January 05, 2026

#464 Malicious Package? No Build For You!

30 minutes

Topics covered in this episode:

ty: An extremely fast Python type checker and LSP

Python Supply Chain Security Made Easy

typing_extensions

MI6 chief: We'll be as fluent in Python as we are in Russian

Extras

Joke

Watch on YouTube

About the show

Connect with the hosts

Michael: @[email protected] / @mkennedy.codes (bsky)

Brian: @[email protected] / @brianokken.bsky.social

Show: @[email protected] / @pythonbytes.fm (bsky)

Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too.

Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.

Brian #1: ty: An extremely fast Python type checker and LSP

Charlie Marsh announced the Beta release of ty on Dec 16

“designed as an alternative to tools like mypy, Pyright, and Pylance.”

Extremely fast even from first run

Successive runs are incremental, only rerunning necessary computations as a user edits a file or function. This allows live updates.

Includes nice visual diagnostics much like color enhanced tracebacks

Extensive configuration control

Nice for if you want to gradually fix warnings from ty for a project

Also released a nice VSCode (or Cursor) extension

Check the docs. There are lots of features.

Also a note about disabling the default language server (or disabling ty’s language server) so you don’t have 2 running

Michael #2: Python Supply Chain Security Made Easy

We know about supply chain security issues, but what can you do?

Typosquatting (not great)

Github/PyPI account take-overs (very bad)

Enter pip-audit.

Run it in two ways:

Against your installed dependencies in current venv

As a proper unit test (so when running pytest or CI/CD).

Let others find out first, wait a week on all dependency updates: uv pip compile requirements.piptools --upgrade --output-file requirements.txt --exclude-newer "1 week"

Follow up article: DevOps Python Supply Chain Security

Create a dedicated Docker image for testing dependencies with pip-audit in isolation before installing them into your venv.

Run pip-compile / uv lock --upgrade to generate the new lock file

Test in a ephemeral pip-audit optimized Docker container

Only then if things pass, uv pip install / uv sync

Add a dedicated Docker image build step that fails the docker build step if a vulnerable package is found.

Brian #3: typing_extensions

Kind of a followup on the deprecation warning topic we were talking about in December.

prioinv on Mastodon notified us that the project typing-extensions includes it as part of the backport set.

The warnings.deprecated decorator is new to Python 3.13, but with typing-extensions, you can use it in previous versions.

But typing_extesions is way cooler than just that.

The module serves 2 purposes:

Enable use of new type system features on older Python versions.

Enable experimentation with type system features proposed in new PEPs before they are accepted and added to the typing module.

So cool.

There’s a lot of features here. I’m hoping it allows someone to use the latest typing syntax across multiple Python versions.

I’m “tentatively” excited. But I’m bracing for someone to tell me why it’s not a silver bullet.

Michael #4: MI6 chief: We'll be as fluent in Python as we are in Russian

"Advances in artificial intelligence, biotechnology and quantum computing are not only revolutionizing economies but rewriting the reality of conflict, as they 'converge' to create science fiction-like tools,” said new MI6 chief Blaise Metreweli.

She focused mainly on threats from Russia, the country is "testing us in the grey zone with tactics that are just below the threshold of war.”

This demands what she called "mastery of technology" across the service, with officers required to become "as comfortable with lines of code as we are with human sources, as fluent in Python as we are in multiple other languages."

Recruitment will target linguists, data scientists, engineers, and technologists alike.

Extras

Brian:

Next chapter of Lean TDD being released today, Finding Waste in TDD

Still going to attempt a Jan 31 deadline for first draft of book.

That really doesn’t seem like enough time, but I’m optimistic.

SteamDeck is not helping me find time to write

But I very much appreciate the gift from my fam

Send me game suggestions on Mastodon or Bluesky. I’d love to hear what you all are playing.

Michael:

Astral has announced the Beta release of ty, which they say they are "ready to recommend to motivated users for production use."

Blog post

Release page

Reuven Lerner has a video series on Pandas 3

Joke: Error Handling in the age of AI

Play on the inversion of JavaScript the Good Parts

...more

View all episodes

By Michael Kennedy and Brian Okken

4.7

212212 ratings

January 05, 2026

#464 Malicious Package? No Build For You!

30 minutes

Topics covered in this episode:

ty: An extremely fast Python type checker and LSP

Python Supply Chain Security Made Easy

typing_extensions

MI6 chief: We'll be as fluent in Python as we are in Russian

Extras

Joke

Watch on YouTube

About the show

Connect with the hosts

Michael: @[email protected] / @mkennedy.codes (bsky)

Brian: @[email protected] / @brianokken.bsky.social

Show: @[email protected] / @pythonbytes.fm (bsky)

Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too.

Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.

