#430: Or you go to jail

Play on YouTube

Watch the live stream replay

About the show

Sponsored by Porkbun! Use our link pythonbytes.fm/porkbun and get a .app or .dev domain for $5.99 at Porkbun.

Connect with the hosts

• Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky)
• Brian: @brianokken@fosstodon.org / @brianokken.bsky.social
• Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky)

Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too.

Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.

Brian #1: pip 25.1 has dependency groups, pylock.toml, plus more

• post What's new in pip 25.1 - Dependency groups!
• Richard Si
• Discovered this through Hugo van Kemenade

• Dependency groups, PEP 735, supported

  # pyproject.toml
  [dependency-groups]
  test = ["pytest", "pytest-xdist"]
  lint = ["mypy", "isort"]
  # Dependency Groups can include other groups! ✨
  dev = [ {include-group = "test"}, {include-group = "lint"} ]
  

• Package installation progress bar

• Resumable downloads
• Experimental lockfile generation, PEP 751, with pip lock
  • so cool
• pip index versions is stable, no longer experimental
  • use this to get a list of available versions
  • ex: python3 -m pip index versions pytest-check
  • combine with --json to get a nice script readable output

Michael #2: aiohttp goes free threaded

• Thanks to months of consistent contributions by Lysandros Nikolaou, all of the mandatory dependencies of #aiohttp now ship free-threaded variants of #wheels!
• This unlocks the same in aiohttp!

Brian #3: uv 0.6.15 supports pylock.toml

• Discovered through Brett Cannon
• So far, these projects support pylock.toml
  • pip
  • pip-audit
  • pdm
  • uv
• With uv
  • To export a uv.lock to the pylock.toml format,
    • run: uv export -o pylock.toml
  • To generate a pylock.toml file from a set of requirements,
    • run: uv pip compile -o pylock.toml -r requirements.in
  • To install from a pylock.toml file,
    • run: uv pip sync pylock.toml or uv pip install -r pylock.toml

Michael #4: Whenever

• via Pat Decker
• Typed and DST-safe datetimes for Python, available in Rust or pure Python.
• Whenever helps you write correct and type checked datetime code.
• It's also way faster than other third-party libraries—and usually the standard library as well.

Extras

Brian:

• Every UUID

Michael:

• New Vulnerability in GitHub Copilot and Cursor: How Hackers Can Weaponize Code Agents via Brian Skinn
• And typosquatting in the AI age
• Firefox Send alternatives
  • file.pizza via @rafaelwo
  • bitwarden send

Joke: Can you Vibe?

• Interview with Vibe Coder in 2025
• Senior Engineer tries Vibe Coding