12th of March, 2026
This time I need to go back a few days because a lot happened since the 5th of March:
- The PyScript project and CI were incapable of running PEP 750 t-strings so I had to update everything around our CI to make that happen on Friday, because t-strings are already available in MicroPython but also part of Python 3.14, which was nowhere around our CI stack; see this MR
- on Saturday evening I got a warning around security concerns related to a package I maintain: flatted. This package is downloaded 330 million times per month, with an average of 80 million downloads per week … and that’s the OSS duty/responsibility to fix. The issue is not straightforward, it requires an evil attacker to produce a highly recursive input that could cause a max callstack recursion on the parsing side. Everything is fine at the browser level, but there was a related server-side runtime gotcha capable of killing the process as a whole so I need to fix that. This MR fixed the concerns around the JS world, but the same concerns were possible to reproduce in the Python world, so this other MR fixed that too. We use this module in PyScript but, beyond ourselves, there are tons of projects based on that very same module, including Chrome Devtools (indirectly, but still!). If you want to know more, every detail is in this GitHub Security Advisory report.
- coincidentally, because last time I had worked on the reflected package and I am still focused on JS to Python interoperability across worlds (worlds being the Web, CPython on the server, MicroPython, or a mix of them all), I took a chance to write from scratch a new serializer that targets binary data and it’s faster, more compact, better, and compatible with both CPython and MicroPython: meet flatted-view
  - faster than flatted by all means
  - extensible in a way flatted never was
  - tested with all flatted tests + latest attack vectors, which it survives in a matter of milliseconds, compared to flatted results
- the Python port of that module, in a way that is compatible with MicroPython too, has been mostly “vibe coded” with my own personal review of everything produced by LLMs … after many fixes and improvements, I’ve published that module in a way our PyScript logic can even bring that in via remote packages, creating a live MicroPython demo anyone can play around with
That’s basically it, so far I have:
- a reflected logic that works in all the targets it’s supposed to work in
- a serializer that works back and forth between Python and JS and it’s easier and faster, as a pure Python module, than cbor or messagepack alternatives, plus it is easily compatible with any other extra kind or type one would like to serialize
- there is still work needed to bring all these modules together for a successful story, but all the primitives seem to be in place … more work is needed to create a custom helper function that allows more complex types like current reflected-ffi/direct encoder does, but everything is for a greater future of portability
Happy to answer any questions or expand more, just use this GitHub space like any other report, filing issues or creating discussions 👋
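
The failure mode from the flatted item above (deeply nested references exhausting the call stack while parsing), as an added example that is not flatted's or the author's code. It assumes a simplified flatted-like table format and compares recursive revival with an explicit work list; all function names are hypothetical.

```javascript
// Simplified flatted-like format (an assumption, not flatted's own code):
// a JSON array whose entry 0 is the root; inside an object every string value
// is the index of another entry, and top-level strings are literals.
const isContainer = (v) => typeof v === 'object' && v !== null;

// Recursive revival: one call frame per level of reference nesting.
function parseRecursive(text) {
  const table = JSON.parse(text);
  const seen = new Set();
  const revive = (node) => {
    if (seen.has(node)) return node; // cycle or shared reference
    seen.add(node);
    for (const key of Object.keys(node)) {
      if (typeof node[key] !== 'string') continue;
      const target = table[node[key]];
      node[key] = isContainer(target) ? revive(target) : target;
    }
    return node;
  };
  return isContainer(table[0]) ? revive(table[0]) : table[0];
}

// Iterative revival: pending nodes sit in a heap array, not on the call stack.
function parseIterative(text) {
  const table = JSON.parse(text);
  const seen = new Set();
  const pending = isContainer(table[0]) ? [table[0]] : [];
  while (pending.length > 0) {
    const node = pending.pop();
    if (seen.has(node)) continue;
    seen.add(node);
    for (const key of Object.keys(node)) {
      const ref = node[key];
      if (typeof ref !== 'string') continue;
      if (!/^(0|[1-9]\d*)$/.test(ref) || Number(ref) >= table.length) throw new RangeError('dangling reference: ' + ref);
      node[key] = table[Number(ref)];
      if (isContainer(node[key])) pending.push(node[key]);
    }
  }
  return table[0];
}

// Constructed sample: `depth` objects, each referencing the next entry.
const buildChain = (depth) => JSON.stringify(
  [...Array.from({ length: depth }, (_, i) => ({ next: String(i + 1) })), 'leaf']);

// True if `parse` completes, false if it threw (a stack overflow is a RangeError).
function survives(parse, text) {
  try { parse(text); return true; } catch (e) { return false; }
}
```

In Node.js, `survives(parseRecursive, buildChain(200000))` returns `false` while `survives(parseIterative, buildChain(200000))` returns `true`.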