Hello, Atlassian Community,
At Atlassian Data Center, we're in the process of making some changes to the availability of third-party libraries used in Marketplace apps and custom plugins created by our valued customers to meet their specific needs. Our primary aim is to align with increasingly stringent standards for promptly resolving security vulnerabilities, all while ensuring that library updates won't negatively impact the stability of Marketplace apps and custom plugins.
To accomplish this, we're planning a Platform release across our Data Center products, tentatively slated for the second quarter of calendar year 2024. By the end of December 2023, we intend to share technical specifics, including a list of exported libraries. Please keep in mind that these timelines are preliminary, and we'll provide regular updates as we gain more clarity.
This announcement is our early engagement with you to provide clarity on the matter and gather your valuable input.
The Challenge:
Currently, a multitude of third-party libraries, known as the Grey API, is accessible within the ecosystem. Major upgrades to these libraries carry the risk of introducing changes that could disrupt Marketplace apps and custom customer plugins dependent on these libraries. To mitigate this risk, we've sometimes refrained from upgrading libraries. In cases of security concerns, we've had to create forks of libraries that are no longer supported and manually apply patches, resulting in multiple outdated and forked libraries.
At the same time, we've noticed an increasing need from you, our valued customers, for swift updates to third-party libraries, including those with minor security concerns.
We genuinely understand your hesitation when it comes to relying on these forked libraries for security, and we acknowledge the added costs of pen-test reports, which is far from an ideal, scalable solution for us at Atlassian.
We're also aware that using outdated dependencies could potentially put us in a situation where we may struggle to address security issues promptly, and we certainly don't want any of these challenges to negatively affect your experience with our products. Your trust and satisfaction are of utmost importance to us.
The Resolution:
We need to bolster our dependencies and processes to the point where we can confidently update and release dependencies without compromising the stability of apps and custom plugins. To achieve this, we're planning to significantly reduce the array of third-party libraries available to Marketplace Partners and customers. The remaining libraries will be declared as an API. This measure aims to prevent future disruptive changes to Marketplace apps and custom plugins during Atlassian's library updates. Marketplace partners and custom plugin developers will be responsible for individually defining these dependencies and managing upgrades in non-public libraries.
To implement this change, we're coordinating a Platform release across Data Center products in the second quarter of calendar year 2024, with Early Access Preview (EAP) versions made available beforehand.
As the next step, Atlassian aims to continually replace unsupported third-party libraries and proactively update them to their latest versions. This approach allows Marketplace apps and custom plugin builders to follow this path.
Timeline:
Q4 2023: Sharing technical project details, including a list of exported libraries.
Q1 2024: Launching Early Access Preview (EAP) versions of all products.
Q1/Q2 2024: Introducing the new Platform version in a coordinated Data Center products release.
Please note that this timeline is subject to change.
Next Steps:
We recognize that Marketplace partners and customers whose custom apps rely on the removed third-party libraries will need to take charge of managing these dependencies themselves, including addressing vulnerabilities. We understand that you require technical project details to fully grasp and respond to the impact of this proposed change.
At this stage, we aim to gain a deeper understanding of your challenges. We're here to provide the most effective support during this transition. How can Atlassian assist you best in this process? Your insights are invaluable in helping us help you.
As always, please share your feedback in the comments below. We'll be collecting it until mid-December and aim to address all your questions during that time.
Additionally, we're keen to speak with administrators or developers regarding the implications of these APIs. We want to learn how you've built your apps and how Atlassian can support you in this process.
What's Involved in the Research:
Sessions are approximately 1 hour long and conducted via video conference, so you can participate from anywhere in the world.
During the research, we'll begin with a general chat to get to know you better. Following that, we would like to discuss how you've built your apps, the challenges you face with the proposed approach, and how Atlassian can support you in this process.
Interested in participating? Follow this link (https://www.userinterviews.com/projects/RYRATtEubA/apply) to provide a few more details to ensure a good fit.
If you have any other questions, please don't hesitate to reply to this message.
Best,
Malathi Vangalapati
Senior Product Manager, Atlassian Data Center team