#464 Malicious Package? No Build For You!
Episode Synopsis
Topics covered in this episode:
ty: An extremely fast Python type checker and LSP
Python Supply Chain Security Made Easy
typing_extensions
MI6 chief: We'll be as fluent in Python as we are in Russian
Extras
Joke
Watch on YouTube
About the show
Connect with the hosts
Michael: @[email protected] / @mkennedy.codes (bsky)
Brian: @[email protected] / @brianokken.bsky.social
Show: @[email protected] / @pythonbytes.fm (bsky)
Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too.
Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.
Brian #1: ty: An extremely fast Python type checker and LSP
Charlie Marsh announced the Beta release of ty on Dec 16
“designed as an alternative to tools like mypy, Pyright, and Pylance.”
Extremely fast even from first run
Successive runs are incremental, only rerunning necessary computations as a user edits a file or function. This allows live updates.
Includes nice visual diagnostics, much like color-enhanced tracebacks
Extensive configuration control
Nice if you want to gradually fix warnings from ty across a project
Also released a nice VSCode (or Cursor) extension
Check the docs. There are lots of features.
Also a note about disabling the default language server (or disabling ty’s language server) so you don’t have 2 running
Michael #2: Python Supply Chain Security Made Easy
We know about supply chain security issues, but what can you do?
Typosquatting (not great)
GitHub/PyPI account take-overs (very bad)
Enter pip-audit.
Run it in two ways:
Against your installed dependencies in current venv
As a proper unit test (so it runs under pytest or in CI/CD).
Let others find out first: wait a week on all dependency updates with uv pip compile requirements.piptools --upgrade --output-file requirements.txt --exclude-newer "1 week"
Follow up article: DevOps Python Supply Chain Security
Create a dedicated Docker image for testing dependencies with pip-audit in isolation before installing them into your venv.
Run pip-compile / uv lock --upgrade to generate the new lock file
Test in an ephemeral, pip-audit-optimized Docker container
Only if that passes, run uv pip install / uv sync
Add a dedicated Docker image build step that fails the docker build step if a vulnerable package is found.
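The build-gating step described above, as an added example and not the article's own Dockerfile. It assumes requirements.txt is the pinned lock file produced in the earlier step, and the app entry point is a placeholder.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from the article): an audit stage that runs pip-audit against
# the pinned lock file, and an app stage that cannot be built unless the audit passed.
# Assumes requirements.txt is the fully pinned file from `uv pip compile` / `uv lock`.

FROM python:3.12-slim AS audit
WORKDIR /audit
RUN pip install --no-cache-dir pip-audit
COPY requirements.txt .
# A non-zero exit here aborts the whole build. --strict also fails on dependencies
# pip-audit could not check at all, and --desc prints the advisory text in the log.
RUN pip-audit -r requirements.txt --strict --desc

FROM python:3.12-slim AS app
WORKDIR /app
# Copying from the audit stage makes this stage depend on it, so a failed audit
# means no app image: no build for you.
COPY --from=audit /audit/requirements.txt ./requirements.txt
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
CMD ["python", "-m", "myapp"]   # placeholder entry point, replace with your own
```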
Brian #3: typing_extensions
Kind of a follow-up on the deprecation warning topic we were talking about in December.
prioinv on Mastodon notified us that the project typing-extensions includes it as part of the backport set.
The warnings.deprecated decorator is new to Python 3.13, but with typing-extensions, you can use it in previous versions.
But typing_extensions is way cooler than just that.
The module serves 2 purposes:
Enable use of new type system features on older Python versions.
Enable experimentation with type system features proposed in new PEPs before they are accepted and added to the typing module.
So cool.
There’s a lot of features here. I’m hoping it allows someone to use the latest typing syntax across multiple Python versions.
I’m “tentatively” excited. But I’m bracing for someone to tell me why it’s not a silver bullet.
Michael #4: MI6 chief: We'll be as fluent in Python as we are in Russian
"Advances in artificial intelligence, biotechnology and quantum computing are not only revolutionizing economies but rewriting the reality of conflict, as they 'converge' to create science fiction-like tools," said new MI6 chief Blaise Metreweli.
She focused mainly on threats from Russia, which she said is "testing us in the grey zone with tactics that are just below the threshold of war."
This demands what she called "mastery of technology" across the service, with officers required to become "as comfortable with lines of code as we are with human sources, as fluent in Python as we are in multiple other languages."
Recruitment will target linguists, data scientists, engineers, and technologists alike.
Extras
Brian:
The next chapter of Lean TDD, Finding Waste in TDD, is being released today
Still going to attempt a Jan 31 deadline for first draft of book.
That really doesn’t seem like enough time, but I’m optimistic.
SteamDeck is not helping me find time to write
But I very much appreciate the gift from my fam
Send me game suggestions on Mastodon or Bluesky. I’d love to hear what you all are playing.
Michael:
Astral has announced the Beta release of ty, which they say they are "ready to recommend to motivated users for production use."
Blog post
Release page
Reuven Lerner has a video series on Pandas 3
Joke: Error Handling in the age of AI
Play on the inversion of JavaScript the Good Parts