This documentation is intended for Confluence developers who want to ensure that their existing plugins and apps are compatible with Confluence 10.0.

Watch this page to find out when a new milestone is available and what’s changed. We will publish formal release notes once we release a beta.

Latest milestones

Issues with this milestone?

Hit the Feedback button on the Confluence EAP header or raise an issue to tell us about it.

Planned changes

In this section we'll provide an overview of the changes we intend to make, so you can start thinking how it might impact your app. We'll indicate when a change has been implemented, and in which milestone. 

Spring and Jakarta upgrade

Status: DONE 

To maintain high security standards and keep dependencies supported and up to date, we’re updating Spring to the 6.x line. Spring 6 is no longer compatible with the currently used Jakarta 8, requiring us to also update the Jakarta version to EE Platform 10, specifically:

• Jakarta Servlet 6.0
• Jakarta RESTful Web Services 3.1
• Jakarta Dependency Injection 2.0
• Jakarta Annotations 2.1
• Jakarta Activation 2.1
• Jakarta Mail 2.1
• Jakarta XML Binding 4.0
• Jakarta Bean Validation 3.0

We’re also updating all the other libraries that depend on Spring and Jakarta.

We won’t be making any changes to the Atlassian API unless they’re necessary because of the updates to the Jakarta API. There are also several API changes in Jakarta that may impact apps.

Struts 7.0 upgrade

Status:  DONE

The Struts MVC framework has been upgraded to version 7.0.

In addition to the Servlet API changes mentioned earlier, the primary change is the renaming of the com.opensymphony.xwork2 package to org.apache.struts2. Take care to replace all such imports.

We’ve removed the support for the <xwork> plugin module (deprecated since Confluence 8.5.3). Use the replacement module <struts> instead, which is identical in functionality.

The multipart upload handling utility class com.atlassian.xwork.FileUploadUtils has been replaced with the OSGi service com.atlassian.confluence.struts.StrutsHelper, which is also accessible via the protected field strutsHelper on classes extending ConfluenceActionSupport.

Additionally, the following Atlassian annotations have been replaced:

• com.atlassian.xwork.ParameterSafe → org.apache.struts2.interceptor.parameter.StrutsParameter
• com.atlassian.xwork.PermittedMethods → com.atlassian.struts.httpmethod.PermittedMethods
• com.atlassian.xwork.RequireSecurityToken → com.atlassian.annotations.security.XsrfProtectionExcluded or com.atlassian.struts.xsrf.XsrfProtectionRequired

Removal of OpenSymphony PropertySet

Status: DONE

All APIs that leverage PropertySet are now read-only. These APIs will be permanently removed in Confluence 11.0.

This change affects the following APIs based on PropertySet for Users:

• (Deleted) com.atlassian.confluence.user.UserAccessor#getConfluenceUserPreferences
• (Read-only) com.atlassian.confluence.user.ConfluenceUserPropertySetFactory
• (Read-only) com.atlassian.confluence.user.UserAccessor#getPropertySet

Migrate to use the replacement API:

• com.atlassian.confluence.user.UserAccessor#getUserPreferences(ConfluenceUser)

The following PropertySet data types will remain accessible at the replacement API:

• Boolean
• String (and Text)
• Long
• Integer

Migrate all other data types to a suitable replacement as soon as possible because they will become completely inaccessible from Confluence 11.0.

The following APIs based on PropertySet for Content are also affected:

• (Read-only) com.atlassian.confluence.core.ConfluencePropertySetManager

Migrate any required data in your apps to one of the following alternatives as soon as possible because they will become completely inaccessible from Confluence 11.0.

• (Spaces) com.atlassian.confluence.api.service.content.SpacePropertyService
• (Content) com.atlassian.confluence.api.service.content.ContentPropertyService

To migrate data, you may choose to implement the com.atlassian.sal.api.upgrade.PluginUpgradeTask API in your apps and export it as an OSGi service. For details, see Writing a plugin upgrade task to migrate user data to new user keys.

Removal of Bandana

Status: DONE 

The com.atlassian.bandana.BandanaManager API is now read-only, and the APIs will be deleted entirely in Confluence 11.0.

Migrate any required data in your apps as soon as possible to one of the following alternatives.

• com.atlassian.sal.api.pluginsettings.PluginSettingsFactory
• com.atlassian.confluence.api.service.content.SpacePropertyService
• com.atlassian.activeobjects.external.ActiveObjects (For details, see Active objects)

The following Bandana value types will be automatically copied to PluginSettingsFactory where possible and under the character limit:

• String
• Properties
• List<String>
• Map<String, String>
• Boolean
• Integer
• Long

Note that com.atlassian.confluence.setup.xstream.ConfluenceXStreamManager will remain available for manual serialization and deserialization if needed, for the life of Confluence 10.x version.

