This week moved in the places teams actually feel it: package managers, deploy defaults, and basic security. The CPython Core Dev Sprint wrapped on Friday in Cambridge. It is the week where nagging issues finally get pushed over the line. Expect a bunch of small interpreter improvements and some good write-ups as people get home.
Packaging kept pace. Astral shipped uv 0.8.19 on Friday. If you are trialling uv in place of pip and pip-tools, pin this tag on one service and time your CI before and after. On the platform side, Heroku bumped its Python buildpacks to Poetry 2.2.0 and uv 0.8.18 on the same day, which is your cue to match local tooling so lockfiles and deploys agree. Poetry 2.2.1 then landed on Sunday to tidy a few things from 2.2.0, so bump if you already moved.
Day-to-day dev stuff also got small wins. Ruff 0.13.1 landed midweek. If your pre-commit still points at an older minor, refresh the hooks so everyone has the same rules and formatter. FastAPI 0.117.1 shipped on Saturday. If you run FastAPI in production, skim the notes and schedule a weekday upgrade. These tiny bumps keep teams quick without any drama.
Community-wise, PyCon UK finished up yesterday in Manchester. The hallway chat was very practical this year. Lots of teams comparing FastAPI and Django splits, lint and type configs that do not slow CI, and how trusted publishing spreads across more stacks by year end. If you met someone strong and want a second opinion on fit, I’m more than happy to help out here. Vice versa, if you want a CV reviewed before applying with someone you met, feel free to send it across and I’ll review it.
Security had another moment. Zscaler’s ThreatLabz wrote up SilentSync, a RAT delivered through two typosquatted PyPI packages that were up briefly and then removed. Do the boring work this week. Rotate any tokens used in GitHub Actions on repos that touch publishing, scan recent pip install events for anything odd, and make sure 2FA is on for PyPI and your git provider. Put it in stand-up, clear it, move on.
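One way to do the "scan recent pip install events" step, as an added example that is not part of the original newsletter: it flags installed names that are not in your expected dependency list but look like one. The log lines, versions and package names are constructed samples, and the function names are hypothetical.

```python
import re
# Constructed sample: pip "Successfully installed" lines collected from CI logs.
SAMPLE_LOG = """\
2025-09-22T09:14:02Z Successfully installed requests-1.0.0 urllib3-1.0.0
2025-09-22T09:15:40Z Successfully installed reqeusts-0.0.1 python_dateutil-1.0.0
2025-09-23T11:02:11Z Successfully installed numpy-1.0.0 fast-api-0.1.0
"""
EXPECTED = ["requests", "urllib3", "python-dateutil", "fastapi"]  # your lockfile names

def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours count once
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def parse_installed(log_text: str) -> set[str]:
    """Extract normalized names from 'Successfully installed name-version ...' lines."""
    names = set()
    for line in log_text.splitlines():
        if "Successfully installed " in line:
            for token in line.split("Successfully installed ", 1)[1].split():
                names.add(normalize(token.rsplit("-", 1)[0]))  # drop '-version'
    return names

def suspicious_installs(log_text, expected, max_distance=2):
    """Map each unexpected installed name to the expected name it resembles."""
    known = {normalize(n) for n in expected}
    hits = {}
    for name in sorted(parse_installed(log_text) - known):
        for good in sorted(known):
            squashed = name.replace("-", "") == good.replace("-", "")
            if squashed or edit_distance(name, good) <= max_distance:
                hits[name] = good
                break
    return hits

if __name__ == "__main__": print(suspicious_installs(SAMPLE_LOG, EXPECTED))
```

A hit is a prompt to look at the package, not a verdict; unexpected names that resemble nothing (numpy in the sample) are left for a separate allowlist check.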
If you are hiring or planning headcount, bank two easy operational wins while the sprint and PyCon energy is still there. First, pick one packaging workflow for the team and stick to it, either uv with pip-tools or Poetry, then document it in the README and use pre-commit to catch drift. Second, keep the take-home to 60 to 90 minutes with a scoring rubric you actually share. Both changes cut cycle time and raise signal.
If you need references for stakeholders, here are the right places on the site:
Salary Guide and methodology: https://snakesignals.com/#salary-guide
Interview questions and grading: https://snakesignals.com/#interview-prep
Hiring playbooks you can run: https://snakesignals.com/#hiring-playbooks
Archive of previous episodes: https://snakesignals.com/#archive
If the website has helped already or might help in the future, share it with someone who builds or hires in Python. New readers can join at snakesignals.com.
Hiring? Contact:
Josh Smith
LinkedIn: https://www.linkedin.com/in/python-recruitment/
Phone: 01727 225 552
