I lived and suffered this tension between stability and security for years running a tech team. Staying on the upgrade treadmill while delivering actually important product features for the business. Hopping from LTS to LTS is a solid default strategy when you can use it.
So pardon the plug, but finding a happy middle-ground to exactly this problem for Django based projects is what I now work on with https://www.codestasis.com/
Projects that can't upgrade, because of the ensuing cascade of breaking changes and dev time needed, subscribe to CodeStasis to minimally update Django to new non-breaking patch versions.
So you can keep your trusty old version yet also stay patched and secure if you find someone to do the heavy lifting for you at reasonable cost, which I think we deliver.
Thanks! I toyed with the idea since 2014, after I was stuck managing a Django codebase with a gnarly middleware for a multi-tenanted website that precluded an easy upgrade.
I bookmarked this thread in 2019 where tptacek provided the impetus for the project with a one-liner suggestion https://news.ycombinator.com/item?id=20378409 And I've just noticed you replied then too!
I also assumed someone would get around to it. It took a while to get to a place I could start and then way longer to develop than I assumed. (Not just the backports but the tooling, testing infra, and website)
That's good to hear on pricing since it reflects my experience and is my thinking behind the initial price points.
I've had the opposite experience, working smoothly with Django for a decade except for one huge Flask project. Which essentially re-built Django... badly.
I later tried and enjoyed Flask for a really small solo project, so I don't think you're wrong.
Maybe there's a lot of implicit cultural knowledge on what packages work best to compliment Flask and the original developers on the big Flask project I suffered chose poorly?
Congratulations to the Django project and contributors on a big LTS release. And a huge thank you for the consistently excellent framework that so many have built their web dev careers on.
I'll post this as a Show HN soon, but I'll mention it now as a soft-launch introduction. After a decade of using Django I started a project I always wanted to exist: backported security and bug fixes to old versions that the Django project has dropped support for.
I've seen many Django projects eventually get stuck on an old version as the team I'm on is forced to defer upgrades in favor of commercial pressures and essential product delivery.
So you can subscribe to https://www.codestasis.com/ to stay patched on your old version, removing the urgency to upgrade. Then unsubscribe when you're caught up.
It's free for personal use and a paid subscription for businesses and organizations.
So pardon the plug, but finding a happy middle-ground to exactly this problem for Django based projects is what I now work on with https://www.codestasis.com/
Projects that can't upgrade, because of the ensuing cascade of breaking changes and dev time needed, subscribe to CodeStasis to minimally update Django to new non-breaking patch versions.
So you can keep your trusty old version yet also stay patched and secure if you find someone to do the heavy lifting for you at reasonable cost, which I think we deliver.