To migrate data, you may choose to implement the com.atlassian.sal.api.upgrade.PluginUpgradeTask API in your apps and export it as an OSGi service. For details, see Writing a plugin upgrade task to migrate user data to new user keys.

LESS transformer removal

Status: DONE 

To enhance the security, performance, and overall developer experience, we’re deprecating both the LESS web-resource transformer and the LESS Maven plugin.

We’ve updated Look and Feel to use CSS variables in Confluence 8.9 and 9.0, and all styles will either be CSS or compiled to CSS at build-time. We’re also removing LESS compilation from Java build and runtime. You can continue to use LESS or any other CSS pre-processor at build-time.

We recommend you replace the runtime transformation of LESS files with build-time compilation or move to native CSS files using Design tokens.

For more details and further guidance, check Less transformer removal.

Removal of deprecated components in AUI 10

Status: DONE

AJS.Confluence.Binder.insertOnEvent is no longer available. It used AJS.template to process dynamic templates and insert them into specified elements on a fired event. We found no active usage of this module.

Status: DONE

Autocomplete fields used in macro editor (such as autocomplete-space or autocomplete-page), now accept data-value-key attribute instead of data-template. Previously, it was possible to specify a string with placeholders (like “long text with {placeholder}"). Placeholders would be substituted by values from the data object. Based on internal analysis, this property was only used to specify single keys. The replacement attribute doesn’t require any additional templating syntax.

Status: DONE

The unused portions of the Soy template code (generalpagelisttableLoop) have been removed from the frontend app repository. Initially, the Soy template accepted the parameters htmlEscapeQuotesPageSpaceKey, htmlEscapeQuotesPageTitle, pageGetDatePath, and insertLink. These parameters have now been removed, along with their corresponding unused code in the Soy template file, which means you’ll no longer be able to pass these parameters in

Confluence 10.Status: IN PROGRESS

We’re deprecating and removing some outdated AUI 10 components with design and accessibility issues. Make sure to move to their new versions or migrate to Atlaskit:

• Dropdown 1 - replaced by Dropdown 2 DONE
• Toolbar 1 - replaced by Toolbar 2 DONE
• Dialog 1 - replaced by Dialog 2 IN PROGRESS

We’re upgrading some outdated dependencies:

• npm: dompurify upgrading from 2.5.7 to 3.1.6+. This dependency is used internally on the tooltip titles. Don’t reuse the version under the hood.
• npm: jquery-form upgrading from 2.67 to 4.3.0+. This upgrade will ensure better jQuery 3 compatibility.

We’re deprecating or removing the following:

• Template - AUI Documentation - we’re moving to Soy or the I18n system as appropriate. This is so we can better support fewer languages with tools and prevent security issues from arising from a homebrewed templating language.
• Dark mode (old) - AUI Documentation - we’re removing the old unused dark theme since we’ve introduced a new one. If you’ve followed our recent guide (Prepare your Data Center app for the dark theme) to prepare for dark theme by using design tokens, you should be all set.
• Original theme - since the “light” theme is replacing it, all the fallback values will be gone.
• Redundant polyfills that are now natively supported in browsers, for example, npm: css.escape, custom events, and the <input> placeholder.
• npm: @atlassian/tipsy - this is no longer maintained and the AUI library stopped using it internally from version 9.3. You can bundle it if you wish, but we recommend moving to Floating UI or using Atlaskit or AUI components where possible.
• npm: trim-extra-html-whitespace - this is no longer maintained and is only used internally in our public documentation. This shouldn’t be needed in the browser. You can bundle it if you wish, but we recommend finding a maintained HTML minifier.
• Low-usage and renamed Soy templates, web-resources, and CSS classes.

Other changes include the Node 22 engine requirement. This will only affect using AUI via NPM, not through the running product. 

Removal of hover-related resources

Status: DONE

As part of our continued effort to enhance accessibility in Atlassian products, we're removing the following resources:

Global binder

• Confluence.Binder.userHover

WRM web resources

• confluence.web.resources:userlink
• com.atlassian.confluence.plugins.confluence-frontend:userlink

AMD modules

• confluence/content-hover
• confluence/hover-user

These modules don’t meet accessibility best practices and standards. Depending on your requirements, use one of the following alternatives:

• AUI Tooltip
• AUI Inline Dialog
• Atlaskit Tooltip
• Atlaskit Popup

Basic authentication disabled by default

Status: DONE

We’re disabling authentication with basic authentication by default. This is a first step towards the removal of basic authentication altogether as we develop and mature alternatives to support the remaining few use cases.

Removal of SOAP APIs

Status: DONE

To enhance security and streamline our API offerings, we are retiring the SOAP APIs, which have been deprecated since Confluence 5.5.

We have been progressively improving the REST API to replace the functionality of legacy APIs. To ensure compatibility, security, and ongoing support, we recommend transitioning to the Confluence REST API for all future integrations.

