#483 Thanks Brian copertina

#483 Thanks Brian

#483 Thanks Brian

Ascolta gratuitamente

Vedi i dettagli del titolo
Topics covered in this episode: Vulnerability and malware checks in uvHTTP GET requests with the Python standard libraryMillions of AI agents imperiled by critical vulnerability in open source packagealembic-git-revisionsExtrasJokeWatch on YouTube About the show Goodbye and Thanks Brian Thanks Calvin for being part of this and future episodes! Also new time for the live show. Thanks Brian for all the hard work over the years. Calvin #1: Vulnerability and malware checks in uv release just yesterday by Astral https://astral.sh/blog/uv-audituv audit scans dependencies for known vulnerabilities and abandoned packages via the OSV database — runs 4–10x faster than pip-auditMalware check runs on every install/sync, catching actively malicious packages (credential stealers, etc.) before they execute — including ones PyPI quarantined but lockfiles can still referenceEnable malware scanning with UV_MALWARE_CHECK=1 — it's opt-in and in previewFuture roadmap includes a resolver that steers toward vulnerability-free versions and install-time warnings scoped to newly added deps only Michael #2: HTTP GET requests with the Python standard library If you’re doing HTTP in Python, you’re probably using one of three popular libraries: requests, httpx, or urllib3.There have been issues with httpx lately.Niquest is another option: Drop-in replacement for Requests. Automatic HTTP/1.1, HTTP/2, and HTTP/3. WebSocket, and SSE included.But maybe less is more, especially in the age of agentic AIA good candidate needs two things to be true at once, not one: the used surface is small, and the behavior behind that surface is shallow. Calvin #3: Millions of AI agents imperiled by critical vulnerability in open source package "BadHost" (CVE-2026-48710) is a critical vulnerability in Starlette — the ASGI framework underlying FastAPI — with 325 million weekly downloads; also affects vLLM, LiteLLM, and most MCP server toolingThe exploit is trivial: injecting a single character into an HTTP Host header bypasses path-based authentication, and can lead to credential theft, SSRF, and in some cases remote code executionMCP servers are a prime target since they store credentials for external services (email, databases, cloud accounts) — exposed data in the wild includes biopharma clinical trial DBs, full mailboxes, HR/PII pipelines, and AWS topologyFix is available — patch to Starlette 1.0.1 immediately; use the free scanner at mcp-scan.nemesis.services to check if your servers are still running a vulnerable versionOpen source sustainability footnote: the maintainer triages near-daily security reports solo, in his free time — most are AI-generated noise, and real ones like this still compete for the same evenings and weekends Michael #4: alembic-git-revisions By Julien Danjou from MergifyAutomatic Alembic migration chaining based on git commit history. No more Multiple head revisions are present for given argument 'head'.See the introductory articleCaused by two migrations landed with the same down_revision, and Alembic doesn’t know which one comes first. The fix is always the same: someone manually edits the migration file to re-chain the revisions.The insight: git already knows the order Extras Calvin: GNU make can do pattern matching in the target. Not new at all, mentioned in the 1994-era docs. just and task don’t have this super power on the target name yet. train-%: uv run ./train.py $* --save-hyper-params --overwrite $(TRAIN_ARGS) Michael: Updated my HTTP client using packages from httpx to httpx2: listmonk, umami, and memberful. For motivation, see this reddit thread. Joke: Accurate
adbl_web_anon_alc_button_suppression_t1
Ancora nessuna recensione