This page includes release notes and updates for Compass app developers. Use this page to keep track of new features, upcoming changes and deprecation notices about the Compass developer platform and GraphQL API.
If you're new to building apps for Compass, check out Get started building Compass apps to begin your journey.
For updates about changes to the Forge platform, see the Forge changelog in the Forge documentation.
You may also be interested in the What's New blog for Atlassian Cloud where we announce new product features and other major changes affecting all users of Compass.
We've introduced a structured process for partners and Atlassian to jointly investigate security incidents affecting your app or the customer data it handles.
What's changing
Log sharing for Forge apps: Atlassian can now share incident-scoped platform logs and app telemetry with you during an investigation. This provides the data you need to diagnose and resolve issues faster.
A single reporting path: You can now report security incidents through the new developer support portal form. This form serves as the shared record for both you and Atlassian.
What you need to do
Review the program overview page to understand eligibility and support levels.
Ensure your security contact information is up to date in the partner account to ensure you are ready before an incident occurs.
As recently announced in Raising the bar on Marketplace cloud app security: together we are updating the Marketplace Security Bug Fix Policy to shorten vulnerability remediation timelines for Marketplace cloud apps. These changes ensure a higher security standard across our ecosystem.
What’s changing
The remediation Service Level Objectives (SLOs) for Marketplace cloud apps are being shortened. The timelines for Data Center apps remain unchanged.
Updated Cloud App SLOs (Enforceable September 1, 2026):
Critical: 10 days
High: 4 weeks
Medium: 12 weeks
Low: 25 weeks
Data Center App SLOs (Unchanged):
Critical: 12 weeks
High: 12 weeks
Medium: 12 weeks
Low: 25 weeks
Additionally, we have published the Marketplace Security Enforcement Policy, a consolidated source of truth for marketplace security compliance expectations, including vulnerability management, OAuth compliance, partner verification, bug bounty participation, and incident response.
What you need to do
Review the new timelines: Ensure your internal processes are updated to meet the new cloud app SLOs by September 1, 2026.
Check your tickets: We have corrected an issue where some AMS Data Center tickets incorrectly showed cloud remediation dates. If you believe a ticket still has an incorrect date, please raise an ECOHELP ticket.
Watch the policy page: The Marketplace Security Enforcement Policy is a living document, we recommend "watching" the page for future updates.
We've introduced the Tile component for Forge UI Kit apps, now available in Preview. The Tile component is a rounded square container for displaying assets like emojis, or objects in a consistent, styled way.
The component supports various sizes (from 16px to 48px), customizable background colors using design tokens, optional borders, and adjustable internal padding for different asset types including third-party logos.
For implementation details and examples, see the Tile component documentation.
As we focus on delivering a next‑generation solution for tracking developer productivity and experience, Compass scorecards and catalog functionality will move into DX.
As part of this transition, we will be ending the sale of Compass on May 13, 2026.
After this date, partners and developers will no longer be able to create, list, deploy, or publish new Forge apps for Compass.
Developers can continue to ship patches and updates to existing Compass Forge apps.
Customers can continue to install and use existing Compass Forge apps while they have access to Compass.
Other types of Forge apps are unaffected.
For more details using the full announcement on the Atlassian blog.
If you have questions, contact Developer Support through the Atlassian Developer Support portal.
We are introducing baseline security requirements for Atlassian Government Cloud (AGC) apps, which will take effect on Mar 31, 2026. If you have any questions regarding these new standards, please contact us here: https://ecosystem.atlassian.net/servicedesk/customer/portal/34/group/109/create/579
We’re also publishing our annual update to the general Cloud App Security Requirements for 2026, which includes new provisions for AI security, data protection, and supply chain security. See More details for highlights on this update.
Key additions to the general Cloud App Security Requirements include:
AI Security: New requirements for apps using Forge Rovo actions and agents, including validating action inputs as untrusted, implementing permission checks for admin-level actions, and accurately configuring actionVerb values.
