Planet Python
Last update: June 04, 2026 07:47 AM UTC
June 03, 2026
Real Python
How to Use GitHub Copilot Code Review in Pull Requests
Learn how to use GitHub Copilot code review on pull requests for AI-assisted feedback, one-click fixes, and project-specific custom instructions.
Quiz: How to Use GitHub Copilot Code Review in Pull Requests
Test your knowledge of GitHub Copilot code review in pull requests, including custom instructions and automatic reviews.
Django Weblog
Django security releases issued: 6.0.6 and 5.2.15
In accordance with our security release policy, the Django team is issuing releases for Django 6.0.6 and Django 5.2.15. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.
CVE-2026-6873: Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie
get_signed_cookie() derived the signing salt by concatenating the cookie name (key) and salt arguments. When distinct name and salt pairs produced the same concatenation, cookies could be accepted in a context different from the one where they were signed.
Cookies are now signed with an unambiguous salt derivation. For backwards compatibility, cookies signed by older Django versions are accepted until Django 7.0.
This issue has severity "low" according to the Django security policy.
Thanks to Peng Zhou for the report.
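As an added illustration of the collision described above (this is not Django's code, and the length-prefixed derivation is one possible unambiguous scheme rather than necessarily the exact fix Django shipped), here is a stand-alone HMAC cookie signer with the flawed concatenation beside an unambiguous derivation. The secret key and cookie values are constructed for the example.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Constructed secret for the example; never hard-code a real SECRET_KEY.
SECRET_KEY = b"constructed-secret-key-for-this-example"


def flawed_salt(key: str, salt: str) -> bytes:
    """Pre-fix derivation as the advisory describes it: plain concatenation.

    ("session", "id_salt") and ("sessionid", "_salt") both become
    b"sessionid_salt", so a cookie signed under one pair verifies under the other.
    """
    return (key + salt).encode()


def unambiguous_salt(key: str, salt: str) -> bytes:
    """Length-prefix each component (an illustrative fix, not necessarily Django's).

    The boundary between key and salt is part of the encoding, so two distinct
    (key, salt) pairs can never yield the same bytes.
    """
    return b"%d:%s|%d:%s" % (len(key), key.encode(), len(salt), salt.encode())


def _mac(value: str, derived_salt: bytes) -> str:
    return hmac.new(SECRET_KEY, derived_salt + b"\x00" + value.encode(),
                    hashlib.sha256).hexdigest()


def set_signed_cookie(value: str, key: str, salt: str = "",
                      derive: Callable[[str, str], bytes] = unambiguous_salt) -> str:
    """Return value:signature, with the signature bound to (key, salt)."""
    return value + ":" + _mac(value, derive(key, salt))


def get_signed_cookie(signed: str, key: str, salt: str = "",
                      derive: Callable[[str, str], bytes] = unambiguous_salt) -> Optional[str]:
    """Return the cookie value if its signature matches (key, salt), else None."""
    value, _, sig = signed.rpartition(":")
    # Constant-time comparison so a forger learns nothing from timing.
    if hmac.compare_digest(sig, _mac(value, derive(key, salt))):
        return value
    return None


def cross_context_read(derive: Callable[[str, str], bytes]) -> Optional[str]:
    """Sign under ("session", "id_salt"), then read under ("sessionid", "_salt")."""
    signed = set_signed_cookie("user=42", "session", "id_salt", derive=derive)
    return get_signed_cookie(signed, "sessionid", "_salt", derive=derive)


if __name__ == "__main__":
    print("flawed:     ", cross_context_read(flawed_salt))       # user=42 (accepted)
    print("unambiguous:", cross_context_read(unambiguous_salt))  # None (rejected)
```

The point to take from the two derivations is that any scheme which joins caller-controlled strings must encode where one ends and the next begins; lowering the severity here depends on an application actually using two (key, salt) pairs whose concatenations coincide, which is why the Django team rated it "low".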
CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in the SMTP backend
When using EMAIL_USE_TLS, a failed STARTTLS handshake could leave a partially-initialized connection that would subsequently be reused for sending email without encryption. This can occur with fail_silently=True, as used by send_mail() and BrokenLinkEmailsMiddleware, among others. Connections configured with EMAIL_USE_SSL are not affected.
This issue has severity "low" according to the Django security policy.
Thanks to Kasper Dupont for the report.
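An added example, independent of Django's actual SMTP backend, of the failure mode described above: a minimal EMAIL_USE_TLS-style backend whose open() either keeps (pre-fix behaviour, hardened=False) or discards (hardened=True) a connection whose STARTTLS upgrade failed, with fail_silently=True so the failure is swallowed. The FakeSMTP class stands in for smtplib.SMTP and the message is constructed for the example.

```python
import smtplib
import ssl
from typing import Callable, List, Optional, Tuple


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP that records whether the channel
    had been upgraded to TLS at the moment each message was sent."""

    def __init__(self, starttls_ok: bool) -> None:
        self._starttls_ok = starttls_ok
        self.encrypted = False
        self.closed = False
        self.sent: List[Tuple[str, List[str], str, bool]] = []

    def starttls(self, context: Optional[ssl.SSLContext] = None) -> None:
        if not self._starttls_ok:
            raise smtplib.SMTPException("STARTTLS handshake failed (constructed)")
        self.encrypted = True

    def sendmail(self, from_addr: str, to_addrs: List[str], msg: str) -> None:
        self.sent.append((from_addr, list(to_addrs), msg, self.encrypted))

    def quit(self) -> None:
        self.closed = True


class SmtpBackend:
    """Minimal backend modelled on the advisory's description; not Django's code."""

    def __init__(self, connect: Callable[[], FakeSMTP], fail_silently: bool = False,
                 hardened: bool = True) -> None:
        self._connect = connect
        self.fail_silently = fail_silently
        self.hardened = hardened
        self.connection: Optional[FakeSMTP] = None

    def open(self) -> bool:
        """Connect and upgrade with STARTTLS. Returns True only when a new,
        fully initialised connection was created."""
        if self.connection is not None:
            return False
        self.connection = self._connect()
        try:
            self.connection.starttls(context=ssl.create_default_context())
            return True
        except smtplib.SMTPException:
            if self.hardened:
                # The channel is still plaintext: tear it down and forget it so
                # that no later call can send over it.
                self.connection.quit()
                self.connection = None
            # else: pre-fix behaviour, the half-initialised plaintext connection
            # stays attached and the next send reuses it.
            if not self.fail_silently:
                raise
            return False

    def send_messages(self, messages: List[Tuple[str, List[str], str]]) -> int:
        new_conn_created = self.open()
        if self.connection is None:
            return 0
        for from_addr, to_addrs, msg in messages:
            self.connection.sendmail(from_addr, to_addrs, msg)
        if new_conn_created:
            self.connection.quit()
            self.connection = None
        return len(messages)


def deliver(hardened: bool, starttls_ok: bool) -> Tuple[int, List[bool]]:
    """Send one constructed message with fail_silently=True; report how many
    were sent and whether each went over an encrypted channel."""
    conn = FakeSMTP(starttls_ok)
    backend = SmtpBackend(lambda: conn, fail_silently=True, hardened=hardened)
    n = backend.send_messages([("from@example.test", ["to@example.test"], "hello")])
    return n, [encrypted for *_, encrypted in conn.sent]
```

With hardened=False and a failing handshake the message still goes out, in cleartext, and nothing is reported because fail_silently swallowed the exception; the hardened variant sends nothing rather than something unencrypted. The same rule generalises to any "upgrade after connect" protocol: a failed upgrade must invalidate the connection object, not just log an error.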
CVE-2026-8404: Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware
django.middleware.cache.UpdateCacheMiddleware and django.views.decorators.cache.cache_page decorator incorrectly cached responses marked with private Cache-Control directives when using mixed or uppercase values (e.g. Private).
The django.views.decorators.cache.cache_control decorator and django.utils.cache.patch_cache_control() function were not affected, since they normalize directives to lowercase. This issue only affects responses where Cache-Control is set manually.
This issue has severity "low" according to the Django security policy.
Thanks to Ahmed Badawe for the report.
CVE-2026-35193: Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware
django.middleware.cache.UpdateCacheMiddleware and django.views.decorators.cache.cache_page decorator allowed responses to requests bearing an Authorization header (and without Cache-Control: public) to be cached. To conform with the existing mechanism for constructing cache keys, responses to these requests will now vary on Authorization.
This issue has severity "low" according to the Django security policy.
Thanks to Shai Berger for the report.
CVE-2026-48587: Potential exposure of private data via whitespace padding in Vary header
django.middleware.cache.UpdateCacheMiddleware incorrectly cached responses whose Vary header values contained leading or trailing whitespace. Because has_vary_header() failed to strip that whitespace, a response with a Vary: * header (note the trailing space) was not recognized as containing the wildcard, causing it to be stored and potentially served from the cache when it should not have been.
This issue has severity "low" according to the Django security policy.
Thanks to Navid Rezazadeh for the report.
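The three cache issues above (CVE-2026-8404, CVE-2026-35193 and CVE-2026-48587) all come down to how a shared cache decides whether, and under which key, a response may be stored. As an added example that is not Django's UpdateCacheMiddleware, the following stand-alone key derivation applies the hardened rules (case-insensitive Cache-Control directives, whitespace-stripped Vary, and varying on Authorization for credentialed requests without Cache-Control: public) and, with hardened=False, reproduces the pre-fix behaviour for comparison. All header values are constructed.

```python
import hashlib
from typing import Dict, Optional, Set


def parse_cache_control(header: str, normalize: bool = True) -> Dict[str, Optional[str]]:
    """Parse a Cache-Control value into {directive: argument-or-None}.

    Directive names are case-insensitive, so the hardened form lowercases them.
    normalize=False mirrors the pre-fix case-sensitive comparison that let
    "Private" slip past a check for "private".
    """
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip()
        directives[name.lower() if normalize else name] = (
            value.strip().strip('"') if sep else None
        )
    return directives


def parse_vary(header: str, strip: bool = True) -> Set[str]:
    """Split a Vary value into lowercase field names.

    strip=False mirrors the pre-fix behaviour where "* " (trailing space)
    was not recognised as the wildcard.
    """
    names: Set[str] = set()
    for name in header.split(","):
        token = name.strip() if strip else name
        if token:
            names.add(token.lower())
    return names


def cache_key(path: str, request_headers: Dict[str, str],
              response_headers: Dict[str, str], hardened: bool = True) -> Optional[str]:
    """Return the key a shared cache would store this response under, or None
    if the response must not be cached at all."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}

    cc = parse_cache_control(resp.get("cache-control", ""), normalize=hardened)
    if "private" in cc or "no-store" in cc:
        return None

    vary = parse_vary(resp.get("vary", ""), strip=hardened)
    if "*" in vary:
        return None

    if hardened and "authorization" in req and "public" not in cc:
        # Credentialed responses are keyed per Authorization value, so one
        # user's response is never served to another.
        vary.add("authorization")

    # The key covers the path plus the request's value of every varied header.
    digest = hashlib.sha256()
    for name in sorted(vary):
        digest.update(f"{name}={req.get(name, '')}\n".encode())
    return f"{path}|{digest.hexdigest()[:16]}"
```

Note that two requests carrying different Authorization headers collapse to the same key in the pre-fix mode, which is exactly the cross-user exposure CVE-2026-35193 describes; in hardened mode they get different keys, and a response explicitly marked public is still shared as intended.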
Affected supported versions
- Django main
- Django 6.1 (currently at alpha status)
- Django 6.0
- Django 5.2
Resolution
Patches to resolve these issues have been applied to Django's main, 6.1 (currently at alpha status), 6.0, and 5.2 branches. The patches may be obtained from the following changesets.
CVE-2026-6873: Signed cookie salt namespace collision in django.http.HttpRequest.get_signed_cookie
- On the main branch
- On the 6.1 branch
- On the 6.0 branch
- On the 5.2 branch
CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in the SMTP backend
- On the main branch
- On the 6.1 branch
- On the 6.0 branch
- On the 5.2 branch
CVE-2026-8404: Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware
- On the main branch
- On the 6.1 branch
- On the 6.0 branch
- On the 5.2 branch
CVE-2026-35193: Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware
- On the main branch
- On the 6.1 branch
- On the 6.0 branch
- On the 5.2 branch
CVE-2026-48587: Potential exposure of private data via whitespace padding in Vary header
- On the main branch
- On the 6.1 branch
- On the 6.0 branch
- On the 5.2 branch
The following releases have been issued
The PGP key ID used for this release is Natalia Bidart: 2EE82A8D9470983E
General notes regarding security reporting
As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance, nor via the Django Forum. Please see our security policies for further information.
Python GUIs
Authentication and Authorization with PyQt6 or PySide6 — Secure your desktop applications with login flows, token-based auth, and role-based access control
How can I add authentication and authorization to a PyQt6 application? Is there something built into Qt to make this easier?
Bob Belderbos
How to Tell if Your Python Mock Is Actually Working
A test can pass for the wrong reason. When you're mocking a third-party API call, the test might look green because the real API happened to return an error, not because your mock did anything at all.
June 02, 2026
Kay Hayen
Nuitka Release 4.1
This is to inform you about the new stable release of Nuitka. It is the extremely compatible Python compiler, “download now”.
PyCoder’s Weekly
Issue #737: Polars 1.41, Email, Great Docs, and More (2026-06-02)
Real Python
Structuring Your Python Script
Master Python script structure with best practices for shebangs, ordered imports, formatting with Ruff, constants, and a clean entry point.
PyCharm
Top Agentic Frameworks for Building Applications 2026
In 2026, the world of AI is changing at a serious pace. The days of AI systems dealing solely in single-prompt interactions are coming to an end. Instead, these models are evolving into agentic systems – long-running, goal-driven software enabled by agentic frameworks that are becoming a critical layer in modern application architecture. This rapid […]
Real Python
Quiz: Python's Format Mini-Language for Tidy Strings
Test your understanding of Python's format mini-language and how to use format specifiers to align text, control precision, and tidy your strings.
Quiz: Structuring Your Python Script
Check your understanding of Python script structure, including shebangs, import order, ruff formatting, constants, and a clean entry point.
Python Software Foundation
No Starch Press Humble Bundle: Grab a Deal and Support the PSF!
Tryton News
Tryton News June 2026
In the last month we focused on fixing bugs, improving the behaviour of things, speeding-up performance issues - building on the changes from our last release. We also added some new features which we would like to introduce to you in this newsletter.
For an in depth overview of the Tryton issues please take a look at our issue tracker or see the issues and merge requests filtered by label.
Changes for the User
Accounting, Invoicing and Payments
We now add an optional journal column on the invoice list view.
Now we add a relate action from the period and fiscal year to the invoice model, so that invoices can be exported or printed per period.
We add a delay to the PEPPOL e-document rendering and processing for each service, so that payments recorded after an invoice is posted can still be included in the rendered UBL invoice.
We now raise a generic user error message when failing to parse an imported AEB43 account statement.
Stock, Production and Shipments
Now we can manage products directly in the category form. We think it is better not to have dedicated views at all, but to ensure that we can manage such large Many2Many fields (see also #14782 (closed)).
Now we let Tryton calculate the average lead time for product suppliers, based on the effective dates of incoming stock moves and the purchase dates of the last year.
Parties
Now Tryton tries to guess the type of a contact mechanism when its value changes, for the standardised types like email, phone, mobile and URL.
User Interface
We now use the search dialogue popup window for deleting records in One2Many or removing records from Many2Many widgets. The remove (delete) button shows a search popup when no records are selected or when more than 20 records are selected. The same records are preselected in the search popup. Users can refine the search using the popup's filter and sort order, and once the popup is validated, the selected records are removed (deleted) from the X2Many field.
We now display the number of records being deleted in the confirmation message. We think it helps the user to realise that they are deleting many records.
Now we allow users to mark notifications as read.
System Data and Configuration
Now we support the country organization (like EU, ASEAN, …) as a criterion for tax rules.
New Releases
We released bug fixes for the currently maintained long term support series 8.0 and 7.0, and for the penultimate series 7.8.
There are no new releases for the 6.0 and 7.6 series, as they have entered their end-of-life period.
Changes for the System Administrator
We now remove the dependencies on pytz and backports.entry-points-selectable.
Now we update the Stripe API version to 2026-04-22.dahlia.
Changes for Implementers and Developers
We now add support for the age function to SQLite. The age function returns a time interval instead of an integer (number of days) when calculating the duration between two dates.
Python Insider
Python 3.15.0 beta 2 is here!
The antepenultimate 3.15 beta is out!
June 01, 2026
The No Title® Tech Blog
Just updated - both Optimize Images and Optimize Images X
This release represents a significant milestone for both Optimize Images and Optimize Images X, marking a coordinated step forward in modernization, dependency cleanup, and internal architecture improvements across the ecosystem.
death and gravity
DynamoDB crash course: part 3 – design patterns
This is the last part of a series covering core DynamoDB philosophy, concepts and patterns; the goal is to help you understand idiomatic usage and trade-offs in under an hour. Today, we're looking at data modeling patterns – how to manage the complexity that arises from DynamoDB being as low level as it is.
Real Python
Python sleep(): How to Add Time Delays to Your Code
Learn how to use Python's sleep() function to add time delays and pause your code with time.sleep(), decorators, threads, and asyncio.
Quiz: Regular Expressions: Regexes in Python (Part 1)
Test your understanding of Python regular expressions: the re module, character classes, anchors, groups, alternation, and flags.
Python Bytes
#482 Mr. Beast's episode
Topics include CVE-2026-48710: A Maintainer's Perspective, daily-stars-explorer, Markdown to pdf with pandoc and typst, and postman2pytest.
Speed Matters
Scandir Rs
Stéphane Wirtel
PyCon Ireland 2026: The Call for Proposals is Open
TL;DR
PyCon Ireland 2026 takes place on 17 October at Trinity College Dublin. The Call for Proposals is open until 30 August. Two tracks get special focus this year: Python security and AI with Python. First-time speakers are welcome. Financial aid up to €350 is available. Submit at 2026.pycon.ie/cfp.
I’m part of the team organising PyCon Ireland 2026, and the Call for Proposals opened on 25 May. If you’ve been carrying a Python idea around (something you built, broke, learned, or want to share), now is the time to write it up.
Bob Belderbos
AI Human-in-the-loop: News Digest Triage Telegram Bot
In my trend digest article I shared a quick tool to keep on top of tech trends, but it's a one-way street: the model gives information, but I still have to decide what to do with it. Let's build the second half: a Telegram bot that shows me each story, guesses a tag, and lets me confirm or overrule it with one tap.
May 31, 2026
Paolo Melchiorre
My PyCon Italia 2026
A timeline of my PyCon Italia 2026 journey, in Bologna (IT), told through the Mastodon posts I shared along the way.
May 30, 2026
Talk Python to Me
#550: AI Contributions and Maintainer Load in Open Source
You wake up, brew the coffee, open GitHub, and there it is. Another pull request on your open source project. Thirteen thousand lines added. No issue filed first. No discussion. Just "here, please review this for me." Over the past year, GitHub activity has spiked roughly twelve times in a few short months, and a huge chunk of that signal is landing on the same small group of maintainers who were already stretched thin. The curl bug bounty got buried under AI-generated noise. Jazzband, the home of Django classics like pip-tools and the Django debug toolbar, hit what its maintainer called an "apocalypse" and started sunsetting. Even CPython just shipped fresh guidelines on AI-assisted contributions this week. So what does all of this actually look like from the receiving end of the pull request? On this episode, Paolo Melchiorre joins us to tell that story from inside the maintainer's chair. Paolo is a director of the Django Software Foundation, an organizer of PyCon Italy, a Django Girls coach, and he has spent the past year carefully collecting examples of how AI is reshaping open source contributions. The good, the bad, and the extra fingers. We dig into his PyCon US talk on AI-assisted contributions and maintainer load, why AI is best understood as an amplifier rather than a new kind of contributor, the wildly different policies across 86 open source foundations, whether projects banning AI today are reacting to last year's models.
Bob Belderbos
The control layer is the product, not the model
Gary Bernhardt posted something this week that names a phenomenon we're teaching in our agentic AI cohort:
Everyone seems fixated on the models, but I think there's so much low-hanging fruit in the control layer above the model. "Agent" and "harness" sell that layer short. There's so much more that we can do beyond "read input, send to model, run commands it returns."