Python Bytes - #482 Mr. Beast's episode
Episode Date: June 1, 2026

Topics covered in this episode:
CVE-2026-48710: A Maintainer's Perspective
daily-stars-explorer
Markdown to pdf with pandoc and typst
postman2pytest
Extras
Joke

Watch on YouTube

About the show

Brian #1: CVE-2026-48710: A Maintainer's Perspective
Marcelo Trylesinski, suggested by Lee Luocks
Short version:
users of Starlette: upgrade to Starlette 1.0.1
security professionals: we can’t treat open source projects like corporations
This top link is a Starlette security advisory with the title "Missing Host header validation poisons request.url.path, bypassing path-based security checks".
The CVE apparently caused some negative press targeting Starlette. However, “the vulnerability came from the application pattern and the deployment, never from something Starlette intended.”
A quote from an OSTIF article: “This bug is a classic “responsibility gap” where if this maintainer didn’t patch, thousands of exposed projects would have to individually secure their projects. In doing this work, they’ve voluntarily taken on the responsibility to protect the ecosystem from long-term systemic harm. As with all open source projects, they owed us nothing and could have left this to be everyone else’s problem and took the extraordinary steps of helping the ecosystem.”
Both X40 D-Sec and Ars Technica expected immediate fixes and responses from Starlette. That’s not good. We can do better.

Michael #2: daily-stars-explorer
Explore the full history of any GitHub repository.
📈 Full Star History - Complete daily star counts for any repo
⏰ Hourly Stars - Hour-by-hour activity with timezone support
🔀 Compare Repos - Side-by-side comparison of any two repositories
📊 Activity Timelines - Commits, PRs, Issues, Forks, Contributors over time
📌 Pin Favorites - Bookmark repos for quick access without retyping
📰 Feed Mentions - See when repos were mentioned on HN, Reddit, YouTube, GitHub
💾 Export Data - Download as CSV or JSON
🌙 Dark Mode - Easy on the eyes
Try/use it online at emanuelef.github.io/daily-stars-explorer or install it for yourself.

Brian #3: Markdown to pdf with pandoc and typst
typst suggestion from Matt Harrison
Markdown is awesome
Pandoc is great for converting markdown to tons of stuff, but for pdf it goes through LaTeX, which is … yuk (my opinion)
Pandoc also can convert to typst
And typst creates beautiful pdfs and is way easier (my opinion) to deal with than LaTeX.
New tools:
brew upgrade pandoc
brew install typst
Now convert:
pandoc something.md --to typst -o something.typ
typst compile something.typ something.pdf

Michael #4: postman2pytest
via Mikhail
Based on the Postman app
Convert Postman Collection v2.1 JSON into executable pytest test suites
Postman collections document your API. postman2pytest turns that documentation into executable regression tests that run in CI. No manual rewriting, no drift.

Joke: Centering a div
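An added example, not code from this page, from the advisory, or from the Starlette project, prompted by the Brian #1 item above. It shows two checks a practitioner would want: whether the installed Starlette is at or past the fixed release the page names (1.0.1), and a generic Host header allowlist applied at the ASGI layer before any path-based check runs, which is the standard defense for the class the advisory title names. It is not the advisory's own patch, and since the page does not describe the bug's mechanics, nothing here reproduces them. Assumptions: plain ASGI with no Starlette import, versions compared as dotted integers (pre-release tags are ignored), and the wrapped app, allowlist and requests are constructed for the demo.

```python
"""Added example (not from the Python Bytes page, the advisory, or Starlette).

1. is_fixed_version(): is an installed Starlette at or past the fix (1.0.1)?
2. host_allowlist_app(): a generic Host-header allowlist at the ASGI layer,
   run before the wrapped app so path-based checks never see requests for
   hosts you do not serve. This is the standard defensive pattern, not the
   advisory's patch; the page gives no details of the bug's mechanics.

Assumptions: pure ASGI (no Starlette needed); versions parsed as dotted
integers, so pre-release suffixes are ignored.
"""
from __future__ import annotations

import asyncio
import re
from importlib import metadata
from typing import Awaitable, Callable, Iterable

FIXED_STARLETTE = "1.0.1"  # from the page: "upgrade to Starlette 1.0.1"


def parse_version(v: str) -> tuple[int, ...]:
    """'1.0.1' -> (1, 0, 1). Non-numeric suffixes are dropped (assumption)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_fixed_version(installed: str, fixed: str = FIXED_STARLETTE) -> bool:
    """True when `installed` is at or past `fixed`; pads so 1.0 == 1.0.0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def installed_starlette_needs_upgrade() -> bool | None:
    """None if Starlette is not installed, else whether it is below the fix."""
    try:
        return not is_fixed_version(metadata.version("starlette"))
    except metadata.PackageNotFoundError:
        return None


def _request_host(scope: dict) -> str | None:
    """Host header from an ASGI scope, lowercased, port removed; None if absent."""
    for name, value in scope.get("headers", []):
        if name.lower() == b"host":
            host = value.decode("latin-1").strip().lower()
            if host.startswith("["):           # IPv6 literal such as [::1]:8000
                return host.split("]")[0] + "]"
            return host.split(":")[0]          # example.com:443 -> example.com
    return None


ASGIApp = Callable[[dict, Callable, Callable], Awaitable[None]]


def host_allowlist_app(inner: ASGIApp, allowed_hosts: Iterable[str]) -> ASGIApp:
    """Wrap `inner`; HTTP requests whose Host is not allowlisted get a 400."""
    allowed = {h.lower() for h in allowed_hosts}

    async def app(scope, receive, send):
        if scope["type"] != "http":            # lifespan/websocket pass through
            await inner(scope, receive, send)
            return
        host = _request_host(scope)
        if host is None or host not in allowed:
            await send({"type": "http.response.start", "status": 400,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"Invalid host header"})
            return
        await inner(scope, receive, send)

    return app


async def _ok_app(scope, receive, send):
    """Constructed stand-in for a real app: answers 200 to everything."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


# Constructed allowlist for the demo; use the hosts you actually serve.
guarded = host_allowlist_app(_ok_app, ["example.com", "localhost"])


def status_for(host_header: bytes | None, path: str = "/admin") -> int:
    """Drive `guarded` with one constructed request and return the status sent."""
    headers = [(b"host", host_header)] if host_header is not None else []
    scope = {"type": "http", "method": "GET", "path": path, "headers": headers}
    sent: list = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(guarded(scope, receive, send))
    return next(m["status"] for m in sent if m["type"] == "http.response.start")
```

The allowlist wrapper is deliberately the outermost layer: any authorization that keys off the request path only runs for hosts you intend to serve, and `installed_starlette_needs_upgrade()` is the quick check to drop into a CI step or a deploy script.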
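An added example, not from this page or from the pandoc or typst projects: the Brian #3 two-command recipe wrapped in a small Python build helper with the checks the bare commands leave out (does this pandoc actually list a typst writer, is the typst CLI present, and what the intermediate .typ path is for names like notes.v2.md). It assumes a pandoc recent enough to list `typst` among its output formats and a `typst` binary on PATH; both names are arguments so you can point at specific installs.

```python
"""Added example (not from the Python Bytes page, pandoc, or typst):
markdown -> typst -> PDF with up-front tool checks.

Assumptions: pandoc lists "typst" in --list-output-formats (older builds do
not, which is why the page says to upgrade pandoc first) and the typst CLI is
installed; both binaries can be overridden by argument.
"""
from __future__ import annotations

import shutil
import subprocess
from pathlib import Path


def stem_of(md_file: str | Path) -> Path:
    """chapter.md -> chapter (also .markdown); other names are left alone."""
    p = Path(md_file)
    return p.with_suffix("") if p.suffix in {".md", ".markdown"} else p


def sibling(stem: Path, ext: str) -> Path:
    """Append ext to a stem without eating dots: notes.v2 + .typ -> notes.v2.typ."""
    return stem.parent / (stem.name + ext)


def has_typst_writer(pandoc: str = "pandoc") -> bool:
    """True if this pandoc binary can emit typst; False if missing or too old.
    Checking first gives a clear message instead of 'unknown output format'."""
    if shutil.which(pandoc) is None:
        return False
    out = subprocess.run([pandoc, "--list-output-formats"],
                         capture_output=True, text=True, check=False).stdout
    return "typst" in out.split()


def md_to_pdf(md_file: str | Path, pdf_file: str | Path | None = None,
              pandoc: str = "pandoc", typst: str = "typst") -> Path:
    """Run the page's two steps; the .typ is kept beside the input so the
    typst source can be hand-edited when the default styling does not suit."""
    if not has_typst_writer(pandoc):
        raise RuntimeError(f"{pandoc} lacks the typst writer; upgrade pandoc")
    if shutil.which(typst) is None:
        raise RuntimeError(f"{typst} not found on PATH")
    stem = stem_of(md_file)
    typ = sibling(stem, ".typ")
    pdf = Path(pdf_file) if pdf_file else sibling(stem, ".pdf")
    subprocess.run([pandoc, str(md_file), "--to", "typst", "-o", str(typ)], check=True)
    subprocess.run([typst, "compile", str(typ), str(pdf)], check=True)
    return pdf
```

Usage is `md_to_pdf("chapter.md")`, which writes chapter.typ and chapter.pdf next to the source; pass `pdf_file` to put the PDF elsewhere.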
Transcript
Hello and welcome to Python Bytes, where we deliver Python news and headlines directly to your earbuds.
This is episode 482, recorded Monday, June 1st. I'm Michael Kennedy.
And I'm Brian Okken.
This episode is brought to you by us and all of the Python things that we're doing.
Check out PythonTest.com. Get Brian's multiple courses over there.
Even something to do with Lean TDD, if you want to check that out.
I hear that an audiobook is underway, which is super cool.
And we've got a couple of
new courses over at Talk Python, especially the new OWASP Top 10 security plus agentic AI. Like,
how do you take Claude Code or something like that plus known, recognized patterns like the OWASP Top
10 and make your code safe? That's what that course is about. So check out those kinds of things.
That's what we're bringing you this week. Also, if you want to connect with us on social,
share, show ideas, whatever, you can do so on all the socials. Sign up for the newsletter.
We got awesome extras that come in through there. So just do that on the website.
With that, Brian, I think it might be time.
Should we kick it off?
Speaking of security.
We have a security issue, but the issue I think is resolved.
We just, I'm highlighting an article that's about the maintainer.
So this is interesting.
So this is the CVE, I'm not going to, let's see, CVE-2026-48710 and a maintainer's perspective.
So this is from Marcelo Trylesinski.
Cool name. Anyway, this is about a, what, security advisory from Starlette. So even, so there's a, what, doesn't FastAPI use Starlette, I think?
I do believe so, yeah. And a bunch of other stuff too. So even if you don't think that you're using Starlette, you might be using Starlette. So the short version is you probably ought to upgrade to 1.0.1 if you haven't already.
That's one of the versions.
If you don't care about the nitty-gritty of this, just do that.
The other part is an interesting thing about basically that this is an interesting article.
It's kind of hard to cover, but I wanted to bring it up because it does, we do have more and more AI things, like, attack, both trying to attack websites and also, so we have to keep up on security updates.
But also a lot of these security vulnerability reports against projects.
And a lot of these projects like Starlette are not, they're not a commercial enterprise.
It's an open source project with volunteer maintainers.
So that's really what we're talking about here is a little bit of that.
And also the problem really wasn't with Starlette.
And apparently they got some bad press in a couple of places because of a vulnerability.
But this, I'm going to read this interesting thing.
The vulnerability came from a pattern, an application pattern and the deployment, never from
something Starlette intended. And there's a description in the link about what the issue is,
and I actually got lost. So it's something about like, yeah, I'm not even going to try to summarize
it because I got lost here. But there's one description of the bug. It says from OSTIF. I don't know
what OSTIF is, but an OSTIF article. This bug is a classic responsibility gap where
if this maintainer didn't patch, then thousands of exposed projects would
have had, would have to individually secure their projects. In doing this work, they've voluntarily
taken on the responsibility to protect the ecosystem from long-term systemic harm. As with all
open source projects, they owed us nothing and could have left it for everyone else's problem,
but they took the extraordinary steps of helping the ecosystem. Please consider donating to
Kludex, which is the person that wrote this article, which is interesting, and I believe the maintainer of Starlette as well.
Okay, yeah, you're right. And also, so apparently Ars Technica, Ars Technica even covered it, and we've referenced their articles a lot, you know, in the past,
sometimes some good stuff. But apparently they reached out and said, you know, this seems
to be serious, do you have any comments, how severe is it? And they sent that request
out two hours before publication.
And since they didn't get a response, they posted that.
They asked but didn't get a reply from Starlette.
And two hours?
Anyway, the article goes on to talk about the burden of triaging, how many security
advisories come in, all the work that's involved.
And also that places like Ars Technica and others treat open source projects as if
they're a for-profit corporation and expect, like, a PR department and stuff. And there's
not. It's just people. So anyway, yeah. Do you have anything else to add to this or just interesting?
Yeah, it's just interesting. I don't know. It doesn't look like a super dangerous vulnerability,
I don't think, but definitely go out and patch. And it's a 1.0.0 to 1.0.1 bump. So it's not like you've got
to jump a major version. Yeah, definitely patch. But also, I think.
I don't know how to get out of this, but because we have a lot of these open source projects
that big companies are relying on and they want the reaction times of a paid product.
And they just, yeah.
And actually, they could do that by maybe putting the maintainer on a healthy retainer,
making the project sustainable and say, look, we'll pay you $2,000 a month and we probably
won't ask you anything for a long time.
But if we need you, we need you to jump in and we'll then pay you out earlier.
I don't know, something like that, right?
That would, if you get five companies doing that,
I bet you can get some response time out of that.
Yeah, but the ironic reverse thing is,
actual paid products are really slow to patch anything.
So we actually get usually faster response times
from open source projects.
So anyway.
Indeed, indeed.
All right.
Let's go and chat a bit about the Daily Stars Explorer.
This is a fun project, Brian.
So what this is is a web app that's open source on GitHub.
What is it built with?
Scrolling.
It's built with JavaScript and Go.
So, but it doesn't matter because it's not about the internals.
It's about the information you get about different projects, including Python ones.
So it's an app that you can put in a repository, and it will give you just basically historical information about the stars, sliced and diced in all these statistical ways.
Ooh, neat.
So has full star history, hourly stars.
You can compare side-by-side repos, activity timelines of like, show me the commits
over time, which is kind of interesting.
You know, favorite them and so on.
You can see when the repos were mentioned on Hacker News, Reddit, YouTube, and GitHub,
and you download the data for feeding to your AI or feeding to your data science stack.
So I think this is pretty cool.
And let's just do this by, let me first find the Flask repo one second.
All right, so let's go and open up the little demo.
So it's a web app, which means you have to self-host it.
However, if you just want to try it out, I think just use the demo and put whatever you want in there.
Like, unless you want to save your history and stuff, but let's go over and put Flask in.
And it thinks for a moment.
The first time you get one in there, I put a repo in there, it takes a minute to download all the data from GitHub.
But because I put that in there before, it kind of goes more quickly.
So you can see right now Flask has 71,598 stars.
And you could have different themes, of course, for the thing.
Candy.
It shows you the total stars over time, right?
So you've got this graph, this orange line, if you pull it up, is the integral or something like that.
And here's the stars per day, right, like 13, 15, whatever.
And then the scales are different, right?
One goes up to 80,000, another it goes to 30.
But, you know, you take the integral of the top curve, you get the bottom curve.
Sum up all the stars.
And it's very cool.
You can break it down by like over five year, quarterly years a day.
You can go and say, I want to transform this by, I want to just look at trend lines, or I want to look at monthly binned stars, or maybe I want to normalize the stars across and have like a little, you know, lines.
What else?
We've got the running median and week over week growth.
Neat, right?
It shows you how old the repository is, 16 years, one month, 26 days, 68 stars the last day.
So I did.
A lot of times you maybe want to think about what project do I actually want to work on?
or base my project upon.
And obviously stars are not everything,
but it's certainly something.
Could we pull up here?
Come on now, get away.
You write about this auto hide stuff, right?
So where can I find?
Yeah, I don't know where to pull up the commits
from this one right off top of my head.
But anyway, it would be cool to see the commits
because that would let you answer
some interesting questions as well, right?
Like if you see the commits
just come to a stop two years ago,
you're like, oh, I see.
So where's the work happening?
Like, where is it, is it getting this data from in the browser?
Or where's, when's the...
There's a Go-based web app running on someone's server
that these, you know, that they've got up here that I believe.
And then it just, it happens over there.
If I pulled up a different one, you would see it.
Right.
Grind away for maybe 10, 15 seconds.
Well, that's a lot of data and a lot of graphs.
I'm just the pickiness in me.
I'm like, well, what graph doesn't it have?
I don't see any candlestick bar graphs.
Sorry.
Yeah, I know.
It's pretty neat, though, if you're on six floors from repos.
It's cool.
I haven't seen people include, like, YouTube references before and something like that.
Oh, yeah.
And there's all this side stuff over here.
You can compare.
Here's the commits.
So give it a moment.
See, now it's grinding because I didn't ask for the commits on Flask earlier today.
You can see PRs, issues, forks.
Like, that's pretty neat.
It's kind of hidden in this little hamburger menu on the left, but if you expand it out.
Yeah.
But it'll probably take.
this should be interesting, I think. I've got some ideas. But I don't know. It'd take maybe 30 seconds. There you go.
So you're all time. You can see there's quite a few commits and trending downward. It's kind of a, honestly, kind of a done product, you know. I don't mean that in a positive or negative way. There's a few things left that I think Flask could do. Primarily, I think one of the, there's probably two things to work on. I think primarily you could work on maybe some performance stuff to make Flask better. And you could unify the true async Quart,
the sort of pseudo-async,
regular Flask async functionality.
I know David and Phillip are
working towards making those just one thing.
But, you know, that could be a lot of work right there.
That could be happening. But other than that,
I kind of feel like Flask is sort of done.
Yeah. Anyway, this is...
It's not about Flask's example.
It's about the Daily Stars Explorer, which I think
is pretty cool. Just to link to us from
last week,
no project's ever done because you have to
test on new Python versions every year.
Yeah. And if it's completely, good, treated as done, then it starts to get really bad because it's dusty and stuff.
All right, exactly. It gets treated as if it were dead.
How about something to markdown? Maybe document it, write a book about it.
Yeah, so I like a lot of markdown. I use it all the time. I'm actually writing,
I wrote Python Testing with pytest in markdown, I'm writing Lean TDD in markdown,
use it for blog posts, use it for everything. So why, what's new about this? What's new is
I just learned about a tool called typst.
I think it's typst.
It even says how to pronounce it, and I didn't look.
So, T-Y-P-S-T.
So I needed a new formatting thing because I'm trying to self-publish Lean TDD,
and I didn't like the book, the print book versions of output that I have available.
So I wanted to customize that.
So I reached out to all of our good friend, Matt Harrison, because he self-published
and says, said, Matt, what do you use?
And he's using typst now, so I checked it, tried to check it out.
So the gist is that pandoc converts to PDF, but it does it through LaTeX,
and I don't really like LaTeX.
And you have to download something extra anyway to get pandoc to convert it.
So, and then, but there's typst.
It's actually quite a pain.
It's not just, it's like three or four libraries.
They're all, I don't know, they're just, it's weird.
It's not great.
Okay.
So I'll jump to the punchline: I've got a convert script now that converts via pandoc to .typ,
TYP, and I don't know what the official extension is, but I just named it.
So you say --to typst for pandoc.
But it's a fairly recent pandoc, there's been updates recently.
So you'll want to upgrade your pandoc first.
Then convert your markdown, and then take the typst .typ output and you do typst compile,
and then the output.
And I did a little example, so it's just a normal markdown,
and it just converts it to some nice PDF.
So there's a whole bunch of...
Oh, and it has code.
Syntax highlighting as well?
Oh, yeah.
It does syntax highlighting, and there's so much that it does.
It has mathematical symbols.
It is a replacement for LaTeX, for one, but it's very much simpler.
And I, in like an hour of twiddling with it,
I have a fairly decent book template for the new book.
And yeah, so I'm pretty happy with it.
And I've had this is, and this has been around for a while and I just didn't know about it.
So that's why I'm bringing it up.
And installing-wise, just brew for a Mac. On Windows
there was some other process I did.
But it's so much easier than the LaTeX chain to install.
So I'm pretty happy.
with this tool. So thanks. So I was so happy with it. I did a little blog post to share with people.
Excellent. Excellent. That is really interesting. I might start using that because right now I'm doing
just straight markdown to pandoc for Talk Python in production. And it's really good for EPUB,
but it's kind of janky for PDF and it's kind of janky for Kindle because Kindle can't read it quite
right so I have to do like remove a few little niceties for Kindle. Anyway, certainly
worth considering. Really? Thanks. Yeah. Oh, I'm not having I haven't, I guess I haven't
tried. I'll have to try that. Try the Kindle. The problem that I run into with Kindle is
somehow the way that pandoc is doing code syntax highlighting breaks the display on Kindle because
I don't know, there's something about like new lines or spans or something that get treated
differently and then like the spacing is really weird. It's it's annoying. Okay.
I will definitely...
Give it a look and see what it looks like.
I'll have to try that.
And yeah, so I'll try that probably today.
Yeah.
I mean, the books are identical for me,
other than the Kindle ones don't have syntax highlighting,
which is generally okay because most Kindles are black and white,
but I know some are not.
Oh, okay.
So on black and white,
Kindle, it looks okay?
If I compile a separate version,
a separate Kindle ePUB that disables syntax highlighting in pandoc, yes.
Oh, okay.
Yeah.
I'll have to look at that.
So that was the fix.
I'm just like, all right, well, dash, dash, no.
Whatever the syntax is, I don't know.
It's been a while since I wrote the alias that just does it, you know?
Okay.
Yeah, I'll take a look.
Hmm.
All right.
Well, this one, Brian, this should be yours.
This should be yours, but no, I got it.
This one is mine.
So I want to talk about postman2pytest.
Okay.
This is a cool project that comes to us from Mikhail, and people might be familiar with the Postman app.
I'm a big fan of the Postman app.
Postman app. It's pretty neat. Do you use it? Do you know it? Yeah. Yeah. So the way it works is you create
these collections that are like groups of different API calls that in aggregate demonstrate or
test the some kind of API, right? You can organize them into folders, but also you can do
collections and then share these collections with like teammates and like team collections. I did that
notably for the Talk Python Courses app that's in the Mac, not the Mac, the app, the iOS
and the Google Play Store.
So I need all the APIs that I'm creating for this to be tested, documented, clear.
You can do stuff that should pass, stuff that should fail, and so on.
So, all right.
So if your team uses Postman, then this project here you might like,
because it converts Postman collections, which I just described,
into an executable Python test suite, a pytest test suite.
Nice.
Yeah.
And it's super simple.
So all you do is you just say, you know,
You install it, probably uv if it says pip install, but come on now.
uv tool install, let's go.
So it says postman2pytest, dash dash collection, give it some collection.
And then you say output this Python test file, and that's it.
And then run Python.
That's right.
Run pytest to run it.
So that's pretty neat.
That will actually set the environment so that things like the base URL, which can vary,
you know, depending on configs like dev versus prod or whatever.
and then it just runs it through pytest.
And what's cool is you could version this test file
and then just rerun this to regenerate it when it's time.
Yeah.
Yeah.
Also, if you did that, if you versioned it,
then you could rerun it and do the diffs
to see what changed in your collections.
Yeah, that's right.
Yeah, you could regenerate it and just go,
oh, I see we've got this, this or this API actually changed
because now it takes this additional header
and that's why the test was failing.
I don't know.
Something like that.
So if, I mean, this is about,
big if you use Postman, but I think this is a really handy. And it's just like, hey, I've got this
stuff locked into this app and it can run things. It can do test type things. But really, you probably
want it in pytest land. And this cool little app, this cool little utility does it. So good work,
Michael. Yeah. One of the things that he mentioned to us when he shared this project was, which I thought
was interesting, is the division of a whole bunch of developers and then that used Postman during
development, which is common, right? I think. And then a smaller, like, quality assurance team
or part-time person, I think it, I think it was him, that needs to support some of this stuff.
And so you have to, you've got the same source. You've got the developers developing what they think
is the right thing. And to be able to take that and convert it to something that a smaller test team can
maintain, and that's a cool model to do that with, so one source of truth.
Nice. Yeah, it is. It's almost like treating it like a database, right?
Yeah, yeah. Do you have extras?
I have one extra for today, and my extra is that I snuck this in for the last, the last blog post that I shared was actually on testandcode.org. So I am writing, I'm going to start writing there, I think, a little bit. So I'm
linking to new blog,
Who Dis? There is
not much there yet since I just put it online
but I'll link
to the other stuff. One of the funny
things that happened to me last night was
I went to publish
this at testandcode.com
and I had let it expire
because the old podcast was
dead. So what
happened? I just, I'm like
well, somebody else grabbed it. Some
squatter sitting on it now so I just
registered.org. That works.
And I, the important thing, I could just keep blogging on Python test, but I do want to, I want to use this Test & Code name as the publisher for Lean TDD.
So it's self-published through me, but it's kind of, I don't know, it's not fake.
It just looks kind of fun to have a different publisher than my name or Amazon or something like that.
So that's what I want to do.
Anyway, that's my extra.
How about something funny?
I think it's time for something funny.
Indeed.
Let's jump over.
So this joke is called centering a div.
And it's based on Mr. Beast.
Do you know Mr. Beast?
No, but yes, yes.
I know.
It's certainly not a thing that I would watch on YouTube.
However.
Sure.
No, I would watch Animal Fails.
Come on.
I really don't watch Mr. Beast.
It's kind of annoying to me.
But what a phenomenon, right?
So for people who don't know,
by this guy, James Jimmy Donaldson,
and his net worth from his YouTube projects and beyond, you know, it's $2.6 billion.
It's ridiculous.
So it basically follows a theme.
Like, we're going to put you in some crazy situation.
And throughout the situation and at the end, whoever kind of completes it gets
some ridiculous amount of money.
Like, hey, we're all going to hang on to a car, like a Tesla.
And whoever hangs onto it long enough gets a Tesla.
Oh, by the way, the person who doesn't go to the bathroom, the longest, gets an extra
$100,000.
You know, like ridiculous stuff like that, right?
So, queued up, here's the joke, centering a div.
Mr. Beast plans to trap a thousand vibe coders in a room without Claude.
First person to center a div manually wins $1 million.
It's not fair.
Nobody will get it.
I know, exactly.
It's like, it's impossible.
Can't be done.
And then down here, one of them is, center horizontally, vertically, or both?
Like, oh, oh.
Vertically.
It's just impossible now.
I don't even know if it's hard anymore, actually.
It used to be hard, but I don't know if it is.
I think it depends how you write it.
Like, if you did a flex box, you know.
But if you did old school way, it's a little harder.
Yeah.
That's sort of funny to think about, though, because the vibe, I don't vibe code,
but I also don't write CSS by hand anymore.
I use something else to do.
do it for me. So anyway.
Funny. One of the things, I actually was at a dinner party the other day. And
somebody said they wanted to start. They take a lot of videos and I said, oh, cool, can I watch
them somewhere? And he's like, well, I was going to, I said, you should like throw
them up on Instagram or something, whatever. And he's like, well, I'm going to start doing
YouTube because, you know, that Mr. Beast makes like millions of dollars. And one of the
things I, I mean, I don't watch these videos and maybe they're funny. Maybe they're
not, I don't know. It's not my thing. But one of the things that's unfortunate is it kind of
makes some people believe that they can do that also. And I don't, I think this is a one-off
random thing. I think it's, it's just, you know, it was at the right time, right place. It was
its own thing.
Yeah. And how much did he make for the first three years he was doing it?
I don't know. I don't know. I don't know. I lost money. I'm not sure. He would,
he would just go up to random people and give them $1,000 for stuff. I don't know where he got the
$1,000 to start this idea with, but.
Is that, is that, is that how, like, it started at the beginning? Was it always like this?
I think so. I'm, it's, you know, the beginning I don't know, but for a long time it's been like that. But it all used to be like
lower scale, and it goes enough because my daughter watched him a lot for a while, not so much
anymore, but for a while, and so it would kind of be on in the background, the mom on the couch, whatever,
you know.
Weird. Okay, whatever.
Yeah, but this is his new amazing one. Trap a thousand vibe
coders in a room without Claude. Ask them to do things. Let's go.
Yeah, that's funny.
It is.
All right.
Thanks for the show, Brian.
Thanks for everyone for listening.
All right.
Bye.
Bye.
