgroups v2.
  • #3535 PR by @​br-rhrbacek.
  • #3360 issue by @​JasonAlt.

Fixes

• Handle when docker gives SecurityOptions: null.
  • #3537 PR by @​asottile.
  • #3514 issue by @​jenstroeger.
• Fix error context for invalid stages in .pre-commit-config.yaml.
  • #3576 PR by @​asottile.

... (truncated)

Commits

• f35134b v4.6.0
• 2a51ffc Merge pull request #3662 from pre-commit/hook-impl-optional-hook-dir
• d7dee32 make --hook-dir optional for hook-impl
• 965aeb1 Merge pull request #3661 from pre-commit/hook-impl-required
• 2eacc06 --hook-type is required for hook-impl
• f5678bf Merge pull request #3657 from pre-commit/pre-commit-ci-update-config
• 054cc5b [pre-commit.ci] pre-commit autoupdate
• 5c0f302 Merge pull request #3652 from pre-commit/pre-commit-ci-update-config
• a5d9114 [pre-commit.ci] pre-commit autoupdate
• 129a1f5 Merge pull request #3641 from pre-commit/mxr-patch-1
• Additional commits viewable in compare view

Updates tox to 4.55.0

Release notes

Sourced from tox's releases.

v4.55.0

What's Changed

• 👷 ci(schemastore): sync fork before pushing branch by @​gaborbernat in tox-dev/tox#3942
• feat: Also pass TERMINFO when in an interactive shell by @​edgarrmondragon in tox-dev/tox#3946
• 🐛 fix(pip): skip constrain_package_deps when constraints is set by @​gaborbernat in tox-dev/tox#3948

Full Changelog: tox-dev/tox@4.54.0...4.55.0

Changelog

Sourced from tox's changelog.

Features - 4.55.0

• Automatically pass the TERMINFO environment variable to tox subprocesses if the output is a TTY. This variable is used by Ghostty to communicate terminal capabilities to programs. (:issue:3946)

Bug fixes - 4.55.0

• When the constraints configuration option is set, constrain_package_deps and use_frozen_constraints are now ignored. Previously, both the user-provided constraints file and the auto-generated constraints file were passed to pip during install_package_deps, which could cause resolver conflicts when the same package appeared in both files - by :user:gaborbernat. (:issue:3945) (:issue:3945)

---

v4.54.0 (2026-05-12)

---

Features - 4.54.0

• Declare the runtime dependencies of the tox.pytest plugin (pytest, devpi-process and pytest-mock) under a new testing extra, so plugin authors can pull them in via tox[testing] - by :user:gaborbernat. (:issue:3938, :issue:3940)

Bug fixes - 4.54.0

• Extend the generated TOML schema to cover every replace table form (env, ref, posargs, glob, if), including conditional replacements used inside commands. A guard test asserts the schema stays in sync with the loader implementation so future replace types cannot be added without a corresponding schema entry. (:issue:3939)

---

v4.53.1 (2026-05-02)

---

Bug fixes - 4.53.1

• Hardening pass on user-facing logging and config parsing:

  • Mask secret-looking --key=value flag values in command logs (terminal warnings, .tox/<env>/log/*.log, and Outcome __repr__) using the same keyword regex previously applied to environment variable values.
  • Resolve PEP 723 script paths and reject any that escape tox_root; cap the script read at 5 MiB so a symlink to /dev/zero cannot exhaust memory.
  • Replace eval() of a constructed Literal[...] string in the CLI parser with a direct Literal[tuple(action.choices)] subscript.
  • Pass timeout=30 to urlopen when fetching a remote requirements file so a slow or unresponsive mirror cannot hang tox indefinitely. (:issue:3924)

... (truncated)

Commits

• 928b7f0 release 4.55.0
• a43427f 🐛 fix(pip): skip constrain_package_deps when constraints is set (#3948)
• 27b68b3 [pre-commit.ci] pre-commit autoupdate (#3947)
• 4e6627c feat: Also pass TERMINFO when in an interactive shell (#3946)
• 10c431c [pre-commit.ci] pre-commit autoupdate (#3943)
• c86e876 👷 ci(schemastore): sync fork before pushing branch (#3942)
• 1f1fcc7 release 4.54.0
• b35c8ee 🐛 fix(schema): cover every replace form in the TOML schema (#3941)
• 6eb5c4f ✨ feat(packaging): declare tox.pytest deps via a testing extra (#3940)
• 1ad47dd 🧪 test(conftest): strip broken nspkg.pth files under py3.15 (#3937)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions