Hello and welcome to Python Bytes, where we deliver Python news and headlines directly to your earbuds. This is episode 464, recorded January 5th, 2026. Brian, it's 2026. Amazing.
It is amazing.
I'm Michael Kennedy. I'm Brian Okken. We're here to bring you another year of awesome Python news, and we've got a bunch of good ones queued up here. I've got a pretty interesting spy story to tell people, Brian. It's going to be very fun. Cool. Yes. If you're listening and you're not subscribed to the newsletter, you definitely should. It's super high quality. We put a lot of extra details, extra information,
not just an emailed version of the show notes. Follow us on the socials. You'll find them, probably, in the newsletter. I believe they're right there at the top, but also in the show notes. And yeah, with that, Brian, how would you like to kick things off for the new year?
Ty, I think I'm pronouncing it Ty. I don't know how it's supposed to be.
I've asked Charlie Marsh. No, it's ty. TY. It's ty.
Okay.
I believe because it's uv. TY. So now I'm starting to doubt myself, but when I interviewed him about ty, I asked, I'm pretty sure it's ty.
Oh, that makes sense. UV and TY?
TY.
TY. Okay. It's an extreme... it says it is an extremely fast Python type checker and LSP, which is, what, a language server protocol? I don't know what LSP stands for.
Do you? Language server protocol, yeah, LSP something. Yep. Anyway. Okay, so ty's been out for a while, but the news as of December 16th is that it's in beta. People have been playing with it for a while anyway, but we're going to link to Charlie Marsh's announcement of it. And, to be clear, this was going to be an extra, but I was playing with it this weekend and I'm kind of in love. I really like ty. So, really fast type checker and language server. And luckily this is not one where it's so fast that you say, did it actually run? Because it actually prints something out when you run, like, ty check. Even if it doesn't find anything, it says something like "All done." So thank you, Astral, for actually letting us know that it's finished. But it is super fast.
So, type checking. I've used mypy before, I think that's pronounced "my pie," and Pyright, I tried that, and Pylance. So actually, I remember Pylance, it has been a while, but I have tried Pyright and mypy because people have submitted issues with some of my projects to say, hey, these throw problems with mypy, can we fix this? So we've had some fixes on, like, pytest-check has been one project that we've made some changes on. However, okay, so I installed ty just the other day, and yes, it is super fast. I didn't... I'm expecting... They have a graph that shows... Oh, what are they type checking? Oh, they checked the Home Assistant project, which is a pretty big project.
And mypy takes 45 seconds to run and ty takes two seconds. And I didn't have anything that large. It just ran instantly and spit out a ton of stuff. So I actually went back and tried a couple of other projects. So here's another project running it. Let's see, in the Torch project. Oh, recompute. I'm getting ahead of myself. So it's really fast, but that's not the coolest part. The coolest part is it's really fast just the first time.
And then it's even faster when you run it again, because they're doing regenerative stuff. So, after, what did they write down? It was designed from the ground up to be incremental, to have incrementality. I don't think that's a word, guys, but to incrementally just check the things you've changed, to make it faster. And the reason why is to try to get it running within your editor as well. So, yeah, it's pretty fun. I actually ran it.
So, like I said, I ran it on some small projects, and a couple of things I'm like, why is it bugging me about this? But I just tried to fix the suggestions, and I found that it was making easier-to-read code, even though some of the things I didn't quite get. Like, here's one that tripped me up. If you've got a function with an input parameter and you declare the input type, I always think of that as like the input type
I expect the user to call this function with, but once I'm in the function, I can, like, change the type. If it came in as a list of strings and I wanted to turn it into just a concatenated full string, that was actually the example I had. And it said, yeah, that's the wrong type. You said list of strings, but then you assigned it a string. And I'm like, well, okay, would it be more clear if I add a new variable? And I actually just tried to clean it up.
And I'm like, yeah, this is easier to read, actually. It'll be better to maintain. So I'm trying to embrace the error messages as something that might make it easier to read, and not become combative. But I tried installing, there's an extension that they also released, the ty extension for VS Code. And this does a ton of stuff. Inlay type hints, go-to-definition information. I'm pointing this out because I know people will try it out.
But you'll have to be sure to read the documentation, because there's a warning in there to say it's a language server also. So you need to either turn off the default language server or turn off ty's language server. Having two at the same time doesn't work great. So I'm super happy with the project so far, but yeah.
That's cool. I definitely want to give the extension a try. I've been using Pyright as well, and it's also, sorry, Pyrefly, all the Pys, Pyrefly, and it has the same deal. You've got to go disable a bunch of stuff in the Visual Studio editors and, you know, like Cursor and others. And it's annoying that you got to do it. I feel like that is a fault of Visual Studio Code. Why would it let you run two language servers for the same language? That should be like, which one do you want to use?
Just tell me, right? I detected that two are running. It's kind of the nature of Visual Studio being just composed out of a bunch of disjointed things. But once you get it set up, it's super nice. I totally agree.
One thing I wanted to bring up that I haven't yet, also, is when I ran it on pytest-check. And actually I've known that pytest-check is kind of a fun plugin, but it has some, like, I'm hacking Python with this. I'm overloading a bunch of stuff, and a package that's also a context manager, and stuff like that. It's noting a whole bunch of errors, and I do plan on fixing all those; I just have a lot of other stuff going on.
And so I didn't intend for this to be an apology. What I'm meaning is, when I go to check these, ty has a whole bunch of settings. You can turn off any check. So that's what I think I'll do. Any of them that are failing, I'll probably turn them off and then fix them one at a time and go through. And I like that they just said, you know what? People might want to turn any of these off. So we'll just give you access to all of them.
So yeah, that's very cool. I'd like to throw out one more thing about the fast. Like, well, my editor's fast enough, I don't really care, right? Or what's it matter if it takes 20 seconds for Pyright to run?
One of the things that you can do with these that I don't think a lot of people are doing, but you can set up rules and tell your agentic coding tools, like, whenever you make a change, please run ty or Pyright or whatever against my code base and verify that you haven't made any typing mistakes, everything's hanging together, right? And those tools will do that, like, over and over, and it can just make it super slow, right?
So you're not sitting there waiting for the thing to run and run, you know, just reanalyze, reanalyze. Just tell it to use ty and it'll just be nearly instant. Nope, it's fine. Oh, I got to fix something, right? So one more use case here.
Yeah, and like we said, since it's incremental, it'll be like milliseconds to rerun it.
Yeah, exactly. Exactly, super cool. All right, I have a scary story for you, Brian. Okay. So I want to talk about a pair of articles I wrote, and I think they're very, very constructive, very helpful for people to use. So increasingly in open source, we're dealing with issues around supply chain problems, right? This first surfaced most prominently with typosquatting, and I'm sure people have heard of that word by now, but it's like Django without the J or whatever.
And if people don't really know and they type, you know, pip install dango or whatever, it might go and find nothing and say it's not there. Or it might find something that someone put up there to look like Django, but that also brings down some kind of malicious badness, right? And that's a problem. You can fix it by being careful. The PyPI folks are doing a lot of work to fight that and to, like, preserve misspellings of common things. But it's still an issue, right?
I mean, it's gone so far that there are people trying to see what agentic coding tools and LLMs would recommend, because sometimes they would make up package names, and then they would go put stuff there, so that the next time it recommends that non-existing thing, it actually exists as a virus. Right. So you got to be careful.
But way more serious than that is there were some announcements that some folks had been phished who worked on some project, and their PyPI credentials were hacked, and their projects were replaced with lookalike projects that also had bad things in them, right? And that's way worse. So if I use some library and it uses a library, which itself uses a less known library way down the chain, and that third level gets hacked and I pip install the new version of my library, I'm toast.