Brian #1: ty: An extremely fast Python type checker and LSP

Charlie Marsh announced the Beta release of ty on Dec 16

“designed as an alternative to tools like mypy, Pyright, and Pylance.”

Extremely fast even from first run

Successive runs are incremental, only rerunning necessary computations as a user edits a file or function. This allows live updates.

Includes nice visual diagnostics much like color enhanced tracebacks

Extensive configuration control

Nice for if you want to gradually fix warnings from ty for a project

Also released a nice VSCode (or Cursor) extension

Check the docs. There are lots of features.

Also a note about disabling the default language server (or disabling ty’s language server) so you don’t have 2 running

Michael #2: Python Supply Chain Security Made Easy

We know about supply chain security issues, but what can you do?

Typosquatting (not great)

Github/PyPI account take-overs (very bad)

Enter pip-audit.

Run it in two ways:

Against your installed dependencies in current venv

As a proper unit test (so when running pytest or CI/CD).

Let others find out first, wait a week on all dependency updates: uv pip compile requirements.piptools --upgrade --output-file requirements.txt --exclude-newer "1 week"

Follow up article: DevOps Python Supply Chain Security

Create a dedicated Docker image for testing dependencies with pip-audit in isolation before installing them into your venv.

Run pip-compile / uv lock --upgrade to generate the new lock file

Test in a ephemeral pip-audit optimized Docker container

Only then if things pass, uv pip install / uv sync

Add a dedicated Docker image build step that fails the docker build step if a vulnerable package is found.

Brian #3: typing_extensions

Kind of a followup on the deprecation warning topic we were talking about in December.

prioinv on Mastodon notified us that the project typing-extensions includes it as part of the backport set.

The warnings.deprecated decorator is new to Python 3.13, but with typing-extensions, you can use it in previous versions.

But typing_extesions is way cooler than just that.

The module serves 2 purposes:

Enable use of new type system features on older Python versions.

Enable experimentation with type system features proposed in new PEPs before they are accepted and added to the typing module.

So cool.

There’s a lot of features here. I’m hoping it allows someone to use the latest typing syntax across multiple Python versions.

I’m “tentatively” excited. But I’m bracing for someone to tell me why it’s not a silver bullet.

Michael #4: MI6 chief: We'll be as fluent in Python as we are in Russian

She focused mainly on threats from Russia, the country is "testing us in the grey zone with tactics that are just below the threshold of war.”

Recruitment will target linguists, data scientists, engineers, and technologists alike.

Extras

Brian:

Next chapter of Lean TDD being released today, Finding Waste in TDD

Still going to attempt a Jan 31 deadline for first draft of book.

That really doesn’t seem like enough time, but I’m optimistic.

SteamDeck is not helping me find time to write

But I very much appreciate the gift from my fam

Send me game suggestions on Mastodon or Bluesky. I’d love to hear what you all are playing.

Michael:

Astral has announced the Beta release of ty, which they say they are "ready to recommend to motivated users for production use."

Blog post

Release page

Reuven Lerner has a video series on Pandas 3

Joke: Error Handling in the age of AI

Play on the inversion of JavaScript the Good Parts

...more

More shows like Python Bytes

View all

The Changelog: Software Development, Open Source

288 Listeners

The a16z Show

1,103 Listeners

Daily Tech News Show

1,392 Listeners

Software Engineering Daily

627 Listeners

Talk Python To Me

583 Listeners

Super Data Science: ML & AI Podcast with Jon Krohn

302 Listeners

NVIDIA AI Podcast

348 Listeners

Syntax - Tasty Web Development Treats

990 Listeners

Tech Brew Ride Home

972 Listeners

Practical AI

215 Listeners

The Real Python Podcast

140 Listeners

No Priors: Artificial Intelligence | Technology | Startups

142 Listeners

Latent Space: The AI Engineer Podcast

99 Listeners

This Day in AI Podcast

228 Listeners

The AI Daily Brief: Artificial Intelligence News and Analysis

670 Listeners

Share #464 Malicious Package? No Build For You!

Sign up to save your podcasts

#464 Malicious Package? No Build For You!

#464 Malicious Package? No Build For You!

More shows like Python Bytes

The Changelog: Software Development, Open Source

The a16z Show

Daily Tech News Show

Software Engineering Daily

Talk Python To Me

Super Data Science: ML & AI Podcast with Jon Krohn

NVIDIA AI Podcast

Syntax - Tasty Web Development Treats

Tech Brew Ride Home

Practical AI

The Real Python Podcast

No Priors: Artificial Intelligence | Technology | Startups

Latent Space: The AI Engineer Podcast

This Day in AI Podcast

The AI Daily Brief: Artificial Intelligence News and Analysis