Today’s dev headline: Python just joined the semantic refactoring party. Moderne announced Python support for OpenRewrite — extending its Lossless Semantic Tree (LST) model across Java, JavaScript, TypeScript, and now Python. For GitHub-heavy teams managing multi-repo, multi-language stacks, this is significant.

Instead of:
▪️ Manually hunting deprecated APIs
▪️ Writing custom migration scripts
▪️ Fixing dependency drift repo by repo

You can model code semantically and apply repeatable “recipes” across projects.

Think:
🔄 Python version upgrades
📦 Dependency add/remove/replace
🔐 Cross-language vulnerability remediation
🧹 Consistent formatting and cleanup

Modern systems rarely evolve in isolation. A Java service exposes an API. A Python integration consumes it. A shared library touches frontend and backend. Coordinated change is becoming a core competency.

If you manage active GitHub orgs, this trend is clear: Refactoring is moving from manual effort to orchestrated campaign. Are your repos ready for multi-language modernization at scale?
Python Joins OpenRewrite for Semantic Refactoring
-
AI today largely lives in the Python ecosystem. But many production systems still run on Java — for good reasons: strong typing, mature tooling, and predictable builds. Anyone who has wrestled with Python environments knows the drill: “Works on my machine” sometimes comes bundled with a fragile dependency stack. So the real question is not Java or Python. It’s: how do you use Python’s AI/ML ecosystem without sacrificing the stability of a Java platform? That’s what I explore in my latest article in JavaPro Magazine (my second one there. Thank you, team JAVAPRO): Using GraalPy on GraalVM to bridge Java and Python in production AI/ML systems. Curious to hear how others are handling the Java ↔ Python boundary. https://lnkd.in/e2igDbXX
-
Stop writing Python like Java/C++. Most tutorials get this wrong. They teach you to build APIs with rigid, verbose structures that feel more at home in compiled languages. Python offers a more fluid and powerful approach.

The 'Pythonic' way is about embracing the language's dynamic nature and built-in features. Think about composition over deep inheritance, clear and concise function signatures, and leveraging data structures effectively.

For scalable applications, clarity and maintainability are paramount. This means making your API intuitive, easy to understand, and simple to extend without unnecessary complexity.

Example: Handling Configuration

Okay (Java/C++ mindset):

    class Config:
        def __init__(self):
            self.db_host = "localhost"
            self.db_port = 5432

    class App:
        def __init__(self):
            # The app builds its own configuration internally
            self.config = Config()

        def run(self):
            print(f"Connecting to {self.config.db_host}:{self.config.db_port}")

    app = App()
    app.run()

Best (Pythonic):

    from dataclasses import dataclass

    @dataclass
    class DbConfig:
        host: str = "localhost"
        port: int = 5432

    def run_app(db_config: DbConfig):
        # Configuration is passed in by the caller
        print(f"Connecting to {db_config.host}:{db_config.port}")

    config = DbConfig(host="prod.db.com", port=5433)
    run_app(config)

Insight:
* Dataclasses: Offer concise data structures with auto-generated __init__, __repr__, etc.
* Function Arguments: Pass configuration directly as arguments, promoting loose coupling.
* Readability: Much cleaner and easier to understand what data is needed.

Designing clean Python APIs for scalable applications means writing code that is idiomatic, readable, and simple to maintain. #Python #CodingTips
-
hey, big release today.

Release v0.2:
- Migrated backend from Java Spring Boot to Python FastAPI
- did this to prepare the backend for AI integrations since Python has a strong ecosystem for AI/ML libraries
- Replaced Session based authentication with JWT based authentication
- Authentication is still handled through Auth0 as an identity broker
- Backend APIs now validate JWT access tokens instead of server side sessions
- Also updated the diary front end to support JWT auth instead of session based auth
- Created a new pipeline on AWS for the Python FastAPI backend

This was the post I had made 2 years ago on the implementation of session based authentication https://lnkd.in/ghyScXbQ , but why the change to JWT based authentication now?

Previously, the backend used session based authentication, where the server created a session and stored it in the database, and the client (diary front end) sent a session cookie with every request. Now the backend uses JWT tokens, which means authentication is stateless. The benefits are:
- No session storage required, no database lookup needed to validate authentication on each request. This is the main reason for the switch, fewer calls to the database to validate API requests for authenticated endpoints.
- Faster API authentication flow since token validation happens locally using the token's signature, without hitting the database.

