Pleasing bandit

.banditrc.yml

@@ -2,3 +2,7 @@ skips:
   # Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   # => OK, we don't care though
   - B101
+  # Use of insecure MD5 hash function
+  # => OK, we always use md5 with usedforsecurity=False
+  # => cf. https://github.com/PyCQA/bandit/issues/994
+  - B324

CHANGELOG.md

@@ -28,6 +28,7 @@ This can also be enabled programmatically with `warnings.simplefilter('default',
 - hyperlinks were not working on encrypted files - thanks to @andersonhc
 - unicode (non limited to ASCII) text can now be provided as metadata [#685](https://github.com/PyFPDF/fpdf2/issues/685)
 - all `TitleStyle` constructor parameters are now effectively optional
+- memory usage was reduced by 10 MiB in some cases, thanks to a small optimization in using `fonttools`
 ### Changed
 - vector images parsing is now more robust: `fpdf2` can now embed SVG files without `viewPort` or no `height` / `width`
 - bitonal images are now encoded using `CCITTFaxDecode`, reducing their size in the PDF document - thanks to @eroux

fpdf/svg.py

@@ -635,7 +635,8 @@ def from_file(cls, filename, *args, encoding="utf-8", **kwargs):
     def __init__(self, svg_text):
         self.cross_references = {}
 
-        svg_tree = parse_xml_str(svg_text)
+        # disabling bandit rule as we use defusedxml:
+        svg_tree = parse_xml_str(svg_text)  # nosec B314
 
         if svg_tree.tag not in xmlns_lookup("svg", "svg"):
             raise ValueError(f"root tag must be svg, not {svg_tree.tag}")