[Snyk] Security upgrade fonttools from 4.38.0 to 4.61.0

[glenn-jocher]

Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this project.

Snyk changed the following file(s):

• requirements.txt

⚠️ Warning

matplotlib 3.5.3 requires fonttools, which is not installed.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.
• Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 XML Injection

🛠️ PR Summary

_{Made with ❤️ by Ultralytics Actions}

🌟 Summary

Adds a security-focused dependency pin for fonttools to avoid a known vulnerability 🔒

📊 Key Changes

• ✅ Updated requirements.txt to include fonttools>=4.61.0
• 🛡️ Noted it’s not directly required by the project, but pinned per Snyk guidance to mitigate a vulnerability

🎯 Purpose & Impact

• 🔐 Improves supply-chain security by ensuring vulnerable fonttools versions aren’t installed via transitive dependencies
• 📦 Helps keep environments compliant with security scanners (e.g., Snyk), reducing CI/security audit noise
• ⚠️ Potential minor impact: may slightly constrain dependency resolution in some setups, but generally low risk for users

[UltralyticsAssistant]

👋 Hello @glenn-jocher, thank you for submitting a ultralytics/yolov3 🚀 PR! This is an automated message—an Ultralytics engineer will jump in soon. In the meantime, please review this quick checklist 🧩:

-✅ Define a Purpose: Clearly explain the purpose of your fix or feature in your PR description, and link to any relevant issues. Ensure your commit messages are clear, concise, and adhere to the project's conventions.
-✅ Synchronize with Source: Confirm your PR is synchronized with the ultralytics/yolov3 main branch. If it's behind, update it by clicking the 'Update branch' button or by running git pull and git merge main locally.
-✅ Ensure CI Checks Pass: Verify all Ultralytics Continuous Integration (CI) checks are passing. If any checks fail, please address the issues.
-✅ Update Documentation: Update the relevant documentation for any new or modified features.
-✅ Add Tests: If applicable, include or update tests to cover your changes, and confirm that all tests are passing.
-✅ Sign the CLA: Please ensure you have signed our Contributor License Agreement if this is your first Ultralytics PR by writing "I have read the CLA Document and I sign the CLA" in a new message.
-✅ Minimize Changes: Limit your changes to the minimum necessary for your bug fix or feature addition. "It is not daily increase but daily decrease, hack away the unessential. The closer to the source, the less wastage there is." — Bruce Lee

For more guidance, please refer to our Contributing Guide. Don't hesitate to leave a comment if you have any questions. Thank you for contributing to Ultralytics! 🚀

[UltralyticsAssistant]

🔍 PR Review

_{Made with ❤️ by Ultralytics Actions}

PR is functionally safe: it only adds a minimum version constraint for fonttools in requirements.txt, which is a low-risk security hardening change. No logic/runtime issues detected. Only minor maintainability note: keep dependency line formatting consistent with the rest of the file to reduce future diff noise.

💬 Posted 1 inline comment

[UltralyticsAssistant]

📝 LOW: This line doesn’t align with the surrounding formatting in requirements.txt (most entries use aligned inline comments with multiple spaces before #, and the rationale comment is typically capitalized/standardized). While not a functional issue, inconsistent formatting can create noisy diffs over time.

Suggested change:

Suggested change

	fonttools>=4.61.0 # not directly required, pinned by Snyk to avoid a vulnerability
	fonttools>=4.61.0 # Not directly required, pinned by Snyk to avoid a vulnerability