Python Bytes

Topics covered in this episode:

Backup Docker volumes locally or to any S3

Pyodide 314.0 Release

nb-cli: A Command-Line Interface for AI Agents and Notebook Automation

Hindsight Agent Memory That Learns

Extras

Joke

Watch on YouTube

About the show

Sponsored by us! Support our work through:

Our courses at Talk Python

AWS Community Day Midwest tomorrow Wednesday the 24th in downtown Indianapolis, Six Feet Up is sponsoring and there are 2 Sixies presenting

Connect with the hosts

Michael: Mastodon / BlueSky / X / LinkedIn

Calvin: Mastodon / BlueSky / X / LinkedIn

Show: Mastodon / BlueSky / X

Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Tuesday at 7am PT. Older video versions available there too.

Finally, if you want an bonus digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.

Michael #1: Backup Docker volumes locally or to any S3

Via Bryan Weber (thanks Bryan!), who spotted it over on Virtualization HowTo. Find Bryan at bryanwweber.com.

offen/docker-volume-backup is a lightweight companion container that backs up the volumes your apps actually depend on, then ships them somewhere safe.

It's tiny: written in Go and about 25MB compressed, roughly 1/20th the size of the shell-based image (jareware/docker-volume-backup) that inspired it.

Drop it into your docker compose file as a backup service, mount the volumes you care about as read-only, and you're off.

Push backups to a pile of destinations: a local directory, plus any S3, WebDAV, Azure Blob Storage, Dropbox, Google Drive, or SSH-compatible target. Mix and match as many as you want in one run.

Recurring cron-style backups in a Compose setup, or one-off backups straight from the Docker CLI.

Production-friendly touches worth calling out:

Rotates away old backups so you don't quietly fill the disk.

GPG encryption for your archives.

Notifications on finished and failed runs (so you find out about failures before you need the backup).

Stop a container during backup for a consistent snapshot using a simple docker-volume-backup.stop-during-backup=true label, then auto-restart it.

Run custom commands during the backup lifecycle (great for a database dump before the file copy).

Docker Swarm support, plus arm64 and arm/v7 builds. Hello, Raspberry Pi homelab.

Fun aside from Bryan: he searched our back catalog for this tool and the search came back so fast he thought it hadn't run. Love to hear it.

Calvin #2: Pyodide 314.0 Release

PEP 783 is the real news — Pyodide maintainers used to hand-build 300+ packages. Now anyone can publish Pyodide wheels to PyPI with cibuildwheel.

The version jump from 0.29 to 314.0 is intentional — it now tracks the Python version, so 314.x = Python 3.14. Binary compatibility is locked per Python cycle, meaning packages you build today won't break on the next Pyodide release.

sqlite3, ssl, and lzma are back in the default stdlib — no more await pyodide.loadPackage("sqlite3"). Bigger download, but a much smoother experience for newcomers.

bigint precision bug is fixed — values above 2^53 were silently losing precision when crossing the Python/JS boundary. The new JsBigInt type makes the roundtrip correct. Worth flagging if anyone is doing numeric work in a browser app.

Experimental TCP sockets in Node.js — you can now connect Pyodide to a real database (MySQL, PostgreSQL, Redis tested) when running server-side. Blurs the line between "Python in the browser" and "Python runtime anywhere Wasm runs."

Michael #3: nb-cli: A Command-Line Interface for AI Agents and Notebook Automation

From Piyush Jain (Jupyter and LangChain maintainer) on the Jupyter blog: nb-cli: A Command-Line Interface for AI Agents and Notebook Automation.

nb-cli is an experimental, Rust-based CLI to read, write, execute, and search Jupyter notebooks. The premise: agents are great at CLIs but terrible at hand-editing the nested JSON in an .ipynb, so let them operate on the notebook from the outside instead of running inside it.

Works with or without a Jupyter server. No server? It reads/writes .ipynb files directly and talks to kernels over ZeroMQ. Connected to a live JupyterLab, your edits show up instantly via Y.js (the same CRDT Jupyter uses).

