Python News: What's New From November 2023

PyPI Completes First Security Audit

With the support of the Open Technology Fund (OTF), the Python Package Index (PyPI) completed its first external security audit in November. Because PyPI is the official index and repository for the Python ecosystem, maintaining its security is of vital importance for the community at large.

The audit began in late summer 2023 and involved searching for security vulnerabilities in Warehouse and cabotage, the codebases that power and deploy PyPI. Trail of Bits, a security firm with significant open-source and Python experience, performed the audit.

Overall, the auditors didn’t identify any high-severity issues in either of the codebases, which is great news. The audit did flag some issues, like weak signature verification, unintentional information leaks, and weak cryptographic hashes, but but ultimately noted that the codebases demonstrated best practices in the industry. The PyPI team has already made the repository safer by working to remediate the risks that came up in the audit.

If you’d like to learn more about how Trail of Bits conducted the audit and what the team found, then check out the blog post on the audit. You can also read the full report.

Python 3.13.0a2 Released

Just over a month ago, Python 3.12 introduced a ton of cool new features. But work never stops, and now the second alpha version of Python 3.13 is available.

The most notable change for this release, compared to 3.12, is the elimination of many modules. Python 3.13 closes out a deprecation schedule that began in Python 3.11 with PEP 594. If you’ve been using these deprecated modules on newer Python versions, then you’ve likely run into a DeprecationWarning. Some of the modules eliminated are aifc, audioop, cgi, cgitb, crypt, pipes, telnetlib, and lib2to3.

But Python 3.13 isn’t just about deprecation. It also adds improvements to some modules. Here are a few examples:

• In asyncio, the asyncio.loop.create_unix_server() method will now automatically remove the Unix socket when the connection to the server is closed, which means you won’t have an unnecessary socket file hanging around on disk.
• In the copy module, copy.replace() makes working with immutable objects more convenient by allowing you to create a modified copy.
• In the ipaddress module, the new ipaddress.IPV4Address.ipv6_mapped property lets you represent an IPv4 address as an IPv6 address.

This is just a small sampling of the new functionality added to this version. To see the full list of removals, deprecations, additions, and improvements in 3.13.0a2, check out What’s New In Python 3.13.

If you want to know how to install a pre-release version of Python in your system without affecting your current configuration, then give How Can You Install a Pre-Release Version of Python? a read. Then, you can start playing with these new features by downloading Python 3.13.0a2.

The final release of Python 3.13.0 is scheduled for October 2024. If you want to see the full schedule for future Python 3.13 preview releases, head over to PEP 719.

Python Developers Survey Open for Responses

In an effort to understand the current state of Python development, the Python Software Foundation (PSF), in collaboration with JetBrains, runs The Python Developers Survey every year.

The 2023 version is the seventh iteration of this survey, and as of November 8, it’s open for you to share your insights about how, where, and when you use Python. You can fill it out here. It should take you no more than fifteen minutes.

Why’s it important to participate? Regardless of your current level of knowledge or involvement in the Python community, participating in this survey is essential for the growth of Python as a language, and it also helps the PSF support the big community behind Python.

Also, no less important, twenty lucky winners are randomly selected from those who complete the survey. Each one receives a $100 Amazon Gift card or local equivalent.

Once the survey is completed, you’ll be able to read the aggregated results. Here are the results for 2022 and 2021.

PyCon US Still Seeking Proposals

In October 2023, PyCon US opened the call for proposals for those who’d like to be part of next year’s lineup of speakers. Being part of the largest annual gathering for Python developers is a great opportunity. The conference will take place in Pittsburgh from May 15 to 23.

You can submit a proposal for a talk, tutorial, charla, or poster. No matter how you decide to share your experience and expertise, you have until December 18, when the call for proposals closes.

Pydantic Version 2.5 Released

Pydantic is the most widely used data validation library for Python, and this month it received a major upgrade in the form of Pydantic 2.5. This version is full of new features and bug fixes, so you should definitely check it out.

One of the most significant changes is the addition of a new JsonValue type. You can use this type to represent a value that can be serialized to JSON. Specifically, you can use the following values:

• List['JsonValue']
• Dict[string, 'JsonValue']
• str
• int
• bool
• float
• None

In the example below, you use JsonValue to validate JSON data:

>>> import json
>>> from pydantic import BaseModel, JsonValue

>>> class Model(BaseModel):
...     rp: JsonValue
...

>>> data = {"rp": {"podcast": {
...     "episode": 183, "guests": ["Brendan Maginnis", "Nick Thapen"]
... }}}

>>> Model.model_validate(data)
Model(rp={'podcast': {'episode': 183, 'guests': ['Brendan Maginnis', 'Nick Thapen']}})

Here, you’ve declared rp as JsonValue, and you’re using it to validate if the input dictionary is a valid JSON object. In this case, it is.

