Python

Python: Security Fixes and Import System Updates

Python developers merged 20 pull requests addressing critical security vulnerabilities including use-after-free bugs in JSON and pickle modules, plus significant changes to the lazy import system. Additional commits improved frozenset construction and fixed memory issues in threading tests.

Duration: 2 min 2 s (PT2M2S)

https://podlog.io/listen/python-f98f669e/episode/python-security-fixes-and-import-system-updates-8be7e64a

Transcript

Good morning, this is your Python development briefing for Tuesday, May 20th, 2026.

Yesterday saw significant security and stability improvements across the Python codebase. Pablo Galindo merged a major change removing the lazy_imports=none startup mode, affecting 18 files with over 148,000 lines of changes. This follows ongoing work on PEP 810's deferred import implementation.

Critical security fixes dominated the merge activity. Alexey Katsman resolved a use-after-free vulnerability in the pickle module's list handling, while Ashley merged backports to Python 3.13 and 3.14 fixing a similar use-after-free bug in the JSON encoder during re-entrant mutations. These fixes prevent potential crashes and memory corruption issues.

Larry Hastings addressed a reference leak in queue.SimpleQueue.put when memory allocation fails, and Kirill Ignatev fixed a race condition in SSL's SNI callback handling. Additional stability improvements included Caleb's fix for ZipFile reproducible builds that eliminates dependency on local timezone information.

Sam Gross optimized memory usage in free-threading tests, reducing peak memory consumption from 850MB to 175MB by adjusting iteration parameters. Documentation updates improved clarity around inspect module functions and string formatting references.

Notable commits include Peter Bierma's frozenset construction optimization that avoids unnecessary copying, Jelle Zijlstra's work making sentinel objects more customizable, and Serhiy Storchaka's fix preventing potential out-of-memory conditions in gzip header processing.

What's next: The lazy import system continues to evolve with deferred loading improvements, and free-threading optimizations remain a development focus.

That's your Python briefing. I'm back tomorrow with the latest from CPython development.
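The briefing mentions a ZipFile fix that removes a dependency on local timezone information for reproducible builds. The following is an added example, not code from the episode or from CPython, showing what a reproducible archive build looks like from the application side: every metadata field that lands in the ZIP central directory (member order, timestamp, compression method, permissions, creator OS) is pinned explicitly, and the result is compared by hash. The file names and contents are constructed sample data.

```python
"""Build a byte-for-byte reproducible zip archive (added example, not CPython code).

ZIP stores a DOS date/time with no zone information, 2-second resolution and a
1980 minimum year. Letting ZipFile pick the timestamp from the host clock (or
converting an epoch through time.localtime()) makes the archive depend on both
the build time and the builder's timezone. Pinning the ZipInfo fields directly
avoids that, whichever CPython version is in use.
"""
import hashlib
import io
import zipfile

# Constructed sample payload; hypothetical file names, not from any real project.
SAMPLE_FILES = {
    "pkg/__init__.py": b"__version__ = '1.0.0'\n",
    "pkg/core.py": b"def run():\n    return 42\n",
    "README.txt": b"demo\n",
}

# Fixed timestamp tuple (year, month, day, hour, minute, second). The ZIP
# format cannot represent anything earlier than 1980-01-01.
FIXED_DATE_TIME = (1980, 1, 1, 0, 0, 0)


def build_reproducible(files: dict) -> bytes:
    """Return archive bytes that depend only on `files`, not on host state."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):  # dict order is not a build input; sort.
            info = zipfile.ZipInfo(name, date_time=FIXED_DATE_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED  # ZipInfo defaults to STORED
            info.external_attr = 0o644 << 16  # fixed unix mode bits
            info.create_system = 3  # "unix", rather than whatever the host is
            zf.writestr(info, files[name])
    return buf.getvalue()


def build_naive(files: dict) -> bytes:
    """Same payload, but timestamps come from the host clock via localtime()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)  # str name -> ZipInfo built from time.localtime()
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def member_metadata(data: bytes) -> list:
    """(name, date_time, compress_type, create_system) for each member, in order."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [
            (i.filename, i.date_time, i.compress_type, i.create_system)
            for i in zf.infolist()
        ]


def extract_all(data: bytes) -> dict:
    """Round-trip check: the archive must still contain exactly the payload."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: zf.read(i) for i in zf.infolist()}


if __name__ == "__main__":
    a = build_reproducible(SAMPLE_FILES)
    b = build_reproducible(SAMPLE_FILES)
    print("reproducible:", sha256_hex(a) == sha256_hex(b), sha256_hex(a))
    print("naive:       ", sha256_hex(build_naive(SAMPLE_FILES)))
    for row in member_metadata(a):
        print(row)
```

Two consecutive runs of `build_naive` may happen to match when they fall in the same 2-second window on the same machine, so a passing diff in CI proves little; the reproducible builder makes the equality hold by construction, which is what a verifier comparing a published archive against a rebuild needs.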