Preparing for Confluence 8.8

This documentation is intended for Confluence developers who want to ensure that their existing plugins and apps are compatible with Confluence 8.8.

Watch this page to find out when a new milestone is available and what’s changed. We will publish formal release notes once we release a beta.

Latest milestones

2 February 2024

8.8.0-rc1

Download

Issues with this milestone?

Hit the Feedback button on the Confluence EAP header or raise an issue to tell us about it.

Planned changes

In this section we'll provide an overview of the changes we intend to make, so you can start thinking how it might impact your app. We'll indicate when a change has been implemented, and in which milestone. 

This release only supports Data Center licenses. If you have a Server license, check out your options for upgrading.

Struts Action Parameter Changes 

Status: DONE

We have classed this as a major breaking change. Read the information below carefully to ensure your app is set up correctly for the latest version of Confluence.

Previously, POJOs that were intended for parameter injection using Struts (also known as complex/nested parameter) needed to be annotated with @ParameterSafe to be accessible. Going forward, all methods/fields intended for parameter injection will need to be annotated with the new @StrutsParameter annotation.

Complex/nested parameters will now also need to specify a depth value as part of the new annotation, which refers to the level of nesting within your Java object parameter. A depth of 1 will suffice for most complex parameters such as Maps, Arrays/Lists, and POJOs. If you have a POJO within a Map/List/POJO, you may require a depth of 2.

Note that the @ParameterSafe annotation will continue to function but at a fixed depth of 2. If you choose to compile against an older Confluence version, you won't be able to specify an alternate parameter depth.

For further details, read the Struts module reference.

Struts OGNL Allowlist

Status: DONE

This is a breaking change. Read the information below carefully to ensure your app is set up correctly for the new release.

OGNL expression executions will now be subject to a strict class allowlist. Confluence will intelligently allowlist almost all classes necessary for executing OGNL expressions. However, there are some edge cases that will require you to manually allowlist classes.

Struts parameters that are annotated with a depth of 2 or greater will require the nested types to be manually allowlisted.

If you notice any other log warnings related to non-allowlisted plugin classes, these also likely need to be included in your allowlist.

Please be aware that public members of any classes you allowlist may be accessible by attackers in the event of a Struts, OGNL or Velocity exploit.

Classes or packages may be manually allowlisted using the following entries within a Struts module descriptor. Allowlisting a package will also allowlist its sub-packages. We recommend avoiding package allowlisting and instead opting to explicitly declare each class.

<constant name="struts.allowlist.classes" value="
                com.company.package.ClassOne,
                com.company.package.ClassTwo
"/>
<constant name="struts.allowlist.packages" value="
                com.company.package.model,
                com.company.package.dto
"/>
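
A build-time check for the recommendation above, as an added example that is not Atlassian's own code: it reads the two allowlist constants from descriptor text and reports every package entry, since each one also exposes its sub-packages. The function names, the sample descriptor, and the "two segments or fewer is broad" severity rule are assumptions of this example.

```javascript
// Added example (not Atlassian code): audit OGNL allowlist constants in a
// Struts module descriptor. SAMPLE_DESCRIPTOR is constructed sample input.
const SAMPLE_DESCRIPTOR = `
<constant name="struts.allowlist.classes" value="
    com.company.package.ClassOne,
    com.company.package.ClassTwo
"/>
<constant name="struts.allowlist.packages" value="
    com.company.package.model,
    com.company
"/>`;

// Matches the two constant names shown on this page and captures the value.
const CONSTANT_RE =
  /<constant\s+name="struts\.allowlist\.(classes|packages)"\s+value="([^"]*)"/g;

// Split a comma-separated, whitespace-padded attribute value into entries.
function splitEntries(value) {
  return value.split(',').map((s) => s.trim()).filter(Boolean);
}

// Returns the declared classes and packages plus one finding per package entry.
function auditAllowlist(descriptorXml) {
  const result = { classes: [], packages: [], findings: [] };
  for (const [, kind, value] of descriptorXml.matchAll(CONSTANT_RE)) {
    result[kind].push(...splitEntries(value));
  }
  for (const pkg of result.packages) {
    // Heuristic (assumption of this example): <= 2 name segments is "broad".
    const broad = pkg.split('.').length <= 2;
    result.findings.push({
      entry: pkg,
      severity: broad ? 'high' : 'review',
      reason: 'package entry also allowlists all sub-packages; declare classes explicitly',
    });
  }
  return result;
}

console.log(JSON.stringify(auditAllowlist(SAMPLE_DESCRIPTOR), null, 2));
```
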

For further details, see the Struts module documentation.

Removal of Velocity servlet support in Confluence

Status: DONE

Overview - Support for rendering URLs ending in .vm has been removed from this version. As a result, this functionality will stop working, and changes will be required.

Note that this doesn’t impact a plugin’s ability to utilize VM files inside actions.

Action Required - With the removal of Velocity servlet support in Confluence, affected plugins are now required to leverage Struts actions for serving Velocity template-based UI screens, which offer additional server rendering control and security features.

Removal of rarely used rendering methods in Confluence

Status: DONE

This release required the unplanned removal of a number of rarely used rendering methods. In some very rare circumstances this may result in customer-developed plugins or user macros failing to render. If you encounter broken user macros after this upgrade, please contact Atlassian Support.

Changes to app uploads via the Universal Plugin Manager

Status: DONE

To enhance security, we’ve changed how Data Center products, including Confluence, handle app installation through the Universal Plugin Manager (UPM) and REST APIs. The Upload App button of UPM is now disabled by default. System admins can still enable app installation by setting the system property upm.plugin.upload.enabled to true.

This change doesn’t affect the installation of apps from the Atlassian Marketplace. Note that the UPM upload option is still enabled for instances running in dev mode.

Atlassian User Interface (AUI) 9.9.x upgrade

Status: DONE

We will upgrade AUI from version 9.2.2 to 9.9.x. With this upgrade, we expect to see a range of accessibility benefits and fixes. See the AUI 9.x upgrade guide and AUI changelog for information on changes that may affect your app.

New REST APIs

Status: DONE

We are introducing additional REST APIs to help admins automate and script administrative tasks in bulk, including:

  • update permissions for a page

  • archive and restore spaces

As new APIs are introduced, they'll be reflected in the Confluence API documentation.

Embedded Crowd upgrade

Status: DONE

In this release we plan to upgrade Embedded Crowd from 5.1.6 to 5.2.1. There are several performance and stability improvements we expect to see from this change.

The ATST app upgraded to 1.54.0 with new health checks

Status: DONE

The Atlassian Troubleshooting and Support app (ATST) has been upgraded to version 1.54.0 and now includes checks for:

The health checks will be available by default in Confluence Data Center 8.8.

If you’re using Confluence 8.7 or earlier, you can still upgrade the ATST app to 1.54.0 manually through Atlassian Marketplace and start using the newest health checks right away.

Startup error: database attachment storage

Status: DONE

If you're still storing attachments in the database (we deprecated this method in Confluence 5.4), you must migrate these to the file system before upgrading to Confluence 8.8 or later, otherwise Confluence will not start up successfully.

Learn how to migrate your attachments from database storage to file system storage

AES encryption for user directory server passwords

Status: DONE

We are extending our Secret manager solution to include support for user directory password encryption. Now when configuring user directories, the supplied server password will be automatically AES encrypted. For existing instances that have user directories already configured, passwords will be automatically encrypted on upgrade to Confluence 8.8.0. Confluence will automatically generate encryption keys and store them in the keys directory. The directory is not included in site exports, so you must manually back up this directory. To locate it, look in:

  • the shared home directory for clustered instances
  • the local home directory for single-node instances

Deprecation notice: JavaScript global AJS.ConfluenceDialog

Status: DONE

As part of ongoing efforts to clean up our code base, we will deprecate JavaScript global AJS.ConfluenceDialog with the intention of removing it in Confluence 9.0. Your apps should not be using these dependencies anyway; you should rely on the Atlassian User Interface (AUI) library. 

Bulk deletion of attachments

Status: DONE

Previously, if users wanted to delete attachments from a page or blog post, they’d have to do this one at a time. Now, they’re able to select up to 20 attachments in the page's Attachments interface to delete at once.

Learn how to manage your files

Dark theme for Confluence

Status: ADVANCE NOTICE

Dark theme will officially be shipped in an upcoming release in Q2 2024. For now, you can enable dark theme (alpha) for testing using the theme.switcher dark feature.

See our guide on preparing your Data Center app for the dark theme

We will provide more information on Confluence dark theme soon. In the meantime, we can confirm the following.

The theme switcher and all dark theme functionality can be enabled with the dark feature theme.switcher, either system-wide (`/admin/darkfeatures.action`) or per user (`/users/darkfeatures.action`).

The theme switcher will post a message of type=theme.change to all iFrames, both on the same origin and cross-origin.

The query parameters that will be processed by the atlassian-theme are:

atlThemeColorMode = light | dark
atlThemeDark = dark
atlThemeLight = light | original
atlThemeMatchUa = false | true
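
How an app running inside an iframe might consume these inputs safely, as an added example that is not Atlassian's own code: query parameters are accepted only with the values listed above, and a theme.change message is acted on only when it arrives from a trusted origin. It assumes the type is carried in `event.data.type`; the trusted origin, the `data-color-mode` attribute and the `app-theme-change` event are hypothetical names.

```javascript
// Added example (not Atlassian code). Allowed values are those listed on this page.
const ALLOWED = {
  atlThemeColorMode: ['light', 'dark'],
  atlThemeDark: ['dark'],
  atlThemeLight: ['light', 'original'],
  atlThemeMatchUa: ['false', 'true'],
};

// Keep only known theme parameters whose value is on the allowlist;
// anything else in the query string is dropped rather than passed through.
function parseThemeParams(search) {
  const params = new URLSearchParams(search);
  const theme = {};
  for (const [name, values] of Object.entries(ALLOWED)) {
    const value = params.get(name);
    if (value !== null && values.includes(value)) theme[name] = value;
  }
  return theme;
}

// Any window can post to an iframe, so check the sender's origin before
// trusting the message. Assumption: the type is in event.data.type.
function isTrustedThemeChange(event, trustedOrigins) {
  if (!trustedOrigins.includes(event.origin)) return false;
  const data = event.data;
  return typeof data === 'object' && data !== null && data.type === 'theme.change';
}

// Browser wiring; skipped when run outside a browser.
if (typeof window !== 'undefined') {
  const TRUSTED_ORIGINS = ['https://confluence.example.com']; // placeholder origin
  const theme = parseThemeParams(window.location.search);
  // Hypothetical attribute the app's own stylesheet would key on.
  document.documentElement.dataset.colorMode = theme.atlThemeColorMode || 'light';
  window.addEventListener('message', (event) => {
    if (!isTrustedThemeChange(event, TRUSTED_ORIGINS)) return;
    // Payload fields other than the type are not described on this page,
    // so none are read; the app is only told that a change happened.
    document.dispatchEvent(new CustomEvent('app-theme-change')); // hypothetical event
  });
}
```
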

Removal of Gray APIs

Status: ADVANCE NOTICE

In Confluence 9.0, we plan to remove the ability for plugins to load many third-party libraries (also known as Gray APIs). This upgrade will allow us to improve Confluence more frequently without breaking your app or requiring you to do significant testing and rework when things change.

From Confluence 8.7 to 8.9, these third-party libraries as well as a few Atlassian-specific libraries will no longer be exposed as transitive Maven dependencies of the main confluence artefact. To compensate for this, plugins will need to explicitly declare those dependencies by bundling them.

Note that before Confluence 9.0, there will be no runtime changes affecting the availability of these libraries and binary compatibility will be maintained. The changes in Confluence 8.7 through to 8.9 are only build-time changes and will pave the way for runtime removals in Confluence 9.0.

To learn more about this change and get your apps ready, refer to the Gray API developer guide.

OpenSearch opt-in in progress

Status: ADVANCE NOTICE

We're working on an opt-in search engine, OpenSearch, to be included in a future Confluence release. This will provide more advanced indexing options leading to less processing requirements. While we work on this change, make sure you keep checking the OpenSearch upgrade guide for updates to ensure a smooth transition.


Implemented changes

In this section we'll provide details of changes we have implemented, organised by the milestone they are first available in. This will help you decide which milestone to use when testing.

RC – 2 February 2024

Milestone 8.8.0-rc1

Contains:

  • Minor bug fixes

Beta – 24 January 2024

Milestone 8.8.0-beta1

Contains:

  • User directory password encryption
  • Minor bug fixes

EAP 2 – 18 January 2024

Milestone 8.8.0-m61

Contains:

  • AUI 9.9.0 upgrade bug fixes
  • UPM plug-in upload change
  • Minor bug fixes

EAP 1 – 8 January 2024

Milestone 8.8.0-m46

Contains:

  • New keyboard shortcut (add table row above and below)
  • Bulk delete attachments
  • AUI 9.9.0 upgrade
  • Embedded Crowd 5.2.1 upgrade
  • Dark feature: Confluence dark theme
  • Startup error for database attachment storage

Removed:

  • Confluence.ScrollingInlineDialog component

Deprecated:

  • JavaScript global AJS.ConfluenceDialog



Looking for updated documentation? Check out the Confluence EAP space for the latest docs.

Did you know we’ve got a new developer community? Head to community.developer.atlassian.com/ to check it out! We’ll be posting in the announcements category when new EAP releases are available.

Last modified on Feb 29, 2024