Right. And it's not because I misspelled something; nobody misspelled anything. It's because somewhere along the way, somebody's computer got taken over in some way. Off it goes. This is bad. So I was thinking about this over winter break. I'm like, well, what can we do about it? So I wrote two articles with concrete advice. First one, Python supply chain made easy, right? And what are you going to do? I gave out some examples. So here's the thing.
We have this tool called pip-audit, right? pip-audit is cool. It audits Python environments. It's officially part of the PyPA. It's under their GitHub organization, even though Trail of Bits and Google have also had influence on it. It audits Python environments, requirements files, and dependency trees for known security vulnerabilities, and it can even fix them. I don't care about fixing them, because it may be too late. I just want that to not happen.
So what I was thinking is, like, well, how do we use that tool? And how do we use uv? So one thing you can do with pip-audit is you can just say, this virtual environment, everything installed in here, how's it looking? Is it bad or is it not bad, right? And you can just uv tool install it. Because it doesn't have to be installed in your local environment, not necessarily, right? You just have that active when you run it. So that's pretty cool. But what if people don't run it?
You know, like, this is always the problem. It's like, I set up this thing, this way to lint code or format it, to make sure we always do it right, but then there's those people that just don't run it, right? So one thing you can do that's nice is, I created a unit test, a pytest test, which will run pip-audit wherever pytest is running. So, like, your application is being tested, it will also run pip-audit against that. So that's cool. It just does a subprocess, figures out which version of Python
it's on, and then it just runs pip-audit on it. For this to work, you've got to actually have it installed as part of the virtual environment. But that's all good, right? So then it will just look at all the stuff you've got installed, and your test will fail, which means your CI will fail, if some kind of vulnerable thing gets in there.
That's pretty cool.
Yeah, pretty nice. So people can just grab this test and drop it in, and there's really not much to it. And you run it. It's cool. Also, you could-- I mean, you could set it up as a git commit hook, but it's a little bit slow. So next thing you can do is very often something like this will happen. A couple of days later, people are like, why is my CPU at a hundred percent? And why is it this project I'm working on? You know, it'll get discovered, right?
And these things get yanked pretty quickly. That's kind of the positive side: they don't typically last. So the other thing you can do was with uv. You can say uv pip compile, or uv sync --upgrade, I think, is the command for the uv lock file version. But regardless, you can always pass an exclude-newer, just --exclude-newer, some timeframe. So I chose one week.
And what that means is, when I say update my requirements in the pinned lock file, it will basically pretend anything released in the last week doesn't exist and only update them to a week ago. That way, because the problem is, pip-audit can know that there's a bad one, but if it was released 10 minutes ago, pip-audit,
no one's going to have reported it and formalized it, right? There's this window in the really early days of a package being updated when no one's going to catch it and get it into the ecosystem in time, right? And so just having a little bit of time, like, let other people try this project for a week. If no one freaks out and says, oh my gosh, it's taking over the world, it's more likely to be okay, right? Yeah, sure. I mean, look, it's not a complete defense. It's not like, well,
if it's a week or older, it's never going to be a problem. But almost all of these that are big problems are discovered within a week. Or, you know, put a month, whatever, put a year, whatever you feel is enough that it's very unlikely you're going to get tied up in it. Right. You can put whatever number you want, but the point is you can put a delay. So whenever you say update my dependencies, it says, but not the very, very, very new ones. And I've been doing that for a while
and it's been fine. I mean, like, a week and a half. But I thought, okay, well, what about, this is all well and good if you have CI, but what about production? What if you're doing, like, DevOps with Docker or stuff? Also, if you run your pip-audit and it tells you that you have a virus you've pip installed onto your dev machine, too late. Once you've installed a virus, like, it could have downloaded stuff off the internet. It could put rootkits, like, you're done, right? That machine
probably needs to be formatted. It's very bad. So is there a way that we could do this before we put it onto our computer, with pip-audit, right? You can, under some circumstances, give it, like, a requirements file, but I think a better way is to just install stuff into a virtual environment. So I did a follow-up thing here that says, here's how you create a Docker instance that can copy whatever lock file you have into your temporary Docker container, install the requirements with
uv, run pip-audit on it, and then give you an answer back. That way, even if it does find something, it finds them over there, not on your computer, but in an isolated Docker environment, which should be safe. So it talks about that, which is pretty cool. I'll give you a little Dockerfile that works nice and easy. You can do whatever you want, create an alias so that it'll run with nice reporting, you can skip things you don't care about.
