Python Bytes

Michael Kennedy and Brian Okken

479 episodes

  • Python Bytes

    #478 Iodine tablets and potable water

    2026-05-04 | 40 mins.
    Topics covered in this episode:

    profiling-explorer

    Reverting the incremental GC in Python 3.14 and 3.15

    VSCode AI Co-author defaults to on, then off

    django freeze

    Extras

    Joke

    Watch on YouTube

    About the show

    Sponsored by us! Support our work through:

    Our courses at Talk Python Training

    The Complete pytest Course

    Patreon Supporters

    Connect with the hosts

    Michael: @[email protected] / @mkennedy.codes (bsky)

    Brian: @[email protected] / @brianokken.bsky.social

    Show: @[email protected] / @pythonbytes.fm (bsky)

    Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too.

    Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.

    Brian #1: profiling-explorer

    Adam Johnson

    And intro post Python: introducing profiling-explorer

    “profiling-explorer is a tool for exploring profiling data from Python’s built-in profilers, which are stored in pstats files. ”

    Features

    Dark mode

    Click the calls, internal ms, or cumulative ms column headers to sort by that column.

    Use the search box to filter by filename or function name.

    Hover by a filename + line number pair to reveal the copy button, which copies the location to your clipboard for faster opening.

    Click the callers or callees links on the right of a row (not pictured above) to see the callers or callees of that function.

    Michael #2: Reverting the incremental GC in Python 3.14 and 3.15

    Python 3.14 shipped with a new incremental garbage collector, but production reports of severe memory pressure (Neil Schemenauer measured up to 5× peak RSS on pathological cyclic workloads) have pushed the core team and Steering Council to revert it in both 3.14 and 3.15 - returning to the 3.13-era generational GC.

    This is the second time the inc GC has been pulled back: it was also reverted right before 3.13.0 final, and it shipped in 3.14 without going through the PEP process.

    The tradeoff is real: Neil's benchmarks showed max GC pause times of 1.3ms with inc GC versus 26ms with the generational one - great for latency-sensitive apps, terrible for memory-constrained ones.

    Release manager Hugo van Kemenade will ship 3.14.5 early with the revert, and Gregory Smith floated the idea of a 3.14.5rc1 - the first patch-release RC since 3.9.2 back in 2021.

    Tim Peters spent the thread doing live forensics on Windows, running a toy deque program that should cap at 1GB and watching it balloon to 15.6GB on a 16GB machine - and discovered the gen0 collector effectively never fires under the new scheme.

    Tim's bigger meta-point: CPython has a chronic shortage of real-world GC benchmarks, pyperformance has "basically no interesting" cyclic workloads, and users almost never share real data - so core devs keep flying blind on changes like this.

    Django maintainer Adam Johnson published a blog post mid-thread documenting a real memory "leak" in Django's migration system caused by inc GC, with a manual gc.collect() workaround - the listener-facing receipt that this wasn't just theoretical.

    If the inc GC comes back for 3.16, it'll go through a proper PEP, and the discussion is already shifting toward keeping both collectors available via a startup flag - which Neil and Sergey Miryanov have both prototyped.

    Brian #3: VSCode AI Co-author defaults to on, then off

    VSCode merges Enabling ai co author by default - 3 weeks ago

    Tons of “why would you do this” and related comments

    VSCode merges Change default for git.addAICoAuthor to off - yesterday

    Take-away, don’t rely on default, set addAICoAuthor to off yourself

    Michael #4: django freeze

    Convert your dynamic django site to a static one with one line of code.

    Just run python manage.py generate_static_site :)

    Features

    Generate the static version of your Django site, optionally compressed .zip file

    Generate/download the static site using urls (only superuser and staff)

    Follow sitemap.xml urls

    Follow internal links found in each page

    Follow redirects

    Report invalid/broken urls

    Selectively include/exclude media and static files

    Custom base url (very useful if the static site will run in a specific folder different from the document-root)

    Convert urls to relative urls (very useful if the static site will run offline or in an unknown folder different from the document-root)

    Prevent local directory index

    Extras

    Brian:

    Thinking Less, Trusting More: GenAI’s Impacts on Students’ Cognitive Habits

    Michael:

    Vercel breached, employee to blame

    Introducing the new Talk Python web player

    GitHub uptime (a couple of views 1, 2)

    Joke: Friends in tech
  • Python Bytes

    #477 Lazy, Frozen, and 31% Lighter

    2026-04-20 | 45 mins.
    Topics covered in this episode:

    Django Modern Rest

    Already playing with Python 3.15

    Cutting Python Web App Memory Over 31%

    tryke - A Rust-based Python test runner with a Jest-style API

    Extras

    Joke

    Watch on YouTube

    Michael #1: Django Modern Rest

    Modern REST framework for Django with types and async support

    Supports Pydantic, Attrs, and msgspec

    Has ai coding support with llms.txt

    See an example at the “showcase” section

    Brian #2: Already playing with Python 3.15

    3.15.0a8, 3.14.4 and 3.13.13 are out

    Hugo van Kemenade

    beta comes in May, RCs in Sept, and Final planned for October

    But still, there’s awesome stuff here already, here’s what I’m looking forward to:

    PEP 810: Explicit lazy imports

    PEP 814: frozendict built-in type

    PEP 798: Unpacking in comprehensions with * and **

    PEP 686: Python now uses UTF-8 as the default encoding

    Michael #3: Cutting Python Web App Memory Over 31%

    I cut 3.2 GB of memory usage from our Python web apps using five techniques:

    async workers

    import isolation

    the Raw+DC database pattern

    local imports for heavy libraries

    disk-based caching

    See the full article for details.

    Brian #4: tryke - A Rust-based Python test runner with a Jest-style API

    Justin Chapman

    Watch mode, Native async support, Fast test discovery, In-source testing, Support for doctests, Client/server mode for fast editor integrations, Pretty, per-assertion diagnostics, Filtering and marks, Changed mode (like pytest-picked), Concurrent tests, Soft assertions,

    JSON, JUnit, Dot, and LLM reporters

    Honestly haven’t tried it yet, but you know, I’m kinda a fan of thinking outside the box with testing strategies so I welcome new ideas.

    Extras

    Brian:

    Why aren’t we uv yet?

    Interesting take on the “agents prefer pip”

    Problem with analysis.

    Many projects are libraries and don’t publish uv.lock file

    Even with uv, it’s still often seen as a developer preference for non-libraries. You can still use uv with requirements.txt

    PyCon US 2026 talks schedule is up

    Interesting that there’s an AI track now. I won’t be attending, but I might have a bot watch the videos and summarize for me. :)

    What has technology done to us?

    Justin Jackson

    Lean TDD new cover

    Also, 0.6.1 is so ready for me to start f-ing reading the audio book and get on with this shipping the actual f-ing book and yes I realize I seem like I’m old because I use “f-ing” while typing.
    Michael:

    Python 3.14.4 is out

    Beanie 2.1 release

    Joke: HumanDB - Blazingly slow. Emotionally consistent.
  • Python Bytes

    #476 Common themes

    2026-04-06 | 32 mins.
    Topics covered in this episode:

    Migrating from mypy to ty: Lessons from FastAPI

    Oxyde ORM

    Typeshedded CPython docs

    Raw+DC Database Pattern: A Retrospective

    Extras

    Joke

    Watch on YouTube

    Brian #1: Migrating from mypy to ty: Lessons from FastAPI

    Tim Hopper

    I saw this post by Sebastián Ramírez about all of his projects switching to ty

    FastAPI, Typer, SQLModel, Asyncer, FastAPI CLI

    SQLModel is already ty only - mypy removed

    This signals that ty is ready to use

    Tim lists some steps to apply ty to your own projects

    Add ty alongside mypy

    Set error-on-warning = true

    Accept the double-ignore comments

    Pick a smaller project to cut over first

    Drop mypy when the noise exceeds the signal

    Related anecdote:

    I had tried out ty with pytest-check in the past with difficulty

    Tried it again this morning, only a few areas where mypy was happy but ty reported issues

    At least one ty warning was a potential problem for people running pre-releases of pytest,

    Not really related: packaging.version.parse is awesome

    Michael #2: Oxyde ORM

    Oxyde ORM is a type-safe, Pydantic-centric asynchronous ORM with a high-performance Rust core.

    Note: Oxyde is a young project under active development. The API may evolve between minor versions.

    No sync wrappers or thread pools. Oxyde is async from the ground up

    Includes oxyde-admin

    Features

    Django-style API - Familiar Model.objects.filter() syntax

    Pydantic v2 models - Full validation, type hints, serialization

    Async-first - Built for modern async Python with asyncio

    Rust performance - SQL generation and execution in native Rust

    Multi-database - PostgreSQL, SQLite, MySQL support

    Transactions - transaction.atomic() context manager with savepoints

    Migrations - Django-style makemigrations and migrate CLI

    Brian #3: Typeshedded CPython docs

    Thanks emmatyping for the suggestion

    Documentation for Python with typeshed types

    Source: typeshedding_cpython_docs

    Michael #4: Raw+DC Database Pattern: A Retrospective

    A new design pattern I’m seeing gain traction in the software space: Raw+DC: The ORM pattern of 2026

    I’ve had a chance to migrate three of my most important web apps.

    Thrilled to report that yes, the web app is much faster using Raw+DC

    Plus, this was part of the journey to move from 1.3 GB memory usage to 0.45 GB (more on this next week)

    Extras

    Brian:

    Lean TDD 0.5 update

    Significant rewrite and focus

    Michael:

    pytest-just (for just command file testing), by Michael Booth

    Something going on with Encode

    httpx: Anyone know what's up with HTTPX? And forked

    starlette and uvicorn: Transfer of Uvicorn & Starlette

    mkdocs: The Slow Collapse of MkDocs

    django-rest-framework: Move to django commons?

    Certificates at Talk Python Training

    Joke:

    Neue Rich
  • Python Bytes

    #475 Haunted warehouses

    2026-03-30 | 40 mins.
    Topics covered in this episode:

    Lock the Ghost

    Fence for Sandboxing

    MALUS: Liberate Open Source

    Harden your GitHub Actions Workflows with zizmor, dependency pinning, and dependency cooldowns

    Extras

    Joke

    Watch on YouTube

    Michael #1: Lock the Ghost

    The five core takeaways:

    PyPI "removal" doesn't delete distribution files. When a package is removed from PyPI, it disappears from the index and project page, but the actual distribution files remain accessible if you have a direct URL to them.

    uv.lock uniquely preserves access to ghost packages. Because uv.lock stores direct URLs to distribution files rather than relying on the index API at install time, uv sync can successfully install packages that have already been removed, even with cache disabled. No other Python lock file implementation tested behaved this way.

    This creates a supply chain attack vector. An attacker could upload a malicious package, immediately remove it to dodge automated security scanning, and still have it installable via a uv.lock file, or combine this with the xz-style strategy of hiding malicious additions in large, auto-generated lock files that nobody reviews.

    Removed package names can be hijacked with version collisions. When an owner removes a package, the name can be reclaimed by someone else who can upload different distribution types under the same version number, as happened with "umap." Lock files help until you regenerate them, then you're exposed.

    Your dependency scanning needs to cover lock files, not just manifest files. Scanning only pyproject.toml or requirements.txt misses threats embedded in lock files, which is where the actual resolved URLs and hashes live.

    Brian #2: Fence for Sandboxing

    Suggested by Martin Häcker

    “Some coding platforms have since integrated built-in sandboxing (e.g., Claude Code) to restrict write access to directories and/or network connectivity. However, these safeguards are typically optional and not enabled by default.”

    “JY Tan (on cc) has extracted the sandboxing logic from Claude Code and repackaged it into a standalone Go binary.”

    Source code on GitHub: https://github.com/Use-Tusk/fence

    Related:

    Simon Willison lethal trifecta for AI agents article from June 2025

    Claude Code Sandboxing

    Michael #3: MALUS: Liberate Open Source

    via Paul Bauer

    The service will generate the specs of a library with one AI and build the newly licensed library using the specs with another AI circumventing the licensing and copyright rules.

    AI that has not been trained on open source reads the docs and API signature, creates a spec. Another AI processes that spec into working software.

    Is it a real site? Are they accepting real money, or are they just trying to cause a stir around copyright?

    Brian #4: Harden your GitHub Actions Workflows with zizmor, dependency pinning, and dependency cooldowns

    Matthias Schoettle

    Avoid things like this: hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far

    Extras

    Brian:

    GitHub is asking to spy on us, that’s nice

    Michael:

    Michael’s new SaaS for podcasters: InterviewCue

    DigitalOcean’s Spaces cold storage for infrequently accessed data

    Minor issue about my fire and forget post, was a latent bug?

    Fire and Forget at Textual follow up article

    Joke: Can you?
  • Python Bytes

    #474 Astral to join OpenAI

    2026-03-23 | 45 mins.
    Topics covered in this episode:

    Starlette 1.0.0

    Astral to join OpenAI

    uv audit

    Fire and forget (or never) with Python’s asyncio

    Extras

    Joke

    Watch on YouTube

    Brian #1: Starlette 1.0.0

    As a reminder, Starlette is the foundation for FastAPI

    Starlette 1.0 is here! - fun blog post from Marcello Trylesinski

    “The changes in 1.0 were limited to removing old deprecated code that had been on the way out for years, along with a few bug fixes. From now on we'll follow SemVer strictly.”

    Fun comment in the “What’s next?” section:

    “Oh, and Sebastián, Starlette is now out of your way to release FastAPI 1.0. 😉”

    Related: Experimenting with Starlette 1.0 with Claude skills

    Simon Willison

    example of the new lifespan mechanism, very pytest fixture-like

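    import contextlib

    from starlette.applications import Starlette

    @contextlib.asynccontextmanager
    async def lifespan(app):
        # Code before the yield runs at startup, code after it runs at shutdown.
        async with some_async_resource():
            print("Run at startup!")
            yield
            print("Run on shutdown!")

    # some_async_resource and routes are defined elsewhere in the application.
    app = Starlette(
        routes=routes,
        lifespan=lifespan
    )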

    Michael #2: Astral to join OpenAI

    via John Hagen, thanks

    Astral has agreed to join OpenAI as part of the Codex team

    Congrats Charlie and team

    Seems like Ruff and uv play an important role.

    Perhaps ty holds the most value to directly boost Codex (understanding codebases for the AI)

    All that said, these were open source so there is way more to the motivations than just using the tools.

    After joining the Codex team, we'll continue building our open source tools.

    Simon Willison has thoughts

    discuss.python.org also has thoughts

    The Ars Technica article has interesting comments too

    It’s probably the death of pyx

    Simon points out “pyx is notably absent from both the Astral and OpenAI announcement posts.”

    Brian #3: uv audit

    Submitted by Owen Lemont

    Pieces of uv audit have been trickling in. uv 0.10.12 exposes it to the cli help

    Here’s the roadmap for uv audit

    I tried it out on a package and found a security issue with a dependency

    not of the project, but of the testing dependencies

    but only if using Python < 3.10, even though I’m using 3.14

    Kinda cool

    Looks like it generates a uv.lock file, which includes dependencies for all project supported versions of Python and systems, which is a very thorough way to check for vulnerabilities.

    But also, maybe some pointers on how to fix the problem would be good. No --fix yet.

    Michael #4: Fire and forget (or never) with Python’s asyncio

    Python’s asyncio.create_task() can silently garbage collect your fire-and-forget tasks starting in Python 3.12

    Formerly fine async code can now stop working, so heads up

    The fix? Use a set to upgrade to a strong ref and a callback to remove it

    Is there a chance of task-based memory leaks? Yeah, maybe.
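
    An added example of the set-plus-callback fix described above, not code from the show notes or the linked article. The helper names (`fire_and_forget`, `drain`, `demo`) are hypothetical; the done callback also retrieves and logs the task's exception so a failure in a forgotten task is not silent, and `drain` bounds how long tasks can be held at shutdown.

```python
import asyncio
import logging

log = logging.getLogger("background")

# Strong references: the event loop itself only keeps weak references to tasks.
_background_tasks: set[asyncio.Task] = set()


def _finished(task: asyncio.Task) -> None:
    """Done callback: drop the strong reference and surface any failure."""
    _background_tasks.discard(task)
    if task.cancelled():
        return
    exc = task.exception()  # retrieving it avoids "exception was never retrieved"
    if exc is not None:
        log.error("background task %s failed: %r", task.get_name(), exc)


def fire_and_forget(coro, *, name=None) -> asyncio.Task:
    """Schedule coro and keep it alive until it completes."""
    task = asyncio.create_task(coro, name=name)
    _background_tasks.add(task)
    task.add_done_callback(_finished)
    return task


async def drain(timeout=5.0) -> int:
    """Wait for outstanding tasks at shutdown; return how many are still pending."""
    if _background_tasks:
        await asyncio.wait(set(_background_tasks), timeout=timeout)
    return len(_background_tasks)


async def demo():
    """Constructed scenario: one task that succeeds and one that raises."""
    results = []

    async def record(value, delay):
        await asyncio.sleep(delay)
        results.append(value)

    async def boom():
        raise RuntimeError("constructed failure")

    fire_and_forget(record("a", 0.01), name="record-a")
    fire_and_forget(boom(), name="boom")
    tracked = len(_background_tasks)
    remaining = await drain()
    return tracked, remaining, results


if __name__ == "__main__":
    print(asyncio.run(demo()))
```

    Because each finished task removes itself from the set, the set only grows while tasks are genuinely still running; a task that never finishes is the case that would hold memory.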

    Extras

    Brian:

    Nobody Gets Promoted for Simplicity - interesting read and unfortunate truth in too many places.

    pytest-check - All built-in check helper functions in this list also accept an optional xfail reason.

    example: check.equal(actual, expected, xfail="known issue #123")

    Allows some checks to still cause a failure to happen because you no longer have to mark the whole test as xfail
    Michael:

    TurboAPI - FastAPI + Pydantic compatible framework in Zig (see follow up)

    Pyramid 2.1 is out (yes really! :) first release in 3 years)

    Vivaldi 7.9 adds minimalist hide mode.

    Migrated pythonbytes.fm and talkpython.fm to Raw+DC design pattern

    Robyn + Chameleon package

    Joke: We now have translation services

About Python Bytes

Python Bytes is a weekly podcast hosted by Michael Kennedy and Brian Okken. The show is a short discussion on the headlines and noteworthy news in the Python, developer, and data science space.