Smart output format: instead of token-heavy JSON or ambiguous plain markdown, it uses @@cell / @@output sentinels with inline metadata. Less wasted context, unambiguous structure, and it degrades gracefully on truncation.

The payoff is composability. "Add a summary section and run it" becomes one shell pipeline instead of six agent tool calls. And nb search notebook.ipynb --with-errors returns only the failing cells, so the agent skips the cells that worked.

Claude Code tie-in: it ships as an agent skill. npx skills install jupyter-ai-contrib/nb-cli and your agent can drive notebooks via nb.

Out of jupyter-ai-contrib, which aims to become an official Jupyter AI subproject. Still early (crates.io is at v0.0.5), so kick the tires before anything load-bearing.

See also marimo-pair.

Calvin #4: Hindsight Agent Memory That Learns

AI agents forget everything between sessions — Hindsight gives them persistent memory that learns over time

Simple three-method API: retain(), recall(), reflect() — store, retrieve, and reason over memories

TEMPR retrieval runs semantic, keyword, graph, and temporal search in parallel for accurate results

Automatically consolidates related facts into durable observations instead of piling up duplicates

pip install hindsight-all runs the entire server in-process; integrates with LangChain, LlamaIndex, Pydantic AI, CrewAI, and more

Extras

Calvin:

Clanker: A Word For The Machine

**Ponytail — You know him. Long ponytail. Oval glasses. Has been at the company longer than the version control**

**Klangk: Multi-User AI Sandboxing, Collaboration and Coding Platform**

Cursor announces Origin

performative-ui to quick start your new idea
Michael:

Astral Joins OpenAI: The Interview

SpaceX to acquire Cursor

And OpenAI renews Open Source support

Portuguese subtitles are now available for Talk Python courses

DSF is hiring including Six Feet Up support

Joke: Oh Babe…

Topics covered in this episode:

pi + superpowers

Terminal: Warp.dev + OhMyZSH

{Blink,kitty} + mosh + tmux

Claude code

MacWhisper or Handy

Tailscale

Extras

Joke

Watch on YouTube

About the show

Sponsored by us! Support our work through:

Our courses at Talk Python Training

Six Feet Up is hosting a LinkedIn Live
Connect with the hosts

Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky)

Calvin: @calvinhp@sixfeetup.social / @calvinhp.com (bsky)

Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky)

Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Tuesday at 7am PT. Older video versions available there too.
Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.

Calvin #1: pi + superpowers

terminal-first, open-source coding agent

Session management is a first-class citizen

Extension model is what makes pi special — it's aggressively composable

Superpowers brings a structured software development methodology as loadable skills

Steps back and asks you what you're really trying to do

“hand you the keys to the car” mode vs guardrails might not be for everyone

Michael #2: Terminal: Warp.dev + OhMyZSH

If you’re using the base terminal with default settings, you have so much head-room for improvement.

I’ve been using Warp.dev since Elvis talked me into it. ;)

Remarkable terminal but the AI side of things is a bit junky, can be turned off

OhMyZSH gives better autocomplete

e.g. git branch [HTML_REMOVED] lists all branches in the local repo!

Commandbookapp.com is excellent to keep the terminal focused on terminal things and more server commands and other automation in Command Book.

Calvin #3: {Blink,kitty} + mosh + tmux

Kitty Terminal — GPU-accelerated terminal emulator for macOS, Linux, and Windows with support for graphics, ligatures, and a powerful tiling layout system built right in.

Blink Shell — The go-to terminal for iPad/iPhone power users; full SSH and Mosh client with a gorgeous interface built specifically for mobile professional workflows.

Mosh — Mobile Shell replaces SSH for remote connections, surviving network switches, sleep cycles, and flaky Wi-Fi with zero dropped sessions — essential for staying connected to long-running agentic jobs.

tmux — Terminal multiplexer that keeps sessions alive on your Linux server indefinitely; detach from a Mosh session on your Mac, reconnect from your iPad, and your agent is right where you left it.

