[GH-ISSUE #988] Refactor: Remove dependency on old Django admin internal templates (+ bump Django from 3.1 to >=3.2) #3635

Closed
opened 2026-03-14 23:49:37 +03:00 by kerem · 6 comments

Originally created by @Jonasmadsen on GitHub (Jun 12, 2022).
Original GitHub issue: https://github.com/ArchiveBox/ArchiveBox/issues/988

Currently archivebox uses django: "django>=3.1.3,<3.2" as defined in setup.py
However according to the django website:
https://www.djangoproject.com/download/
3.1.14 has been unsupported for quite a while.
This has some security implications and should be updated to django 3.2 (LTS) or newer.

I tried just updating the dependency to "django>=3.2,<3.3" but the test fails.
Unfortunately, there are breaking changes so it is not a simple version bump.

If anyone has a good idea of the scope of changes needed that would be great.
Love the project!
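The pin in setup.py is a version range, so the useful check is whether that range still admits any release series that receives security fixes. The script below is an added example, not code from the issue or from ArchiveBox: it parses a pin with the operators used here (>=, >, <=, <, ==) and tests it against an assumed list of supported series. SUPPORTED_SERIES is a constructed placeholder to be refreshed from https://www.djangoproject.com/download/ before relying on the result, and probing x.y.0 and x.y.99 assumes no series reaches 100 patch releases.

```python
import operator
import re

# Django release series assumed to still receive security fixes at audit
# time. Constructed placeholder for this example; refresh it from
# https://www.djangoproject.com/download/ before relying on the result.
SUPPORTED_SERIES = [(3, 2), (4, 1), (4, 2)]

_OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le,
        "<": operator.lt, "==": operator.eq}
_CLAUSE = re.compile(r"^(>=|<=|==|>|<)\s*(\d+(?:\.\d+)*)$")


def parse_version(text):
    """'3.1.3' -> (3, 1, 3); only plain dotted releases are handled."""
    return tuple(int(part) for part in text.split("."))


def parse_pin(spec):
    """'django>=3.1.3,<3.2' -> ('django', [('>=', (3, 1, 3)), ('<', (3, 2))])."""
    m = re.match(r"^\s*([A-Za-z0-9][A-Za-z0-9_.-]*)\s*(.*?)\s*$", spec)
    if not m:
        raise ValueError(f"cannot parse pin {spec!r}")
    clauses = []
    for raw in m.group(2).split(","):
        raw = raw.strip()
        if not raw:
            continue
        cm = _CLAUSE.match(raw)
        if not cm:
            raise ValueError(f"unsupported clause {raw!r} (only >=, >, <=, <, == handled)")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return m.group(1).lower(), clauses


def _padded(a, b):
    # Compare 3.2 and 3.2.0 as equal by right-padding the shorter tuple with zeros.
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def satisfies(version, clauses):
    """True if the version tuple meets every clause of the pin."""
    return all(_OPS[op](*_padded(version, bound)) for op, bound in clauses)


def admitted_supported_series(spec, supported=SUPPORTED_SERIES):
    """Supported series of which the pin admits at least one patch release.

    Probes x.y.0 and x.y.99 for each series (assumption: no series reaches 100
    patch releases) plus any exact '==' version that lies inside the series.
    """
    _, clauses = parse_pin(spec)
    admitted = []
    for major, minor in supported:
        probes = {(major, minor, 0), (major, minor, 99)}
        probes.update(b for op, b in clauses if op == "==" and b[:2] == (major, minor))
        if any(satisfies(p, clauses) for p in probes):
            admitted.append((major, minor))
    return admitted


def audit_pin(spec, supported=SUPPORTED_SERIES):
    """One-line verdict for a dependency pin."""
    name, _ = parse_pin(spec)
    admitted = admitted_supported_series(spec, supported)
    if admitted:
        series = ", ".join(f"{a}.{b}" for a, b in admitted)
        return f"{name}: pin admits supported series {series}"
    return f"{name}: pin admits no supported release; raise the upper bound"


if __name__ == "__main__":
    for pin in ("django>=3.1.3,<3.2", "django>=3.2,<3.3"):
        print(audit_pin(pin))
```

Run against the two pins discussed above, the first reports that no supported series is admitted and the second admits 3.2. The check only says whether a supported release is installable; it says nothing about whether the code actually runs on it, which is the breaking-changes problem the rest of the thread is about.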


@pirate commented on GitHub (Jun 13, 2022):

The changes are unfortunately complicated because I use some internal Django template components to build the UI (specifically the table-view action buttons), and those components were completely rewritten after 3.1.


@caj-larsson commented on GitHub (Jul 17, 2022):

@pirate I know you are working on something of a rewrite of much of the internals, do you have any plans on the template side of things? I decided to see how hard this would be and it seems to be no exaggeration that it is quite a bit of work because of the usage of admin templates/widgets.

Is it time to rebuild the foundation of the UI, if so got any thoughts on the direction?
If not, have you done any research on what needs to be done or suggestions to make this easier?


@pirate commented on GitHub (Nov 28, 2022):

My inclination is to bridge the gap temporarily by including the old template files from the previous Django version's source code manually. I can create some template overrides that point to the old Django version for just the files needed, and default to all the newer files for everything else.

Then we can go through and rewrite those components/ remove the dependency on unstable Django internals entirely.

I knew this would be a pain eventually when I depended on those unstable templates but tbh they saved me a ton of dev time early on so I don't entirely regret incurring that tech debt.

In regards to the security fixes, last time I checked (2022/05) the two Django 3.1 CVEs were not hit by archivebox code paths, which is why I didn't push an urgent fix, however there may be newer CVEs since then that I haven't checked yet.
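An added illustration of the bridging approach described in the comment above (this is example code, not code from ArchiveBox or from any of its pull requests). Django's default template engine searches the TEMPLATES['DIRS'] entries (filesystem loader) before the installed apps' templates/ directories (app_directories loader), so an old copy of, say, admin/actions.html placed under a DIRS entry shadows the installed one while every other admin template keeps resolving normally. The script mimics that lookup order, copies only the named files from an old checkout, and then inventories the overrides, flagging any whose installed counterpart has since changed, because a frozen copy no longer receives whatever upstream later changed in that file, fixes included. The directory layout, file names and contents are a constructed fixture.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def resolve_template(name, dirs, app_template_dirs):
    """Mimic the default Django engine's lookup order: TEMPLATES['DIRS'] entries
    (filesystem loader) are searched before installed apps' templates/ dirs
    (app_directories loader); the first file found wins."""
    for base in list(dirs) + list(app_template_dirs):
        candidate = Path(base) / name
        if candidate.is_file():
            return candidate
    return None


def copy_needed_overrides(old_template_root, override_dir, needed):
    """Copy only the named templates from an old Django checkout into the
    override dir. Anything not listed keeps resolving to the installed version."""
    copied = []
    for name in needed:
        src = Path(old_template_root) / name
        dst = Path(override_dir) / name
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(src, dst)
        copied.append(name)
    return copied


def _digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def override_inventory(override_dir, installed_template_dirs):
    """List each override as (name, status): 'identical' if it matches the
    installed file, 'changed' if the installed file differs (the pinned copy
    carries none of what upstream changed since), 'orphan' if nothing installed
    is shadowed at all."""
    override_dir = Path(override_dir)
    inventory = []
    for path in sorted(p for p in override_dir.rglob("*") if p.is_file()):
        name = path.relative_to(override_dir).as_posix()
        installed = resolve_template(name, [], installed_template_dirs)
        if installed is None:
            status = "orphan"
        elif _digest(installed) == _digest(path):
            status = "identical"
        else:
            status = "changed"
        inventory.append((name, status))
    return inventory


def build_demo_tree(root):
    """Constructed fixture: a pretend Django 3.1 template checkout, the installed
    (newer) admin templates, and an empty override directory."""
    root = Path(root)
    old = root / "django-3.1-src" / "django" / "contrib" / "admin" / "templates"
    installed = root / "site-packages" / "django" / "contrib" / "admin" / "templates"
    overrides = root / "archivebox" / "templates_overrides"
    fixture = {
        old / "admin" / "actions.html": "<!-- 3.1 action buttons -->\n",
        installed / "admin" / "actions.html": "<!-- rewritten action buttons -->\n",
        installed / "admin" / "base.html": "<!-- unchanged base -->\n",
    }
    for path, text in fixture.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    overrides.mkdir(parents=True)
    return old, installed, overrides


def run_demo():
    """Bridge one template with the old copy, leave the rest on the installed
    version, and report the override inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        old, installed, overrides = build_demo_tree(tmp)
        copy_needed_overrides(old, overrides, ["admin/actions.html"])
        actions = resolve_template("admin/actions.html", [overrides], [installed])
        base = resolve_template("admin/base.html", [overrides], [installed])
        return {
            "actions_from_override": overrides in actions.parents,
            "base_from_installed": installed in base.parents,
            "inventory": override_inventory(overrides, [installed]),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In a real project the override directory is simply added to TEMPLATES[0]['DIRS'] in settings with APP_DIRS left True; the lookup function above only reproduces that precedence so the inventory can be run outside Django. Running the inventory in CI after each Django bump is what turns the tech debt into a tracked list: every 'changed' entry is a template that needs either a re-diff against upstream or the rewrite the comment mentions.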


@joepie91 commented on GitHub (Sep 23, 2023):

> last time I checked (2022/05) the two Django 3.1 CVEs were not hit by archivebox code paths

For what it's worth, nixpkgs specifies (https://github.com/NixOS/nixpkgs/commit/067314d87fef67f713a06b64042da4e7442c851f) a rather longer list of relevant CVEs:

  • CVE-2021-45115
  • CVE-2021-45116
  • CVE-2021-45452
  • CVE-2022-23833
  • CVE-2022-22818
  • CVE-2022-28347
  • CVE-2022-28346

Not all of these explicitly mark Django 3.1 as being affected; as I understand it, the reason they are added is because they appeared when 3.1 was already out of support, so it is likely that they also exist in 3.1 but nobody has ever explicitly confirmed that.


@pirate commented on GitHub (Oct 19, 2023):

For now I have manually verified all of these CVEs, luckily ArchiveBox is not affected by any as we don't use the vulnerable code paths. Upgrading Django is still high on my priority list, but I'm not worried about security concerns unless other CVEs are announced that we are vulnerable to (and I have subscribed to notifications for this with Dependabot).

I also recommend everyone check out our new dedicated Security section on Github: https://github.com/ArchiveBox/ArchiveBox/security

You can subscribe to advisories and keep an eye out for new CVE announcements there too.

I understand this is causing trouble for our friends who help repackage archivebox for nix, arch, and other platforms that only offer newer Django releases. Sorry! Fixing this dependency is the next major internal work on my todo list.
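The CVE list posted above and the "not affected because we don't use the vulnerable code paths" conclusion both come down to one question per advisory: does the codebase touch the Django feature that advisory concerns? The script below is an added example, not ArchiveBox code and not the check the maintainer ran. It maps each CVE named in this thread to the feature its Django security release concerns and to source patterns that indicate the feature is used, then scans a source tree. The feature descriptions follow the Django advisories; the regexes and the two sample files are this example's own constructions and are deliberately broad.

```python
import re
from pathlib import Path

# Each CVE from the thread, the Django feature its advisory concerns, and
# source patterns that suggest the feature is used. The feature descriptions
# follow the Django security releases; the regexes are this example's own
# heuristics and are deliberately broad.
CVE_INDICATORS = {
    "CVE-2021-45115": ("UserAttributeSimilarityValidator (password validation DoS)",
                       [r"UserAttributeSimilarityValidator"]),
    "CVE-2021-45116": ("dictsort template filter (information disclosure)",
                       [r"\|\s*dictsort\b"]),
    "CVE-2021-45452": ("Storage.save() with caller-supplied file names (path traversal)",
                       [r"[Ss]torage\.save\(", r"FileSystemStorage\("]),
    "CVE-2022-22818": ("{% debug %} template tag (XSS)",
                       [r"\{%\s*debug\s*%\}"]),
    "CVE-2022-23833": ("multipart upload parsing (DoS)",
                       [r"request\.FILES", r"MultiPartParser", r"\bFileField\("]),
    "CVE-2022-28346": ("annotate/aggregate/extra with dynamic column aliases (SQL injection)",
                       [r"\.(?:annotate|aggregate|extra)\(\s*\*\*"]),
    "CVE-2022-28347": ("QuerySet.explain(**options) on PostgreSQL (SQL injection)",
                       [r"\.explain\("]),
}

_COMPILED = {cve: [re.compile(p) for p in pats]
             for cve, (_desc, pats) in CVE_INDICATORS.items()}


def scan_source(text):
    """Return [(cve, lineno, line)] for every indicator hit in one file's text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for cve, patterns in _COMPILED.items():
            if any(p.search(line) for p in patterns):
                hits.append((cve, lineno, line.strip()))
    return hits


def scan_tree(root, suffixes=(".py", ".html")):
    """Walk a source tree and group hits by CVE: {cve: [(relpath, lineno, line)]}."""
    root = Path(root)
    report = {cve: [] for cve in CVE_INDICATORS}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        rel = path.relative_to(root).as_posix()
        for cve, lineno, line in scan_source(path.read_text(errors="replace")):
            report[cve].append((rel, lineno, line))
    return report


def triage(report):
    """Verdict per CVE: 'review' where an indicator fired, else 'no indicator'.
    'no indicator' is not proof of absence: dynamic kwargs, third-party apps and
    generated templates all escape a textual scan."""
    return {cve: ("review" if hits else "no indicator") for cve, hits in report.items()}


# Constructed sample files standing in for a project's views and templates.
SAMPLE_VIEWS_PY = """\
from django.db.models import Count
def stats(request):
    qs = Snapshot.objects.annotate(**{request.GET["alias"]: Count("tags")})
    return HttpResponse(qs.explain())
"""

SAMPLE_TEMPLATE_HTML = """\
{% for s in snapshots|dictsort:"added" %}{{ s.url }}{% endfor %}
{% debug %}
"""


if __name__ == "__main__":
    for name, text in (("views.py", SAMPLE_VIEWS_PY), ("list.html", SAMPLE_TEMPLATE_HTML)):
        for cve, lineno, line in scan_source(text):
            print(f"{cve} {CVE_INDICATORS[cve][0]}: {name}:{lineno}: {line}")
```

A hit is a starting point for manual review, not a verdict: the annotate() line in the sample is only exploitable because the alias comes from request.GET, and explain() only matters on PostgreSQL, so each hit still has to be traced to whether attacker-controlled input reaches the call. Re-run the scan whenever a new advisory lands, adding a row for it, rather than relying on a one-time check of a frozen list.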


@pirate commented on GitHub (Mar 26, 2024):

Huge thanks @jimwins for doing this! https://github.com/ArchiveBox/ArchiveBox/pull/1388

Reference
starred/ArchiveBox#3635