fix(deps): Bump fonttools to address cve (#4125)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> Constrain fonttools to >=4.60.2 (CVE-2025-66034), bump extras to
4.61.0, switch setup_ingest to ubuntu-latest-m, and release 0.18.22.
>
> - **Dependencies**:
> - Constrain `fonttools>=4.60.2` in `requirements/deps/constraints.txt`
to address CVE-2025-66034.
> - Bump `fonttools` to `4.61.0` in `requirements/extra-*.txt`; refresh
files via uv and align constraint references.
> - **CI**:
> - Update `setup_ingest` job in `.github/workflows/ci.yml` to run on
`ubuntu-latest-m`.
> - **Release**:
> - Bump version to `0.18.22` and update `CHANGELOG.md`.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
6ec072e0f48249f0b07d7ca12e35a09dcc78c04f. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
