Mypy 1.20 shipped the biggest overhaul of type narrowing in years, and the handbook added 30+ pages covering GPU installs, supply-chain security, and onboarding guides for developers coming from Go, Rust, and TypeScript.

New on the handbook

Topical Pages!

The handbook has become large enough that it needed new organization to discover content. I’ve added 11 topical pages on all the big tooling areas. I hope this helps you dig deeper into the content you’re looking for.

New Articles

• Why Installing GPU Python Packages Is So Complicated — Python wheels have no way to express GPU requirements, so every CUDA package invents its own workaround. This page explains the current state and what wheel variants will change.

• How to Install PyTorch with uv — One of seven new guides for installing GPU-dependent packages (flash-attention, xformers, DeepSpeed, Triton, and more) using uv's index pinning.

• Python Tooling for Go / Rust / TypeScript Developers — Three new articles that map familiar toolchain concepts to their Python equivalents, so developers switching languages can orient without reading the entire handbook.

• How to Protect Against Python Supply Chain Attacks with uv — Covers dependency cooldowns, hash pinning, and vulnerability scanning with uv audit. Part of a four-article security series that also covers trusted publishing and pylock.toml attestations.

• Do you still need tox or nox if you use uv? — uv replaces the plumbing (Python installs, venv creation), not the orchestration. This comparison explains where the line falls.

In the ecosystem

• mypy 1.20 — Type narrowing is more aggressive and more correct across equality checks, containment, and match statements. Python 3.14 t-string support (PEP 750) landed, and an experimental Ruff-based native parser is available via mypy[native-parser].

• uv 0.11 — Migrated the TLS stack to rustls-platform-verifier and swapped the cryptography backend from ring to AWS-LC. The --native-tls flag is deprecated in favor of --system-certs.

• ty 0.0.25 — Now supports type: ignore[ty:code] suppression comments, bringing ty's inline error suppression in line with mypy and Pyright conventions.

One thing worth trying

Run uv audit in one of your projects. It queries the OSV database against your lockfile and reports known vulnerabilities in under a second. If you have a uv.lock, try it now:

uv audit

No configuration required. If it finds something, the output links directly to the advisory.

Python Developer Tooling Handbook

·

Reply to this email with questions or feedback. I read every response. - Tim Hopper