Data Protection:
External OAuth2 clients must use Forge's OAuth2 Providers and be configured as confidential clients where supported.
Application logs must strictly exclude PII, credentials, and sensitive data.
Apps must ensure strict tenant isolation during runtime.
Apps must not execute arbitrary code by spawning child processes (e.g., using Node.js child_process).
Application Security:
Apps using Forge SQL must use parameterized queries to mitigate SQL injection risks.
Updated guidance on Content Security Policy (CSP) regarding unsafe-inline and unsafe-eval directives.
Runtime Security:
Apps must not use EOL (end-of-life) Node.js runtimes.
We've introduced two new components to UI Kit, now available in Preview: AtlassianTile and AtlassianIcon. Use these components to display Atlassian object type icons—such as stories, tasks, epics, blogs, and more—with consistent styling that aligns with the Atlassian Design System.
Both components provide fixed color, size, and styling options for Atlassian object types. Any updates to icon or tile styling in the Atlassian Design System are automatically reflected in your app.
For implementation details and examples, see the Atlassian icon and Atlassian tile component documentation.
We’ve added a new rovo.isEnabled method to the Forge UI bridge API. This method returns a boolean indicating whether Rovo is enabled for the tenant. You can use it alongside the existing rovo.open method to conditionally invoke Rovo only when it’s available.
For more information, see the updated documentation for the Rovo bridge methods.
We've added optional height and width properties to the Frame component in UI Kit. Apps can now set explicit dimensions in pixels or percentages, instead of relying on automatic resizing. This gives you more control over your app's layout.
For more information, see the updated documentation for the Frame component.
You can now set custom colors for UI Kit Visualisation charts. You can either set a color theme or assign colors to attributes. This can be done by passing the prop colorPalette into your chart.
For an example of how to implement this, please see the Forge UI Kit example app at https://bitbucket.org/atlassian/ui-kit-charts-example/src/master/.
For more information, see documentation.
As announced in July 2025, a number of glyphs for the Icon component will now be removed.
The following UI Kit components are now generally available:
Comment, which displays discussions and user feedback.
Pressable, which is a primitive for building custom buttons.
CommentEditor, provides a contained comment editor UI with a simple toolbar.
ChromelessEditor, provides a simple text editor that does not have a toolbar.
For more information, see the component documentation.
To access these components, you will need to update your app to the latest version of @forge/react. In the terminal of your project directory, run:
npm install --save @forge/react@latest
Following the Preview release, the Forge Automation Actions is now generally available. The Automation action module allows you to extend the Automation Platform and add new Forge-based actions to your app. With this release Forge Actions can now output smart values, enabling seamless data flow and dynamic automation.
For more information, see the Forge Automation Action module documentation.
Forge platform will be undergoing maintenance in commercial production on November 23, 2025 for approximately 1 minute between 5:30-6:30am UTC
During this interval, below capabilities will not be available intermittently:
Create/update/delete apps
Deploy apps
Install/uninstall/upgrade apps
App invocations will continue to work for existing users of the apps. However, new customers might not be able to use apps as consent process will be impacted during this interval as well.
The ability to build Forge apps that are compatible with multiple Atlassian apps is now available in Preview. This feature allows you to declare compatibility in your app’s manifest and enables your app to be installed and used across Jira, Confluence, and Compass.
For more information, see App compatibility.
The following flows are available for testing in this Preview:
Create, deploy, and install an app via the CLI
Distribute the app via a direct distribution link
View and connect/disconnect compatible Atlassian apps in Connected Apps
Add the app to Marketplace
Important considerations:
Customer release (GA) is planned for the end of January 2025.
Until GA: We recommend keeping Marketplace apps private, as customer-facing changes are not yet available (admins currently only see the required app in the consent screen when installing).
For guidance on migrating existing apps, see our migration guidelines.
When defining resolvers, the front-end code can share the types with the backend so the invocation interface is type-safe. This helps catch potential errors during compilation.
Rate this page: