SHA-1 collisions can now be manufactured semi-practically so we should start planning to migrate off SHA-1 to SHA-256.
The attack requires creating a common prefix and suffix that can be slipped into pairs of files, so cannot generally be used to create 'duplicates' of existing files, but can be used to create pairs or sets of files that can confound and confuse expected behavior once put into a common system.
Priority of adding better hashes is highest where the SHA-1 hash is used for unique addressing of user-submitted data, lowest where used to validate server-generated downloads.