Like this PDF library on Windows, if you give it an SVG file, image file, it has a vulnerability. I'm like, well, one, I'm not running on Windows. I'm not giving it user input. Like, I don't care about, like, that's not a problem to me. So, there are certain things you might want to just ignore.
And then finally, I'll show you how to use, like, super good build-time caching to actually run pip-audit as part of your Docker build, so that you can't even build a container that has a vulnerability. Like, it will fail the Docker build if it has a problem, according to pip-audit. I mean, for some definition of a problem.
Yeah.
So that whole series I wrote over winter break, and I think it'll help people. Super easy to adopt. There's not much to it. If you're using Docker, it's got good things for that. If you're not, it also has things you can adopt.
I'm curious with the, yeah. On this topic of dependencies and stuff and possible vulnerabilities, I was trying to remember the word for it, but basically if you take some other project and just copy its source into yours. Vendoring. Vendoring, that's it. I'm just wondering if that's going to happen more often for production projects, because you could have something automatically, or have an agent or something, check to see if there are any updates in the project and copy them in and test them.
Yeah, I think that's going to happen a lot, especially for small libraries. Like, oh, this one just adds color to your output. You're like, hmm, do I really need, like, how often is that going to change? Probably never. Yeah. Do I need to be subjected to a supply chain story, or could I just copy it in? Or with the agentic coding things, you're like, I really just need these two functions. Can I just ask it to write these functions? And if they're working, like, I don't need a library at all.
You know, I agree 100%. I think so.
Okay. I'm going to actually talk about main updates as well in a different sense, I guess. So I want to talk about typing extensions. And again, this comes out of a suggestion from a listener. It was going to be just an extra, but I started using it and it's pretty cool. So in December, we were talking about, or I was talking about at least, deprecation warnings and the topic of how do you deal with that of deprecated items.
And one recommendation was using the deprecated decorator. So you could say from warnings import deprecated, and decorate a deprecated function. However, we were reminded that that's Python 3.13 only. Somebody named PrioInv on Mastodon notified us and said, hey, there's typing_extensions and they have them. And so I was checking this out. So in typing_extensions, let's see, deprecated. We could just get it from typing_extensions.
And now we've got it on earlier versions of Python. I haven't, like, I don't know if this is a, okay, I'll save a couple of comments for the end. But I'm pretty excited about this. So I'm hoping that I can just use, like, modern typing for different projects. And, like, why is this important? It's important because me, as a developer, I can kind of remember how to do typing in one version of Python.
But if I'm trying to remember, well, what typing decorators and all that stuff do I use for 3.12 versus 3.13 versus 3.14? That's hard to keep track of. So I'm excited to start using typing_extensions. And hopefully this cures the trying to keep track of it all. So there's a whole bunch of stuff in here. It's got typing primitives, protocols, decorators, functions, enums, pure aliases, all sorts of stuff, and it tells you when things were added and all that.
So anyway, kind of fun. Okay. Yeah, that's very nice. So hopefully I can get away with just using the deprecated wrapper, even in 3.12. Because, I mean, like, come on, everybody's got, like, a project that uses the newest, because it's my side project, it's using the newest version. Or I've got a library that I'm supporting that's supporting everything back to 3.12 maybe, or 3.8 or 3.9 or whatever. And then a work project that's using 3.13, stuff like that.
