Last updated Feb 10, 2025

Prepare your Data Center app for 2025 security and usability updates

As announced on the Developer Community, we're making several shared changes to all the Atlassian Data Center products. We expect all of these changes to land into the following product versions:

  • Jira Software 11.0
  • Jira Service Management 11.0
  • Confluence 10.0
  • Bitbucket 10.0
  • Bamboo 12.0
  • Crowd 7.0

Here are the estimated release dates for the first EAPs containing these changes:

ProductVersion numberEAP dateGA dateDownload link
Jira Software11.024 June 2025August 2025https://www.atlassian.com/software/jira/download-eap
Jira Service Management11.024 June 2025August 2025https://www.atlassian.com/software/jira/download-eap
Confluence10.023 June 2025August 2025https://www.atlassian.com/software/confluence/download-eap
Bitbucket10.0Q3 2025September 2025
Bamboo12.0Q3 2025September 2025
Crowd7.019 June 2025August 2025https://www.atlassian.com/software/crowd/download-eap

Announcements

Check out the public announcements we've made so far about the upcoming updates:

What's changing

While there might be differences in details and implementation timelines between the products (which you can learn more about from product-specific documentation), here's a general overview of the planned changes.

Spring and Jakarta upgrade

To maintain high security standards and keep dependencies supported and up to date, we're updating Spring to the 6.x line. Spring 6 is no longer compatible with the currently used Jakarta 8, requiring us to also update the Jakarta version to EE Platform 10, specifically:

We're also updating all the other libraries that depend on Spring and Jakarta.

We won't be making any changes to the Atlassian API unless they're necessary because of the updates to the Jakarta API. There are also several API changes in Jakarta that may impact apps.

Update to jQuery 3

We're upgrading to jQuery 3 to align on jQuery versions across all Data Center products. This means a significant jQuery version uplift for products containing older versions of jQuery that will make developing cross-product apps easier.

Removal of deprecated components in AUI 10

We're removing some outdated AUI 10 components with design and accessibility issues. Make sure to move to their new versions or migrate to Atlaskit:

We're also upgrading some outdated dependencies:

We're also deprecating or removing the following:

Other changes include the Node 22 engine requirement. This will only affect using AUI via NPM, not through the running product.

End of support for LESS

To enhance the security, performance, and overall developer experience, we're deprecating both the LESS web-resource transformer and the LESS Maven plugin.

We're updating Look and Feel to use CSS variables, and all styles will either be CSS or compiled to CSS at build-time. We're also removing LESS compilation from Java build and runtime. You can continue to use LESS or any other CSS pre-processor at build-time.

We recommend you replace the runtime transformation of LESS files with build-time compilation or move to native CSS altogether where applicable.

Removal of Trusted apps

We're removing Trusted apps to reduce the number of insecure entry points into the products. We've replaced this way of exchanging information between Atlassian products with more secure solutions that follow industry best practices, like the OAuth 2.0 protocol.

End of support for the Original theme

With the new light and dark themes that brought accessibility and usability improvements, we're removing the original theme from all products.

Supported platforms updates

We're adding support for the following databases:

  • PostgreSQL 17
  • Amazon Aurora PostgreSQL 17
  • MySQL 8.4 LTS

We're also removing support for:

  • PostgreSQL 15
  • Amazon Aurora PostgresSQL 15
  • SQL Server 2017
  • MySQL 8.0 LTS

These versions of the products will only run on Java 21.

Global serialization filter

We’re implementing a global serialization filter that relies on a central blocklist for Java deserialization, Velocity, Struts, and XStream. This filter is designed to block specific classes and patterns that are recognized as vulnerable to Remote Code Execution (RCE) through publicly known gadget chains.

We’ll update this page with the full list of blocked classes and patterns.

App signing is now enabled by default

As we communicated in February, in 2025 we’re rolling out app signing. In these releases, app signing is enabled by default. This feature enables better security and increases customer trust in what they install on their local instances.

If you upload your apps to Atlassian Marketplace, we’ve got you covered. Once Marketplace validates and approves your app, Atlassian will sign and trust all your apps by default; no additional action is needed. App signing affects only new app installations, previously installed apps will not undergo verification.

For details on private builds, check this CDAC post.

Manage your integrations and automations with service accounts

We’re working on introducing service accounts to Data Center products. Service accounts are specialized, non-user accounts created for secure and efficient management of automated processes and external integrations. With service accounts, you can securely access REST APIs using the OAuth 2.0 authentication method to execute scripts and run tasks while maintaining full control of permissions.

Until we introduce the UI for this feature, you can use the new API in Embedded Crowd to create service accounts.

Product-specific changes

The changes listed on this page apply to common elements shared across multiple Atlassian Data Center products. Each product's feature release may in turn have additional changes. Refer to product-specific release notes for more information on those changes:

Rate this page: