Python: Security Updates and Documentation Improvements
Python developers merged 20 pull requests focusing on security fixes, including Expat library upgrades and UTF-8 encoding improvements. Documentation updates improved availability information for the select module across multiple Python versions.
Duration: PT2M8S
Transcript
Good morning, this is your Python developer briefing for May 15th, 2026.
Seth Larson merged a critical security fix for UTF-8 support in JavaScript output functions, replacing the Latin-1-limited atob() function with decodeURIComponent() for proper UTF-8 handling. This change affects the http.cookies module and includes comprehensive browser compatibility back to Internet Explorer 5.5.
The Python team pushed through two major Expat library security updates. Stan Ulbrych upgraded the bundled Expat XML parser from version 2.8.0 to 2.8.1, addressing security vulnerabilities across multiple Python versions including 3.13, 3.14, and 3.15 branches.
Zachary Ware updated Windows builds to use Tcl/Tk version 9.0.3, improving GUI framework support and adding new test coverage for Tcl functionality.
Petr Viktorin fixed documentation rendering issues in compound statements by correcting broken grammar rule links that were displaying raw exclamation marks instead of proper references.
The team made significant documentation improvements to the select module. Sobolevn enhanced availability documentation across Python 3.13, 3.14, and 3.15, clarifying platform-specific function support with over 135 lines of changes per version.
Serhiy Storchaka strengthened XML security by adding comprehensive test coverage for invalid XML encodings, helping prevent potential parsing vulnerabilities.
Additional security work included tomllib key parsing limits to prevent potential denial-of-service attacks through oversized key structures.
What's next: Security patches are being backported across supported Python versions, and the team continues expanding test coverage for XML and HTTP handling modules.
That's your Python development update. Stay secure, and we'll see you tomorrow.