Auth flow remains the same conceptually:
1. User authenticates via Auth0
2. Auth0 issues a JWT access token
3. Client sends the JWT with API requests
4. FastAPI backend validates the token before allowing access to protected routes

FastAPI also makes it easier to integrate AI features in the future. Most modern AI/ML libraries are Python first (PyTorch, TensorFlow, HuggingFace, OpenAI, etc), so moving the backend to Python makes it much easier to experiment with AI features around the diary.

FastAPI is also really nice to work with:
- High performance
- Native async support (what I saw whilst writing the backend is that, when you write functions, they are natively working as async)
- Automatic API documentation, this is also really cool… OpenAPI/Swagger are automatically implemented for all the APIs we are writing. This was really useful when I was doing the development.

Because of this, Python + FastAPI feels like the right stack for where the diary is going and where AI is heading.

[7:47pm Sunday, March 15th, 2026]
-
-
🐍 I ported a Java Terraform metrics tool to Python and validated it against 5,594 code blocks to make sure everything was perfect. 🔧 I needed Infrastructure as Code (IaC) quality metrics as reward signals for fine-tuning LLMs — TerraMetrics had exactly what I wanted, except it was a .jar file in a Python pipeline. ⚡So I built pyterametrics. I validated it against 3 open-source Terraform repos to find: • 97.59% block identity match (and interesting reasons for why the rest didn't match) • Zero metric discrepancies on matched blocks 📊 See the full write-up on: Medium: https://lnkd.in/ghcasE4q My site: https://lnkd.in/gVVWhhGi You can use it today with pip install pyterametrics!
-
Elastic helped implement a fix for a major head-based sampling challenge in OpenTelemetry. Head-based sampling is cheap and practical, but it can break backend throughput charts because sampled traces reduce raw span counts. The solution: carry sampling probability in tracestate, so backends can estimate how many original traces each sampled trace represents. In this blog, we explain the problem, the spec, and how we implemented the fix across Java, JavaScript, and Python in OpenTelemetry. Learn how it works and how to validate it in your environment ↓ https://go.es.io/4bzM5ul
-
Today, we’re announcing a major expansion of Chainguard Libraries across JavaScript, Python, and Java. We’re delivering broad, malware-resistant dependency coverage to the ecosystems that power 70-90% of enterprise applications. 👏

✅ 94% Python dependency coverage across our customers’ environments
📦 ~1M Java dependency versions rebuilt (Spring Boot, Jackson, Log4j & more)
🟩 88% coverage of npm’s top 500 high-impact packages
🧠 500K+ Python versions built, including complex AI libs like PyTorch and torchvision

Every library is rebuilt from publicly verifiable source code in the SLSA L2-compliant Chainguard Factory. This means it is built with signed provenance and SBOMs, so teams know their artifacts match source code bit-for-bit.

❓Why does this matter❓
Over the last year, researchers uncovered 450,000+ malicious open source packages…that is roughly one every minute. Engineering teams shouldn’t have to choose between moving fast and staying secure. Chainguard Libraries delivers open source dependencies as trusted infrastructure, eliminating the trade-off between development velocity and security.

Learn how we’re helping enterprises and AI innovators move fast without compromising trust (linked in comments).
-
Outrageously fun to see how fast this product continues to grow—in terms of ecosystem size, customer adoption, and industry importance all at once. As AI-generated code continues to dominate (both internal code bases and malicious attacks), it's more important than ever to know that your open source libraries are coming from a safe, verifiable, and trusted source.
-
Huge news! Teams building with Python, Java, or JavaScript should explore Chainguard Libraries to strengthen application security and reduce exposure to malware.
-
A monumental step as we scale our vision to be the safe source for all open source 🚀 If you have uncovered just 1 of the 450,000+ malicious open source packages discovered by researchers the past year in your environment, let’s connect… Or worse, you don’t know if you have 1 or more in your environment, then let’s definitely connect. #chainguardlibraries #builtfromsource #securesdlc
-
Remember those Shai-Hulud attacks? Did your teams also spend days scrambling and trying to find out if your systems were impacted? This is why our customers love our hardened libraries because it’s a proactive measure rather than your typical reactive guardrail tools, and they can be assured they will be protected from 98% of malicious package attacks. No more scrambling to figure out if your developers have installed malicious packages accidentally, just letting them build cool new features as they should be!