The removal of XML-RPC APIs is planned in Confluence 11.

For more information on how to use the Confluence REST API, refer to Confluence Data Center REST API.

Supported platforms updates

Status: DONE 

We’re adding support for the following databases:

• PostgreSQL 17

We’re also removing support for:

• PostgreSQL 15
• Java 17

Content Security Policy adoption

Status: DONE

We will enable the script-src header as part of implementing and adopting a Content Security Policy (CSP). 

This will be a report-only feature in Confluence 10. In this mode, the system logs violations without blocking any resources. This allows monitoring and gathering data on potential security issues without affecting the user experience. We will also provide additional utilities to setup nonces and even add your own origins to the CSP header. We will enforce CSP completely in Confluence 11.

Make the following JavaScript changes for your apps:

1. Remove JavaScript inline event handlers and javascript: URLs.
2. Remove the eval() method from your JavaScript.
3. Add additional config in your atlassian-plugin.xml in case your JavaScript is coming from external domains.

For detailed steps, check this CDAC post.

Removal of Trusted apps

Status: DONE

We’re working on removing Trusted apps to reduce the number of insecure entry points into the products. We’ll replace this way of exchanging information between Atlassian products with more secure solutions that follow industry best practices, like the OAuth 2.0 protocol.

Global serialization filter

Status: DONE

We’re implementing a global serialization filter that relies on a central blocklist for Java deserialization, Velocity, Struts, and XStream. This filter is designed to block specific classes and patterns that are recognized as vulnerable to Remote Code Execution (RCE) through publicly known gadget chains.

Implemented changes

In this section we'll provide details of changes we have implemented, organised by the milestone they are first available in. This will help you decide which milestone to use when testing.

EAP 20 – 23 June 2025

Milestone 10.0.0-m119 

Contains:

• Removal of hover-related resources complete

• LESS transformer removal complete
• Content Security Policy adoption complete
• Unused portions of the Soy template removed
• Global serialization filter implemented
• Minor bug fixes

EAP 19 – 16 June 2025

Milestone 10.0.0-m105 

Contains:

• Removal of Trusted apps complete

• The option to authenticate with basic authentication by default is disabled

• Minor bug fixes

EAP 18 – 10 June 2025

Milestone 10.0.0-m96 

Contains:

• Minor bug fixes

EAP 17 – 2 June 2025

Milestone 10.0.0-m84 

Contains:

• Removal of outdated AUI components: Dropdown 1 replaced by Dropdown 2; Toolbar 1 - replaced by Toolbar 2

• Minor bug fixes

EAP 16 – 26 May 2025

Milestone 10.0.0-m73 

Contains:

• Removal of Bandana complete (read-only access retained for upgrade tasks)

• PluginSettings API replacement implementation and migration task complete

• Minor bug fixes

EAP 15 – 19 May 2025

Milestone 10.0.0-m58 

Contains:

• Spring and Jakarta upgrade fully completed
• Minor bug fixes

EAP 14 – 12 May 2025

Milestone 10.0.0-m57 

Contains:

• Minor bug fixes

EAP 13 – 5 May 2025

Milestone 10.0.0-m53 

Contains:

• Minor bug fixes

EAP 12 – 28 April 2025

Milestone 10.0.0-m50 

Contains:

• Minor bug fixes

EAP 11 – 22 April 2025

Milestone 10.0.0-m44 

Contains:

• Minor bug fixes

EAP 10 – 14 April 2025

Milestone 10.0.0-m38 

Contains:

• Removal of deprecated components in AUI 10 — autocomplete attribute change
• Servlet API 4.0 leaks fixed
• Minor bug fixes

EAP 9 – 7 April 2025

Milestone 10.0.0-m31 

Contains:

• Minor bug fixes

EAP 8 – 31 March 2025

Milestone 10.0.0-m28 

Contains:

• Minor bug fixes

EAP 7 – 24 March 2025

Milestone 10.0.0-m27 

Contains:

• Minor bug fixes

EAP 6 – 17 March 2025

Milestone 10.0.0-m26 

Contains:

• Minor bug fixes

EAP 5 – 10 March 2025

Milestone 10.0.0-m25 

Contains:

• Added support for PostgreSQL 17
• Removed support for PostgreSQL 15 and Java 17
• Minor bug fixes

EAP 4 – 3 March 2025

Milestone 10.0.0-m23

Contains:

• Removal of AJS.Confluence.Binder.insertOnEvent

• Minor bug fixes

EAP 3 – 24 February 2025

Milestone 10.0.0-m21

Contains:

• Minor bug fixes

EAP 2 – 17 February 2025

Milestone 10.0.0-m20

Contains:

• Minor bug fixes

EAP 1 – 10 February 2025

Milestone 10.0.0-m16

Contains:

• Struts 7.0 upgrade

• Removal of OpenSymphony PropertySet

• Minor bug fixes