If you instead pass invalid JSON data into the .model_validate() method, then Python will raise a ValidationError. Here you specify the guests in a set which is not valid JSON:

>>> data = {"rp": {"podcast": {
...     "episode": 183, "guests": {"Brendan Maginnis", "Nick Thapen"}
... }}}

>>> Model.model_validate(data)
Traceback (most recent call last):
    ...
pydantic_core._pydantic_core.ValidationError: 1 validation error for Model
rp.dict.podcast.dict.guests
  input was not a valid JSON value [type=invalid-json-value,
      input_value={'Nick Thapen', 'Brendan Maginnis'}, input_type=set]

But what if you’re working with Enum types? Then you’re in luck! This version of Pydantic adds support for JSON schema generation for empty Enum types without any member constants. Here’s how that works:

>>> from enum import Enum
>>> from pydantic import BaseModel

>>> class Transmission(Enum):
...     pass
...
>>> class CarModel(BaseModel):
...     brand: str
...     model: str
...     year: int
...     shift: Transmission
...

>>> CarModel.model_json_schema()
{'properties': {'brand': {'title': 'Brand', 'type': 'string'}, ...}

In the example above, you’ve defined an empty Enum class called Transmission. This is an empty Enum because you’ve used the pass statement to sidestep defining members. In previous versions of Pydantic, attempting to build a JSON schema from this empty Enum would’ve failed with an error.

However, this new version of Pydantic allows the operation above. If you dump the model schema to a JSON-file, it’ll look as follows:

{
  "properties": {
    "brand": {
      "title": "Brand",
      "type": "string"
    },
    "model": {
      "title": "Model",
      "type": "string"
    },
    "year": {
      "title": "Year",
      "type": "integer"
    },
    "shift": {
      "enum": [],
      "title": "Transmission"
    }
  },
  "required": [
    "brand",
    "model",
    "year",
    "shift"
  ],
  "title": "CarModel",
  "type": "object"
}

That’s great! Now you have a JSON schema, and you haven’t run into any errors. This gives you greater flexibility in the types of data you can work with.

Of course, this update brings several more features to the table. For a full list of features and fixes, visit the release notes. Which new capabilities are you most excited to use?

PyScript Version 2023.11.1 Comes Out

2023.11.1 is a major release for PyScript that adds a lot of new functionality to the framework, like smaller file sizes, faster loading, and more.

PyScript is a relatively recent addition to the Python ecosystem. Peter Wang first announced it during a keynote at PyCon US 2022. Here’s what it does:

PyScript is a framework that allows users to create rich Python applications in the browser using HTML’s interface and the power of Pyodide, WASM, and modern web technologies. The PyScript framework provides users at every experience level with access to an expressive, easy-to-learn programming language with countless applications. (Source)

One of the most important additions in this release is that PyScript now allows you to pick from two Python runtimes to execute your code:

• CPython through Pyodide
• MicroPython

MicroPython is a very lean and efficient implementation of the Python interpreter, originally written and optimized for microcontrollers. MicroPython, since its birth, has been used on many projects, including a spacecraft.

To differentiate between this new version and older versions, the PyScript team has named them PyScript Next and PyScript Classic, respectively.

This new version is a full rewrite of PyScript, and even though some of the PyScript Classic features are still available, there are many changes. Notably, the way that you include PyScript in a page has changed. You used to import "pyscript.js". Now you import "core.js", and you need to specify type="module" to avoid an error.

There’s also a new optimization that prevents bootstrapping the runtime until the first <script type="py"> or <py-script> tag on the page. This helps your program run faster.

In addition to these classic tags, the addition of MicroPython as a second runtime means that PyScript has added two new tags that allow you to run Python scripts using MicroPython. These are <script type="mpy"> and <mpy-script>, and again, they’re basically interchangeable. Here’s an example of <script type="mpy"> in use:

<script type="mpy">
    from pyscript import display
    display("Happy Pythoning!")
<script>

This new version of PyScript also adds support for parallel execution using web workers.

Under the hood, there’s a new core, Polyscript. This is a smaller, more efficient, and more powerful kernel, so you can expect even better performance. This version also brings a new plugin system that can extend its functionality without modifying its own core. As of now, PyScript supports plugins written in JavaScript.

According to the PyScript team, this version is a significant overhaul. They’ve been working tirelessly, and this new version demonstrates their dedication to the project. Have you tried out Python in your web browser yet?

What’s Next for Python?

Thanksgiving rounded out the month of November for lots of Python programmers. Whether you celebrated or not, it’s undeniable that there’s a lot to be thankful for in the world of Python! PyPI is taking security seriously, and the PSF is seeking input from the community. Plus, Python and its libraries continue to benefit from frequent updates to keep your code running smoothly.

With Advent in full swing, what new Python developments would you ask Santa to deliver to round out 2023?