Update dependencies

[linusg]

Update the listed versions of youtube_dl, mutagen, beautifulsoup4 and PyYAML to their newest versions.

IMO we should use == instead of >= in setup.py, as the former will ensure compatibility of the installed packages with spotdl while the latter would (AFAIK) not update an already existing package to its newest version, which can be important especially with packages like youtube_dl.

[vn-ki]

IMO we should use == instead of >= in setup.py

Packages which are released on PyPI should NOT pin their packages.

Say spotdl pins a package to a said version and another application pins the same package to another version, then we have a package conflict.

The packaging situation of Python is a mess, I agree. There are a lot of arguments in the about packaging which would be too much to include in this comment.

So I think, we should not pin our dependencies but go with the lowest version which is know to work.

PS: I'm talking from the knowledge of reading blog posts and issues over at pipenv, so what I'm saying might be a very opinionated pov.

[linusg]

Say spotdl pins a package to a said version and another application pins the same package to another version, then we have a package conflict.

I'd say that would be rare but I see the potential problem.

The packaging situation of Python is a mess, I agree. There are a lot of arguments in the about packaging which would be too much to include in this comment.

How would using NPM for example be different?

So I think, we should not pin our dependencies but go with the lowest version which is know to work.

That would mean at least regularly updating the version of youtube_dl whenever YouTube changes something on their side which requires a new version of the package.
And for now I'm really not sure if what would happen when the user has installed an ancient version of let's say logzero which we once "verified to work with spotdl" and has since then received various bugfix updates. If said user now installs spotdl with its setup.py containing logzero >= ancient.version.here, will this perform an update of logzero?

[vn-ki]

How would using NPM for example be different?

NPM has a very different ideology. Something I have a love and hate relationship with. NPM aims to give deterministic builds for each application. This means every package can have it's own pinned dependencies which won't create problems to other packages.

This won't create a problem with npm ecosystem because npm has multiple layers of dependencies (as in there can be more than one version of the same package). This is not the case with python where the dependencies are single layered. Only one version of a package is installed at a given point in time.

updating the version of youtube_dl whenever YouTube changes

This is inevitable.

If said user now installs spotdl with its setup.py containing logzero >= ancient.version.here, will this perform an update of logzero?

No. Because the requirement is already satisfied, it won't update.

[linusg]

Thanks for the explanations. On a side note, you just made me feel like I just started programming a few months ago 😄

No. Because the requirement is already satisfied, it won't update.

And that's why I feel at least using >= with a fairly new / the newest version in setup.py should be the way to go.

I agree == is nothing we should use publicly (I've used that in a few company internal tools, no issues so far...), what's your opinion on that?
Edit: since that's exactly what this PR is doing :)

[vn-ki]

I think I'm go for this PR. It has some important updates anyway. (PyYaml 3.12 won't compile with python 3.7, for example.)

[ritiek]

Don't see a problem with merging this. By the way, some good discussion going on in here!