Episodes
-
Topics covered in this episode:
- Vulnerability and malware checks in uv
- HTTP GET requests with the Python standard library
- Millions of AI agents imperiled by critical vulnerability in open source package
- alembic-git-revisions
- Extras
- Joke
Goodbye and Thanks Brian
Thanks Calvin for being part of this and future episodes! Also new time for the live show. Thanks Brian for all the hard work over the years.
Calvin #1: Vulnerability and malware checks in uv
Released just yesterday by Astral: https://astral.sh/blog/uv-audit
- uv audit scans dependencies for known vulnerabilities and abandoned packages via the OSV database; it runs 4-10x faster than pip-audit
- Malware check runs on every install/sync, catching actively malicious packages (credential stealers, etc.) before they execute, including ones PyPI quarantined but lockfiles can still reference
- Enable malware scanning with UV_MALWARE_CHECK=1; it's opt-in and in preview
- Future roadmap includes a resolver that steers toward vulnerability-free versions and install-time warnings scoped to newly added deps only
Michael #2: HTTP GET requests with the Python standard library
If you're doing HTTP in Python, you're probably using one of three popular libraries: requests, httpx, or urllib3.
- There have been issues with httpx lately.
- Niquests is another option: a drop-in replacement for Requests. Automatic HTTP/1.1, HTTP/2, and HTTP/3. WebSocket and SSE included.
- But maybe less is more, especially in the age of agentic AI.
- A good candidate needs two things to be true at once, not one: the used surface is small, and the behavior behind that surface is shallow.
Calvin #3: Millions of AI agents imperiled by critical vulnerability in open source package
- "BadHost" (CVE-2026-48710) is a critical vulnerability in Starlette, the ASGI framework underlying FastAPI, with 325 million weekly downloads; it also affects vLLM, LiteLLM, and most MCP server tooling
- The exploit is trivial: injecting a single character into an HTTP Host header bypasses path-based authentication, and can lead to credential theft, SSRF, and in some cases remote code execution
- MCP servers are a prime target since they store credentials for external services (email, databases, cloud accounts); exposed data in the wild includes biopharma clinical trial DBs, full mailboxes, HR/PII pipelines, and AWS topology
- Fix is available: patch to Starlette 1.0.1 immediately; use the free scanner at mcp-scan.nemesis.services to check if your servers are still running a vulnerable version
- Open source sustainability footnote: the maintainer triages near-daily security reports solo, in his free time; most are AI-generated noise, and real ones like this still compete for the same evenings and weekends
Michael #4: alembic-git-revisions
By Julien Danjou from Mergify
- Automatic Alembic migration chaining based on git commit history. No more "Multiple head revisions are present for given argument 'head'".
- See the introductory article
- Caused by two migrations landing with the same down_revision, so Alembic doesn't know which one comes first. The fix is always the same: someone manually edits the migration file to re-chain the revisions.
- The insight: git already knows the order
Extras
Calvin:
GNU make can do pattern matching in the target. Not new at all, mentioned in the 1994-era docs. just and task don't have this super power on the target name yet.

```make
# Pattern rule: `make train-foo` runs train.py with "foo" substituted for $*
train-%:
	uv run ./train.py $* --save-hyper-params --overwrite $(TRAIN_ARGS)
```

Michael:
Updated my HTTP client using packages from httpx to httpx2: listmonk, umami, and memberful. For motivation, see this reddit thread.
Joke: Accurate
-
Topics covered in this episode:
- CVE-2026-48710: A Maintainer's Perspective
- daily-stars-explorer
- Markdown to pdf with pandoc and typst
- postman2pytest
- Extras
- Joke
Brian #1: CVE-2026-48710: A Maintainer's Perspective
Marcelo Trylesinski
Suggested by Lee Luocks
Short version:
- users of Starlette: upgrade to Starlette 1.0.1
- security professionals: we can't treat open source projects like corporations
This top link is a Starlette security advisory with the title "Missing Host header validation poisons request.url.path, bypassing path-based security checks"
The CVE apparently caused some negative press targeting Starlette.
However, "the vulnerability came from the application pattern and the deployment, never from something Starlette intended."
A quote from an OSTIF article: "This bug is a classic 'responsibility gap' where if this maintainer didn't patch, thousands of exposed projects would have to individually secure their projects. In doing this work, they've voluntarily taken on the responsibility to protect the ecosystem from long-term systemic harm. As with all open source projects, they owed us nothing and could have left this to be everyone else's problem and took the extraordinary steps of helping the ecosystem."
Both X40 D-Sec and Ars Technica expected immediate fixes and responses from Starlette.
That's not good. We can do better.
Michael #2: daily-stars-explorer
Explore the full history of any GitHub repository.
- Full Star History - Complete daily star counts for any repo
- Hourly Stars - Hour-by-hour activity with timezone support
- Compare Repos - Side-by-side comparison of any two repositories
- Activity Timelines - Commits, PRs, Issues, Forks, Contributors over time
- Pin Favorites - Bookmark repos for quick access without retyping
- Feed Mentions - See when repos were mentioned on HN, Reddit, YouTube, GitHub
- Export Data - Download as CSV or JSON
- Dark Mode - Easy on the eyes
Try/use it online at emanuelef.github.io/daily-stars-explorer or install it for yourself.
Brian #3: Markdown to pdf with pandoc and typst
typst suggestion from Matt Harrison
- Markdown is awesome
- Pandoc is great for converting markdown to tons of stuff
- but for pdf, it goes through LaTeX, which is ... yuk (my opinion)
- Pandoc also can convert to typst
- And typst creates beautiful pdfs and is way easier (my opinion) to deal with than LaTeX.
New tools:

```shell
brew upgrade pandoc
brew install typst
```

Now convert:

```shell
pandoc something.md --to typst -o something.typ
typst compile something.typ something.pdf
```

Michael #4: postman2pytest
via Mikhail
- Based on the Postman app
- Convert Postman Collection v2.1 JSON into executable pytest test suites
- Postman collections document your API. postman2pytest turns that documentation into executable regression tests that run in CI. No manual rewriting, no drift.
Extras:
New blog, who dis? - testandcode.org is now on .org and a blog and soon to be a "publisher".
Joke: Centering a div
-
Are there episodes missing?
-
Topics covered in this episode:
- Dumb Ways for an Open Source Project to Die
- How to create a pylock.toml lockfile
- https://github.com/facebook/Lifeguard
- Choosing a Python Logging Library in 2026
- Extras
- Joke
Sponsored by us! Support our work through:
- Our courses at Talk Python Training
- The Complete pytest Course
- Patreon Supporters
Connect with the hosts
- Michael: @[email protected] / @mkennedy.codes (bsky)
- Brian: @[email protected] / @brianokken.bsky.social
- Show: @[email protected] / @pythonbytes.fm (bsky)
Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too.
Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form, add your name and email to our friends of the show list; we'll never share it.
Michael #1: Dumb Ways for an Open Source Project to Die
Core categories
- The maintainer left
- The maintainer is still there
- Sabotage and capture
- The release pipeline broke
- Force majeure
- The world moved on
- The project split
Examples
- Bulma: PRs still from 2023, issues and PRs with no maintainer response for years, last release 1.5 years ago
- diskcache: Similar, maintainer got hired by OpenAI, crickets after that
Brian #2: How to create a pylock.toml lockfile
Tim Hopper
- Tim walks through using uv, pip and pdm to create pylock.toml files.
- Recommendation: use uv export --format pylock.toml -o pylock.toml
- He also has "How to install from a pylock.toml lockfile with pip", but the short version is: use -r because tools treat it like a requirements file
Michael #3: https://github.com/facebook/Lifeguard
Lifeguard is a static analyzer to detect Lazy Imports incompatibilities and ease the adoption overhead for Lazy Imports in Python.
I'm more excited about lazy imports after my Cutting Python Web App Memory Over 31% experience
Some Python patterns depend on imports executing immediately. For example:
- Module-level side effects: a module that registers a handler or modifies global state at import time will behave differently if that import is deferred.
- The registry pattern: a module that registers itself (e.g., adding to a global dict) when imported will silently fail to register under Lazy Imports.
- sys.modules manipulation: code that reads or writes sys.modules assumes prior imports have already executed.
- Metaclasses and __init_subclass__: class creation side effects may depend on imports being resolved.
Project Stage: Beta. Lifeguard is in active development. We are aiming to be ready for general use by the Python 3.15 final release.
Brian #4: Choosing a Python Logging Library in 2026
Ayooluwa Isaiah
"... which libraries matter, how they compare, where they overlap with the standard module, and when each one makes sense."
The slant with this article is the need to log JSON output, which seems reasonable as things like API entry and exit point logging will include JSON.
Covered libraries
- standard library logging, with a hat tip to python-json-logger
  - Same site has a guide to setting up python-json-logger
- structlog
- Loguru
- Logbook
- picologging
Some benchmarks with structlog, stdlib+json, and Loguru, with structlog coming out faster
I liked the Loguru example
I'm going to have to try @logger.catch and logger.exception() for easily logging exceptions and serialize=True to enable JSON output.
Extras
Brian:
- When Women Stopped Coding - Planet Money segment, spotted on BlueSky from Savannah Ostrowski
- Lean TDD is now leaner
  - Still working on audio version, but some great changes in 0.7.1 version
  - Ch 6, TDD Interpretations, move ATDD and some of BDD to chapter
  - Ch 7, Change name to TDD with Teams: BDD and ATDD
  - Ch 9, Lean TDD, streamline steps and chapter
  - Ch 10, Change name to Lean TDD with Teams: Lean ATDD
  - Ch 11, Lean TDD with AI, Add short discussion about guardrails and security
Michael:
- New course: Python Web Security: OWASP Top 10 with Agentic AI
- All courses now with Spanish subtitles, see announcement
Joke: Stop texting me
-
Topics covered in this episode:
- Using Django Tasks in production
- Co-authored with Claude?
- PyPI packages are increasing rapidly
- httpx2
- Extras
- Joke
Brian #1: Using Django Tasks in production
Tim Schilling shares how the Djangonaut Space website has been using Django's new tasks framework and some of the info missing from the official Django docs.
- Tasks require a third party package, django-tasks-db, to actually run the tasks.
- Article walks through all changes necessary to get an email process running to notify admins of new testimonials. Cool simple example.
- With the db backend, you can monitor progress of tasks in the admin, to see which tasks are scheduled, completed, or have errors.
- Some wishes for the community to implement
  - new tutorial in the Django docs
  - Django Debug Toolbar panel for tasks
  - test/mock backend
- Great title for the wish list: "Things I'd like to see, but I'm too lazy to implement myself."
Michael #2: Co-authored with Claude?
Via Nik T.
- We don't put "executed on macOS", "edited with PyCharm", etc. in our commits. Why Claude?
- Seems like a growth hack to me, that I don't really care to participate in.
- Some projects that have formalized their thoughts on this: The Generative AI Policy Landscape in Open Source
- Adjust to turn off in ~/.claude/settings.json, see the docs:

```json
{
  "attribution": {
    "commit": "",
    "pr": ""
  }
}
```

Brian #3: PyPI packages are increasing rapidly
Artem Golubin
- There's been an increase of published packages per week on PyPI
- A pretty big increase in the last handful of months.
- 30% increase since 2025, clearly due to AI
- Artem is building hexora, a malicious Python code detector.
- Cool package too, it can:
  - Audit project dependencies to catch potential supply-chain attacks
  - Detect malicious scripts found on platforms like Pastebin, GitHub, or open directories
  - Analyze IoC files from past security incidents
  - Audit new packages uploaded to PyPI.
- Artem is using hexora to analyze recently published PyPI packages and many are obviously vibecoded and trigger false positives for abuses of eval, exec, and subprocess
  - Side note: I don't think that's necessarily a false positive. Not malicious, but maybe a stupid-code-detector?
- Lots are LLM related, lots have bots contributing code
- Publishing rate is crazy; dozens to hundreds of published versions in a day is a bug, not a feature
- Brian's proposal: PyPI should limit releases per day for any package to something a sane human would do, even if they make a mistake on a release, to maybe like 2-3, definitely under 10, in a day. And if the repo has obvious agent contributors listed, maybe lower the limit to 1-2 a day? Honestly, "move fast and break things" doesn't apply to breaking the commons.
Michael #4: httpx2
More on the httpx, httpxyz, etc. changes: Pydantic people started their own fork, httpx2.
- Michiel says "while we think httpxyz was definitely needed, we welcome httpx2 and think it should be the 'blessed' fork."
- Kludex, who is among other things maintainer of Starlette, was considering a fork
- As it stands, httpx2 is lacking the performance improvements they added to httpxyz. But it will not be long before they will add those, too.
- Also they already made some smart decisions:
  - they are switching from certifi to truststore
  - they are switching to compression.zstd on Python 3.14+, enabling zstd compression by default
  - they merged httpcore and vendored it in their repository
- Discussion on Hacker News
Extras
Brian:
- The Four Horsemen of the LLM Apocalypse - Anarcat
- Django/JetBrains 2026 developer survey is open
- Pyrefly 1.0: "meaning we are confident that Pyrefly is ready for production use."
Michael:
- Just about ready to release the Python Web Security: OWASP Top 10 with Agentic AI course. Be sure to be on the courses newsletter to get notified.
Joke: Proud Parents
-
Topics covered in this episode:
- httpxyz one month in
- Learn concurrency - a deep dive into multithreading with Python
- pip 26.1 - lockfiles and dependency cooldowns
- Python 3.15 sentinel values from PEP 661
- Extras
- Joke
Michael #1: httpxyz one month in
- First version of httpxyz contained just the fixes to get zstd working, the fixes to get the test suite running on Python 3.14, and some "housekeeping" changes related to the renaming
- End of March: a compatibility shim that allows you to use httpxyz even with third-party packages that import httpx themselves, as long as you import httpxyz first.
- Importing httpxyz automatically registers it under the httpx name in sys.modules, see https://httpxyz.org/httpx-compatibility/
- Fixed a WHOLE bunch of performance related issues by forking httpcore
Brian #2: Learn concurrency - a deep dive into multithreading with Python
Nikos Vaggalis
"Whenever you are trying to speed up code using multiple cores, always ask yourself: 'Do these threads need to talk to each other right now?' If the answer is yes, it will be slow. The best parallel code splits a big job into completely isolated chunks, processes them separately, and merges the results at the finish line."
- Good overview of thread concurrency with Python and how that's been improved dramatically with free-threaded Python
- Defines lots of terms you come across, including "embarrassingly parallel multithreading"
- There's a counter example that's nice
  - Start with a shared resource, a counter, and multiple threads updating it
  - Attempt to fix with threading.Lock(), which fixes it, but slows things down
  - Good explanation of why
  - Proper fix with concurrent.futures and separating the work of different threads so that they can be independent and their results can be combined when they're all finished.
Michael #3: pip 26.1 - lockfiles and dependency cooldowns
- Python 3.9 is no longer supported
- Experimental: installing from pylock files
- Dependency cooldowns (see my post about this)
- Lifting several 2020 resolver limitations
Brian #4: Python 3.15 sentinel values from PEP 661
```python
# sentinel() is the factory PEP 661 proposes; the name is the only constructor argument
MISSING = sentinel("MISSING")

# The sentinel doubles as a type and can be combined with other types using |
def next_value(default: int | MISSING = MISSING):
    ...
    # Compare with `is`, as with None; never rely on truthiness (sentinels are truthy)
    if default is MISSING:
        ...
```

- Takes a name str as a constructor parameter
- Intended to be compared with the is operator, similar to None
- Sentinel objects can be used as a type, also similar to None, and can be combined with other types with |.
- Unlike None, sentinel values are truthy. (Ellipses ... are also truthy)
- This seems like a strange choice, but I guess it must have made sense to someone.
- It does force you to use is instead of depending on False-ness, so I guess it'll make code using sentinels more readable.
- Interesting that the PEP was started in 2021, and we're finally getting it this year.
Extras
Brian:
- Before GitHub - Armin Ronacher
- tenacity - cross-platform multi-track audio editor/recorder; learned about it from Armin's article
Joke:
Joke option: Make it myself. Seems similar to what people think about software now.
Links
- httpxyz one month in
- httpxyz.org/httpx-compatibility
- Learn concurrency - a deep dive into multithreading with Python
- pip 26.1 - lockfiles and dependency cooldowns
- my post about this
- Python 3.15 sentinel values from PEP 661
- Before GitHub
- tenacity
- Make it myself
-
Topics covered in this episode:
- profiling-explorer
- Reverting the incremental GC in Python 3.14 and 3.15
- VSCode AI Co-author defaults to on, then off
- django freeze
- Extras
- Joke
Brian #1: profiling-explorer
Adam Johnson
And intro post: Python: introducing profiling-explorer
"profiling-explorer is a tool for exploring profiling data from Python's built-in profilers, which are stored in pstats files."
Features
- Dark mode
- Click the calls, internal ms, or cumulative ms column headers to sort by that column.
- Use the search box to filter by filename or function name.
- Hover over a filename + line number pair to reveal the copy button, which copies the location to your clipboard for faster opening.
- Click the callers or callees links on the right of a row (not pictured above) to see the callers or callees of that function.
Michael #2: Reverting the incremental GC in Python 3.14 and 3.15
- Python 3.14 shipped with a new incremental garbage collector, but production reports of severe memory pressure (Neil Schemenauer measured up to 5x peak RSS on pathological cyclic workloads) have pushed the core team and Steering Council to revert it in both 3.14 and 3.15, returning to the 3.13-era generational GC.
- This is the second time the inc GC has been pulled back: it was also reverted right before 3.13.0 final, and it shipped in 3.14 without going through the PEP process.
- The tradeoff is real: Neil's benchmarks showed max GC pause times of 1.3ms with inc GC versus 26ms with the generational one; great for latency-sensitive apps, terrible for memory-constrained ones.
- Release manager Hugo van Kemenade will ship 3.14.5 early with the revert, and Gregory Smith floated the idea of a 3.14.5rc1, the first patch-release RC since 3.9.2 back in 2021.
- Tim Peters spent the thread doing live forensics on Windows, running a toy deque program that should cap at 1GB and watching it balloon to 15.6GB on a 16GB machine, and discovered the gen0 collector effectively never fires under the new scheme.
- Tim's bigger meta-point: CPython has a chronic shortage of real-world GC benchmarks, pyperformance has "basically no interesting" cyclic workloads, and users almost never share real data, so core devs keep flying blind on changes like this.
- Django maintainer Adam Johnson published a blog post mid-thread documenting a real memory "leak" in Django's migration system caused by inc GC, with a manual gc.collect() workaround: the listener-facing receipt that this wasn't just theoretical.
- If the inc GC comes back for 3.16, it'll go through a proper PEP, and the discussion is already shifting toward keeping both collectors available via a startup flag, which Neil and Sergey Miryanov have both prototyped.
Brian #3: VSCode AI Co-author defaults to on, then off
- VSCode merges "Enabling ai co author by default" - 3 weeks ago
- Tons of "why would you do this" and related comments
- VSCode merges "Change default for git.addAICoAuthor to off" - yesterday
- Take-away: don't rely on the default, set addAICoAuthor to off yourself
Michael #4: django freeze
Convert your dynamic Django site to a static one with one line of code.
Just run python manage.py generate_static_site :)
Features
- Generate the static version of your Django site, optionally as a compressed .zip file
- Generate/download the static site using urls (only superuser and staff)
- Follow sitemap.xml urls
- Follow internal links found in each page
- Follow redirects
- Report invalid/broken urls
- Selectively include/exclude media and static files
- Custom base url (very useful if the static site will run in a specific folder different from the document-root)
- Convert urls to relative urls (very useful if the static site will run offline or in an unknown folder different from the document-root)
- Prevent local directory index
Extras
Brian:
- Thinking Less, Trusting More: GenAI's Impacts on Students' Cognitive Habits
Michael:
- Vercel breached, employee to blame
- Introducing the new Talk Python web player
- GitHub uptime (a couple of views: 1, 2)
Joke: Friends in tech
-
Topics covered in this episode:
- Django Modern Rest
- Already playing with Python 3.15
- Cutting Python Web App Memory Over 31%
- tryke - A Rust-based Python test runner with a Jest-style API
- Extras
- Joke
Michael #1: Django Modern Rest
- Modern REST framework for Django with types and async support
- Supports Pydantic, Attrs, and msgspec
- Has AI coding support with llms.txt
- See an example at the "showcase" section
Brian #2: Already playing with Python 3.15
- 3.15.0a8, 3.14.4 and 3.13.13 are out
- Hugo van Kemenade
- Beta comes in May, RCs in Sept, and Final planned for October
- But still, there's awesome stuff here already; here's what I'm looking forward to:
  - PEP 810: Explicit lazy imports
  - PEP 814: frozendict built-in type
  - PEP 798: Unpacking in comprehensions with * and **
  - PEP 686: Python now uses UTF-8 as the default encoding
Michael #3: Cutting Python Web App Memory Over 31%
I cut 3.2 GB of memory usage from our Python web apps using five techniques:
- async workers
- import isolation
- the Raw+DC database pattern
- local imports for heavy libraries
- disk-based caching
See the full article for details.
Brian #4: tryke - A Rust-based Python test runner with a Jest-style API
Justin Chapman
- Watch mode, native async support, fast test discovery, in-source testing, support for doctests, client/server mode for fast editor integrations, pretty per-assertion diagnostics, filtering and marks, changed mode (like pytest-picked), concurrent tests, soft assertions, JSON, JUnit, Dot, and LLM reporters
- Honestly haven't tried it yet, but you know, I'm kinda a fan of thinking outside the box with testing strategies so I welcome new ideas.
Extras
Brian:
- Why aren't we uv yet?
  - Interesting take on the "agents prefer pip" claim
  - Problem with the analysis: many projects are libraries and don't publish a uv.lock file
  - Even with uv, it's still often seen as a developer preference for non-libraries. You can still use uv with requirements.txt
- PyCon US 2026 talks schedule is up
  - Interesting that there's an AI track now. I won't be attending, but I might have a bot watch the videos and summarize for me. :)
- What has technology done to us? - Justin Jackson
- Lean TDD new cover
  - Also, 0.6.1 is so ready for me to start f-ing reading the audio book and get on with this shipping the actual f-ing book and yes I realize I seem like I'm old because I use "f-ing" while typing.
Michael:
- Python 3.14.4 is out
- Beanie 2.1 release
Joke: HumanDB - Blazingly slow. Emotionally consistent.
-
Topics covered in this episode:
- Migrating from mypy to ty: Lessons from FastAPI
- Oxyde ORM
- Typeshedded CPython docs
- Raw+DC Database Pattern: A Retrospective
- Extras
- Joke
Brian #1: Migrating from mypy to ty: Lessons from FastAPI
Tim Hopper
- I saw this post by Sebastián Ramírez about all of his projects switching to ty: FastAPI, Typer, SQLModel, Asyncer, FastAPI CLI
- SQLModel is already ty only; mypy removed
- This signals that ty is ready to use
- Tim lists some steps to apply ty to your own projects
  - Add ty alongside mypy
  - Set error-on-warning = true
  - Accept the double-ignore comments
  - Pick a smaller project to cut over first
  - Drop mypy when the noise exceeds the signal
- Related anecdote:
  - I had tried out ty with pytest-check in the past with difficulty
  - Tried it again this morning, only a few areas where mypy was happy but ty reported issues
  - At least one ty warning was a potential problem for people running pre-releases of pytest
  - Not really related: packaging.version.parse is awesome
Michael #2: Oxyde ORM
Oxyde ORM is a type-safe, Pydantic-centric asynchronous ORM with a high-performance Rust core.
Note: Oxyde is a young project under active development. The API may evolve between minor versions.
- No sync wrappers or thread pools. Oxyde is async from the ground up
- Includes oxyde-admin
Features
- Django-style API - Familiar Model.objects.filter() syntax
- Pydantic v2 models - Full validation, type hints, serialization
- Async-first - Built for modern async Python with asyncio
- Rust performance - SQL generation and execution in native Rust
- Multi-database - PostgreSQL, SQLite, MySQL support
- Transactions - transaction.atomic() context manager with savepoints
- Migrations - Django-style makemigrations and migrate CLI
Brian #3: Typeshedded CPython docs
Thanks emmatyping for the suggestion
- Documentation for Python with typeshed types
- Source: typeshedding_cpython_docs
Michael #4: Raw+DC Database Pattern: A Retrospective
A new design pattern I'm seeing gain traction in the software space: Raw+DC: The ORM pattern of 2026
- I've had a chance to migrate three of my most important web apps.
- Thrilled to report that yes, the web app is much faster using Raw+DC
- Plus, this was part of the journey to move from 1.3 GB memory usage to 0.45 GB (more on this next week)
Extras
Brian:
- Lean TDD 0.5 update: significant rewrite and focus
Michael:
- pytest-just (for just command file testing), by Michael Booth
- Something going on with Encode
  - httpx: Anyone know what's up with HTTPX? And forked
  - starlette and uvicorn: Transfer of Uvicorn & Starlette
  - mkdocs: The Slow Collapse of MkDocs
  - django-rest-framework: Move to django commons?
- Certificates at Talk Python Training
Joke:
Neue Rich
-
Topics covered in this episode:
- Lock the Ghost
- Fence for Sandboxing
- MALUS: Liberate Open Source
- Harden your GitHub Actions Workflows with zizmor, dependency pinning, and dependency cooldowns
- Extras
- Joke
Michael #1: Lock the Ghost
The five core takeaways:
- PyPI "removal" doesn't delete distribution files. When a package is removed from PyPI, it disappears from the index and project page, but the actual distribution files remain accessible if you have a direct URL to them.
- uv.lock uniquely preserves access to ghost packages. Because uv.lock stores direct URLs to distribution files rather than relying on the index API at install time, uv sync can successfully install packages that have already been removed, even with cache disabled. No other Python lock file implementation tested behaved this way.
- This creates a supply chain attack vector. An attacker could upload a malicious package, immediately remove it to dodge automated security scanning, and still have it installable via a uv.lock file, or combine this with the xz-style strategy of hiding malicious additions in large, auto-generated lock files that nobody reviews.
- Removed package names can be hijacked with version collisions. When an owner removes a package, the name can be reclaimed by someone else who can upload different distribution types under the same version number, as happened with "umap." Lock files help until you regenerate them; then you're exposed.
- Your dependency scanning needs to cover lock files, not just manifest files. Scanning only pyproject.toml or requirements.txt misses threats embedded in lock files, which is where the actual resolved URLs and hashes live.
Brian #2: Fence for Sandboxing
Suggested by Martin Häcker
"Some coding platforms have since integrated built-in sandboxing (e.g., Claude Code) to restrict write access to directories and/or network connectivity. However, these safeguards are typically optional and not enabled by default."
"JY Tan (on cc) has extracted the sandboxing logic from Claude Code and repackaged it into a standalone Go binary."
Source code on GitHub: https://github.com/Use-Tusk/fence
Related:
Simon Willison lethal trifecta for AI agents article from June 2025
Claude Code Sandboxing
Michael #3: MALUS: Liberate Open Source
via Paul Bauer
The service will generate the specs of a library with one AI and build the newly licensed library using the specs with another AI, circumventing the licensing and copyright rules.
AI that has not been trained on open source reads the docs and API signature, creates a spec. Another AI processes that spec into working software.
Is it a real site? Are they accepting real money, or are they just trying to cause a stir around copyright?
Brian #4: Harden your GitHub Actions Workflows with zizmor, dependency pinning, and dependency cooldowns
Matthias Schoettle
Avoid things like this: hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far
Extras
Brian:
GitHub is asking to spy on us, that's nice
Michael:
Michael's new SaaS for podcasters: InterviewCue
DigitalOcean's Spaces cold storage for infrequently accessed data
Minor issue about my fire and forget post, was a latent bug?
Fire and Forget at Textual follow up article
Joke: Can you?
-
Topics covered in this episode:
Starlette 1.0.0
Astral to join OpenAI
uv audit
Fire and forget (or never) with Python's asyncio
Extras
Joke
Brian #1: Starlette 1.0.0
As a reminder, Starlette is the foundation for FastAPI
Starlette 1.0 is here! - fun blog post from Marcello Trylesinski
"The changes in 1.0 were limited to removing old deprecated code that had been on the way out for years, along with a few bug fixes. From now on we'll follow SemVer strictly."
Fun comment in the "What's next?" section:
"Oh, and Sebastián, Starlette is now out of your way to release FastAPI 1.0."
Related: Experimenting with Starlette 1.0 with Claude skills - Simon Willison
Example of the new lifespan mechanism, very pytest fixture-like:

```python
import contextlib

from starlette.applications import Starlette

# `routes` and `some_async_resource` come from the surrounding application;
# the original snippet assumes they are already defined.


@contextlib.asynccontextmanager
async def lifespan(app):
    # Everything before `yield` runs at startup, everything after at shutdown,
    # and the async resource stays open for the lifetime of the app.
    async with some_async_resource():
        print("Run at startup!")
        yield
        print("Run on shutdown!")


app = Starlette(routes=routes, lifespan=lifespan)
```
Michael #2: Astral to join OpenAI
via John Hagen, thanks
Astral has agreed to join OpenAI as part of the Codex team
Congrats Charlie and team
Seems like Ruff and uv play an important role.
Perhaps ty holds the most value to directly boost Codex (understanding codebases for the AI)
All that said, these were open source so there is way more to the motivations than just using the tools.
After joining the Codex team, we'll continue building our open source tools.
Simon Willison has thoughts
discuss.python.org also has thoughts
The Ars Technica article has interesting comments too
It's probably the death of pyx
Simon points out "pyx is notably absent from both the Astral and OpenAI announcement posts."
Brian #3: uv audit
Submitted by Owen Lemont
Pieces of uv audit have been trickling in. uv 0.10.12 exposes it to the cli help
Here's the roadmap for uv audit
I tried it out on a package and found a security issue with a dependency
not of the project, but of the testing dependencies
but only if using Python < 3.10, even though I'm using 3.14
Kinda cool
Looks like it generates a uv.lock file, which includes dependencies for all project supported versions of Python and systems, which is a very thorough way to check for vulnerabilities.
But also, maybe some pointers on how to fix the problem would be good. No --fix yet.
Michael #4: Fire and forget (or never) with Python's asyncio
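An added example (not from the show notes) of the fix this item describes: a module-level set holds a strong reference to each fire-and-forget task, and a done callback both removes it (so the set only ever contains in-flight tasks) and retrieves any exception so a failure does not vanish silently. fire_and_forget, _on_done and the demo coroutines are names chosen here.

```python
import asyncio
import gc

# The event loop holds only a weak reference to a running Task, so a task
# created with asyncio.create_task() and stored nowhere can be garbage
# collected before it finishes. Keep strong references in a set and remove
# each one from a done callback so the set cannot grow without bound.
_background_tasks: set = set()
_failures: list = []  # repr() of exceptions from finished tasks, instead of losing them

def _on_done(task: asyncio.Task) -> None:
    _background_tasks.discard(task)  # drop the strong ref; memory is bounded by in-flight tasks
    if not task.cancelled() and task.exception() is not None:
        _failures.append(repr(task.exception()))  # also avoids "exception was never retrieved"

def fire_and_forget(coro) -> asyncio.Task:
    """Schedule coro without awaiting it, but keep it alive until it completes."""
    task = asyncio.create_task(coro)
    _background_tasks.add(task)
    task.add_done_callback(_on_done)
    return task

async def _record(results: list, n: int) -> None:
    await asyncio.sleep(0)  # yield once, so the task outlives the frame that created it
    results.append(n)

async def _boom() -> None:
    raise RuntimeError("background task failed")

async def _demo(count: int) -> tuple:
    results: list = []
    for i in range(count):
        fire_and_forget(_record(results, i))
    fire_and_forget(_boom())
    await asyncio.sleep(0.05)  # give the background tasks time to run
    gc.collect()               # would reap unreferenced tasks; ours are held by the set
    return sorted(results), len(_background_tasks), list(_failures)

def demo(count: int = 5) -> tuple:
    _failures.clear()
    return asyncio.run(_demo(count))
```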
Python's asyncio.create_task() can silently garbage collect your fire-and-forget tasks starting in Python 3.12
Formerly fine async code can now stop working, so heads up
The fix? Use a set to upgrade to a strong ref and a callback to remove it
Is there a chance of task-based memory leaks? Yeah, maybe.
Extras
Brian:
Nobody Gets Promoted for Simplicity - interesting read and unfortunate truth in too many places.
pytest-check - All built-in check helper functions in this list also accept an optional xfail reason.
example: check.equal(actual, expected, xfail="known issue #123")
Allows some checks to still cause a failure to happen because you no longer have to mark the whole test as xfail
Michael:
TurboAPI - FastAPI + Pydantic compatible framework in Zig (see follow up)
Pyramid 2.1 is out (yes really! :) first release in 3 years)
Vivaldi 7.9 adds minimalist hide mode.
Migrated pythonbytes.fm and talkpython.fm to Raw+DC design pattern
Robyn + Chameleon package
Joke: We now have translation services
-
Topics covered in this episode:
chardet, AI, and licensing
refined-github
pgdog: PostgreSQL connection pooler, load balancer and database sharder
Agentic Engineering Patterns
Extras
Joke
Michael #1: chardet, AI, and licensing
Thanks Ian Lessing
Wow, where to start?
A bit of legal precedent research.
Chardet dispute shows how AI will kill software licensing, argues Bruce Perens on the Register
Also see this GitHub issue.
Dan Blanchard, maintainer of a Python character encoding detection library called chardet, released a new version of the library under a new software license. (LGPL → MIT)
Dan is allowed to make this change because v7 is a complete "clean room" rewrite using AI
BTW, v7 is WAY better:
The result is a 48x increase in detection speed for a project that lives in the hot loops of many projects. That will lead to noticeable performance increases for literally millions of users (the package gets ~130M downloads per month).
It paves a path towards inclusion in the standard library (assuming they don't institute policies against using AI tools).
Thread-safe detect() and detect_all() with no measurable overhead; scales on free-threaded Python 3.13t+
An individual claiming to be Mark Pilgrim, the original creator of the library, opened an issue in the project's GitHub repo arguing that Blanchard had no right to change the software license, citing the LGPL requirement that the license remain unchanged.
A 'complete rewrite' is irrelevant, since they had ample exposure to the originally licensed code (i.e. this is not a 'clean room' implementation).
Blanchard disagreed, citing how version 7.0.0 and 6.0.0 compare when subjected to JPlag, a library for detecting plagiarism.
Blanchard told The Register he had wanted to get chardet added to the Python standard library for more than a decade since it's a core dependency to most Python projects.
Brian #2: refined-github
Suggested by Matthias Schöttle
A browser plugin that improves the GitHub experience
A sampling:
Adds a build/CI status icon next to the repo's name.
Adds a link back to the PR that ran the workflow.
Enables tab and shift-tab for indentation in comment fields.
Auto-resizes comment fields to fit their content and no longer show scroll bars.
Highlights the most useful comment in issues.
Changes the default sort order of issues/PRs to Recently updated.
But really, it's a huge list of improvements
Michael #3: pgdog: PostgreSQL connection pooler, load balancer and database sharder
PgDog is a proxy for scaling PostgreSQL.
It supports connection pooling, load balancing queries and sharding entire databases.
Written in Rust, PgDog is fast, secure and can manage thousands of connections on commodity hardware.
Features
PgDog is an application layer load balancer for PostgreSQL
Health Checks: PgDog maintains a real-time list of healthy hosts. When a database fails a health check, it's removed from the active rotation and queries are re-routed to other replicas
Single Endpoint: PgDog can detect writes (e.g. INSERT, UPDATE, CREATE TABLE, etc.) and send them to the primary, leaving the replicas to serve reads
Failover: PgDog monitors Postgres replication state and can automatically redirect writes to a different database if a replica is promoted
Sharding: PgDog is able to manage databases with multiple shards
Brian #4: Agentic Engineering Patterns
Simon Willison
So much great stuff here, especially
Anti-patterns: things to avoid
And 3 sections on testing
Red/green TDD
First run the test
Agentic manual testing
Extras
Brian:
uv python upgrade will upgrade all versions of Python installed with uv to latest patch release
suggested by John Hagen
Coding After Coders: The End of Computer Programming as We Know It
NY Times Article
Suggested by Christopher
Best quote: "Pushing code that fails pytest is unacceptable and embarrassing."
Michael:
Talk Python Training users get a better account dashboard
Package Managers Need to Cool Down
Will AI Kill Open Source, article + video
My Always activate the venv is now a zsh-plugin, sorta.
Joke: Ergonomic keyboard
Also pretty good and related:
Claude Code Mandated
-
Topics covered in this episode:
Setting up a Python monorepo with uv workspaces
cattrs: Flexible Object Serialization and Validation
Learning to program in the AI age
VS Code extension for FastAPI and friends
Extras
Joke
See the full show notes for this episode on the website at pythonbytes.fm/472
-
Topics covered in this episode:
Raw+DC: The ORM pattern of 2026?
pytest-check releases
Dataclass Wizard
SQLiteo - "native macOS SQLite browser built for normal people"
Extras
Joke
See the full show notes for this episode on the website at pythonbytes.fm/471
-
Topics covered in this episode:
Better Python tests with inline-snapshot
jolt Battery intelligence for your laptop
Markdown code formatting with ruff
act - run your GitHub actions locally
Extras
Joke
See the full show notes for this episode on the website at pythonbytes.fm/470
-
Topics covered in this episode:
Command Book App
uvx.sh: Install Python tools without uv or Python
Ending 15 years of subprocess polling
monty: A minimal, secure Python interpreter written in Rust for use by AI
Extras
Joke
See the full show notes for this episode on the website at pythonbytes.fm/469
-
Topics covered in this episode:
django-bolt: Faster than FastAPI, but with Django ORM, Django Admin, and Django packages
pyleak
More Django (three articles)
Datastar
Extras
Joke
See the full show notes for this episode on the website at pythonbytes.fm/468
-
Topics covered in this episode:
GreyNoise IP Check
tprof: a targeting profiler
TOAD is out
Extras
Joke
See the full show notes for this episode on the website at pythonbytes.fm/467
-
Topics covered in this episode:
Better Django management commands with django-click and django-typer
PSF Lands a $1.5 million sponsorship from Anthropic
How uv got so fast
PyView Web Framework
Extras
Joke
See the full show notes for this episode on the website at pythonbytes.fm/466
-
Topics covered in this episode:
port-killer
How we made Python's packaging library 3x faster
CodSpeed
Extras
Joke
See the full show notes for this episode on the website at pythonbytes.fm/465
-
Topics covered in this episode:
ty: An extremely fast Python type checker and LSP
Python Supply Chain Security Made Easy
typing_extensions
MI6 chief: We'll be as fluent in Python as we are in Russian
Extras
Joke
See the full show notes for this episode on the website at pythonbytes.fm/464
-