Yeah, I got a message from somebody saying, one of my smaller open source libraries, they can't get it to work. They can't get it to install or something. And I'm like, hmm, can't really see what the problem is. Oh, you're using 3.9 and it's using some feature of 3.10, and it says it needs 3.10. They're like, why doesn't this work? I'm like, literally, it sounds new, but that is no longer supported at all. It's easy for these to sound like, ah, 3.9 is not that old.
But it's out of even the bug fixes and security fixes.
Yeah, so people, remember to do a minimum version in your pyproject.toml if you're doing a library that other people install, so that it just doesn't even update to that version.
Exactly. That's what I did. But there was not a fallback older version they could use, because it uses types that are not available, like the lowercase-d dict of string, string, or something like that.
Oh, yeah. Right. Who wants to go back to importing uppercase Dict? I don't want to do that. Exactly. I'm like, I will do it when it needs support.
But, like, if it's literally out of support, I'm sorry. This is not on me to make my library work on, you know, as far back as history goes. All right. Let's talk about my spy story. Okay. So this is a real short one. My first one was really long. This one's really short. New MI6 chief Blaise Metreweli outlined her vision for technologically augmented intelligence gathering in her first public speech on December 15th, warning that the UK operates in a space between peace and war.
I mean, MI6, come on, James Bond, pretty cool. At the Tameside headquarters, she said... She was previously in charge of Q, which is kind of cool. Anyway, the headline is, We will need our MI6 spies, agents, to be as fluent in Python as they are in Russian. It's kind of interesting, right? Yeah. Look, we live in this super technological world, and so much of this is becoming cyber, more and more.
One of the main bits is, while mentioning China, Metreweli focused mainly on the threats from Russia. She said the country is, Russia is, testing us in the gray zone with tactics that are just below the threshold of war. Pretty much cyber attacks, critical infrastructure, drones, propaganda, all the stuff that having some kind of programming skill will super help with. So anyway, I just thought this was an interesting headline and worth a little shout out.
Also, I didn't know Q was real.
I didn't either. I was like, oh, that's so cool.
I knew MI6 was a real thing, but Q, that's awesome. I know.
It's definitely cool. Cool. All right. Anyway, everyone needs to know Python these days. Jake VanderPlas in 2017, in his PyCon keynote, said Python is a, gosh, basically like a quilt of all these different uses, use cases of people doing interesting things. Well, here's one more patch in the quilt.
Yeah. Even if you got a cooler language, we'll just incorporate it into Python. We are the Borg.
Exactly. There's something to that. All right. What are you going to lean into next here?
So we're into extras now. So I said that I was going to take some time off from writing in December, and I had a wonderful break with my family. And now I'm back to writing again. I wanted to announce that the next chapter is going to be finding waste in test-driven development. And I don't know why I was stressed out about it, but yesterday I just sat down and wrote, I think, a first draft.
I need to clean it up a little bit, but I want to get this released today. So hopefully by the time you listen to this, if you're not watching it live, it'll be around. And I'll, yeah, so the next one will be there. I've still got a goal of finishing this, at least the first draft, by the end of January. It's a tight deadline. I only have half the chapters written so far, but I think that we can get there.
I think that the later chapters are possibly shorter, and I'm going to try to read it, release it as an audiobook too, so I can't make them too long or else they'll kill me. Okay, so that's going on.
One of the things keeping me updated and on track, hopefully, is watches. So a slight change of topic, but I am back to sporting a non-smart watch. Right now I'm wearing a Victorinox watch, and I picked it up at an estate sale for 40 bucks, and it was a steal. It was a great watch. And then, since I'm now looking for watches, I picked up a couple more at estate sales in the last week too. So that's fun.
Something getting in the way of writing, though, is my Christmas present I got from my family. They got me a Steam Deck, and I'm having a blast with it. I like not having a console, like, just sitting on the couch or sitting back in a chair and playing video games. I'm having fun with that again. And I've been looking through the store and everything. I'd love to have anybody let me know, so let me know on Bluesky or Mastodon if there's a particular game I should check out. I haven't been into the gaming scene since the early 90s.
