UUDigitalHumanitieslab / microcontact

Web application for the Microcontact project led by Roberta d'Alessandro

Upgrade dependencies to fix vulnerabilities #137

Closed jgonggrijp closed 5 years ago

jgonggrijp commented 5 years ago

See security alerts.

jgonggrijp commented 5 years ago

Frontend part mostly done, backend part still to be done.

In the frontend, I'd need to upgrade grunt-contrib-coffee from 1.0.0 to 2.1.0 in order to completely silence the security warnings for lodash. I'm not going to do this, however, because the vulnerability only affects compilation (i.e., not exposed to the outside world) and the required time investment would be huge because it also entails upgrading from coffeescript 1 to coffeescript 2. Coffeescript 2 compiles to ES6, which means that some semantics change and new restrictions apply compared to coffeescript 1, which in turn requires a lot of fiddling to make all the code correct again.

There are two other potentially breaking updates in the frontend which look like they might actually apply without problems: grunt-contrib-cssmin and grunt-contrib-jasmine. The former just drops support for node.js < 6 (we use 6 in deployment, so should be fine) and the latter just upgrades its own dependencies. I might try my luck with these other updates, but it's not on the top of my priority list because these aren't exposed to the outside world, either.

For the backend, Django will have to be upgraded in multiple steps, one minor version at a time, making sure to fix all deprecations before each upgrade. That is (current) 1.8 - 1.9 - 1.10 - 1.11 (LTS). Making notes below of the things I'll need to keep track of.

jgonggrijp commented 5 years ago

I'm currently at Django 1.10 and no new deprecations. Nearly there on the Python side, but the unittests are throwing up lots of django.core.exceptions.SuspiciousFileOperations. I suspect the solution is to copy the test fixture audio files to the temporary BASE before opening and yielding them from the mp3_file and amr_file fixtures in recordings/conftest.py, but I haven't tried that yet.
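As an added illustration (not the project's own code and not Django's), the block below re-implements in the standard library the confinement check behind Django's SuspiciousFileOperation: a storage-relative name must resolve to a path inside the storage base, so both an absolute path to a fixture living elsewhere and a `../` traversal are rejected. It then shows the fix the comment proposes, copying the fixture file into the temporary base and opening it by its relative name. The helper names `safe_join`, `open_in_storage`, `stage_fixture` and the sample file contents are assumptions made for the example.

```python
import shutil
import tempfile
from pathlib import Path


class SuspiciousFileOperation(Exception):
    """Raised when a requested path escapes the storage base.

    Mirrors the intent of django.core.exceptions.SuspiciousFileOperation;
    this is a stand-alone re-implementation, not Django's code.
    """


def safe_join(base, *paths):
    """Join paths under base and refuse any result that lands outside it.

    Joining an absolute path replaces the base, and '..' segments walk
    out of it; both are caught by comparing resolved paths.
    """
    base_path = Path(base).resolve()
    final = base_path.joinpath(*paths).resolve()
    if final != base_path and base_path not in final.parents:
        raise SuspiciousFileOperation(
            f"path {final} is outside the storage base {base_path}"
        )
    return final


def open_in_storage(base, name):
    """Open a storage-relative name, the way a confined storage backend would."""
    return open(safe_join(base, name), "rb")


def stage_fixture(src, base, name=None):
    """Copy a fixture file into the storage base and return its relative name.

    This is the fix suggested in the thread: test fixtures that live in the
    source tree must be copied under the temporary base before they are
    opened through the storage layer.
    """
    src = Path(src)
    rel = name or src.name
    dest = safe_join(base, rel)
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(src, dest)
    return rel


def _is_rejected(base, name):
    try:
        with open_in_storage(base, name):
            return False
    except SuspiciousFileOperation:
        return True


def demo():
    """Return (absolute_rejected, traversal_rejected, staged_copy_matches)."""
    with tempfile.TemporaryDirectory() as fixtures, \
            tempfile.TemporaryDirectory() as base:
        # Constructed sample fixture outside the storage base.
        src = Path(fixtures) / "sample.mp3"
        src.write_bytes(b"ID3\x03\x00" + b"\x00" * 16)

        # Opening the fixture by its absolute path: rejected.
        absolute_rejected = _is_rejected(base, str(src))

        # A relative name that walks out of the base: rejected too.
        traversal_rejected = _is_rejected(base, "../sample.mp3")

        # Stage the fixture under the base, then open it by relative name.
        rel = stage_fixture(src, base, name="recordings/sample.mp3")
        with open_in_storage(base, rel) as fh:
            staged_copy_matches = fh.read() == src.read_bytes()

        return absolute_rejected, traversal_rejected, staged_copy_matches


if __name__ == "__main__":
    print(demo())
```

In a pytest fixture the same staging step would run inside the fixture body, copying the audio file into the temporary base before yielding it, so the storage layer sees a name that resolves within the directory it guards.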