Python Tooling Blog
-
PyPI Moved 1.92 Exabytes Last Year. Its Safety Team Is One Person.
PyPI moved 1.92 exabytes in 2025, handled two thousand malware reports, and watched a phishing site relay TOTP codes in real time. The 2026 Packaging Summit laid out the structural fixes coming next.
-
Bernát Gábor's Recap of the 2026 Python Packaging Summit
A pointer to Bernát Gábor's full write-up of the May 15 packaging summit, with a short list of what changed for handbook readers.
-
If you're on mypy in 2026, Pyrefly is the obvious upgrade
Pyrefly 1.0 (May 12, 2026) makes the mechanical half of a mypy migration free. `pyrefly init` reads `mypy.ini`, writes a Pyrefly config, and baseline files keep CI green while you triage the diagnostics Pyrefly's tighter inference surfaces.
-
Python 3.14.5 rolls back the incremental garbage collector
Python 3.14.5 reverts the incremental garbage collector that shipped in 3.14.0 through 3.14.4 back to the generational collector from 3.13. Production reports of memory pressure forced the change.
-
mypy 2.0 picks parallelism over a rewrite
mypy 2.0 shipped May 6, 2026, with experimental parallel type checking via `--num-workers`. The release reports up to 5x faster checks with 8 workers, narrowing the gap to ty, Pyrefly, and Zuban without trading Python for Rust.
-
Locking dependencies for PEP 723 single-file scripts in May 2026
PEP 723 made single-file Python scripts shareable. Reproducibility is still half-solved. Here's what actually works in May 2026.
-
Ruff Already Rewrites Your Python to Be More Idiomatic
Ruff's FURB rules catch non-idiomatic patterns and auto-fix them into cleaner Python. 36 rules, all with auto-fix, and most projects haven't enabled them.
-
Lightning Got Owned: When `import lightning` Steals Your Credentials
Malicious lightning PyPI versions 2.6.2 and 2.6.3 shipped a daemon-thread payload that runs on import, steals credentials, and worms into npm.
-
What Reddit taught me about why people switch to uv
A 476-upvote r/Python thread asked 'But really, why use uv?' The OP was a casual user who only installs packages a few times a month. The comments convinced them anyway.
-
ty and pyrefly find different bugs
Running ty 0.0.32 and pyrefly 0.62.0 on Textualize/rich raised 49 errors from ty and 20 from pyrefly. The 2.5x gap mostly disappears once you account for how each tool handles `# type: ignore` comments. Each tool also catches real bugs the other misses.