
Python 3.14 is already usable on conda-forge (not just available)

· 4 min read
Uwe L. Korn
Member of conda-forge/core

With yesterday's release of Python 3.14, we not only have Python 3.14 itself available on conda-forge, but also a wide selection of packages to make use of it. As the conda ecosystem is based on binary packages, this means that several packages are already built for Python 3.14.

You can create a new environment by using:

conda create -n py314 python=3.14 -c conda-forge

At the time of writing, the Python 3.14 migration is 77% progressed. This means that:

  • 1273 (41%) packages that needed a rebuild were built for Python 3.14
  • 1115 (36%) have an open PR to get rebuilt for Python 3.14
  • 704 (23%) packages are still waiting for a dependency to be rebuilt.

What is already usable?

While most binary packages needed to be rebuilt for Python 3.14, we did not need to rebuild packages that are abi3-compatible. Here, you can use the builds that were done with previous Python versions. Similarly, all pure Python packages (i.e. the ones we call noarch: python in the conda world) didn't need to be rebuilt and can be used directly.

Still, as the statistics above show, not all packages are available for Python 3.14 yet. The most prominent here include pytorch, numba, and cytoolz. For the latter two, we need to wait for them to provide new releases that make them compatible with 3.14. In the case of PyTorch, we either need to wait for the new 2.10.0 release or may be able to backport changes to the 2.9.0 release. You can track the progress on the upstream side in pytorch#156856 and on the conda-forge side in pytorch-cpu-feedstock#420. For numba, we expect the necessary changes to land in 0.63. As there is already a beta available, we will wait here for the final release and won't backport any changes. For other packages, similar approaches will be taken. You can track the progress for each of them if you click on the respective link on the status page.

If you face any issue with the Python package itself, please report that on the python-feedstock. For problems with individual packages, please do so on the respective conda-forge/<package>-feedstock repository.

How was conda-forge able to provide release day availability?

As we did for the Python 3.13 and Python 3.12 releases, we started building packages for Python 3.14 once the release candidate was available. As ABI stability is guaranteed between release candidates, these packages are also usable with the final Python release. Thus, we were able to start building packages for this release as early as August 20. Unfortunately, as part of this release process, the magic number stored in Python bytecode (.pyc) was bumped in RC2 and RC3. This means that the bytecode will be regenerated on the first run for packages built with a version earlier than RC3. As the impact of this has been minor, we did not rebuild the respective packages and expect that through package updates, this will quickly become unnoticeable.
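An added example (not from the original post or from conda-forge tooling): a check that reads each .pyc header and reports files whose magic number differs from the running interpreter's, which is the situation described above for packages built before RC3. The function names and the two constructed sample files are assumptions of this example.

```python
import importlib.util
import py_compile
import struct
import tempfile
from pathlib import Path


def read_pyc_header(path):
    """Return (magic, flags) from the 16-byte .pyc header (PEP 552 layout)."""
    data = Path(path).read_bytes()[:16]
    if len(data) < 16:
        raise ValueError(f"{path}: truncated .pyc header")
    (flags,) = struct.unpack("<I", data[4:8])
    return data[:4], flags


def classify_pyc(path, expected_magic=importlib.util.MAGIC_NUMBER):
    """Classify a .pyc file relative to the interpreter running this check."""
    magic, flags = read_pyc_header(path)
    if magic != expected_magic:
        return "stale-magic"  # the interpreter ignores this file and recompiles
    # Bit 0 of the flags word marks a hash-based .pyc; otherwise mtime + size.
    return "hash-based" if flags & 0x1 else "timestamp-based"


def scan(root):
    """Map every .pyc under root (relative path) to its classification."""
    root = Path(root)
    return {str(p.relative_to(root)): classify_pyc(p)
            for p in sorted(root.rglob("*.pyc"))}


def demo():
    """Build one current .pyc and one constructed 'older release candidate' .pyc."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "mod.py"
        src.write_text("x = 1\n")
        good = Path(tmp) / "good.pyc"
        py_compile.compile(str(src), cfile=str(good), doraise=True,
                           invalidation_mode=py_compile.PycInvalidationMode.TIMESTAMP)
        # Constructed sample: lower the 16-bit version inside the magic number
        # to imitate bytecode written by an interpreter with an older magic.
        raw = bytearray(good.read_bytes())
        (version,) = struct.unpack("<H", raw[:2])
        raw[:2] = struct.pack("<H", version - 1)
        (Path(tmp) / "old.pyc").write_bytes(bytes(raw))
        return scan(tmp)


if __name__ == "__main__":
    print(demo())
```

Pointing `scan()` at an environment's `site-packages` directory lists which installed packages still carry bytecode from an earlier magic number.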

Note that the current migration only includes the "default" flavour of Python. We have not yet started building packages for the freethreading version. Once work on making the migrator more selective has progressed, we will start to build packages.

Security audit

· 2 min read
conda-forge/core
The conda-forge core team

During the first half of the year, conda-forge has been subject to a security audit in partnership with Open Source Technology Improvement Fund (OSTIF), Sovereign Tech Agency (STA) and the security firm 7ASecurity. This effort has resulted in the identification and remediation of 13 findings with security impact, a custom threat model, and a supply chain security analysis. Full details are now publicly available in the final report.

Ten years of conda-forge!

· 3 min read
conda-forge/core
The conda-forge core team

Today, 2025-04-11, marks the 10th anniversary of the conda-forge community.

Join us in this Zulip thread and share how you got involved with conda-forge, how this community has helped you, or just to show appreciation to the thousands of volunteers that make this effort possible!

To many more years! 🎉

Security Incident with Package Uploads (CVE-2025-31484)

· 3 min read
conda-forge/core
The conda-forge core team

In the past few months, conda-forge has been engaging with an external security audit in collaboration with the Open Source Technology Improvement Fund (OSTIF). The full results of this audit will be made public once it is complete per OSTIF responsible disclosure policies.

During this process, OSTIF and their contractor uncovered misconfigured infrastructure which exposed the anaconda.org token for the conda-forge channel to all feedstock maintainers. The token was exposed from on or about 2025-02-10 through 2025-04-01. See our GitHub Security Advisory for more details.

Announcing the new recipe format on conda-forge

· 5 min read
Wolf Vollprecht
Member of conda-forge/core

The conda-forge team is excited to announce that the v1 recipe format is available on conda-forge. The v1 recipe format is a community initiative dating back over 3 years to improve the recipe format for conda packages. If you are a maintainer of a feedstock on conda-forge, you have probably dealt with meta.yaml files that conda-build utilizes. The file format has some limitations which is why the community has come together to come up with an improved version of the format: the v1 format.

CircleCI Security Incident

· 5 min read
conda-forge/core
The conda-forge core team

In early January 2023, CircleCI informed us that they had a large security breach where a third party had gained access to all the environment secrets stored in the service. For conda-forge, these secrets are the API token used to upload built packages to our staging area on anaconda.org and the unique token we generate for each feedstock. The feedstock tokens are used as part of our artifact staging process to ensure that only the maintainers of a given feedstock can upload packages built by that feedstock. Later in January, we were informed by CircleCI that their security breach started on December 19, 2022, with the bulk of the secrets being exfiltrated in plain text from their servers a few days later. A malicious third party with access to these secrets could potentially upload compromised versions of any package on conda-forge in a so-called "supply chain" attack.