hey I want to tell y'all a story:

"the time I tried to kill python 2.6, and the lessons I learned about open source"

I've been sitting on this for a long time, but figure it's probably time to share

funny enough, this story starts with me trying to SUPPORT python 2.6 ... so, I was at an interview many years ago, at a python shop. after they asked me all their questions, I got to ask them some. this was at a time when many places were transitioning from 2 to 3, so I asked:

"what version of Python do you use?"

and they said:

"1.8"

...wat

Today I’m announcing the first stable release of a project that’s been in the works for a few months:

pip-audit: a tool for identifying Python packages with known vulnerabilities.

pypi.org/p/pip-audit/ pip-audit is a bit different from existing vulnerability detection tooling.

First, it's the first tool to use vulnerability data directly from @pypi, via a new feature of PyPI's JSON API.

warehouse.pypa.io/api-reference/…

oh looks like I got early access to github copilot, time to explore my favorite genre of humor: making computers do dumb things bad news for the rest of us

Today we merged support on @pypi for PEP 592, adding the ability to "yank" releases, and for installers to determine which releases have been "yanked"! Nice!

...but, uh, what is a "yanked" release, you might ask?

(1\11) First let's talk about pinning dependencies, a pattern that's generally considered best practice for dependency management.

Pinning (or locking) dependencies means that you won't get automatically upgraded to the latest release when you do an installation or deployment.

(2/11)

Some researchers downloaded all of @pypi (!) and parsed the source of every package (!!!)

Some insights below 👇

(1/9) Insight #1: PyPI is growing.

Compound Annual Growth Rate (CAGR) for new packages, active packages, new releases, and new authors are all in the double-digits:

• New packages: 43.28%
• Active packages: 47.31%
• New releases: 51.21%
• New authors: 39.30%

(2/9)