Suggest to loosen the dependency on spotipy

Agnes-U commented

2022-11-13 10:34:35 +03:00

(Migrated from github.com)

Hi, your project spotify-stats requires "spotipy==2.19.0" in its dependency. After analyzing the source code, we found that some other versions of spotipy can also be suitable without affecting your project, i.e., spotipy 2.19.0rc1. Therefore, we suggest to loosen the dependency on spotipy from "spotipy==2.19.0" to "spotipy>=2.19.0rc1,<=2.19.0" to avoid any possible conflict for importing more packages or for downstream projects that may use spotify-stats.

May I pull a request to loosen the dependency on spotipy?

By the way, could you please tell us whether such dependency analysis may be potentially helpful for maintaining dependencies easier during your development?

For your reference, here are details in our analysis.

Your project spotify-stats(commit id: a0994d3144) directly uses 2 APIs from package spotipy.

spotipy.oauth2.SpotifyOAuth.__init__, spotipy.client.Spotify.__init__

From which, 10 functions are then indirectly called, including 5 spotipy's internal APIs and 5 outsider APIs, as follows (neglecting some repeated function occurrences).

[/gkeep/spotify-stats]
+--spotipy.oauth2.SpotifyOAuth.__init__
|      +--spotipy.oauth2.SpotifyAuthBase.__init__
|      |      +--requests.Session
|      +--spotipy.oauth2.SpotifyAuthBase._normalize_scope
|      |      +--spotipy.util.normalize_scope
|      +--warnings.warn
|      +--spotipy.cache_handler.CacheFileHandler.__init__
|      |      +--os.getenv
|      +--os.getenv
+--spotipy.client.Spotify.__init__
|      +--spotipy.client.Spotify._build_session
|      |      +--requests.Session
|      |      +--urllib3.Retry
|      |      +--requests.adapters.HTTPAdapter

We scan spotipy's versions among [2.19.0rc1] and 2.19.0, the changing functions (diffs being listed below) have none intersection with any function or API we mentioned above (either directly or indirectly called by this project).

diff: 2.19.0(original) 2.19.0rc1
[](no clear difference between the source codes of two versions)

As for other packages, the APIs of @outside_package_name are called by spotipy in the call graph and the dependencies on these packages also stay the same in our suggested versions, thus avoiding any outside conflict.

Therefore, we believe that it is quite safe to loose your dependency on spotipy from "spotipy==2.19.0" to "spotipy>=2.19.0rc1,<=2.19.0". This will improve the applicability of spotify-stats and reduce the possibility of any further dependency conflict with other projects/packages.

Hi, your project spotify-stats requires "spotipy==2.19.0" in its dependency. After analyzing the source code, we found that some other versions of spotipy can also be suitable without affecting your project, i.e., spotipy 2.19.0rc1. Therefore, we suggest to loosen the dependency on spotipy from "spotipy==2.19.0" to "spotipy>=2.19.0rc1,<=2.19.0" to avoid any possible conflict for importing more packages or for downstream projects that may use spotify-stats. May I pull a request to loosen the dependency on spotipy? By the way, could you please tell us whether such dependency analysis may be potentially helpful for maintaining dependencies easier during your development? <br /> ---- For your reference, here are details in our analysis. Your project spotify-stats(commit id: a0994d3144279cc2cb6d8f9afb518af7e836fe97) directly uses 2 APIs from package spotipy. ``` spotipy.oauth2.SpotifyOAuth.__init__, spotipy.client.Spotify.__init__ ``` From which, 10 functions are then indirectly called, including 5 spotipy's internal APIs and 5 outsider APIs, as follows (neglecting some repeated function occurrences). ``` [/gkeep/spotify-stats] +--spotipy.oauth2.SpotifyOAuth.__init__ | +--spotipy.oauth2.SpotifyAuthBase.__init__ | | +--requests.Session | +--spotipy.oauth2.SpotifyAuthBase._normalize_scope | | +--spotipy.util.normalize_scope | +--warnings.warn | +--spotipy.cache_handler.CacheFileHandler.__init__ | | +--os.getenv | +--os.getenv +--spotipy.client.Spotify.__init__ | +--spotipy.client.Spotify._build_session | | +--requests.Session | | +--urllib3.Retry | | +--requests.adapters.HTTPAdapter ``` We scan spotipy's versions among [2.19.0rc1] and 2.19.0, the changing functions (diffs being listed below) have none intersection with any function or API we mentioned above (either directly or indirectly called by this project). ``` diff: 2.19.0(original) 2.19.0rc1 [](no clear difference between the source codes of two versions) ``` As for other packages, the APIs of @outside_package_name are called by spotipy in the call graph and the dependencies on these packages also stay the same in our suggested versions, thus avoiding any outside conflict. Therefore, we believe that it is quite safe to loose your dependency on spotipy from "spotipy==2.19.0" to "spotipy>=2.19.0rc1,<=2.19.0". This will improve the applicability of spotify-stats and reduce the possibility of any further dependency conflict with other projects/packages.

gkeep commented

2022-11-13 17:48:36 +03:00

(Migrated from github.com)

Hm, using strict version dependency does seem like a mistake or rather something I overlooked while using pip freeze.

Loosening the dependency is a good idea, but I don't think a Release Candidate should be used as a minimal version. Stable versions are there for a reason.
This is applicable to all dependencies, so this should really be done to requirements.txt as a whole.

Feel free to submit a PR!

Hm, using strict version dependency does seem like a mistake or rather something I overlooked while using `pip freeze`. Loosening the dependency is a good idea, but I don't think a Release Candidate should be used as a minimal version. Stable versions are there for a reason. This is applicable to all dependencies, so this should really be done to `requirements.txt` as a whole. Feel free to submit a PR!

gkeep commented

2023-07-08 14:27:20 +03:00

(Migrated from github.com)

Closing for inactivity.

Rows
Columns

Suggest to loosen the dependency on spotipy #3