I've got some good recommendations for you. I don't know for sure that they'll run on the Steam Deck, but they do run on Windows Steam and on GeForce Now. Small Lands, S-M-A-L-L-A-N-D-S. Small Lands, you're like a little tiny creature running around this forest exploring it, and ladybugs come by and they're like hip height. It's a really cool experience. The graphics are incredible. The music is peaceful. It's cool. Give that one a go.
All right, thanks. But anyway, reach out on Mastodon and Bluesky. Let me know what you're playing.
Michael, do you have any extras? I do. I got actually two follow-ups now that you've mentioned these things. They were not originally there, but I've been dreaming of the Steam Machine, which is like a six-inch by six-inch cube that is kind of like a local, you put it by your TV or something. I'm not sure if it makes sense for me to get it, but it looks like a really neat machine. I've been thinking about that. Just got it now, so that's cool. But back to watches.
I used to have a Pebble Round 2, which is a really cool little round watch that had a traditional watch look, but it was a smart watch. This predates Apple Watch, I think. And it was so good. I loved it so much. It was incredibly thin. The e-ink display just looked like a real watch face. And I had so many people come up to me and say, wow, that is a cool watch. What kind of watch is that? And these would be like older people or people that were not techie.
And they didn't realize even that it was a smart watch.
They were saying, that's a cool watch, and I'm like, actually, that's a smart one. They're like, what is it? Oh my gosh. Incredible. Why am I saying this? It's coming back. They're remaking it. Pebble's coming back and is open source. And so if you're a fan of Pebble, there's a couple of Pebble things coming back. So, yay for watches. Although I'm still sticking with my Apple Watch, because I love all the health analytics it gathers about me.
All right, here's my actual extras, rather than impromptu follow-ups. So Reuven Lerner just posted a 12-video series on what's coming up in Pandas 3. So getting ready for Pandas 3, short focused video series. So like I said, 12 videos, come check it out if you're looking forward to what's coming up in Pandas. And I just released, as in two hours ago, a really awesome Talk Python episode called Web Frameworks in Production by Their Creators.
So I have folks from the Django team, folks from the Litestar team, from Flask and Quart and FastAPI, all of the people who create all of those coming on to talk about how you should run their web framework in production. I thought that was just a super, super fun, cool conversation.
Oh, wow. I'm looking forward to watching that.
Yeah, somebody in the audience said that I basically put the Python Avengers team together when it comes to web frameworks. It was really incredible. Quite the crew there. Okay, that's it for my extras. How are you feeling about a joke? Oh, a joke would be great. This one has to have the stage set just a little bit, okay? Okay. So by telling another joke. So there's this funny joke meme that went around like 15 years ago.
There's JavaScript: The Definitive Guide, which is, like, this 600-page tome of a huge book. And then Douglas Crockford published a follow-up book called JavaScript: The Good Parts. And it's like 100 pages. I don't know how big it is, but it's much, much smaller than The Definitive Guide. Like, this is the slice that you should only pay attention to, and the rest is wrong, right? Isn't this funny?
- Yeah.
- Oh yeah, I remember that. - Yeah, yeah, it's kind of old, but here's the new joke. Error handling. It's this huge, huge book. And then there's a little tiny one, error handling before AI. It's just, like, how much you gotta deal with and keep track of. Like, what is all this stuff going on? Why is this all here? It's the opposite. It's the inverse of going from a huge thing to, like, a focused good one. It's like, oh, we had this focused little bit of error handling. Now we got this mega thing I gotta deal with.
Yeah, there's the joke. Yeah, I'm looking forward to... people are already starting to actually care about making their tests readable, because they're having to figure out what's wrong, you know.
So, me too. Well, happy 2026 to everybody. Brian, good to see you. Nice. Looking forward to another year of good stuff. Yeah, we should have little poppers. Yeah. Little, yeah, those things. The ones with the little confetti or whatever. But no, we're just going to say goodbye. Goodbye. Bye. Talk to you next week. See you later.
