Blocking vulnerable packages at Docker build time

• ty: An extremely fast Python type checker and LSP
• Python Supply Chain Security Made Easy
• typing_extensions
• MI6 chief: We'll be as fluent in Python as we are in Russian
• Extras
• Joke

About the show

Connect with the hosts

• Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky)
• Brian: @brianokken@fosstodon.org / @brianokken.bsky.social
• Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky)

Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too.

Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.

Brian #1: ty: An extremely fast Python type checker and LSP

• Charlie Marsh announced the Beta release of ty on Dec 16
• “designed as an alternative to tools like mypy, Pyright, and Pylance.”
• Extremely fast even from first run
• Successive runs are incremental, only rerunning necessary computations as a user edits a file or function. This allows live updates.
• Includes nice visual diagnostics much like color enhanced tracebacks
• Extensive configuration control
  • Nice for if you want to gradually fix warnings from ty for a project
• Also released a nice VSCode (or Cursor) extension
  • Check the docs. There are lots of features.
  • Also a note about disabling the default language server (or disabling ty’s language server) so you don’t have 2 running

Michael #2: Python Supply Chain Security Made Easy

• We know about supply chain security issues, but what can you do?
  • Typosquatting (not great)
  • Github/PyPI account take-overs (very bad)
• Enter pip-audit.
• Run it in two ways:
  1. Against your installed dependencies in current venv
  2. As a proper unit test (so when running pytest or CI/CD).
  3. Let others find out first, wait a week on all dependency updates: uv pip compile requirements.piptools --upgrade --output-file requirements.txt --exclude-newer "1 week"
• Follow up article: DevOps Python Supply Chain Security
  1. Create a dedicated Docker image for testing dependencies with pip-audit in isolation before installing them into your venv.
     1. Run pip-compile / uv lock --upgrade to generate the new lock file
     2. Test in a ephemeral pip-audit optimized Docker container
     3. Only then if things pass, uv pip install / uv sync
  2. Add a dedicated Docker image build step that fails the docker build step if a vulnerable package is found.

Brian #3: typing_extensions

• Kind of a followup on the deprecation warning topic we were talking about in December.
• prioinv on Mastodon notified us that the project typing-extensions includes it as part of the backport set.
• The warnings.deprecated decorator is new to Python 3.13, but with typing-extensions, you can use it in previous versions.
• But typing_extesions is way cooler than just that.
• The module serves 2 purposes:
  • Enable use of new type system features on older Python versions.
  • Enable experimentation with type system features proposed in new PEPs before they are accepted and added to the <code>typing</code> module.
• So cool.
• There’s a lot of features here. I’m hoping it allows someone to use the latest typing syntax across multiple Python versions.
• I’m “tentatively” excited. But I’m bracing for someone to tell me why it’s not a silver bullet.

Michael #4: MI6 chief: We'll be as fluent in Python as we are in Russian

• "Advances in artificial intelligence, biotechnology and quantum computing are not only revolutionizing economies but rewriting the reality of conflict, as they 'converge' to create science fiction-like tools,” said new MI6 chief Blaise Metreweli.
• She focused mainly on threats from Russia, the country is "testing us in the grey zone with tactics that are just below the threshold of war.”
• This demands what she called "mastery of technology" across the service, with officers required to become "as comfortable with lines of code as we are with human sources, as fluent in Python as we are in multiple other languages."
• Recruitment will target linguists, data scientists, engineers, and technologists alike.

Extras

Brian:

• Next chapter of Lean TDD being released today, Finding Waste in TDD
  • Still going to attempt a Jan 31 deadline for first draft of book.
  • That really doesn’t seem like enough time, but I’m optimistic.
• SteamDeck is not helping me find time to write
  • But I very much appreciate the gift from my fam
  • Send me game suggestions on Mastodon or Bluesky. I’d love to hear what you all are playing.

Michael:

• Astral has announced the Beta release of ty, which they say they are "ready to recommend to motivated users for production use."
  • Blog post
  • Release page
• Reuven Lerner has a video series on Pandas 3

Joke: Error Handling in the age of AI

• Play on the inversion of JavaScript the Good Parts