Major upgrades invisible to users, blocking security updates

Hi,

During the fall, we released a version of our app which was a major upgrade (scope changes).
Thus, admins had to upgrade the app (thanks for removing the “Allow access” prompt - that was worse).

However, we now have some 70% of the installations left sitting with an older, out of date version since the users cannot see that there is a new version and their admins probably have no clue that they need to update the app.

As we are working on another release which will entail a major upgrade, how can we avoid getting into this again?

Are there any changes coming to Forge that will address this problem?

Would really like to see something that lets regular app users know that the app needs to be upgraded, so that they can upgrade (if they have the permission) or ask their admin for an upgrade.

Atlassians - can you shed some light on this?

Thanks,
Fredrik

PS: Here’s a proposal in my previous post on how to notify users: Removal of Forge user consent caused major upgrade but users are not aware - #5 by freatt

5 Likes

The security implication of this is pretty interesting.

It would be good if the old deployments could at least be revoked/deleted/removed to prevent users from using potentially insecure code. I don’t see a way to do that from developer.atlassian.com. Maybe it’s something Atlassian can help you do from a Support ticket? But ideally your Forge Storage and other data wouldn’t get lost when they are ready to update…

Atlassian has a great security team - surely someone there has thought about this problem…

1 Like

In my experience the scope permission tags have been renamed and changed many times with each new @forge/* and CLI version.

i.e. forge lint will pass fine, some weeks/months pass and you update the CLI or a forge package, and the linter will throw errors asking you to use different scope names. You comply and thus your users are required to manually update the app yet again (which they don’t do).

Additionally, there is no ability for Forge apps to fetch their own version data: No API available to get app version for Forge Apps?

So you can’t programmatically show a message such as “update to the latest version to continue using this app”.

Which then means Forge error logging becomes useless since it will simply spam your inbox with noise of bugs fixed in outdated versions that users haven’t yet updated.

I’d be happy with either:

  • an API endpoint to determine the latest and installed versions
  • a manifest flag to auto-require that admins update to the latest version to use the app
  • a manual one-off trigger in the developer console to require that admins update to the latest version

The entire point of cloud-based software is to have all users on the latest version so you can rapidly iterate with multiple daily deployments.

4 Likes