A busy week across the Python and PHP ecosystems. redis-py shipped native OpenTelemetry metrics for async clients, Laravel landed a batch of queue reliability improvements, and Symfony pushed out maintenance releases across three active branches. Meanwhile, a security disclosure in redis-py is worth checking if you’re running Redis with password auth.
Highlights
redis-py v7.3.0 adds native OpenTelemetry metrics for asynchronous clients, following the OTel Database Client Semantic Conventions. The new instrumentation covers six metric groups: command duration with retry tracking, connection count and creation time, resiliency metrics (errors, handoffs, timeout relaxation), connection wait and use time, pubsub message counts, and stream processing duration. For teams running async Python frameworks like FastAPI with Redis, this means deep observability out of the box. The redis-py OpenTelemetry docs cover setup and configuration.
Laravel v12.54.0 shipped with ~30 changes, headlined by a queue deadlock prevention fix that stops lockups when reserving a job throws an exception (e.g., attempts overflow). Also notable: a composite index for the jobs table that speeds up queue polling on database-backed queues, a native PostgreSQL tsvector column type for full-text search, and a view:cache deduplication fix that eliminates redundant Blade compilation from overlapping paths. Laravel News recently covered deadlock causes and fixes — timely context for this release.
Also Noteworthy
- Predis v3.4.2 — Patch release with sentinel discovery fixes and upstream driver reporting via CLIENT SETINFO.
- Symfony v6.4.35, v7.4.7, v8.0.7 — Maintenance releases across all three active branches with bug fixes. The Week of Symfony #1001 has the full roundup.
Recently Merged
Laravel 13.x is shaping up ahead of its release. A merged PR makes Cache::touch() require an explicit TTL parameter and removes a redundant get() call from the Repository layer — eliminating unnecessary value deserialization for Redis, Database, DynamoDB, and Memcached stores. The old behavior silently converted items to live forever when called without a TTL, which contradicted the method’s purpose.
Over in Django, a merged change preserves the original exception when URLconf loading fails during auto-reload, using Python exception chaining. Previously, the autoreloader swallowed the original traceback, making URL configuration errors harder to debug during development.
In Development
Security: redis-py ConnectionPool leaks passwords in plaintext. A vulnerability report (CWE-532, CVSS 5.5) reveals that ConnectionPool.__repr__() includes Redis passwords in its string output. Any code that triggers repr() on a pool — logging, error trackers like Sentry, tracebacks — exposes credentials. The Connection class already redacts passwords, but ConnectionPool was missed. A fix is in progress that redacts password, username, ssl_password, and credential_provider from both sync and async pool repr output. If you use Redis with password auth, audit your logs now.
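As an added illustration (not redis-py's code or its pending fix), the sketch below shows a hypothetical pool whose repr dumps its connection kwargs, a variant that masks the four fields named above, and a logging filter that scrubs such pairs from log records. The class names, the `k=v` repr layout and the `***` mask are assumptions.

```python
import logging
import re

# The four fields the page says the pending fix redacts from pool repr output.
SENSITIVE_KEYS = ("password", "username", "ssl_password", "credential_provider")
MASK = "***"

def redacted_kwargs(kwargs):
    """Render kwargs as k=v pairs, masking sensitive keys that are set."""
    parts = []
    for key, value in kwargs.items():
        if key in SENSITIVE_KEYS and value is not None:
            value = MASK
        parts.append(f"{key}={value}")
    return ",".join(parts)

class LeakyPool:
    """Hypothetical stand-in (not redis-py code): repr dumps every kwarg."""

    def __init__(self, **connection_kwargs):
        self.connection_kwargs = connection_kwargs

    def __repr__(self):
        pairs = ",".join(f"{k}={v}" for k, v in self.connection_kwargs.items())
        return f"<{type(self).__name__}({pairs})>"

class SafePool(LeakyPool):
    """Same object, but repr masks the sensitive fields."""

    def __repr__(self):
        return f"<{type(self).__name__}({redacted_kwargs(self.connection_kwargs)})>"

# Assumed k=v layout; a value is matched up to the next comma, paren, '>' or space,
# so a secret containing one of those characters is only partly masked.
_PAIR = re.compile(r"\b(%s)=([^,)\s>]+)" % "|".join(SENSITIVE_KEYS))

class RedactSecretsFilter(logging.Filter):
    """Scrub sensitive k=v pairs from a record after %-formatting its args."""

    def filter(self, record):
        record.msg = _PAIR.sub(lambda m: f"{m.group(1)}={MASK}", record.getMessage())
        record.args = None
        return True

if __name__ == "__main__":
    pool = LeakyPool(host="localhost", password="constructed-secret")  # constructed value
    print(repr(pool), "->", repr(SafePool(**pool.connection_kwargs)))
```

Attach the filter to handlers rather than loggers, since logger-level filters are skipped for records propagated from child loggers.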
A Rails issue reports that Bytea#deserialize raises ArgumentError on unmarked BINARY strings with null bytes after cache serialization round-trips. The root cause: serializers like MessagePack strip the @ar_pg_bytea_decoded instance variable that marks strings as already decoded, causing unescape_bytea to crash on raw binary data. A fix (PR #56935) has been proposed.
Celery has an open issue about warm shutdown not canceling prefetched tasks when using thread-pool concurrency, causing delays and message visibility timeout problems with SQS.
Laravel 13.x also has a PR in progress fixing URL generation when URL::defaults() is combined with route parameters that use model key binding — a bug that causes positional parameter misalignment and empty query strings.
What We’re Watching
The trend of libraries shipping native OpenTelemetry instrumentation continues to accelerate. redis-py joining the OTel-native club alongside frameworks that already support it signals a maturing observability ecosystem for Python. The redis-py credential leak is a good reminder that __repr__ methods on objects holding secrets deserve the same scrutiny as serialization code — especially in production environments where logs flow into dozens of downstream systems.
Try Scout APM
Tracking releases and performance changes across your framework dependencies is part of running production applications. At Scout, we make it easy to monitor your Ruby, Python, Elixir, and PHP apps end-to-end — from HTTP requests through database queries, background jobs, and external service calls. Start your free trial (no credit card required) and see what’s really happening inside your application.



