#464 Malicious Package? No Build For You!

14 snips

Jan 5, 2026

Discover the exciting beta release of ty, an ultra-fast Python type checker that offers incremental checks and VSCode integration. The hosts delve into Python supply chain security, highlighting risks like typosquatting and the importance of tools like pip-audit. Learn how MI6 is pushing for Python fluency among agents, equating it to language skills. Plus, tips on using typing_extensions for older Python versions and personal updates about writing and gadgets round off the discussion!

Ask episode

AI Snips

Chapters

Books

Transcript

Episode notes

INSIGHT

Ty: Blazingly Fast Incremental Type Checking

Ty is an extremely fast, incremental Python type checker and LSP that runs near-instantly even on first run.
Its incremental rechecks make editor and CI integrations practical for live, repeated type validation.

ADVICE

Audit Dependencies And Delay New Upgrades

Use pip-audit to test installed dependencies and fail CI if vulnerabilities appear by adding a pytest that runs pip-audit.
Delay automatic dependency upgrades (e.g., exclude releases newer than one week) to let others find problematic releases first.

ADVICE

Isolate Dependency Tests In Docker Builds

Run dependency installs and pip-audit inside an isolated Docker build to detect malicious packages before they touch your machine.
Fail Docker builds when pip-audit flags vulnerabilities so unsafe images never get produced.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Topics covered in this episode:

ty: An extremely fast Python type checker and LSP
Python Supply Chain Security Made Easy
typing_extensions
MI6 chief: We'll be as fluent in Python as we are in Russian
Extras
Joke

Watch on YouTube

About the show

Connect with the hosts

Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky)
Brian: @brianokken@fosstodon.org / @brianokken.bsky.social
Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky)

Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too.

Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.

Brian #1: ty: An extremely fast Python type checker and LSP

Charlie Marsh announced the Beta release of ty on Dec 16
“designed as an alternative to tools like mypy, Pyright, and Pylance.”
Extremely fast even from first run
Successive runs are incremental, only rerunning necessary computations as a user edits a file or function. This allows live updates.
Includes nice visual diagnostics much like color enhanced tracebacks
Extensive configuration control
- Nice for if you want to gradually fix warnings from ty for a project
Also released a nice VSCode (or Cursor) extension
- Check the docs. There are lots of features.
- Also a note about disabling the default language server (or disabling ty’s language server) so you don’t have 2 running

Michael #2: Python Supply Chain Security Made Easy

We know about supply chain security issues, but what can you do?
- Typosquatting (not great)
- Github/PyPI account take-overs (very bad)
Enter pip-audit.
Run it in two ways:
1. Against your installed dependencies in current venv
2. As a proper unit test (so when running pytest or CI/CD).
3. Let others find out first, wait a week on all dependency updates: uv pip compile requirements.piptools --upgrade --output-file requirements.txt --exclude-newer "1 week"
Follow up article: DevOps Python Supply Chain Security
1. Create a dedicated Docker image for testing dependencies with pip-audit in isolation before installing them into your venv.
  1. Run pip-compile / uv lock --upgrade to generate the new lock file
  2. Test in a ephemeral pip-audit optimized Docker container
  3. Only then if things pass, uv pip install / uv sync
2. Add a dedicated Docker image build step that fails the docker build step if a vulnerable package is found.

Brian #3: typing_extensions

Kind of a followup on the deprecation warning topic we were talking about in December.
prioinv on Mastodon notified us that the project typing-extensions includes it as part of the backport set.
The warnings.deprecated decorator is new to Python 3.13, but with typing-extensions, you can use it in previous versions.
But typing_extesions is way cooler than just that.
The module serves 2 purposes:
- Enable use of new type system features on older Python versions.
- Enable experimentation with type system features proposed in new PEPs before they are accepted and added to the <code>typing</code> module.
So cool.
There’s a lot of features here. I’m hoping it allows someone to use the latest typing syntax across multiple Python versions.
I’m “tentatively” excited. But I’m bracing for someone to tell me why it’s not a silver bullet.

Michael #4: MI6 chief: We'll be as fluent in Python as we are in Russian

"Advances in artificial intelligence, biotechnology and quantum computing are not only revolutionizing economies but rewriting the reality of conflict, as they 'converge' to create science fiction-like tools,” said new MI6 chief Blaise Metreweli.
She focused mainly on threats from Russia, the country is "testing us in the grey zone with tactics that are just below the threshold of war.”
This demands what she called "mastery of technology" across the service, with officers required to become "as comfortable with lines of code as we are with human sources, as fluent in Python as we are in multiple other languages."
Recruitment will target linguists, data scientists, engineers, and technologists alike.

Extras

Brian:

Next chapter of Lean TDD being released today, Finding Waste in TDD
- Still going to attempt a Jan 31 deadline for first draft of book.
- That really doesn’t seem like enough time, but I’m optimistic.
SteamDeck is not helping me find time to write
- But I very much appreciate the gift from my fam
- Send me game suggestions on Mastodon or Bluesky. I’d love to hear what you all are playing.

Michael:

Astral has announced the Beta release of ty, which they say they are "ready to recommend to motivated users for production use."
- Blog post
- Release page
Reuven Lerner has a video series on Pandas 3

Joke: Error Handling in the age of AI

Play on the inversion of JavaScript the Good Parts