Last updated Mar 7, 2024

Changelog

This changelog is the source of truth for all changes to the Marketplace that affect people publishing apps.

Posts are made in the Marketplace announcements category of the developer community when the changelog is updated. Subscribe to the Marketplace announcements category to get notifications.

7 March 2024

Announcement App access rule GA: soft launch coming soon

Starting at the end of March 2024, all Cloud customers will be able to set up and enable app access rules for Jira and Confluence under data security policies. This change will give customers an important new control to protect data while benefiting from Marketplace apps.

Customer outreach for this feature will be high-touch at first to give partners more time to update apps.

Many app components will display proactive warnings letting customers know that the app has been blocked by their admin. However, if an app relies on data from restricted spaces or projects, user experience may be impacted in other spaces (ex: search features or workspace modules) where the app is not blocked. This may confuse end users or present them with incorrect data if the app is not adjusted to account for the impacts of app blocking.

For this reason, we highly recommend testing out the feature and adjusting your app if necessary to warn users when it’s impacted by an app access rule.

Prepare for this change by reading more about how applying an app access rule to your app affects the behaviour of product REST APIs it calls here for Jira and here for Confluence.

More details

Data security policies help customers keep their organization’s data secure by letting them govern how users, apps, and people outside of their organization can interact with content such as Confluence pages and Jira issues.

The new app access rule under data security policies allows customers to restrict app access to the content in Confluence spaces or Jira projects under a given policy. In this way, customers can benefit from apps while still limiting 3rd-party access to certain content in select spaces.

Announcement Rolling back XSS mitigation for partner reports

On Mar 4, 2024, we announced the release of XSS mitigation for partner reports provided by Marketplace.

After receiving some partner feedback, we have decided to roll back this change. We will reevaluate our approach and explore a more agreeable solution.

We would like to extend our apologies for any inconvenience the change (XSS mitigation in transactions report) may have caused. We recognize the impact of this change on some of our partners (who are mitigating at their end) and have therefore taken a decision to reevaluate our approach.

4 March 2024

Announcement XSS mitigation for Partner Reports

Marketplace has recently rolled out changes and updated historical data for XSS mitigation. The changes have been applied to the transactions report and will be applied to the licenses report by Mar 11, 2024.

Why are we doing this change?

The partner reports consist of user input fields that currently allow HTML/JavaScript code as their value. This poses a risk of potential XSS vulnerabilities in partner systems that utilize this data.

To address this concern, we have implemented an additional validation process for specific data within partner reports. This validation involves using a standard HTML escaper, which has replaced certain HTML entities with alternative values.

What is the change?

We have replaced certain HTML characters with alternative values as outlined below for the purpose of escaping them. Below are the 3 characters that we have replaced -

  • <&lt;

  • >&gt;

  • &&amp;

For example, the following value might be a contact name and is transformed as

  • Contact: "><img src=x onerror=alert('Aya')>"&gt;&lt;img src=x onerror=alert('Aya')&gt;

One caveat to this is that since we can't differentiate between a genuine case of the existence of these HTML from an XSS vulnerability, genuine values will be replaced too. For example,

  • Name: XYZ & Co.XYZ &amp; Co.

  • Address: Street 123 & 5th LaneStreet 123 &amp; 5th Lane

  • Address: Test Address<ABC>Test Address&lt;ABC&gt;

How can partners get the original value back?

Since we have replaced a subset of HTML entities, partners can use any HTML decoding library to get the field value as it was before any replacement by us.

Which data fields will be affected?

The following fields have or will see a replacement in the value because of this additional validation:

Report

Field

Licenses

  • contactDetails.billingContact.address1

  • contactDetails.billingContact.address2

  • contactDetails.billingContact.city

  • contactDetails.company

  • contactDetails.billingContact.name

  • contactDetails.billingContact.phone

  • contactDetails.billingContact.postcode

  • contactDetails.billingContact.state

  • contactDetails.technicalContact.address1

  • contactDetails.technicalContact.address2

  • contactDetails.technicalContact.city

  • contactDetails.technicalContact.name

  • contactDetails.technicalContact.phone

  • contactDetails.technicalContact.postCode

  • contactDetails.technicalContact.state

Transactions

  • contactDetails.technicalContact.name

  • contactDetails.technicalContact.email

  • contactDetails.billingContact.name

  • contactDetails.billingContact.email

  • contactDetails.company

There is no change to the existing APIs. The change is there only in the data.

We have applied this validation to past data too.

More details

What is XSS?

XSS is Cross-Site Scripting (XSS), which is a type of security vulnerability commonly found in web applications. It occurs when an attacker injects malicious code (usually in the form of JavaScript) into a trusted website, which is then executed by the victim's browser. Additionally, if you are interested in learning more about XSS and how to safeguard your applications, we recommend exploring another blog published by us for further information.

29 February 2024

Announcement App access rule under data security policies: Early access to selected app blocking starts this week

Starting this week, a few customers will be be able to block selected apps from accessing certain user-generated content in Jira Software Cloud, Jira Service Management Cloud, Jira Work Management Cloud and Confluence Cloud using the app access rule.

This functionality will be available to only Atlassian Access customers in the app access rule early access program (EAP) until the rule reaches General Availability at the end of March. At GA, selective app blocking will become available to all customers with Atlassian Access.

Early access customers will be asked to test the functionality in a sandbox or test site, and warned that app functionality will be impacted when apps are blocked from accessing projects.

More details

Data security policies help customers keep their organization’s data secure by letting them govern how users, apps, and people outside of their organization can interact with content such as Confluence pages and Jira issues.

The new app access rule under data security policies allows customers to restrict access for all apps to the content in Confluence spaces or Jira projects under a given policy. In this way, customers can benefit from apps while still limiting 3rd-party access to certain content in select spaces.

If you’d like to participate in the developer EAP for this feature, which gives you access to the app access rule and new app access rule API to test, sign up here.

27 February 2024

Announcement Breadcrumbs, page.metadata.banner, and system.content.metadata will be hidden when content width is <768px

We are making a change to hide breadcrumbs and page.metadata.banner and system.content.metadata webitems.

This will happen when the content width is less than 768px. This will help with accessibility and responsiveness when the screen is resized to a smaller size.

21 February 2024

Announcement New "CLASSROOM" License Type Enabled

A new license type named "CLASSROOM" has been introduced in our data pipelines. From now on, you can expect to see some licenses designated under this category.

For further information, please visit: https://www.atlassian.com/licensing/purchase-licensing#How-does-atlassian-determine-who-qualifies-for-discounts

20 February 2024

Announcement Updating Vendor Id for $0 Invoices of Acquired Apps

We noticed that some (~455) of the $0 invoices for apps that had been acquired displayed the older vendor ID in Marketplace reports. We have now updated the vendor ID for these licenses to reflect the new vendor ID (the partner acquiring the app).

Partners can see these updates from Feb 20, 2024.

Fixed Certain Free Starter Tier Licenses missing in FST API

Following the analysis of bug reports and our investigative efforts, we identified a problem where certain Free Starter Tier licenses appeared in the Licenses API but were missing from the FST API. We resolved this issue today. As a result, ~500 licenses will now begin to show up in the FST API.

16 February 2024

Announcement Important Notice: Scheduled Maintenance Feb 16th-17th Impacting Marketplace Reports and APIs

Our new finance ERP platform, Oracle Fusion, will undergo scheduled periodic updates, causing approximately a 9-hour maintenance downtime that will impact our internal data pipelines. Once the update is completed, our internal data pipelines will resume and it will take about 3 additional hours to reinstate unprocessed transactions in Marketplace reports and APIs.

We anticipate that Marketplace reports and APIs will be affected on the following upcoming date and time.

  • Feb 16th 2024 7 pm PST to Feb 17th 7 am PST

For more details, please refer to this blog: https://atlassianpartners.atlassian.net/wiki/spaces/news/blog/2023/12/21/379453986/Important+Notice+Scheduled+Oracle+Fusion+Maintenance+Impacting+Marketplace+Reports+and+APIs

9 February 2024

Announcement Changes to atl.general webitem

As part of the Fixed Page Header feature, we’re making two changes that could affect developers:

  1. The View Page Page header is now fixed at the top of the page to increase accessibility to view page buttons. The header used to scroll away and pop back in if you scrolled up.

  2. Along with the view page header, we’ve also made the atl.general webitem fixed at the top. In the past, the atl.general would only show if the user was at the very top of the page. Now, the atl.general location is fixed and will always be visible above the view page header.

7 February 2024

Announcement App access rule under data security policies: Early access to selected app blocking coming soon

Starting in the coming weeks (end of February/early March), a few customers will be be able to block selected apps from accessing certain user-generated content in Jira Software Cloud, Jira Service Management Cloud, Jira Work Management Cloud and Confluence Cloud using the app access rule.

This functionality will be available only to Atlassian Access customers in the app access rule early access program (EAP) until the rule reaches General Availability at the end of March or early April. At GA, selective app blocking will become available to all customers with Atlassian Access.

Early access customers will be encouraged to test the functionality in a sandbox or test site, and warned that app functionality will be impacted when apps are blocked from accessing projects.

More details

Data security policies help customers keep their organization’s data secure by letting them govern how users, apps, and people outside of their organization can interact with content such as Confluence pages and Jira issues.

The new app access rule under data security policies allows customers to restrict app access to the content in Confluence spaces or Jira projects under a given policy. In this way, customers can benefit from apps while still limiting 3rd-party app access to certain content in select spaces.

If you’d like to participate in the developer EAP for this feature, which gives you access to the app access rule and new app access rule API to test, sign up here.

6 February 2024

Announcement App access rule under data security policies: early access for Jira customers and partners live this week

This week, select customers will be given early access to the app access rule for Jira Cloud. Customers will be asked to test the functionality, and warned that app functionality will be impacted when apps are blocked from accessing projects.

Marketplace Partners in the app access rule EAP have had access to this feature in Confluence since November 2023. Early access participants will now be given access to the feature in Jira and to the Jira app access rule API. This will allow you to prepare your apps for any potential end user impacts when the app is blocked by an app access rule.

More details

Data security policies help customers keep their organization’s data secure by letting them govern how users, apps, and people outside of their organization can interact with content such as Confluence pages and Jira issues.

The new app access rule under data security policies allows customers to restrict access for all apps to the Confluence spaces or Jira projects under a given policy. This should make it easier for customers with more strict data privacy concerns to install your apps while maintaining control over access to certain content.

If you’d like to participate in the developer EAP for this feature, which gives you access to the app access rule and new app access rule API to test, sign up here.

Added Enhancing Licenses APIs to include "serverExtendedSupport" for Server customers beyond Feb 15th 2024

We are currently implementing improvements to the Licenses API, effective from Feb 6, 2024. These enhancements have been designed to provide insights into the eligibility of licenses for server-extended support.

As a part of the Server End of Support (EOS) initiative, certain Atlassian customers may qualify for extended support until Feb 15, 2025. This extension applies only to server apps and can have one of the following values: 'Yes', 'No', or 'NA'. If the value is 'Yes', it indicates that extended support will be provided until the maintenance end date for the specific app.

More details

Licenses API:

API contract with new fields -

1 2 3 4 5 { "licenseId": "XXX", ... "serverExtendedSupport": <string> <- New field }

How to get started

The newly introduced field information will be accessible through the following Marketplace APIs.

  • /rest/2/vendors/{vendorId}/reporting/licenses

  • /rest/2/vendors/{vendorId}/reporting/licenses/export

  • /rest/2/vendors/{vendorId}/reporting/licenses/async/export

You can find the new field documented here. Click on Licenses Collection under Responses and then follow this path /licenses.

5 February 2024

Fixed [Bug] Few zero dollar transactions are missing in our APIs

Earlier, we reported that we had identified a bug (https://developer.atlassian.com/changelog/#CHANGE-1414) preventing certain zero-dollar transactions (~1.13% of total) from being included in Marketplace transaction reports and APIs. During the investigation, we noticed that the bug began affecting our reports/APIs from Aug '23 onwards. Today, we successfully addressed and resolved the issue.

2 February 2024

Announcement Bug Identified: Few zero dollar transactions are missing in our APIs

Following our internal analysis and bug reports, we have identified an issue where certain zero-dollar transactions (1.13% of overall) are not reflected in our transaction reports and apis. This discrepancy is also impacting the transaction count in the aggregated sales API. As our Reporting UI relies on these APIs for generating charts, it is similarly affected. We are actively working on resolving this issue. Once the fix is implemented, all zero-dollar transactions will be included in the aforementioned APIs, resulting in an increase in the number of such transactions.

Stay tuned for another changelog update, which will be shared upon the release of the bug fix [ETA: week of 5th Feb].

APIs affected with zero dollar transactions:

APIs affected with incorrect number of transactions due to additional zero dollar transactions:

Rate this page: