Prepare your Data Center app for 2025 security and usability updates

As announced on the Developer Community, we're making several shared changes to all the Atlassian Data Center products. We expect all of these changes to land into the following product versions:

• Jira Software 11.0
• Jira Service Management 11.0
• Confluence 10.0
• Bitbucket 10.0
• Bamboo 12.0
• Crowd 7.0

Here are the estimated release dates for the first EAPs containing these changes:

Announcements

Check out the public announcements we've made so far about the upcoming updates:

• Improved security and usability: 2025 Data Center product updates
• EAP releases with security and usability updates coming soon

What's changing

While there might be differences in details and implementation timelines between the products (which you can learn more about from product-specific documentation), here's a general overview of the planned changes.

Spring and Jakarta upgrade

To maintain high security standards and keep dependencies supported and up to date, we're updating Spring to the 6.x line. Spring 6 is no longer compatible with the currently used Jakarta 8, requiring us to also update the Jakarta version to EE Platform 10, specifically:

• Jakarta Servlet 6.0
• Jakarta RESTful Web Services 3.1
• Jakarta Dependency Injection 2.0
• Jakarta Annotations 2.1
• Jakarta Activation 2.1
• Jakarta Mail 2.1
• Jakarta XML Binding 4.0
• Jakarta Bean Validation 3.0

We're also updating all the other libraries that depend on Spring and Jakarta.

We won't be making any changes to the Atlassian API unless they're necessary because of the updates to the Jakarta API. There are also several API changes in Jakarta that may impact apps.

Update to jQuery 3

We're upgrading to jQuery 3 to align on jQuery versions across all Data Center products. This means a significant jQuery version uplift for products containing older versions of jQuery that will make developing cross-product apps easier.

Removal of deprecated components in AUI 10

We're removing some outdated AUI 10 components with design and accessibility issues. Make sure to move to their new versions or migrate to Atlaskit:

• Dropdown 1 - replaced by Dropdown 2
• Toolbar 1 - replaced by Toolbar 2

We're also upgrading some outdated dependencies:

• npm: dompurify upgraded from 2.5.7 to 3.1.6+. This dependency is used internally on the tooltip titles. Don't reuse the version under the hood.
• npm: jquery-form upgraded from 2.67 to 4.3.0+. This upgrade will ensure better jQuery 3 compatibility.

We're also deprecating or removing the following:

• Template - AUI Documentation - we're moving to Soy or the I18n system as appropriate. This is so we can better support fewer languages with tools and prevent security issues from arising from a homebrewed templating language.
• Dark mode (old) - AUI Documentation - we're removing the old unused dark theme since we've introduced a new one. If you've followed our recent guide (Prepare your Data Center app for the dark theme) to prepare for dark theme by using design tokens, you should be all set.
• Original theme - since the “light” theme is replacing it, all the fallback values will be gone.
• Redundant polyfills that are now natively supported in browsers, for example npm: css.escape, custom events, and the <input> placeholder.
• npm: @atlassian/tipsy - this is no longer maintained and the AUI library stopped using it internally from version 9.3. You can bundle it if you wish, but we recommend moving to Floating UI - Create tooltips, popovers, dropdowns, and more or using Atlaskit or AUI components where possible.
• npm: trim-extra-html-whitespace - this is no longer maintained and only used internally in our public documentation. This shouldn't be needed in the browser. You can bundle it if you wish, but we recommend finding a maintained HTML minifier.
• Low-usage and renamed Soy templates, web-resources, and CSS classes.

Other changes include the Node 22 engine requirement. This will only affect using AUI via NPM, not through the running product.

End of support for LESS

To enhance the security, performance, and overall developer experience, we're deprecating both the LESS web-resource transformer and the LESS Maven plugin.

We're updating Look and Feel to use CSS variables, and all styles will either be CSS or compiled to CSS at build-time. We're also removing LESS compilation from Java build and runtime. You can continue to use LESS or any other CSS pre-processor at build-time.

We recommend you replace the runtime transformation of LESS files with build-time compilation or move to native CSS altogether where applicable.

Removal of Trusted apps

We're removing Trusted apps to reduce the number of insecure entry points into the products. We've replaced this way of exchanging information between Atlassian products with more secure solutions that follow industry best practices, like the OAuth 2.0 protocol.

End of support for the Original theme

With the new light and dark themes that brought accessibility and usability improvements, we're removing the original theme from all products.

Supported platforms updates

We're adding support for the following databases:

• PostgreSQL 17
• Amazon Aurora PostgreSQL 17
• MySQL 8.4 LTS

We're also removing support for:

• PostgreSQL 15
• Amazon Aurora PostgresSQL 15
• SQL Server 2017
• MySQL 8.0 LTS

These versions of the products will only run on Java 21.

Global serialization filter

We’re implementing a global serialization filter that relies on a central blocklist for Java deserialization, Velocity, Struts, and XStream. This filter is designed to block specific classes and patterns that are recognized as vulnerable to Remote Code Execution (RCE) through publicly known gadget chains.

We’ll update this page with the full list of blocked classes and patterns.

App signing is now enabled by default

As we communicated in February, in 2025 we’re rolling out app signing. In these releases, app signing is enabled by default. This feature enables better security and increases customer trust in what they install on their local instances.

If you upload your apps to Atlassian Marketplace, we’ve got you covered. Once Marketplace validates and approves your app, Atlassian will sign and trust all your apps by default; no additional action is needed. App signing affects only new app installations, previously installed apps will not undergo verification.

For details on private builds, check this CDAC post.

Manage your integrations and automations with service accounts

We’re working on introducing service accounts to Data Center products. Service accounts are specialized, non-user accounts created for secure and efficient management of automated processes and external integrations. With service accounts, you can securely access REST APIs using the OAuth 2.0 authentication method to execute scripts and run tasks while maintaining full control of permissions.

Until we introduce the UI for this feature, you can use the new API in Embedded Crowd to create service accounts.

Product-specific changes

The changes listed on this page apply to common elements shared across multiple Atlassian Data Center products. Each product's feature release may in turn have additional changes. Refer to product-specific release notes for more information on those changes:

• Preparing for Confluence 10.0
• Preparing for Jira 11.0
• Preparing for Crowd 7.0