what's changed
currency release. no changes to the spotify metadata path, audio formats, tags, or the default matching policy - this one brings every runtime and dependency in the stack to current, verified end to end.
changed
- the bundled python moved from 3.11 to 3.13. every sunnify binary ships its own interpreter, so nothing changes day-to-day - the app just runs on a runtime with security support into 2029 per the python release cycle. running from source now needs python 3.10+ (3.9 reached end-of-life october 2025); 3.10 was chosen so ubuntu 22.04 LTS source installs keep working.
- tag writing now uses mutagen 1.48.1, previously held back only by the old 3.9 promise. verified byte-for-byte: the id3v2.3 player-compatibility suite from the #46 work passes unchanged against it.
- the hosted web api runs on a fully patched python 3.13.14 - it had been pinned to 3.11.0, an october 2022 interpreter that never received its later security fixes. the web client dropped a dependency that was declared but never imported, and now targets node 22 (node 20 reached end-of-life april 2026).
- ci got stricter along the way: the test matrix (python 3.10-3.13 across windows, macos, and linux) now runs pytest 9, which also clears the last python-side dependency advisory (GHSA-6w46-j5rx-g56g).
notes
- verified before shipping, not after: 208 tests green on the new toolchain, the live upstream contract check green (spotify embed + anonymous token + youtube search + the real match selector, via
scripts/check_api_status.py), the hosted api redeployed and serving live scrapes, and the hash-locked build inputs resolved on all three platforms by the new lock-check gate. binaries built with yt-dlp 2026.6.9.
verifying this release
sha256sum -c checksums.txt --ignore-missing
gh attestation verify Sunnify-Linux --repo sunnypatell/sunnify-spotify-downloaderinstall via homebrew (macos)
brew tap sunnypatell/sunnify https://github.com/sunnypatell/sunnify-spotify-downloader
brew install --cask sunnifyfull changelog: v2.0.14...v2.0.15
⭐ if sunnify saved you time, star the repo - stars are how people find it.
attestations from this build
direct links to each attestation generated by the workflow run that produced these binaries (sigstore-signed, public-good rekor log entry, SLSA build L3 via the release-build.yml reusable workflow):
- build provenance: Sunnify-Windows.exe
- build provenance: Sunnify-Linux
- build provenance: Sunnify-macOS.zip
- sbom attestation for the binaries
- build provenance for the source tarball
the *.sigstore.json assets attached above are the same attestations as offline-verifiable bundles. these get auto-refreshed on every release re-build, so the links above always correspond to the binaries currently attached to this release.