The combo — Kitty or Blink + Mosh + tmux creates a "persistent remote brain" pattern: your beefy Linux homelab runs the compute-heavy agent sessions 24/7, and any device becomes a thin client to drop in and out at will.

Michael #4: Claude code

I prefer the IDE experience, the new PyCharm + Claude integration is really good. VS Code too. Why IDE? Because we should still be present with our code and managing context is much easier.

Use the best/latest models on high thinking. “Speed” is not your friend, it’s just shortcuts.

Create skills and agents and use them.

Curate your own rules (e.g. Talk Python’s Claude.md)

Works well on non-coding things. Just create a folder, put a ton of files in there and it’s like NotebookLM + Chat + more.

Calvin #5: MacWhisper or Handy

Transcribes your speech using your choice of Whisper or Parakeet models.

All transcription is done on your device, no data leaves your machine.

Automatic Speaker Recognition with local models.

Handy is more basic, but open source and runs on all platforms.

Michael #6: Tailscale

No need to open ports at all, Tailscale makes machines inside the same network accessible to each other

Works great for laptops, desktops, etc. But also available for servers.

Though I still use cloud firewalls for servers.

How I use it:

My dev database server, preloaded with QA data, is always running on my home mac mini m4 pro. All my apps look for that server before looking locally and tailscale makes them always accessible to each other

My local LLMs expose OpenAI API compatible APIs. Tailscale makes these accessible even while traveling or at a coffee shop.

Use my mini as an exit node. All traffic is routed outbound from my local fiber network. Great to restricted IPs like accessing my servers without caring about the local IP.

Screen share back to my home machines even while traveling.

Listen to the Talk Python episode with Alex for a deeper conversation.

Extras

Calvin:

Telescopo great Mac Markdown viewer/editor.
Michael:

One more: Typora markdown editor.

Created formal documentation for many of my open source packages using Great Docs.

Via Mark Little: Statement on the US government directive to suspend access to Fable 5 and Mythos 5

Joke: No second date

Topics covered in this episode:

Vulnerability and malware checks in uv

HTTP GET requests with the Python standard library

Millions of AI agents imperiled by critical vulnerability in open source package

alembic-git-revisions

Extras

Joke

Watch on YouTube

About the show

Goodbye and Thanks Brian

Thanks Calvin for being part of this and future episodes! Also new time for the live show. Thanks Brian for all the hard work over the years.

Calvin #1: Vulnerability and malware checks in uv

release just yesterday by Astral https://astral.sh/blog/uv-audit

uv audit scans dependencies for known vulnerabilities and abandoned packages via the OSV database — runs 4–10x faster than pip-audit

Malware check runs on every install/sync, catching actively malicious packages (credential stealers, etc.) before they execute — including ones PyPI quarantined but lockfiles can still reference

Enable malware scanning with UV_MALWARE_CHECK=1 — it's opt-in and in preview

Future roadmap includes a resolver that steers toward vulnerability-free versions and install-time warnings scoped to newly added deps only

Michael #2: HTTP GET requests with the Python standard library

If you’re doing HTTP in Python, you’re probably using one of three popular libraries: requests, httpx, or urllib3.

There have been issues with httpx lately.

Niquest is another option: Drop-in replacement for Requests. Automatic HTTP/1.1, HTTP/2, and HTTP/3. WebSocket, and SSE included.

But maybe less is more, especially in the age of agentic AI

A good candidate needs two things to be true at once, not one: the used surface is small, and the behavior behind that surface is shallow.

