May 18, 2026

#480 Proud Parents

33 minutes

Topics covered in this episode:

Using Django Tasks in production

Co-authored with Claude?

PyPI packages are increasing rapidly

httpx2

Extras

Joke

Watch on YouTube

About the show

Sponsored by us! Support our work through:

Our courses at Talk Python Training

The Complete pytest Course

Patreon Supporters

Connect with the hosts

Michael: @[email protected] / @mkennedy.codes (bsky)

Brian: @[email protected] / @brianokken.bsky.social

Show: @[email protected] / @pythonbytes.fm (bsky)

Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too.

Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.

Brian #1: Using Django Tasks in production

Tim Schilling shares how the Djangonaut Space website has been using Django’s new tasks framework and some of the info missing from the official Django docs.

Tasks require a third party package, django-tasks-db to actually run the tasks.

Article walks through all changes necessary to get an email process running to notify admins of new testimonials. Cool simple example.

With the db backend, you can monitor progress of tasks in the admin, to see which tasks are scheduled, completed, or have errors.

Some wishes for the community to implement

new tutorial in the Django docs

Django Debug toolbar panel for tasks

test/mock backend

Great title for wish list: Thinks I’d like to see, but I’m too lazy to implement myself.

Michael #2: Co-authored with Claude?

Via Nik T.

We don’t put “executed on macOS”, “edited with PyCharm”, etc. in our commits. Why Claude?

Seems like a growth hack to me, that I don’t really care to participate in.

Some projects that have formalized their thoughts on this: The Generative AI Policy Landscape in Open Source

Adjust to turn off in ~/.claude/settings.json see the docs.

{

"attribution": {

"commit": "",

"pr": ""

}

Brian #3: PyPI packages are increasing rapidly

Artem Golubin

There’s been an increase of published packages per week on PyPI

A pretty big increase in the last handful of months.

30% increase since 2025, clearly due to AI

Artem is building hexora, a malicious Python code detector.

Cool package too, it can:

Audit project dependencies to catch potential supply-chain attacks

Detect malicious scripts found on platforms like Pastebin, GitHub, or open directories

Analyze IoC files from past security incidents

Audit new packages uploaded to PyPi.

Artem is using hexora to analyze recently published pypi packages and many are obviously vibecoded and trigger false positives for abuses of eval, exec, and subprocess

Side note: I don’t think that’s necessarily a false positive. Not malicious, but maybe a stupid-code-detector?

Lots are LLM related, Lots have bots contributing code

Publishing rate is crazy, dozens to hundreds of published versions in a day is a bug, not a feature

Brian’s proposal, PyPI should limit releases per day for any package to something a sane human would do, even if they make a mistake on a release, to maybe like 2-3, definitely under 10, in a day. And if the repo has obvious agent contributors listed, maybe lower to the limit to 1-2 a day? Honestly, “move fast and break things” doesn’t apply to breaking the commons.

Michael #4: httpx2

More on the httpx, httpxyz, etc changes: Pydantic people started their own fork, httpx2.

Michiel says “while we think httpxyz was definitely needed, we welcome httpx2 and think it should be the ‘blessed’ fork.”

Kludex, who is among other things maintainer of Starlette, was considering a fork

As it stands, httpx2 is lacking the performance improvements they added to httpxyz. But it will not be long before they will add those, too.

Also they already made some smart decisions:

they are switching from certifi to truststore

they are switching to compression.zstd on Python 3.14+, enabling zstd compression by default

they merged httpcore and vendored it in their repository

Discussion on Hacker News

Extras

Brian:

The Four Horsemen of the LLM Apocalypse - Anarcat

Django/JetBrains 2026 developer survey is open

Pyrefly 1.0 : “meaning we are confident that Pyrefly is ready for production use.”

Michael:

Just about ready to release Python Web Security: OWASP Top 10 with Agentic AI course. Be sure to be on the courses newsletter to get notified.

Joke: Proud Parents

...more

View all episodes

By Michael Kennedy and Brian Okken

4.7

212212 ratings

May 18, 2026

#480 Proud Parents

33 minutes

Topics covered in this episode:

Using Django Tasks in production

Co-authored with Claude?

PyPI packages are increasing rapidly

httpx2

Extras

Joke

Watch on YouTube

About the show

Sponsored by us! Support our work through:

Our courses at Talk Python Training

The Complete pytest Course

Patreon Supporters

Connect with the hosts

Michael: @[email protected] / @mkennedy.codes (bsky)

Brian: @[email protected] / @brianokken.bsky.social

Show: @[email protected] / @pythonbytes.fm (bsky)

Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too.

Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.

Brian #1: Using Django Tasks in production

Tim Schilling shares how the Djangonaut Space website has been using Django’s new tasks framework and some of the info missing from the official Django docs.

Tasks require a third party package, django-tasks-db to actually run the tasks.

Article walks through all changes necessary to get an email process running to notify admins of new testimonials. Cool simple example.

With the db backend, you can monitor progress of tasks in the admin, to see which tasks are scheduled, completed, or have errors.

Some wishes for the community to implement

new tutorial in the Django docs

Django Debug toolbar panel for tasks

test/mock backend

Great title for wish list: Thinks I’d like to see, but I’m too lazy to implement myself.

Michael #2: Co-authored with Claude?

Via Nik T.

We don’t put “executed on macOS”, “edited with PyCharm”, etc. in our commits. Why Claude?

Seems like a growth hack to me, that I don’t really care to participate in.

Some projects that have formalized their thoughts on this: The Generative AI Policy Landscape in Open Source

Adjust to turn off in ~/.claude/settings.json see the docs.

{

"attribution": {

"commit": "",

"pr": ""

}

Brian #3: PyPI packages are increasing rapidly

Artem Golubin

There’s been an increase of published packages per week on PyPI

A pretty big increase in the last handful of months.

30% increase since 2025, clearly due to AI

Artem is building hexora, a malicious Python code detector.

Cool package too, it can:

Audit project dependencies to catch potential supply-chain attacks

Detect malicious scripts found on platforms like Pastebin, GitHub, or open directories

Analyze IoC files from past security incidents

Audit new packages uploaded to PyPi.

Artem is using hexora to analyze recently published pypi packages and many are obviously vibecoded and trigger false positives for abuses of eval, exec, and subprocess

Side note: I don’t think that’s necessarily a false positive. Not malicious, but maybe a stupid-code-detector?

Lots are LLM related, Lots have bots contributing code

Publishing rate is crazy, dozens to hundreds of published versions in a day is a bug, not a feature

Michael #4: httpx2

More on the httpx, httpxyz, etc changes: Pydantic people started their own fork, httpx2.

Michiel says “while we think httpxyz was definitely needed, we welcome httpx2 and think it should be the ‘blessed’ fork.”

Kludex, who is among other things maintainer of Starlette, was considering a fork

As it stands, httpx2 is lacking the performance improvements they added to httpxyz. But it will not be long before they will add those, too.

Also they already made some smart decisions:

they are switching from certifi to truststore

they are switching to compression.zstd on Python 3.14+, enabling zstd compression by default

they merged httpcore and vendored it in their repository