gkeep / spotify-stats Goto Github PK

Hi, your project spotify-stats requires "spotipy==2.19.0" in its dependency. After analyzing the source code, we found that some other versions of spotipy can also be suitable without affecting your project, i.e., spotipy 2.19.0rc1. Therefore, we suggest to loosen the dependency on spotipy from "spotipy==2.19.0" to "spotipy>=2.19.0rc1,<=2.19.0" to avoid any possible conflict for importing more packages or for downstream projects that may use spotify-stats.

May I pull a request to loosen the dependency on spotipy?

By the way, could you please tell us whether such dependency analysis may be potentially helpful for maintaining dependencies easier during your development?

For your reference, here are details in our analysis.

Your project spotify-stats(commit id: a0994d3) directly uses 2 APIs from package spotipy.

spotipy.oauth2.SpotifyOAuth.__init__, spotipy.client.Spotify.__init__

From which, 10 functions are then indirectly called, including 5 spotipy's internal APIs and 5 outsider APIs, as follows (neglecting some repeated function occurrences).

[/gkeep/spotify-stats]
+--spotipy.oauth2.SpotifyOAuth.__init__
|      +--spotipy.oauth2.SpotifyAuthBase.__init__
|      |      +--requests.Session
|      +--spotipy.oauth2.SpotifyAuthBase._normalize_scope
|      |      +--spotipy.util.normalize_scope
|      +--warnings.warn
|      +--spotipy.cache_handler.CacheFileHandler.__init__
|      |      +--os.getenv
|      +--os.getenv
+--spotipy.client.Spotify.__init__
|      +--spotipy.client.Spotify._build_session
|      |      +--requests.Session
|      |      +--urllib3.Retry
|      |      +--requests.adapters.HTTPAdapter

We scan spotipy's versions among [2.19.0rc1] and 2.19.0, the changing functions (diffs being listed below) have none intersection with any function or API we mentioned above (either directly or indirectly called by this project).

diff: 2.19.0(original) 2.19.0rc1
[](no clear difference between the source codes of two versions)

As for other packages, the APIs of @outside_package_name are called by spotipy in the call graph and the dependencies on these packages also stay the same in our suggested versions, thus avoiding any outside conflict.

Therefore, we believe that it is quite safe to loose your dependency on spotipy from "spotipy==2.19.0" to "spotipy>=2.19.0rc1,<=2.19.0". This will improve the applicability of spotify-stats and reduce the possibility of any further dependency conflict with other projects/packages.