Calvin #3: Millions of AI agents imperiled by critical vulnerability in open source package

"BadHost" (CVE-2026-48710) is a critical vulnerability in Starlette — the ASGI framework underlying FastAPI — with 325 million weekly downloads; also affects vLLM, LiteLLM, and most MCP server tooling

The exploit is trivial: injecting a single character into an HTTP Host header bypasses path-based authentication, and can lead to credential theft, SSRF, and in some cases remote code execution

MCP servers are a prime target since they store credentials for external services (email, databases, cloud accounts) — exposed data in the wild includes biopharma clinical trial DBs, full mailboxes, HR/PII pipelines, and AWS topology

Fix is available — patch to Starlette 1.0.1 immediately; use the free scanner at mcp-scan.nemesis.services to check if your servers are still running a vulnerable version

Open source sustainability footnote: the maintainer triages near-daily security reports solo, in his free time — most are AI-generated noise, and real ones like this still compete for the same evenings and weekends

Michael #4: alembic-git-revisions

By Julien Danjou from Mergify

Automatic Alembic migration chaining based on git commit history. No more Multiple head revisions are present for given argument 'head'.

See the introductory article

Caused by two migrations landed with the same down_revision, and Alembic doesn’t know which one comes first. The fix is always the same: someone manually edits the migration file to re-chain the revisions.

The insight: git already knows the order

Extras

Calvin:

GNU make can do pattern matching in the target. Not new at all, mentioned in the 1994-era docs. just and task don’t have this super power on the target name yet.
train-%:
uv run ./train.py $* --save-hyper-params --overwrite $(TRAIN_ARGS)

Michael:

Updated my HTTP client using packages from httpx to httpx2: listmonk, umami, and memberful. For motivation, see this reddit thread.

Joke: Accurate

Topics covered in this episode:

CVE-2026-48710: A Maintainer's Perspective

daily-stars-explorer

Markdown to pdf with pandoc and typst

postman2pytest

Extras

Joke

Watch on YouTube

About the show

Brian #1: CVE-2026-48710: A Maintainer's Perspective

Marcelo Trylesinski

suggested by Lee Luocks

Short version:

users of Starlette: upgrade to Starlette 1.0.1

security professionals: we can’t treat open source projects like corporations

This top link is a Starlette security advisory with the title

Missing Host header validation poisons request.url.path, bypassing path-based security checks

The CVE apparently caused some negative press targeting starlette.

However, “the vulnerability came from the application pattern and the deployment, never from something Starlette intended.”

A quote from an OSTIF article: “This bug is a classic “responsibility gap” where if this maintainer didn’t patch, thousands of exposed projects would have to individually secure their projects. In doing this work, they’ve voluntarily taken on the responsibility to protect the ecosystem from long-term systemic harm. As with all open source projects, they owed us nothing and could have left this to be everyone else’s problem and took the extraordinary steps of helping the ecosystem.”

Both X40 D-Sec and Ars Technica expected immediate fixes and responses from Starlette.

That’s not good. We can do better.

Michael #2: daily-stars-explorer

Explore the full history of any GitHub repository.

📈 Full Star History - Complete daily star counts for any repo

⏰ Hourly Stars - Hour-by-hour activity with timezone support

🔀 Compare Repos - Side-by-side comparison of any two repositories

📊 Activity Timelines - Commits, PRs, Issues, Forks, Contributors over time

📌 Pin Favorites - Bookmark repos for quick access without retyping

📰 Feed Mentions - See when repos were mentioned on HN, Reddit, YouTube, GitHub

💾 Export Data - Download as CSV or JSON

🌙 Dark Mode - Easy on the eyes

Try/use it online at emanuelef.github.io/daily-stars-explorer or install it for yourself.

Brian #3: Markdown to pdf with pandoc and typst

typst suggestion from Matt Harrison

Markdown is awesome

Pandoc is great for converting markdown to tons of stuff

but for pdf, it goes through LaTeX, which is … yuk (my opinion)

Pandoc also can convert to typst

And typst creates beautiful pdfs and is way easier (my opinion) to deal with than LaTeX.

