June 09, 2026

#483 Thanks Brian

28 minutes

Topics covered in this episode:

Vulnerability and malware checks in uv

HTTP GET requests with the Python standard library

Millions of AI agents imperiled by critical vulnerability in open source package

alembic-git-revisions

Extras

Joke

Watch on YouTube

About the show

Goodbye and Thanks Brian

Thanks Calvin for being part of this and future episodes! Also new time for the live show. Thanks Brian for all the hard work over the years.

Calvin #1: Vulnerability and malware checks in uv

release just yesterday by Astral https://astral.sh/blog/uv-audit

uv audit scans dependencies for known vulnerabilities and abandoned packages via the OSV database — runs 4–10x faster than pip-audit

Malware check runs on every install/sync, catching actively malicious packages (credential stealers, etc.) before they execute — including ones PyPI quarantined but lockfiles can still reference

Enable malware scanning with UV_MALWARE_CHECK=1 — it's opt-in and in preview

Future roadmap includes a resolver that steers toward vulnerability-free versions and install-time warnings scoped to newly added deps only

Michael #2: HTTP GET requests with the Python standard library

If you’re doing HTTP in Python, you’re probably using one of three popular libraries: requests, httpx, or urllib3.

There have been issues with httpx lately.

Niquest is another option: Drop-in replacement for Requests. Automatic HTTP/1.1, HTTP/2, and HTTP/3. WebSocket, and SSE included.

But maybe less is more, especially in the age of agentic AI

A good candidate needs two things to be true at once, not one: the used surface is small, and the behavior behind that surface is shallow.

Calvin #3: Millions of AI agents imperiled by critical vulnerability in open source package

"BadHost" (CVE-2026-48710) is a critical vulnerability in Starlette — the ASGI framework underlying FastAPI — with 325 million weekly downloads; also affects vLLM, LiteLLM, and most MCP server tooling

The exploit is trivial: injecting a single character into an HTTP Host header bypasses path-based authentication, and can lead to credential theft, SSRF, and in some cases remote code execution

MCP servers are a prime target since they store credentials for external services (email, databases, cloud accounts) — exposed data in the wild includes biopharma clinical trial DBs, full mailboxes, HR/PII pipelines, and AWS topology

Fix is available — patch to Starlette 1.0.1 immediately; use the free scanner at mcp-scan.nemesis.services to check if your servers are still running a vulnerable version

Open source sustainability footnote: the maintainer triages near-daily security reports solo, in his free time — most are AI-generated noise, and real ones like this still compete for the same evenings and weekends

Michael #4: alembic-git-revisions

By Julien Danjou from Mergify

Automatic Alembic migration chaining based on git commit history. No more Multiple head revisions are present for given argument 'head'.

See the introductory article

Caused by two migrations landed with the same down_revision, and Alembic doesn’t know which one comes first. The fix is always the same: someone manually edits the migration file to re-chain the revisions.

The insight: git already knows the order

Extras

Calvin:

GNU make can do pattern matching in the target. Not new at all, mentioned in the 1994-era docs. just and task don’t have this super power on the target name yet.

train-%:

uv run ./train.py $* --save-hyper-params --overwrite $(TRAIN_ARGS)

Michael:

Updated my HTTP client using packages from httpx to httpx2: listmonk, umami, and memberful. For motivation, see this reddit thread.

Joke: Accurate

...more

View all episodes

By Michael Kennedy and Calvin Hendryx-Parker

4.7

212212 ratings

June 09, 2026

#483 Thanks Brian

28 minutes

Topics covered in this episode:

Vulnerability and malware checks in uv

HTTP GET requests with the Python standard library

Millions of AI agents imperiled by critical vulnerability in open source package

alembic-git-revisions

Extras

Joke

Watch on YouTube

About the show

Goodbye and Thanks Brian

Thanks Calvin for being part of this and future episodes! Also new time for the live show. Thanks Brian for all the hard work over the years.

Calvin #1: Vulnerability and malware checks in uv

release just yesterday by Astral https://astral.sh/blog/uv-audit

uv audit scans dependencies for known vulnerabilities and abandoned packages via the OSV database — runs 4–10x faster than pip-audit

Enable malware scanning with UV_MALWARE_CHECK=1 — it's opt-in and in preview

Future roadmap includes a resolver that steers toward vulnerability-free versions and install-time warnings scoped to newly added deps only

Michael #2: HTTP GET requests with the Python standard library

If you’re doing HTTP in Python, you’re probably using one of three popular libraries: requests, httpx, or urllib3.

There have been issues with httpx lately.

Niquest is another option: Drop-in replacement for Requests. Automatic HTTP/1.1, HTTP/2, and HTTP/3. WebSocket, and SSE included.

But maybe less is more, especially in the age of agentic AI

A good candidate needs two things to be true at once, not one: the used surface is small, and the behavior behind that surface is shallow.

Calvin #3: Millions of AI agents imperiled by critical vulnerability in open source package

The exploit is trivial: injecting a single character into an HTTP Host header bypasses path-based authentication, and can lead to credential theft, SSRF, and in some cases remote code execution

Fix is available — patch to Starlette 1.0.1 immediately; use the free scanner at mcp-scan.nemesis.services to check if your servers are still running a vulnerable version

Michael #4: alembic-git-revisions

By Julien Danjou from Mergify

Automatic Alembic migration chaining based on git commit history. No more Multiple head revisions are present for given argument 'head'.

See the introductory article

The insight: git already knows the order

Extras

Calvin:

GNU make can do pattern matching in the target. Not new at all, mentioned in the 1994-era docs. just and task don’t have this super power on the target name yet.

train-%:

uv run ./train.py $* --save-hyper-params --overwrite $(TRAIN_ARGS)

Michael:

Updated my HTTP client using packages from httpx to httpx2: listmonk, umami, and memberful. For motivation, see this reddit thread.

Joke: Accurate

...more