fix(deps): Bump fonttools to address cve (#4125)

CyMule · web-flow · commit afd911891bd7 · 2025-12-10T17:11:53.000Z
> [!NOTE] > Constrain fonttools to >=4.60.2 (CVE-2025-66034), bump extras to 4.61.0, switch setup_ingest to ubuntu-latest-m, and release 0.18.22. > > - **Dependencies**: > - Constrain `fonttools>=4.60.2` in `requirements/deps/constraints.txt` to address CVE-2025-66034. > - Bump `fonttools` to `4.61.0` in `requirements/extra-*.txt`; refresh files via uv and align constraint references. > - **CI**: > - Update `setup_ingest` job in `.github/workflows/ci.yml` to run on `ubuntu-latest-m`. > - **Release**: > - Bump version to `0.18.22` and update `CHANGELOG.md`. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 6ec072e. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -225,7 +225,7 @@ jobs:
     strategy:
       matrix:
         python-version: ["3.10"]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-m
     needs: [setup]
     steps:
       - uses: actions/checkout@v4
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,8 @@
+## 0.18.22
+
+### Fixes
+- Constrain fonttools to >=4.60.2 to address CVE-2025-66034
+
 ## 0.18.21
 
 ### Enhancement
diff --git a/requirements/deps/constraints.txt b/requirements/deps/constraints.txt
@@ -15,3 +15,5 @@ unstructured-client>=0.23.0,<0.26.0
 protobuf>=6.30.0
 # (yao) issues with pdfminer-six above 20250416
 pdfminer.six<20250416
+# nickf: CVE-2025-66034 fix for fonttools
+fonttools>=4.60.2
diff --git a/requirements/extra-paddleocr.txt b/requirements/extra-paddleocr.txt
@@ -1,9 +1,5 @@
-#
-# This file is autogenerated by pip-compile with Python 3.10
-# by the following command:
-#
-#    pip-compile --no-strip-extras ./extra-paddleocr.in
-#
+# This file was autogenerated by uv via the following command:
+#    uv pip compile ./extra-paddleocr.in -o ./extra-paddleocr.txt
 albucore==0.0.24
     # via
     #   albumentations
@@ -14,47 +10,45 @@ annotated-types==0.7.0
     # via pydantic
 anyio==4.11.0
     # via
-    #   -c base.txt
+    #   -c ./base.txt
     #   httpx
 beautifulsoup4==4.14.2
     # via
-    #   -c base.txt
+    #   -c ./base.txt
     #   unstructured-paddleocr
 certifi==2025.11.12
     # via
-    #   -c base.txt
+    #   -c ./base.txt
     #   httpcore
     #   httpx
     #   requests
 charset-normalizer==3.4.4
     # via
-    #   -c base.txt
+    #   -c ./base.txt
     #   requests
 cython==3.2.1
     # via unstructured-paddleocr
-exceptiongroup==1.3.0
-    # via
-    #   -c base.txt
-    #   anyio
 fire==0.7.1
     # via unstructured-paddleocr
-fonttools==4.60.1
-    # via unstructured-paddleocr
+fonttools==4.61.0
+    # via
+    #   -c ././deps/constraints.txt
+    #   unstructured-paddleocr
 h11==0.16.0
     # via
-    #   -c base.txt
+    #   -c ./base.txt
     #   httpcore
 httpcore==1.0.9
     # via
-    #   -c base.txt
+    #   -c ./base.txt
     #   httpx
 httpx==0.28.1
     # via
-    #   -c base.txt
+    #   -c ./base.txt
     #   paddlepaddle
 idna==3.11
     # via
-    #   -c base.txt
+    #   -c ./base.txt
     #   anyio
     #   httpx
     #   requests
@@ -64,15 +58,15 @@ lazy-loader==0.4
     # via scikit-image
 lxml==6.0.2
     # via
-    #   -c base.txt
+    #   -c ./base.txt
     #   python-docx
 networkx==3.4.2
     # via
     #   paddlepaddle
     #   scikit-image
 numpy==2.2.6
     # via
-    #   -c base.txt
+    #   -c ./base.txt
     #   albucore
     #   albumentations
     #   imageio
@@ -98,11 +92,11 @@ opt-einsum==3.3.0
     # via paddlepaddle
 packaging==25.0
     # via
-    #   -c base.txt
+    #   -c ./base.txt
     #   lazy-loader
     #   scikit-image
 paddlepaddle==3.2.2
-    # via -r extra-paddleocr.in
+    # via -r ./extra-paddleocr.in
 pillow==12.0.0
     # via
     #   imageio
@@ -111,7 +105,7 @@ pillow==12.0.0
     #   unstructured-paddleocr
 protobuf==6.33.1
     # via
-    #   -c deps/constraints.txt
+    #   -c ././deps/constraints.txt
     #   paddlepaddle
 pyclipper==1.3.0.post6
     # via unstructured-paddleocr
@@ -127,11 +121,11 @@ pyyaml==6.0.3
     #   unstructured-paddleocr
 rapidfuzz==3.14.3
     # via
-    #   -c base.txt
+    #   -c ./base.txt
     #   unstructured-paddleocr
 requests==2.32.5
     # via
-    #   -c base.txt
+    #   -c ./base.txt
     #   unstructured-paddleocr
 safetensors==0.7.0
     # via paddlepaddle
@@ -147,11 +141,11 @@ simsimd==6.5.3
     # via albucore
 sniffio==1.3.1
     # via
-    #   -c base.txt
+    #   -c ./base.txt
     #   anyio
 soupsieve==2.8
     # via
-    #   -c base.txt
+    #   -c ./base.txt
     #   beautifulsoup4
 stringzilla==4.2.3
     # via albucore
@@ -161,14 +155,13 @@ tifffile==2025.5.10
     # via scikit-image
 tqdm==4.67.1
     # via
-    #   -c base.txt
+    #   -c ./base.txt
     #   unstructured-paddleocr
 typing-extensions==4.15.0
     # via
-    #   -c base.txt
+    #   -c ./base.txt
     #   anyio
     #   beautifulsoup4
-    #   exceptiongroup
     #   paddlepaddle
     #   pydantic
     #   pydantic-core
@@ -177,9 +170,9 @@ typing-extensions==4.15.0
 typing-inspection==0.4.2
     # via pydantic
 unstructured-paddleocr==2.10.0
-    # via -r extra-paddleocr.in
+    # via -r ./extra-paddleocr.in
 urllib3==2.5.0
     # via
-    #   -c base.txt
-    #   -c deps/constraints.txt
+    #   -c ./base.txt
+    #   -c ././deps/constraints.txt
     #   requests
diff --git a/requirements/extra-pdf-image.txt b/requirements/extra-pdf-image.txt
diff --git a/unstructured/__version__.py b/unstructured/__version__.py
