I'm a little bit conflicted about pinning the dependencies to those specific versions. On one hand, it means we know the environment in which each version of the tool will run, thus making debugging easier. On the other hand, it means we should continually update, so as not to miss critical updates. I can imagine something like https://gitlab.com/dependabot-gitlab/dependabot could help out here?
What is the best practice regarding which version to pin and how to pin it? Like I mentioned, in this case I just used the ones which pip pulled for me, but should we maybe rather pull more "major" versions and use "~=" for minor versions?
In the classifiers section, Python 3.6 is specifically mentioned. Should this be bumped to a newer version too?
In the cli.spec, there's a line referencing a specific home directory. I feel like this should be more generic, though I have no idea what exactly happens in that file, and also nothing seems to be breaking at the moment. (I marked that one with a TODO.)
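To make the `==` vs `~=` question above concrete, here is an added example (my illustration, not code from this project or from the commenter): a minimal PEP 440 specifier matcher covering release segments only (no pre-release, post-release or dev suffixes), used to show which versions each pin style would let pip select. The package name `requests` and the candidate version list are constructed for the example and are not a real release history.

```python
"""Which candidate versions does each requirements.txt pin style accept?

Implements the subset of PEP 440 needed for the pin styles under discussion:
'==', '~=', ordered comparisons and '==X.Y.*' wildcards. Release segments
only; pre-release/post-release/dev suffixes are rejected rather than guessed.
Illustrative code, not the project's own.
"""
import re

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")
_CLAUSE_RE = re.compile(r"^(~=|==|!=|>=|<=|>|<)\s*([\d.]+\*?)$")
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")


def parse_version(text):
    """'1.4.2' -> (1, 4, 2). Anything that is not dotted integers is rejected."""
    if not _VERSION_RE.match(text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _padded(a, b):
    """Right-pad the shorter tuple with zeros so (1, 4) compares equal to (1, 4, 0)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def clause_matches(clause, version):
    """True if `version` satisfies one clause such as '~=1.4.2' or '==1.4.*'."""
    m = _CLAUSE_RE.match(clause.strip())
    if not m:
        raise ValueError(f"unsupported specifier clause: {clause!r}")
    op, target = m.groups()
    v = parse_version(version)

    if target.endswith(".*"):
        if op not in ("==", "!="):
            raise ValueError(f"wildcard is only valid with == or !=: {clause!r}")
        prefix = parse_version(target[:-2])
        hit = v[: len(prefix)] == prefix
        return hit if op == "==" else not hit

    t = parse_version(target)
    if op == "~=":
        # PEP 440 compatible release: '~=X.Y.Z' means '>=X.Y.Z, ==X.Y.*'.
        # Only the last given component may float, so '~=X' alone is invalid.
        if len(t) < 2:
            raise ValueError(f"~= needs at least two version components: {clause!r}")
        a, b = _padded(v, t)
        return a >= b and v[: len(t) - 1] == t[:-1]

    a, b = _padded(v, t)
    return {"==": a == b, "!=": a != b,
            ">=": a >= b, "<=": a <= b,
            ">": a > b, "<": a < b}[op]


def requirement_matches(requirement, version):
    """Evaluate a requirements.txt line such as 'requests~=2.25.1' or
    'requests==2.25.1 --hash=sha256:...' against one version.
    Option tokens (--hash=...) and environment markers (;...) are ignored
    here; pip checks hashes at install time, not during version selection."""
    spec_part = re.split(r"\s+--", requirement)[0].split(";")[0].strip()
    m = _REQ_RE.match(spec_part)
    if not m:
        raise ValueError(f"cannot parse requirement: {requirement!r}")
    _name, clauses = m.groups()
    if not clauses:
        return True  # unpinned: any version is acceptable
    return all(clause_matches(c, version) for c in clauses.split(","))


def accepted_versions(requirement, candidates):
    """The subset of `candidates` the pin would let pip choose from."""
    return [c for c in candidates if requirement_matches(requirement, c)]


# Constructed candidate list for the example (not a real package's release history).
CANDIDATES = ["2.24.0", "2.25.0", "2.25.1", "2.25.3", "2.26.0", "3.0.0"]

PIN_STYLES = {
    "exact": "requests==2.25.1",
    "patch-float": "requests~=2.25.1",  # >=2.25.1, ==2.25.*
    "minor-float": "requests~=2.25",    # >=2.25,   ==2.*
    "unbounded": "requests>=2.25.1",
}

if __name__ == "__main__":
    for label, req in PIN_STYLES.items():
        print(f"{label:<12} {req:<18} -> {accepted_versions(req, CANDIDATES)}")
```

Running it shows the trade-off directly: `~=2.25.1` admits patch releases but not 2.26, while `~=2.25` admits any 2.x at or above 2.25. Either floating style still leaves the actual version to resolution time, so two installs of the same commit can differ; where reproducibility and supply-chain integrity matter, the usual pattern is to pin exact versions together with `--hash=sha256:...` entries (pip-tools' `pip-compile --generate-hashes` produces such a file), install with `pip install --require-hashes -r requirements.txt`, and let a bot like the Dependabot instance mentioned above open the bump merge requests.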