New tools

brew upgrade pandoc

brew install typst

Now convert

pandoc something.md --to typst -o something.typ

typst compile something.typ something.pdf

Michael #4: postman2pytest

via Mikhail

Based on postman app

Convert Postman Collection v2.1 JSON into executable pytest test suites

Postman collections document your API. postman2pytest turns that documentation into executable regression tests that run in CI. No manual rewriting, no drift.

Extras:

New blog, who dis? - testandcode.org is now on .org and a blog and soon to be a “publisher”.

Joke: Centering a div

Topics covered in this episode:

Dumb Ways for an Open Source Project to Die

How to create a pylock.toml lockfile

https://github.com/facebook/Lifeguard

Choosing a Python Logging Library in 2026

Extras

Joke

Watch on YouTube

About the show

Sponsored by us! Support our work through:

Our courses at Talk Python Training

The Complete pytest Course

Patreon Supporters

Connect with the hosts

Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky)

Brian: @brianokken@fosstodon.org / @brianokken.bsky.social

Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky)

Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 11am PT. Older video versions available there too.

Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.

Michael #1: Dumb Ways for an Open Source Project to Die

Core categories

The maintainer left

The maintainer is still there

Sabotage and capture

The release pipeline broke

Force majeure

The world moved on

The project split

-

Examples

Bulma PRs still from 2023, issues and PRs with no maintainer response for years, last release 1.5 years ago

diskcache Similar, got hired by OpenAI, crickets after that

Brian #2: How to create a pylock.toml lockfile

Tim Hopper

Tim walks through using uv, pip and pdm to create pylock.toml files.

Recommendation: use uv export --format pylock.toml -o pylock.toml

He also has How to install from a pylock.toml lockfile with pip but the short version is:

use -r because tools treat it like a requirements file

Michael #3: https://github.com/facebook/Lifeguard

Lifeguard is a static analyzer to detect Lazy Imports incompatibilities and ease the adoption overhead for Lazy Imports in Python.

I’m more excited about lazy imports after my Cutting Python Web App Memory Over 31% experience

Some Python patterns depend on imports executing immediately. For example:

Module-level side effects — a module that registers a handler or modifies global state at import time will behave differently if that import is deferred.

The registry pattern — a module that registers itself (e.g., adding to a global dict) when imported will silently fail to register under Lazy Imports.

sys.modules manipulation — code that reads or writes sys.modules assumes prior imports have already executed.

Metaclasses and __init_subclass__ — class creation side effects may depend on imports being resolved.

Project Stage: Beta Lifeguard is in active development. We are aiming to be ready for general use by the Python 3.15 final release.

Brian #4: Choosing a Python Logging Library in 2026

Ayooluwa Isaiah

" which libraries matter, how they compare, where they overlap with the standard module, and when each one makes sense.”

The slant with this article is the need to log json output, which seems reasonable as things like API entry and exit point logging will include json.

Covered libraries

standard library logging with a hat tip to python-json-logger

Same site has a guide to setting up python-json-logger

structlog

Loguru

Logbook

picologging

Some benchmarks with structlog, stdlib+json, and Loguru, with structlog coming out faster

I liked the Loguru example

I’m going to have to try @logger.catch and logger.exception() for easily logging exceptions and serialize=True to enable JSON output.

Extras

Brian:

When Women Stopped Coding - Planet Money segment , spotted on BlueSky from Savannah Ostrowski

Lean TDD is now leaner

Still working on audio version, but some great changes in 0.7.1 version

Ch 6, TDD Interpretations, move ATDD and some of BDD to chapter

Ch 7, Change name to TDD with Teams: BDD and ATDD

Ch 9, Lean TDD, streamline steps and chapter

Ch 10, Change name to Lean TDD with Teams: Lean ATDD

Ch 11, Lean TDD with AI, Add short discussion about guardrails and security

Michael:

New course: Python Web Security: OWASP Top 10 with Agentic AI

All courses now with Spanish subtitles, see announcement

Joke: Stop texting me